DIY Education in Cyber Security
1. DIY Education in Cyber Security. Kelly Shortridge, July 30, 2015
2. Agenda. My goal is to help you figure out where and how to start your learning journey by answering:
   - What careers are there?
   - How do I learn more about the field?
   - How do I meet people / network?
   - How do I stay current on industry trends?
3. Who am I? Hi, I’m Kelly Shortridge
   - Currently doing exciting things on the business side of infosec
   - Previously advised infosec companies on M&A and private capital raise deals
   - No technical background
   - Built a knowledge base and network within infosec from scratch
4. Career Paths
5. The “You Can’t Sit With Us” Myth. InfoSec as a professional field can seem a bit opaque, insular and unapproachable. In reality, it’s a blossoming field offering exciting opportunities for a variety of skill sets and interests… and not just full of cliques of “mean nerds”
6. InfoSec = Opportunity. Diverse potential paths to follow within infosec:
   - Application Security
   - Compliance & Policy
   - Data Forensics & Incident Response
   - Network Security Engineer / Ops & Monitoring
   - Penetration Testing
   - Security Architecture
   - Security Solution Development
   - Vulnerability Research & Reverse Engineering
7. InfoSec = Flexibility. Roles often overlap and have fuzzy boundaries
   - Cover different aspects of the lifecycle of security operations
   Some areas of study are broadly applicable:
   - Data Science
   - Math
   - Network & System Architecture
   - Software Development
8. Current Hotness
9. Skill Sets – Example #1: Network Security Engineer / Ops & Monitoring
   - Understand network design & architecture
   - Familiarity with security tech – IDS/IPS, SIEM, firewalls, vulnerability detection & remediation
   - Develop custom tooling for security monitoring
   - Some knowledge of machine learning is a plus
10. Skill Sets – Example #2: Vulnerability Research & Reverse Engineering
   - Analyze malicious code, shellcode, packed & obfuscated code
   - Identify attacker methodology
   - Strong math abilities, particularly graph theory
   - Familiarity with IDA Pro and user- & kernel-mode debuggers
   - Languages: Assembly (x86 & x64), C/C++, Python
11. Skill Sets – Example #3: Application Security
   - Audit applications for vulnerabilities (XSS, SQLi, logic flaws, etc.)
   - Understanding of application architecture
   - Help development teams implement SDL
   - Build tooling to improve testing & auditing
   - Languages: Java, PHP, C/C++, Python, Ruby
12. Potential Employers. Major hubs include SF, NYC & DC – each city has its own “flavor” driven by employer base
   - Government: Defense Contractors & Gov’t Agencies
   - Private: Tech, Finance, Media, eCommerce, etc.
   - Vendors: Security Vendors & Consultancies
13. Broader Applicability. Security can serve as a differentiator in non-sec roles
   - Anyone in the development process (design, UX, etc.) should have the ability to consider the security implications of their decisions
   - PR, legal and finance personnel should understand their organization’s security risk profile
14. Find Your Purpose. Intersection of what you love doing, what you’re good at doing, what is paid for and what the market needs
   - Talent shortage in + known need for infosec means you can focus on what you love + where you excel
15. Learning More
16. Where to Start? Regardless of whether you’re a complete beginner, switching fields or have already successfully entered the field, there’s plenty of knowledge and skills to gain.
17. Formal Education
   - Academia
   - Certifications: helpful if there is no other means of vetting abilities
18. Online Education. There are now tons of online resources available for learning languages, development and data science
   - Some free, some paid (often you get a certificate)
   - Consistency is key; set a daily goal for practicing
19. Old-School Resources. If you prefer the more traditional book approach, try:
   - The Art of Software Security Assessment
   - Hacking: The Art of Exploitation
   - The Shellcoder’s Handbook
   - Android Hacker’s Handbook
   - iOS Hacker’s Handbook
20. CTFs & Other Games. Allow you to improve & show off your skills
   - CTFs: DEFCON CTF, CSAW CTF, Ghost in the Shellcode, MITRE STEM CTF, NECCDC, picoCTF
   - Wargames: Hack This Site, OverTheWire, Smash the Stack
   - Reference list: http://captf.com/practice-ctf/
21. Conferences. Cons are often how people stay in touch
   - Check out talks, or find them online
   - Social events – great for networking
   - Parties requiring challenges (Caesar’s Challenge at Black Hat/DEFCON)
22. Meetups & Local Events. Find local events to explore different areas of interest, learn or practice skills and meet new people
   - Meetup.com is a great aggregator of different meetups in your locale
   - Code as Craft: engineering talks sponsored by Etsy here in NYC
23. Trainings. Training sessions can quickly bring you up the learning curve, but typically are expensive ($2,000 - $5,000)
   - Practical education with a focus on specific professional roles in infosec
   - Conferences aggregate trainings from a variety of companies, though additional trainings are generally held year-round as well
24. Academic Papers. Explore emerging areas of research
   - arXiv
   - IEEE
   - Microsoft – Security & Privacy Research
   - Reddit.com/r/NetSec
   - USENIX
   Make note of particular topics you find interesting and don’t be shy in contacting the authors directly
25. Networking
26. Step 1: Trust. InfoSec is a trust-based industry. Don’t violate trust and be wary of those who do.
27. Networking Strategy. Get as many “at bats” as possible
   - Meet many people across various areas of expertise, employers & career stages
   - Not everyone will respond, so you need to maximize your hit rate by reaching out to more people
   - Expand your network by asking new contacts (politely) if they know anyone you should meet
28. Awkwardness is a Part of Life
29. #hatersgonnahate. Don’t let anyone convince you that you won’t be successful or don’t belong in the industry
   - People like passion and want to support “winners”
   - Persistence is key (true of most things)
   - Define your own measure of success
30. Contact Maintenance. Regularly follow up, but be mindful of people’s time
   - People generally like getting a “free” coffee
   Even starting out, consider how you can be helpful
   - Try to maintain a 50/50 ask-to-give ratio
   - Keep an eye out for potential hires, introductions / connections or research they’d find interesting
31. Keeping Up to Date
32. Socializing. Staying in touch and meeting new people helps enormously in knowing the “latest”
   - Not all research / projects are discussed online
   - Gossip and chatter can also inform you of career opportunities or new, interesting companies
   - Fills in gaps in news you might have missed
33. Mainstream News is Not Ideal. Mostly a lot of this:
34. Suggested News Sources
   - Twitter – where the industry “chatter” happens
   - CyberWire – aggregates InfoSec news daily
   - Individual websites:
35. Short InfoSec Twitter List: @0xcharlie, @4Dgifts, @alexstamos, @aloria, @bcrypt, @c7zero, @cBekrar, @chrisrohlf, @collinrm, @crypt0ad, @dinodaizovi, @djrbliss, @drraid, @esizkur, @halvarflake, @haroonmeer, @j4istal, @justineboneait, @k8em0, @mattblaze, @matthew_d_green, @mdowd, @msuiche, @nils, @nudehaberdasher, @pencilsareneat, @quine, @runasand, @s7ephen, @semibogan, @_snagg, @snare, @SwiftOnSecurity, @thegrugq, @WeldPond, @window
36. Conclusions
37. You Do You
   - Consistently build your personal portfolio of skills, experience and industry connections
   - The field is rich with options, so you’ll likely find a role you enjoy and in which you excel
   - On the infosec industry treadmill, remember that it’s a marathon, not a sprint
38. A Closing Quote. “Work as hard and as much as you want to on the things you like to do the best. Don’t think about what you want to be, but what you want to do.” – Richard P. Feynman