Female Hacker Rising: The Changing Paradigm of the Hacker Subculture
"If you can't handle her fire, let someone else enjoy the flames." -Anonymous
In 1903, the first known circumvention of security controls was when Magician and inventor Nevil Maskelyne disrupted John Ambrose Fleming's public demonstration of Guglielmo Marconi's secure wireless telegraphy technology when he sent insulting Morse code messages through the auditorium's projector.
In 1971, John T. Draper "Captain Crunch" and a friend created the first "blue box" used for hacking phones referred to as "phone phreaking." He was later followed in 1979 by Kevin Mitnick who broke into his first major computer system, the Ark, the computer system Digital Equipment Corporation (DEC) used for developing their RSTS/E Operating System.
From Maskelyne, to Robert T. Morris, to Peiter C. Zatko ("Mudge"), and the many other well known hackers I've missed all share one single commonality. They're... well... men. However much media attention male hackers throughout history have received, very little has been given to the female hackers lurking in the shadows of history. But as Heraclitus once said, "There is nothing permanent except change."
From Raven Adler, the first girl to speak at Defcon; Adeanna Cooke, the Playboy model also well-established hacker; Gigabyte, the creator of a number of malware variants; Xiao Tian, founder of the Chinese hacking group China Girl Security Team; Kristina Vladimirovna Svechinskaya who was responsible for hacking thousands of bank accounts across the United States and creating fake accounts at Bank of America and Wachovia; to Jude Milhon, also known as St. Jude; and Joanna Rutkowska, who was famed for hacking Windows Vista at Blackhat Briefings in 2006 and demonstrating a "Blue Pill" technique that allowed her to transfer a running OS onto a virtual machine well before the worldwide use of virtual machines and virtual servers became a "thing."
The list of female hackers across the pages of history goes on and on and continues to gain more traction today as the cybersecurity industry undergoes a radical shift as more women enter the field as engineers and senior management, such as Jennifer Sunshine Steffens, CEO of IOActive, Sherry Ryan, the CISO of Juniper or Kristin Paget, hacker at Lyft, as we ourselves learn and exploit our unique soft skills we bring that give us sustainable advantage in cybersecurity.
It is without contestation that women are radically reshaping the male-dominated cybersecurity landscape. We are naturally wired to think, act, and innovate like immigrants and the historical "underdog". These soft skills unique to us making us particularly effective in cybersecurity, giving us the ability to see what others do not, do what others won't, and keep pushing our ideas and ideals when prudence would otherwise say to quit or give up. This is especially useful in penetration testing when giving up before achieving Domain Admin in a target Windows domain is not an option.
I was recently taken aback by a comment made by an individual in a LinkedIn post recently who made the statement that the reason there are fewer women in IT is because women, unlike their male counterparts, prefer to have a family and be at home than have their lives consumed by work. He went on to say that we're not wired to sacrifice so much of our available time to work over family. Suffice it to say, I was not only just offended by this point, but disappointed that in 2018 this is still a very pervasive view of women in the workplace. This simply couldn't be further from the truth. This view of women that we all stereotypically prefer to raise families than have a successful career couldn't be more farce than it is now, and the data proves it. As a matter of fact, according to new federal data published, the U.S. fertility rate has plummeted to the lowest point on record. The first quarter of 2016 brought 59.8 babies for every 1,000 women ages 15-44. Nearly half the rate at the peak of the baby boom in the late 1950s. The numbers are an unmistakable trend. Women in our 30s are now increasingly choosing to have stable careers and higher income over motherhood. This gentleman's stereotype is what contributes to the systemic problems of how women are viewed in IT and why we need to continue to educate men on the matter whenever we see it.
In this article, I describe the soft skills that we as women have that make us uniquely effective in the field of cybersecurity and give us particular strengths as cybersecurity engineers and hackers. From being opportunity experts in seeing opportunity in everything in front of us that can be leveraged for exploitation and pivoting that a man may gloss over and miss, to being far more strategic than tactical, laser-focused, keeping our eye on our target, and not easily distracted or letting our egos get in our way to achieving the ultimate goal of "root."
