1. DIY Education in Cyber Security
Kelly Shortridge July 30, 2015

2. Agenda
My goal is to help you figure out where and how to
start your learning journey by answering:
 What careers are there?
 How do I learn more about the field?
 How do I meet people / network?
 How do I stay current on industry trends?
2

3. Who am I?
Hi, I’m Kelly Shortridge
 Currently doing exciting things on the business side
of infosec
 Previously advised infosec companies on M&A and
private capital raise deals
 No technical background
 Built a knowledge base and network within infosec
from scratch
3

4. Career Paths

5. 5
The “You Can’t Sit With Us” Myth
InfoSec as a professional field can seem a bit opaque,
insular and unapproachable.
In reality, it’s a blossoming field offering exciting
opportunities for a variety of skill sets and
interests…and not just full of cliques of “mean nerds”

6. 6
InfoSec = Opportunity
Diverse potential paths to follow within infosec:
 Application Security
 Compliance & Policy
 Data Forensics & Incident Response
 Network Security Engineer / Ops & Monitoring
 Penetration Testing
 Security Architecture
 Security Solution Development
 Vulnerability Research & Reverse Engineering

7. 7
InfoSec = Flexibility
Roles often overlap and have fuzzy boundaries
 Cover different aspects of the lifecycle of security
operations
Some areas of study are broadly applicable
 Data Science
 Math
 Network & System Architecture
 Software Development

8. 8
Current Hotness

9. 9
Skill Sets – Example #1
Network Security Engineer / Ops & Monitoring
 Understand network design & architecture
 Familiarity with security tech – IDS/IPS, SIEM,
firewalls, vulnerability detection & remediation
 Develop custom tooling for security monitoring
 Some knowledge on machine learning is a plus

10. 10
Skill Sets – Example #2
Vulnerability Research & Reverse Engineering
 Analyze malicious code, shellcode, packed &
obfuscated code
 Identify attacker methodology
 Strong math abilities, particularly graph theory
 Familiarity with IDA Pro and user & kernel-mode
debuggers
 Languages: Assembly (x86 & x64), C/C++, Python

11. 11
Skill Sets – Example #2
Application Security
 Audit applications for vulnerabilities (XSS, SQLI, logic
flaws, etc.)
 Understanding of application architecture
 Help development teams implement SDL
 Build tooling to improve testing & auditing
 Languages: Java, PHP, C / C++, Python, Ruby

12. 12
Potential Employers
Major hubs include SF, NYC & DC – each city has its
own “flavor” driven by employer base
Government Private Vendors
Defense Contractors &
Gov’t Agencies
Tech, Finance, Media,
eCommerce, etc.
Security Vendors &
Consultancies

13. 13
Broader Applicability
Security can serve as a differentiator in non-sec roles
 Anyone in the development process (design, UX,
etc.) should have the ability to consider security
implications of their decisions
 PR, legal and finance personnel should understand
their organization’s security risk profile

14. 14
Find Your Purpose
Intersection of what you love doing, what you’re good
at doing, what is paid for and what the market needs
 Talent shortage in + known need for infosec means
you can focus on what you love + where you excel

15. Learning More

16. 16
Where to Start?
Regardless of whether you’re a complete beginner,
switching fields or already successfully entered the
field, there’s plenty of knowledge and skills to gain.

17. 17
Formal Education
Academia
Certifications
 Helpful if no other means of vetting abilities

18. 18
Online Education
There are now tons of online resources available for
learning languages, development and data science
 Some free, some paid (often you get a certificate)
 Consistency is key; set a daily goal for practicing

19. 19
Old-School Resources
If you prefer the more traditional book approach, try:
 The Art of Software Security Assessment
 Hacking: The Art of Exploitation
 The Shellcoder's Handbook
 Android Hacker's Handbook
 iOS Hacker's Handbook

