Red Teaming
Kim Crawley, Sep 03, 2021
I’ve been in the cybersecurity industry and hacker culture for nearly fifteen years now. I once knew very little, now I know a little bit more, and I’m always learning. My expertise keeps growing through my work and my conversations with hackers and infosec people. In that process, I’ve definitely developed some strong opinions. And sometimes cybersecurity people are wrong about things. The myths I will address in this post are often circulated through Twitter and other corners of the internet. As Peter Griffin would say, they really “grind my gears!” If we can put these myths to rest, we can make the computer world a more secure place for everyone.
Myth: “Never ever tell people on the internet what your favorite food is, your favorite sports team, the name of your dog. You’ll reveal your password retrieval answers and destroy your user account security!”
Fact: If discussing yourself and your life at the most basic, conversational level is a threat to your cybersecurity, then the security design is terrible! It’s neither practical nor reasonable to encourage this sort of hyper-paranoia. Good, pragmatic security behavior makes it relatively safe to discuss yourself like a normal person. So there’s a much simpler and far more feasible way to address how awful password retrieval (account recovery) answers are as a security measure: don’t give honest answers to them! Anything an attacker can look up, or guess from a short list of common pet names and birthplaces, is not a secret. Tell the password retrieval form you were born in Neverland, your cat’s name is Hghgngbnkgbjhti, and your mother’s maiden name is RFVfrvrkmgkbmtb. Treat each answer as just another random password: either give up on ever recovering your account with answers, or store them in your password manager (most allow notes or custom fields per login). Either way, security-harden your life so you can safely talk about your cat and your hobbies on the internet.
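To make the point concrete, here is an added example (my own illustration, not code from the original post or from Hack The Box). It generates random recovery answers the way a password manager would, estimates their entropy, and simulates an attacker trying a constructed wordlist of common pet names against an honest answer versus a random one. The pet-name list, the question names and the helper names are all assumptions for the demo.

```python
"""Random account-recovery answers vs. guessable ones.

Added example, not part of the original post. The wordlist below is a
constructed sample of popular pet names, standing in for the far larger
lists an attacker would actually use.
"""
import math
import secrets
import string
from typing import Optional

# Alphabet for generated answers; 62 symbols gives ~5.95 bits per character.
ALPHABET = string.ascii_letters + string.digits

# Constructed attacker wordlist (hypothetical, kept tiny for illustration).
COMMON_PET_NAMES = [
    "Max", "Bella", "Charlie", "Luna", "Lucy", "Cooper", "Daisy",
    "Milo", "Oliver", "Buddy", "Rocky", "Molly", "Tiger", "Simba",
]


def generate_answer(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a cryptographically random string to use as a fake answer.

    secrets.choice draws from the OS CSPRNG, unlike random.choice.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def guesses_to_recover(answer: str, wordlist: list) -> Optional[int]:
    """Simulate an attacker working through a wordlist (case-insensitive).

    Returns the number of guesses needed to hit the answer, or None if the
    wordlist never matches (the attacker is left with brute force).
    """
    target = answer.casefold()
    for attempt, candidate in enumerate(wordlist, start=1):
        if candidate.casefold() == target:
            return attempt
    return None


def build_recovery_record(questions: list) -> dict:
    """Map each recovery question to an independent random answer.

    This is the record you would paste into a password manager's notes or
    custom fields for the account in question.
    """
    return {question: generate_answer() for question in questions}


if __name__ == "__main__":
    honest = "Luna"                   # what a person might really answer
    fake = generate_answer()          # what the password manager stores
    print("honest answer found after", guesses_to_recover(honest, COMMON_PET_NAMES), "guesses")
    print("random answer found after", guesses_to_recover(fake, COMMON_PET_NAMES), "guesses")
    print("random answer entropy: %.0f bits" % entropy_bits(len(fake)))
    print(build_recovery_record(["First pet's name", "City of birth"]))
```

The honest answer falls to a handful of guesses, while a 20-character random answer carries roughly 119 bits of entropy and never appears in any name list, which is exactly the property a real password already has.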
Myth: “My entry level SOC analyst needs a CISSP.”
Fact: As a cybersecurity training company, here at Hack The Box we have great respect for particular credentials. But a CISSP is basically the equivalent of a PhD in our industry. CISSPs should only be expected of very senior (often executive) roles, such as a Chief Information Security Officer. The majority of cybersecurity jobs shouldn’t require expensive certifications. Heck, you need several years of industry experience to get a CISSP or some other certs, regardless of your knowledge and expertise. These unrealistic hiring expectations are keeping possibly millions of cybersecurity roles worldwide vacant, hurting security everywhere.
Myth: “This operating system is more secure than that operating system.”
Fact: I’m a huge Linux fan. But I have researched cyber threats for enough years now to know that you can’t really say one particular operating system is more secure than another. Our labs feature vulnerabilities in many popular operating systems, including Windows, Linux, and Android. Your operating system of choice can be pwned, no matter what it is! I’ve learned that endpoint security has a lot more to do with how an operating system is configured, patched, and used than with your choice of platform.
Myth: “Hackers do bad things.”
Fact: Hackers are the good guys.
There you go, there’s some food for thought. Hopefully, I’ve got the hacker community and the cybersecurity community talking. Let’s banish these harmful myths, together!