What I Learned at Career Day

In early 2019 I wrote an article for the ISSA Journal titled, “Application Security, Ethics and 8-year olds” where I described the chain of events related to my son finding a bug in a software product at school.  The experience of walking him through the reasons behind the software bug, his responsibility of using software provided by the school and disclosing the issue to a vendor was eye opening.

In January of 2020, I had the opportunity to present at an elementary school career day, to which I spent some time with a 4^th grade class on security testing, staying safe online and what skills are needed for a job in information security.  I wanted my time with the class to be very interactive, so outside of a few questions and a word search, we were going to wing it a bit.  I opened with a relatively high-level question:  What things do I do at my job that you also do at school?  If you know a child that asks why they need to finish their homework, take pride in their work, or simply doesn’t think what they are learning is relevant, this one question may be a good start.  For the class and me, it started a 40-minute discussion that left all us smarter than when we began.

 

The 4 Rs

The initial responses from the class were correct with reading, writing and arithmetic (well, math) leading the way.  Research also was mentioned, which I would consider to be a fourth “R” these days.   They understood a penetration tester continually needs to read and they had some great answers when asked, “What do I read for my job?”  Their replies included:

• User manuals
• Code
• Previous reports
• Information my clients email me
• Things on the Internet

All spot on.  When asked about what I write their replies were similar, but still very accurate (i.e.  reports, email, blog posts, etc.).  When it came to math, the conversation went two ways.  First, we discussed the correlation between math and programming at a very high-level.  Many of the kids had used code.org and a few had gone to camps.  However, we also ran through some very 4^th grade examples, such as the following:

“If [insert gaming company name] has 3 data centers worldwide and 32 servers in each data center, how long would it take us to test the environment if each server takes us 4 hours to test”.  Luckily no one questioned me on having a data center as opposed to using cloud services, but with more time we may have gotten there.  The class had several questions related to jailbreaking an iPhone and I was even specifically asked about Checkra1n.         

Finally, with research we discussed how some technologies are new and how to learn about them.  Conversely, I showed them a few pictures of various items that were at their time technological advances, but are no longer used much.  While the class quickly recognized objects like Alexander Graham Bell’s original phone, the one object that took them a little longer was this (note:  with a proper label I think they would have gotten it quicker):

Figure 1 - 5 1/4 Floppy

https://www.ibm.com/ibm/history/ibm100/us/en/icons/floppy/transform/

 

Speaking the Same Language

Overall, the kids knew more security and IT related terms than I thought they would.  While I knew some of them had the basics of programming, their knowledge of what phishing is, what a firewall does, and good password hygiene was impressive.  While they don’t have the basics of encryption down, I think they ready for Alice and Bob, and the concept of FIDO2 and better authentication would be understood.

There were two terms that did have different connotations, or could easily be taken out of context.  Hashes, when used in the context of authentication and passwords, are not related to hash tags.  Also, text books, to which I brought in a few from the late 90s (search for ISBN 0471170674 as an example) have nothing to do with texting.

 

Keep Asking Questions

My experience at career day was great and if you have time to volunteer to talk about information security with kids, my recommendation is to take the opportunity.  While demonstrating a proof-of-concept of the latest Citrix vulnerability (CVE-2019-19781) may have shown what remote code execution is and would have really resonated with a few in the class, letting the discussion go its own way was the best approach for me.  I’ve found the more questions you are asked, the more questions you’ll likely have answered. 

 

---

 

Career Day Q&A

Thanks to the fourth-grade class that had great questions and answers during my time at the school.  Below are answers to the questions we didn’t get to.

Q:  Is it true that crashing a game is bad and you can code a game to cheat it?

A:  If you intentionally attempt to crash a game it would be considered a denial of service attack and yes, that would be bad.  Additionally, players can and do find ways to cheat games.  The game providers often will have cheat detection mechanisms in place, but they aren’t perfect. 

 

Q:  Has there been any major security breaches or vulnerabilities with a corporation or website?

A:  Unfortunately, yes there have been major security breaches.  The largest breaches generally involve credit card numbers and/or access to personal information.  Two of the most recent vulnerabilities relate to Citrix products and Windows 10 patches.  

 

Q:  What are some good colleges to get you on the road to hacking?

A:  These days, many schools have very good Information Security / Cybersecurity programs.  There are great programs online and on campus.  Depending on the school, the IT security programs may be in the computer science and engineering department or a business / management information systems department.  Some of the more prominent ones also have large centers of research, such as the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.  That said, you do not have to wait until college to get on the road.  There are plenty of free resources available and options to play and learn in a free and safe environment.   

 

Q:  Do you ever make viruses?  Can you take a virus off a computer?  Lastly, on a scale of 1 to 10, how do you like your job?

A:  Great question.  I’ll answer these separately:

1. A virus is one type of malware, which usually modifies one or more files on a computer and then attempts to reach other computers.  We do write code that provides some functionality similar to viruses; however, our code does not cause any damage and is used in particular circumstances known by our clients.
2. Yes, we can remove viruses from a computer.  There is software to help detect and remove viruses. 
3. 10, my job is great!

 

Q:  Have you ever stopped and seen somebody hacking (in a bad way)?  What is your favorite part of your job?

A:  Yes, I have seen individuals hack in a bad way.  Some of the more common malicious attacks involve ransomware and crypto miners.  Our team tries to find the weaknesses in systems before those who hack in a bad way have an opportunity to take advantage of the weakness.  My favorite part of my job is having the opportunity to work with an incredibly talented team. 

 

Q:  What happens when you jailbreak something?

A:  Jailbreaking a device means you bypass controls that are intended to restrict (and often protect) access to the device.     

 

Q:  What kind of work do you do for gaming companies?

A:  Gaming companies have a lot of information on their players and customers.  We assess these companies’ policies, procedures and technologies to ensure player and customer data remains safe.

 

Q:  How long does it take to hack into a system?

A:  It varies a lot.  Insecure systems can be compromised in a matter of minutes, whereas well secured and maintained systems may not be vulnerable to known attacks. 

 

Q:  What are some problems you encounter and conquer every day?

A:  We see new systems and vulnerabilities all the time.  However, some of the ones we see often include individuals falling for phishing emails, applications that do not have proper input validation and systems that are not properly patched. 

 

Q:  What things do you do to get better at your job?

A:  Trying new things.  There are always new vulnerabilities, tools and technologies.  To really understand them, you need to get hands on and try them out. 

 

Q:  What is the address of your website?  I would like to visit it and see your blog. 

A:  Our site can be found at https://www.schellman.com and the blog is at https://hub.schellman.com/blog.

 

Q:  Are there other companies you are working against?

A:  While the security industry as a whole works best with collaboration, there are other firms that provide security assessment services. 

 

---

 

About the Author

Matt Wilgus is a Principal at Schellman, where he heads the delivery of Schellman’s penetration testing services related to FedRAMP and PCI assessments, as well as other regulatory and compliance programs. Matt has over 20 years’ experience in information security, with a focus on identifying, exploiting and remediating vulnerabilities. In addition, he has vast experience enhancing client security programs while effectively meeting compliance requirements. Matt has a strong background in network and application penetration testing, although over the past 10 years most of his focus has been on the application side, with extensive experience testing some of the most well-known IaaS, PaaS and SaaS providers.

More Content by Matt Wilgus