In this interview we talked with one of our instructors, Sean Oriyano, whose Linux System Hardening was published recently. Sean is an experienced information security professionals with years of experience under his belt, and had some interesting things to say. Enjoy!
[Hakin9 Magazine]: Hello Sean! How are you doing? Could you introduce yourself briefly to those of our readers who don’t already know you?
[Sean-Philip Oriyano]: Thanks, I’m doing great. Writing about yourself is always tough (at least for me), but I’ll try my best.
I have been in the infosec and technology industry professionally since 1990, but I started tinkering with technology much earlier in my life. Over the years I have instructed, consulted, and worked with many different people and many different industries, which has given me a unique and diverse perspective on things. In addition to my professional/civilian life, I am also a member of the State Guard where I used to work in the area of Cyberwarfare/Cybersecurity before leaving due to a lack of any advancement opportunities in my military career (no promotion opportunities) and other reasons I won’t get into here. I’ve since moved into a non-cyber area in the military for the balance of my time before I retire. I still use my cyber skills in my civilian work all the time.
Outside of these parts of my life I am an avid runner of obstacle races (ran 25 of them over 4 years), pilot, paint, and I volunteer some of my spare time working with Jr High and High School age students teaching STEM related topics as well as cybersecurity. I’m also planning on going back to school to get a degree in Astronomy/Astrophysics as it is a field that has always excited me so I’m doing that for fun.
This sounded like a dating profile you find on a website (or is that just me?).
[H9]: Well, from where we stand the field is just figuring out how to deal with this kind of stuff, like self-promotion - when you have to sum up your skills or bio, most people find themselves at a loss. Yours is fine! However, I feel we need to ask on behalf of all our readers - is your day 24 hours like the rest of us? Any time management tips you would like to share?
[SPO]: I get that question a lot, especially from colleagues and friends who joke about me never sleeping. I have found that if I am diligent about setting reminders and schedules for myself I am able to do a lot. However, I would also say that I try to make sure that I take a day or two off each week to let my brain do something else. I love this field, but it’s important for all of us to step away now and then so we can relax (which makes us more productive anyway).
[H9]: You’ve just published a “Linux system hardening” course with us. What’s your favorite Linux distribution to secure?
[SPO]: I don’t really have a favorite distro, to tell you the truth, as I try not to get too attached to things like this. One of my core philosophies is to focus on concepts, architectures, and reasons why a system was designed a certain way prior to securing it. This has helped me adapt more readily to different environments and different distros of Linux or anything else.
As far as favorite Linux distros go, I would say Debian and some Debian-based distros.
[H9]: What’s the most useful tool anyone hardening Linux should know inside and out, in your opinion?
[SPO]: I think the most important tool or concept that someone should keep in mind when hardening any system is to first ask „What is the system going to be used for?” for example a Web or File Server. With an understanding of what the system is intended to do, anything that doesn’t support this goal can be uninstalled or configured to be more secure. All the tools in the world won’t help you if you don’t do this assessment first.
[H9]: You have a few books published, all about cybersecurity, of course. Was it challenging to write them?
[SPO]: At this point, I have written about 20 books along with various white papers and training courses. Of the books, the biggest challenge is organizing and laying out a logical structure for the reader that makes sense and is easy to follow. Once that is in place the biggest issue becomes sitting down to write. I’m a slow typist so that was a big challenge until I started using voice transcription software so I can just speak and have it written out. However, if I was going to pick out the biggest challenge, it would be the dreaded Writer’s Block that pops up now and then.
[H9]: Do you think, in general, that writing is an overlooked skill in cybersecurity? What happens more often, finding a piece that’s really well-written, or one that would improve greatly with even a basic writing skill applied?
[SPO]: Writing is definitely a neglected skill across the board in society, but technical writing can be a much bigger challenge. Being able to understand a concept and documenting that same concept so another can understand and contextualize it are two different things entirely. As far as finding a well-written piece and one that can be improved with the proper attention to basic writing skill I would say the latter for sure. I see far too many articles that leave details out or make assumptions about who is reading it. I try never to assume that the reader will always have a specific level of knowledge in their head when they pick up something of mine to read. I try to put things in the proper context with some background to setup a piece or concept. It may be easier to leave things like this out or assume someone would know it, but playing it safe and giving even a brief description to setup things is best. I would also add that many of the things that a technical writer leaves out are items like a step or two here and there that makes a piece hard to follow. This can be alleviated by getting a friend or colleague to read the piece before publication. I think it is also worth adding that the overuse of acronyms, buzzwords and abbreviations are also a problem that pops up often.
[H9]: Is there any topic you’ve written about that you constantly see talked about incorrectly online?
[SPO]: I don’t think I could narrow it down to just one. This is also why anyone in this field or trying to learn more needs to be mindful of where they are getting their information as well as ensuring they are verifying things before they use them.
[H9]: What’s a mistake that you can’t believe people are still making when it comes to Linux security?
[SPO]: Assuming that Linux is secure for no other reason than it is Linux.
[H9]: What’s the most important skill to have when starting a career in cybersecurity?
[SPO]: In my opinion, the most important skill to have is a desire to keep learning and pushing yourself to stay current. Just having pieces of paper and a job in the industry doesn’t make anyone an expert.
Another one is experience in IT before jumping into cybersecurity. I have encountered many people in the industry that moved directly into the field without any experience supporting, configuring, and dealing with the issues of IT on its own. I believe even a couple years of experience in IT prior to getting into cybersecurity is invaluable as it gives you context and foundation. In fact, I have run into people (in the military, for example) that have no experience at all in the field being put in leadership positions that can „Speak” the language, but have no idea or context. Don’t be one of these people! We don’t need more CISOs, Generals, and others who have no background and instead have a loud voice that says nothing useful. Good news is that I see this changing.
[H9]: In your opinion, what’s the most challenging thing to get right when hardening systems?
[SPO]: Understanding the role of how a system is to be used prior to hardening it. Context is important.
[H9]: Do you think people miss that because they don’t know how to apply the context, or are to busy (or lazy) to bother?
[SPO]: I would think it is more the former rather than the latter. There are still plenty of those that believe there is a simple template that can be applied the same way each and every time, but that’s simply not the case. Some things, like patching and upgrading, are common, but knowing which services to turn off or logging to enable is largely dependent on how a given system is to be used.
[H9]: You have not only published a course with us, but you actually have a long and successful history of providing training to a wide audience. Who’s the best to teach?
[SPO]: Believe it or not some of my favorite people to teach are teenagers who are very interested in this field. I love the energy, curiosity, and the original ideas they have. It’s safe to say that I have learned from them as much as they have learned from me. I also enjoy teaching anyone who genuinely wants to learn and get better. I have always said „I don’t care who you are and what you know. If you want to learn and become better in this field I will do whatever I can to help you accomplish that goal.”
[H9]: Do you have a topic that, even after all this time, you still find yourself stressed about when instructing?
[SPO]: For me the most stressful part of teaching is always that first day and meeting your students for the first time. You never know who you are going to be spending the next few days with. Ever been sitting in your seat when a plane is still boarding wondering if that open seat next to you is going to be empty, have a screaming kid in it, have someone with a cold, or someone that knows how to play well with others in it? The feeling is kind of like that.
[H9]: Do you have any advice for people who are just getting into cybersecurity?
[SPO]: I know it’s cliche, but never stop learning. Read new things, look for new information, try new technologies, get your hands dirty. The other piece of advice I have is to always question the rules and the norms. Just because something has „Always been done” a certain way doesn’t mean it should stay that way. Learn how to adapt and try new things. As Bruce Lee once said „Become like water my friend.”