
From Paupers To Queens: The Tale Of Two Wannabe Hackers

BSides London · 29:05 · 229 views · Published 2022-01

Brilliant, so welcome to our talk. We're just going to be talking about our journey of breaking into cyber, from paupers to queens, so basically through university to now, and some of the challenges we've faced, some of the fun stories we've got from being in industry. So welcome, we hope you enjoy it. And a disclaimer: I was doing a workshop yesterday and a very lovely guy pointed out to me that I tend to slap my thighs a lot when I'm doing a talk. I don't know what to do with my hands, so count how many times it happens, or do it with me, and then I'll hopefully stop eventually by the end of this time.

We'll see, I don't remember doing it, so we'll see what happens. Cool, you've already done it, amazing. So just a little bit of an overview about what we're going to talk about today. First we'll talk a little bit about us, what the Security Queens is, a little bit about our individual journeys, about how we broke into the industry, our career journey so far through university, the very scary adult world of managing ourselves, what kind of barriers we faced getting into industry, what plans we have, and also a few top tips. So this is quite a high-level talk, nothing too technical. There might be a

few more stories if you're lucky, and also obviously a Q&A at the end. It's a very chill talk. So I'm Ginge, aka Sarah. I am a security consultant at NCC Group and a Security Queen, as you all know now. I'm also a Ladies of Cheltenham Hacking Society admin, so the Security Queens eventually joined forces and now we're a lovely little group that will work together on workshops. I'm a forensic computing and security graduate from Bournemouth University, and we actually had our graduation last year even though we graduated in 2020. And I'm the BSides London 2019 rookie track winner, which I'm extremely surprised about every time I think back to it, because I just thought it was horrific

when I presented at the time. And from my talk I decided to do a workshop on the DigiSparks that I used when creating my talk, and that was for G3C back in 2019 as well, and it was their first ever conference at the same time. I'm also a lover of foreign places, so I got to go to Vienna when I won the rookie track; a little picture at the Christmas market. It was a lot of fun going there and getting to explore. But more recently I am a lover of my sofa, because lockdown has hit different and I had to get to know it very well. I haven't been

able to go anywhere. Cool, so I too studied at Bournemouth University. I did a slightly different course, cyber security management, which is a little bit more high level, but I'll explain the differences in due course. I too am a security consultant for NCC Group, in the pen testing department. You may have seen me on TV, hopefully not eating a sandwich on Channel 4; I was on Hunted as a cyber hunter. I've won a bunch of stuff, most recently last year at the rescue awards Europe, cyber security student of the year. Lover of horses, I've always loved horses since I was knee high, but I'm a lover of horsepower as well. A

little bit of photographic evidence: I can drift, if any of you saw the abysmal attempt I did on the rig earlier. And I too am part of LCHS as well, so that's a new venture I suppose. So back in the day, at BSides London 2019, myself, Sophia and Morgan, who is in the audience today, started Security Queens, over a year ago, which is crazy to think that the time's gone so quickly. By this point now we've run over 40 blog posts, and when we first started out we actually won the best new up-and-coming blog at the European Cyber Security Bloggers Awards, and we were interviewed by Infosec Magazine, and we've started speaking at different

conferences like CyNam, when we collaborated with the LCHS to do the breakout sessions, and we've also been dubbed cyber security influencers. Morgan actually found this little snippet. It's so weird that that's actually a thing; I don't know if that's definitely a thing, but someone mentioned it, so it has to be true because it's on the internet, it has to be true, everything on the internet. So yeah, I guess we'll talk a bit about how we started, really. We both met at university in second year. As I said, I did a slightly different course to Sarah; I did cyber security management with a one-year placement, hashtag class of COVID, graduated a year late,

so it focuses on very high-level, strategic cyber security, so things like business continuity, incident response, policies, and we had some odd units like cyber psychology, which is actually quite cool, and law. I won't comment on law, but I really enjoyed it, and it was kind of a jack-of-all-trades; I learned a lot of different aspects of cyber security through that degree. My degree was still at Bournemouth University but slightly different, so I did forensic computing and security, which meant that my first year was a baseline computing year, and when I started university I hardly knew anything about IT and especially cyber security, so it just taught you basic concepts like what is a computer and how

does it work, what components, really really low-level to high-level stuff. I eventually went into networking in my final year, and in my second year I did an ethical hacking and forensics module, so that was really interesting, and I got hands-on experience with things like, I want to say Nessus, but I'm pretty sure we wouldn't have had the budget for that; I think it was OpenVAS or something like that. That was too long ago now to try and remember. So I basically looked into that, tried out some tools, and from there I went into my dissertation and started specialising in what I was actually interested in.

