I had a absolutely fabulous time chatting with fellow Chicagoan @HashtagLaToya (of shenomads.com) about information security careers, OPSEC, the Chicago security community, and the accuracy of the Mr. Robot TV show. I highly recommend checking out her outreach and education work!
Listen as Gary and Lesley discuss incident response, digital forensics, security engineering, security certifications, and more.
(In this presentation, penetration tester and “TSA Key Guy” Johnny Christmas and I discuss the problems inherent to the disconnect between the information security community and the public and media at large, and how to bridge the skills and stigmas gap between “us” and “them”.)
Chapter 7: Landing the Job
So, we’ve come this far in your infosec journey. You’ve studied hard, attended conferences, played a CTF or two, updated your resume, and networked a bit within the information security community. Great work!
Let’s prepare for your very first information security interview.
=== What to Say ===
There have been nigh infinite pieces written on the subject of interviewing, but I’d like to briefly share some basic interview skills that have really served me and my candidates well:
- Make sure spend at least 30 minutes researching the organization you will be interviewing at. What are their strategic goals or products? Where do they have offices? What’s their corporate culture like? Consider what interests you about their mission, and how you feel you could benefit them as a security professional.
- Always bring several printed copies of your resume and references to your interview, formatted the way you intended. HR systems will often remove formatting and line breaks before routing your resume to a hiring manager, and your copy may be more pleasant to read. You will also want a copy to reference, yourself.
- Bring note taking materials to your interview, and make sure you’ve written down a few relevant questions to ask your interviewers about the position and the organization.
- Arrive 15 minutes early for your interview, and be polite to everybody you meet. You never know if the person you make eye contact with and say “good morning” to in the hall will be interviewing you, later.
- Make eye contact, and pay attention during the interview. Most of us are introverts, and this can be a challenge. Make the effort to be personable and show that you are listening to your interviewers.
- Put your phone away and on silent. I shouldn’t have to say this.
- Answer questions honestly. Most of my colleagues and I would very much prefer, “I’m not sure”, to an evasive answer or an outright lie, particularly on technical questions. Often, knowing where you would look something up is an okay answer to a technical question. When we ask you questions about where you could improve, there should be a real response that verifies you are a human. Everybody has some area they can improve in, and we will never believe you’re utterly perfect.
- The initial interview is not normally the appropriate place to ask about compensation. Yes, infosec is an understaffed and in demand field. You have better chances than most at landing the job. No, your Masters in Information Security does not guarantee you the position immediately in lieu of a technical interview.
- Do talk about your (legal) infosec-related hobbies and activities! We want to hear about the security lab you built in your house, the book you read, the CTF that you participated in, or the security related talks and projects you’re participating in. They show you are an interested and involved candidate, and a good fit for our teams.
=== What to Know ===
The previous chapters in this blog series suggested ways to build your foundational skills in the key areas of networking, systems administration, and security, so I won’t dwell too much on the necessity of knowing the fundamentals of these things such as common ports and protocols, malware types, and operating system functionality in an entry level infosec interview. Suffice to say, this is where the free educational resources, formal training, and your home lab really come into play.
You should ensure, before going to an interview, that you are up to date on the basics of current threats and security news. What you learned at your university is almost certainly not current enough for most interviews. There are a lot of great resources that provide information on ongoing threat activity. For instance, I really like the exploit kit status dashboard at (ProofPoint) EmergingThreats. SANS ISC posts botnet and scanner activity from publicly submitted data, and Sophos posts a nice free malware dashboard that shows their overview of currently detected malware. Threat trackers, coupled with the blogs, news services, and educational resources we’ve previously discussed, should enable you to go to your interview ready to answer general questions about the top threats that are currently plaguing organizations.
=== What Not to Say ===
In May, I surveyed a broad swath of security professionals to share the statements they hear from interview candidates that are the most indicative that the person is inexperienced in professional information security work. I’d like to share a few of the most popular, and why they carry that connotation. Keep in mind, the selected statements by candidates aren’t necessarily technically wrong; they more often tend to oversimplify or ignore administrative and business-related problems in security. It would be wise to choose your words diplomatically before saying any of the following things:
“Antivirus is obsolete, and a waste of money! Get rid of it.”
We can’t all be Netflix, dramatic headlines or not. It’s true that antimalware programs have a lot of problems to contend with in the 2010s. Between a cat and mouse game with well-funded malware authors, and polymorphism and regular botnet updates, simply maintaining a library of static signatures is indeed not effective anymore. Most decent antivirus vendors recognize this, and have implemented new tactics like heuristic engines and HIPS functionality to catch new variants and unknown threats. Antivirus is one component of a solid ‘defense in depth’ solution. It has a reasonable potential to mitigate a percentage of things that slip past network IPS, firewalls, web filters, attachment sandboxes, and other enterprise security solutions.
