An ongoing look at why and how our Foxes started their career in security. This is the third installment of the series.
Name: Matt Frost
Position: Security Associate
Proud Fox since October 2016
Hacker since 2009 (professionally) but (really) since 1998
Meet Matt Frost, a Senior Penetration Tester at Bishop Fox
“I didn’t find security, security found me,” isn’t an actual Matt Frost quote, but it’s the perfect cliché statement to sum up Matt’s path to security. He was a natural hacker whose passion for security truly shines through as he talks about his career.
What originally drew you to security?
Around the seventh grade, my performance in school started to suffer. I didn’t feel really challenged and was bored with what we were learning. Around this time, my family bought our first computer. It didn’t interest me at first, but I soon found myself spending every night on AOL and that sparked an interest in programming, learning C++, and Visual Basic. I carried around my C++ book everywhere. I discovered “progz” that allowed you to flood chat rooms and mail bomb people. These were dream toys to me at that age. I discovered backdoors and trojans and the thrill of taking over a friend’s computer and opening their CD tray repeatedly just to mess with them.
In the eighth grade, I convinced my mom to let me build my own computer where I ran Linux and started really delving into the hacker community. I realized AOL was old school and became a frequent member of the #2600 channel on IRC. I discovered buffer overflows and advanced learning about actual exploit writing. This is what I first saw as real hacking and I became obsessed, learning everything that I could. Back then, hacking wasn't a career, but I was determined to keep learning and see what would happen.
How did you get your first job in the industry?
After high school, I sold everything that I thought was mine except my computer and decided to go to England. I began attending local hacker meetups and meeting likeminded people. One person I met asked me to accompany them to the Chaos Communications Congress in Berlin. We lived in a van and made our way across Europe and it turned out my new travel companion had just landed a job in security with a startup – it was a major moment that gave me hope that I could find a real career in security.
When I returned home from Europe, I started school and began working at a job in technology. A few years later, I happened across a job posting for a pentester in Nashville and immediately applied. It turned out that the person who interviewed me for this position was the same person who hired the friend I went to Berlin with. Our mutual connection and my passion for hacking helped me land my first job in security.
Tell me about one career highlight.
I’d love to speak to a real career highlight, but as I’ve been trained, “I cannot speak to this question as it would be a conflict of interest.”
One of my favorite memories though was doing a war-dialing exercise against a UK-based clothing company around 2010. It wasn’t even traditional hacking, but it was at the start of my career in security and something I never thought I’d be doing. We were dialing afterhours, and you could hear security guards becoming progressively angrier and fighting with each other after each dial.
Where would you like to be in the next 5-10 years (career wise)?
Honestly, I’m exactly where I’d like to be right now. If you would have asked me 10 years ago where I’d like to be, I would never have imagined I could have found this type of position. It’s my dream job. I’ve worked for many companies where you are quickly pigeonholed into doing one thing repeatedly. At Bishop Fox, they value and promote creative work, and encourage you to learn new things and work on diverse projects. This really is the pinnacle of my career.
Over the next five years, I’d like to continue taking on more responsibility, I’d like to do more mentoring and expand personal research and passion projects.
What was one unexcepted challenge you have encountered?
There really isn’t one thing – but overall, I’ve learned to always expect the unexpected. Security is changing all the time. Ten years ago, it was possible to read everything available on the internet about hacking. Today? New information is added every day and new techniques are found all the time. You must be willing to adapt; every job, every application, and every network is different.
What advice would you give to someone wanting to break in and/or advance in security?
But also, security is one of the few professions where your education and who you know are actually not the most important factors. There are so many ways that you can demonstrate your skills publicly from bug bounty programs, blogs, open-source projects, etc.
You will never be successful in the security space without a passion and a desire to constantly learn. When I interview candidates, this is the biggest thing for me. You just can’t say you love learning new things and want to be challenged, you need to demonstrate how. How are you involved in the hacker community? What blogs do you read? What presentation really stayed with you? What is the most recent hack you read about? If you can’t answer these questions, you probably aren’t the best fit. One other note: No one knows everything about everything. Be willing to say when you don’t know something.
What is the greatest resource you have found?
Reddit is an excellent source for everyone in the security space. It’s a great place to keep up with what is going on and to network.
Another great source of information I recommend are public bug bounty programs. These programs give you insights into real attacks and real issues.
What’s the biggest misconception in security?
That client-driven and mandated assessments are enough – that compliance standards hold companies to a decent level of security. Real world hackers are going to find the path of least resistance, and it’s not likely going to be through a server that is regularly tested and held to compliance standards.
In terms of a career in security, the biggest misconception is that you must know someone to get a job. This industry needs more brilliant minds. If you have a passion for security and do the work, you can find a job.
What is your current security obsession?
Out-of-band or side channel attacks are all the rage for me right now. It’s an area I find that hardly anyone knows anything about it – but it’s important and fascinating.
Tell me one interesting fact about yourself.
I love hunting and fishing, but I am terrified of spiders. I’ll literally leap out of a tree to get away from one.