HACKING DIVERSITY
We talk a lot about why diversity is important and we are all familiar with the woeful inclusion stats. In this talk we will discuss why diversity is important from both the perspective of an organization’s bottom line and the individual contributor.
7. #the problem
www.hackerhalted.com 7@marcellelee
● 3.5 million cybersecurity job openings by 2021
● 74% of orgs are facing a cybersecurity skills shortage
● Cybercrime is predicted to cost the world $6 trillion annually by 2021
● 60% of small businesses go out of business within six months of a cyber attack.
Source: indeed.com search for cybersecurity, October 2019
10. #stats
● North America leads the world in female participation rates in cybersecurity at 14%.
● 51% of women in cybersecurity have experienced discrimination.
● 87% of that discrimination was associated with unconscious bias.
● People of color represent only about 12% of information security analysts.
Source: ISC2
16. #benefits of diversity
When companies commit themselves to diverse leadership, they are more successful. More diverse companies, we believe, are better able to win top talent and improve their customer orientation, employee satisfaction, and decision making, and all that leads to a virtuous cycle of increasing returns. This in turn suggests that other kinds of diversity—for example, in age, sexual orientation, and experience (such as a global mind-set and cultural fluency)—are also likely to bring some level of competitive advantage for companies that can attract and retain such diverse talent.
McKinsey & Company
21. #solutions
Change how you write your job postings:
● Avoid terms like “rockstar” and “ninja”.
● Set reasonable expectations for what is required for the job and don’t ask for more.
● State that training and professional growth are supported
(and then actually support).
● Avoid listing gender-oriented perks (foosball anyone?)
22. #solutions
Responsibilities:
Actively hunt for Indicators of Compromise (IOC) and APT Tactics, Techniques, and Procedures (TTP) in network and on host.
Find evidence of attack, and attackers actions thereafter.
Work with team to produce effective countermeasures against found evidence. Also, contributes to mitigations for future attacks of a similar nature.
Follow Security Operations Center (SOC) policies, procedures for incident reporting and management. Create a detailed Incident Report (IR) and contribute to lessons learned.
Analyze infrastructure build sheets, Configuration Management Database (CMDB), NIST 800-53 ATO artifacts, Vulnerability scans, Access Control Lists (ACL), and vendor documentation to thoroughly understand software behaviors and interactions.
Monitor open source and commercial threat intelligence for IOCs, new vulnerabilities, software weaknesses, and other attacker TTPs.
Study and understand IANA, W3C, IETF and other internet bodies’ protocol RFC definitions to understand violations and security weaknesses.
Conduct forensic testing and operational hardening of multiple OS platforms.
Analyze network perimeter data, flow, packet filtering, proxy firewalls, and IPS/IDS to create and implement a concrete plan of action to harden the defensive posture.
Work with SOC shift team to help contain intrusions.
...
Desired Experience:
Thorough understanding of network protocol behaviors. Ability to understand netflow and PCAP.
Thorough knowledge of open source tools to visualize PCAP data (Wireshark, TCPDump, etc.).
Detailed knowledge of various forms of social engineering, including the ability to recognize and handle spear-phishing campaigns or other forms of social engineering attacks.
Comprehensive knowledge of Windows and Linux behaviors, logging, vulnerabilities, exploits, and known attacks.
Use of IPSec packet filtering and Windows firewalls with specific application to defense in depth of network based attacks, data corruption, data theft, credential theft, and administrative control.
Red Team/Blue Team experience from a federal agency
Actual job posting. But wait, there’s more...
23. #solutions
Required Skills:
Expert knowledge of network routing and switching fundamentals to include knowledge of Multiprotocol Layer Switching (MPLS)
Deep technical understanding of operating systems, network architecture and design, Active Directory (AD) application log consumables, systems design as well as superior knowledge of technical operations process and procedures
Knowledge of how encryption, key management and cryptology works in the enterprise and in cyber data
Understanding of Enterprise Architecture Standards such as the Department of Defense Architecture Framework (DODAF), Service-Oriented Architecture (SOA), the Open Group Architecture Framework (TOGAF), and/or the Amazon Web Services (AWS) Well Architected Framework
Knowledge in the Risk Management Framework (NIST 800-37), Security Controls as described in NIST 800-35, and the Federal Information Security Modernization Act (FISMA) operating standards and applicable guidelines (risk profiling, control selection, control assessment, control monitoring)
Expertise in performing threat modelling, risk analysis, root cause analysis, risk identification, and risk mitigation
Expertise in Application Penetration Testing (fuzzing, reverse engineering, Fortify or similar, IDA Pro, Kali, BackTrack, OllyDbg, SQLMap, etc.)
Expertise in Proof of Concept (Exploit) development
Understanding of Secure SDLC (threat modelling, security requirements, secure design, secure implementation, secure testing, secure maintenance)
Knowledge of Mobile Application Security and MDM sensor data
Expertise in Embedded Device Security
Expertise in Malware Analysis
Expertise in a variety of web application protocols, web services (components including JavaScript, XML, JSON), scripting capabilities (Powershell, Python, BASH) software development frameworks, operating systems, and networking technologies. Understanding of various web application frameworks such as ASP.NET, J2EE
Organizational Skills: Proven ability to plan and prioritize work, both their own and that of team. Follows tasks to their logical conclusion.
Problem Solving: Natural inclination for planning strategy and tactics. Ability to analyze problems and determine root cause, generating alternatives, evaluating and selecting alternatives and implementing solutions.
Results oriented: Able to drive things forward regardless of personal interest in the task.
Education Requirements:
Minimum of 8 years of experience and a Masters, 10 years of experience with a Bachelor’s, or 12 years of experience with an Associate’s Degree
This job description could change at any time, without notice.
24. #solutions
Review the “face” of your organization:
● Is diversity depicted in external materials?
● Are your recruiting efforts geared to various audiences?
● Do you provide conference swag that appeals to a diverse group?
25. #solutions
Is your company culture universally appealing?

We take our work and our fun seriously. We refuse any work that isn’t hard and engaging. We make sure our engineers have the tools they need to do their jobs, and focus on recognizing results. Surfboards, pirate flags, and DEFCON black badges decorate our offices, and our Nerf collection dwarfs that of most toy stores.

Would you like to work at an office that celebrates International Tabletop Day, May the 4th Be With You, and Alan Turing’s birthday? A place that built their conference room table from Legos? An office that regularly breaks out in Nerf Wars? Do you want to work for a CEO that drives a DeLorean?
Actual job postings.
26. #solutions
Do your benefits appeal to a broad audience?
● Paid maternity/paternity leave.
● Flexible work hours.
● Gender reassignment assistance.
● Domestic partner benefits.
● Student loan debt assistance.
● Accessible facilities.
27. #solutions
Treat candidates like the valuable assets they are:
● Be respectful of candidates’ time.
● Provide a salary range for the position.
● Respond promptly to questions.
● Don’t sugarcoat realities of the position.
A Glassdoor study found that 82% of candidates felt that the interview process should take no more than a month.
28. #solutions
Address the impact of unconscious bias in your hiring process.
● Create a diverse team to conduct interviews and rotate the
members.
● Have a consistent and repeatable interview process.
● Educate your hiring managers and interviewers.
● Use blind hiring processes.
30. #solutions
Support organizations that promote the interests of diverse populations:
● Women’s Society of Cyberjutsu
● Out & Equal
● Hire Our Heroes
● Women Who Code
● Lesbians Who Tech
● International Consortium Of Minority Cybersecurity Professionals
To name a few...