DIY Education in Cyber Security Kelly Shortridge July 30, 2015

Posted on 18-Aug-2015

Agenda

My goal is to help you figure out where and how to start your learning journey by answering:

What careers are there?

How do I learn more about the field?

How do I meet people / network?

How do I stay current on industry trends?

Who am I?

Hi, I’m Kelly Shortridge

Currently doing exciting things on the business side of infosec

Previously advised infosec companies on M&A and private capital raise deals

No technical background

Built a knowledge base and network within infosec from scratch

Career Paths

The “You Can’t Sit With Us” Myth

InfoSec as a professional field can seem a bit opaque, insular and unapproachable.

In reality, it’s a blossoming field offering exciting opportunities for a variety of skill sets and interests…and not just full of cliques of “mean nerds”

InfoSec = Opportunity

Diverse potential paths to follow within infosec:

Application Security

Compliance & Policy

Data Forensics & Incident Response

Network Security Engineer / Ops & Monitoring

Penetration Testing

Security Architecture

Security Solution Development

Vulnerability Research & Reverse Engineering

InfoSec = Flexibility

Roles often overlap and have fuzzy boundaries

Cover different aspects of the lifecycle of security operations

Some areas of study are broadly applicable

Data Science

Math

Network & System Architecture

Software Development

Current Hotness

Skill Sets – Example #1

Network Security Engineer / Ops & Monitoring

Understand network design & architecture

Familiarity with security tech – IDS/IPS, SIEM, firewalls, vulnerability detection & remediation

Develop custom tooling for security monitoring

Some knowledge on machine learning is a plus

Skill Sets – Example #2

Vulnerability Research & Reverse Engineering

Analyze malicious code, shellcode, packed & obfuscated code

Identify attacker methodology

Strong math abilities, particularly graph theory

Familiarity with IDA Pro and user & kernel-mode debuggers

Languages: Assembly (x86 & x64), C/C++, Python

Skill Sets – Example #3

Application Security

Audit applications for vulnerabilities (XSS, SQLI, logic flaws, etc.)

Understanding of application architecture

Help development teams implement SDL

Build tooling to improve testing & auditing

Languages: Java, PHP, C / C++, Python, Ruby

Potential Employers

Major hubs include SF, NYC & DC – each city has its own “flavor” driven by employer base

Government: Defense Contractors & Gov’t Agencies

Private: Tech, Finance, Media, eCommerce, etc.

Vendors: Security Vendors & Consultancies

Broader Applicability

Security can serve as a differentiator in non-sec roles

Anyone in the development process (design, UX, etc.) should have the ability to consider security implications of their decisions

PR, legal and finance personnel should understand their organization’s security risk profile

Find Your Purpose

Intersection of what you love doing, what you’re good at doing, what is paid for and what the market needs

A talent shortage, plus a widely recognized need for infosec, means you can focus on what you love and where you excel

Learning More

Where to Start?

Regardless of whether you’re a complete beginner, switching fields or have already entered the field successfully, there’s plenty of knowledge and skills to gain.

Formal Education

Academia

Certifications

Helpful if there is no other way to vet your abilities

Online Education

There are now tons of online resources available for learning languages, development and data science

Some free, some paid (often you get a certificate)

Consistency is key; set a daily goal for practicing

Old-School Resources

If you prefer the more traditional book approach, try:

The Art of Software Security Assessment

Hacking: The Art of Exploitation

The Shellcoder's Handbook

Android Hacker's Handbook

iOS Hacker's Handbook

CTFs & Other Games

CTFs and wargames let you improve and show off your skills

CTFs: DEFCON CTF, CSAW CTF, Ghost in the Shellcode, MITRE STEM CTF, NECCDC, picoCTF

Wargames: Hack this Site, Over the Wire, Smash the Stack

Reference list: http://captf.com/practice-ctf/

Conferences

Cons are often how people stay in touch

Check out talks, or find them online

Social events – great for networking

Parties requiring challenges (Caesar’s Challenge at Blackhat/DEFCON)

Meetups & Local Events

Meetup.com is a great aggregator of different meetups in your locale

Code as Craft: Engineering talks sponsored by Etsy here in NYC

Find local events to explore different areas of interest, learn or practice skills and meet new people

Trainings

Practical education with focus on specific professional roles in infosec

Training sessions can quickly bring you up the learning curve, but typically are expensive ($2,000 - $5,000)

Conferences aggregate trainings from a variety of companies, though additional trainings are generally held year round as well

Academic Papers

Explore emerging areas of research

arXiv

IEEE

Microsoft – Security & Privacy Research

Reddit.com/r/NetSec

USENIX

Make note of particular topics you find interesting and don’t be shy in contacting the authors directly

Networking

Step 1: Trust

InfoSec is a trust-based industry.

Don’t violate trust and be wary of those who do.

Networking Strategy

Get as many “at bats” as possible

Meet many people across various areas of expertise, employers & career stages

Not everyone will respond, so you need to maximize your hit rate by reaching out to more people

Expand your network by asking new contacts (politely) if they know anyone you should meet

Awkwardness is a Part of Life

#hatersgonnahate

Don’t let anyone convince you that you won’t be successful or don’t belong in the industry

People like passion and want to support “winners”

Persistence is key (true of most things)

Define your own measure of success

Contact Maintenance

Follow up regularly, but be mindful of people’s time

People generally like getting a “free” coffee

Even starting out, consider how you can be helpful

Try to maintain a 50/50 ask to give ratio

Keep an eye out for potential hires, introductions / connections or research they’d find interesting

Keeping Up to Date

Socializing

Staying in touch and meeting new people helps enormously in knowing the “latest”

Not all research / projects are discussed online

Gossip and chatter can also inform you of career opportunities or new, interesting companies

Fills in gaps in news you might have missed

Mainstream News is Not Ideal

Mostly a lot of this:

Suggested News Sources

Twitter – where the industry “chatter” happens

CyberWire – aggregates InfoSec news daily

Individual websites:

Short InfoSec Twitter List

@0xcharlie

@4Dgifts

@alexstamos

@aloria

@bcrypt

@c7zero

@cBekrar

@chrisrohlf

@collinrm

@crypt0ad

@dinodaizovi

@djrbliss

@drraid

@esizkur

@halvarflake

@haroonmeer

@j4istal

@justineboneait

@k8em0

@mattblaze

@matthew_d_green

@mdowd

@msuiche

@nils

@nudehaberdasher

@pencilsareneat

@quine

@runasand

@s7ephen

@semibogan

@_snagg

@snare

@SwiftOnSecurity

@thegrugq

@WeldPond

@window

Conclusions

You Do You

Consistently build your personal portfolio of skills, experience and industry connections

The field is rich with options, so you’ll likely find a role you enjoy and in which you excel

On the infosec industry treadmill, remember that it’s a marathon, not a sprint

A Closing Quote

“Work as hard and as much as you want to on the things you like to do the best.

Don't think about what you want to be, but what you want to do.”

– Richard P. Feynman