An Interview with the Founder of Bulb Security, Georgia Weidman
Georgia Weidman is one of the few women in the Infosec industry who made a name for herself. She is an experienced penetration tester, security researcher and trainer. She is also the founder of Bulb Security which is highly rated security firm for security assessments and training.Georgia was awarded a DARPA Cyber Fast Track grant to build the Smartphone Pentest Framework (SPF). She is also the founder of Shevirah Inc. a provider of testing tools for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions. Shevirah allows security teams to integrate mobility into their risk management and penetration testing program. Georgia is invited as a speaker on many international security conferences To name a few she has spoken at the Blackhat Briefings, Brucon, Hack in the Box, Derbycon, and many Bsides events.
Georgia’s work has been featured in print articles including CNN, Ars Technica, PC World, and MIT Technology Review. She’s also discussed security on television on programs such as Fox News Live and 16×9 on Global TV Canada.
Georgia completed her bachelor’s degree at the age of 18. After that she perused her education in Computer Science from James Madison University with emphases in information security and secure software engineering.
Georgia success story doesn’t end there. Her book was published recently under the tile Penetration Testing: A Hands-on Introduction to Hacking. Here is an exclusive interview that she gave to Ehacking. We have asked some
EH: Hi Georgia, as we see in your short biography you have achieved tremendous success as an Infosec professional which is a rare thing. World want to know what brings you to this Industry?
GW: Well both my parents are technical, so it was kind of a given that I would pursue some sort of technical career. I went to an early college program that was all female. While there were fewer students in the STEM fields, I thought that was because they were harder fields of study than other subjects. It wasn’t actually until graduate school that it even occurred to me that women in computer science are rare. I’ve never let that hold me back though. I discovered cyber security in the collegiate cyber defense competition (CCDC) a competition in the United States for college students to get a taste of the life of security professionals managing a network actively under attack. I really enjoyed the competition, even though naturally it was more stressful to keep a network alive and well when a lot of security professionals kept trying to break into it. I immediately knew I had found my calling and decided to pursue a career in information security.
EH: You are pretty much becoming a role model with your accomplishments for the young girls. What message do you want to give them?
GW: Never let anyone tell you don’t belong in information security. Unfortunately, there are a lot of people who get jealous of anyone else’s success and try to tear other people down. Anyone who is in a minority in the industry gets more than their fair share of abuse. Don’t let it get you down. If people are mean to you, it means you are doing something right, making mean people jealous of your successes. It’s easier said than done to not let things like that get to you, but it’s important that people with a passion for information security pursue a career in this field.
EH: Give us an insight about your book? What was the motive behind it and what do you want to accomplish through it?
GW: I wanted to provide a hands-on book for beginners, people just starting in information security, to help them learn. When I was first starting out I had a lot of trouble getting the experience I needed to move forward. Lots of tutorials would assume understanding of Linux or programming or even previous information security experience that I didn’t have. And a lot of times when I would ask for help I’d get something along the lines of “Get off N00b!” which was very frustrating. I teach introductory technical information security courses, but naturally not everyone will be able to attend those. With the book hopefully I will be able to reach more people who are interested in learning these skills. Readers will have to do the work to learn the skills, setting up the environment and working through the exercises, but it makes the information available for beginners everywhere to learn.
EH: You have an M.S degree in Computer Science. Do you think that it is important for the people to succeed in this Industry to have an educational background in Computer Science?
GW: I went to college early at the age of 14. So when I graduated I was only 18 and not sure what I wanted to do yet. I went to get a Master’s degree just to avoid moving back home with parents after college. Luckily in the course of my studies I joined the cyber defense club at my school and discovered my passion for information security. I know many security professionals who do not have a college degree or studied another subject. Hard work and gaining skills in information security will get you far in this industry. That said, it is much easier to get your first information security job if you have a computer science educational background. Many schools even offer an information security concentration.
EH: We have seen that some hacking groups are pretty much in news in recent times like Syrian Electronic Army and Anonymous. What is the motivation behind those attacks?
GW: Why do people do bad things? That’s a question for the psychologist or philosopher. Hacking attacks are motivated by the same things as other types of attack. There are monetary rewards associated with attacks whether from some entity paying you for the attack or the “spoils” of the attack like credit card information. There is also the thrill and prestige that comes from said attack, although the individual anonymity is a drawback. I think the primary motivation for these latest attacks are to generate fear. Or maybe it is just a warning to us to take security seriously.EH: The companies are investing millions on their Cyber security programs but still we see time to time that even the most powerful companies fall victims to cyber attacks. As a founder of a Bulb security do you think the world will ever have a full proof Cyber Security program which was impossible to breach?
GW: I don’t think it’s possible to have a running network without at least some vulnerability. Consider your home. You probably have door locks, maybe an alarm system, maybe bars on the windows if you live in a very high crime area. But would you consider your house impossible for a thief to break into? What if the thief knows how to pick locks? What if the thief poses as a delivery person or police officer to trick you into gaining access? We can and should minimize risk as much as possible, but we must never assume that we are not vulnerable to any attacks. This will give us a false sense of security and we will not do the things we need to insure we are as secure as possible.
EH: According to a research the Cyber Security industry will grow three times in the next 4 years. This is the hottest Industry right now for the Investors. How do you see the future of this Industry? What challenges this Industry is facing and what steps can be taken to eliminate those challenges?
GW: The biggest challenge I see is the way our networks and assets are changing. In a traditional network where everything is hosted locally, physically in our data center, on someone’s desk, etc. The only way they can communicate is over the network, with all traffic passing through our perimeter to the Internet. With the rise of mobile, the cloud, etc. this is changing drastically. Traditional methods of vulnerability assessment, incident response, etc. are not sufficient to deal with these changes. In particular, my work centers around moving vulnerability assessment and penetration testing capabilities forward to cover the unique issues around mobile devices such as the mobile modem, near field communication, and the effectiveness of security controls around mobile such as enterprise mobility management solutions and data containers.
EH: What is your opinion about Edward Snowden?
GW: When Edward Snowden exposed our government’s spying practices, most people were not at all surprised by the news. This is really sad because privacy is one of those freedoms we should be protecting instead of giving away. Most of our privacy laws are built on an expectation of privacy. Do you have any expectation of privacy, now?
EH: Women in information security, is it still myth or they can make it?
GW: Of course they can make it, and anyone who says otherwise is the people who shouldn’t be making it in information security. Anyone who says otherwise needs to climb back under the rock they came from.
EH: At the end, what would you recommend/suggest to someone new in information security filed?
GW: My book of course. And there’s some great free training available at Cybrary.it including a course from me that does some of the exercises from my book (and some additional exercises and topics) in video form.
Something along the line of do lots of different types of trainings to figure out what you like and what you are good at. Network/intern with people in those areas so your talents become known.
interesting questions related to the current scenario, the future of Infosec and the role of women in this industry.
Georgia Weidman has achieved tremendous success in pretty short time. She was gifted because of her family background but it was in college when she realized her potential in a Cyber security competition.
The biggest reason behind her success is the passion, Georgia is a perfect role model for the young generation specially for those who think this industry is for men only.
