Countercastle Cybersecurity


How Scotch Wichmann looks when discussing cybersecurity

Let’s Build An Amber Alert For Pandemics

Dear CDC: How about an Amber Alert system for coronavirus and other pandemics?

Say a patient tests positive for coronavirus. Here’s what happens next:

1. The patient’s doctor notifies the CDC.

2. CDC sends patient’s cellphone number to the NSA.

3. Using cell tower triangulation records from cell carriers, the NSA determines which cellphones have been in patient’s close proximity during the past 2 weeks, and texts an exposure warning to those phone numbers so those people can take precautions.

Some might say this impinges on privacy, but the NSA can already determine who has been in your proximity (see and, so why not use this to alert people who might’ve been exposed, given that 96% of Americans have a cellphone and people are dying? (

March 16, 2020

Day in the Life of a CISO

I spotted this meme flying around the Internet this week:

Being a Chief Information Security Officer is easy. It’s like riding a bike — except the bike is on fire — you’re on fire — everything is on fire — because you’re in hell.

Being a CISO, I’d have to agree there are days when it feels like everything’s ready to burst into flame.

Sometimes it’s because of something enormous. You’re suffering a cyberattack. A malware infection is spreading. You discovered a massive security hole.

. . . Or maybe you just work at Equifax. Zing!

But more often it’s 10,000 little things. Everything you have to manage. All the things you have to be concerned about. Everything you have to protect. All the reassurance you have to provide to customers, employees, executives, auditors, regulators. Everything you have to know — and all the things you don’t know.

You could easily have 50,000 networked devices to keep safe — and just as many people doing insanely insecure things with them.

data flames binary burnOh man, you’d love to think that you have deep visibility into what every server, computer, application, and user are doing continually. And that every system has been hardened against attack. And that everything’s being monitored 24/7 by smart people. And that some dumb-dumb hasn’t misconfigured anything. And that evil insiders aren’t secretly hellbent on wreaking havoc.

That’s a lot to keep in view when you’ve also got policies to write, metrics to gather, meetings to attend, candidates to interview, auditors to appease, contracts and laws to absorb, advice to provide, questions to answer, forgotten systems and data to discover, fraud to investigate, trainings to give, applications to test, holes to fix, and culture to improve.

Susan Mauldin, Equifax’s security chief of 4 years, made strategic mistakes that paved the way for the theft of 145,000,000 Americans’ personal data in 2017. My information was stolen — and probably yours too.

Don’t get me wrong: Equifax’s mistakes were catastrophic. But as a CISO, I have to sympathize a little with Mauldin’s challenge of trying to secure networks, devices, and software being pounded on by 10,000 employees across 24 countries. If somebody wants to steal information in a sprawling landscape like that, how many possible points of egress could allow data to escape? A hundred thousand? Millions?

Even if you’re a security genius, that’s a lot of holes to plug — disaster only requires a single leak. You have to be on point 100% of the time.

Mauldin’s gravest sin was failing to patch Equifax’s systems. This should’ve been near the top of her to-do list, given most hacks are the result of unpatched vulnerabilities.

But even though patching seems like it should’ve been obvious, actually doing it isn’t trivial. There’s a lot that can go wrong. After inventorying your 50,000 servers, computers, and other networked devices — and all the software running on them — you’ll need to begin watching their manufacturers’ websites for news of any security patches that need to be installed. With new patches emerging daily, that’s a lot of watching to do — and of course, every new patch must be fully tested before installation to make sure it doesn’t break anything, so you’ll need a test environment that looks identical to Production — and a dedicated team to manage all of this day in, day out — or risk facing your own Equifax horror show.

But even a dedicated team may not catch everything. Can you name every piece of software installed on your computer? I can’t — and most Fortune 500 companies where I’ve worked can’t name everything running on their systems either. Programmers and engineers quietly install software all the time for various tasks, and then forget about it, where it can fly under the radar for years.

Make no mistake: even though it’s difficult, patching is a CISO’s responsibility — but so are 100 other things ranked as critical. And this, my friends, is every CISO’s problem: with so many critical problems to solve, which do you focus on first?

