Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

10/2/2019
08:00 AM
Sara Peters
Sara Peters
Edge Features
Connect Directly
Twitter
RSS
E-Mail
50%
50%

The Inestimable Values of an Attacker's Mindset & Alex Trebek

Akamai security architect Marc Pardee tells the story of cutting his security teeth as an NSA intern and why all cybersecurity professionals can benefit from learning how to break things.

Marc Pardee has very strong opinions about who should succeed Alex Trebek as host of Jeopardy! His position on Major League Baseball’s use of instant replay is also clear. (Kill it.) And he is positively certain that learning to attack computer systems makes one better at defending them.

Now a cloud security architect at Akamai, where he works as a technical security presales expert, Pardee began his career 10 years ago like many of us do: as an intern.

An intern for the NSA.

That NSA internship led to a second NSA internship, which turned into a full-time job as a cyber exploitation analyst for the National Security Agency, "which was really interesting," says Pardee, "because all through undergrad I didn't study anything on cybersecurity."

For three years, Pardee performed network analysis to include target characterization, exploitation usage, documentation, and exploit planning to help the intelligence agency extract insights from targets. Yet he'd begun as an electrical engineering major, with dreams of working on mobile communications, and was initially hired by NSA to work on power distribution logistics.

Pardee didn't have any training on cyberattacks or defense. What he did have was a strong set of critical thinking, logic, and problem-solving skills – a highly translatable skillset that was further honed by his NSA work. The agency trained him on the rest.

"Looking back on it, I got a lot of interesting classes and experiences there to learn about security from the other side first. Everything was taught through an attacker's lens," he says. "Now, as I've continued my career, I see how valuable that is.”

Many IT professionals, he explains, will begin their careers learning about the right way to do things. They'll be trained in best practices and provided checklists for writing good applications and building strong networks. Conversely, Pardee admits he didn't learn the "right" way to do things until later in his career; his first lessons were "what happens when I push the 'wrong' button." And that, in his opinion, has been beneficial.

"I don't think there's really a better way to understand how something works than breaking it," Pardee says. A team with professionals who "have certain skills breaking certain systems and networks will translate naturally into having a stronger understanding of how to set up and design those things — and prevent someone like them from breaking back in."

(Image Source: Marc Pardee)
(Image Source: Marc Pardee)

"Regardless of your position," he says, "whether you're an analyst or sales or whatever it might be, you have this insight that can contextualize the decisions that are being made or the traffic you're seeing. Is that noise or is that an attack? If you have that background [in offensive cybersecurity], you can help stakeholders understand the threat landscape they're facing."

That same rule applies to Pardee in his current position helping companies solve cloud security challenges — challenges they know they have but don't fully understand. He gives himself "the mom test" when presenting complex security concepts.

"How would I explain this to my mom so she doesn't get phished by somebody or have ransomware take over her computer? Similarly, when I have customers I'm dealing with on the cloud platform, how do we help them keep people like my mom … from being targets of these credential abuse or account takeover attacks?"

Some employers may still shy away from hiring security professionals with "scary" backgrounds as "hackers," concerned that they might one day become a malicious insider threat. Yet Pardee notes that credentials like the Offensive Security Certified Professional and Certified Ethical Hacker may help employers find talent they can trust.

"There are organizations, including the government, that struggle today to hire any kind of talent because of things they perceive to be as those kinds of risk, but they still go through with it," he says, "because what is the saying? It takes a fox to guard the hen house."

FAVORITE TECH OF ALL TIME: The Samsung Alias2 flip phone, equipped with a full QWERTY keyboard, e-Ink screen, and a dual-hinge design so you can view the screen in portrait or landscape. He still has his. "If flip phones are ever a fad again, I'll be ready."

FAVORITE TECH NOW:  Smart doorbell. "That thing tickles me to no end."

HOW 'SMART' IS YOUR HOME: "I get the [privacy and security] concerns, I understand them. … But when I'm bored working from home I can always just talk to the [Google Home] speaker, pretend that the FBI is listening on the other end, and share how my day is going with somebody. … There are legitimate concerns, but I guess I'm going to ignore them to my eventual demise."

WHEN NOT WORKING, YOU ... : "What I would like to be doing is anything in the mountains. Hiking. Skiing. Professionally speaking, I'd love to be spending more time setting up labs and poking around vulnerable machines." (However, grinding toward a graduate degree in information systems is largely preventing those pursuits.)

SECRET FANBOI OF: Ken Jennings, the author and computer scientist who famously won 74 consecutive games of Jeopardy. "I've always been a big kinda trivia nerd. So I think I was just caught up in the swell of what he did on the show. And he seemed very affable. And he's continued. He writes books — his sense of humor hits me to my core."

SO THEN THE NEXT JEOPARDY HOST SHOULD BE: "Ken has to get the job. If he doesn't, we might as well just cancel the whole thing. Although, if Alex Trebek, who does not know me, called me up and said, 'Hey, you've got the skills and the right stuff for the job, we love what you do in security, love this interview you gave to Dark Reading, please please come here, we think you've got what it takes,' then, yeah, absolutely. That's a dream job."  

IF YOU COULD CHANGE ONE THING ABOUT ANYTHING: Pardee would instill and teach more deep critical-thinking skills. "I think some of the biggest frustrations we see in the industry, the world at large, [are that] folks cling to an answer that sounds good or fits with whatever your preconceptions are, without ever really thinking it out or challenging it. We would be in a better place if everyone stopped and scrutinized their problems a little more deeply."

Related Content:

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Edge Cartoon Contest: Need a Lift?
Flash Poll