If you’re familiar with my articles over the last couple of years, you may have noticed a pattern. I reference raccoons - a lot - and not always in a good way. It’s almost as if I’ve been trying to tell you something. Believe me, I have.
Raccoons are well known to be crafty and ingenious, as they are generally very successful at attempting to open a closed door, a zipped tent, or a latched garbage can full of tasty treats. Obviously, this analogy can be more broadly applied to the genius of hackers, and their relentless effort to circumvent, decrypt, and defy layers of complex and labyrinthine security systems.
So, without further ado, let’s take a look back at the security industry in 2018 through the eyes of a raccoon…
I started the year looking at how to “think like a vulnerability” which quickly escalated into a look at the state of vulnerability management:
“I bet you thought all these articles are supposed to be about teaching you how to be secure and not about being vulnerable. Well you thought wrong. And you thought right. I don’t know, I just write what the raccoon tells me. Never mind, the point being that vulnerability is a big part of being secure.”
The subsequent article looked into the security community’s favorite topic - breaches! Well, the favorite topic that’s not about the lack of qualified people to help. But that’s HR, right? Nope, it’s also a contributor to breaches:
“But not everything works in the cloud, therefore there’s been a stronger push for artificial intelligence to punch the clock for you due to the security analyst shortage. AI can already excel at many of a company’s security tasks, often with the analysis ability of a trained analyst and the tenacity of an angry raccoon.”
In February I penned this article showing the hacking process, which actually became one of my most popular articles ever, even knocking out “Using NMAP to Find Naked Pictures of Your Ex Online,” which held the previous number one spot:
“When I’m not studying videos of raccoons online (know your enemy!), I’m fielding requests from wannabe hackers all around the world because I work for Hacker Highschool. So, wannabe hackers tend to think of our curriculum as a checklist of script kiddie tools that lets them DoS your online competition of ‘Banjo Hero’, or creep into private Instagram accounts.”
The real take-away is that those pesky raccoons have to be known and relatively well understood if one is to learn to hack.
Following up to that we look at what problems exist still in security that we aren’t even close to having an answer to. It’s a pretty deep dive into security philosophy. So deep that it doesn’t even mention raccoons, but it does include a picture of one:
“It’s totally like my Aunt Beth, right?! In case don’t know her here’s the gist: my parents said she had no job but she said her job was her scratch-off lottery tickets and monthly trips to Las Vegas with her gentlemen friends. I figured what does it matter as long as she’s making money. Isn’t that what a job is? And it’s the same with security. If you’re reducing the kinds of attacks that come through and how much they can take then that’s security. I mean, as long as those other attacks don’t ever show up, you’re doing your security job. Right? At least it feels more secure. And that’s how risk works in security too...”
Since my sense of humor sits somewhere between terrible and awful we next did a complete 360 and went with a look at the relationship between business and cybersecurity. Yes I meant to say 360 because I basically meant the same things. Of course, it’s this article that launched one of the most famous security metaphors in the history of 2018:
“If cybersecurity was an animal, it would be a raccoon, protecting the dumpster it eats out of while thinking that washing its hands in the creek somehow makes it dignified.”
As April showers bring May flowers, they also bring change. I addressed the idea of patch-based security in this final article for April:
“We are told patching is good. It feels good. We see it as fixing something which we are told is broken: there's a hole, bad people can take advantage of it, and now they can't. It fixes a definite, specified problem. And it feels good and safe and comfy to take care of problems, like a raccoon washing moldy garbage in a stream before eating it. All good things.”
Because I apparently like to antagonize my audience so much, I had this great idea to make them suffer through a Part Two on my wisdom of patching:
“If patching is a tactic towards a particular security strategy, how can that be bad? I never said it was all bad. There are reasons where patching makes sense just like there are times when it makes sense to have that third diazepam pill, park diagonally across two parking spots, or hide in a dumpster - and not coincidentally they all involve raccoons.”