“Why are you wasting money on $x commercial product? I can do the same thing with this open source project on GitHub”
We love the philosophy and price tag on open source projects, and it’s great that commercial vendors have open source competition that drives them to improve and enhance their products. This doesn’t mean that free tools are always a viable replacement for commercial tools in an enterprise environment. There are intangible things which usually come with the purchase of a good quality commercial security product: support, regular updates, scalability, certifications, and product warranties. Those intangible things can have a tangible cost for an enterprise implementing an open source product in their stead. For instance, the organization may have to hire a full time developer to maintain and tweak the tool to their needs and scale. They may also be solely legally liable if a vulnerability in free open source software is exploited in a breach – a risk many organizations’ legal teams will simply not accept.
“They deserved to get breached because they didn’t remove Java / Flash / USB functionality / Obsolete Software…”
Most organizations exist to provide a product or service, and that’s usually not “security”. As security professionals, we’re just one small part of our organizations and their mission, and we never function in a vacuum. Oversimplified assertions like this are a dead giveaway that a candidate is not used to compromising and negotiating inside a business environment. Yes, in an ideal security world, we would use hardened operating systems with limited administrative rights and no insecure applications. Few of us actually operate in that ideal world, and many of us work at an operational scale alone that renders this unfeasible. We do what we can; navigating the political risk management game where we must to provide the most secure environment we are capable of.
“Just block China/Russia/x… IPs.”
Once again, this indicates a candidate is thinking only as a security person (and a biased security person) and not as a member of a business. Unfortunately, it also shows a lack of technical knowledge, as many attackers use large, global networks of compromised hosts to launch attacks.
“Security Awareness is a waste of money. Users will always be stupid.”
This is an appalling lack of confidence in your own ‘team’. Yes, some end users will probably always click / ignore / fail to report. (Most security people will also click when properly socially engineered.) The point of security awareness is not to create a perfect environment where nobody ever clicks on a phishing message or ignores an alert window – if your management has made that their measure of success, they’re doing security wrong. The point of security awareness is to improve awareness of threats, encourage some employees to report potential threats so you can respond, and decrease day to day problems so you can focus on the more severe ones.
“[Fortune 100] should have already have gotten rid of $OS and gone to $OTHEROS, because it’s more secure / real security people use $OTHEROS.”
This is dogmatic elitism without real business or technical foundation. Any up-to-date operating system can have a valid use case in business and in security work. A good red team or blue team security professional should be able to secure, compromise, and use tools on OSX, Linux, and Windows effectively (and indeed, there are valuable tools unique to each). It’s okay to have an operating system preference and to intelligently discuss the merits of $OperatingSystem for your specific use case. Don’t assume everybody else’s use case is the same.
“Hack them back / have the attackers arrested…”
We all crave the movie ending where the black hat hackers get their comeuppance and are thrown in jail. Unfortunately, unless we work for a LEO, the military, or a huge global telco, we’re rarely likely to get it. “Hacking back” of any sort is usually wildly illegal (especially because attacks are almost always launched from compromised hosts that belong to law-abiding people). Arrests happen when time-consuming coordinated efforts between security firms, global law enforcement, and lawyers are successful. Even the terrifying financial spearphish to your CFO is likely to not be chased down by law enforcement for some time. When permitted, absolutely do share your threat intelligence with law enforcement and working groups to aid in these important efforts. Expect any response received will take significant time.
“Don’t you monitor every brute force attempt against your perimeter? I count the dictionary attacks against my honeypot every night!”
No, monitoring this would be a waste of time in most large organizations. Behavioral trends and specific sequences of events that could indicate a compromise are more valuable to monitor. Time is money.
Any statement beginning with, “Why don’t you just…?” or “It’s simple…”
It pretty much never is that simple, so don’t personally insult your interviewer by assuming it is
This concludes the InfoSec Career Megamix! I hope you’ve enjoyed this blog series and that it has been helpful to you in furthering your own security career. Many thanks to everybody who has commented on my blogs or provided input and suggestions. Please do check out the links to other peoples’ wonderful work on the subject which I have included throughout the blogs.
[You can find the previous chapters in this blog series here:
> Education & Certifications
> Fields and Niches
I do quite a bit of InfoSec résumé reviewing and critiquing, both personally and professionally, so I’m repeatedly asked for tips on common problems. In order to ensure that these problems were not exclusive to me, I recently had a lengthy discussion with a number of InfoSec professionals involved in hiring (thank you!). We discussed our “top 10” pet peeves when reading candidates’ résumés.
So without further ado, here is an illustrated example of some common problems we see on many résumés, and some suggestions about how to fix them.
(If these images are hard to view on your phone or at a specific resolution, you may click them to view them full screen.)
