
Breaking Into Security

I presented this talk to Leeds Beckett University Students on how to break into the security field in 2016.

Published in: Internet

Breaking Into Security

  1. Breaking Into Security @LewisArdern
  2. Whoami – Lewis Ardern • Leeds “Met” Beckett Graduate • Ph.D. Student • Founder of Leeds EHS • Consultant/Researcher • Impersonator
  3. • Providing software security services since 1992 • World’s premier software security consulting firm • 450+ professional consultants • Washington DC, New York, Santa Clara, Bloomington, Boston, Chicago, Atlanta, India, and London • Recognized experts in software security • Widely published in books, white papers, and articles • Industry thought leaders
  4. Agenda • Why? • Quotes From Professionals / My ‘Day Job’ • The InfoSec Career • State of the market • An ideal candidate? • Ways To Learn The Required Skills • Online Presence • Be Part Of The Community • Internships/Placements • Certificates • Q/A
  5. So you want to get into InfoSec?
  6. Why?
  7. Why? • Fed up with your job? • Uncertain you'll find a job when you finish University? • Is it the travel and lifestyle? • Learning new things? • The rush of breaking into a “secure” environment? • Wanting to learn how something works?
  8. You’re halfway there! • Coming to this is an awesome start. • You can learn so much from your peers. • Let’s step into the minds of some professionals…
  9. Quotes: Kosta “Personally, watching Hackers and reading the book did it for me. The whole point is finding a purpose, calling and in many cases something to do. I remember sitting in IRC and helping out people with hackery type questions and learned that way. No one gave you the answer, so you had to do your own research. This was before Google existed, of course.”
  10. Quotes: Dr. Grigorios Fragkos “I always wanted to know how things worked. I saw WarGames (1983) when I was about 10yo, and it was fascinating. It was magical to know how to speak the computer's language. The scene where the computer lost the game of tic-tac-toe by realizing it is a draw always blew my mind. I actually sat down for days working out the perfect sequence of moves (I did not know it was called an algorithm back then) so I would always win against my friends and especially older people (if not a draw). So, that one scene changed everything for me; that realization of thinking outside the box is awesome!”
  11. Quotes: Christos Tsopokis “One part of it is: the inherent presence of an “enemy” always there to react so as to displace your actions. Hence, there is no standard prescribed way to succeed but only to be one step ahead and able to predict.”
  12. Quotes: Grant Douglas “I loved problem solving. I loved IT, and I loved hacking around with things (code, OSes, websites, etc.). It mainly started through curiosity, jailbreaking iPhones and modifying applications.”
  13. Can we see a trend? • Is this mentality ingrained? • Films • The ability to learn how things work • Stopping the bad guys, by being the bad guys.
  14. Personally • Fascinated by Hackers, Sneakers, WarGames. • Got into computer gaming quite early. • Always wanted to learn how things work. • My true hacking enthusiasm began at University.
  15. What I do
  16. What I do • Application Security
  17. What I do • Application Security • Code Review
  18. What I do • Application Security • Code Review • Network Security
  19. What I do • Application Security • Code Review • Network Security • Red Teaming
  20. What I do • Application Security • Code Review • Network Security • Red Teaming • Threat Modelling
  21. What I do • Application Security • Code Review • Network Security • Red Teaming • Threat Modelling • CI/CD: building security into existing build, delivery and deployment pipelines; creating a culture of security that does not inhibit the existing pipeline but supports it; shifting the security mindset to risk management (don’t stop the process).
  22. What I do • Application Security • Code Review • Network Security • Red Teaming • Threat Modelling • CI/CD • Research/Training
  23. The InfoSec Career
  24. Hard truths • It’s nothing like the films. • Information security is hard. • Expect to work long hours (at the beginning). • Expect to travel. • You’ll have to step out of your comfort zone. • You will need to leave the lab eventually. • Expect to get thrown in at the deep end.
  25. Things I’ve experienced (University) • It sometimes feels like the films • It takes a lot of work to get into InfoSec • Leaving the comfort zone • Travel • Leaving the lab
  26. Things I’ve experienced (Work) • It sometimes feels like the films • Leaving the comfort zone • Travel • Leaving the lab
  27. Overall, my 2 cents • Hacking is fun! • Money is an incentive, but not everything. • This industry has much to give. • Ability to work with some very intelligent people. • You will learn more in your first few months than in your degree. (Sorry Cliffe/Emlyn)
  28. State of the market
  29. TL;DR
  30. The state of the market • The truth is that in the current market there just aren't enough security specialists out there to meet demand • High paying • We are seeing a drop in skills to meet this demand • That’s a good incentive, right?