So a big part of my journey, and actually Sarah joined me in a few CSC UK events: Cyber Security Challenge UK is basically a government-backed programme that hosts a series of national competitions, learning programmes, networking and career days to help people break into the cyber security industry. Myself, I got introduced to them through attending a career fair they did at my university, but we ended up doing loads of their competitions, general bootcamps, that kind of thing, so that played quite a big part as a stepping stone up into industry, I suppose. And of course we have to give a mention to our pride and joy, the university society,

the Bournemouth University Computing Security Society, now; it used to be the Cyber Security Society, but we weren't going to go into politics. So what this was, it was basically once-a-week hacking and computing meetups. We'd do the usual nerdy stuff, CTFs, programming, had the odd guest lecture, but it was mostly focused on skills workshops, so one week we'd focus on web, another week we'd focus on forensics, and then we'd have databases, random stuff. But it was a really good way to network with other like-minded people on campus, maybe not necessarily from a STEM background; we had non-techies such as law students, there was environmental studies, there were some from AUB, which is the arts uni.

They joined us in a couple of those as well. That was interesting, trying to teach them how to use the command line, when I'd only learned how to use the command line myself when I first joined. Another thing that we did was lots of field trips to conferences like this, so that kind of helped us network. Bletchley Park, one of my favourite places to go; I need to go there again, COVID ruined those plans. And as we said, we did a lot of university-level CTFs, especially with Cyber Security Challenge UK, but also a lot of online ones like picoCTF as well, and of course Zeroday CTF. So Zeroday is an Irish competition based in Dublin, which I think we came second in. Yeah, I

think we did come second. There's also a very interesting story about that: we nearly got a tattoo of the Zeroday CTF in the name of CTF points, because we were that desperate to win. That's what clinched the second place, because they had lovely challenges, and when I say lovely I mean horrific challenges, where some people even had to drink from a shoe. Anyway, if you want to know more about that, grab us at the pub. Probably not, no, not for your friends. And I guess we move on to placement now. So for me, what was really valuable was not necessarily the academic part of university, it was actually doing the placement

year, and I don't know if you can tell what I did for my placement: I actually went into pen testing, so it was quite technical for me, coming from a managerial degree. I didn't really know much about Metasploit, Nessus, Nmap; I was like, oh my gosh, what is this? So it was really good to be able to be exposed to that, but also the companies I worked for had a lot of internal material that I could work through and learn from as well. It was really hands-on, so I was able to shadow other consultants on what kind of jobs they did, anything from web apps onwards, and I did lots of

research stuff as well. So a niche for me was I really wanted to go into transport research, and I was really fortunate to be able to do an agricultural white paper about hacking tractors and stuff, which I never thought you could do, but you can, which is really cool. And I would say this was where I kind of got sacrificed to appear on Hunted and never looked back; I'm now back for a second season, airing in January, which I know you can't wait to watch. And I was again really fortunate to be offered a graduate role from that as well. And it's always great to tell your non-techie friends what you work as now.

