Kevin Chung

March 9, 2016

Welcome to Season 2 and Episode 19 of the Building a Life and Career in Security Podcast.

Today’s guest is Kevin Chung.

Kevin graduated from NYU with a focus on information security, and became a consultant with Bishop Fox in New York City. In between, he did 3 internships, and many Capture The Flags, or CTFs.

Links Mentioned In This Episode:

Kevin Chung: “Whenever I helped younger students, I tell them that the most important thing is to have an idea, and to simply keep building on that idea or keep iterating on it. It’s more important that you keep building that idea, or keep building that tool. Then, you keep reading about different ideas, or different approaches. “ Speaker 3: “From the studio, this is the Building a Life in Career in Security Podcast. Now, your host, Jay Schulman. “ Jay Schulman: “Hey, it’s Jay. Welcome to season 2 of the Building a Life in Career in Security Podcast, the podcast where you get to hear other information security professionals’ career journey. Last week, in episode 17, Dan [Lion 00 = 00 = 42]. Dan started his career as a medical device engineer, and transitioned into a security role, and eventually to a security consultant. If you’re into medical device security, and you definitely should be, you should definitely give this a listen. If you’d like to keep up to date with the podcast text “Security” to 33444 to be added to the podcast mailing list. “ “This week on the podcast, we have Kevin Chung. Kevin graduated from NYU with a focus on information security, and became a consultant with Bishop Fox in New York City. In between, he did 3 internships, and many Capture The Flags, or CTFs. Here is Kevin’s journey. “ Kevin Chung: “Really, my story starts at high school whereas, like a lot of kids were doing things like math and science, I spend a lot of time playing around with my computer, as a lot of computer people tend to do when they’re young. I didn’t learn how to program until I was a junior. I guess the term would be computer literate, then you have things plugged in, and have things work, I guess. I didn’t know how to program. I had finished high school with the intention that I was going to become a developer. I was going to go to school. I was going to know how to program and build whatever you need, like a website, some kind of company, or whatever. “ “During high school I have competed in a competition run by [Poly 00 = 01 = 52] called CSAW high school Forensics. For those who don’t know what CSAW is, it stands for Cyber Security Awareness Week, which is an event that NYU Poly does, or NYU [Tandon 00 = 02 = 02] as they’re renamed now, does every year. High school forensics competition was oriented to high schoolers. It set them up with a computer crime. You had to solve in this case a murder by forensically analyzing an image of the murderous computer, or the suspect’s computer. Me and a couple of friends participated. We won it. I ended up applying to Poly. I got in. They gave me the most money. I ended up going there. “ “Going to this school, I didn’t expect that I was going to be involved with computer security, although that was like one of the biggest things at Poly, and still is. I ended up going to their security lab there, which is it’s kind of unfortunately named because of the acronym is ISIS. It stands for Information System’s Internet Security. I think we renamed it now to something else. At that time, it was called the ISIS lab, very unfortunate. Instead of really prioritizing learning how to program, how to develop and how to create things, I started going to the security lab more often. I learned, on top of how to develop things, I learned the security concepts behind development, which I think is something that’s critical that’s lost on both sides of the coin. A lot of development is purely about using other people’s frameworks, using other people’s libraries. A lot of security concepts forget about the work and the time that goes into creating something. That’s like a side point. “ “As I learned more stuff while at the ISIS lab, the lab, I started getting more involved. I started running something there called CSAW CTF, which is the Capture The Flag competition that NYU Tandon runs. Through CSAW CTF, I started getting connections. I learned all sorts of different things. Because I was a CTF player myself, I learned about how to run them, and also how to play them. “ “Playing in CTF tends to gives you a very holistic view on the security world, because you poke a way to all sorts of different things. I had a pretty diverse internship life when I was at college. When I was, I think, a sophomore in college, I interned for Gotham Digital Science, which is a consultancy based out of New York City. That showed me a little bit about how security consultants do go about their lives, and how, let’s say, financials or let’s say, larger companies, handle security, and how they offload security to consultants very often. I did that for, I think, close to 8 months. Then, I was doing it during school, after the summer, and stuff like that. “ “Then, I’d interned for a defense contractor called Reythoen [Asay 00 = 04 = 36], which was pretty heavily involved in their own CTF, called Ghost Michelle code. That showed me a little bit more about how government approaches, I don’t want to say security, but for projects in general, because not all of it was security oriented. It was more about how, I guess, defense contractors approach projects, and what it’s like to work in a place that requires clearance, requires a sense of secrecy about your life. In general, my whole tactic here while doing internships was to gain a little bit of perspective about each portion of the security