#000 – Douglas A. Brush: You’re Always a Student – You Never Stop Learning
Before we tackle the hearts and minds of some of the leaders and influencers in cyber security, I wanted to provide a little background about me and how I got started in cyber security.
As far back as I can remember, I always wanted to be a hacker.
In 1981, at an impressionable age five, I plopped down in front of a Texas Instruments TI99/4A computer. It had a whopping 3MHz CPU, 16K of RAM, and 16 colors. My parents got one for the home and I mostly used it to play video games. My favorite game was Hunt the Wumpus.
At some point, I came across Compute! magazine that had instructional pages of BASIC, spaghetti code programs that you could use to run on your computer. After hours of painstakingly transcribing lines and lines of GOTO commands into the TI99, I would have a small colored box bounce from one side of the screen to the other. Then back again. #Fun.
[caption id="attachment_1332" align="alignleft" width="173"]“Hi sugar. After you store my 'portable' computer, can you please light my Pall Mall and fetch me a double Alabama Slammer?" Image source: Oldcomputers[/caption]
The Reagan 1980's roared on and computers gained greater adoption in the business community, particularly in finance and accounting. However, computers for the general public consumption were still in their infancy. Glorified calculators with some generic word processing capabilities. Then movies like Tron and War Games came out. Whoa. They depicted the anti-heros as computer users, but different. They were hacker misfits, but cool in their own way. They could command computers to do powerful things. I wanted to do that.
My parents continued to bring technology into the home (they were leading communication consultants and authors) including new computers to play with, break, and hopefully, repair. In the summer of 1983 we made the investment in a Compaq Portable Plus. This was also a deciding point because it set me down the IBM/PC market path (sorry Apple). Mind you, this beast of plastic and metal was marketed as "portable" at 28 pounds. Nine-inch monochrome monitor and detachable keyboard? Heck yeah I'll travel with this thing! And we did!
The real selling point to me on this computer was WordPerfect 3 with the spell checking feature and a printer. No longer was I chained to homework assignments of handwritten drafts! I was able to write a book report on birds, it showed me how horrid my spelling was, and I could print it. Sold. However, my final submission caused a certain amount of controversy with my teacher. She accused my parents of writing this masterpiece. With Kerouac-esque lines like "Cardinals are red," I can see the confusion. She simply couldn’t understand how a kid could use a computer to write a paper. This resulted in my parents meeting with the teacher and principal to explain how I could possibly do such a thing.
Luckily things started to change and computers were becoming more mainstream. They were more and more likely to be common appliances in the home.
“I asked for a car, I got a computer. How’s that for being born under a bad sign.”– Ferris Buller
[caption id="attachment_1333" align="alignleft" width="568"]A MUD. By Source, Fair use, Wikipedia.org[/caption]
In the late 1980’s, we started using CompuServe and then Prodigy. A whole other world with computers opened up. Computers, and me, were now connected to people all over. I could chat and play text based online games. Hardly worth PewDiePie commentary, but it was fun to explore these MUD's (Multi-User Dungeons).
For those old enough to remember, this also created some lessons in POTS and the North American Numbering Plan (NANP). For those not old enough to remember, for these services we had to find "local" numbers to have our computers dial into (yes on landline phones, now get off my lawn). If you didn't use a local number, the Bell carriers would charge you long distant charges per minute on top of the per minute charges of the online service. Whoops, sorry dad.
In early 1990's while in high school I became the "go to" family member and friend who could fix computers. "Doug, the stupid thing won't turn on." "Windows won't open." "I have no sound." I have edited my fair share of Autoexec.bat files and fixed paths in Config.sys files just to get computers to boot or play noises (Sound Blaster drivers anyone?).
At some point, we moved away from Prodigy and got on this new thing called the "Internet" with a local ISP. I wasn't limited to messaging users on closed systems or bulletin boards anymore. Now, I could email people with a publicly routable address and post and search Usenet forums. It was pretty cool to suddenly be able interact with people all over the world. I even saved my pennies to make the big jump to a 28.8k modem for some real speed!
After graduating high school, I was faced with a “do what you love” (computers) or “do what you should” (college) scenario. The options to combine the two scenarios at that particular time was not appealing. The big push for college computer science in the early/mid 1990’s was still focused around mainframe computers and COBOL programming. Um, no thanks. It was not appealing to get pushed towards what I felt was an antiquated architecture when home and small business PC’s were on an exponential rise, the Internet was gaining visibility, and LAN equipment prices were falling.
