Red Teaming
KimCrawley,
Sep 03
2021
I’ve been in the cybersecurity industry and hacker culture for nearly fifteen years now. I once knew very little, now I know a little bit more, and I’m always learning. But my expertise grows, enhanced through my work and my conversations with hacker and infosec people. In that process, I’ve definitely developed some strong opinions. And sometimes cybersecurity people are wrong about things. The myths I will address in this post are often circulated through Twitter and other corners of the internet. And as Peter Griffin would say, they really “grind my gears!” If we can address these myths, we can make the computer world a more secure place for everyone.
Myth: “Never ever tell people on the internet what your favorite food is, your favorite sports team, the name of your dog. You’ll reveal your password retrieval answers and destroy your user account security!”
Fact: If discussing yourself and your life at the most basic, conversational level is a threat to your cybersecurity, then your security design is terrible! It’s simply not practical to encourage this sort of hyper paranoia, nor is it reasonable. Good, pragmatic security behavior makes it relatively safe to discuss yourself like a normal person. Therefore, there’s a much simpler and much more feasible way to address how awful password retrieval answers are as a security measure. Don’t give honest answers to password retrieval questions! Tell the password retrieval answer form you were born in Neverland, your cat’s name is Hghgngbnkgbjhti, and your mother’s maiden name is RFVfrvrkmgkbmtb. You could then either just give up on ever retrieving your password with answers, or some password managers do allow you to store your password retrieval answers. Either way, security harden your life so you can safely talk about your cat and your hobbies on the internet.
Myth: “My entry level SOC analyst needs a CISSP.”
Fact: As a cybersecurity training company, here at Hack The Box we have great respect for particular credentials. But a CISSP is basically the equivalent of a PhD. in our industry. CISSPs should only be expected of very high level (often executive) roles, such as for a Chief Information Security Officer. The majority of cybersecurity jobs shouldn’t require expensive certifications. Heck, you need several years of industry experience to get a CISSP or some other certs, regardless of your knowledge and expertise. These unrealistic hiring expectations are keeping possibly millions of cybersecurity roles worldwide vacant, hurting security everywhere. Hack The Box’s labs and HTB Academy can help hackers keep up with their certifications because we offer (ISC)² CPEs. We also offer our own certificates for the successful completion of our programs, and a means for employers to validate them. Employers can also check a job candidate’s skills with their HTB profile. There are lots of ways to train for a variety of cybersecurity roles that don’t require very expensive tuition or years of prior industry experience. We can help hiring managers figure out which skills are actually needed for particular roles. If someone can demonstrate their skills, give them a chance!
Myth: “This operating system is more secure than that operating system.”
Fact: I’m a huge Linux fan. But I have researched cyber threats for enough years now to know that you can’t really say one particular operating system is more secure than another operating system. Our labs feature vulnerabilities in many popular operating systems, including Windows, Linux, and Android. Your operating system of choice can be pwned, no matter what it is! I’ve learned that endpoint security has a lot more to do with how an operating system is configured and used than what your choice of platform is. A well patched OS with well patched applications and strong security settings will always be more secure than an unpatched OS with default settings and no antivirus and no firewall. Plus, different OSes are simply more vulnerable to different sorts of cyber threats. For instance, iOS and iPhones are largely homogenous and Android phones are largely heterogeneous. You can’t over generalize by saying “iOS is more secure than Android” or vice versa. An iOS vulnerability will affect most iPhones, whereas an iOS security advantage will also affect most iPhones. iPhones by default can only install apps from the App Store, but a jailbroken iPhone can side load apps (at your own risk). Android phones by default will only install apps from the Play Store, but you can permit apps outside of the Play Store with a setting change. Both the App Store and the Play Store screen to prevent malware, but malware has also been found in both Stores. Security is complex. Different software simply has different security issues.
Myth: “Hackers do bad things.”
Fact: Hackers are the good guys. Everyone at Hack The Box is a hacker, from our HTB Community to our founder and executives, to all of our employees and contractors. We’re all hackers here. Hackers find new and novel ways to use technology. All of our computer technology was invented by hackers. Steve Wozniak, Linus Torvalds, Alan Turing, they’re all hackers. It’s very harmful to the hacker community to say “hacker” when you mean to say “cyber attacker, cyber threat actor, cybercriminal.” Throughout my career, I have only used the word “hacker” to describe a good person who does good things. It makes me very sad to see major media publications say that a “hacker” spread ransomware or whatever.
There you go, there’s some food for thought. Hopefully, I’ve got the hacker community and the cybersecurity community talking. Let’s banish these harmful myths, together!