[You can find the previous chapters in this continuing blog series here:
Starting an InfoSec Career – The Megamix – Chapters 1-3
Starting an InfoSec Career – The Megamix – Chapters 4-5]
Chapter 6: Self-Study Options
In the previous chapters, I’ve discussed potential career paths, education and certification options, and the fundamental knowledge needed to become a successful InfoSec professional. Unfortunately, college degrees and certification courses aren’t financially or logistically an option for everyone, nor do they provide all of the skills and practical experience needed to become a desirable candidate for an entry level position. Without further ado, let’s delve into some options for improving InfoSec knowledge individually.
==== Home Labs ====
Building a home practice lab is an integral part of improving skill at any area of blue team or red team information security. Since most of us (hopefully) don’t want to break the law and get arrested while learning how to hack, conduct forensic investigations, or reverse engineer systems, we’re obliged to create our own self-contained network environments to practice and learn within. This will also improve network and systems administration skills, which as I noted in Chapter 1 are absolutely fundamental for being a well-rounded InfoSec professional.
A decade ago, a home lab looked significantly different. It almost certainly included multiple computers, and likely a network rack complete with switches, power supplies, KVM, and cabling. While this is still a great option, a rack of computer equipment is noisy, hot, and power consuming. Today, we have the tremendous luxury of virtualization. A single reasonably spec’ed ESXi host server can act as most of our practice environment. While we might still opt for some physical network hardware, we have virtualized network lab environments available for use, as well. I really prefer the virtualized option because as we exploit, infect, and otherwise destroy our hosts, we can simply revert them to an earlier snapshot and start over.
Regarding purchasing the physical equipment or host machine(s), we can get as creative as our budget requires. A great way to purchase server grade computer hardware is via federal and state government auctions. These auctions are fairly underutilized next to commercial sites like eBay, and can offer some great deals during regular equipment replacement schedules. Remember that local businesses, hospitals, and municipal services often replace their hardware and sell the older equipment for a fraction of the original price. For virtualization, we’ll want a decent server grade processor, a lot of memory, and enough disk space for all the operating systems we are interested in using to grow as expected. Everything else is fairly negotiable. Many folks buy a few old servers of the same model, pull all of the memory, NICs, and hard drives out, and put them into one chassis.
The hosts we install in our lab environment shall vary quite a bit based upon our area of interest and what we’re currently trying to accomplish. For instance, in my forensics lab, I selected SIFT and Windows 8 hosts which I use to conduct analysis, and an array of primarily client OSes which I conduct analysis upon. My network monitoring and incident response environment is very different, because network services, network IPS, and firewalls are in play in a more realistic network environment. A penetration testing environment will look different still. Before you purchase equipment or begin the lengthy process of building your lab, consider what you want to learn, and what hosts and services you will need to accomplish this goal.
I’m not going to delve much further into the technical details of building out a lab, as a lot of people have done great writing on this subject already. I recommend looking at Carlos Perez, Matt Barrett, and Adrian Crenshaw’s informative blogs.
==== Self-Study Materials ====
Every person has a different learning style. Some of us are more comfortable learning new skills by watching a video; others need hands on practice or reading materials to understand new concepts best. Fortunately, at this point people who wish to learn InfoSec skills have a plethora of freely available options to fit any learning styles.
For the Visual Learner:
Years of talks at information security conferences have been recorded and are freely available on YouTube. I’d avoid watching Joe from ACME computer shop explaining how to use Kali, but there are more hours of recorded talks on from reputable conferences than anyone will ever have time to watch. Archive.org hosts an immense number of conference talks. Adrian Crenshaw has recorded talks at conferences for years, and has a prolific archive of these videos on his channel. SecurityTube is also a great resource, (although some of their materials are paywalled by PenTester Academy, which may or may not be in your budget).
For the Auditory Learner:
Check out the amazing range of InfoSec podcasts available for free. There are so many more great podcasts than I could discuss in a blog of their own, but some highlights are PaulDotCom, Southern Fried Security Podcast, Security Now, ISC Stormcast, Defensive Security, Liquidmatrix, and Braeking Down.
For the Reading Learner:
There are two major resources you should investigate – textbooks, and blogs. This will, of course, vary quite a bit based your area of interest. My personal ‘essential reading list’ for Information Security professionals would include the following:
- Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition)
- Rtfm: Red Team Field Manual
- Hacking: The Art of Exploitation, 2nd Edition
- Windows Internals, Part 1 (6th Edition) (Developer Reference)
- Social Engineering: The Art of Human Hacking
- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
- The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and DeceiversThis covers a wide range of red and blue team fundamentals. However, DEF CON also provides a great reading list which branches out much further by interest and subject area.
There are an immense number of amazing security blogs out there, but a very short list of my favorites includes Dark Reading, Krebs on Security, McGrew Security, Graham Cluley, Naked Security, Lenny Zeltser, Troy Hunt, Andrew Hay, Threatpost, and Andy Ellis.
For the Kinesthetic Learner:
As we previously discussed, a home lab is a great option, followed by Capture the Flag exercises and Challenges, which I discuss in the next section.
