Last time, I had the privilege of speaking with web security specialist Pam Armstrong. This time I got to chat with Alana Staszczyszyn, someone whom I’ve had the pleasure of meeting in person. She’s very active in Toronto’s cybersecurity scene. She’s currently a student, but she has so much to teach people in our industry about evolving cyber threats and the red team mindset. Considering her role as an information security thought leader already, imagine the impact she’ll have on the industry once she graduates!

Kim Crawley: Please tell me a bit about what you do.

Alana Staszczyszyn: As of right now, I am mainly focusing on offensive security consulting – penetration testing, particularly. I am also in the midst of finishing my degree in infosec and I am involved in some initiatives that target infosec education.

KC: That's awesome. Where are you studying, and what does your academic program entail?

AS: I am studying at Sheridan College in its Information Systems Security degree program. The program consists of a wide variety of information security topics from more computer science-based mathematical and theoretical topics to applied technical topics. The technical courses later in the program dive into specific infosec topics, such as forensics, malware analysis, secure software development, penetration testing, and more. There are also courses that cover the business aspects and strategic principles of infosec. When I entered the industry, I found those to be some of the most valuable ideas I had yet come across. There are also some courses that focus on the connection between infosec/technology and the world, such as ethics or viewing trends in the industry. Personally, I find those to be some of the most interesting classes. I'm a huge nerd for intersecting concepts, such as sociology, politics, economics, biotechnology and infosec, so they tend to be right up my alley.

KC: That sounds really cool! How did you get into cybersecurity in the first place? When were you bitten by the bug?

AS: Haha, "bitten by the bug" is the perfect expression for it. It seems to be a pretty common experience to sort of fall into infosec. I was definitely one of those. I actually fell into it pretty much by accident. When I was in high school, I was an avid musician and artist, and I had thought that that was what I wanted to do. But I eventually found a love for the natural sciences and math. I wasn't sure what I wanted to study afterwards, so a developer whom I know suggested I try IT. I took a couple of summer courses and found it to be pretty enjoyable. By the time I was looking for programs, I knew I wanted two things: something cheap(er) and something that would get me a good job. I looked at the Sheridan pamphlet, and security seemed more interesting than what the other courses offered, so I just went for it without really having any idea about what I was getting into. It's hilarious thinking back to being in my first "Principles of Information Security" class. We learned about types of malware, and I was just like "What on earth did I just get myself into?" I had used computers a lot when I was younger but not in an IT context, so I was really approaching this program with a completely blank slate. Yet, I remember cracking open that Principles of Information Security textbook for the first time, and the opening page said something along the lines of: "Information security is not so much a science but an art." It continued to elaborate on the way information systems and security must be contextualized with the bigger picture, much like painting a picture, putting a little stroke here and a dash of color there. Even though I was basically completely clueless going into all these courses, I knew I had found home.

KC: Yeah, I was similarly overwhelmed when I started to learn about cybersecurity. So, as a red team minded person, where do you feel the evolving cyber threat landscape is headed?
AS: As it always does, the threat landscape will continue to grow and evolve with technology. I haven't been doing offensive security for too long, but I have noticed that a lot of the more "classic" attacks – SQL injection, for example – are rarely found as security awareness rises and development cycles define more rigid security control implementations, as well as find ways to automate the implementation of them. As these cycles become more robust, the reliance on user interaction will only increase. We saw the dramatic rise of ransomware in the last couple of years, and of course, phishing is still one of the most prevalent attack vectors. I remember reading that though ransomware infections have decreased in the past year, the number of variants increased a lot. I think this really speaks to the rise of a new tier-based malware economy. We have heard of all of the different business models that criminals are using to rope unknowing users into paying up and also coercing them to infect others whom they know. They are even offering technical support for users who don't know how to navigate cryptocurrencies. Notice too that there have been fewer massive ransomware outbreaks recently. Threats are getting smarter and more targeted rather than spraying victims en masse.

