So you want a JOB in CYBER SECURITY?
@TeriRadichel
My Background
• Tech: Software Engineer > Cloud Engineer > Cloud Architect > Cybersecurity
• Entrepreneur (3x): > Writing, E-commerce & Web Hosting, Cybersecurity
• Degrees: BA Business, 2 Master’s Software Engineering, Cybersecurity
• Certifications: Many, including SANS GSE
• CEO of 2nd Sight Lab > Training, Assessments, Penetration Tests
• IANS Research Faculty > Phone consulting
• Infragard, AWS Hero, SANS Difference Maker’s Award
• Professional Speaker: Conferences around the world (RSA, OWASP, etc)
• Author: Cybersecurity for Executives in the Age of Cloud
• https://medium.com/cloud-security/women-in-tech-cyber-security/home
Organizations I’ve worked for (that I can say)
…as employee, consultant, took my classes…
Subcontractor
• Hey, what’s that?
• Something weird is going on here.
• Hey, someone’s on our machine!
• Investigate systems and network.
• Obsess over figuring out how they did it.
• Try to make sure it never happens again.
• That’s my story.
How people used to get into cybersecurity
Security Operations
Intrusion Detection & Response
• Misfit messing around with computers.
• Hack something.
• Maybe get arrested.
• Or not.
• Attend hacker conferences.
• End up working for the government.
• Or Corporate America.
• Or both.
Alternatively….
Cybersecurity legends ~ Hackers
Also check out:
• RSA
• OWASP AppSec
• BSides
• ISACA
• Black Hat
• ATT&CK CON
• REcon
DEFCON
https://www.youtube.com/user/DEFCONConference/videos
Military, Government, & Cyber Spies
• Exposure in mainstream media.
• More training options.
• More certifications.
• Cybersecurity degrees.
• Training at technical colleges.
• More meetups and conferences.
• More books, blogs, videos.
Cybersecurity today
No cybersecurity degree existed when I started
When most people think of cybersecurity...
How others feel about cybersecurity…
• PCI: Payment Card Industry https://www.pcisecuritystandards.org/
• HIPAA: Health care data https://www.hhs.gov
• GDPR: Data of European Citizens https://gdpr-info.eu/
• NERC: North America Power System https://www.nerc.com/Pages/default.aspx
• State privacy laws https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
• GSA Privacy Act: PII https://www.gsa.gov/reference/gsa-privacy-program/rules-and-policies-protecting-pii-privacy-act
Examples of Regulation
Follow rules!
(Compliance)
• NIST (National Institute of Standards & Technology) https://www.nist.gov/
• ISACA (Information Systems Audit & Control Association) https://www.isaca.org/
• SOC2 Compliance https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
• ISO27001 https://www.iso.org/isoiec-27001-information-security.html
Cybersecurity Audits
Prove it.
• Compliance is a minimum
• Cybersecurity fundamentals
• Industry knowledge and information sharing
• Good cybersecurity architecture & processes
• Vendor guidance
• Monitor the news! What are attackers doing?
• Adjust security practices accordingly.
Best Practices (not laws)
Regulatory compliance does not equal security.
• CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/
• CIS Controls https://www.cisecurity.org/controls/cis-controls-list/
• OWASP Top 10 https://owasp.org/www-project-top-ten/
• MITRE ATT&CK https://attack.mitre.org/
• CWEs https://cwe.mitre.org/
• Top 25 most dangerous software weaknesses https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
• Vendor security documentation – especially for cloud systems.
Industry Guidance (More lists…)
• Vary widely in scope and objectives.
• Run a scan and generate an automated report for a customer.
• Evaluate system architecture and networks.
• Ask questions about tools, systems, and processes.
• Review company standards, policies, and procedures.
• Consider most common attack vectors.
• Interview development teams, business professionals, or others.
• Evaluate system code or test security product functionality.
Cybersecurity Assessments
Minimum. Not great. Also, cheap.
• Find and exploit system vulnerabilities.
