Women in information security, being a minority, deserve a spotlight. Previously, I've interviewed Tiberius Hefflin, a Scottish security analyst who is currently working in the United States, and Tracy Maleeff, a woman who went from library sciences to infosec, who's now a host of the PVCSec podcast, and who runs her own infosec business. Recent years have brought greater visibility to people who don't completely identify with binary genders, male or female. I think openly nonbinary people are even less visible in our field than binary women are. Isly identifies as a nonbinary femme, and she works as a penetration tester for the defense industry.

Kim Crawley: Hi, Isly! How would you describe your job and title?
Isly: I'm a penetration tester for the civil department of a defense contractor.
KC: That sounds pretty intense!
I: We're all pretty laid back.
KC: My husband did pentesting for the Canadian Forces over a decade ago. Do you have any favourite pentesting suites?
I: If it wasn't civil and was government, I'd be less hesitant to work there, for sure. We have some folks who are still active reservists. Suites? Hmm. Depends on the engagement, really. I just did an OSINT engagement, and we made use of Maltego. I mostly stick to Kali and sometimes use Metasploit. I've stuck myself with Linux.
KC: Are there a lot of plugins for that? Most of my familiarity is with OpenVAS.
I: Well, we don't do scanning, really. We have another team for that. Mostly we do black box and fuzzing and then follow up with Nessus for anything we may have missed. Some of us specialize in industrial control systems (ICS)/SCADA, so they have their own tools. We're learning Dradis next week, in fact.
KC: I think the earliest versions of Kali were incomplete, package- and feature-wise. But the latest releases are much improved.
I: Yeah, that's what I've heard. It's quite useful.
KC: Have you done a lot of SCADA work? What do you think of some people speculating about SCADA IoT? I think SCADA systems should only connect to private internal networks, anyway.
I: I haven't done any, but my mentors and colleagues at work have, and I'm sure I will within the next year. If they're considering SCADA-based IoT, that makes me nervous. They're just so uniquely vulnerable, and when one domino topples in an ICS layout, they all do.
KC: Those of us with knowledge of infosec are concerned, but the suits often won't listen.
I: Also, a lot of people utilizing SCADA have everything on a lateral network connecting to it. That's very problematic.
KC: Have you seen utilities experience downtime due to that?
I: I personally haven't, but some of my friends have surrounding the need for engagements over the last few years. They're people I work with, so I trust the source.
KC: It's especially scary when it affects stuff like nuclear power and sanitizing water.
I: Yeah, those things are horrifying, I agree. It can be done safely, but it takes careful planning.
KC: So, how did you get into infosec?
I: I started out as a Linux sysadmin, and my company needed help with the abuse department. I kind of flourished there, then went into abuse department management. But then I enjoyed the technical guts of the work too much, so I moved into other fields in infosec.
KC: So, something must have gotten you into sysadmining in the first place.
I: I worked in a completely unrelated field for a decade. I moved and I wasn't allowed to keep my job. I got laid off. After not having a job for seven months, I finally applied as tech support for the sysadmin job, so the lowest level. And it turns out I had a knack for it, and moved up from the lowest level to admin to tech management within five years.
KC: From a helpdesk background, I always thought that was the lowest level of IT. I think sysadmining can be more stressful, but it generally pays better.
I: Yeah, helpdesk, call centre, chats… it's very low level. I'm glad my company then gave me the chance to earn my way into a sysadmin role. More complex problems, with a bright side: fewer issues about billing and people yelling in my ear.
KC: Did your employer realize your gender identity?
I: Yes. There were fewer and fewer females the higher up I got into the admin department.
KC: Did you ever feel like you had to fight against sexism in IT?
I: I was the first non-male technical leader the company had ever had in the admin department, as a supervisor for admins. So yeah, I did. I felt like I had to prove myself double. I worked extra hard. There were men in that role who didn't pull their weight.
KC: Did you have a lot of private sector experience before you got into the public sector?
I: No, I had no private sector experience. I've had very few employers, as once I like somewhere, I tend to stick around. It's kind of against what people do now, with changing jobs every year or two for greener grass. Now people expect to do that.
KC: I guess you're kind of lucky that way. Aside from my long helpdesk gig, all of my infosec work has been contracting.
I: I'm a consultant, full-time, so luckily not contract, and a lot of the people I work with have been with the company for several years and enjoy it. It's nice for family life. That can also let you travel.
KC: Okay. See, I was writing study material for CISSP and CEH programs and I had to self-teach. I learned those exams that way, and that's backwards.
I: Same on self-teaching. The last job where I did some security sysadmin work was barely scratching the surface. And they didn't wanna pay for anything but Security+, which is garbage compared to what's out there.
KC: Do you think infosec employers are getting stingier like that?
I: I can't really say. That employer wasn't an infosec employer. They just needed some attention to security, so it wasn't their primary focus. If you wanted the RHCSA/RHCE, they'd pay and give you a promotion. Here at this employer, they really do care. I got signed on with a ninety-day paid OSCP lab because they recognize it's a good certification. We all get one training or cert paid per year. They also pitch in for bigger security conferences.
KC: You should count your blessings.
I: I really do. One of my female friends on Twitter is required to speak at four conventions a year, but I don't know about certs. I'm sure they also provide them, but it's a huge company she works for.
KC: Do you think you've had a socially progressive influence?
I: Oh yes. That said, in all these years, I've been doing technical work. So there have been few females or non-males. That said, I have tattoos and some minor facial piercings and coloured hair. I leave the latter two visible but demure and wear long sleeves. I applied to about twenty things before I got the job I'm in now, and that was only because a friend who works there referred me. So yeah, it's hard with how I am and how it is.
KC: You couldn't just demonstrate that you could reverse engineer a piece of malware (that obviously isn't Stuxnet)?
I: I don't know how to reverse engineer! I applied as a SOC Analyst because I didn't think I could do anything more complex after being just a sysadmin who read logs. But with this shop, I applied to a SOC Analyst position, and they felt I had the brain for pentesting, so here I am. I don't have a lot of self-confidence at the end of the day.
KC: I think all that log analysis can hurt your eyes if you don't have a bunch of metrics monitors and log analysis software. But then, what if the log analysis software has a catastrophic bug?
I: I didn't have the luxury of using software back at my old job. I got very used to using 'less' and 'grep' and 'regex' to pull what I found.
KC: Wow, you get extra respect from me. But back to the idea of women in infosec, do you think it's detrimental to the field when 99% of us seem to be male? The lack of diversity?
I: Yes, but that can be spread to a large portion of the IT world. I know way more femme and non-male developers than I do in infosec. I'm only one of maybe three non-males in a team of twenty-six, I think. The ratio was worse at my old job for admins. Even worse for tech support. Though there are lots of females in non-technical roles there, like sales and billing.
KC: What would you say to a young girl who's interested in an infosec career who might be reading this?
I: I'd quote Dual Core's paraphrasing of his own rhymes, and say, "Find all the clues, hack all the things."
KC: Make IoT Barbie say "Math is not hard."
I: Ha, IoT Barbie! I forgot that existed.
Conclusion
Tune in next time for my next interview with Kat Sweet, another woman in information security.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute's CISSP and CEH certification exam preparation programs. Ever since, she's contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This October, she gave her first talk at an infosec convention, a penetration testing presentation at BSides Toronto. She considers her sociological and psychological perspective on infosec to be her trademark. Given the rapid growth of social engineering vulnerabilities, always considering the human element is vital.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.