Interview with Richard Moulton, Software Security Engineer, Chiron Technology Services Inc.
About Richard Moulton
Richard Moulton is a Software Security Engineer and an Air Force veteran who performed flight-line maintenance before transitioning to military intelligence. From 1998 until his retirement from the military in 2014, he specialized in intelligence analysis, intelligence collection, and, ultimately, software development in those areas. His current work, as a Subject Matter Expert for Chiron Technology Services Inc., involves preparing the next generation of cybersecurity practitioners to defend information systems and emulate cyber threats. He researches cybersecurity issues, writes course materials on the subject, and teaches how to defend computers and information networks from attackers. He holds a Bachelor of Science degree from Excelsior University with concentrations in Computer Science and Turkish, and a Master of Science from University of Maryland University College in Information Technology with a concentration in Software Engineering.
[OnlineEducation.com] As someone who works and teaches in the field of cybersecurity, what distinguishes it as a discipline and a career from other areas in computer science/programming? Specifically, how does cybersecurity relate to other similar IT specializations, like information assurance, computer forensics, and cloud security?
[Mr. Moulton] Many areas of computer science are dedicated to finding ways to facilitate tasks for humans. There is software that will track financial transactions, drive or park your car, help you stay in contact with friends and families over long distances, and so on. The focus in these areas is to create a relatively efficient solution, to do one thing well.
The focus of cybersecurity, on the other hand, is to analyze where these solutions break down. In this field, we focus less on the one thing that solutions are trying to do well, and more on the secondary and tertiary effects of that solution. For example, we might ask, “Does this solution guarantee the confidentiality, integrity, and availability of my data?”; “Will my secrets be revealed to the world?”; “Will my data be erased or corrupted?”; “Is there a trust relationship built in that someone could abuse to do these things?” So, in cybersecurity, we look less at what is being done right, and focus on what is being done wrong.
At the same time, just like many other areas in computer science, cybersecurity demands that once we identify a problem, we ask, “What is a better way of doing the same thing?”; “How do we eliminate this vulnerability?”; “How do we solve this new problem?” In this regard, a career in cybersecurity is very much like a career in other branches of computer science. We are all focused on solving problems. We’re just focused on the class of problems that come about because of immature solutions.
The specializations you mention — information assurance, computer forensics, and cloud security — are all a part of cybersecurity. Information assurance is concerned with finding cybersecurity problems and mitigating them to the extent possible; computer forensics is concerned with identifying the who, what, why, and when resulting from cybersecurity problems; and cloud security is largely information assurance in the cloud.
[OnlineEducation.com] What should we be teaching the next generation, and even the current generation, of cybersecurity specialists and technicians, in terms of practical skills and philosophical outlook?
[Mr. Moulton] The first thing we need to teach the next generation is that cybersecurity is a team sport. No one knows everything, and you must not be afraid to ask questions when you don’t understand something. Of course, you should probably read the documentation first, but then ask someone if you still have questions. Every person has a different perspective and experience and will be in a unique position to solve certain problems.
The next thing we need to get across is that anything made by human hands is going to have deficiencies. This means that there are weaknesses waiting to be discovered. On the one hand, this means you can’t be shy about looking for vulnerabilities in systems that people rely on so long as you are legally able to do so. On the other hand, this means you probably can’t hope to ever find all the vulnerabilities in any but the simplest systems.
As to whether we should focus more on building new, secure systems or securing legacy systems, we have to strike a balance. In the real world, legacy and money dictate almost every decision. This means people will continue to do things the way they always have as long as they can and people will always look to do those things as cheaply as possible. In other words, decision makers will often refuse to replace legacy systems because it will be too expensive; you and I will have to find a way to secure these systems. When decision makers commission new systems, they will want to skimp on security because it is too expensive; you and I will have to be the voice of reason.
This means behavioral science is of paramount importance to us. We must understand people as well as we understand the systems we are trying to secure. First, we have to convince the developers and maintainers of these systems to consider the security aspects of their products as early as possible. Then, once we uncover the remaining weaknesses, we have to train the users of these systems to compensate for those weaknesses.