I think the threat landscape will also continue to expand as IoT technologies advance, again leveraging that user interaction aspect. If I had to pinpoint a subset of IoT that is really going to continue to feel this, I would say healthcare. My former experience working in the healthcare sector showed me just how unprepared the industry is to implement security at all. There is double the chance of reward here. The development of those technologies is not robust from a security perspective, and the benefits of attacking those assets are literally vital. People's lives are affected by this, so the incentive for victims to cooperate is high. I am just waiting for the day when someone's bionic Wi-Fi connected arm goes rogue on them and then demands a ransom.

Continuing with that social theme, I think that the biggest and most subtle development of the threat landscape will be (or, heck, already is) that of information warfare. From a political perspective, the anarchy of social media is really one of the biggest threats that is being experienced on a global scale. The injection of false or biased information combined with the mechanisms of information-fed algorithms creates an environment where the beliefs, opinions and actions of people can be radically changed and amplified if they are given a communal space to express them. We have seen, for example, Pepe bots through Twitter memes in an image format to avoid detection. Security is just as much social as it is technical, and the expansiveness of technology no longer requires technical expertise to be a part of a security threat. The average person, even if disconnected from a particular system, still has easy access to the much larger connected infrastructure of the Internet. As we all know, the biggest risk is the unaware and uneducated end-user. That all being said, there is also still much room for current attack vectors to grow. Information systems are becoming more secure, but very slowly. In my work, I still see gaps in systems that seem silly to us security professionals. Things like misconfigured components, missing access controls, lack of data validation and sanitization and so on. I picture the landscape like a loaf of bread sitting on a steady base but steadily rising and amplifying in all directions. There is lots of room for the development of new kinds of exploits, but there is also just as much room for the commoditization of threats that already exist.

KC: Do you think carefully targeted attacks, even APTs that go after one target at a time, are more destructive overall than bot-driven promiscuous attacks? A virus or worm developed a certain way may do less damage to each computer, but the number of computers that can be attacked could be huge.
I do notice though that a lot of people in our industry are a lot more concerned about SamSam ransomware, which is really specifically targeted, than most other strains of ransomware, which usually aren't.

AS: That's a tough question, and I think it is really hard to generalize. This is partially because the concept of "destruction" means different things in different contexts and the temporal factor makes it hard to quantify. Bot-driven attacks have the potential to be absolutely detrimental to everything from personal assets to critical infrastructure, and the effects tend to be more instantaneous. Thinking back to WannaCry, we experienced the destruction of assets in several countries, affecting all different types of users. The shutdown of NHS hospitals for several days is the obvious hugely destructive outcome from that infection, but the infecting of average end users’ devices can conceptually be just as drastic. If we were to theorize that a large portion of some nation-state's personal assets were encrypted, we could imagine that there will be economic damage as users are locked out of their sources of production. Likewise, we all know how notorious other infrastructures – like the power grid – are for being vulnerable. The ability for bot-fueled ransomware to transcend all layers and types of infrastructure in such an instant fashion probably seems more drastic at a first glance. Yet the damage that a one-time APT can do can theoretically be just as large. The nature of APTs is that they are persistent. This implies that they are operating over a long time and probably undetected for some stretch of that time. From a strategic perspective, the infiltration and subsequent surveillance of intelligence assets could be just as detrimental. The damage associated with having that sort of reconnaissance may not produce immediate consequences. In fact, the consequences may never be discovered by the victim. If that information is pivotal for the success of some other dangerous operation, then the injury is just as much, albeit spread over time.

KC: Do you think there are special challenges for women and queer people in our industry?

AS: Ah, everyone's favorite topic. The short answer is absolutely yes, and I think the answer is a lot more nuanced than the way our industry and society handle this issue. The cultural aspect of the industry – or, really, any industry – is an important one that is overlooked. The sheer fact that the representation of these groups is so low is a comment on itself. With an estimated workforce gap of literally millions, we are an industry that’s starved for talent, and there are people in these groups looking for non-menial work. So why can't we reach them? There are factors that are either not making their access to the industry clear or are actively pushing them away. The subculture that our industry has acquired contributes to this issue. Even in North America, where these groups are not legally barred from accessing the education required to enter the industry, there are still cultural aspects that can make the industry unappealing. The roots of information security reach into that of hacker culture, and those are tied intimately with other concepts such as gaming and trolling. The reality is that these communities can tend to be very elitist and misogynistic. Furthermore, academia in general, stemming from a culture where higher education was historically only normalized for men, also carries the same sort of notion. One of the biggest misnomers is that people participate in prejudiced structures by blatantly insulting others, when in fact they often express their views more subtly in the ways that they interact with and make assumptions about one another.

