DIY Education in Cyber Security
Kelly Shortridge July 30, 2015
NYU Poly Women's Cyber Security Conference 2015 - DIY Education in Cyber Security (Industry Education)
Agenda
My goal is to help you figure out where and how to start your learning journey by answering:
- What careers are there?
- How do I learn more about the field?
- How do I meet people / network?
- How do I stay current on industry trends?

Who am I?
Hi, I'm Kelly Shortridge
- Currently doing exciting things on the business side of infosec
- Previously advised infosec companies on M&A and private capital raise deals
- No technical background
- Built a knowledge base and network within infosec from scratch

Career Paths

The "You Can't Sit With Us" Myth
InfoSec as a professional field can seem a bit opaque, insular and unapproachable. In reality, it's a blossoming field offering exciting opportunities for a variety of skill sets and interests... and not just full of cliques of "mean nerds".

InfoSec = Opportunity
Diverse potential paths to follow within infosec:
- Application Security
- Compliance & Policy
- Data Forensics & Incident Response
- Network Security Engineer / Ops & Monitoring
- Penetration Testing
- Security Architecture
- Security Solution Development
- Vulnerability Research & Reverse Engineering

InfoSec = Flexibility
Roles often overlap and have fuzzy boundaries:
- Cover different aspects of the lifecycle of security operations
Some areas of study are broadly applicable:
- Data Science
- Math
- Network & System Architecture
- Software Development

Current Hotness

Skill Sets – Example #1
Network Security Engineer / Ops & Monitoring
- Understand network design & architecture
- Familiarity with security tech: IDS/IPS, SIEM, firewalls, vulnerability detection & remediation
- Develop custom tooling for security monitoring
- Some knowledge of machine learning is a plus

Skill Sets – Example #2
Vulnerability Research & Reverse Engineering
- Analyze malicious code, shellcode, packed & obfuscated code
- Identify attacker methodology
- Strong math abilities, particularly graph theory
- Familiarity with IDA Pro and user & kernel-mode debuggers
- Languages: Assembly (x86 & x64), C/C++, Python

Skill Sets – Example #3
Application Security
- Audit applications for vulnerabilities (XSS, SQLi, logic flaws, etc.)
- Understanding of application architecture
- Help development teams implement an SDL
- Build tooling to improve testing & auditing
- Languages: Java, PHP, C/C++, Python, Ruby

Potential Employers
Major hubs include SF, NYC & DC; each city has its own "flavor" driven by its employer base.
- Government: Defense Contractors & Gov't Agencies
- Private: Tech, Finance, Media, eCommerce, etc.
- Vendors: Security Vendors & Consultancies

Broader Applicability
Security can serve as a differentiator in non-security roles:
- Anyone in the development process (design, UX, etc.) should have the ability to consider the security implications of their decisions
- PR, legal and finance personnel should understand their organization's security risk profile

Find Your Purpose
Intersection of what you love doing, what you're good at doing, what is paid for and what the market needs.
- The talent shortage in, and known need for, infosec means you can focus on what you love and where you excel

Learning More

Where to Start?
Regardless of whether you're a complete beginner, switching fields or have already successfully entered the field, there's plenty of knowledge and skills to gain.

Formal Education
Academia
Certifications
- Helpful if there is no other means of vetting abilities

Online Education
There are now tons of online resources available for learning languages, development and data science.
- Some free, some paid (often you get a certificate)
- Consistency is key; set a daily goal for practicing

Old-School Resources
If you prefer the more traditional book approach, try:
- The Art of Software Security Assessment
- Hacking: The Art of Exploitation
- The Shellcoder's Handbook
- Android Hacker's Handbook
- iOS Hacker's Handbook

CTFs & Other Games
These allow you to improve & show off your skills.
- CTFs: DEFCON CTF, CSAW CTF, Ghost in the Shellcode, MITRE STEM CTF, NECCDC, picoCTF
- Wargames: Hack This Site, OverTheWire, Smash the Stack
- Reference list: http://captf.com/practice-ctf/

Conferences
Cons are often how people stay in touch.
- Check out talks, or find them online
- Social events: great for networking
- Parties requiring challenges (Caesar's Challenge at Black Hat/DEFCON)

Meetups & Local Events
- Meetup.com is a great aggregator of different meetups in your locale
- Code as Craft: engineering talks sponsored by Etsy here in NYC
Find local events to explore different areas of interest, learn or practice skills and meet new people.

Trainings
- Practical education with a focus on specific professional roles in infosec
Training sessions can quickly bring you up the learning curve, but typically are expensive ($2,000 - $5,000).
- Conferences aggregate trainings from a variety of companies, though additional trainings are generally held year round as well

Academic Papers
Explore emerging areas of research:
- arXiv
- IEEE
- Microsoft – Security & Privacy Research
- Reddit.com/r/NetSec
- USENIX
Make note of particular topics you find interesting and don't be shy in contacting the authors directly.

Networking

Step 1: Trust
InfoSec is a trust-based industry. Don't violate trust, and be wary of those who do.

Networking Strategy
Get as many "at bats" as possible.
- Meet many people across various areas of expertise, employers & career stages
- Not everyone will respond, so you need to maximize your hit rate by reaching out to more people
- Expand your network by asking new contacts (politely) if they know anyone you should meet

Awkwardness is a Part of Life

#hatersgonnahate
Don't let anyone convince you that you won't be successful or don't belong in the industry.
- People like passion and want to support "winners"
- Persistence is key (true of most things)
- Define your own measure of success

Contact Maintenance
Regularly follow up, but be mindful of people's time.
- People generally like getting a "free" coffee
Even starting out, consider how you can be helpful.
- Try to maintain a 50/50 ask-to-give ratio
- Keep an eye out for potential hires, introductions / connections or research they'd find interesting

Keeping Up to Date

Socializing
Staying in touch and meeting new people helps enormously in knowing the "latest".
- Not all research / projects are discussed online
- Gossip and chatter can also inform you of career opportunities or new, interesting companies
- Fills in gaps in news you might have missed

Mainstream News is Not Ideal
Mostly a lot of this:

Suggested News Sources
- Twitter: where the industry "chatter" happens
- CyberWire: aggregates InfoSec news daily
- Individual websites:

Short InfoSec Twitter List
- @0xcharlie
- @4Dgifts
- @alexstamos
- @aloria
- @bcrypt
- @c7zero
- @cBekrar
- @chrisrohlf
- @collinrm
- @crypt0ad
- @dinodaizovi
- @djrbliss
- @drraid
- @esizkur
- @halvarflake
- @haroonmeer
- @j4istal
- @justineboneait
- @k8em0
- @mattblaze
- @matthew_d_green
- @mdowd
- @msuiche
- @nils
- @nudehaberdasher
- @pencilsareneat
- @quine
- @runasand
- @s7ephen
- @semibogan
- @_snagg
- @snare
- @SwiftOnSecurity
- @thegrugq
- @WeldPond
- @window

Conclusions

You Do You
- Consistently build your personal portfolio of skills, experience and industry connections
- The field is rich with options, so you'll likely find a role you enjoy and in which you excel
- On the infosec industry treadmill, remember that it's a marathon, not a sprint

A Closing Quote
"Work as hard and as much as you want to on the things you like to do the best. Don't think about what you want to be, but what you want to do." – Richard P. Feynman