==== Capture the Flag and Challenges ====
Once you feel ready to leave the safety of your own home lab and delve into another network, a great option is Capture the Flag events, and similar challenges. A large percentage of hacking conferences provide some kind of CTF event, which will pit your skills against challenges they’ve designed as well as other participants, in a structured, legal environment. The challenges usually vary from simple to extremely difficult, and points are awarded to participants as they find or reach ‘flags’ hidden in the challenges. Don’t be daunted; most CTF events are rarely restricted by skill level, and they’re a great way to test what you’ve learned. You’re competing against yourself as much as other teams or participants.
CTFs and challenges are not restricted to red team penetration testers. There are plenty of open and paid practice challenges in many areas available now, both in person and online. DFIR challenges test investigation and forensics skills, while malware challenges test participants’ ability to reverse and analyze malicious code. Check out the great list of online challenges at captf.com.
==== Conferences ====
There are no substitutes for in-person networking or training events. I strongly recommend attending InfoSec / hacking conferences, but I also encourage you to choose the right ones for you. Regrettably, the events with the biggest budgets often get the most hype. That does not translate to them being the best environments to learn in. Cost is often a factor that bears consideration, as well. Tickets to InfoSec conferences range from free (or nearly free) to thousands of dollars. Hotel and airfare costs vary by venue. All these factors should weigh into your decisions, but there’s a conference for everybody.
Hacking conference size and content vary a lot, but there are some commonalities. There are normally one or more tracks of speaker talks, selected by the organizers from outside call-for-paper submissions. Capture the Flag type events are fairly ubiquitous. It’s also not uncommon to see an option for longer, hands-on training classes for an additional fee. You’re likely to see some vendors, as well as hobbyist groups such as locksport organizations or makerspaces sharing their expertise. Evening parties sponsored by the conferences or vendors can provide an opportunity to network and have fun.
Let’s discuss a few popular conferences. A couple caveats. Firstly, I’m quite certain I am going to offend one conference or another by not listing them here – for this list I selected some better known representative examples and it is by no means comprehensive. Secondly, I’m based in the US, so my examples are primarily in North America. Hacking/InfoSec conferences are a global phenomenon, and the types of conferences I list have equivalents in Asia, Europe, Africa, and South America. Please feel free to ask me for assistance in finding ones in other locations as needed.
DEF CON – Las Vegas, NV, USA
One of the oldest, most famous, and largest hacking conventions in the world, DEF CON is held in August on the Las Vegas strip. The attendees are a mix of everybody from the most dubious black hats to corporate security professionals, from journalists to Generals, from researchers to federal agents. Events and talks run the full gambit in every sense of the word. The parties are wild and so are the attendees. DEF CON tickets current cost $230, (cash only!).
>> Pros: This is where you’ll see some of the most cutting edge research released, and meet many top notch pros. Everybody should DEF CON at least once, for the sheer experience.
>> Cons: Over-the-top parties, crowds, and hangovers can overwhelm actual learning and networking. If this is your first hacking conference, or you’re not reasonably cautious, you may be targeted for pranks (or worse).
BLACK HAT– Las Vegas, NV, USA
Black Hat (USA) occurs the week prior to DEF CON, and offers more structured training opportunities on a variety of topics. There’s a heavy vendor presence. Black Hat is more targeted towards security professionals and executives, and offers organized networking events and a bevy of courses and high profile speakers. The talks are well vetted. This doesn’t come cheap; regular tickets are currently $2195. Training courses cost significantly more. If money is a factor, I certainly wouldn’t recommend paying your own way to Black Hat unless there is a course you desperately want to take that isn’t offered anywhere else. Wait for a scholarship or corporate sponsor.
DERBYCON – Louisville, KY, USA
DerbyCon is a relatively new but very popular conference, and acts a bit like a more community and family-friendly alternative to DEF CON. It occurs in September in the heart of downtown Louisville. While it’s not as big of a conference, DerbyCon offers five simultaneous talk tracks, as well as hosting a few special interest working groups and CTF. DerbyCon tickets are $175, and given the reasonable cost of living in Lousiville, this can be a pretty economical conference, without quite as much of the shock value. Although there are bad apples at any hacking conference and basic precautions should always be taken by attendees, DerbyCon is policed pretty well and is a very safe bet for a first con.
SHMOOCON – Washington DC, USA
Shmoocon was founded by a husband and wife team to become a relatively small, friendly, community and education focused conference. It occurs in January, and costs $150, making it the most affordable of the ‘big name con’ admissions. Due to its location and educational reputation, it’s popular with federal government, military, and federal contractors, and the networking, vendors, and talks can reflect this a bit. The downside is that Shmoocon has grown much more popular than its size allows, and tickets sell out quickly – very quickly – a matter of seconds, making attendance a bit of a lottery. If you plan to attend Shmoocon, (I do recommend it), read up on the ticket purchase process well ahead of time.
