Veteran penetration tester David Ethington joined me on the third episode of Champions of Security. David’s vast experience in offensive and defensive cybersecurity in the Army, as a consultant, and now as an information security architect for Paramount gives him a broad view of the cybersecurity industry.
We had an excellent conversation about cybersecurity education, professional development, and how some basic skills, courtesy, and common sense can be most impactful.
Perspectives on Cybersecurity Education
Like any industry, there is plenty of misinformation in cybersecurity. David cautions listeners to watch out for LinkedIn influencers who claim to have the “top 5 resources for launching a cybersecurity career” or the “12 experts you need to follow.”
Similarly, there are no one-size-fits-all learning paths in cybersecurity. David calls for a “choose your own adventure” approach to learning, similar to Duolingo. This will help guide students who have different backgrounds, interests, and levels of understanding. There are so many different facets of this industry and variables that determine what type of courses and content might make the most sense for someone who wants to break into security, advance their career, or just learn.
How to Think Like an Adversary
David’s service in the Army helped him develop critical thinking skills that have proven invaluable throughout his career. He truly embraced the military mindset by asking himself:
- What can I use to my advantage?
- How can I do the most amount of damage in the shortest amount of time?
- And, how can I get out?
Another way to develop these patterns of thinking is through mentorship. David believes a key part of cybersecurity professional development is having a mentor to help challenge your thinking.
As a pentester, David learned that a critical skill is being able to reframe the problem that you’re trying to solve. If you can get mentorship while learning on the job, that’s even better. The theories become real experiences, which isn’t something that a book or course can offer.
Best Practices are “Best” for a Reason
Attacks like phishing are still prevalent and more sophisticated than ever. The higher the sophistication level, the harder it becomes to detect at the human/user level.
Even well-trained employees can click a link that seems totally legitimate or reply to someone with a stolen signature block that seems trustworthy. And no amount of training will prevent bad actors from being successful 100 percent of the time.
The best way to thwart attacks? David emphasizes the importance of basic best practices. Set reasonable access and permissions. Use complex passwords and change those passwords regularly, and don’t allow users to keep the default password, or a slight variation of it.
David shares a great story that illustrates the importance of password hygiene. While he was pentesting a bank, he was able to guess a bank employee’s password, which was a slight variation of the default password she had been given on her first day of employment.
He had four attempts, and in a matter of minutes, he was able to gain access as a local admin on the employee’s laptop. If the access had been granted to an adversary, the bank could have suffered a data breach or worse.
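The story above comes down to one control: a new password that is the onboarding default with a digit or symbol changed should never be accepted. The following Python is an added example, not code from the podcast or from David, showing how a password-change handler could reject trivial variants of known default passwords. The default passwords listed are constructed sample values, and the distance threshold of 2 is an assumed policy setting.

```python
import re

# Constructed sample of initial/onboarding passwords a help desk might hand out.
# In a real deployment this list comes from the provisioning system, not source code.
DEFAULT_PASSWORDS = ["Welcome1!", "Password123", "Company2024!"]

# Assumed policy: anything within this many single-character edits of a default is rejected.
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def core(pw: str) -> str:
    """Fold case and strip trailing digits/punctuation, so 'Welcome2024!!' -> 'welcome'.
    This catches the common 'same word, new number' variant that edit distance misses."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def is_default_variant(candidate: str, defaults=DEFAULT_PASSWORDS,
                       max_distance: int = MAX_EDIT_DISTANCE) -> bool:
    """True if candidate is a default password or a trivial variation of one."""
    cand_lower = candidate.lower()
    cand_core = core(candidate)
    for default in defaults:
        # Small edit distance: 'Password1234' vs 'Password123', 'Welcome2!' vs 'Welcome1!'
        if levenshtein(cand_lower, default.lower()) <= max_distance:
            return True
        # Same word with a different numeric/symbol tail: 'Welcome2024!!' vs 'Welcome1!'
        default_core = core(default)
        if default_core and cand_core == default_core:
            return True
    return False


def evaluate_password(candidate: str, min_length: int = 12) -> dict:
    """Return a verdict and the reasons a password-change request would be rejected."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_default_variant(candidate):
        reasons.append("too similar to a default/onboarding password")
    return {"accepted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for pw in ["Welcome1!", "Welcome2!", "Welcome2024!!", "Password1234",
               "correct horse battery staple"]:
        print(pw, "->", evaluate_password(pw))
```

The two checks complement each other: edit distance catches a changed digit, while the stripped-core comparison catches the year or suffix being swapped wholesale. Running this at password-change time (and on the first login after onboarding) closes the exact gap the bank engagement exposed.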
Three Key Takeaways
- There’s no “one-path-fits-all” for cybersecurity learning.
- Critical thinking and perspective help accelerate cybersecurity skills.
- Don’t underestimate the power of basic security best practices.
Thank you, David, for sharing your experiences and perspectives with me.
You can find all available Champions of Security episodes here.