Jeff McJunkin discusses various information security specializations including penetration testing, forensics, incident response, systems administration, audit, management, and legal. He provides an overview of the skills needed for each specialization and next steps one can take to develop those skills and become employable in that field. Some key specializations he highlights are penetration testing, computer forensics, and intrusion analysis which often involve consulting work. He emphasizes getting hands-on experience through challenges, labs, and internships to develop skills for these careers.

1. Negative Unemployment and Great
Job Satisfaction?
Why Infosec is AWESOME
Jeff McJunkin (GSEC, GPEN, GCED, GCIH, GCFA, GMOB, CCNA, CISSP)
Senior Technical Staff
Counter Hack Challenges
jeffmcjunkin.com

2. Obligatory “About Me” slide
●
Graduated SOU in 2011
–
●
Computer Security / Information Assurance, emphasis in
digital forensics
City of Central Point from 2008-2013
–
Systems / Network Administrator
●
AppSec Consulting from April 2013 – January 2014
●
About to start working for Counter Hack Challenges
–
I start the 27th!
–
I'm telecommuting, again

3. Wait, what?
Yes, I've changed employers since my last talk in
April.
Read more at
https://www.counterhackchallenges.com/
In short, I'll be designing hands-on challenges for
teaching infosec (NetWars, US Cyber Challenge,
Cyber Aces Online)

4. My new boss
●
Ed Skoudis
–
Author of Counter Hack and Counter Hack Reloaded
–
Speaker
–
Expert witness
–
SANS Fellow-level Instructor
●
●
Author of SEC 560: Network Penetration Testing and Ethical
Hacking
Author of SEC 504: Hacker Techniques, Exploits, and
Incident Handling

5. Outline of last talk
●
Gain skills
●
Use those skills
●
Talk to people

6. Goals of today's talk
●
See what infosec specializations exist
●
How to find which interest you
●
Next steps to becoming employable

7. How to enter and advance into
infosec
1) Find what's interesting to you by “tasting” multiple
specializations
2) Pick one, develop the skills further (resources and
challenges exist online)
3) Have an online presence
4) If it's still interesting, find paid employment
5) Over time, specialize further and consider consulting

8. An aside on infosec...
●
I'm not saying infosec is for everyone
●
I'm biased, though, so if you...
–
–
Spend spare time playing with new software
–
●
Enjoy daily and weekly challenges
Communicate well, both verbally and in writing
...then infosec could be for you!

9. An aside on SOU...
●
SOU is a liberal arts college
–
●
NOT a job-specific technical school
Job-specific skills are for you to obtain
–
...which is what this talk is about!
If you float through college, your
employability in infosec approaches 0%

10. D&D analogies, anyone?
●
NPC classes (“student”, “help desk”, “junior X”)
–
●
Starting classes (“sysadmin”, “web developer”)
–
●
Fighter, Rogue, Mage, etc.
Prestige classes (“exploit developer”, “malware
analyst”, “SCADA forensics expert”)
–
●
Nobody wants to hire a 12th-level Aristocrat
Heavy prerequisites, equally strong returns
World of Warcraft works, too

11. Having a public presence
●
GitHub matters
–
●
Learn enough Python to solve real problems, post
those scripts online
Your own website (often a blog)
–
–
●
Share your learning experiences
Since you're in infosec, have a GPG key and share
it publicly
Look at my previous presentation for more

12. Seeing what skills people want
●
Troll job advertisements
–
–
Monster.com, CareerBuilder, etc. are common
–
●
Not nearly all jobs are advertised, but if you see the
same emphasis enough times, consider it
www.reddit.com/r/netsec “Hiring Thread” of the
quarter is my favorite
Cold emails to people in the field
–
Remarkably effective. People like free coffee!

13. Employee vs Consultant
●
Employees have more stability
●
Consultants have more flexibility
–
●
Often more income, though less consistent
My suggestion –
–
Get your training as an employee
–
Build ~6 months emergency fund
–
If you're confident, consider jumping ship (the grass is
greener, by the way)

14. Employee vs Consultant
General rule – the more specialized, the larger
an organization it takes to have that role
internally

15. Specializations
●
Penetration Testing (usually consulting)
–
Web (“Web Security Analyst”)
●
●
–
Programmers can do “white box” code review and
pentesting
Else “black box testing”, web app pen tests
Network (“Penetration Tester”)
●
Network Penetration Tester (consulting)

16. Next steps for penetration testing
●
Look at my previous presentation (email me at
jeff.mcjunkin@gmail.com or look on my
website)

17. An aside on web app pentesting
●
If you:
–
–
Are able to move to a metropolitan area
–
●
Have web application development experience
Have great communication skills
You're 3-6 months away from being ludicrously
hire-able
Seriously, there's a huge need right now.

18. Specializations
●
Forensics (usually consulting)
–
Civil (“Computer Forensics Analyst”)
●
–
Criminal (“Computer Crime Investigator”)
●
–
Big shops have internal teams, otherwise consultants
Usually requires law enforcement background
Further specializations:
●
●
●
Network forensics
Specialized software (e.g., SCADA) forensics
Mobile forensics

19. Next steps for forensics
●
Systems administration helps
–
–
●
●
Get to know what features exist, and what artifacts they leave behind
Start developing the forensic mindset
If criminal forensics is interesting, see if you can talk with the
Southern Oregon High Tech Crimes Task Force
Run through some challenges
–
https://www.dc3.mil/challenge/
–
http://www.honeynet.org/challenges
–
http://pen-testing.sans.org
●
Search for “Holiday Challenges” - created by Counter Hack!

20. Specializations
●
Incident Response
–
Overall (“Intrusion Analyst”)
●
–
Even mix
Malware Specialization (“Malware Analyst”)
●
Usually consulting

21. Next steps for incident response
●
IR is a mix between sysadmin and forensics
–
Knowing the attacker mindset is useful as well
–
Develop an ability to quickly understand how a new
network works
●
●
Chatting with many sys/network administrators helps
here
The additional challenge of doing forensics on an entirely
new network is considerable

22. Specializations
●
Systems Administration (usually internal,
“Systems / Network Administrator”)
–
–
●
IT Security
I'm totally biased, but this is a great place to start
for just about any specialization
Audit (usually consulting, “Security Auditor”)
–
Many specializations
–
PCI is huge!

23. Next steps for systems
administration
●
Build a home lab (sound familiar?)
–
●
MSDN:AA
–
●
Www.reddit.com/r/homelab
Windows 7, Server 2003/2008/2012, build a
domain, multiple users
Internships are fairly plentiful
–
“Junior sysadmin” is a great position to learn in

24. Next steps for audit
●
Mix of sysadmin and project management, with
lots of communication

25. Specializations
●
Management
●
Legal
These specializations are full of deep magic.
Tread carefully.
(Or at the very least, I don't pretend to understand them)

26. Questions?
●
Email me at jeff.mcjunkin@gmail.com
–
Want more info on a specific specialization?
–
Want specific learning plans?
–
I'm happy to help!