industry, right? Consultancy, defense contractor, and then, eventually on a security team. “ “My next internship was at [Etsy 00 = 05 = 20] where I was a part of their security team. I learned a lot about how, I guess, security works its scale, and how different teams approach different problems. Also, how … Well, Etsy is very specific, in that they cultivate a very specific culture at the company. The teams work very well together. I guess, they also had heard, or maybe had seen horror stories about how security teams work at other companies. It’s much less cohesive. The most important thing that I took away from Etsy was their deployment process of pushing to prod. They’re constantly iterating on their code, and constantly iterating on the website itself. With that, there are certain challenges to security, right? With the code base, it’s constantly changing. How do you make sure that everything is security, or not like, leaving some holes somewhere. “ “After Etsy, I went back to school, finished everything up. I graduated. I now work as a security analyst, so consulting again, with Bishop [Fox 00 = 06 = 24]. I’m still pretty heavily involved in the school. I still go back and, I guess, advise the security lab there on things to do, things that they could be doing better. I think one of the things that makes my life a little interesting is that probably that I still maintain my school connections. It’s really important that the industry gives back to, I guess, not necessarily where they came from, but the places where they learned things. I would say, if you’re a CTF player who plays by themselves, it’s important that you write blog posts and write ups on your challenges. If you’re a consultant that learned things from the school, you should go back to your school and give talks and help educate the, I guess, younglings, the students about the things that you did. The whole purpose of this podcast, really, would be something that’s really important for the security industry, and I think industry in general of computers. “ Jay Schulman: “Very cool. I agree 100%. One of the really interesting things is making sure that the educational part matches what we end up doing in real life. I think, having you being in the work force and going back to school to advise, I think, is a great idea. It keeps it much more relevant. While you’re in school, you did a ton of CTF’s, you did this forensic challenge, how was that as a learning experience? Would you recommend that people go out and do a lot of these CTF’s or challenges? Is that a great way to learn some of the techniques that you use today at Bishop Fox? “ Kevin Chung: “It’s great. I think the most important part is just pure exposure. Like, it’s harder to stop a moving object, right? As long as you’re poking away at different ideas, you’ll learn something. Since CTF’s exposed you to so many different concepts, you’ll learn a lot faster than if you weren’t, right? Whereas, in a class, you kind of just get shown these X,Y and Z set of topics. That’s all you learn. With the CTF, you have multiple [inaudible 00 = 08 = 27]. While you’re learning one thing, you, let’s say, determine that it’s not feasible. It doesn’t work. Then, you try a different approach, different approach, and so on and so forth until you find something that works. All while you’ve been trying 10 different things, you’ve learn 10 different things. While one of those may not work here, it could work elsewhere. “ Jay Schulman: “It sounds like, I’m taking a guess, that you ended up with a Reythoen internship directly by doing CTFs? Do you think that played a part in Gotham and Esty and even Bishop Fox? Was that part of how that networking aspect how you got in there? “ Kevin Chung: “Yeah. In some sense yes, because the security industry is very tight-knit. It’s very small. A lot of people, especially in New York City, a lot of people know each other. By playing CTFs and by, let’s say, running CSAW, you gain a network. Because the security network is so small, and you really can just go to one conference, and all of the sudden, let’s say, you’ve met, let’s say 50 or 60% of the people in the security industry right off the bat. People tell you all the time, networking is super important, right? I guess you could say it’s CTF related. I think a lot of it more would just be that security industry’s so small. Then, you talk to one person, and that person is, let’s say, working for a company. They’re looking for interns. Boom. “ Jay Schulman: “Fair enough. You interned at Gotham, on the consulting side. You interned at Reythoen, on the government side. You interned at Etsy on the corporate side. You’re graduating. You’re looking for that first full time gig. Talk to me why you end up going consulting, especially given the fact that you’ve gotten a lot of experience in just about every aspect that you could have from a security perspective. “ Kevin Chung: “Consulting is kind of like … It’s one of those things where you’re trying all sorts of different approaches, and learning all those approaches and figuring out what works. Even though I felt like I had seen a whole lot of the industry, it’s still small. Etsy’s very unique in their approach to lots of different things. They’re super open. What about a financial corporation that is not necessarily willing to give you all of their, not code … Let’s say they don’t push the prod so often. Instead, their code bases are slow, and very static. How do they approach security? How do companies that have never even heard of approach security? How do all sorts of different things do things differently? Consulting is the only place that will give you that diversity in, I guess, approach, because you switch projects so often. “ “I think it’s