• Sort of like a hacker, but not really
• Much more limited time frame
• Limited by scope (provided by customer)
• Network, internal, cloud, deployments, applications, products
• Some access to expose vulnerabilities
• Objective: Coverage or target?
• Approaches: scanning, reverse-engineering, social engineering
Penetration Tests
Try to break in!
Then write a 40-80+ page report (in my case)
Software & Hardware Vulnerabilities
Input bad stuff.
Make bad things happen here
https://cve.mitre.org/
Common Vulnerabilities & Exposures
Vulnerability Management
Systems exposed to the Internet are attacked
• Attackers scan for open ports
• System vulnerabilities
• Exploit to get foothold
• Call home to C2
• Send commands
• Get credentials
• Repeat
Network Security
https://medium.com/cloud-security/how-network-traffic-got-me-into-cybersecurity-94796bb78c92
https://medium.com/cloud-security/what-is-packet-sniffing-f03f50aa230
https://websitenotebook.blogspot.com/2014/05/hexadecimal-to-binary-to-decimal-cheat.html
https://websitenotebook.blogspot.com/2014/05/decoding-ip-header-example.html
Malware on infected machines scans for other machines to attack on the Internet and within internal networks.
Zero Trust!
People
Many security incidents involve human actions!
• Verify it’s a security problem.
• Capture evidence in a way that proves no one tampered with it.
• Handle evidence in a secure manner (chain of custody).
• Contain the malware to prevent spread.
• Potentially observe it or use the copy for analysis.
• Remove it from systems – completely!
• Report and learn from the incident.
Digital Forensics & Incident Response (DFIR)
Sample breach notifications in my weekly news feed.
Q: How did our systems get breached?
A: An attacker got ransomware onto our systems.
Q: How did the attacker get ransomware onto our systems?
A: They got onto one of the machines in our network.
Q: How did they get onto the machine?
A: General: Evil link in email, vulnerability, misconfiguration.
Q: What was the link? What was the vulnerability?
A: Specific: The actual link, CVE, IP address, port, software.
Breach reports need root cause
Ask the right questions.
https://www.giac.org/paper/gsec/35355/case-study-critical-controls-prevented-target-breach/140127
Analysis of the Target Breach
• Domain Generation Algorithm
• CNAME pointing to C2 server
• DNS and HTTP C2
• IP Ranges
• Steganography
• Malware commands
• Attack techniques
https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html
https://medium.com/cloud-security/solarwinds-hack-retrospective-part-1-8107671e3314
Technical Details
Security researcher or malware analyst
Reverse Engineering Malware
https://www.nsa.gov/resources/everyone/ghidra/
Disassembler / decompiler
Risk Management
• Reduce risk of a data breach and potential damage.
• Attack vectors: The different attacks available on your systems.
• Attack surface: The amount of exposure available to attack.
• Blast Radius: How much damage unauthorized access can cause.
Key to security
1. Immutable software deliverables in SolarWinds deployments.
2. Identification of C2 network traffic by affected customers.
3. Least-privilege for credentials on infected systems.
4. Just-in-time and conditional access for high-risk actions.
What could have prevented the attack?
Security architecture
Security operations or analyst
Governance & Risk Management, IAM
Governance & Risk Management, IAM
• Security has a lot of rules and lists!
• Where should you start?
• How do attackers get in?
1. Abstract the details to core principles.
2. Prioritize fixing highest risk findings.
3. Avoid over-analysis.
4. Avoid repeat problems.
Getting a handle on complexity
What Causes Data Breaches?
The Concept of Abstraction
Less to manage.
The same set of principles can stop or limit damage for a myriad of attacks!
20 cybersecurity questions
• Key factors that drive data breaches.
• Learn fundamental cybersecurity.
• Study how attacks work.
• Abstract common attack vectors.
• Understand what stops them.
• Reduce the chances you give attackers.
• Create metrics that make a difference.
• Automated reporting + Manual analysis.
20 questions to ask your security team
How many CVEs?
Percent of systems exposed to the Internet?
Data exposed to Internet?