20. 20
CTFs & Other Games
Allows you to improve & show off your skills
 CTFs: DEFCON CTF, CSAW CTF, Ghost in the
Shellcode, MITRE STEM CTF, NECCDC, picoCTF
 Wargames: Hack this Site, Over the Wire, Smash the
Stack
 Reference list: http://captf.com/practice-ctf/

21. 21
Conferences
Cons are often how people stay in touch
 Check out talks, or find them online
 Social events – great for networking
 Parties requiring challenges (Caesar’s Challenge at
Blackhat/DEFCON)

22. 22
Meetups & Local Events
 Meetup.com is a great aggregator of
different meetups in your locale
 Code as Craft: Engineering talks
sponsored by Etsy here in NYC
Find local events to explore different areas of interest,
learn or practice skills and meet new people

23. 23
Trainings
 Practical education with focus on
specific professional roles in infosec
Training sessions can quickly bring you up the learning
curve, but typically are expensive ($2,000 - $5,000)
 Conferences aggregate trainings
from a variety of companies, though
additional trainings are generally held
year round as well

24. 24
Academic Papers
Explore emerging areas of research
 arXiv
 IEEE
 Microsoft – Security & Privacy Research
 Reddit.com/r/NetSec
 USENIX
Make note of particular topics you find interesting and
don’t be shy in contacting the authors directly

25. Networking

26. 26
Step 1: Trust
InfoSec is a trust-based industry.
Don’t violate trust and be wary of those who do.

27. 27
Networking Strategy
Get as many “at bats” as possible
 Meet many people across various areas of
expertise, employers & career stages
 Not everyone will respond, so need to maximize
your hit rate by reaching out to more people
 Expand your network by asking new contacts
(politely) if they know anyone you should meet

28. Awkwardness is a Part of Life
28

29. 29
#hatersgonnahate
Don’t let anyone convince you that you won’t be
successful or don’t belong in the industry
 People like passion and
want to support “winners”
 Persistence is key (true of
most things)
 Define your own measure
of success

30. 30
Contact Maintenance
Regularly follow-up, but be mindful of people’s time
 People generally like getting a “free” coffee
Even starting out, consider how you can be helpful
 Try to maintain a 50/50 ask to give ratio
 Keep an eye out for potential hires, introductions /
connections or research they’d find interesting

31. Keeping Up to Date

32. 32
Socializing
Staying in touch and meeting new people helps
enormously in knowing the “latest”
 Not all research / projects are discussed online
 Gossip and chatter can also inform you of career
opportunities or new, interesting companies
 Fills in gaps in news you might have missed

33. 33
Mainstream News is Not Ideal
Mostly a lot of this:

34. 34
Suggested News Sources
 Twitter – where the industry “chatter” happens
 CyberWire – aggregates InfoSec news daily
 Individual websites:

35. 35
Short InfoSec Twitter List
 @0xcharlie
 @4Dgifts
 @alexstamos
 @aloria
 @bcrypt
 @c7zero
 @cBekrar
 @chrisrohlf
 @collinrm
 @crypt0ad
 @dinodaizovi
 @djrbliss
 @drraid
 @esizkur
 @halvarflake
 @haroonmeer
 @j4istal
 @justineboneait
 @k8em0
 @mattblaze
 @matthew_d_green
 @mdowd
 @msuiche
 @nils
 @nudehaberdasher
 @pencilsareneat
 @quine
 @runasand
 @s7ephen
 @semibogan
 @_snagg
 @snare
 @SwiftOnSecurity
 @thegrugq
 @WeldPond
 @window

36. Conclusions

37. 37
You Do You
 Consistently build your personal portfolio of
skills, experience and industry connections
 The field is rich with options, so you’ll likely
find a role you enjoy and in which you excel
 On the infosec industry treadmill, remember
that it’s a marathon, not a sprint

38. 38
A Closing Quote
“Work as hard and as much as you want to on
the things you like to do the best.
Don't think about what you want to be, but what
you want to do.”
– Richard P. Feynman