I don't really think I've told many of my friends yet; usually I just say hacker, that's pretty much it. So my placement was very different to Sophia's placement; mine was more blue team-based, so I was a security operations analyst for G-Research, and this is me catching all the horrible red teamers. I kid, there really wasn't that much action when I was there, but I did get a lot of experience with security appliances, so firewalls, proxies, DLP, which is just data loss protection, and things like that. So it was interesting to get to know these devices and how they actually worked in the wild, because all of it was just

theory for me. And yes, I did find out that it was always the proxy that was the issue, and definitely not when you do a deny-all rule. So no, I can access the internet, I swear it actually wasn't me; that happened to me once. Changes within the business meant that it was time for me to change, so I did get to experience a little bit of a role shake-up when I was there. They had a security reshuffle to try and streamline some of their processes, and it just meant that I got to play around with new things, so even though they might have moved the firewall to the networking team and things like that,

which does make a lot of sense, I actually got to try and automate some of the processes that we had. I didn't want to just click a button and say, oh yeah, this has been approved, I can do this now; I didn't want to just be one of those monkeys that did that. And my communication skills were strongly developed whilst I was there. So we had an issue once internally, and I just remember thinking, about the people that were having issues with it, why don't we just speak to the team? Why are we here arguing about it by ourselves when we can literally go and ask them to stop doing the things that they're actually

doing? And of course, if you don't communicate with anyone, you can't have any communication issues. Okay, so I guess the next chapter of our journey was the dissertation, and finally, a very scary concept, but funnily enough it helped us find our niches. I guess beforehand I knew I had an interest in transport, but I didn't know that was the specific route I wanted to go. So I ended up doing a dissertation with a very long-winded title: a study towards motor hacking and the rise of connected and autonomous technologies, an in-depth research paper and education exercise. My supervisor did not like me for that one, because it was a bit of a mouthful to read out, but it was really good.

Basically what I did was a huge risk assessment and a very high-level threat model of both current and future vehicle technologies, especially focusing on connected and autonomous vehicles, so things like driverless cars, vehicle-to-vehicle communications and vehicle-to-infrastructure, smart city integration, that kind of thing. And then on the back of that I created an education exercise with a plan to be deployed into academia and industry to help promote awareness around CAN bus hacking. So it was kind of like a little Raspberry Pi, which I implemented its own CAN network into, which could then be deployed into something like a CTF platform; they could just SSH into it and mess around with the CAN data. And for those of you that

don't know what CAN is, it's basically a bus within a car which sends loads of data to help deploy airbags or the brakes; it's kind of the backbone of the car. So it was a love-hate relationship, but in the end I actually did love it. I just learned how to solder, which was an interesting experience, got a lot of injuries from that, but it fuelled my passion to break into automotive security. So that was the kind of little Raspberry Pi; it didn't look very pretty, but it did the job, and that was my summary of threat modelling for connected and autonomous vehicles. My dissertation was completely different to that; Sophia's just blown my

mind, so I definitely do not like specialising in automotive at all. Like she said, it did help us find our niches. When she says love-hate relationship, I think mine was mostly hate; when it came to the end I was so ready for my dissertation to be over. It did help me understand the struggles of project management, so I do realise now that you cannot spend all your time trying to develop all the things, because that's where I went completely wrong: I spent months trying to build my actual final project rather than actually writing the dissertation that gets marked. So my title was improvements to the secure proxy tool and the

implementation of HTTPS requests to protect against malicious and phishing URLs. Another mouthful; it's just the thing, you have to do that when you're doing a dissertation. So basically I ended up creating a proxy, but I started out looking at the growing landscape of phishing on mobile devices, which is really interesting, especially because smishing is now a thing. It's not anything new, it's quite old, but it was interesting to look at all the different stats. From there I ended up looking at how mobile browsers protected against phishing, and I did find that the majority of them do implement security protections, but Edge is a lovely little special case. We all know and love Edge,

which is basically the newer version of Internet Explorer. Apparently there were no protections against phishing at the time of my dissertation, when I was looking into this browser. I spoke to one of the Microsoft support workers there and they were like, yeah, we can't find any information. I googled around, I couldn't find any information; if any of you know differently, please enlighten me, because currently my view on Edge is just this right now. And from then I had to build a solution, so my solution was to try and build a proxy. I used the open source software called E2Guardian. This is a Google image of it, because my dissertation wouldn't load when I tried

to put the picture in, and I couldn't be bothered to wait for it to load; it was too big in Google Docs. So basically it has some really interesting filtering mechanisms. I went through the URLs and the blacklist that I stored, I did some stats on it, so things like common top-level domains, where they're not global top-level names like .ru and .io, but it's not .io, so basically country codes and things like that. I tried to do stats on there and implement some kind of filtering protections, but really, to demonstrate this, I ended up trying to block Asda and Tesco's of all things. So yeah, my dissertation

