Lessons from Teaching Cybersecurity: Week 5

As I had mentioned previously this year, I’m going back to school. Not to take classes, but to teach a course at my alma mater, Fanshawe College. I did this about a decade ago and thought it was interesting, so I was excited to give it another go. Additionally, after a friend mentioned that their kid wanted to learn Python, I developed an Intro to Python class aimed at high school students that I’m teaching weekly. I thought that this would be good fodder for the State of Security. So, whenever I have something interesting to discuss, I'll post it here. Week 5 proved to be an interesting week for a couple of reasons. I volunteered seven hours of my time to provide extra Python help to some of the college students who wanted to put in more time with the language. We had SecTor, which my team here at Tripwire along with several of my students attended. In my high school class, we reviewed their previous week’s quiz, and with the college students, I discussed obfuscation. It was the obfuscation that I wanted to talk about this week.

Shroud of Mystery

Cybersecurity is shrouded in mystery. To be fair, many industries are, but there’s something different in our mystery. Sure, companies like Coca-Cola and KFC keep their recipes under lock and key, but that’s one aspect of their business. In our industry, everything is a mystery. From businesses to criminals to enterprises to individuals, everyone wants to keep information secret and limit the flow. Everyone thinks they have a reason to do this, and in many cases, they are correct. For those entering the industry or learning, this can make the waters even trickier to navigate. Interestingly, there’s a lot that we don’t intentionally hide, but it remains hidden to those not in the know. This stood out to me as I discussed obfuscation with my students this week. While we may not lock up recipes like the food industry, we definitely obfuscate a lot of the information behind communities, working groups and even private cliques. I don’t think this is intentional. It’s just the nature of security. Take groups like Infragard in the United States or CCTX in Canada, for example. These organizations are only open to individuals of their respective nations. There are reasons for this, but in the grand scheme of things, do these reasons make sense? They definitely control access, but a nation-state or organized group would likely have means of infiltrating these organizations if they really wanted to.

Finding the Point

So, what’s the point of this post? Perhaps my point is so finely obfuscated that it is impossible to see. The point is to ask yourself if obfuscation is necessary. Are we making it harder to get access to information than we need to? I was discussing this with a colleague, and he pointed out that years ago, you commonly heard the phrase, “Security through Obscurity.” We’ve accepted that maybe it isn’t the best approach to security, but somehow we'll still obfuscate data and resources from time to time. The question we need to ask ourselves is whether or not that obfuscation is necessary… is security improved by requiring individuals to jump through steps to de-obfuscate knowledge? Unrelated question: Deobfuscate or Unobfuscate? Let me know your opinion on Twitter, as people seem to be split.

Still Looking for that Point

The reason I found myself thinking about this is that my students’ lab this week on obfuscation led to varied results. While some students finished the lab quickly via intentional shortcuts, others took their time to really understand what was happening. Finally, some students struggled and were frustrated. The way I look at it, that translates into three types of employees. Those that will get the job done and deliver it quickly; those that will take their time and future-proof the job, building something that is easy for future engineers to maintain; and those that want to do the job but are missing the knowledge or critical thinking to accomplish the task and may need some help. We also attended SecTor this week, a conference designed to convey the latest in the security world. We work in an industry where people come together on various scales in multiple venues to educate each other. From local meet-ups to industry-specific conferences to cybersecurity mega shows. We have people who work together to de-obfuscate our industry, to demystify it. Think of how difficult that must be for people entering the field, how frightening it must be. Even as employers, we need to be aware of the mystery around what we do with new employees. I recently found out that a tool I’ve used for nearly a decade that I wrote to accomplish a task was unknown to several of my team members. I hadn’t purposely hidden its existence. I wasn’t trying to obfuscate certain tasks. It just hadn’t crossed my mind that the one time I shared it, not everyone immediately jumped on it and remembered it. In other cases, people do purposely obfuscate their roles and responsibilities. They consider it a form of job security, and that makes it even harder for new people starting out.

Look Mom! A Point!

At the end of the day, my point is simple. We work in a confusing industry that spans the globe, that spans verticals and that spans a variety of responsibilities. A mistake in our line of work could shut down cellular networks or payment systems, render areas without utilities or, worst case scenario, take a life. Luckily, for most of us, these are stresses we won’t likely realize during our careers, but some will. We need to make it easier for people to step into the role of defender, the role of "Protector of the Enterprise." We should make it our goal to de-obfuscate knowledge in our industry, to demystify actions that we take and to enable learning with employees regardless of their time with an organization.