In my last interview, I spoke to Katherine Teitler, who is the director of content for
MISTI Training Institute. She also helps run the InfoSec World conference.
This time, I spoke with
Carrie Roberts. She has a senior red team role with Walmart. She's also a pretty good cartoonist if I say so myself.
Kimberly Crawley: Tell me a bit about what you do.
Carrie Roberts: I am a Senior
Red Team Engineer for Walmart. This means I work with a team to perform the same kind of attacks against Walmart computer systems as actual adversaries. By doing this in a controlled manner, our team is able to demonstrate – in a tangible and impactful way – where weaknesses are and suggest areas of improvement. These exercises also allow the organization to measure their detection and response capabilities. Think of it as a scrimmage while practicing a sport.
KC: Does Walmart give you information about the networks you
penetration test for them?
CR: I can't give specifics about my work at Walmart, but in general, a red team is not provided with privileged information to keep things more representative of an adversary.
KC: How did you get into redteaming in the first place? Did you do red team work for other companies before you were hired by Walmart?
CR: I spent 10 years as a mechanical engineer when I was encouraged to learn computer science to diversify my skillset. After one trial class, I was sold. I finished a degree in computer science and started writing code. I first learned about pentesting when my code failed a security audit. I was surprised that I hadn't been taught anything about these issues in school. I felt shocked, horrified, vulnerable, intrigued, and more. So, I resolved that I could not be a good developer until I knew how to develop secure code.
I took some secure coding classes and enjoyed it so much that I pursued a degree from the SANS Institute in Information Security Engineering. During those studies, I determined that being a pentester was the ideal job for me. I spent three years as a pentester for Black Hills Information Security before recently moving into the red team role.
KC: What do you think some general misconceptions are that people have about pentesting?
CR: I think the biggest misconception is that penetration testing and vulnerability scanning are the same thing. Vulnerability scanning is simply running scanning software against a resource and printing out a report. Pentesting is much more than this. I wrote a blog post on the difference between pentesting and vulnerability scanning called
Wedgies & Penetration Testing, complete with a hand-drawn comic!
KC: Awesome! Even though you entered school to study engineering, were you a computer geek as a little girl?
CR: No, but I did enjoy my computer classes in middle and high school. In 7th grade, I was awarded a CD with the Family Feud game on it for winning a class challenge in computers. I thought that was the coolest thing ever. This is my first memory of thinking computers were amazing, but I was big into athletics and didn't use computers as a hobby.
KC: Do you think it's easier for women to enter the cybersecurity field now than it has been previously?
CR: I haven't experienced anything that I felt made getting into information security hard because of my gender, but I do see many organizations coming forward to encourage and support women in this field, so I think that helps. On a related note, I have experienced attitudes and behaviors within the community that can deter people, perhaps women especially, from choosing the profession. For example, crude language and behavior at some popular conferences and an “I'm awesome and you're not” message that comes through, particularly in the online community.
KC: Yeah, geeks can have terrible social skills sometimes. But it's never an excuse for misogyny. What do you think are some of the biggest cybersecurity problems these days?
CR: Not enough trained personnel to fill the need. The threat landscape is huge and ever-changing. It will always be difficult to keep up on it and manage it.
KC: Do you think employers should think outside of the box when they hire cybersecurity professionals? Many people have a lot of skill and knowledge but no certifications or academic degrees.
CR: That is actually one of the things I have appreciated in this industry so far, at least on the pentesting side. Employers focus on actual skills and not just how you look on paper. But I'm afraid that as the industry matures, employers will demand credentials more and more.
KC: Is there anything you'd like to add before we go?
CR: Infosec is an awesome career choice. I have thoroughly enjoyed it even though I started late in my career. If you do encounter some negative experiences, don't let it get you down. Take it on as a challenge to overcome and think of how sweet the story will be when you look back at what you have overcome.
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.Her first solo developed PC game, Hackers Versus Banksters, had a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