The answer is that you have to focus on all of them — even if this means giving each only minutes of attention per day. “Attention deficit” is almost mandatory, if you want to make sure you’re not missing a minute detail that’ll ruin your career later.

To give you an idea of what this controlled chaos is like, I made a list of all the things I did yesterday. This list is pretty typical, and no matter how fast I type during my 9-10 hours at work, I end each day feeling like I barely made a dent. Enjoy.

  • Read daily threat intel feed from FBI and other orgs
  • Read hacker news websites
  • Reviewed data dump sites for signs of data leaks
  • Reviewed logs for fraud investigation
  • Reviewed logs for signs of data leaks
  • Reviewed and updated project list
  • Compliance meeting re: European Union data laws
  • Continued manual penetration testing of mobile app
  • Reviewed results of perimeter security scan
  • Finished review of firewall rules
  • Compliance meeting re: New York data laws
  • Provided direction to security team re: testing encryption tools
  • Short meeting re: improving physical security of facilities
  • Answered emails re: security policy for India
  • Formatted security status report for executives
  • Quick meeting with I.T. Operations director
  • Investigated possible infection on legacy system (false positive, thankfully)
  • Updated risk rankings on security roadmap while eating lunch
  • Quick meeting with Chief Information Officer
  • Edited awareness/communication calendar for the new year
  • Booked meeting with executives
  • Took 2 phone calls from vendor sales reps
  • Quick meeting with recruiter to discuss staffing for upcoming year
  • Updated budget projections for the new year
  • Gave direction re: a project to document data handling practices
  • Quick meeting with senior project manager
  • Wrote official answers to questions from state auditors
  • Clarified global policies governing external storage devices
  • Wrote security language for a vendor legal contract
  • Circulated new security best practices to development teams in U.S. & Latin America
  • Wrote test plan requirements for new firewall product under evaluation

Cybersecurity 101 Training in Burbank!

I’ll be giving a free, 90-minute crash course in cybersecurity at the Burbank Library’s Buena Vista branch on January 30, 2018 @ 7PM! Learn how to protect yourself against hackers, cybercriminals, government surveillance, and more. See you there! Full info here.

Recruiters: Time For Extreme Recruiting?

Extreme Programming

I started searching for new cybersecurity leadership opportunities 1.5 months ago, and wow — the market has certainly changed since I last looked for a job in 2011.

After posting my résumé to a handful of career sites, I was hardly prepared for the deluge of recruiter emails that began pouring in, and never let up.  I’m now receiving an average of 42 emails per day, with some days spiking as high as 65. (Granted, many offers aren’t matches for what I’m seeking, but that doesn’t lighten the load — I still have to spend time filtering offers for fitness). In the time it takes to customize a résumé and cover letter, a dozen or more offers will sometimes appear in my inbox. Many of my peers are experiencing this same frenzied demand, and news headlines concur: the cybersecurity job market is on fire.

Given the market’s breakneck speed, you’d think that hiring companies would be scurrying to respond to candidates, but this isn’t always the case.

Sure, some companies have been fast: an initial response came right away, with screening interviews lined up within days.

But over half of the companies where I applied took their sweet time, gingerly letting weeks pass before initial contact, or worse, between interview rounds. Spending time and money reeling in candidates — and then doing nothing — isn’t an affordable luxury in this market. (See “42 emails per day” above).

The cyber job market has gone transactional, just like everything else cyber touches.  This means recruiting may need to become transactional as well, since candidates seeking new challenges may only be available on the market for weeks, if not days — and soon, perhaps only hours.

Extreme Recruiting (XR) is one name that some companies have given to this more transactional, self-organizing, and fast-moving recruiting model. Borrowing concepts from Extreme Programming (XP), the idea is to move candidates as quickly as possible through a streamlined interview process in order to arrive at an initial offer pronto.