  31. What roles are there?
  32. • Software Security • Network Security • Reverse Engineering • Researcher Roles • Auditor • Sysadmin/DevOps • Developer • Red/Blue/Purple Teaming
  33. LEVELLING UP • Becoming an expert in every field is practically implausible • I chose the Software Security track because: • Code • Applications • Research • Play to your strengths
  34. Time • You have a lot of time to figure this out • You should try different roles • Leave your comfort zone
  35. Ways To Learn The Required Skills
  36. Learning • People learn in different ways • Need more than an hour to document the amount of good material available • Reading/Listening (Theory) • Practical (Hands-On)
  37. Reading • Pick a topic that interests you • Digest the information • Find a practical experiment from the reading
  38. Reading Resources • Web Application Hacker’s Handbook • Red Team Field Manual • Art Of Exploitation • Mobile Hacker’s Handbook • Black Hat Python • OWASP • + More • Security Engineering • Software Security • Hacker Playbook 2 • PenTesting • Gray Hat Hacking • Hacking Exposed (Series) • Programming Books (GitHub) • Networking Basics (Free) • Hack Your Career
  39. Humble Bundle!
  40. Podcasts / Learning Resources • Silver Bullet • Paul Dot Com • Hak 5 (Metasploit Minute) • Tenable • OWASP
  41. Practical • Only attack systems you have permission to test • Take time to understand how the tools work • Ask questions • Once you’ve done something, document it
  42. Practical – CTFs!
  43. Practical – Hackathons (Dev)!
  44. Practical Resources • Pentester Lab • Practice URLs • VulnHub • Metasploitable2 • DVWA • DVAA • DVIA • CTFs • root-me • juiceshop • The resources are there, use them!
  45. Practical – Bug Bounties! Read the terms and conditions.
  46. Certificates
  47. My recommendation to you
  48. What would make you a great candidate?
  49. What would make you a great candidate? • Fundamentals • Networking • Operating Systems • Software • Cryptography • Access Controls • Basic concepts • Authentication vs Authorization • Bugs vs Flaws • How to protect against SQLi and buffer overflows • 1 programming language • The thirst to learn more
  50. Be part of the Community
  51. Be part of the Community
  52. Conferences
  53. Conferences • Great way to get involved • Meet like-minded people • See interesting talks • Free “SWAG” • Generally free entrance + (Food/Booze) • Consider volunteering • You should stay for the after parties
  54. Conferences? • BSides London • BSides Manchester • Securi-Tay • Steelcon • 44CON
  55. Submit a talk! • Public speaking is a required skill as a consultant • Pick a topic you find interesting • Set a deadline you find achievable • Talks are generally an hour
  56. Rookie Track! • Don’t feel up to the main track? • Don’t worry, neither are the people who speak on them. • The rookie track(s) are a great way to get noticed • The talks are a lot less formal • Smaller rooms • Less pressure • 15-20 minutes
  57. Lightning Talks • Still not feeling the main track? • Pick a topic, a subject you’ve been studying. • Lightning talks are short presentations. • Typically 5 minutes long. • Some discussions after the lightning talk have gone over the general hour.
  58. Meet-ups
  59. Meet-ups • Leeds EHS! • Leeds Computing Society • OWASP • Hack Spaces • Programming • Leeds Sharp • Agile Yorkshire • DC4420 – Defcon (London)
  60. Online Presence
  61. Online Presence • Most “Nerds” are very active online • It’s a good way to get noticed • Find news fast
  62. Twitter • Create a Twitter account • Best way to talk to InfoSec professionals • Follow who they follow • Some advice… don’t be a dick • + Proofread your tweets • Lists! • https://twitter.com/pacohope/lists
  63. LinkedIn • Unfortunately widely used. • Essentially a “professional” Facebook • Good for networking • Recruiters galore • It can help you get a job • “That’s how I got my job man, I HATE IT” – Ritesh 2015
  64. Blog • A blog can be about all things, not just InfoSec. • It’s a good way to express yourself • It can be used as a reference for your work • If you’re like me, collaborate with others
  65. GitHub • Open source your code • Collaborate with your peers • Improve open-source projects • Find flaws • https://education.github.com/
  66. Internships/Placements
  67. Internships/Placements • There are quite a lot of opportunities all over the UK • Apply early • Use social media • Look online! • https://www.reddit.com/r/netsec/comments/4qtz67/rnetsecs_q3_2016_information_security_hiring/
  68. Companies • Cigital • MWR • Portcullis (Cisco) • BT • Sec-1 • NCC • RandomStorm (NCC) • PenTest • Mandalorian • Encription (BlackBerry) • +More
  69. We are hiring! • Full time positions • Placement students • Internships
  70. Want to learn more? • http://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/ • https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/
  71. Questions? lardern@Cigital.com
  72. Come join me at the bar for drinks.