RSA CONFERENCE – San Francisco, CA, USA
If you missed that RSA occurs in February, you’re not tuned into information security news. I can draw a lot of parallels between RSA Conf and BlackHat, but personally favor Black Hat as an event. They’re both targeted at executives and professionals, throw star-studded vendor parties, come with a hefty price tag (standard RSA tickets are currently $2,295), and get plenty of press. They have the biggest vendor expos, and often boast high profile speakers. I don’t recommend RSA to entry level infosec folks, even if the price tag is in your budget. For the money, I’d attend a course at Black Hat or REcon. The glitz and glamour do not make this the best environment to learn fundamentals or network, and despite some very good speakers, in my opinion RSA Conf continually commits public security faux pas to the ire of hackers and security professionals.
RECON – Montreal, QB, Canada
If reverse engineering malware, hardware, or software is your cup of tea, there’s no better conference to learn more than REcon, which focuses exclusively on sophisticated reversing. Ticket prices for RECon increase through the year leading up to the event, currently starting at 700 CAD and culminating in 1200 CAD in June. Student tickets are discounted. The ticket price is hefty, but includes snacks and lunches. The available hands-on training courses will run you around 2000 – 5000 CAD, so once again, you may want to wait until you’re eligible for some sort of sponsorship for this one. I have not had the pleasure of attending this conference myself, but I’ve heard nothing but glowing reviews from my colleagues in this space.
CIRCLE CITY CON – Indianapolis, IN, USA
Circle City Con is newer than Shmoocon and DerbyCon, but fills the same educational / community friendly conference niche. Circle City Con occurs in June, near the Indianapolis Convention Center. Tickets are currently $150 and include optional training classes, aside from any required materials. Circle City Con is another safe bet for a first conference, and for family participation.
HOPE – NYC, NY, USA
Hackers On Planet Earth is still a bit of a ‘hidden gem’. Although it’s one of the oldest annual hacking cons, it remains reasonably small and attended by industry greats. HOPE occurs in July, and tickets are currently $150. HOPE offers some of the most unique and varied events of any conference outside DEF CON, and boasts film festivals, art, and robotics along with the usual offerings. It’s a bit more eclectic and nuanced than other conferences. HOPE is worth serious consideration, especially for East Coast folks.
GRRCON – Grand Rapids, MI, USA
GrrCON specifically states their goal of avoiding elitism, and as a result they’ve earned a reputation as a positive and friendly environment which is heavily geared towards great networking and security education. GrrCON occurs in October and regular tickets are currently $150. Another location with very reasonable room and board, it would be a great choice for a first con. GrrCON also offers opportunities for family participation.
BSIDES EVENTS (Global)
Perhaps you looked at this long list of conferences, and balked at the locations, travel costs, and ticket prices. All is not lost. Seek out your local BSides event, which occur in many metropolitan areas. BSides events tend to be organized by local hacker groups, and most are one or occasionally two days. BSides also tend to be smaller and less expensive, with tickets usually ranging from $0-50. There’s rarely a good excuse to miss your local BSides – it’s a great opportunity to network with security folks in your area for a nominal fee. BSides events also make a great excuse to travel to cities on your bucket list across the world, learn about hacking, network with people, while enjoying the local culture, sights, and cuisine.
I’d be remiss if I did not briefly discuss hacking conference safety and preparedness. As I’ve mentioned above, the level of ‘threat’ at conferences varies and exists everywhere, but regardless of the event you should take common sense precautions. (All of these precautions should translate into everyday life, because bad gals and bad guys are everywhere!)
- Consider whether it is necessary for you to even bring a laptop to the conference if you’re not attending a course that requires one. Given insecure networks full of hackers, safely using a laptop adds an extra layer of preparation required and gives you another bulky, expensive item to carry and keep track of.
- If you must bring a laptop, I highly recommend using a new hard drive with a clean OS image, full disk encryption, and as little personal data as possible that you only use for the conference(s). Ensure you have a standard array of vetted security tools if you plan to connect to any network, including VPN. Ensure wireless and Bluetooth are fully disabled when not in use. Use common sense about what you log into.
- It’s hard to function today without a smartphone, but consider ways to make your phone more secure. Burner phones or faraday bags are popular options. At the very least, ensure wireless and Bluetooth are off, and that the phone itself is encrypted. VPN if possible. Do not connect to WIFI. Do not borrow phone chargers.
- Bring cash for as many purchases as possible. Bring as few credit/debit cards as absolutely necessary, and ensure they’re in a vetted RFID safe wallet (but certainly don’t expect those to be foolproof). Don’t bring unnecessary stuff in your wallet or purse such as your work ID, social security card, or passport. Do not use an ATM within an easy walk of the event. I have rarely been to a conference where the hotel ATM wasn’t obviously and amusingly hacked by the end of the first day.
