Jeff Wilson is a self-described IT pro by day, tinkerer by night. I had a chance to catch up with Jeff ahead ofSecurity Field Day.我们谈到了代码完整性的重要性,修补的乐趣,以及为什么您应该三思而后行地考虑所有这些智能设备。在Twitter上关注Jeff@jeffwilsontech。
杰米(Jamie)轻松:当您不参加Security Field Day等活动时,您的日常工作是什么?
Jeff Wilson:我一直是IT专业人士已有18年了。我认为自己是一个具有安全重点的IT通才。我有多个学科的经验 - 存储,网络和虚拟化 - 在过去的两年中,我已经提高了安全性,今年早些时候获得了GSEC认证。而且,我是洛杉矶一家公司的高级系统工程师。
JE: How did you get into IT?
JW:我一直都有技术能力,但是当我上大学时,我研究了一些不同的历史。但是,我需要在大学里工作,所以我去了Helpdesk并被聘为学生工作者。iMac G3刚刚出来,所以我在校园周围的教授和教职员工的课程之间度过了一段时间。
After I got out of college, I found IT paid the bills better than being a history teacher, so for the next eight years, I progressed from Level 1 helpdesk person to network technician, database administrator, and finally, systems engineering. In the meantime, I picked up a Master’s in Public Administration while working at a school district. My MPA gave me the framework and ability to understand how people work together and organize inside large organizations, and I feel it’s been very useful in my security work.
JE: What motivates you to do what you do?
JW:I like building and enabling success for users and employees. There’s a feeling of joy when you build something from the ground up, release it into the ‘wild’ and watch it take flight. It’s a bit like being a kid after you’ve finished building a Lego set.
JE:您认为人们始终忽略或不知道的最大安全风险是什么?
JW:I worry a lot about code integrity. I don’t know if it’s a legacy of our industry, where we shot from the hip. Open source works great, but it’s a little bit cowboy-ish.
I come from a Microsoft way of thinking, and I’m focused on making sure the binaries running on my network haven’t been modified or touched.
JE:业内有很多讨论说,没有足够的IT安全专业人员来满足需求。我们需要做什么才能吸引更多的人进入该行业?
JW:The shortage is more than just security. It’s technical people in general. The only way to address it is to grow the pool of people in our industry. We need to attract more women, people of color or people who haven’t been represented in our industry but maybe have equivalent experience in other verticals.
Young girls and young boys of all colors and backgrounds should have the opportunity to learn computing and technology if it sparks their interest.
JE:AI如今是一个热门话题。您认为AI在网络安全上被用来善还是邪恶?
JW:AI大约是80%的嘶嘶声和20%的牛排。
From my seat, the benefits of AI are mostly in automation. And automation is a large component of security. We in IT are often touching components of our stack that we shouldn’t touch, which affects the integrity of our stack. If AI can automate the busy work such that we don’t feel the need to touch so many things, we’d have high integrity systems that were as sealed as an iPhone or Xbox.
但是,在组织中拥有过多的AI或自动化存在危险。我强烈认为,人类应该在某个阶段处于循环中,我认为法律最终将要求这一点。
从消费者和业务的角度来看,我的感觉是,了解谁设计AI系统变得越来越重要,因为人们将其价值,偏见和商业模型编码为软件。
When I look at a product advertising AI features, I ask myself who built it, the tooling they used to build it, whether it was built in an open source fashion on Github, and what the algorithms intend to accomplish. Then I think about the price of such a product, and how data from the product might be monetized. Taken together, these are the ‘ingredients’ of many modern AI products, and I think that, as a society, people will eventually want to see them listed in the same way that nutrition labels inform us about the foods we eat.
JE:你有一个聪明的家吗?
JW:我不像我的一些同事那样大胆,但是我确实有一个Cortana扬声器,Wi-Fi恒温器和一些POE摄像机,以确保安全。我经常考虑这个空间。随着越来越复杂的设备最终进入我们的私人房屋,随着从业人员将其扩展到我们的住所,我们的安全界限。我们已经看到了几种面向消费者的智能设备的黑客。
在我的家庭网络,这是相当复杂的,I’ve got micro-segmented VLANs for specific uses. One VLAN is for trusted devices used by my family (computers, Xbox console, and Apple devices). Other devices I trust less, like a set of Sony multi-room speakers (running Android), are segmented to another VLAN. Finally, I put the cloud devices I can access with my phone or my voice on a private VLAN so that they can only reach the internet, but not each other.
This is not something an average consumer could do, but I think the market is responding and we’re seeing some sophisticated home technologies today that borrow a lot of principles from the enterprise.
JE: What is your favorite technology gadget?
JW:我在不起眼的PC中发现了很多价值。PC很酷的一件事是,您仍然可以构建一个,修补它,将其拆除并再次构建。我爱我的iPhone,但我无法修补它。修补是让我进入技术的原因。
Another great device I like is my SharkTap. For about $90, you can tap any network link transparently and pipe out wire data to your console for inspection. At home, I have a SharkTap between my modem and my firewall. I use it to monitor inbound/outbound traffic flows to see the same wire data my ISP sees. Lots of fun!
JE: What is your favorite meme these days?
JW:它不受欢迎,但是我喜欢一个在暴风雨中森林森林森林船上的森林杂志电影中的丹中尉。对我来说,GIF谈到了毅力,英勇和战斗。
JE:谢谢,杰夫。我期待安全现场日!问我们棘手的问题!
杰夫是一名代表Security Field Day12月14日,星期五,PST上午9点。在这里观看直播。
认识其他代表
Ethan Banks talks cybersecurity and winter peak bagging.
保罗·斯奈德(Paul Snyder)在他聪明的家中使用补偿控制。
Christopher Kusek talks about why sensitive conversations need to happen in a Faraday cage.