Total attack paths on our network?
Potential damage if credentials stolen?
Percentage of accounts with MFA?
Percentage data encrypted when stored?
Percentage of network traffic encrypted?
Findings from pentests and assessments?
Can we restore from backups? Tested?
Developer security training? Network, data, app?
What are our security policies?
Who generates most exceptions? Why?
Security checks built into deployment systems?
Are we vetting our vendors? How?
Proof that our security solutions provide value?
Do we have an incident handling team or plan?
What percent activities can be and are automated?
What is the overall risk level? Getting better?
How is the threat landscape changing?
Worldwide average cost of a breach
https://www.ibm.com/security/data-breach
U.S. average cost of a data breach
https://www.ibm.com/security/data-breach
Measure risk and reduce it
$2.30M
Cost difference for breaches with high vs. low level of compliance failures
- IBM Cost of a Data Breach
Automation
$2.90M
Average cost of a data breach at organizations with security AI and automation fully deployed.
- IBM Cost of a Data Breach
We still need humans for analysis.
Not all problems can be solved by automation.
Analysis
• Executives
• Developers
• Marketing
• Human resources
• Salespeople
• Interns!
• Contractors
• Third-party vendors
Everyone needs security awareness!
All it takes is one mistake…
• People need to understand why rules exist.
• Communication is critical.
• Email and videos not that effective.
• Iterative fixes.
• Test before blocking.
• Get executive support.
The organization still needs to function
https://www.sans.org/white-papers/36837
Without this, an exercise in futility
Non-exhaustive list of security jobs
Chief Information Security Officer (CISO)
Risk Management & Governance / Privacy Officer
Auditors and Assessors
Blue Team (Defense)
Security Engineer (Application, Cloud, System, Network, Product, Hardware, Network)
Security Researcher / Malware Analyst
Digital Forensics & Incident Response (DFIR)
FBI Agent / Counter Espionage Agent / Cyber Spy
Information Security Analyst
Security Administrator
Security Operations Center (SOC) Analyst
Cryptography / Cryptology / Cryptanalyst
Penetration Testers / Red Team (Offense)
Security Architect (Application, System, Cloud, Enterprise, Product, Hardware, Network)
Security Sales, Marketing, Product Management
Security Consultant / Specialist
Cyber Intelligence Specialist
Security Manager
• Catch hackers in the act? (Security Analyst, SOC)
• Help companies after a cyber attack? (DFIR, CERT)
• Study malware & attacks? (Security Researcher)
• Hack? (Pentester, Red Team, Bug Bounties, Criminals)
• Design & build secure systems? (Architect, Engineer)
• Policies and risk reduction? (Risk Management, Governance)
• Validate orgs follow rules? (Assessor, Auditor)
• Implement policies and work with executives? (CISO)
• Enforce policies? (CEO, Board of Directors)
What do you want to do?
Security Pros do not enforce!
Security Salaries
https://www.wsj.com/articles/cybersecurity-chiefs-are-in-high-demand-as-companies-face-rising-hacking-threats-11627551000
https://www.csoonline.com/article/3624670/cybersecurity-salary-what-8-top-security-jobs-pay.html
• Survey of 354 CISOs published by Heidrick & Struggles International, WSJ.
• Median salary of $509,000, up from $473K in 2020.
• Total compensation with equity grants & bonuses $936,000.
• May be inflated and depends on company size. Generally over $200K.
• Smaller companies tend to hire MSSPs, consultants, virtual CISO.
• Other security jobs…might not pay as much as software development.
• Explains the shortage in cybersecurity pros? Hope that changes soon.
2nd Sight Lab
• Obtain skills: Look at job descriptions.
• On-the-job training: Find a company that will train you.
• Certifications / Degrees: Get you past the HR department.
• Establish trust: Security is all about trust.
• Meet people: Get involved in the security community.
• Get experience: Internships, personal projects, CTFs, volunteer.
• Demonstrate knowledge: Writing, GitHub, speaking, videos (use sources!)
• Continuous learning: Security is a moving target.
