Last time, I had a great chat with Anna Westelius. She has a lot of experience with everything from web security to Linux driver development, and I learned a lot from her.
This time, I had the pleasure of talking with Virginia Robbins, otherwise known as fl3uryz. Not only is she an expert in malware detection; she also founded The Diana Initiative, a cybersecurity event focused on women in our industry.
Kim Crawley: Please tell me a bit about your cybersecurity career and how you got there.
Virginia Robbins: Originally, I gained an interest in computers in my teens by simply watching my big brother using a computer. I later acquired an 8086 and started coding. I loved it so much that I studied for a BS in Electrical Engineering followed by an MS in Computer Science after I realized how I loved both hardware and software. I gained an even stronger interest in cybersecurity by chance as a sysadmin at the university and while working at Intel as a security software engineer developing self-modifying agents and other security applications.
I continued on that path by working at Microsoft and McAfee on diverse projects researching and developing TPM, BitLocker, Elliptic curve crypto for TLS, anti-malware products, endpoint security and so on.
KC: Well, that’s pretty cool! Considering your work on anti-malware, what do you think about different kinds of heuristic malware detection?
VR: Aside from behavioral-based detection techniques, which have false detections and performance issues, there is research and integration of diverse heuristic detection techniques out there using machine learning and data mining that all have their pros and cons.
For instance, the API system call technique is good at detecting unknown malware with fewer false positives and good performance; however, it only does binary detection and produces a large data set. The CFG with API call technique is better because it has low false positives, a great detection rate and can do metamorphic and unknown malware detection with less complexity. There is also the OpCode method that can detect obfuscated malware in addition to metamorphic and unknown malware.
The drawback for obfuscated malware is the high number of executables. Another technique called N-Grams also improves detection with low false positives but introduces time complexity. Some other methods like content-based behavioristics improve detection, but training time takes a long time.
KC: That’s fascinating. What are some misconceptions about the work that you do?
VR: In terms of anti-malware, there is a common misconception that anti-malware is enough to protect your machines. Anti-malware is just a small subset; comprehensive prevention applications and user education are just as important considering the weakest link is usually a user clicking a malicious link.
I also forgot to mention that I am currently focusing on improving gender diversity in the cybersecurity field by co-founding a 501c3 charity called the Diana Initiative and by encouraging women to submit talks to diverse security conferences. Another misconception about the work I have done is this notion that cybersecurity and computer jobs, in general, are male jobs.
I am hoping this interview can show that women can do this job just as well. I would like to help encourage and support other women. To those who might read this, I would like to tell them that we all have the ability to excel in the highest technical and executable ladder levels regardless of gender.
KC: Yes, I’m familiar with The Diana Initiative, and I’m happy you founded it! Can you tell me a bit more about it?
VR: The Diana Initiative is a non-profit 501c3 charity which has the mission of encouraging diversity and supporting women who want to pursue careers in information security, promote diverse and supportive workplaces and help change workplace culture.
We try to achieve this via our online presence and by organizing a two-day event during DEF CON where we hope to bring together information security professionals of all experience levels and talk about educating women and allies on breaking into and succeeding in the cybersecurity field.
We try to create communities of support and mentoring, in short, an environment for women and their allies where we can discuss gender diversity, come together for the chance to form deep friendships and mentoring relationships, provide a space for women to showcase their work and technical research as well as teach our attendees how to find the work they want to do in information security.
Our event will take place on August 9th and 10th. Please check out our website; you can find us on Twitter at @DianaInitiative.
KC: What led to you founding The Diana Initiative?
VR: First of all, I did not start this to solve the gender gap issue. I am not even claiming to know how to fix it exactly. I personally originally decided to co-found The Diana Initiative from a desire to be part of a supportive infosec women-oriented group while attending DEF CON. The cybersecurity field has very few women, and as a result, I have felt isolated in my profession from my own gender. As much as I like to be surrounded by amazingly smart and talented co-workers, I felt the social and gender supportive aspect needed improvement due to a few less-than-ideal experiences.
In addition, it is such an unfortunate missed opportunity to not be able to hear the voices from potentially half of the population, some that might have different ideas and ways to research and solve a problem. So some reasons for creating the Initiative was simply my curiosity at what my own gender thinks about diverse cybersecurity topics.
KC: What are some misconceptions about what you do in your day job?
VR: Those who are not familiar with encryption think it will be safer to hide secrets in code or data by obfuscation or by rolling their own crypto. Hiding secrets by obfuscation or rolling crypto is never a good idea, for someone in the field is going to break it eventually, and there is a good chance someone’s own crypto will have more vulnerabilities than a crypto algorithm that has been reviewed, used and tested by many in the field.
KC: That’s excellent. Is there anything else you’d like to add before we go?
VR: Thank you very much for giving me the opportunity to get interviewed. You are doing an amazing job interviewing all these smart ladies and giving them a voice.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.