As an example of the first task, take a look at Microsoft. Microsoft products have taken a beating in security circles for so long, they have made the first task a formal part of systems development in their organization. They call it the Security Development Lifecycle.
For examples of the second task, search online for the adventures of social engineer Jayson E. Street. He makes his living off discovering and remediating social vulnerabilities that allow compromise of information systems. He embodies the principle of training users to mitigate system weaknesses.
[OnlineEducation.com] Can you elaborate on the role of behavioral science and social engineering in cybersecurity?
[Mr. Moulton] All software is developed with certain assumptions in mind. Often, however, the way that end users employ or understand technology is inconsistent with the assumptions made by the developers. Cybersecurity professionals looking to prepare for the social aspect of the job need to first learn how each technology is intended to be used, then learn how it is actually used. Afterward, the cybersecurity pro will be in a position to help developers and end users create a shared understanding of the technology.
I saw an example of this disconnect between developer and end user understanding of technology just this morning: @Bry_Campbell posted a tweet complaining about a phishing scam that targeted him. In it, the attacker, purporting to be Apple Inc., asks him to verify all of his iTunes account information or face account termination. The link that the email provided for the user to verify this information is https://appleid(dot)apple(dot)com(dot)re-validate. An end user not very familiar with how the internet works might assume this will lead them to an Apple website. This could lead to the compromise of financial information.
A more astute Internet user would see the text at the far right and say, “The top-level domain of this website is not apple.com. Therefore, this is probably not an Apple website.” A cybersecurity expert would say, “It doesn’t matter what the text says, let’s look at the URL hyperlinked by the text and do an nslookup, whois, etc.” It is the role of the cybersecurity professional to point out that this website is probably not what it purports to be, uncover the truth, and to teach end users and developers how they might better identify and make clear such distinctions while protecting their interests.
[OnlineEducation.com] What does working in the field of cybersecurity mean in a practical sense? What are likely to be the daily concerns and responsibilities? Alternately, what should those concerns and responsibilities be? And, does it require a particular type of personality, or personality type?
[Mr. Moulton] I’m afraid I don’t have time to give you a comprehensive answer to this right now, but let me begin to answer by saying this field demands divergent thinkers. To work in this field, you must understand that rules only apply so long as we choose to adhere to them.
For example, a system manual may tell you that you need to supply a username and password to get access to the system. What the manual won’t tell you is that if you supply a username with a password consisting of 4096 capital letter A’s, the authentication mechanism will crash and grant you full administrative access to the system. So, you must understand that rules only apply within certain boundaries, and you need a personality with the courage and creativity to find where those boundaries exist.
At the same time, you must understand that there are certain lines you cannot cross. I believe that people in general are, rightly, deathly afraid of the havoc that imprudent cybersecurity practitioners and malicious hackers can wreak. As such, doing something as benign as hacking a sign to read “Drive crazy, y’all” can mean an early end to your career and freedom. So, while searching for the boundaries where rules break down, you need to understand well the legal limits of what you can do.
[OnlineEducation.com] What are employers looking for in cybersecurity hires and how should someone who’s aiming to enter the field prepare him or herself? In your opinion, what makes the strongest candidates: experience, advanced degrees, certifications, programming and technology knowledge?
[Mr. Moulton] Employers frequently don’t know what to look for in cybersecurity candidates. Because they don’t understand the field themselves, they often rely on certifications or word-of-mouth to choose candidates. The certifications they often look for include Network+, Security+, CCENT, CCNA, CISSP, CEH, and other, similar certifications.
This is not a great way of identifying candidates, but it is better than nothing. Change is in the wind here, but it is too early for me to say much about it. Right now, I think people should look at certification programs that require hands-on rather than knowledge-based testing.
