Let’s Put Cyber Back in Cybersecurity | by Kamyar Kojouri | Apr, 2022

Published on April 2nd, 2022


“Playing Commodore 64 at Media museum Rupriikki” by Olimar, Creative Commons BY-SA 4.0 License

“You run the, um, net-trace command?” he finally responded after a long pause. He had checked the network cable, refreshed the browser, and rebooted the router twice! How could the user still have no Internet?

At this point, we both knew that the interview was over. Granted, this one was a rather unusual case — a Computer Science graduate fresh out of college looking for an internship position — but you would be surprised to hear how many “experienced” cybersecurity analyst and engineering candidates have gotten off to a good start in my interviews, only to crash and burn when it gets to answering some of the most basic IT questions: Which layer of the OSI model does HTTP operate on? How do you kill a process on Linux? What is the Hosts file for?

Let’s face it, Cybersecurity — not to be confused with the broader field of Information Security — is about technology. To quote from CISA, “Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”

In other words, to be successful in Cybersecurity, one must understand and truly appreciate technology!

Think about it. If a SOC analyst is not familiar with the default file structure of a Windows or Linux machine, how can you expect her to identify an LFI attack when she sees one?

How can a Penetration Tester who has never heard of uuencode and echo commands transfer files to/from a victim using a reverse shell session without Meterpreter?

How can you expect someone who has never touched the command line to be able to decipher this attack?

cmd.exe /Q /c for /f "tokens=1,2 delims= " ^%%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%%B \Windows\Temp\1LAF.txt full

[This, by the way, was taken from an actual LSASS Minidump attack we caught the other day.]
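For analysts who want to see that command broken into its parts, here is a small detection sketch over process-creation command lines. It is an added example, not code from the original article; the indicator names, the `analyze` function and every sample line except the first are constructed for illustration.

```python
import re

# Constructed process-creation command lines, as they would appear in
# Security Event ID 4688 or Sysmon Event ID 1 with command-line logging on.
# The first entry is the command quoted in the article.
SAMPLES = [
    r'''cmd.exe /Q /c for /f "tokens=1,2 delims= " ^%%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ^%%B \Windows\Temp\1LAF.txt full''',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl',
    r'tasklist /fi "Imagename eq lsass.exe"',
    r'RUNDLL32 c:\WINDOWS\system32\COMSVCS.DLL,minidump 624 C:\Users\Public\report.log full',
]

# Hypothetical indicator names; each regex maps to one piece of the command.
INDICATORS = {
    "rundll32": re.compile(r'\brundll32(\.exe)?\b', re.I),
    "comsvcs_minidump": re.compile(r'comsvcs(\.dll)?["\s]*,\s*minidump\b', re.I),
    "lsass_pid_lookup": re.compile(r'tasklist\b.*\blsass(\.exe)?\b', re.I),
}
# MiniDump takes: <process id> <output file> full
DUMP_ARGS = re.compile(r'minidump\s+(\S+)\s+(\S+)\s+full\b', re.I)


def normalize(cmdline):
    """Drop cmd.exe's ^ escape character and collapse runs of whitespace."""
    return re.sub(r'\s+', ' ', cmdline.replace('^', '')).strip()


def analyze(cmdline):
    """Return matched indicators, a verdict and the parsed MiniDump arguments."""
    norm = normalize(cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(norm)]
    args = DUMP_ARGS.search(norm)
    if "comsvcs_minidump" in hits:
        verdict = "alert"      # comsvcs.dll's MiniDump export is being invoked
    elif "lsass_pid_lookup" in hits:
        verdict = "review"     # PID lookup alone is weak; correlate with later events
    else:
        verdict = "ok"
    return {
        "indicators": hits,
        "verdict": verdict,
        "pid_arg": args.group(1) if args else None,    # %%B is the loop variable holding the PID
        "dump_path": args.group(2) if args else None,  # unquoted paths only in this sketch
    }


if __name__ == "__main__":
    for line in SAMPLES:
        result = analyze(line)
        print(result["verdict"], result["indicators"], result["dump_path"])
```
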





Give me an IT generalist, I’ll give you a Cybersecurity professional!

On the one hand, we keep complaining about the shortage of Cybersecurity specialists in the market, while on the other hand, we continue losing mid-level IT professionals to outsourcing or automation. Do you see where I’m going with this?

When I used to work as a sysadmin back in the early 2000s, the server-to-admin ratio used to be somewhere around 50:1. Nowadays, that number is probably closer to 500:1 at most medium-sized organizations. An article published by Computer World in 2011 even claimed that it can go as high as a whopping 10,000:1 at some dominant cloud vendors like Google.

It’s not hard to see why that is the case. Office 365 and Google Workspace have killed Exchange. Box, OneDrive, Amazon S3, and Azure blobs are replacing CIFS and NFS shares stored on servers and storage arrays. Slack, Zoom, and Teams have made telephony a thing of the past. Application hosting has gone from physical servers, to virtual machines, to docker containers, to server-less micro-services, and a single DevOps engineer armed with a text editor and Ansible can replace more than a dozen systems administrators clicking “Next”, “Next”, “Finish” and watching progress bars all day long.

So what can we do with all the IT knowledge and talent lying about? What do we do with the hordes of skilled computer enthusiasts who have laid their hands on anything from Commodore 64 tape drives to Nutanix storage arrays? Or the high school kid who has built a weather station in her backyard using a Raspberry Pi?

Why not bring them into Cybersecurity? Ultimately, this is the type of stuff that hackers are made of, not college degrees and industry certifications.

To be clear, I’m not trying to downplay the value of formal education. I have both a college degree in CIS and a number of IT and Cybersecurity certifications, but I see these as add-on ‘features’, not core requirements. Academia gives you a solid foundation to build on, and industry certifications fill your knowledge gaps, but in my opinion, at least in Cybersecurity, no degree or certification can replace the drive and passion of a 19-year-old staying up until the crack of dawn trying to change the background picture of his GRUB bootloader.

And there are plenty of them out there. Hire them!