really important that before you start to defend things, you approach things from an attacker’s perspective, so you end up knowing … Well, let’s say I’ve seen this approach done here. I can replicate it here. I’ve seen something similar done elsewhere. I can modify that and use it over here. Instead of saying I’ll take what I already know, or not what I already know, but what I’ve see before in my limited scope, and just applying it somewhere else, I thought that it would be more interesting to see about how everyone does it. “ Jay Schulman: “Perfect. I have this theory, and we’ll see if I’m right. Going all the way back to high school, when you were playing on the computer, did you build your own PC? Were you tinkering? Were you pulling things apart? “ Kevin Chung: “I think I pulled everything. Yeah. That’s like a given. I think that’s like a prerequisite to doing anything in the security world. There’s someone, they’re always tinkering, pulling stuff apart. I did not build my own computer. I had a laptop. I think, yeah, I upgraded it with RAM. I had like 4 operating systems running at the same time, not just like a standard build-boot. It was just craziness. During high school, I did have a reputation of tinkering with stuff and pulling things apart. Like, I pulled apart my game consuls and reassembled them, and would fix them and model them and stuff. I would say it’s really important that a high schooler plays around with their computer and their electronics. I wouldn’t say it’s like the most important thing. I guess it’s … “ Jay Schulman: “Yeah. Not at all. It’s just interesting. “ Kevin Chung: “Yeah. “ Jay Schulman: “When … I’m old here. I’ll date myself and say, the program that you went through at NYU just didn’t exist when I was looking at schools. You learned a lot of the principles today by breaking stuff. Doing it at home. I’m curious. It’s very interesting that you started off the exact same way, even though a lot of it, you could have learned in school and certainly today. How do you think, how did school prepare you for your job at Bishop Fox? “ Kevin Chung: “I think that’s really the tricky question because I’m not even sure if it did. It’s just kind of maybe like a pessimistic outlook on school. I learned a lot more security concepts by playing around on my own, than I did from school itself. Classes give you the intro. Security is more about, I would say, tricks and fine details, which are not necessarily covered in school. In a web development class, they’ll cover Java Script. They won’t cover XSS. They’ll cover [SQL queries 00 = 13 = 55],but they won’t cover SQL injection, or if anything, it will be a very small piece of it. In the security field specifically, I think it’s really important that you do things on your own versus being taught in a school. Schools can introduce you to the concept. To really understand, and to really get it, you have to play with it on your own. “ Jay Schulman: “Great opportunity to ask you a philosophical question. One of the problems, I think, in higher education today as it relatesto development, is exactly what you said, when they teach Java Script, they’re not teaching how people have used Java Script. They’re teaching Java on and on and on. They’re not teaching you, I don’t know if you want to call it good security programming tips. They’re not coaching you about parametarized queries when you make SQL queries. Do you think there’s a place, since you’re fairly fresh out of college, do you think there’s a place to teach that? Does it make sense to incorporate that into the class, or it’s just the nature of the beast that these types of principles aren’t being taught? “ Kevin Chung: “I feel like it’s tricky, because you do learn a lot more if you’re taught this kind of … Let’s say, we’ll take the example in SQL. You learn a lot more if you just, let’s say, write the raw queries, and execute them. You get a low level of understanding of how SQL works, not that low, but a good understanding. If you take that same approach, and say, from now on, everyone just use parameterized queries, you forget the whole concept of the queries themselves. A lot of teachers are constrained by time. They’re constrained by time and the skill of their students. If you’re taking a class in school of, let’s say, everyone that’s played with computers. Like, they’ve all played with computers, and they all know how to program. All of the sudden, yeah, we can obscure … You can learn SQL on your own time. Boom. You can learn parameterized queries. You can learn about all sorts of different things, because these students will adsorb things so quickly. “ “If you have a student, and they’ve never written a line of PHB code, or they’ve never written a SQL query in their life, the teacher has to step them up and scale them to the point where they can confidently create a database. They can insert things. They can update things. They can do all that magic with SQL, before they can move on to concepts like parameterized queries, because there’s no foundation for them to teach upon, right? It happens to be the case of college that most of your students fall into that latter category, where they just don’t know everything. They haven’t been taught, or they haven’t been exposed to enough where you can teach them … I mean, it’s not really an advanced topic, right? More intermediate topics, because there’s no foundation with which to teach from. “ Jay Schulman: “I really like how you framed it up where if you talk parameterized queries too early on, you as a student aren’t going to get the depth, or the experience you need to really understand SQL, which also helps me frame up the idea that if you were to require everybody to take a security class, so to