We had the privilege of interviewing Ed Skoudis on his journey into cybersecurity, and the importance of curiosity as a cybersecurity professional. Ed is a recognized expert in penetration testing and incident response. With over twenty years of teaching experience with SANS and running his own cyber security consulting company, Couther Hack, Ed is respected internationally for his skill and expertise.
First, what was your journey into cybersecurity?
My whole life revolves around curiosity…wanting to take something apart, see inside, or explore.
As a child, I took toys apart, and in high school, I explored CompuServe (an online service provider popular through the mid-90s). In my undergraduate studies, my friends and I reverse engineered elevators. “If the elevator doesn’t have a ‘door close’ button, how can you make it close faster?” we wondered.
We spent hours on that question. We noticed that if we jumped up once and pushed a button, the doors would close faster. If we jumped up twice and pushed the button they would close faster still. When we jumped three times and pushed a button, they closed as fast as they would ever close. Four times had no change from three times in case you were wondering.
In graduate school at Carnegie Mellon University, other friends and I explored the Carnegie Mellon network and its connected internet. We found flaws and vulnerabilities in both the corporate environment and the university network. Of course, we responsibly disclosed them to the university, but that became the turning point. We were exploring; curious about how this network was put together and how the software performed on it. It was my first experience in what I’ll call ethical hacking. Up until that point, my hacking attempts could be classified as just playing around. This was much more systematic. Years later, I became a professional penetration tester.
Penetration testing is best when done at that edge: where you see a sign that says, “don’t push this button.” It can be done in a rote way, using a procedure and looking systematically for vulnerabilities, but that’s just a small part of how to do penetration testing right. It’s important to have a procedure, but as a penetration tester, you push the forbidden button out of curiosity (but always with explicit written permission).
When done well, penetration testing is inherently fueled by curiosity, but curiosity certainly isn’t limited to this field. If you look at threat hunting or digital forensics, everything is about trying to see beyond the surface. Insatiable curiosity makes the best cybersecurity professionals.
Can curiosity be nurtured, developed further, or stifled?
I think there is a nugget of it that is innate. Some people are inherently more curious than others. That being said, I think you can develop it in yourself and in others by encouraging it.
In closing, would you say that there is something important about surrounding yourself with cyber professionals that are curious? Is there a collaborative and communal aspect to curiosity?
Yes. It will encourage you and help you go further and farther in a couple of different ways. Curiosity itself is infectious. But also, while you can be curious about something, the answer might be too complex for a single person so a whole team can help you make discoveries. Finally, it’s more fun to work together to come up with the “how” and the “why”. Remember the elevator example—there were three of us working together. We took over one of the elevators and spent hours studying how it worked. To this day, when nobody’s looking, I will jump up and down three times in each elevator to get those doors closed faster. So, if you ever go in an elevator with me and you notice me starting to jump before the doors close, I’m just being curious.
