Soft Skills Needed in Cybersecurity

Transcript

Welcome to A Cup of Joe. Today I want to talk about the talent crunch and letting your hackers, well, hack, hire for passion, train for skills. Is that just some fluffy, ethereal idea, or can we really do that? I mean, it sounds like a great idea. And I’ve often said that you can always tell a good technologist because they have that certain thing genesis quad the ability to look at a problem and tear it down into its individual pieces. But is that enough? Theoretically, if they have the passion, teaching them the tools and the methodologies and approaches for red teaming or blue teaming should be easy. At that point, we’re just talking about the mechanics of what we do. But they also need to have soft skills if they’re going to be wildly successful.

So what are soft skills? Soft skills, also known as interpersonal skills or better known as people skills, are the nontechnical abilities that enable someone to interact effectively and smoothly with others. Those skills can include a strong work ethic, self-motivation flexibility, creativity, empathy, time management, organization and even humor. But in the infosec space, the skills that are most often needed and that frequently come up a bit short, are communication and confidence skills. Communication in both the written and spoken word is an absolute requirement, as it is critical that we are able to articulate our findings and whatever the risks that come with them. The confidence and negotiations skills are helpful for when a customer pushes back on our findings. Now, Wikipedia says that confidence is a state of being clear headed. Either that a hypothesis or prediction is correct and that a chosen course of action is the best or most effective.

Now, think back on all the number of times a customer has pushed back on a finding and you have had to explain firmly how you arrived at your conclusions and how the vulnerability could be exploited in their environment. Now, you may not be personally satisfied with your performance in all of these areas, or you might have an employee that could use a little help. So where do you begin? The first step is to give and be willing to receive clear actionable feedback. You should do this as frequently as possible. Don’t wait for the annual review to dump everything on somebody. Be as specific as possible too, and have concrete examples to share in a nonaccusitory manner. If you’re giving the feedback, reassure the employee that this isn’t to make them feel bad, rather it’s just to help them be more successful.

And if you’re receiving the advice, remember that this isn’t criticism, but it’s an opportunity to get even better.

If you’re in a role, a new role, or in a new environment, consider getting a coach or a mentor. For example, if you’ve only ever worked at startups and now you’re working in a Fortune 500, things are going to be a little different. Getting a coach or a mentor can accelerate your adaptation and help you be successful faster.

If you’re looking for tangible ways to improve, the Internet has hundreds of resources available for free online courses. MIT’s Open Courseware has dozens of courses on the writing and speaking skills necessary for effective communication. Finally, practice, practice, practice. Doing a readout is a real skill and it takes practice. It’s more than just parroting the findings in the narrative. You have to be able to respond to a client’s questions and be prepared for challenges and disagreement. If there’s a particularly egregious issue that might cause some embarrassment for somebody, discuss it internally before the readout and decide how to approach it.

These practice sessions beforehand make it more likely your client will accept your results, and it can also reduce the number of edits to that final report. Still, some of your people might not be comfortable in front of clients. And you know what? That’s okay. This is where the PlexTrac platform can really shine. See, our platform lets you collect enough information and in a logical, useful way so that the tech lead or the practice manager can step in to do the readout and have all the details about the engagement at their fingertips. Here, let me show you.

So in this scenario, I am the practice manager stepping in for my Pen tester, who is sick and can’t make the readout call. So I’ve logged in to our client engagement and we’re performing a Pen test for Big Bank. So the first place I go is into the readout. Just give it a quick overview. Looks like the reports been written. We’ve got a number of findings and the report attack chain is in. So everything’s looking pretty good.

Let me go into details and see if there’s anything specific I need to know about this client. So this is the big bank pen test. The report has reached a published status, so it’s gone through Review and QA, so it’s pretty much ready to go. We used our regular Acme template, so that saved us a lot of time.

Our operator was Brian. What I don’t have is the start date. Now I’ll have to go back to my operator and ask for the start and end dates and have that placed in there. Also, I’m going to ask him to fill out the Tags section. Tags are great for being able to search through a variety of engagements and reports and try and figure out what information you have for a specific customer or for a common theme amongst customers. I see that our objective was for PCI and this was a custom field that was added that made it easy for us to add additional information. So this looks pretty good.

I will save this and move on.

Let’s see, let’s go to artifacts. Let me make sure that everything has been uploaded regarding the testing and the evidence during the engagement. So going through here, it looks like what I would expect to see. We’ve got the run notes. That’s good. So he kept notes of what he was doing. He’s got day one, day two.

He’s got his console notes. He’s got specific output from SQL Server net stat. Looks like some domain interrogation was done. The one thing I noticed here I’m going to have to talk to him, is that everything seems to have been uploaded today. And one of the advantages of having this platform is that during the course of his engagement, he should be updating or uploading his evidence to the platform. That way, if something happens to his laptop or it gets stolen or it gets broken, all of the information that he’s collected, all of the evidence that he’s collected is in the platform, and we don’t lose it and have to start over again. So that’s about the only thing there.

Let me go into the findings and let’s see what we’ve got. It looks like we’ve got four high findings for this engagement. You’ll notice that one of these findings is kind of orange in the background and has this orange dot. And what that means is that this still has not yet been published. So that could mean that we’re still discussing the finding, whether or not it was appropriate for the evidence. It could be that it just hasn’t gone through QA here yet. So let me take a peek.

Click on it, and it looks clean. No problems there. Let me go into edit and just flip that published switch.

And now when I go back into findings, it’s published and ready to go. I love this part because you don’t have to wait until the end of the reporting process to begin QA, as the operators, as the Pen testers are here building the findings, your tech writer, your tech lead, your peer review people, they can be in the PlexTrac platform. Reviewing identifying things that need to be changed and approving as you go makes the process go much faster. All right, so the findings are okay. Let’s go to the narrative and take a peek here.

Let’s see.

Introduction. This looks okay. Wait, hold on. That’s not how you spell China. So what I’m going to do is I’m going to turn on track changes and I’m going to change this so that it’s correct. And my operator, my Pen Tester, understands that a change was made to his report and he can go through and approve it and make sure that we’re not putting words in their mouth. Everything else looks okay.

Looking at the process during the narrative, I see a place maybe where my operator could add an image. So maybe a screenshot here would be nice.

Wonderful. So let’s go over then to the Attack Path. I love the Attack Path piece because when you get into the conversation of, well, I only want to fix a few things, I don’t want to fix everything. The problem with that is that if you were to only fix the, for example, here guest wireless network allows access to corporate network, then all the other steps in the attack continue to remain. So maybe next time, if you haven’t fixed the weak or easily guessed passwords or the weak password on the Microsoft SQL Server, if someone does find a way in that isn’t through the Guest Wireless, they’re still going to have an easy time of it once they’re in the network. So the operator here has kind of laid out the steps and this is a good visual representation of what it took. So if I’m going to step into the engagement now to do the read out with the customer, I feel fairly confident that I have enough information at my fingertips without the operator actually being on the call.

So you see, with PlexTrac, you can still provide a solid would read out even if you weren’t the operator or even a participant in the engagement. So that’s all for today. I’m Joe Pierini PlexTrac product evangelist. Wishing you happy hacking. Until next time.