speak, that you probably want to do it fairly late in the curriculum so that you really do get to absorb so much of the learning before you actually correct your learning by doing it the right way. “ Kevin Chung: “Right. “ Jay Schulman: “I appreciate that thing. We ask everybody 2 standard questions. We’ll do the same here. Is there a time that you really were agonizing about a decision, but ultimately, it went the right way for you? “ Kevin Chung: “I would say the whole concept of going to college. When I was in high school … Even today, all sorts of students are like, “I can just go drop out and make an amazing start up, or just have some product, or just go start working immediately.” That’s totally true. You can totally do that if you’re fairly well versed with let’s say, computers. I felt similarly, maybe because of this whole anti-education meta game that’s going on in the world right now. My parents really pressured me to go to school. I was like, “Okay. You know what? You know maybe it’s not that bad. Let’s try it out. I ended up being in a pretty cool place where I learned lots of different things. I think I’m at a point in my life that would not have happened if I wasn’t involved in the security field, which never would have happened if I didn’t go to college. “ Jay Schulman: “That’s a great point of view, I think, that a lot of people talk about opportunities like [Corsera 00 = 18 = 28] and a whole bunch of other places that, on the internet so to speak, that you can get a lot of the education that you get in school. As you point out, you wouldn’t have gotten all the time in the not so appropriately named, ISIS lab. Just the community. It sounds like that community really boosted your opportunities. That’s a fantastic point. Everything that you’ve talked about today, everything has worked out fantastic, there have been absolutely no problems. I’m guessing that that isn’t entirely true. Is there a point in time that thinking back, you’d want to do it over differently, if you could today? “ Kevin Chung: “I’m from New York City, right? I’ve been here my entire life. I guess I’m, maybe a little jaded when I look at other places as the stereotype is for New Yorkers. When I applied to jobs, I restricted myself. I decided, I’m just going to stay in New York City for the rest of my life. I’m going to apply to places here in New York, or let’s say in San Francisco, because such the massive checks after there. I restricted myself pretty heavily when I was on the job hunt. What ended up happening is I feel like I restricted myself from a lot of opportunities that would have manifested themselves if I hadn’t restricted myself to New York city. Let’s say, maybe I had been more open to like say Texas, or maybe even going out of the country, or moving to let’s say the what is it, Marilyn. Yeah. Marilyn has a large defense sector. By restricting myself to a certain location, the location where I’m from, I guess it’s kind of like the safe play, versus a more risky play. Because of New York’s let’s say maybe not demographic, but businesses, it really restricts the kind of things that you’re supposed to, if that makes any sense. “ Jay Schulman: “I mean, it makes perfect sense. I’m sure your experience today from Gotham and Reytheon, and Bishop Fox is primarily in the service sector, because that’s what’s so strong and huge, not only in security, but in New York as well. Etsy is one of the rare dot coms, that kind of has a huge presence in New York, which was nice to you to get that alternative experience, as well. Thinking about your entire career, is there anything that we’ve missed that we haven’t talked about that you think would be really helpful to people either getting started or looking for a direction in security? “ Kevin Chung: “I think something that’s lost a lot is the value of just going ahead and doing something. Whenever I help younger students, I tell them that the most important thing is to have an idea, and to simply keep building on that idea, or keep iterating on it. In terms of computers, usually, it’s like it’s a website, or let’s say it’s a video game, or it’s some kind of tool. It’s more important that you keep building that idea, or keep building that tool, then you keep reading about different ideas, or different approaches. “ “I guess it goes back to that whole idea of it’s harder to stop a moving object. As long as a person keeps, I guess, say building things, they’re doing okay. It doesn’t really matter so much about the other things, like how much money I’m making in a year, something like that. The older you are, it matters more, but for younger people. “ Jay Schulman: “There’s definitely a value in learning and getting your hands dirty. I appreciate your advice [inaudible 00 = 22 = 12]. If people like what they’ve heard from you today, they want to reach out and get information for others, certainly, I’m sure it sounds like you’re an advocate for the NYU program, where can they find you? “ Kevin Chung: “You can reach me at Twitter, @KchungCO. “ Jay Schulman: “Perfect. Thanks for joining us today. “ Kevin Chung: “No problem. Bye. “ Jay Schulman: “Thanks, Kevin. Kevin really used his time at NYU to set him up for a good start to his information security career. If you’re just getting started, Kevin’s advice should be really helpful. Thank you for listening. If you’d like to keep up to date on the podcast, text “Security” to 33444 to be added to the podcast mailing list. All you’ll get is an email once a week letting you know what this week’s episode next week. Talk to you next week. Thanks. “ Speaker 3: “Thank you for listening to the Building a Life in Career in Security Podcast with Jay Schulman. For more information and to subscribe, go to “