- Don’t leave valuables unattended at the bar or in your hotel room, in a hotel full of hackers who can trivially open (any) hotel doors. Double lock your room when you’re inside.
- Know who you can contact and how to reach them if there’s a security or medical issue at the conference – most hacking cons have a staff of security ‘goons’ who are always present and reachable. Any large event can have its share of bad apples, rowdiness, alcohol overuse, and drugs, and they’re there to keep things from getting out of hand. That being said, hacking conferences should not be treated like Mos Eisley cantina. Look out for the safety and well being of your friends and the people around you, and get them help if needed.
==== Local Hacking Meet-ups ====
Aside from organized conferences, many metropolitan and regional areas have formed hacking meet-ups of varying structure and activeness. I recommend finding your local group as soon as possible and participating as much as you can, as it’s a really important way to network with local hiring managers and security teams. Name recognition in this community is absolutely invaluable when applying for jobs.
There were ways that hackers met two decades ago that still work, but they’ve been impacted by Web 2.0 and social media as much as anything else. So, I’ll both discuss the more traditional ways to find your local hacker and InfoSec folk, as well as newer options.
The Old Ways
- DEF CON local groups: They’re named by area code, globally. Unfortunately, in my experience, some are now defunct or inactive. (Check and make sure before showing up.)
- 2600 : 2600 meetings occur in public spaces to be inclusive to everybody, but be cognizant that they are more ‘hacker’ meetings than ‘information security’ meetings. Their active group list is maintained pretty well.
- CitySec meetups: A more ‘security professional’ focused set of informal meetings in many global metropolitan areas.
The New Ways
- Meetup.com: I’ve seen quite a few various information security organizations start posting their meetings through this site over the last few years. It’s always worth a look.
- ISSA: A formal professional organization with chapters around the world.
- Twitter – Plenty of these organizations post their scheduled events.
- LinkedIn – Plenty of these organizations are listed as LinkedIn Groups.
In case you’ve been living under a rock for the past several days, IBM posted, then ultimately removed a video promoting STEM fields for women via “hacking hairdryers”, to a great deal of public outcry from STEM professionals. The unhappiness stemmed not only from perceived sexism, but also tremendously poor timing as the ad was released close to the anniversary of the École Polytechnique massacre of 1989.
I will apologize from momentarily veering away from my usual structured technical guides. However, I’d likely to briefly state my own experience and thoughts on the matter, because I feel there are a couple things that still need to be said.
Before I continue, I’d like to make it clear that I see no purpose in badmouthing IBM further regarding their campaign. I genuinely believe they meant well, and I have many exceptional friends (both male and female) employed in STEM fields there. I’m not offended by their campaign; I merely feel disappointment. The ad (probably generated by an unrelated advertising team) was symptomatic of what I perceive as a systemic misconception about how to interest girls and women (and in a larger sense, minorities) in STEM fields.
I’m fairly straightforward about my interests and experience on social media and my blog. I hope I have properly expressed over the years that I truly have keen interest and skill in an array of tech, without compromise. Tech isn’t merely a career for me – it’s something I live. I also publicly enjoy a fair number of things that are often traditionally categorized as ‘feminine’. I own a gratuitous amount of makeup. I enjoy subversively playing with the ‘sparkly’ and ‘pink’ tropes. I will admit that it took time for me to reconcile these things as a young adult. These things are not mutually exclusive, nor are they particularly interrelated apart from my persona.
I’m not a girl hacker – I’m a hacker. I am not a hacker because somebody taught me to hack on a pink keyboard. I learned to hack, code, and solder the same way most everyone else did. I don’t personally know any female hackers or technical professionals who state that they owe particular success or interest to being approached with anything pink, sparkly, or remotely associated with Barbie. Your mileage may vary.
I owe my skill at tech not to campaigns targeted at me as a girl, but to the fact that by the time that people told me that I could not do things because I was female I was already confident in my ability to do them. By the time my sixth grade science teacher reminded me to, “Remember what happened to Joan of Arc”, I had coded my first text based RPG and soldered circuit boards, and I had found that it was something I enjoyed.
My parents never gave me any presumption of advantage or disadvantage in life to being female. It had no bearing. There was an expectation that I would learn to play a musical instrument and appreciate fine arts, but also help fix the car or TV when they broke and have a solid fundamental understanding of science. My parents both firmly held the assumption these were things an informed human being should do. If I showed an interest in something beneficial, they encouraged it.
Outside of my immediate family, who I firmly believe were instrumental in me freely pursuing an interest in a variety of fields, I also can point directly to youth organizations like the Girl Scouts. Although I can absolutely name cases where I’ve seen them stoop to the same fallacy, even in the 80’s and 90’s, their youth programs still offered a wide array of science and tech teaching that was presented in a great, unbiased, non-condescending way. Our telescopes never needed to be sparkly. We just had to know that we were looking at Saturn through the eyepiece in a cramped observatory on a chilly night, and that was enough.
