Date: 04 May 2020
Chris Roberts: Hacking Sheep, Ships, Stations & Everything in Between
We recently had our ICE71 Distinguished Speaker Series with Chris Roberts, who shared his journey in cybersecurity, his views on the current state of the industry, and more.
How he got started with cybersecurity and his first hacking experience
Chris attributed this to his ATARI game days around the time he was 13. He mused, “I hated losing the games, so I would load the programs up, arrow them out, drop them into the command line and see how they actually worked. And then I loaded up a basic shell and just really started to figure the code out from there. At the time my father was still around, he would play a game, sometimes winning and sometimes losing, while I could play a game and become a trillionaire after like 20 minutes because I’ve hacked the system. That got me started with hacking.”
Getting a foot in the door
His advice for aspiring youth who want to venture into cybersecurity? They need to have a good attitude, and know how to reverse engineer solutions. He said, “If I’m looking at somebody who’s new, I don’t care about the qualifications. What I care about are what they think, how they feel and how they can demonstrate it.”
For those who want to get into the red or blue teams, he’d ask: “Have they built their own machine at home? Have they figured out how things work? Do they know how to reverse engineer? Have they broken things to be able to then figure out how to repair them?”
Someone new to the industry shouldn't only learn technical cybersecurity skills. Newbies should proactively connect with the cybersecurity community, for example through a platform like LinkedIn. To succeed, it's important to have good communication skills, both verbal and written, together with a collaborative mindset.
Need for effective communication
Chris lamented one of his biggest frustrations in cybersecurity: the lack of effective communication within the industry.
He spoke about the acronyms and jargon in cybersecurity.
“People outside our industry go: “How can you explain security in the language I need to understand?” This is where you talk about risk, and where you basically put your point in human terms,” Chris said.
The same applies whether it's a CEO or a CIO explaining risk to leadership. He said, “Risk reduction is about mitigation controls and compliance regulations.” And if it's a technical person educating end users about passwords, it's ultimately about “how it's meant to keep the end user safe”, and how the end user can “teach his family to be safe” too.
What deception technology is about
Chris explained this as “using technology to effectively lie to someone who's trying to break into a system”. The better the system lies to an attacker, the more the attacker interacts with it, and it is that interaction with things no legitimate user would touch that ultimately triggers the alerts.
“Or look at it as building an architecture that camouflages itself effectively,” he said. If there is a request from an attacker, the deceptive system is like a “butler”, serving the attacker deceptive credentials and setting off an alarm.
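The “butler” pattern above, written out as an added example (this is not code from the talk, from Chris Roberts, or from any vendor): plant decoy credentials that no legitimate user ever holds, and treat any use of them in the authentication log as an alarm, whether the attempt succeeded or not. The sshd-style log lines are constructed for the example, and the decoy account names, the `DecoyCredentials` class and the `Alert` structure are assumptions for illustration.

```python
"""Honeytoken-style deception: hand an intruder fake credentials, then alert
the moment any of them is used.

Added example, not code from the talk or from any product. The log format
is an assumed sshd-style line; decoy names and the Alert shape are made up.
"""
import re
import secrets
from dataclasses import dataclass

# Assumed sshd-style auth line, e.g.
# "Oct 12 03:14:07 host sshd[1234]: Failed password for svc_backup from 203.0.113.9 port 40112 ssh2"
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


@dataclass(frozen=True)
class Alert:
    user: str    # decoy account that was used
    src: str     # source address of the attempt
    result: str  # "Accepted" or "Failed"


class DecoyCredentials:
    """The set of fake accounts the 'butler' serves to an intruder.

    Passwords are random so a planted config or memory dump looks genuine;
    the detector itself only needs to recognise the usernames, because no
    real user or service should ever present them.
    """

    def __init__(self, usernames):
        self.creds = {u: secrets.token_urlsafe(12) for u in usernames}

    def as_config_lines(self):
        # What an attacker would find when dumping the planted config file.
        return [f"{u}:{p}" for u, p in self.creds.items()]

    def check(self, line):
        """Return an Alert if this log line shows a decoy account being used
        (successfully or not); otherwise None."""
        m = LOG_RE.search(line)
        if not m or m.group("user") not in self.creds:
            return None
        return Alert(m.group("user"), m.group("src"), m.group("result"))


def scan_log(decoys, lines):
    """Run the detector over many log lines and return all alerts in order."""
    return [a for a in (decoys.check(line) for line in lines) if a is not None]


# Constructed sample log (not real traffic): one legitimate login, one
# failed login by a real user, then two attempts with a planted decoy.
SAMPLE_LOG = [
    "Oct 12 03:14:01 host sshd[1201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "Oct 12 03:14:05 host sshd[1210]: Failed password for bob from 10.0.0.7 port 51040 ssh2",
    "Oct 12 03:14:07 host sshd[1234]: Failed password for invalid user svc_backup from 203.0.113.9 port 40112 ssh2",
    "Oct 12 03:14:09 host sshd[1240]: Accepted password for svc_backup from 203.0.113.9 port 40113 ssh2",
]

# Decoy account names are assumptions; pick names that look valuable on your network.
DECOYS = DecoyCredentials(["svc_backup", "db_admin_ro"])

if __name__ == "__main__":
    for alert in scan_log(DECOYS, SAMPLE_LOG):
        print("DECOY USED:", alert)
```

The detector is deliberately indifferent to whether the login succeeded: the signal is that a credential which only exists to be stolen has been presented at all, so even a failed attempt is a high-confidence indicator with essentially no false positives from normal users.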
On hacking cows and other things
Chris has hacked everything from cow pedometers to milking machines to ships.
Once, he overrode the GPS tracking data in a cow pedometer database, and at one point he had a herd of 250,000 cows virtually lurking around a friend's house! He's also made milking machines stop and “line dance” every 12 hours.
About two years ago in Turkey, he hacked into the ballast control system of a ship at a harbour. Ballast control systems give stability to ships, so hacking into them could potentially make a ship roll in the middle of a harbour. Chris has approached a few shipping companies to caution them about these insecure systems, but to no avail. It's challenging to responsibly disclose such security loopholes to a company, and most of the time it falls on deaf ears. He said, “They just want to focus on getting the ships from point A to B.”
How startups can get a foot into the door despite legacy issues
Startups need to learn who they can work with, or who has access to a particular company in a particular industry.
“It isn’t all about doing it yourself, you need to make friends, talk to people and present your ideas.”
He suggested that startups ask for advice, and even form partnerships, citing Attivo Networks as a good example. Startups need to think about how they can help make an existing process more effective and reduce risk. He said, “Don't go out and solve the world. Think about how to help others become effective.”
Top challenges CISO are facing and what keeps him up at night
Chris' take on the top challenges CISOs face:
1) Visibility: CISOs need to have visibility of all their network endpoints to know the location of their risks.
2) Too many tools, too much inefficiency: Particularly in big organisations, CISOs can have too many security technologies in place, many of which may be running at only 30 to 40 percent of their capacity.
3) Regulatory and compliance: This includes data privacy, which continues to be a huge concern for CISOs.
So for startups, offering to add yet another security tool to the mix might not be ideal. Instead, offer something that gives CISOs the visibility they need and makes their existing systems more effective, while ensuring regulatory needs are met.
“As security people, we have one job and one job only, and that is to protect the people around us.”
Rather than throwing in and relying on more technology to secure systems, he feels there is a need to take a step back: “We’re so focused on tech, we forget about the humans and processes,” and added that we should instead ask this: “What can I do to help?”
Watch the video of the whole conversation including the interactive Q&A at the end: