Getting Involved in Network Security
Jeff McJunkin
CCNA, GSEC, GCED, GCFA, GPEN, GCIH
Web Application / Network Penetration Tester
AppSec Consulting, Inc.
Obligatory Disclaimer
• I speak for myself, not for my company.
• My views may or may not bear any relation whatsoever to the views of my employer
– Or anyone else for that matter.
Outline
• Gain skills
• Use those skills
• Talk to people
About me
This talk is especially relevant for me recently
• I graduated SOU in 2011
– Computer Security / Information Assurance, emphasis in digital forensics
• City of Central Point from 2008-2013
– Systems / Network Administrator
• Now working for AppSec Consulting
– This is my first week!
– I’m telecommuting, too
About me
• I’ve won a few security challenges
– SANS Network Security 2011 NetWars
– US Cyber Challenge Northern California, 2012
– 3rd place, NetWars Tournament of Champions, 2012
• I’ve been involved in the Collegiate Cyber Defense Competition
– Red Team is the fun team, believe me
• I gave a Tech Segment on PaulDotCom Security Weekly last year, as well
My Coworkers
• Bill Sempf (Black Hat Speaker, OWASP author)
• Josh Brashars (Black Hat Speaker, Author)
• Travis Lee
– CISSP, OSCP, OSCE, GPEN, eCPPT, GREM, GCIA, GCIH, GCFA, GSNA, MCSA
Goals of today’s talk
• Meta-advice
– Not about specific skills, but how to gain those skills
• Follow this advice, and hopefully you’ll be talking to the right folk
• Follow this advice, and hopefully you’ll be interesting to the right folk
Outline
• Gain skills
• Use those skills
• Talk to people
So, what do I do?
• Build a home lab
– www.reddit.com/r/homelab
– BackTrack, Metasploitable, and Windows XP go a *long* way
– Keep notes! You’ll need these later
An aside on money
• Don’t be afraid to spend some money on this
– You’re all in college, which is already costing you how much?
– Purpose of a liberal arts education
– Consider VMware Workstation, Microsoft TechNet (or MSDN:AA)
An aside on SOU…
• SOU can provide the foundation
– *If* you apply yourself
• Job-specific skills are for *you* to obtain
– Most won’t be taught in the classroom
Don’t expect to float through and then get a job!
So, what do I do?
• Blog about your work
– Seriously, no research is too small
– WordPress.com is free, grab your name and go
• By the way, you should all own “yourfullname.com”
• Hang out on IRC channels
– You’ll see what folk are actually up to, including some big names
– #pauldotcom, #metasploit, #backtrack-linux, for starters
So, what do I do?
• Learn a solid foundation first
– Systems experience (Windows and Linux at a minimum)
• Administration
• Forensics
• Defense
• Attack
– Networking experience (Priscilla Oppenheimer will be here next week!)
• Network forensics
– Programming
• Pick one of {Perl, Python, Ruby}
• Pick one of {Bash, PowerShell}
• Optionally, pick one of {C, C++, Assembly}
• Learning Windows Command Prompt (cmd.exe) is helpful as well!
So, what do I do?
• Specializations are complicated. Learn the foundation first.
• Examples:
– Attack or Defense
• Wireless
– 802.11{a,b,g,n}
– Bluetooth
• Web
– Microsoft stack (ASP, ASP.NET, etc.)
– Linux stack (LAMP, jQuery, etc.)
• Application
– .NET
– Java
• Systems
– Windows
– Linux
– Mac
So, what do I do?
• Listen to security-oriented podcasts
– PaulDotCom
– Exotic Liability (NSFW language, great content)
So, what do I do?
• Read blog posts from smart folk
– I’d recommend Google Reader, but Google recently said they’re going to take it offline
– Feedly is quite popular recently
• To start you off… (Google these to find the sites)
– IronGeek’s Security Site
– Krebs on Security
– Metasploit Blog
– PaulDotCom
– TaoSecurity
• Email me for more if you’re interested
– apparently I now have 305 RSS feeds
Outline
• Gain skills
• Use those skills
• Talk to people
Use those skills
• Consider security challenges
– In-person:
• Collegiate Cyber Defense Competition (talk with Daniel and Lynn, then sign up as a school for next year)
• United States Cyber Challenge
• NetWars (paid)
– Online:
• DC3
• pen-testing.sans.org (search for Holiday Challenge)
• forensicscontest.com (Network Forensics)
Use those skills
• Blogging helps here, too!
– Play with a new tool, then write a quick blog post about it
– 500 words and an hour of documenting
– Post it to reddit.com/r/netsec and ask for feedback
• Be prepared to get it
• Find a problem with another person’s research?
– Write up a nice blog post, post it, email the person
• Find a problem with another person’s tool?
– This is where coding helps!
• Sign up for GitHub, pull their code down, fix it, send a pull request
• Those of you in Daniel’s classes will know Git, right?
Building the habit
• Building the habit is more important than the actual work at first
– Spend 10 minutes every morning reading a few blogs and try one command in BackTrack
– After a month or so, consider putting a bit more time in
Outline
• Gain skills
• Use those skills
• Talk to people
Talking to the right folk
• Half the challenge is just showing up
• Just ask!
1. Find folk in the valley doing interesting stuff
2. Ask to help them for free
3. …Profit? Learn!
• Carl, Jesse, and Lana are great examples!
Talking to the right folk
• Southern Oregon Geek Group (sog.gy)
– Attend a monthly dinner (first Thursday of the month, 6:30pm at Four Daughters in Medford)
• Standing Stone Thursdays
– But shhh, it’s a secret
– 5ish to 6:30ish
• Ask your professors about industry contacts and internships!
Conclusion
• Looking to get into network security?
– Good news, everyone!
– Unemployment in this field is hovering around 0%
• Don’t get into it for the money
– Be prepared to work hard
– Keep up-to-date
• Latest threats, attacks, defenses
Questions?
• Email me at [email protected]
– Want a lesson plan? I just made one for a few of your fellow students…
• Care to chat later? Let me know, I’m always up for coffee!