A few weeks ago, just before heading off to Black Hat and DEF CON, I was asked to present at the PDX Cyber Camp in my hometown of Portland, Oregon. The cybersecurity camp is designed to give high school students a hands-on, introductory experience in cybersecurity, covering multiple disciplines and topics.
The instructors consisted of various experts in different areas of security. The camp was a great opportunity for many of us to give back and share the insights we've learned as we grew into an industry that barely existed (if at all) when we were in high school.
I presented my session titled “Malware for Good and Evil” twice at two different campuses. I began with how I got my start in security from a non-traditional route; being a bit of a misfit armed with a liberal arts degree, I taught myself programming before going back to school to expand my technical chops before finally finding my passion in security. I discussed the various tools and techniques I developed to track stolen devices that led to the unveiling of organized criminal syndicates and working with law enforcement, which sparked a lot of interest and brought up a lot of great questions from the kids.
I stressed the importance of creativity and abstract thinking to solve security problems, particularly the ability to connect dots—identifying and discovering hidden connections, whether it is the synthesis of different technologies to build a tool, seeing patterns in data that identify an attack, or identifying security trends. Not every problem is solved with technology alone; creativity and innovation, I feel, are often forgotten as education seems to favor and focus on the technical tools without understanding context and application. Some of the most brilliant people I know in technology actually came from a liberal arts background and have a passion for learning.
In the second half of my talk, I discussed the research I did in analyzing tools and techniques used by criminal syndicates targeting Point-of-Sale systems and the importance of understanding the underlying economics of cyber crime. We explored how ransomware is an evolution of malware, and the monetization of poor security hygiene.
I did a live demo of WannaCry so they could see what ransomware actually looks like when it hits a system, then pivoted to Splunk to show how the endpoint and pcap data looks when conducting analysis and research. I then discussed best practices for mitigating ransomware and provided the kids with additional tools and resources to research more themselves (without having to infect an actual system with ransomware).
I was actually jealous of the kids at the PDX Cyber Camp, as I wish that I had a camp like this when I was their age. I love the trend of security/hacker conferences involving kids—like r00tz Asylum—and over the years, I've been bringing my own child to ToorCamp, a week-long hacker conference and camp held every year in the NW. As our world becomes more dependent on technology, securing infrastructure will require new ideas and fresh recruits. By getting kids security-literate, even if they don't become practitioners, we set them up for success and protect ourselves, as they will be protecting our infrastructure in the future.