The strategy inherent in our nature often times allows us to see what others don't. Such as the man who can't find the mustard staring right at him on the top shelf of the refrigerator that we have to hand him. A woman's lens of skepticism oftentimes forces us to see well beyond the most obvious details before us, the obvious "critical" vulnerabilities in the vulnerability scan that conveniently have Metasploit modules. We expertly stretch our perspective to broaden our observations. Many of us not hesitant to peel the defense-in-depth layers of the onion back in a penetration test until we ultimately get where we are set on getting. At times we play the part to test the intentions of others, particularly skillful in social engineering and vishing -- able to play any game when we have to. We know what cards to play and are keenly able to calculate the timing of each new move we make as we check each and every PHP script in the dozens that might be overlooked for lack of trying to find the failures to sanitize user input that could lead to SQL injection.
Because of our familiarity with being the underdog, we often work hard not to disappoint ourselves or others, often exceeding the expectations in any compromise. We hold ourselves to particularly higher standards knowing how we're perceived by our male colleagues and our attention to detail makes it difficult for others to cut corners or abuse any special privilege around us.
We're passionate explorers in pursuit of excellence. We are not satisfied with the status quo, and will always want to harden applications, systems, or networks better than they are today, seeing how much more secure they have the potential to be. We get things done and abhor procrastination. We enjoy order and stability and a genuine sense of control making us very effective hackers. We don't depend on others for our own advancement and thus have a tendency to be independent, even if that means learning Ruby to write the Metasploit module that doesn't yet exist or Python to create the exploit that hasn't yet been published. Our independent nature is our way of finding our focus in a penetration test or the analysis of hundreds of logs on a Syslog server or packets in tcpdump, each step of the way dialing up our pursuits.
Our natural inquisitiveness forces us to investigate all possible ingress points and when firewalls block the way, finding ways around it. We pursue this in ourselves and become knowledge seekers, not afraid to ask questions when given a safe platform to express ourselves, asking the most questions more often, and inspire to adopt new ideas and ideals that can be shared on social networks, at Defcon, Blackhat, or DarkReading. We have an unshaken work ethos driven by extreme curiosity balanced with a healthy amount of skepticism of any vendor claiming their product is "unhackable."
We want all things to be authentic yet practical, we enjoy a good challenge and seek to find meaning and purpose from each circumstance we face and opportunity we're given. We like to see and understand the connectivity between supposedly isolated network segments to breach the CDE, how the network and endpoint security controls work, or why they don't. We want all facts and figures before making important decisions and rarely, if ever, "ready, fire, aim."
We are the rising number of women in cybersecurity. Expect us. As usual, if you liked this article, please support me by clicking LIKE and share it to your own feed! This is the best possible way that you can support me and my continued research in this area. If anyone has anything to add or comment on in this article, please feel free to share it with everyone below in the comments section!I am the Group CEO of Brier & Thorn and heads up its Connected Car Division where my team and I perform penetration testing and risk assessments of cyber-physical vehicles (CPVs) from OEMs in the United States, Europe, and Asia. As a recognized thought leader in the new Internet of Everything economy, specifically telematics and infotainment systems, I can be found speaking at se
curity conferences in North America and EMEA, vlogging, blogging, and writing contributed articles on the idiosyncratic cybersecurity issues affecting IoT that matter most. Learn more about me at my homepage at www.alissaknight.com, LinkedIn, listen to my weekly podcast episodes, or follow me on Twitter @alissaknight.
I am the Group CEO of Brier & Thorn and heads up its Connected Car Division where my team and I perform penetration testing and risk assessments of cyber-physical vehicles (CPVs) from OEMs in the United States, Europe, and Asia. As a recognized thought leader in the new Internet of Everything economy, specifically telematics and infotainment systems, I can be found speaking at security conferences in North America and EMEA, vlogging, blogging, and writing contributed articles on the idiosyncratic cybersecurity issues affecting IoT that matter most. Learn more about me at my homepage at www.alissaknight.com, LinkedIn, listen to my weekly podcast episodes, or follow me on Twitter @alissaknight.