XR implementations vary wildly, so here’s my interpretation:

  • Treat initial contact with candidates as part of company onboarding, which means painting a clear picture early of what day-to-day life would be like after hiring.  Simply listing skills isn’t enough. Candidates want to know what they will actually be doing (the “user story,” in XP parlance).  Many recruiters I contacted couldn’t summarize daily job activities, so I had to wait to speak with hiring managers, wasting precious time.
  • Mine for candidates who are already in technical or social environments where talent is being proven. For example, if seeking hackers who are great team players under pressure, go recruit at team hacking competitions.
  • Respond to candidates within hours, rather than days. If recruiters are swamped, spread out the screening load to technical team members, who can CC: recruiters on replies to candidates.
  • Ask disqualifying questions ASAP. A job opportunity located 2,000 miles away won’t help a candidate who can’t relocate. Put key details (including job city and state) in the subject line of emails so candidates who aren’t a good fit can delete messages faster without bugging you. And, by all means, cut a candidate loose immediately during an interview if it’s obviously not a good fit; these days, it is far more impolite to string them along.
  • Have hiring managers partner with team members to develop screening strategies (“collective ownership”), and give screening activities high priority daily during hiring periods.
  • Have screeners vote on candidates by ballot across a range of critical categories for speed, rather than spending time discussing candidate qualities endlessly.
  • Hold daily standup meetings to review candidate schedules and progress; rank and re-rank candidates by their interview scores on a whiteboard (“refactor and integrate often”).
  • Screen for technical, soft, and other skills in a single meeting with key hiring managers and team members present. If this isn’t possible, and multiple screenings are needed, try to at least hold them all on the same day, or on consecutive days. But remember: while waiting for the next interview round, candidates may be receiving tens or hundreds of emails from other recruiters. Waiting carries risk.
  • Consider giving candidates actual work problems to solve (“unit tests”), rather than inventing hypothetical interview problems. This way, a candidate gets a real taste of the job, and interviewers better understand how working with the candidate will be. Examples: “How I could I improve the security of this software, system, or process?”  “Our industry faces security challenge X; how would you approach this?”  “Our Python developers lack security awareness; give them an impromptu security awareness talk right now.”  Etc.
  • Be prepared to give an initial offer within a day when a suitable candidate is found so negotiations can begin without delay.  This may also help encourage a candidate to postpone pending interview appointments at other companies.

The old model of front-loading the hiring process with leisurely interviews and weeks of waiting is dead. The new transactional landscape requires speed and simultaneity: do it fast, and do it all at once, or risk losing talent.

Additional Reading:

Tough Love for Russia’s (Alleged) Election Hack

Tough Love for Russia's (Alleged) Election Hack, by Scotch WichmannThe Director of National Intelligence (DNI) released its official report this week on Russia’s alleged hack of the DNC’s email servers and the 2016 election.

I was really hoping for a smoking gun, but the report proves nothing. It doesn’t contain a shred of forensic evidence. Its paltry 14 pages only demonstrate that Putin wanted Trump to win the election. How that passes for “secret intel,” I have no idea. Maybe I should open my own spy agency! Wanna join?

Grab the full article on Lifehacker here.

Security Secrets from a Hacker

Security Secrets from a Hacker by Scotch WichmannUnless you’re knee-deep in security, you might not know that spy and law enforcement agencies won’t hesitate to break the law in order to spy on you.

Or that most companies don’t know where their most valuable data is stored.

Or that the Defense Department has no idea how much it actually spends on top secret programs.

…And these are just the tip of the proverbial iceberg.

Want more security secrets? Check out my new Security Secrets from a Hacker article at Lifehacker.

H3ll0 W0rld

It only happens once: the very first post.

I’ve worked as a security consultant, researcher, and intelligence nerd (a.k.a. hacker) for nearly a quarter century now. And, while I’ve written about security in popular culture (and in my award-winning novel, which you should totally buy!), this is my attempt at a longer conversation.

. . . And it’ll probably be an idiosyncratic one, because I’m also a longtime performance artist known for crawling around on broken glass and sporting extra appendages.  This right-brained activity serves me well in my security work, since “seeing” the cyber terrain—and imagining what new attacks may come—require nonstop creativity, which is a skill like any other. You’ve gotta work that muscle, which is why my co-workers no longer blink when I show up to meetings limping and covered in band-aids.

Enjoy, and thank you for stopping by!