Infosec decision-makers must rely on facts
Personally, I am terrified about how the world is moving to a dystopian sci-fi reality. Movies such as War Games, Robocop, Terminator and The Matrix can no longer be classified under 'science fiction'. It is a matter of when, not if, that the world enters a Huxleyan or an Orwellian dystopia. The machines have penetrated our lives a little too much. And humanity has allowed it to happen, one 'like' at a time, to get a bit of a dopamine rush from time to time."
These are the words of Saumil Shah, CEO Net-Square Solutions, who will be presenting on 'The Seven Axioms of Security', at the ITWeb Security Summit 2017, to be held from 15 to 19 May, at Vodacom World in Midrand.
A journey into security
CEO of Net-Square Solutions, Saumil Shah's journey into computer science began in the late 80s. "It was the age when 8-bit microcomputers still dominated the home computer scene, and PCs were finding their way into businesses. I participated in a year-long national programming competition in 1988 and eventually stood second in the finals. I won a BBC Micro as a prize."
In 1991, Shah built a robot out of Lego Technic that played Tic Tac Toe using a paper and pen against a human opponent. "The programming was done on the BBC micro and my father helped me interface the Lego motors with the BBC's I/O ports. This was almost a couple of decades before Mindstorms came on the scene. This is when I realised I want to build my career in computer science."
His describes his journey into information security as being intertwined with his career path from the beginning. "It has been a very long journey. During my MS-DOS days in the early 90s, I used to reverse-engineer viruses, battling the likes of Jerusalem, Raindrops and Dark Avenger. This got me deep into DOS internals, assembly language and debugging."
During his undergraduate studies, Shah used to work part time as a research assistant at the Indian Institute of Management, where his small group built a campus wide LAN using scrapped hardware. "I also used to defend the network from viruses and worms during those days."
His graduate studies took him to Purdue's COAST Laboratory (now called CERIAS) and his interest turned towards cryptography, in addition to operating systems and TCP/IP networking. "In 1998, we were offered a seminar class on a subject called "penetration testing", the likes of which I had never heard before. It was all about breaking software, and I signed up purely on impulse. Little did I know that this would become my career path from then on."
My first job was with Ernst & Young as a Unix penetration tester. The lure of the dotcom days saw me and my E&Y colleagues forming Foundstone, where I worked until 2002, and thereafter started my own company Net-Square and have been running it since. I am an entrepreneur at heart."
A turning point
Shah describes 2002 and 2003 as years of disillusionment. "Reality gave me a very different view than my perception of business relationships. Net Square was just started, and it went nearly broke. My decision to stay with my venture and see it through was the defining point.
"Infosec conferences have also been a huge influence in my career. My first Blackhat and Defcon was in 1999. 2017 will be the 18th year for me teaching classes at Blackhat. Of late, I have preferred smaller conferences over the larger ones, purely for enhancing my own learning through interaction with other speakers and participants."
Would he have done anything differently? "A dear friend of mine once told me: 'Once a hacker, always a hacker'. He didn't use the word 'hacker' as a negative term that is has unfortunately become, instead he was referring to our abilities to think outside the box, push a system beyond its limits and repurpose it to do something we wanted it to, not what it was built for. It is innovation, but in an unusual way. Apart from a few minor course corrections here and there, I wouldn't have done anything differently. But I do dream of exploring the Himalayas and the forests of India not too long from now."
Joys and frustrations
Speaking of what he loves about his work, Shah says he enjoys learning new things. "Our firm is a boutique penetration testing company. The kind of learning we as a team get from our customer environments is most valuable to me. I wouldn't have experienced this kind of variety working for a technology company."
He adds that teaching offensive security classes at conferences has been another driving force behind his learning. "Every few years, I feel like diving into a new area, so I decide to teach a class on that topic, and then I have to force myself to exceed expectations."
Frustrations however, aren't far behind. "What frustrates me most is that infosec decision-makers rely less on common sense and independent investigation and are more likely to fall prey to hype and fear, uncertainty and doubt. Information security was supposed to be an exercise and mission in fact-finding. Rather it has turned out to be a very reactive game of buying boxes or services that rely upon 'rules, signatures, updates' and recently 'machine learning'. Year after year we see millions of dollars of infosec equipment occupying racks, filling up line items in annual contracts and invoices, and racking up stacks of compliance documents. Yet the hacks still happen. When will the decision-makers depart from the herd mentality?"