In my experience it’s absolutely an unfortunate reality that women and girls often do face negative pressures, preconceptions, and lack of encouragement from many sources when they demonstrate any real interest in science, technology, engineering, or mathematics. Trying to advertise these fields through gross gender stereotypes is probably not the way to fix this problem. The ability to excel comes from being told it’s OK to pursue almost any interest by the formative people in a child’s life. This includes family, teachers, mentors, and the community. It comes from being provided exposure to varied interests at a young age. We have to counter the societal negative pressures with positive encouragement for everybody.
Give the kids and young adults in your life the exposure and support to explore and pursue things they wish to.
Get involved with the many great organizations like Hak4Kids and DefCon Kids that provide so much education and motivation to youths.
If you’re able, mentor and sponsor people in your community who don’t have support to grow and learn in tech fields.
Even once a person realizes he or she has a passion for information security, moving in the field can seem a daunting task. The education market is oversaturated with degrees, certifications, and training programs. Meanwhile, many prominent hackers mock those programs publicly. Although I’ve touched on security education and training quite a bit, I’m continually asked to provide a resource for people who are trying to transition from school or other fields into Information Security roles. Ours is a healthy job market and we do need qualified and motivated applicants. The jobs exist, but we repeatedly see candidates being given false advice to get them.
With tremendous and very much appreciated help from many of my colleagues and friends in the field, I have endeavored to compile a comprehensive blog about starting an InfoSec career. This is a very lengthy blog broken into sections that may help people as parts or as a whole. We want you to succeed in our field. As always, please feel free to ask questions or leave comments / gripes / suggestions.
Chapter 1: The Fundamentals
Unfortunately, for all the interminable hacking tool tutorials and security guides floating around the internet, many InfoSec job candidates haven’t grasped two fundamental concepts:
- To hack something (or defend it from hacking), you must have a solid understanding of how that thing works.
- InfoSec is not a career that can be put in a box once you go home from work or school. You must be passionate enough about the field to be continually learning and aware of quickly changing current events. If you want a career that you can forget about once you go home at 5:00 PM, InfoSec is probably not the right choice.
The really intriguing thing about InfoSec and hacking in general is how they draw heavily from knowledge of all sorts of IT subjects. It’s difficult to understand attacks, malware traffic, or intrusions without a firm understanding of network ports, protocols, and architecture. Similarly, it’s difficult to understand malware or identify system compromises without a firm understanding of operating system architecture, hard drive construction, or programming fundamentals.
There’s a misconception that sophisticated attackers use lots of malware and exploits. This is simply not the case. The better a hacker is, the more likely he or she is to leverage preexisting software and tools to compromise a network whenever possible. With malware comes more risk of detection and forensics. It’s a wise choice to use an excellent understanding of the command line and remote execution to move laterally across a network.
If you’re considering a career in InfoSec please evaluate yourself on your knowledge of basic computer science and networking concepts. If you’re weak in one of those areas, consider some outside study. Merely following a Metasploit or an Ophcrack tutorial will not teach you how to be a good hacker. Understanding how Metasploit modules and communication work, or how Windows passwords are stored and passed may eventually. (Almost universally, I find more value in a candidate who can read a pcap than one who can execute msf console.)
In regards to the second concept – in some ways we as a field are victims of our own success. InfoSec jobs are advertised as high paying and cutting edge, so there has been a surge of graduates and applicants. Unfortunately, being a good security professional is something tremendously difficult for any training program or school to teach. Without an outside interest in learning more, enhancing skills, and studying current events, entry level candidates are often tremendously skills-weak.
I often screen candidates with relatively simple questions based on malware and technologies commonly seen (and documented) in the last 3-5 years, as that tends to be newer than university curricula. It’s also very popular to simply ask candidates what they are doing on their own time to enhance their security knowledge. Often, this question leads to silence (which given the wealth of free resources available is a dead giveaway the person will probably not work out). We will discuss some inexpensive ways to improve InfoSec knowledge at home later on in this blog.
Chapter 2: Choosing Education and Certifications
The debate over the value of (costly) college degrees in InfoSec is a continual and heated one, and likely will be for quite some time. I’m often asked if getting a (Associates, Bachelors, or Masters) degree is necessary to get a foot in the door in InfoSec. In the US, the answer is usually no. As I discussed previously, InfoSec interviewers usually value motivation, critical thinking, and self-study above all else while selecting entry level candidates. It is quite possible to write a resume which includes volunteer work, talks, and personal projects related to the field, and these usually are much better conversation starters than a degree.
That being said, there are a few notable exceptions. Government agencies and large corporations still tend to value degrees highly and may even refuse to waive them as a requirement for their hiring authorities. So, without a degree, resumes may simply be ignored by mandatory computerized HR screening.
