Blog

Ruminations on how I became the Tech Guy in my personal and professional life

I love that we live in an era where we can communicate almost instantaneously with friends, relatives, and colleagues. I am thankful that God graced me with a career field where I can work remotely and is in high demand and seems like it will always be so. Of course, no one gets where they are alone, although I did work my rear off to get where I am. I would be remiss if I did not first pay homage to the support of my two amazing parents who were both successful IT professionals in their own right. My Dad of course who worked for IBM and now can barely work a smartphone and my Mom who worked Information Assurance at the highest levels of our government, but has a hard time getting her iTunes library backed up or her data synced to her new iPhone. My parents always encouraged me to aim high and ensure my schoolwork was before any extracurricular activities like sports, clubs, or the opposite sex.

My journey to become an IT professional did not really take shape until I got accepted to the United States Naval Academy (Canoe U, or the Boat School as some call it) and I was forced to choose a major. I really wanted to get into the Networking track of Computer Science, but there was limited space available and I was sort of forced into programming and databases. Not that it was a bad thing, because I still had to take all the core courses like computer architecture, data structures, computer algorithms, and the major agnostic courses like Naval Architecture and Thermodynamics. Somehow, I was able to keep my head above water to graduate with a 2.97 GPA and earn my commission as an Ensign in the United States Navy. My first duty station was Coastal Systems Station in Panama City Beach, Florida (or Naval Support Activity Panama City as it is known today). Little did I know that I would eventually come back here as an IT gun for hire of sorts thanks to the opportunities afforded me by serving in the military.

Information Technology is an unforgiving, ever-evolving field that at times can make you experience tremendous pride, heartache, anxiety, and the feeling that there are never enough hours in the day, especially when you are a Cybersecurity professional and expected to be somewhat of an expert in almost every aspect of computers. In the early days of computing, life was much easier because most of us were using dialup modems at 14400 or 28800 baud if we were lucky. Back in the good old days of Bulletin Board Systems (BBS) and America Online (You’ve Got Mail), security threats were much slower as was the hardware. My first computer was a monochrome 286 that could barely play Jeopardy, Pong, and do word processing. Fast forward to today where we are carrying around computers in our pockets that are more powerful than the computers used to send men into space in the 1960s. In many ways technology and computing devices have become disposable and many of us go through a cycle where we upgrade to a new device every year. More and more of our day to day activities are done on smartphones and tablets rather than traditional computers and we are all too inclined to share the details of our day to our various social media outlets (myself included).

Someone once said, with great power comes great responsibility. Well not to be too cliche, but that is true. I have worked in places where my bosses could barely turn on a computer, let alone successfully operate and conduct business on one. This is not their fault for the most part and this does not mean that they can’t be great leaders just because they don’t understand the technical details of a particular device, system, or software. Much like I am ignorant in what the cool kids do these days on social media, the previous generations that did not grow up in the digital age are in many ways still learning how to navigate this jungle of seemingly endless digital technology and our increasingly connected society. The Internet of Things is here and is not slowing down anytime soon. I continuously stress that technology should be seen in a positive light, but it seems like every day there are more horror stories about bad guys stealing identities, bank accounts, and other personal information in order to achieve their own financial gains or other objectives. You can buy just about anything on the Darknet for the right price these days.

That is why I’ve shifted my focus to more offensive security than traditional network security because despite all our advances in technology and knowledge, the bad guys, nation state actors, lone hackers, are still able to disrupt and destroy people’s livelihood using tools that are freely available both online and on the dark web. If the traditional bad guys (mafia, nation state, cyberterrorists) weren’t enough, we now have the ability to share exploits with young kids (script kiddies) that may or may not have a strong moral compass and understand that their actions have consequences.

Security is ever evolving and it seems like security professionals are always a step behind the bad guys. This is why it is important that we recruit new blood in the tech industry and also always look at not just how someone looks on paper, but also how they interact with people, situations, and the content of their character. Then once you have good people in your organization continue to challenge them with new responsibilities as well as training opportunities to earn new certifications in areas in which they might not normally be exposed.