• Be familiar with current events: Read, Twitter, my news blog!
How to get a job in cybersecurity
https://medium.com/cybersecurity-news
Book:
https://amzn.to/3C1g3F9
Cloud Security Blog:
https://medium.com/cloud-security
Cybersecurity News Blog:
https://medium.com/cybersecurity-news
@TeriRadichel
Thank you!
More on Twitter!

cybersecurity-careers.pdf

  • 1. So you want a JOB in CYBER SECURITY? @TeriRadichel
  • 2. My Background  Tech: Software Engineer > Cloud Engineer > Cloud Architect > Cybersecurity  Entrepreneur (3x): > Writing, E-commerce & Web Hosting, Cybersecurity  Degrees: BA Business, 2 Master’s Software Engineering, Cybersecurity  Certifications: Many, including SANS GSE  CEO of 2nd Sight Lab > Training, Assessments, Penetration Tests  IANS Research Faculty > Phone consulting  Infragard, AWS Hero, SANS Difference Maker’s Award  Professional Speaker: Conferences around the world (RSA, OWASP, etc)  Author: Cybersecurity for Executives in the Age of Cloud  https://medium.com/cloud-security/women-in-tech-cyber-security/home
  • 3. Organizations I’ve worked for (that I can say) …as employee, consultant, took my classes… Subcontractor
  • 4.  Hey, what’s that?  Something weird is going on here.  Hey, someone’s on our machine!  Investigate systems and network.  Obsess over figuring out how they did it.  Try to make sure it never happens again.  That’s my story. How people used to get into cybersecurity Security Operations Intrusion Detection & Response
  • 5.  Misfit messing around with computers.  Hack something.  Maybe get arrested.  Or not.  Attend hacker conferences.  End up working for the government.  Or Corporate America.  Or both. Alternatively…. Cybersecurity legends ~ Hackers
  • 6. Also check out:  RSA  OWASP AppSec  BSides  ISACA  Black Hat  ATT&CK CON  REcon DEFCON https://www.youtube.com/user/DEFCONConference/videos
  • 8.  Exposure in mainstream media.  More training options.  More certifications.  Cybersecurity degrees.  Training at technical colleges.  More meetups and conferences.  More books, blogs, videos. Cybersecurity today No cybersecurity degree existed when I started
  • 9. When most people think of cybersecurity...
  • 11.  PCI: Payment Card Industry https://www.pcisecuritystandards.org/  HIPAA: Health care data https://www.hhs.gov  GDPR: Data of European Citizens https://gdpr-info.eu/  NERC: North America Power System https://www.nerc.com/Pages/default.aspx  State privacy laws https://iapp.org/resources/article/us-state-privacy-legislation-tracker/  GSA Privacy Act: PII https://www.gsa.gov/reference/gsa-privacy-program/rules-and-policies-protecting-pii-privacy-act Examples of Regulation Follow rules! (Compliance)
  • 12.  NIST (National Institute of Standards & Technology) https://www.nist.gov/  ISACA (Information Systems Audit & Control Association) https://www.isaca.org/  SOC2 Compliance https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html  ISO27001 https://www.iso.org/isoiec-27001-information-security.html Cybersecurity Audits Prove it.
  • 13.  Compliance is a minimum  Cybersecurity fundamentals  Industry knowledge and information sharing  Good cybersecurity architecture & processes  Vendor guidance  Monitor the news! What are attackers doing?  Adjust security practices accordingly. Best Practices (not laws) Regulatory compliance does not equal security.
  • 14.  CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/  CIS Controls https://www.cisecurity.org/controls/cis-controls-list/  OWASP Top 10 https://owasp.org/www-project-top-ten/  MITRE ATT&CK https://attack.mitre.org/  CWEs https://cwe.mitre.org/  Top 25 most dangerous software weaknesses https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html  Vendor security documentation – especially for cloud systems. Industry Guidance (More lists…)
  • 15.  Vary widely in scope and objectives.  Run a scan and generate an automated report for a customer.  Evaluate system architecture and networks.  Ask questions about tools, systems, and processes.  Review company standards, policies, and procedures.  Consider most common attack vectors.  Interview development teams, business professionals, or others.  Evaluate system code or test security product functionality. Cybersecurity Assessments Minimum. Not great. Also, cheap.