Secondly, within these types of organizations, pay grade or promotion may be contingent on having a degree, so an entry level person without a degree might have to go elsewhere to move up. Be cognizant of the requirements at the place you’re seeking employment.
Personally, I usually view degrees favorably when they’re financially feasible. They show dedication to a task for two or more years, and an interest in some subject. I also trust credible universities to teach students general business skills like reading, presenting, and report writing (all of which are underappreciated but valuable in security). Thus far I haven’t seen much value in specifically gaining an InfoSec degree – I have come to expect those general skills to be taught better at a credible university in a History program than in an InfoSec program at a for-profit degree mill or technical school. Also, as I previously mentioned, established IT programs such as Computer Science, Computer Engineering, and Network Engineering can bring a lot to the table in terms of general knowhow.
Certifications are a trickier question because there are so many out there, and they serve different purposes depending on the niche field the applicant wishes to get into. I’d consider certifications a ‘nice to have’ for an entry level candidate – they are not likely to tip the balance much in a hiring decision, but they usually don’t hurt. (One exception: Due to the employment requirements and the purpose of the certification, I find it inappropriate when entry level applicants with no experience have [somehow] obtained their ISC2 CISSP ®. The certification is made for people already employed in the field with a number of required years in the field, so it looks a bit fraudulent.)
More appropriate for entry level candidates is the CompTIA Security+. It’s cheap, and it serves two purposes. The first is demonstrating some basic security terminology and concept knowledge. More importantly, it makes candidates eligible to perform government contract work under 8570 requirements. The CompTIA Network+ is also a safe bet, as it shows a bit of that basic network knowledge we’ve been discussing. Neither certification shows an advanced knowledge of their subject, but they are a good choice for getting a foot in the door.
I’ve recommended SANS / GIAC line of certifications in the past because I find their training and tests some of the most legitimate. Their certifications are some of the most technically respected to have on a technical resume. However, their certifications are also extremely expensive, with courses and books in the thousands of dollars and tests in the hundreds. There are some options to decrease the costs like their community offerings or work study program, but they may still be out of reach for entry level folks. If you can easily afford a SANS course and GIAC certification, absolutely take one applicable to your field (good general choices are GSEC or GCIH). If you can’t, don’t take it to heart – wait until an employer makes them financially available to you.
Offensive-Security offers the OSCP certification and course which is a fantastic choice for InfoSec applicants who wish to take a more offense-based route (or indeed, as exposure to those techniques to anybody in InfoSec). It’s real-world lab heavy. The course and certification are still expensive at around a thousand dollars, but may be more realistic than the cost of a SANS course.
I personally do not recommend EC-Council certifications for entry level candidates at this time unless they are specifically required for a role.
I’ll suggest some specific training and certifications as we discuss specific roles later on.
Chapter 3: InfoSec Fields and Niches
There was a time in the 19th century where a ‘scientist’ often meant a generalist – a respected scientist might have knowledge of biology, physics, and chemistry. As those fields grew in complexity, it became increasingly difficult for one person to remain current with all of the research and knowledge involved in even a single broad field. Today, we see scientists specialized in very niche fields, each with its own wealth of research. InfoSec is very similar. While in the 1980s a single security specialist could conduct penetration tests, configure firewalls, and investigate breaches, today that is much less common. There are many disparate fields which make up information security and an important decision for any InfoSec professional is finding which of those niches is are a good fit.
The first thing we have to understand is the distinction between the ‘red team’ and the ‘blue team’. While there is often some overlap in InfoSec job roles, we generally separate them into two broad camps – offense (red team), and defense (blue team). You may wonder why legitimate, “white hat” hackers would need offense. Consider the people who conduct professional penetration tests of organizations to generate reports on their deficiencies, and the people who conduct research into vulnerabilities. These are “red team” jobs.
The path to becoming a Blue Team InfoSec professional is usually somewhat different than the path Red Team professionals take. That’s not to say it isn’t tremendously wise for the two camps to cross-train. It’s difficult to conduct good offense without having a general knowledge of defense practices, and vice versa. We will discuss specific red team and blue team roles in the next two chapters.
> 2 Education & Certifications
> 3 Fields and Niches
[I highly recommend visiting Daniel Miessler’s blog on the same subject, located here: https://danielmiessler.com/blog/build-successful-infosec-career/]
Around con time, I’m frequently asked ‘how to become a computer hacker’. Since it’s a delightfully non-specific question, I have decided to illustrate my response for posterity:
The most critical things when getting into infosec are the right attitude, curiosity, and interest, a solid foundation of technical knowledge, and the motivation to take advantage of the amazing resources that our peers have made available. Unfortunately, a lot of people forget the early steps and delve straight into hacking tool guides, without first covering the basics and developing a deep interest in understanding how to manipulate computers. This is what really divides the bad, from the good, from the great.