4/1/2015
11:00 AM
Dance Of The 'Next-Gen' CISO

Security Pro File: Classical ballerina-turned hacker-turned CISO Justine Bone talks old-school hacking, biometric authentication, coding in stilettos, Kristen Wiig -- and finishing her kids' leftover mac and cheese.

When Justine Bone visited New York City at the age of 21 with the Royal New Zealand Ballet Company for an auditioning tour, she decided two things: one, that she definitely loved New York, and two, that she wasn't going to be a prima ballerina after all.

"If I can't be the best in the world, screw it, I'm out," Bone recalls thinking that day in the mid-1990s as a young professional ballet dancer on the New York stage. She vowed to come back to New York someday, and when she returned home to New Zealand, she enrolled at the University of Otago and earned a degree in computer science.

Bone, a renowned pioneer in the white-hat hacking world turned chief information security officer, got her start in security with New Zealand's equivalent of the National Security Agency, the Government Communications Security Bureau, where she spent her first job out of college heads-down hacking on the agency's newly minted security offense team. "I learned how to reverse-engineer, write exploits, and code. I was Windows-focused: I was all over Windows NT and Windows 95, finding bugs," she says.

Security was in Bone's blood: her dad was a detective, and she found herself a natural at hacking things as a teenager. "Climbing out of windows in the middle of the night to see boyfriends," she quips, "I had to figure out the home alarm system, the motion detection system. I kind of grew up with a hacker mentality."

Bone ultimately worked her way back to the Big Apple as she had planned after landing a job as a consultant and researcher in 1999 with Atlanta-based Internet Security Systems, now IBM X-Force, after meeting some of the company's executives at a seminar. "I walked up to them and said this is what I do. I know how to hack and I think I can help you and you can help me," she recalls. She eventually moved from ISS's Atlanta headquarters to its New York City office, where she honed her hacking skills in penetration testing.

An "old-school Windows hacker," Bone used to hunt for zero-day buffer overflows and write exploits for them. "I was queen of the buffer overflows," she says. As SQL injection flaws came to light with the explosion of Web servers, she set her sights on Web application bugs as well. Bone later took her skills to the business world, setting up the security department at Bloomberg LP, where she was head of risk management, a gig that encompassed both information and physical security.

Bone later co-founded security research firm Immunity Security in 2002 with David Aitel, serving as CEO, and in early 2013, returned to the enterprise security space as CISO of Dow Jones, a job she held until last fall when she left to become chief information security and solutions officer at identity management company Hoyos Labs. She describes her current role as a "next-gen" CISO, which entails overseeing security at Hoyos as well as helping its customers understand the company's biometrics-based identity management technology and how to integrate this new generation of facial, iris, and periocular authentication into their environments.

"I do presentations to customers, pure sales calls, internal strategy ... I'm at least 50 percent business-oriented," she says. "I'm still needed in a technical capacity, so still [creating] white-boarding designs, wondering where our bugs are, and still converting those who don't believe in zero-days."

Bone works in Hoyos Labs' Manhattan office four days a week, and then returns to her home in Miami where she lives with her three young children, ages 3, 5, and 9 -- all boys. Her commute requires a little creative hacking of her time and the discipline of a dancer: she leaves from Miami at 3:30am on Monday morning, and gets to the office by 10am. On Thursday night, she heads out of New York and back to Miami, where she works out of her South Beach office on Fridays.

A lot has changed in security since buffer overflows were all the rage, but after nearly two decades in the field, Bone is painfully aware that she remains one of the only women in the room in security. "We need to make it more attractive to women," she says of the security industry and its wealth of job opportunities. "You can be social and engaged with other humans and code," a fact often overshadowed by the standard geek stereotype associated with the tech world. "You can wear stilettos and code."

Bone says some women and men can be intimidated by the security industry's relatively aggressive culture, where many experts don't hesitate to call one another out publicly over a technical detail or dispute over a security issue. "You've got to be very factual and assertive to survive in our scene," she says. "For someone coming in, that can be a bit intimidating."

That's where her classical ballet training came in handy. She says her past experience performing on stage helped her through some nervous moments as a 20-something woman in security walking into a room full of men. "I was able to hold my own," she says.

As a seasoned CISO and a hacker, Bone is also well aware of the major security challenges faced by businesses today, especially large, established ones in an era where cyber attacks are now routine. Large companies struggle to manage their data, much less control its access in a climate of mergers and acquisitions. "They don't understand their systems, and they certainly don't understand their data and where it is," Bone says, which leaves them vulnerable to attacks and data breaches.

"The other problem is accountability: the way we authenticate doesn't work anymore," she says. "You have to introduce accountability into the equation so we really understand who has access to what, where the transaction is initiated, and which humans are involved."

Bone's hacking projects today are more on the philosophical side of things. "These days my research gets pretty out there and philosophical" about the balance between privacy and technology, she says. She's focusing on things like data-centric security strategy.

That doesn't mean she doesn't ever want to get back into the trenches again. "I'll end up on a beach coding someday" when I retire, she says. "We still need other old-school coders out there."

Justine Bone, chief information security & solutions officer, Hoyos Labs

PERSONALITY BYTES

Worst day ever at work:
The day I found out my CEO was no longer with Dow Jones. Everything changed overnight.

What your co-workers don't know about you that would surprise them:
I'm so business-oriented these days, maybe it would surprise them to see me when I was an orange-haired techie, spending all my days in a blacked-out room, coding and reverse engineering with the best & worst of 'em.

Security must-haves:
My face and my phone.

Business hours:
These days it never stops, but sometimes I take breaks. If left to my natural rhythms I lean toward 7am-10am for creative thinking like presentation preparation or solving harder tech problems, 10am-5pm is major game time - customer meetings and what-not, after that the more administrative stuff. Some business meetings in the evenings, a few phone calls, or writing papers over the weekend. I sleep on planes.

Actress who would play you in a film:
People are constantly thinking I'm Kristen Wiig. At The Wall Street Journal, rumors went around that Kristen Wiig was on the floor, but it was just me at work. I get it when I go into shops. I get it all over the place. I can't imagine how much worse it must be for her: "Hey, are you Justine Bone!???" probably every time she sits down at a keyboard.

Favorite hangout:
Segafredo's on Lincoln Road in South Beach. Great outdoor people-watching, great cocktails, great music.

Comfort food:
My kids' leftover mac & cheese.

In your music player right now:
Tove Lo, ODESZA, The Broods and Hannah Georgas.

Ride:
A VW Eurovan and Fisker Karma as needed in South Beach. Everywhere else, Uber.

For Fun:
(Spending) time with my kids in the pool/beach/yard primarily. I also love music and I'm an amateur turntable DJ. And I love clothes - I spend too much time thinking about clothes.

Next career:
Artist.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