In the next article I talked about what’s fair in the world of cybersecurity. So, I once again relied on my favorite, sneaky critters; comparing raccoons and bears through the filter of a fair fight:
“People want fair. That’s why security is a process - to make sure it’s consistently spread and maintained. That’s why we security people are told to make sure that management itself is under compliance to the security policies. Because it should all be equal. It’s not equal. Equal may be like a grizzly and a raccoon are both bears, but that wouldn’t be a fair fight. (Unless it’s a ‘washing putrid garbage in a stream before eating it’ competition, and then the raccoon wins - tiny, filthy hands down.)”
In July, to celebrate summer, I relied on my sweet memories from my time living in Lake George, NY, as a raccoon catcher to capture the essence of what kind of cybersecurity professional you should hire. I also relied on my editor Anthony for inspiration:
“Back when I was working in Animal Control for the city of Lake George we had a saying- Only the people who really love animals should work in animal control. And I feel the same about cybersecurity. We had this guy, I’ll call him Anthony for no reason at all, and man he got frustrated with those animals. One night I get this call over the radio that the shelter is in lock down. So, I race over there, and Anthony is freaking out! He didn’t know raccoons could open latches and they escaped the enclosures and opened up a bunch of others. There were raccoons everywhere! Anyway, while he was trying to get them back in cages, they of course kept getting out. The more they resisted the more frustrated he got, and the less control he had over them. The problem is that for him, it was just a job. He didn’t love animals and didn’t love what he did. And it showed whenever something didn’t just work out for him. He would get frustrated and he’d lose control over the whole situation. I think to this day he absolutely hates raccoons. I don’t get it. This story was about Anthony, not me.”
Later that month I stuck to my employment kick and focused on happiness, which happens to be the exact opposite of raccoons. But that’s irony for ya! As it turns out, happier employees are more security aware employees and so I give the whole reasons thing with action items:
“That’s not to say science isn’t sometimes wrong (it’s not, I’m just placating you) or that employees must be happy (they should, me placating again), but if you follow this advice you’ll find their happy place at work for them. And as I said before, science says you’ll also make your company more productive and more secure against online attackers and social engineering fraudsters. That’s three awesome benefits for the price of one! That’s like throwing a crazy wild birthday party for one friend and in the process also trapping those two nasty raccoons that keep sneaking into your kitchen to lick your apple chips. Three benefits out of one! True story.”
In August I decided to celebrate my first year of not going to BlackHat in Vegas by writing about whitepapers. I’ve never been to BlackHat, but I also never celebrated not going, so why not start with the first time I didn’t go? This article became an instant cult classic because it covered both Churchill’s improprieties and explained what exactly should go into a product whitepaper:
“Apparently the 1922 Churchill white paper in response to the Jaffe Riots is the best well-known example starting this trend of IT product vendors passing off positive opinions of their own products as factual, decision-making guidance. Which is why this white paper is a response to Churchill dressing raccoons in school children’s outfits and raising them as his own children. <Editor please don’t bother with fact-checking that as this is now officially a white paper.>”
In my next article I tackled the issue of assessing Smart City cybersecurity. Man did I get attacked for that one. Well, just one person attacked me for it. Apparently, I don’t satisfy everyone equally. Still:
“Cybersecurity is that thing that all that smart-stuff in your Smart City needs to grow upon. It’s not the thing you buy to put in front of all these things to make them safe because you’d need one for each of the thousands of devices that make up the Smart City network. Security needs to be part of everything, or else just one criminal on the other side of the planet will be joy-riding your traffic light system and at the minimum causing pure chaos. Or just one raccoon could chew through the line going to your smart thermostat system and your courthouse could double as a sauna.”
You know how many go back to school in September, well, that inspired me to finish a quiz about learning to be something in this massively broad field we call cybersecurity. While it appears to be just another goofy quiz, it’s actually something that took me a few months to get right. From the feedback I received, it’s been adequately accurate:
“A truck over turns on the highway, and although nobody is injured, hundreds of rare, show-quality raccoons are freed from their cages. What do you do?
