My Path to Security - How Tom Wilhelm Got Into Security

How did our consultants end up here? This ongoing series looks at the stories behind our Foxes and their specific career trajectories. (Learn more about Bishop Fox careers at our careers page).

Meet Tom Wilhelm, Practice;Director at Bishop Fox

Tom has always had an interest in security - ever since that fateful day when his friend hacked into his personal email account. Once he’d experienced firsthand how easily vulnerabilities can be exploited, Tom started gravitating towards IT and security-related roles, eventually becoming a successful system administrator. It wasn’t long before his security expertise quickly attracted the attention of the head of penetration testing at his company, and Tom officially moved into his first offensive security role. Since those beginnings, Tom has held a variety of InfoSec roles, and over the years has become an industry expert, presenting across the United States at major security conferences and authoring several books.

In this interview, he discusses the understated importance of communication, how success in InfoSec often requires choosing a focus, and the inherent contradictions contained within “100% security.”

What originally drew you to security?

Sometime in the late `80s, I remember getting into a conversation with a friend who introduced me to the Bulletin Board System (BBS) world. At one point, I said the system was secure and he argued that it wasn’t. To prove his point, he ended up sending me an email from my FidoNet account. It blew me away – the concept of breaking into someone else’s account was just fascinating to me. At that point, it really clicked that you can’t inherently trust what others are developing.

How did you get your first job in the industry?

When I was in the Army, I served for eight years as a signals intelligence analyst, Russian linguist, and cryptanalyst. After the Army, I worked as a Systems Administrator, with more of my work being on the defensive side. However, knowing that systems were comprisable and wanting the chance to prove this gave me a unique security-focused perspective.

At one point, I was doing policy exception work and was on an internal conference call trying to get approval for security modifications. The head of the pen testing group happened to be on the call, too. During that conversation, I started asking questions about testing and requesting reports of completed scans. When the head of the pen testing group recognized that I had a strong red teaming perspective, we started a conversation and I was eventually offered a spot on his team. I was still very interested in the defensive/security architecture side, but when this opportunity came up – I jumped at it.

Where would you like to be 5-10 years (career wise)?

While I love what I’m doing now, I’d love to get more back into teaching and writing. I was an Associate Professor at Colorado Technical University and really enjoyed teaching.

What was one unexpected challenge you have encountered?

It’s not necessarily unexpected, but for me a challenge is how important communication is, both oral and written. Hollywood promotes this idea that hacking is all fun and glorious, and while it can be, when it comes to doing it professionally, it boils down to communicating with customers. Customers need actionable results. The ability to communicate this effectively is a critical component that most people don’t understand. You must be able to document findings and provide tangible advice/information.

What advice would you give to someone wanting to break in and/or advance in security?

Become a guru in one area. To me, there are three areas that most successful people in the security space come from – system administration, networking, and programming. Almost everyone has exposure to these areas but to excel at security, you should become a guru in at least one of these.

What is the greatest resource you have found?

I think one of the most untapped resources out there is the Internet Engineering Task Force’s (IETF) RFCs. They are supported by IEEE and basically say what standards there should be and provide guidelines on how to write them. When communicating with customers, if we don’t know what the current standards are or the best practices around them, then we are not giving our customers the best advice. If we stay on top of the current RFCs and changing protocols, we can better recommend change and improve communication with customers. I’m not saying they are the most interesting things to read, but they are essential.

What’s the biggest misconception in security?

I think the biggest misconception is that we can stay ahead (or even on par) with hackers or malicious attackers. A lot of people I’ve worked with think that what they are doing will 100 percent prevent attacks on their network. In security though, there is no 100 percent.

With enough time and resources, anything can be hacked. If you have a persistent threat, you almost certainly will be compromised. I’ve never seen a pen test where they didn’t find at least one way to compromise a system. The amount of time and resources that attackers have far outweigh the resources that an organization has to defend themselves. Organizations will always be at a disadvantage and everything will always be a tradeoff. I try to educate companies that there is no such thing as “We are secure.”

I don’t say this to be negative, but to remind companies that you are never at a point where you can stop. We must always be continuously improving and stay diligent. Your customers and your employees rely on you, and we must always be trying to better understand how hackers are adjusting.

What is your current security obsession?

Right now, my security obsession is detection evasion. The biggest goal of most protection agents is to detect attacks. I want to compromise a network without anyone ever knowing I was there. Also, anything related to network attacks, protocols, protecting systems, firewalls, etc. Some people love web or applications, I’ve always loved networks. If you break into their network, the entire infrastructure is yours.

Tell me one interesting fact about yourself.

I was a guest star on “Extreme Home Makeover” with David Duchovny in 2002. A couple years beforehand, I anonymously donated bone marrow to a young mother who needed a transplant. After recovering from leukemia, her house caught on fire, and she ultimately was given her dream house as part of the show. I appeared as a special guest and met her for the first time during the filming of the TV show. After the episode aired, over 10,000 people signed up for Be the Match, even though there was no advertisement for the organization. I’ve since volunteered with Be the Match for years, sharing my story and running an event to support donations at DEF CON every year.