Tribe of Hackers Spotlight: Dan Tentler
Dan Tentler is the executive founder and Offensive Security Practice Director of the Phobos Group.
He has an established reputation in the industry for his innovative risk surface discovery projects and numerous speaking engagements. Dan and his team have conducted unique targeted attack simulations for companies in sectors including financial, energy, manufacturing and industrials, and various platform service providers. Dan routinely appears in the press to speak on new security risks and security industry development.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?
Examining their own perimeter, even with a rudimentary skill set. Many orgs simply ignore security outright and focus almost solely on compliance. It literally translates to “They’re putting in zero effort.” They do the paperwork dance to keep the auditors away, and they make that circus sideshow of smoke and mirrors so elaborate, so huge, that it takes a whole department of people to produce all of this self-referential documentation to occupy regulators and auditors. If they actually did some kind of security instead of completely ignoring it, it would make staggering, mammoth improvements. Even just having an inventory of their equipment and Nmapping it from time to time.
Do you need a college degree or certification to be a cybersecurity professional?
No, flat out. I and many other professionals have established careers on their skills alone. Think about it this way: How long does it take for Q1 2018 threat intel and knowledge about bugs and techniques to percolate down to students sat in chairs? Ten years? How good is that information ten years later? Maybe parts of it, but certainly not all of it. Certifications tend to be a mixed bag. Many, many certifications are specific to hardware or equipment. CCNA/CCNP, for example, these are great certs, but only if you’re going to be spending a lot of time working with Cisco equipment on switching and routing. You want to do firewalls or wireless? Those are different certs.
There is no “well-rounded security cert,” no matter how much people attempt to convince you otherwise. That 400-question, multiple-choice cert that asks you about barbed wire fences and fire extinguishers? Don’t waste your money. There is a whole school of thought for getting into information security that follows the “practice what you preach” mantra. Do you really think we’re improving things for everyone if we let people “just buy their way into security?” Do you think those people who “just bought their way in” won’t also be the same people from the previous question who will “just buy an expensive appliance in an effort to solve their security problems?” There are patterns here, but few people in the industry are actually willing to admit this is the case, because it is this charlatanism that keeps them getting paid.
What qualities do you believe all highly successful cybersecurity professionals share?
The ability to be malleable. Security rolls forward with technology, and technology is always changing. If you’re not prepared to adapt when the new things come rolling in, you’ll get left behind—plain and simple. Always be learning, always be interested in what’s coming down the road. Some of it is interesting, and some of it is horribly lame. You have to see what’s coming and examine whether it’s something that you want to be involved with. Your success will depend entirely on the choices you make here.