 

Common Sense Security Strategies in a Digitally Connected World

 

You’ve been Hacked! Pwned! Account Compromised. Bank account emptied. Credit cards stolen and sold on the dark web. Facebook account hacked, now inappropriate messages or videos sent to your friends and family members. New accounts and credit cards opened in your name. Or worse, you’re on a vacation and suddenly your credit card is declined or you’re in the airport and your flight is cancelled. Maybe you’re traveling through an airport and someone skims your credit card and starts making transactions while you’re in the air. What would you do? How long would it take you to respond? How many times have you received a phone call that says you have to pay some portion of a bitcoin (BTC), or a webcam video of you doing something inappropriate is going to be sent to all your contacts?

These are just a few of the scenarios that can and do happen in our increasingly connected world. With the Samsung Pay and Apple Pay mobile payments that can be performed with your cell phone, Apple Watch, or Android Wear watch and the increasing number of mobile devices and Internet of Things (IoT) devices, security is paramount for everyone no matter what your career field or socioeconomic status. The purpose of this article is to give you some common sense tips to protect yourself and also give you the ability to help your friends and family stay safe online as well.

Part 1: Facebook:

As of the time of writing this article, Facebook has approximately 2.23 Billion users worldwide and that means that even if you are not on Facebook, many of your friends might be. So you don’t have a Facebook account you say so you’re not at risk? Well that’s not exactly true because of a trend called cyber squatting…That means that someone can claim your Facebook name and effectively pose as you simply by creating an account in your name even if you don’t have a Facebook account. Or maybe you don’t check Facebook that often. It’s also plausible that someone might make a Facebook account that is similar to yours and people in your network or friends of your friends might send you a friend request thinking that it’s you. Additionally, you absolutely should go into your Facebook account and view your profile as someone else sees it to make sure you’re not sharing information with people you don’t want to. If you’ve seen the news recently, hackers were able to exploit a vulnerability in the supposedly secure tokens that allow you to view your profile as one of your friends.

Part 2: Email

Seems like email used to be so innocent; it was the way you shared funny pictures, images, cat videos. But now email is one of the main catalysts by which hackers launch attacks against unsuspecting users. It doesn’t matter if you’re a VIP, bank executive, hedge fund manager…Everyone is at risk including small and medium sized businesses. Hackers usually don’t go after the harder targets that use industry standard security and follow best practices. They go after regular people that may not be able to afford to hire an INFOSEC or cybersecurity professional to protect their networks.

No longer will the emails come with obvious misspellings, poor grammar, and outlandish requests. Now, the spam email of 2018 is well crafted, looks legitimate, and may very well appear to come from someone you know. Attackers can craft emails that look exactly like they come from your bank, employer, and even credit monitoring agencies. Bottom line, don’t click on links sent to you in email, copy and paste them into a web browser. Don’t open attachments from people you don’t know, or even maybe people that you do know and are claiming they are trying to be helpful. They may even use threatening tactics and say something like law enforcement is going to issue a warrant for your arrest if you don’t respond. The IRS and US Government will never contact you and threaten you via email with warrants or imprisonment, they will just garnish your wages and tax returns directly. You should be aware of whether your email address has been compromised using sites like haveibeenpwned.com and other data breach sites.

Part 3: Passwords and Password vaults

There are three kinds of users in this world: 1. Those that use the same password for everything, 2. Those that write their passwords down so they won’t forget, and 3. Those that use password vaults/generators. Passwords are the last line of defense when it comes to security and often the first thing that bad guys go after. Commonly referred to as creds, the usernames and passwords are what hackers seek to exfiltrate from the networks and systems they go after. Passwords should be changed at a minimum every 90 days and should be a complex pattern of letters, numbers, and special characters that are not easily guessed or cracked. No dictionary words allowed or any of the potential answers to your secret questions.

It doesn’t matter really the password service you use, just use one. Whether it’s LastPass, Dashlane, KeePass, or Apple’s built in password manager. Every password in the wild is another chance for a bad guy to exploit.