  • 16.  Find and exploit system vulnerabilities.  Sort of like a hacker, but not really  Much more limited time frame  Limited by scope (provided by customer)  Network, internal, cloud, deployments, applications, products  Some access to expose vulnerabilities  Objective: Coverage or target?  Approaches: scanning, reverse-engineering, social engineering Penetration Tests Try to break in! Then write a 40-80+ page report (in my case)
  • 17. Software & Hardware Vulnerabilities Input bad stuff. Make bad things happen here
  • 18. https://cve.mitre.org/ Common Vulnerabilities & Exposures Vulnerability Management
  • 19. Systems exposed to the Internet are attacked  Attackers scan for open ports  System vulnerabilities  Exploit to get foothold  Call home to C2  Send commands  Get credentials  Repeat
  • 21. Malware on infected machines scans for other machines to attack on the Internet and within internal networks. Zero Trust!
  • 22. People Many security incidents involve human actions!
  • 23.  Verify it’s a security problem.  Capture evidence in a way that proves no one tampered with it.  Handle evidence in a secure manner (chain of custody).  Contain the malware to prevent spread.  Potentially observe it or use the copy for analysis.  Remove it from systems – completely!  Report and learn from the incident. Digital Forensics & Incident Response (DFIR) Sample breach notifications in my weekly news feed.
  • 24. Q: How did our systems get breached? A: An attacker got ransomware onto our systems. Q: How did the attacker get ransomware onto our systems? A: They got onto one of the machines in our network. Q: How did they get onto the machine? A: General: Evil link in email, vulnerability, misconfiguration. Q: What was the link? What was the vulnerability? A: Specific: The actual link, CVE, IP address, port, software. Breach reports need root cause Ask the right questions.
  • 26.  Domain Generation Algorithm  CNAME pointing to C2 server  DNS and HTTP C2  IP Ranges  Steganography  Malware commands  Attack techniques https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html https://medium.com/cloud-security/solarwinds-hack-retrospective-part-1-8107671e3314 Technical Details Security researcher or malware analyst
  • 28. Risk Management  Reduce risk of a data breach and potential damage.  Attack vectors: The different attacks available on your systems.  Attack surface: The amount of exposure available to attack.  Blast Radius: How much damage unauthorized access can cause. Key to security
  • 29. 1. Immutable software deliverables in SolarWinds deployments. 2. Identification of C2 network traffic by affected customers. 3. Least-privilege for credentials on infected systems. 4. Just-in-time and conditional access for high-risk actions. What could have prevented the attack? Security architecture Security operations or analyst Governance & Risk Management, IAM Governance & Risk Management, IAM
  • 30.  Security has a lot of rules and lists!  Where should you start?  How do attackers get in? 1. Abstract the details to core principles. 2. Prioritize fixing highest risk findings. 3. Avoid over-analysis. 4. Avoid repeat problems. Getting a handle on complexity What Causes Data Breaches?
  • 31. The Concept of Abstraction Less to manage.
  • 32. The same set of principles can stop or limit damage for a myriad of attacks!
  • 33. 20 cybersecurity questions  Key factors that drive data breaches.  Learn fundamental cybersecurity.  Study how attacks work.  Abstract common attack vectors.  Understand what stops them.  Reduce the chances you give attackers.  Create metrics that make a difference.  Automated reporting + Manual analysis.
  • 34. 20 questions to ask your security team How many CVEs? Developer security training? Network, data, app? Percent of systems exposed to the Internet? What are our security policies? Data exposed to Internet? Who generates most exceptions? Why? Total attack paths on our network? Security checks built into deployment systems? Potential damage if credentials stolen? Are we vetting our vendors? How? Percentage of accounts with MFA? Proof that our security solutions provide value? Percentage data encrypted when stored? Do we have an incident handling team or plan? Percentage of network traffic encrypted? What percent activities can be and are automated? Findings from pentests and assessments? What is the overall risk level? Getting better? Can we restore from backups? Tested? How is the threat landscape changing?