A. Start chasing down raccoons and caging them before they can get hurt.
B. Start chasing raccoons off the road and away so nobody else gets hurt.
C. Go on Twitter and blame Russia.
D. Lock the doors and call the police.”
October is my birthday month, and apparently the majority of people’s birthday month. Yes, more people are born in October than any other month. So, it’s not very special apparently. I decided to reveal my birthday to the world through social media to celebrate my overall lack of privacy. And that’s what this article was all about, well, that and GDPR:
“Now I just made exactly three people on the planet angry when I made fun of privacy being a killer app. I know who they are too, and one I consider a good friend. The other two I don’t know so well because they don’t post jack on Instagram. Go figure. Now we do know that identity theft is a real and brutal thing. We know that so much of our lives is online now that it doesn’t take much to roll us. And while my method of cranking Twilight videos up at work to drown out my personal noise is good, it’s not the best kind of privacy one can have. The best kind of privacy is the one that the we can find in Fairytopia, Neverland, RaccoonWorld, and between the pages of that mythical story of an impossible place called GDPR. There’s where we’ll actually find the privacy we need, the privacy that a killer app would be good for. Unfortunately, nobody would buy it.”
By November I had attended a lot of conferences in a short period between September and end of October. A boatload. One a week actually. And something struck me in that time - the glorification of a particular cybersecurity professional by a large organization to the level of Pop Star. So I needed to write about it:
“It turns out modern cybersecurity has a lot in common with pop stars. For one, it’s too easy to make it big with just a little skill and a lot of confidence because you have software that can do all the work for you. Vulnerability scanners make the auto-tune voices of the security space. And the same self-confidence you need to try to convince the world this vulnerability you discovered may be the end of the Internet as we know it is also the same you need to wear a full-body, raccoon-fur leotard on stage in front of 10,000 people.”
By the end of November, I had to share the research I did on the use of risk in cybersecurity. It was a very polarizing article, either people loved it or hated it, or thought it was okay. Okay, maybe not all that polarizing but an important article nonetheless that didn’t mince words or dispense pleasantries:
“Now I’m all about luck. I love it. I love it when I find a few bucks on the street. I love it when the car actually misses me when the driver loses control. I love it when the raccoon chooses my neighbor’s garbage cans. I love it every time I win the lottery.”
I was on such a roll that I even ended with raccoons:
“You know, I could write a hundred pages on this topic, but I won’t, because those of you who get it already stopped reading and those of you who don’t already stopped reading. And the rest of you just kept reading in case I’d make another raccoon analogy. And you’re now disappointed.”
Closing out the year I tackled the age-old question of attribution and a bunch of other questions as well. But mainly, it was about realistic threat detection and prevention and what we can really do:
“Many cybersecurity companies and government agencies have given advice over the years on how to protect yourself online that I will condense here into a single sentence on how to assure yourself complete protection: don’t have a bank account, register for anything online or offline, use social media, vote or use any government benefits of any kind, be in the military, use your personal identity number for anything, have any kind of electronic medical implant, drive a car newer than the 1980s with ABS and fuel injection, store any kind of data whether pictures or addresses on an electronic device that is networked in any way, or not walk into a “Smart City”. Additionally, you’d be wise to also not try to put footsy pajamas on a wild raccoon even if it has little pictures of raccoons on it. That won’t help you against hackers but it’s just sound advice from my experience and I don’t want you to suffer it too.”
I ended the year with a thought-provoking challenge as to what we can do with all those unsuccessful attacks. That’s a lot of energy getting wasted. So how can we put it to good, productive use? Make lemons from lemon seeds, I say:
“Now some of you are thinking, what? Well, you know how I told you how I turn every TSA pat-down into a much-needed hug by feigning dizziness? Or how I use neighborhood package thieves to haul my trash away by packaging it in Amazon boxes and leaving it on my porch during the day? Or how I got rid of the raccoons in my yard by putting up a sign that said “Free Kittens” until the neighborhood middle school kids cleaned out every last one? Well, we need to do something like that. We need to turn something terrible into something wonderful, maybe even profitable.”
Please forgive me - I was waxing poetic, but to wrap this up, I can only hope you may have gained something of value from my many articles - especially how raccoons fit in the cybersecurity space.