1. So you want a JOB in CYBER SECURITY?
@TeriRadichel
2. My Background
Tech: Software Engineer > Cloud Engineer > Cloud Architect > Cybersecurity
Entrepreneur (3x): > Writing, E-commerce & Web Hosting, Cybersecurity
Degrees: BA Business, 2 Master’s Software Engineering, Cybersecurity
Certifications: Many, including SANS GSE
CEO of 2nd Sight Lab > Training, Assessments, Penetration Tests
IANS Research Faculty > Phone consulting
Infragard, AWS Hero, SANS Difference Maker’s Award
Professional Speaker: Conferences around the world (RSA, OWASP, etc)
Author: Cybersecurity for Executives in the Age of Cloud
https://medium.com/cloud-security/women-in-tech-cyber-security/home
3. Organizations I’ve worked for (that I can say)
…as employee, consultant, took my classes…
Subcontractor
4. Hey, what’s that?
Something weird is going on here.
Hey, someone’s on our machine!
Investigate systems and network.
Obsess over figuring out how they did it.
Try to make sure it never happens again.
That’s my story.
How people used to get into cybersecurity
Security Operations
Intrusion Detection & Response
5. Misfit messing around with computers.
Hack something.
Maybe get arrested.
Or not.
Attend hacker conferences.
End up working for the government.
Or Corporate America.
Or both.
Alternatively…
Cybersecurity legends ~ Hackers
6. Also check out:
RSA
OWASP AppSec
BSides
ISACA
Black Hat
ATT&CK CON
REcon
DEFCON
https://www.youtube.com/user/DEFCONConference/videos
8. Exposure in mainstream media.
More training options.
More certifications.
Cybersecurity degrees.
Training at technical colleges.
More meetups and conferences.
More books, blogs, videos.
Cybersecurity today
No cybersecurity degree existed when I started
11. PCI: Payment Card Industry
https://www.pcisecuritystandards.org/
HIPAA: Health care data https://www.hhs.gov
GDPR: Data of European Citizens https://gdpr-info.eu/
NERC: North America Power System
https://www.nerc.com/Pages/default.aspx
State privacy laws https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
GSA Privacy Act: PII https://www.gsa.gov/reference/gsa-privacy-program/rules-and-policies-protecting-pii-privacy-act
Examples of Regulation
Follow rules!
(Compliance)
12. NIST (National Institutes of Standards & Technology)
https://www.nist.gov/
ISACA (Information Systems Audit & Control Association)
https://www.isaca.org/
SOC2 Compliance
https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpasoc2report.html
ISO27001 https://www.iso.org/isoiec-27001-information-security.html
Cybersecurity Audits
Prove it.
13. Compliance is a minimum
Cybersecurity fundamentals
Industry knowledge and information sharing
Good cybersecurity architecture & processes
Vendor guidance
Monitor the news! What are attackers doing?
Adjust security practices accordingly.
Best Practices (not laws)
Regulatory compliance
does not equal
security.
14. CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/
CIS Controls https://www.cisecurity.org/controls/cis-controls-list/
OWASP Top 10 https://owasp.org/www-project-top-ten/
MITRE ATT&CK https://attack.mitre.org/
CWEs https://cwe.mitre.org/
Top 25 most dangerous software weaknesses
https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
Vendor security documentation – especially for cloud systems.
Industry Guidance (More lists…)
15. Vary widely in scope and objectives.
Run a scan and generate an automated report for a customer.
Evaluate system architecture and networks.
Ask questions about tools, systems, and processes.
Review company standards, policies, and procedures.
Consider most common attack vectors.
Interview development teams, business professionals, or others.
Evaluate system code or test security product functionality.
Cybersecurity Assessments
Minimum.
Not great.
Also, cheap.
16. Find and exploit system vulnerabilities.
Sort of like a hacker, but not really
Much more limited time frame
Limited by scope (provided by customer)
Network, internal, cloud, deployments, applications, products
Some access to expose vulnerabilities
Objective: Coverage or target?
Approaches: scanning, reverse-engineering, social engineering
Penetration Tests
Try to break in!
Then write a 40-80+ page report (in my case)
17. Software & Hardware Vulnerabilities
Input bad stuff.
Make bad things happen here
19. Systems exposed to the Internet are attacked
Attackers scan for open ports
System vulnerabilities
Exploit to get foothold
Call home to C2
Send commands
Get credentials
Repeat
23. Verify it’s a security problem.
Capture evidence in a way that proves no one tampered with it.
Handle evidence in a secure manner (chain of custody).
Contain the malware to prevent spread.
Potentially observe it or use the copy for analysis.
Remove it from systems – completely!
Report and learn from the incident.
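The evidence-handling steps above (capture in a tamper-evident way, keep a chain of custody, verify before analysis) are easy to state and easy to get wrong. As an added example, not part of the original talk, here is a minimal evidence-integrity and custody log in Python: it hashes an evidence file at collection time, records every handling event with the hash observed at that moment, and refuses to vouch for the item once the bytes no longer match. The evidence file, handler names and actions are all constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large disk or memory image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled an evidence item, when, and its hash at that moment."""

    def __init__(self, evidence_path, collector):
        self.evidence_path = evidence_path
        # The hash taken at collection is the reference every later check is compared against.
        self.original_hash = sha256_file(evidence_path)
        self.entries = []
        self.record("collected", handler=collector)

    def record(self, action, handler):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "sha256": sha256_file(self.evidence_path),
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if the file still matches the collection hash and every logged handling event saw the same hash."""
        current = sha256_file(self.evidence_path)
        return current == self.original_hash and all(
            e["sha256"] == self.original_hash for e in self.entries
        )

    def to_json(self):
        return json.dumps(
            {
                "evidence": os.path.basename(self.evidence_path),
                "original_sha256": self.original_hash,
                "entries": self.entries,
            },
            indent=2,
        )


def demo():
    """Constructed scenario: collect a fake capture, hand it over, then simulate an undocumented modification."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "capture.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample evidence bytes\n" * 100)  # not real evidence
        log = CustodyLog(path, collector="analyst-1")  # hypothetical handler ids
        log.record("transferred to evidence locker", handler="analyst-2")
        intact_before = log.verify()
        # Someone alters the file outside the documented process; the log must now fail verification.
        with open(path, "ab") as f:
            f.write(b"tampered\n")
        intact_after = log.verify()
        return intact_before, intact_after


if __name__ == "__main__":
    print(demo())
```

Hashing a working copy and analysing that copy, while the original stays untouched in storage, is what keeps the "observe or use the copy for analysis" step from invalidating the evidence.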
Digital Forensics & Incident Response (DFIR)
Sample breach notifications in my weekly news feed.
24. Q: How did our systems get breached?
A: An attacker got ransomware onto our systems.
Q: How did the attacker get ransomware onto our systems?
A: They got onto one of the machines in our network.
Q: How did they get onto the machine?
A: General: Evil link in email, vulnerability, misconfiguration.
Q: What was the link? What was the vulnerability?
A: Specific: The actual link, CVE, IP address, port, software.
Breach reports need root cause
Ask the right questions.
28. Risk Management
Reduce risk of a data breach and potential damage.
Attack vectors: The different attacks available on your systems.
Attack surface: The amount of exposure available to attack.
Blast Radius: How much damage unauthorized access can cause.
Key to security
29. 1. Immutable software deliverables in Solar Winds deployments.
2. Identification of C2 network traffic by affected customers.
3. Least-privilege for credentials on infected systems.
4. Just-in-time and conditional access for high-risk actions.
What could have prevented the attack?
Security architecture
Security operations or analyst
Governance & Risk Management, IAM
Governance & Risk Management, IAM
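Both the attack chain on slide 19 ("Call home to C2") and item 2 above (customers identifying C2 traffic) hinge on the same observation: an implant that phones home on a timer produces outbound connections at nearly constant intervals, while human-driven traffic is bursty. As an added example that is not from the talk, the Python below parses a constructed outbound-connection log (the format and addresses are made up for the demo) and flags source/destination pairs whose inter-connection intervals have very low jitter.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connections, not real traffic.
# Format (assumed for this demo): "<ISO timestamp> <src ip> <dst ip>:<port>"
SAMPLE_FLOWS = """
2021-01-10T10:00:00 10.0.0.5 203.0.113.7:443
2021-01-10T10:00:04 10.0.0.5 198.51.100.20:443
2021-01-10T10:10:01 10.0.0.5 203.0.113.7:443
2021-01-10T10:12:30 10.0.0.5 198.51.100.20:443
2021-01-10T10:20:00 10.0.0.5 203.0.113.7:443
2021-01-10T10:30:02 10.0.0.5 203.0.113.7:443
2021-01-10T10:31:11 10.0.0.5 198.51.100.20:443
2021-01-10T10:39:59 10.0.0.5 203.0.113.7:443
2021-01-10T10:45:40 10.0.0.5 198.51.100.20:443
2021-01-10T10:48:02 10.0.0.5 198.51.100.20:443
2021-01-10T10:50:01 10.0.0.5 203.0.113.7:443
2021-01-10T11:00:00 10.0.0.5 203.0.113.7:443
"""


def parse_flows(text):
    """Turn the log text into (timestamp, src, dst) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst))
    return flows


def find_beacons(flows, min_connections=5, max_jitter=0.05):
    """Group connections by (src, dst) and flag pairs whose intervals are nearly constant.

    jitter = population stdev of intervals / mean interval. A timer-driven implant sits near 0;
    a person browsing the same site does not. min_connections keeps one-off visits out of the results.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        jitter = statistics.pstdev(intervals) / mean if mean else 0.0
        if jitter <= max_jitter:
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(times),
                "period_s": round(mean),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

In the constructed sample, the host contacts 203.0.113.7 every ten minutes with a few seconds of drift and is flagged, while its five irregular connections to 198.51.100.20 are not. Real implants add deliberate randomness to the interval, so in practice the jitter threshold is tuned against known-good traffic and combined with other signals (destination reputation, byte counts, time of day) rather than used alone.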
30. Security has a lot of rules and lists!
Where should you start?
How do attackers get in?
1. Abstract the details to core principles.
2. Prioritize fixing highest risk findings.
3. Avoid over-analysis.
4. Avoid repeat problems.
Getting a handle on complexity
What Causes Data Breaches?
32. The same set of principles can stop or limit damage for a myriad of attacks!
33. 20 cybersecurity questions
Key factors that drive data breaches.
Learn fundamental cybersecurity.
Study how attacks work.
Abstract common attack vectors.
Understand what stops them.
Reduce the chances you give attackers.
Create metrics that make a difference.
Automated reporting + Manual analysis.
34. 20 questions to ask your security team
How many CVEs? Developer security training? Network, data, app?
Percent of systems exposed to the Internet?
What are our security policies?
Data exposed to Internet?
Who generates most exceptions? Why?
Total attack paths on our network?
Security checks built into deployment systems?
Potential damage if credentials stolen?
Are we vetting our vendors? How?
Percentage of accounts with MFA?
Proof that our security solutions provide value?
Percentage data encrypted when stored?
Do we have an incident handling team or plan?
Percentage of network traffic encrypted?
What percent activities can be and are automated?
Findings from pentests and assessments?
What is the overall risk level? Getting better?
Can we restore from backups? Tested?
How is the threat landscape changing?
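Several of the questions above (percent of systems exposed to the Internet, percentage of accounts with MFA, percentage of data encrypted at rest, potential damage if credentials are stolen) are the attack-surface and blast-radius ideas from slide 28 turned into metrics, and slide 33's "automated reporting + manual analysis" implies they can be computed from inventory data. As an added example, not from the talk, the Python below does that over a small constructed inventory: the systems, accounts and stored-credential relationships are invented for the demo, and the blast radius follows credentials stored on each reachable system, since that is how an attacker who has one credential usually ends up with more.

```python
from collections import deque

# Constructed inventory for the demo; none of this describes a real environment.
SYSTEMS = {
    "web-1":  {"internet_exposed": True,  "encrypted_at_rest": True,  "open_ports": [443]},
    "web-2":  {"internet_exposed": True,  "encrypted_at_rest": False, "open_ports": [80, 443, 22]},
    "app-1":  {"internet_exposed": False, "encrypted_at_rest": True,  "open_ports": [8080]},
    "db-1":   {"internet_exposed": False, "encrypted_at_rest": True,  "open_ports": [5432]},
    "backup": {"internet_exposed": False, "encrypted_at_rest": False, "open_ports": [22]},
}

# Accounts, whether MFA is enforced, and which systems each can log in to.
ACCOUNTS = {
    "deploy-bot": {"mfa": False, "access": ["web-1", "web-2", "app-1"]},
    "dba":        {"mfa": True,  "access": ["db-1", "backup"]},
    "alice":      {"mfa": True,  "access": ["web-1"]},
    "bob":        {"mfa": False, "access": ["app-1"]},
}

# Credentials that live on a system (a config file, a key on disk, an instance role):
# whoever controls the system can reuse them. system -> accounts obtainable there.
STORED_CREDS = {
    "app-1": ["dba"],
    "web-2": ["deploy-bot"],
}


def attack_surface(systems):
    """Internet-exposed systems and how many listening ports they present."""
    exposed = {name: s["open_ports"] for name, s in systems.items() if s["internet_exposed"]}
    return {
        "exposed_systems": sorted(exposed),
        "exposed_ports": sum(len(ports) for ports in exposed.values()),
    }


def blast_radius(account, accounts, stored_creds):
    """Systems reachable if this credential is stolen, including hops through credentials stored on them."""
    reached, used, queue = set(), set(), deque([account])
    while queue:
        acct = queue.popleft()
        if acct in used:
            continue
        used.add(acct)
        for system in accounts[acct]["access"]:
            reached.add(system)
            queue.extend(stored_creds.get(system, []))
    return sorted(reached)


def coverage_metrics(systems, accounts):
    """The percentage-style answers from the 20 questions, rounded to whole percent."""
    def pct(n, d):
        return round(100 * n / d) if d else 0
    return {
        "pct_internet_exposed": pct(sum(s["internet_exposed"] for s in systems.values()), len(systems)),
        "pct_encrypted_at_rest": pct(sum(s["encrypted_at_rest"] for s in systems.values()), len(systems)),
        "pct_accounts_mfa": pct(sum(a["mfa"] for a in accounts.values()), len(accounts)),
    }


def report(systems=SYSTEMS, accounts=ACCOUNTS, stored_creds=STORED_CREDS):
    """One automated report; the analyst still decides what the numbers mean."""
    worst = max(accounts, key=lambda a: len(blast_radius(a, accounts, stored_creds)))
    return {
        **coverage_metrics(systems, accounts),
        **attack_surface(systems),
        "worst_credential": worst,
        "worst_blast_radius": blast_radius(worst, accounts, stored_creds),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The number that usually surprises people is the blast radius: in the constructed data `deploy-bot` has no MFA and, because `app-1` stores the `dba` credential, a stolen `deploy-bot` credential reaches every system in the inventory. That is the case for least privilege and for not leaving long-lived credentials on hosts, stated as a metric rather than a rule.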
36. U.S. average cost of a data breach
https://www.ibm.com/security/data-breach
37. Measure risk and reduce it
$2.30M
Cost difference for breaches with high vs. low level of compliance failures
- IBM Cost of a Data Breach
38. Automation
$2.90M
Average cost of a data breach at organizations with security AI and automation fully deployed.
- IBM Cost of a Data Breach
39. We still need humans for analysis.
Not all problems can be solved by automation.
Analysis
40. Executives
Developers
Marketing
Human resources
Salespeople
Interns!
Contractors
Third-party vendors
Everyone needs security awareness!
All it takes is one mistake…
41. People need to understand why rules exist.
Communication is critical.
Email and videos not that effective.
Iterative fixes.
Test before blocking.
Get executive support.
The organization still needs to function
https://www.sans.org/white-papers/36837
Without this, an exercise in futility
42. Non-exhaustive list of security jobs
Chief Information Security Officer (CISO)
Security Administrator
Risk Management & Governance / Privacy Officer
Security Operations Center (SOC) Analyst
Auditors and Assessors
Cryptography / Cryptology / Cryptanalyst
Blue Team (Defense)
Penetration Testers / Red Team (Offense)
Security Engineer (Application, Cloud, System, Network, Product, Hardware, Network)
Security Architect (Application, System, Cloud, Enterprise, Product, Hardware, Network)
Security Researcher / Malware Analyst
Security Sales, Marketing, Product Management
Digital Forensics & Incident Response (DFIR)
Security Consultant / Specialist
FBI Agent / Counter Espionage Agent / Cyber Spy
Cyber Intelligence Specialist
Information Security Analyst
Security Manager
43. Catch hackers in the act? (Security Analyst, SOC)
Help companies after a cyber attack? (DFIR, CERT)
Study malware & attacks? (Security Researcher)
Hack? (Pentester, Red Team, Bug Bounties, Criminals)
Design & build secure systems? (Architect, Engineer)
Policies and risk reduction? (Risk Management, Governance)
Validate orgs follow rules? (Assessor, Auditor)
Implement policies and work with executives? (CISO)
Enforce policies? (CEO, Board of Directors)
What do you want to do?
Security Pros do not enforce!
45. Obtain skills: Look at job descriptions.
On-the-job training: Find a company that will train you.
Certifications / Degrees: Get you past the HR department.
Establish trust: Security is all about trust.
Meet people: Get involved in the security community.
Get experience: Internships, personal projects, CTFs, volunteer.
Demonstrate knowledge: Writing, GitHub, speaking, videos (use sources!)
Continuous learning: Security is a moving target.
Be familiar with current events: Read, Twitter, my news blog!
How to get a job in cybersecurity