  • 35. Worldwide average cost of a breach https://www.ibm.com/security/data-breach
  • 36. U.S. average cost of a data breach https://www.ibm.com/security/data-breach
  • 37. Measure risk and reduce it $2.30M Cost difference for breaches with high vs. low level of compliance failures - IBM Cost of a Data Breach
  • 38. Automation $2.90M Average cost of a data breach at organizations with security AI and automation fully deployed. - IBM Cost of a Data Breach
  • 39. We still need humans for analysis. Not all problems can be solved by automation. Analysis
  • 40.  Executives  Developers  Marketing  Human resources  Salespeople  Interns!  Contractors  Third-party vendors Everyone needs security awareness! All it takes is one mistake…
  • 41.  People need to understand why rules exist.  Communication is critical.  Email and videos not that effective.  Iterative fixes.  Test before blocking.  Get executive support. The organization still needs to function https://www.sans.org/white-papers/36837 Without this, an exercise in futility
  • 42. Non-exhaustive list of security jobs Chief Information Security Officer (CISO) Security Administrator Risk Management & Governance / Privacy Officer Security Operations Center (SOC) Analyst Auditors and Assessors Cryptography / Cryptology / Cryptanalyst Blue Team (Defense) Penetration Testers / Red Team (Offense) Security Engineer (Application, Cloud, System, Network, Product, Hardware, Network) Security Architect (Application, System, Cloud, Enterprise, Product, Hardware, Network) Security Researcher / Malware Analyst Security Sales, Marketing, Product Management Digital Forensics & Incident Response (DFIR) Security Consultant / Specialist FBI Agent / Counter Espionage Agent / Cyber Spy Cyber Intelligence Specialist Information Security Analyst Security Manager
  • 43.  Catch hackers in the act? (Security Analyst, SOC)  Help companies after a cyber attack? (DFIR, CERT)  Study malware & attacks? (Security Researcher)  Hack? (Pentester, Red Team, Bug Bounties, Criminals)  Design & build secure systems? (Architect, Engineer)  Policies and risk reduction? (Risk Management, Governance)  Validate orgs follow rules? (Assessor, Auditor)  Implement policies and work with executives? (CISO)  Enforce policies? (CEO, Board of Directors) What do you want to do? Security Pros do not enforce!
  • 44. Security Salaries https://www.wsj.com/articles/cybersecurity-chiefs-are-in-high-demand-as-companies-face-rising-hacking-threats-11627551000 https://www.csoonline.com/article/3624670/cybersecurity-salary-what-8-top-security-jobs-pay.html  Survey of 354 CISOs Published by Heidrick & Struggles International, WSJ.  Median Salary of $509,000 over $473K in 2020.  Total compensation with equity grants & bonuses $936,000.  May be inflated and depends on company size. Generally over $200K.  Smaller companies tend to hire MSSPs, consultants, virtual CISO.  Other security jobs…might not pay as much as software development.  Explains the shortage in cybersecurity pros? Hope that changes soon. 2nd Sight Lab
  • 45.  Obtain skills: Look at job descriptions.  On-the-job training: Find a company that will train you.  Certifications / Degrees: Get you past the HR department.  Establish trust: Security is all about trust.  Meet people: Get involved in the security community.  Get experience: Internships, personal projects, CTFs, volunteer.  Demonstrate knowledge: Writing, GitHub, speaking, videos (use sources!)  Continuous learning: Security is a moving target.  Be familiar with current events: Read, Twitter, my news blog! How to get a job in cybersecurity
  • 47. Book: https://amzn.to/3C1g3F9 Cloud Security Blog: https://medium.com/cloud-security Cybersecurity News Blog: https://medium.com/cybersecurity-news @TeriRadichel Thank you! More on Twitter!