Everything.

Yesterday, my trainer asked me if I could do it all over again, what would I go into?  Today – I feel I’m in a pretty good position.  I think I would have done it slightly differently though.  I never wanted to really work in IT, but my career evolved to a point where I LOVE what I do every day.

First – if any of you have kids, I’d steer them towards the military.  No joke. There are jobs in the military that are NOT dealing with being infantry.  Lots of them, especially if your kid has a brain.  One of those jobs is working in IT for the military.  There are TONS of these jobs.  And – as a hiring manager, I have many of these guys working for me these days.  A lot of these sign up for the reserves, get a clearance, pass an IT test, and they are starting well into the 60k range.  With this, the military also has the GI bill.  So – at 20 years old, they could be making 60-70k full time and getting Uncle Sam to pay for their college.  At 26, they could be well into the 80k range with no debt, advanced certifications, and their clearance and military background will make them a prime candidate for a federal job.

There are lots of “green to gold” programs and the like in the branches that can take you from enlisted to an officer.  If your kid was pretty damn smart, but you couldn’t stomach 60k a year for college – the military could be a great option to get lots of work experience, free college, and zero debt.

Second – I mentioned I would have tried to go to West Point.  Now, you just don’t apply there.  You need some sort of congressional assistance.  So – just because I WANTED to go there doesn’t mean I could have even gotten to the point of applying.  But I feel like had I been able to go there or do ROTC, I would have been an officer at 22 and started a military career then.  I would have tried to major in a form of computer engineering.  I would have learned to code well (instead of barely passing while being a drunk).   And today, I’d be advanced in the ranks.  Had I just understood nutrition a lot better then, I would have most definitely gone ROTC somewhere like some of my friends did.  I was SOOO jealous of them!  They were also cross country runners and I was topping out about 4 miles at a 10 min per mile clip lol.

I digress – one thing that made me go down this rabbit hole was my attraction at a young age to strategy and tactics.  For me, strategy was the macro “big picture” where tactics were the micro means of executing the strategy.  I was also highly drawn to math and won a bunch of awards when I was young.  I bailed somewhere just after calc because I didn’t need it, but I loved the beauty in it.  I was a big fan of statistics as well.  Also loved me some physics, but alas, when you drink 6 nights a week in college, it’s hard to score well in some of these classes.

All of this comes to a head.

When I used to tell people what I did, I would see after 5 seconds people’s attention start to go “squirrel” on me.  Eventually, I dumbed it down and would tell people that I’m a “glorified IT security guard”.  I just told others that I’m in IT.

I’m still not really going to do a deep dive of what I do because of the people who might actually be watching this lol.  This isn’t LinkedIn, and none of you give a shit on that level.  But I will tell you how your kid’s abilities can point them towards a career like mine.  And – I’m going to give you some examples below of what the hell someone like me does.

As a young person, I played a lot of chess.  My dad would play with me for hours.  I took to it.  I was drawn to it.  People don’t really understand the addiction to it.  “It’s just a game”.  True.  But it used to be called the “Game of Kings”.  If your child is REALLY good at chess, you really have no idea of how that will help him in life.  At the age of 7, I started to understand probability concepts I wouldn’t learn in school for another 10 years.  Shortly later that year, I was playing without looking at the board and beat my dad without looking.  This led to playing in the PA state junior high state championships and the World Open in my early teens and being successful.  Unfortunately, I had to start working at 16 and I then went 20 years without playing in a tournament.  Anyway, “I coulda been a contenda” lol.

“If I move my knight to e5 – he will be able to attack 8 squares.  If I move him to h1, he is limited to attack 2 squares.”  So – very, very young, I figured out how to maximize my pieces.  You start to see that they are more powerful based on their location, their cover, and their ability to move.  I understood about pacing.  If you let up on an attack, your opponent can flee.  So I would trick them into fleeing into checkmate.  I was then able to force people to move pieces to my will.  I’m not perfect.  Sometimes I’d get very bored by opponents and take them for granted – and get the occasional scare.  But what you find is if you beat people routinely within 10-15 moves, no one ever wants to play you again.

When you would make other moves, you might think in your head, “there’s a very good chance he will take me.  But if he does, 4 moves from now I will take his queen”.  So you start to be able to conceptualize trade offs, risk, position, and carrying out the big picture strategy.  At a very young age, you start to understand warfare well before you should.

With math – you then start to understand probability a little clearer.  You then start to take the fun classes on correlation and when you have played your 6,000 games, you start to really understand patterns in your play and can recognize patterns in others.

This takes you to the battlefield.  I took military history in 9th grade as an elective, and the big thing I remembered was “high ground is king!”.  This lesson was shared in the Battle of Palo Alto, and since then – high ground has been something of interest to me in life.

With the military battlefield, if you think 100 years back, if you have a spot in a mountain overlooking a valley, you can monitor troop movements and set traps.  Today, that correlates to F15s flying overhead along with satellites monitoring everything.  If you have high ground – you win, right?

The traditional domains of warfare – land, sea, air, space – have now been augmented with cyber.

The big tenets of cyber are – “Confidentiality, Integrity, and Availability”.  I’m going to give you a few examples below of how cyber plays a role in warfare.  I’ll give you a bonus one that will blow your mind.

Example 1 – integrity

There have been a few cases of “radar spoofing” that I have read about.  This means that an enemy is looking at his radar and all highly advanced weapons systems are tuned to use that radar information.  An enemy will record a time of this, then when ready to attack, will replay it.  From what I recall, we used this in one of the Iraq invasions and Israel has used it to attack Syrian nuke development sites.  Imagine you’re being bombed and your radar shows nothing.  The integrity of your data is being compromised.
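A replay like the one described above works whenever the receiver checks only that data is genuine, not that it is new. As an added example (not from the original post; the key, frame layout and readings are constructed for illustration), this Python code shows recorded frames still passing an HMAC check, and being rejected once the receiver also requires a rising counter:

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared key, illustration only


def seal(counter: int, reading: bytes, key: bytes = KEY) -> bytes:
    """Sensor side: 8-byte counter + reading, followed by an HMAC-SHA256 tag."""
    body = struct.pack(">Q", counter) + reading
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Display side: a frame must be authentic AND newer than the last one."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = -1

    def tag_ok(self, frame: bytes) -> bool:
        """Authenticity only: true for any unmodified frame, old or new."""
        if len(frame) < 8 + 32:
            return False
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

    def accept(self, frame: bytes):
        """Return the reading, or None if forged, truncated or replayed."""
        if not self.tag_ok(frame):
            return None
        counter = struct.unpack(">Q", frame[:8])[0]
        if counter <= self.last_counter:
            return None  # genuine but stale: a recording played back
        self.last_counter = counter
        return frame[8:-32]


def demo():
    rx = Receiver()
    quiet = [seal(i, b"sky clear") for i in range(3)]  # constructed frames
    live = [rx.accept(f) for f in quiet]        # first delivery is accepted
    replayed = [rx.accept(f) for f in quiet]    # same frames played back later
    tag_only = [rx.tag_ok(f) for f in quiet]    # a tag check alone still passes
    fresh = rx.accept(seal(3, b"contact bearing 270"))
    return live, replayed, tag_only, fresh


if __name__ == "__main__":
    print(demo())
```
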

Example 2 – Confidentiality

In military systems, you usually have your public facing networks that are not classified, then you have your more private networks that have more sensitive data.  Maybe something is classified on a network and is very sensitive, and your generals use this network to talk.  Then, imagine the enemy sends an email to all of the people on this secure network saying they have been compromised and you should just throw down your weapons now and provide instructions on how to surrender.  It would probably scare the shit out of me.  But using attacks like this, you are also using psychology to affect the enemy.  In chess, it’s one of those brazen attacks you use on a noob.

If your most secret and sensitive plans have been compromised, you lose any element of surprise and your enemy has information dominance.

Checkmate.

Example 3 – Availability

Imagine someone was trying to break into your house and the following conditions happened:

  1. Your landline is dead.  You can’t call for help
  2. Your cell line has been jammed
  3. You can’t get into your electronic safe to get a gun
  4. The lights are out and they won’t turn on.

Feel pretty helpless?

In 2008, Russia invaded Georgia.  No, not Atlanta.  Georgia the country.  They rolled right down the street with tanks.  From what I read, they took out their communications infrastructure.  Remember when we went after Bin Laden in Pakistan and flew helicopters into a residential neighborhood?  Wonder why no one called the cops?

If you have the ability to remove the enemy’s ability to call for help and isolate and overwhelm them, you have a huge tactical advantage.

Bonus example – Stuxnet

In 2011, the NY Times reported that a virus called STUXNET essentially destroyed thousands of Iranian centrifuges.  It was a cyber warfare tool created to slow down and destroy the ability for the enemy to enrich uranium.  From what I recall (I’m not reading the 12 page story all over again), it was built on a few principles:

  1. A virus was released to affect a certain type of software in a certain IP range only under certain conditions.
  2. Hardware from Siemens was intercepted by intelligence agencies and chips were swapped out in the hardware.
  3. The virus made it to an air gapped network where it found the Siemens devices and affected the SW running them.

So what happened was that the software was supposed to spin these things at maybe 5k RPM.  In reality, the virus changed it to spin at like 15k RPM.  The software would show it was 5k RPM and operators thought all was fine.  This led to this expensive and hard to find equipment not operating properly and burning out years before it was supposed to.

So – big picture here people is that strategy, tactics, and math – along with a little military history could put your child on a path to coding things that can protect your grandchildren for the next 50 years.  No bullets.

 

An example in real life

 

One of the big problems you have with the United States is that everything is connected to the internet.  Your TV is even vulnerable and it’s been reported that these cameras have been hacked to have you watch TV.  The huts in the middle of the desert – we drop million dollar bombs on them, but who the hell are we hacking?  What radars are we doing replay attacks on?  They may have a few of their people they send to elite schools and they can come back and do immense damage against us.

We have millions upon millions of endpoints.  We have everything connected.  We have smart grids.  Highly advanced electronic stock markets.  Credit scores.  Bank records.  Cars that can be hacked.  Satellite systems.  GPS.  IoT.

What we need is a lot of “glorified IT security guards” to help protect all of these systems.  There are not enough.

This is also a great area for AI – but we won’t go there, here.  You’ll see sort of an idea of it with automation.

Imagine you own a large company that sells and ships widgets.  These giant factories get hot, and during the day, occasionally, an employee opens a window.  Imagine you have 1,000,000 windows at each site.  Imagine you have hundreds of sites all over the world.

You have heard chatter that a ninja plans to break into one of your sites through a window and steal your company secrets.  Metaphorically speaking, this is what all nation states are doing against us and all of our companies every single day.

Today, this is the gold rush of 1849.  You build enough tools and you can mine information.  You can sell it on the black market.  You can use Coca Cola’s recipe and sell a knock off drink for half price and put them out of business.  You can steal Pfizer’s patents and make your own drugs 1,000 times cheaper because they are doing the R&D for you.  You can steal F35 plans from Lockheed (the Chinese did this in 2009 when I worked for Lockheed).

You tell your 5 security guards to keep an eye out.  You tell them to walk around and close windows when they can.  You are spending the least amount to make your investors happy.  You ARE providing security – and look how CHEAP we are doing it!

You find out that if this ninja gets in, he can bring down an entire site.  Uh oh.  This might cost you billions.  You now decide to install electronically-controlled windows and spend more money.  Every 30 minutes, a program runs automatically to detect if a window is open, and if it is open, to shut it immediately.  Suddenly, investors are flocking to you because security is your product differentiator.  You spend more than others, but investors are more confident you will survive and be around for another 50 years.

Your attack surface was a function of math.  You spent money based on reducing risk.

You had over a million windows at 100 sites, or 100,000,000 potential vulnerabilities.  You have x number of employees and y percent of employees open windows.  You train employees on the dangers of opening a window.  You make them sign documents stating they won’t open a window or else they will get fired.

In the months leading up to this, you had 5 employees who were each closing 50,000 windows a day.  They were BUSY!!!  They were also missing 50,000 windows a day because they couldn’t get to all of the sites.

You had a certain risk every day of being attacked.  You spent z dollars on these 5 employees.  When you spent money on this new electronic system, you now use 2 employees to operate it, and your risk has been reduced by 100x.  Your policies have also helped.  You installed air conditioning as well to prevent this.  You are now spending the same money as before, but you have reduced your risk by a factor of 100.

You still have risk.  But you are now managing it using ROI and accepting certain events that have a low likelihood of happening.  For example, I don’t want to spend a billion dollars on an asteroid detection system.  While an asteroid CAN take me down, I will accept the risk that one will not hit my site.

With risk  – you are looking at accepting, mitigating, or transferring.  For example, I can accept the risk that an asteroid will not hit me.  I will mitigate the window problem by installing automation and enhancing perimeter security, and I will transfer the risk by taking out an insurance policy against someone stealing my patent.  The insurance companies will then want to inspect your facilities to ensure you are doing everything you can.

How can you make this even better to protect against the ninja?  Let’s look at what I talked about with mitigation – perimeter security.

Gates, guns, and guards.

While today the fun saying is “walls don’t work”, the hilarious comedy in that is that it is one of the 3 tenets of physical security.  Going back hundreds of years.  I don’t want to get political here, but the rhetoric spoken enough doesn’t make it true.  It’s like someone shouting “the sky is green” and everyone nods their heads like sheep and says, “yes – the sky is GREEN!”.  It’s just….not correct, and it sounds silly when people say it.  Like, just stop already.

 

 

You sound like flat earthers and those moon conspiracy people.  If you don’t believe me, I want you to drive up to your nearest military installation and go knock on the commanding general’s door and wish him a Merry Christmas.  Please report back to me your experiences.


 

Physical barriers may not stop everyone, but they reduce the likelihood of breach.  You also patrol these areas with guards.  Without the gates, guards could easily be overrun.  This is not good security.  Gates and checkpoints direct a flow to a specific area to reduce breach likelihood.  You can then inspect all deliveries and inbound and outbound traffic.  This is sort of the idea behind firewalls and intrusion detection systems.

Guns are then the means of neutralizing the ninja threat before getting to the warehouse.  This can also be a rule on an IDS device to drop packets or a firewall to block traffic from a range of IP addresses.

So – you add LAYERS of security to your windows.  In IT security, there are like 45 different fields.  It’s not just window protection.

What if this ninja gets into your factory?  He is looking for documents that he can then take back to his employer.

What if these documents were then in a giant vault?  What if these documents were then put on to a disk electronically and encrypted?  Even if the ninja scaled the fence, outran the guards, dodged bullets, found an open window, then dashed to the vault – and somehow cracked this before being gunned down – he would then open the vault to see a disk with encryption he could not possibly get.  The vault for that key might be in another warehouse which is protected with 50 times more gates, guards, and guns.  This is “data at rest”.

The idea here is that strategy, tactics, and math make for compelling foundations for IT security.  I’d encourage you to all have your kids get into it!!
