1. I Hack, You Hack, We All Hack! … or Why Cybersecurity Is Great for Underrepresented Communities
Kara Harkins
Urban Institute
@kara_h
#WITSMA20
April x, 2020, Women In Technology Midatlantic
2. Who am I?
Investigating: more work in cyber security (cybersec) to add to my toolbox
Current title: Senior Web Developer at the Urban Institute (been here since 2004)
Previous jobs:
Applications Developer (White House, IRS, Urban)
Network Operator (Rockingham Memorial Hospital)
Systems Manager (James Madison University)
3. Now the non-resume stuff
I was doing programming before high school (yes, in the 70s).
I was the student who was more used to being called to sys managers’ offices than to those of principals and deans.
If I were in college today people would decide I was headed to cybersec/hacking, but this was the 80s. I wanted to study computational physics (probably even more obscure than cybersec back then), so CS grad school and programming it was.
Basically, I am a computer generalist. My career concentrates more on breadth of experience than depth.
11. For this I will use the terms hackers and infosec as the good guys
It can also be read as defenders here. The overlap of security and hacking is not exact (in fact it was even the DefCon theme last year), but at a high level it works.
This is also part of my attempt to stop the word being seen as scary to people.
13. Why is diversity needed?
Not much representation from diverse communities right now. Any field benefits from different voices.
Hacking is about looking at problems differently. Black hats are *counting* on people all doing the same thing.
High demand. High salary.
14. Jobs – staff (just some)
• Cyber Security (CyberSec), Information Security (InfoSec)
• Physical Security (may work in CyberSec later, some overlap)
• Blue Teams (Defense)
• Application Security
• Web Security
• Automotive Security, IoT Security
• Cybercrime Investigator
• Auditor
• Security Architect
• Network Security Administrator
• Trainer
• Data Security Analyst
15. Jobs – contractors (may also be staff)
• Penetration Testing, Tiger Teams, Red Teams (Offense)
• Bug Bounty Hunter
• Data Recovery
• Virus Technician
• Ethical Hacker
• Data Recovery Specialist
• Forensic Computer Analyst
• Security Consultant
• Vulnerability Assessor
17. What is your first reaction? Why?
Hackers will pay attention to this more than the best lock on the market, but good luck convincing people to use only a sign. I would not suggest it anyway, as black hats will love it when there is not a lock.
18. What is your first reaction? Why?
This is traditional security.
Intense curiosity about what is beyond the door but annoyed there is a lock. Remember, signs keep out hackers more than locks.
Ex: I got the combo to a door leading from my lab once because it was like fingernails on a chalkboard not to know it. I had no desire to be in that other room; the point was the lock.
19. What is your first reaction? Why?
Security through obfuscation: someone WILL find it. This is the worst form of security next to no security.
Yes, I have encountered this with computers.
22. Not all hacking is hard
Social engineering … people WANT to help
- locked door? Approach it with your arms full when someone with access is going to it.
23. Lockpicking
• Do not always need to do … a lot of things are keyed alike
• Information is your friend
• Can find reasonably priced picks and places to practice … google
Sometimes used in pen testing.
24. Tech stuff
• Lots and lots to learn about here!
• First thing: how to properly lock down your own machines (even if someone else will do the work).
26. Resources - conferences
BsidesDC (www.bsidesdc.org)
DefCon (www.defcon.org) … getting more diverse, for example, queercon
Local DefCon groups (www.defcon.org/dcpages)
Hint: Volunteer! Good networking, and often a perk is free admission.
27. Resources - Books
‘Hackers’ – Steven Levy
‘Cuckoo’s Egg’ – Cliff Stoll
While these two are my favourite hacker books, they are closer to the mainstream. At the same time, neither is a perfect example of that. Part one of Levy’s book is about college kids and Stoll is an astronomer.
31. Advantages in general
Attackers assume defenders will look at the world just like everyone else. What if that assumption does not work, though?
For example, some people will see tasks as needing to be done fast, so will see something as impossible. Meanwhile you may be used to being patient to get something done. Bingo! A solve to what others call impossible.
See the advantages?
32. Example: advantages to ADD/ADHD
Hyperfocus when interested
Pattern recognition
This means a person with ADD or ADHD would be GREAT at spotting attack patterns when engaged in finding an attack. This is something an attacker may want to slip under the radar with.
33. For the discussion please pull up these:
http://techgenix.com/cybersecurity-skills/
[google: cyber security skills]
https://cybersecurityventures.com/50-cybersecurity-titles-that-every-job-seeker-should-know-about/
[google: cyber security titles]
34. @kara_h
How can you see advantages in other unrepresented groups? How can they apply to cyber security?
What strengths does a group have? How can those strengths work in cybersecurity?