wasn't that great. You can tell there's a lot of memes in this; we have to make it more lively. We do have to do a shout-out for James, thanks James. So I guess after uni it was the very scary step into going to a graduate role and working in industry. We both actually started on NCC Group's graduate programme, which is probably where we work at the moment, and we did the six-month introductory programme that paves the way to consultancy, is a good way to put it. So it's basically a crash course in pen testing, so learning a lot of basics about web app testing, infrastructure

testing, soft skills, being able to communicate, because we all know how important that is, and report writing. Then there were also a few things like forensics, which was quite good to see as well, and eventually we became fully fledged consultants, so we must be doing something right. And unfortunately this is still me, because I'd love to be on a racetrack, but I'm still stuck working from home. So a little war story, even though we've been pretty much fully fledged consultants for, I want to say, four months, maybe longer; time goes very quickly when you're in lockdown, even though we're now getting back to normal. So we once had a web app test that

turned into a thick client assessment of sorts. It's like a web app, but it's more directly connected to a database. Tools we'd never used, we had to try and learn whilst we were on the job, and then the access to the application, or the thick client, ended up breaking, and we had to try and test the thick client via Teams with the other person, the client, watching us. I don't know if I've ever sweated more in my life. I had 10 minutes of trying to get this thing to work, stopping for a second, and it magically all became fixed. But we did find some extremely cool things, some critical vulnerabilities: sticky keys breakout from

Citrix, and File Explorer breakout. So it was a lot of fun and it was a baptism of fire, but yeah, very, very stressful. I think that was one of our first web apps as well, so it definitely was a little bit of a shock to the system. And because obviously I now want to work in automotive, I had a really cool job a few months ago working on a head unit, so that was really cool, basically just breaking it, which is fun. So now we are in the adult world. We have briefly mentioned that we are members of LCHS. It all started with that collaboration from CyNam when we did a

breakout session with them. This is our first promo video, which did feature new alarms, which I think we do a lot on our video calls, I don't know why, but it was a lot of fun trying to do that with them. From there we've collaborated on different workshops: we've done an SQL injection workshop with them, all virtual whilst we're in lockdown; we've done a summer software special workshop with them, which is also on YouTube, just teaching people how to use Python and the very basics, Ginge is a wizard with coding; and we have done another CyNam breakout session where Sophia also did a talk, so that's on our blog if you wanted to check that out,

again on the future of cars, and it was all about IoT and hacking and the fun stuff. So I guess enough about us; we've done 20 minutes talking about ourselves. We're going to talk about, obviously, what kind of challenges we faced and our top tips, I guess, if you are looking to get into industry or perhaps you're starting your career journey. So yeah, we had a few diversity challenges. Obviously being female in a very male-dominated industry, you do have those minor few that are still prejudiced against that. My favourite was "women shouldn't be allowed in cyber security", so that was probably my favourite comment of all.

An ex-boyfriend told me I will never ever make it, but I can flirt my way to the top. Hand on heart, I haven't flirted my way to the top. And I also had "you don't look like the usual IT type", and this kind of went right over my head, so I started thinking about it and I was like, what do you mean I don't look like the usual IT type? This is what it is. But I think overall we've both experienced "you're just a diversity pick". That was for me in uni, on my placement, yeah. But the main thing to remember is it's not all doom and gloom. The cyber security industry, they

really push for diversity, and I think everyone here, they're all friendly people; no one's really like this. This is just university challenges for the most part, and maybe the odd one or two people ever. I personally haven't faced that much, like any issues really, but yeah, I would say the cyber security industry is at the forefront of actually trying to push for diversity, and it's so important to try and push for it, because you don't want the same people from the same background coming in there thinking the exact same way. You need people from different backgrounds, and not just women in tech; you need people from all kinds of walks of life to be able to try and