While I've been mostly lucky to work with individuals who are not like this, I still have had some experiences where my success was assumed "because you are a woman" rather than the work that I contributed. Most of the women and queer people I have talked to have mentioned having similar experiences at some point. In a setting where there are few to no others in the same underrepresented group, this can become a huge deterrent for wanting to be in the industry. And so, the way that companies attempt to remediate this discrepancy becomes commoditized as a business plan. In my experience, women and queer people wholeheartedly agree that competition for work should be based on talent. Yet we now have programs and quotas that insist on a certain amount of representation in the workforce, so hiring becomes a game of meeting this quota. Underrepresented individuals must be hired not for their talent but because they will make that business culture "diverse enough." This issue is further amplified by how much this commoditization aggravates people's views on it. Discussions about the topic often degrade into complaints about the degradation of true, unbiased competition from both sides. And really, it is a valid concern because both want to be respected for their work. The remediation here is really to target the root, to target the educational institutions that provide people for the industry. If women and queer individuals were encouraged to try infosec and STEM in general from a young age, then the talent pool would inherently have this representation. Hiring would no longer become an issue of "how many" minorities a business unit has because those minorities would inherently be there already. When the talent pool is diversified, the presence of women and queer people becomes a normality rather than an exception. The social culture of the industry will also change.

If underrepresentation becomes a non-issue, then the commoditization of "diverse" talent also no longer exists, and the talent will tend towards being based purely on skill again. That being said, I would like to acknowledge that it is, in no way, an easy solution to implement. At least in my experience, it seems that there is very little dissemination of what information security even is before a post-secondary level. And post-secondary has its own plethora of issues when it comes to providing up-to-date curriculums with knowledgeable and experienced teachers that will actually provide actionable industry skills. Tackling this issue will require a massive upheaval in the way education is handled in general. It's this train of thought that really inspires my passion for thinking of new ways to present information security education training. Going through the existing educational institutions is challenging because of the barriers that are imposed on having control over program materials, control over hiring and so on. While we need to find ways to work around those issues, we also have the power to create our own education. The presence of community education events such as CTFs, conferences and workshops is of utmost importance. And with the issue of underrepresentation in mind, it is important to encourage that these events accommodate access to them, whether it's simply by making an effort to reach out to those groups or explicitly hosting events for integrating those groups into the industry.

KC: Excellent! Do you have any advice for people who aspire to have a career in cybersecurity?

AS: Don't be afraid to jump into the unknown, don't be afraid to fail and especially don't be afraid to bring your own unique talents to the table. The industry is young, and its emergence has coincided with the exponential growth of technology. There are so many areas of study in cybersecurity that do not have a definitive, fleshed-out methodology and that require creative, critical thought to develop them. There is so much room for creating new ways to solve old problems. One of my biggest anxieties when I started studying cybersecurity was that I was always trying to get it "right", and for some time, this kept me from experimenting with my own projects because I didn't want to do them if I knew they were going to "fail." But it is that failure that provides experience and knowledge, and I really believe that every skill that is learned somehow pops up in some project later. I've experienced this especially when analyzing the intersection of infosec and other bodies of study. There are huge gaps to solve in the industry, and all different sorts of talents are required to formulate solutions that coherently integrate with other issues in technology in general. It's impossible to be an expert in everything, but it is certainly viable to create new expertise!

KC: Excellent! Do you have anything else to add before we go?

AS: I think we've actually hit a great breadth of topics. Not much else to say on my end. Thanks so much, Kim, for taking the time to chat!
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.