Through my parent’s communication consulting company, I gave presentations at business groups in Poughkeepsie, NY (IBM country!) about using the Internet and the World-Wide-Web to market and promote your business. After one of these talks, a gentleman came up to me and said, “Kid this is all great, but no one knows what the hell you are talking about. People and businesses need more general help with computers.” Good point. I took my college savings and started a computer consulting company called Computer House Calls. Business quickly took off and I grew a decent client base serving the Hudson Valley in New York. The best part was I was doing what I loved: troubleshooting and exploring technology.
I also started to get more interested in cyber security as well as hacker culture. I was very intrigued by the interplay between technology, law, activism, privacy, and security. I devoured books like the The Cuckoo's Egg and The Hacker Crackdown. I consumed back issues of 2600 and Phrack and regularly listened to Off the Hook (which as far as I can surmise, is the first “podcast”/radio show dedicated to cyber security). When the movie Sneakers came out, I wanted to be Robert Redford’s character Marty Bishop and run a team that would get paid to hack in to places.
I closely followed the exploits and (mis)adventures of hackers like Kevin Mitnick and Kevin Poulsen. I was amazed by what they were able to pull off. What was even more shocking was the fearful reaction they garnered from law enforcement and the media. When Mitnick was finally caught, the prosecution made claims that he could start a nuclear war by whistling into a payphone. To me, this demonstrated a huge disconnect with the public’s understanding of how to secure technology work, even while becoming voracious consumers of all things digital.
During the Internet bubble of the late 1990’s and into the early 2000’s I started and built various IT consulting companies with services around networking, desktops, support, web design, and home automation. I did a ton of malware and virus remediation for clients and was exposed to the various tools that let me see how these nasty pieces of software propagated and infected machines.
By the time the global financial crisis hit, I decided to focus exclusively on cyber security. It was (and still is) what I loved doing and the marketplace for these services was maturing. I started The Digital Forensic Group, a firm focused on digital forensics, incident response, electronic discovery, and security consulting. I then moved my practice to larger consulting firms to cover end to end security consulting. I have worked investigations involving computer hacking, insider threats, massive corporate espionage, and trade secret theft, as well as assisted clients improve their defenses by having me break into their networks.
Currently, I run an amazing “A” team of forensicators, penetration testers, security analysts, and data privacy experts. We provide a full range of cyber security and information governance consulting services to clients around the globe. Most importantly, I get to do what I am passionate about and love doing. Every day I get to be a hacker, solve complex problems, and help people achieve a better state of information security. It’s a dream come true.
However, as I look back on my journey and talk to others, I realize there is no “one way” to start and stay in the field of cyber security. Whether you are involved from the military, law enforcement, consulting, or IT services, it doesn’t matter. There is no one path. Additionally, that type of diversity of professionals only makes the industry stronger. We all need to learn from each other and share our experiences. There is not one person who knows it all.
I also love the willingness to help each other and the collaboration to solve problems from this diverse set of professionals in cyber security. There truly is a security “community.” Whether it is a technical problem or a career hurdle, there is someone else out there who has overcome that same obstacle. I have had countless discussions for years with other professionals online, at conferences, or over drinks, which have changed the way I think about cyber security. Sometimes, it was just enough to hear that I was not alone when mulling an opinion or thought.
So, that is where my idea to create this podcast started. What if I can capture those moments and frank discussions? I want to share the stories from other cyber security leaders and influencers so everyone can learn from their respective journeys and challenges. Why did they take the path they did? Who were their mentors? How did they tackle some of their biggest career challenges? Where do they think the industry is going?
By hearing how the industry leaders and influencers got to where they are and how they overcame some of the problems they faced, I hope to shed light on the path for other professionals. Also, the cyber security professionals I have come to know over the years are some of the funniest, intelligent, and most interesting people I have ever met. It has been very rewarding to get to know them want to share this experience with others.
So please join me as we meet the leaders and influencers in cyber security. I will discover what motivates them, explore their journey in cyber security, and discuss where they think the industry is going. Cyber Security Interviews will let listeners learn from the experts' stories and hear their opinions on what works (and doesn't) in cyber security.
Thank you, I look forward to hearing all of your stories.