Part 4: Location, Google Maps, Waze

This should not come as a surprise…..Google, Apple, Facebook, Banks are tracking you everywhere you go. Every purchase you make, every location you visit, every bank transaction or mobile deposit. Many of these services require your location information. It doesn’t matter if you turn off location, every time you open an app, that lets the app you are using tell the server where you are. This information is very valuable to companies that sell your information to advertisers. Some people say “I don’t have anything valuable or anything to hide.” Well, what about the patterns established by you traveling to visit family members, parents, grandparents, kids, grandkids, etc. You can’t be everywhere and police your entire social circle and bad guys will capitalize on these patterns. Some key tips: Vary your route, be a hard target, read the small print when choosing which apps you use to navigate. If they require excessive permissions on your device, don’t use them. There are countless groups out there that would love nothing more than to gain access to your information and use it as part of a botnet, cryptomining scheme, etc.

Part 5: App downloads

Third party app stores are the primary way that ransomware and cryptominers are spread in the wild. Even Amazon’s own app store requires you to allow apps from unknown sources if you don’t have an Amazon branded device. Bottom line, don’t use app stores you don’t know and use security software if possible (though that doesn’t provide much protection). Mobile apps are special in that each app runs code on a mobile device and can be reverse engineered/exploited by anyone with enough time and effort. Mobile apps are usually digitally signed by Apple and Google, but that is easily faked. Mobile apps live in an operating environment that is full of security vulnerabilities and exploits and many of them cannot be fixed because they are controlled by the carriers or equipment manufacturers. Carriers like T-Mobile, Verizon, AT&T and Sprint, many of which don’t have an interest in fixing the vulnerabilities because they are more interested in getting you to buy a new phone every year or every other year. Because data plans are at a premium, carriers can charge ridiculous amounts of money for data and wireless hotspot plans. With the introduction of 5G service, this will only amplify the speed at which attackers can serve up exploits to mobile users. Apple is notorious for convincing users to upgrade to new devices because of some new feature or operating system version and eventually devices will no longer run the latest and greatest Operating System (anyone still remember the iPod touch?)

Part 6: Two Factor Authentication (2FA) and Multi-Factor Authentication (MFA)

In 2018 this is an absolute must. If you are simply relying on usernames and passwords for authentication, you are setting yourself up for failure. Now, I get it, there are those that will say it’s too much of an inconvenience to turn on 2FA because it requires you to get a code from your phone or use one of your pre-shared keys, but not using 2FA is not smart in this day and age. There are too many options like Google Authenticator and Authy that allow code generation of QR codes or one-time-pads (OTP) that will make it that much harder for bad guys to attack your accounts/information. Don’t get me wrong, 2FA by itself is no silver bullet because there is malware specifically created to capture 2FA messages sent from a server to a mobile device. But it’s another layer in the defense in depth security strategy that people need to be aware of and add to their repertoire.

Conclusion:

Be a hard target, don’t do the easy thing. The more awareness you have about how hackers go after your information, the better equipped you’ll be to protect your friends and family. Don’t be a statistic, be an arbiter and protector of information. I hope this article helps you and your friends and family protect themselves and as always if you have questions or concerns, message me and let me help you.

Hefner Technical Solutions Blog


How to Land your Dream Job in Information Technology, INFOSEC and my experience after leaving military service

It seems like only yesterday I was getting out of the active duty Army and frantically searching through job sites, drafting my resumes, and signing up for every mailing list, job placement service, job board, etc. There are so many things I know now that I wish I had known then and could have saved the 2013 me so much heartache and frustration. The military provides a service called the Transition Assistance Program (TAP) when you are preparing to leave the military service. It essentially is the last line of defense and gives you vital information that you must receive before being able to effectively sign out of the military. Topics covered include balancing a checkbook, budgeting, job interview process, where to look for jobs, etc. Each branch has their own version of it and may or may not effectively prepare you to face the job market. The problem is that many people who get out of the military, while very accomplished and skilled in their respective area, may not be ready to face the rigors of joining the civilian workforce let alone finding a good paying job in their area. The problem of navigating our crazy job market is not unique to any one group of people and thanks to the magic of the Internet, there are endless job preparation sites, interview prep, resume review, and many others. Those topics will not be addressed here because they are beyond the scope of this article.