People looking to enter the field would do well to follow one of the most common tracks, starting as a system administrator, network administrator, or programmer before picking up one or more of these certifications. If someone entering the field were interested in a degree program, they would do well to look at computer science, information technology, networking, or computer engineering programs to prepare for this field.
Certifications and formal training are invaluable, of course, but the best thing you can do to prepare yourself is to get hands-on experience. I would suggest getting familiar with VMware, Hyper-V, or a similar virtualization technology and spinning up some virtual machines you can attack for practice. With technologies like QEMU, Kali Linux, Metasploitable, PowerShell Empire, GCC, GDB, NASM, Immunity Debugger/OllyDbg, WANem, and GNS3, you can create a set of targets and attack platforms to practice on at little or no cost. This experience is something you can generally only get for free at home or for thousands of dollars at cybersecurity conferences or schools, and candidates with this type of experience will be the strongest candidates.
[OnlineEducation.com] You’ve pointed out that, “Any company with staying power is going to need one or even a team of cybersecurity people.” With that in mind, how significantly do cybersecurity protocols and practices differ across industries, for example from healthcare to financial services? Or, do the same vulnerabilities and concerns exist across all computer systems and networks, regardless of industry?
[Mr. Moulton] All computer systems and networks, regardless of industry, have the same vulnerabilities. Computers are made of sand, and will give up data to your competitor just as easily as they will give it up to you. The risk of an organization’s assets being compromised, however, varies greatly depending on the threat and the assets they have.
This means that among industries, security protocols and practices will vary somewhat depending on the assets they hold and the threats they face. There are, however, some general principles that apply across industries. These principles apply at every level of technology from design to deployment, and have actually been well understood for some time. These principles are hard to define, but you’ll know them when you see them.
They include things like not talking about private matters (read: things that should be encrypted) in public (read: unencrypted). They include not taking input from untrusted sources at face value; when a system receives input, it should try to validate the input (read: ask, “Does this make sense?”) and drop the input if it could be malicious. The IEEE has more ideas along these lines.
[OnlineEducation.com] Finally, if you were starting a career in cybersecurity today, what would be your first few steps?
[Mr. Moulton] To get the on-the-ground experience you need in this field you need to do three things. First, use the technology. Generation Y and younger have a great head start on the rest of us because they are growing up using all these technologies from a young age. They are getting experience in how these systems are supposed to work, and learning very quickly where the shortcomings are in these technologies.
Second, learn how the technology works. This will take some time, but is much easier to do now than it was in days past. Because more people know how the underlying technologies work now, we have products on the market like Arduino, Raspberry Pi, Codecademy, and more that teach people how to use technology at low costs. Learn to program; build an app; learn to build a little robot that follows a line on the floor; learn to make a web page. All of this will help.
Finally, once you are comfortable with how the technology works, use all the failures in your experiences to understand the limits of the technology. Explore these limits. What happens when you give your robot 18 volts instead of 9 volts? What happens when you enter a password 1024 characters long? What happens when you connect to a web server in Python instead of a web browser? Just be sure that you only test these limits on things that you own or on things you have explicit, written permission to test on. This will guarantee you a long, rewarding career.
One area in which you might consider spending that career and, in my opinion, the area with the greatest pressing need for cybersecurity today is in the Internet of Things (IoT). The IoT is a collection of Internet-connected devices that facilitate and automate tasks at work, at home, and on the road. It is being built very quickly and with little or no concern for security. Take, for example, baby cameras that are accessible by anyone on the internet. Consider closed-circuit television (CCTV) systems that forward video back to one privately owned website due to a hard-coded address in the CCTV software. Consider electronic door locks that anyone can command to unlock the door to your home. The organizations building these systems desperately need cybersecurity professionals to help them build secure products before malicious people start going around jackpotting ATMs, stopping your father’s pacemaker, or hacking your Jeep while on the highway.
So, if you like technology and aren’t afraid to help find and fix its limitations, consider joining us in cybersecurity. The barrier to entry is lower than it has ever been, and we can use all the help we can get.