Follow the $$$$$

 

It took me approximately three months to land a job in Information Technology and part of that is because I limited my job search to a single geographic area, more specifically Panama City Beach, Florida. Now don’t get me wrong, I love this place and the prospect of being near the ocean is something I think almost anyone can get behind. That said, there are essentially three main industries here: Government, Healthcare, and Tourism. Luckily, because of my military and IT background, there were many opportunities for contracting jobs on the various military bases nearby. The only downside to that is when you are married with three kids, it’s tough to live in a resort/vacation area on a single salary. So if I can give you any pearl of wisdom to remember, it is to be flexible in location, otherwise you will have to make compromises elsewhere. Most companies nowadays will offer some type of relocation assistance package and may even allow some teleworking depending on circumstances. Just do the market analysis and make sure that the cost of living combined with goods and services is not so high that the salary will not be enough to cover it. Additionally, remember that there’s always the possibility that you might be forced to relocate due to company restructuring or say a contract gets moved. Another important distinction is that government contracts are very tedious and quite often will lowball the competition in order to come in with a competitive bid to win a contract. You may be able to negotiate a better salary at a non-defense contracting company.

Do what you <3

 

Arguably the most important factor in selecting a job is doing something you love. There are endless stories about disgruntled employees who hate their job and just move from one dead-end unsatisfying debacle to the next. While it may be exciting for some to constantly change career fields, it can be a frightening experience and almost feels like starting over. Part of being able to do what you love is first knowing what your goals are and what you want out of the job. Anyone who blindly takes a job without first asking numerous questions and doing research on what the job entails is just asking for trouble. Figure out what the day to day routine looks like, who your coworkers are, what kinds of hours you’re going to keep, and what kinds of reports or other deliverables are required on a regular basis. Also, the type of boss you work for can set the tone for whether you have a positive experience or a negative one. If your goal in the job is money, then you are most likely at some point going to have to move up to management if you want to make more money. Entry level positions are often more hands on while the more senior positions are more administrative and generally less technical. Ensure that you don’t forget to budget time with family, friends and/or a social life if those are important to you. If the job requires you to work say night shift and you like to go out at night, that would be a sacrifice you’d have to make even if it was only temporary. Benefits and intangibles also go a long way towards job satisfaction. Depending on your organization, there may be holiday parties, paid time off (PTO), 401k, health insurance, and many other things to consider.

Networking and Communication

Every job I’ve ever gotten has been more about me as a person and who I know than solely how good my resume looks. There are so many different types of resumes that I ended up keeping different versions depending on the job I was applying for and some of them were pages upon pages of work history, education, experience, military schooling, and on and on. Additionally, knowing important people at a company like the CSO, CTO, CISO, and someone in HR can definitely help. It also doesn’t hurt to have great references that know details about your technical abilities. That can and absolutely will make up for ANY apparent shortcomings on paper. If you’re hoping to land a technical position, having a website, 100% complete LinkedIn profile, and Facebook page are a must. Tech blogging can be a great way to learn and build credibility in the industry and can go a long way to bridging the knowledge gap that can land you an interview. It’s also a ton of fun and a great way to learn by emulating the success of others! Lastly, never leave on a bad note. Giving your employer proper notice to hire your replacement and not burning any bridges at jobs you’ve had are absolutely vital. Lastly, security people tend to have a reputation for not being good with people, being introverted, or just in general not interested in getting to know the human side of a client/customer, etc.

Which Certifications ???

While the job listing may specifically dictate which certifications are required, there are many that are “nice to haves” and are not necessarily going to prevent you from landing a job nor are they even really necessary. An example is many Network Engineer jobs list CCNP or higher as a requirement, but the actual network portion is nowhere near that level of complexity. Additionally, experience will be much more valuable than what certifications you have. Many contracting jobs give a period of time in which you can work on obtaining the necessary certifications while you’re doing your day to day tasks. DoD 8140 is the standard for Cybersecurity Workforce Positions, but there’s not really a civilian equivalent to that. That said, if the job specifically asks for experience coding something like PHP, Ruby, Python, Java, C#, you better be able to deliver on those requirements (or be a quick learner).

What to do once you get the job

Keep your resume up to date and always look for new ways to better your organization. Let your actions do the talking and ensure that your results always remind the leadership what value you bring to the company. Always be open to other opportunities, but don’t let that distract you from whatever objective you’re working on. Time management is absolutely vital and going back to budgeting time in to decompress so you don’t get burnt out from the job. Best of luck in the job search!