solve the issues, because at the end of the day we're all in the trenches, so we really need to work together, which is kind of what we do now. And an important part is just that you need to keep up with industry. These are just things to know: keep up with industry, things are always changing; look into new technologies, because I try and break these new technologies. I know a lot of people do IoT hacking, and there was a workshop on that yesterday, so that would have been really interesting to go to; and read blog posts and news articles etc. just to keep up to date. And that's part of the fun of being in our

industry, is that it's constantly changing and you're constantly learning, so you don't ever get bored, and you're not just pressing buttons every day, which is a very good thing. And just so you know, not everyone has to be from an academic cyber security background. I mean, before I went to uni anyway, I did an A-level fashion course, basically, and I actually did all right in it; I did enjoy fashion, I still do. And Sophia got four GCSEs and half a BTEC. We weren't always very good at school; you'll find English eventually. It's nothing to worry about. And if I was still a fashion guru I'd design everyone their dress. In industry, I think the majority of people look like

this. I mean, I don't know, maybe 50/50. So I guess now we can talk about our different options. Obviously, yes, we had different backgrounds; we did opt for the university and academic route, but this is absolutely not the only way to get into security. So if that's the way you want to learn, through academia, absolutely go for it, but I know loads of people that have come straight out of school and gone into apprenticeships or internships, just to get straight into the workforce and get that hands-on experience. And certifications as well: some people just decide to do a little bit of self-study and get some certifications

to strengthen their CV; that's another option as well. And we thought we'd list a few things that we think employers kind of look for when you're looking for a job. So having to show that you have got a passion for whatever, by doing individual projects, either research-based, or if you want to get little Pis or Arduinos, DigiSparks, ESP8266 chips, come see me afterwards. And networking, I think, was a huge one, so actually getting yourself out there, coming to events like this, career days, using organisations like CSC UK. It's really important to get yourself out there and meet people, and

utilising online resources. There's a huge amount of stuff out there that's really quite easily accessible as well, through blogs, podcasts, YouTube tutorials, and loads of labs, which I know have been mentioned in previous talks, such as TryHackMe, Hack The Box, Immersive Labs, that kind of thing as well. For me, obviously, I came from a managerial background; a lot of what I learned technically was through things like CTF competitions, even if you just want to do it because you want to do it, not necessarily to win. I learned quite a lot from it personally, or other online competitions as well. Or if you're the book type, a little bit of a bookworm,

just grab a book, take some notes. My bookcase is like ninety percent infosec books, and about fifty percent of them I've actually skim-read, so it goes to show the books can work. So with us now, what we're going to do in our futures: Sophia has touched on that, she wants to be a car hacker; you saw the meme, she has hacked cars before, it's very cool. It's not my scene, but I'm more of a mobile person personally. I started working on mobile apps, I've done blog posts on mobile apps, I want to start mobile hacking training, I guess is the best word for it, so that'll be in the new year when this is over, exams are over,

fresh start. And we're just going to continue doing things like podcasts, talks and workshops, working with the community, championing diversity and partnership, so next year is going to be a really busy year, and I think we want to get involved with CyNam again. So that's our plans for the future, I guess. Just to round things off, we'll talk about what our top tips are: learn from experiences, but take this with a pinch of salt, so everyone has a different experience coming into this industry, or when they're actually in industry as well. And so I guess the top one for both of us was choose something that you enjoy. There's loads of

different paths in security; you don't necessarily have to go down the pen testing, red team route, you can do the blue team SOC stuff, or you can do the audit and compliance, risk management, policies; there's so many different ways, or I know cyber psychologists and all sorts. So you don't have to be hackers, is what I'm saying. And nothing is easy starting out; I think the 80/20 rule definitely applies to most things, particularly this: 80% failures for that 20% of sweet success, out of nowhere as well. One day you'll just experience it and you'll be like, this is awesome. Yes, I don't know how many times we've mentioned this, but

communication is absolutely key, and people are sometimes better than Google. And this kind of links into our next point of just network, not the computer type, but actually, you know, unfortunately, face-to-face, in the room, talking to people, really sorry to break that to you. But it's really good to network with potential employers, other peers, people in the same boat as you as well, and I didn't only make some really good professional connections but also some friends as well, which isn't too bad. And I think just go for it, really. It's a bit scary kind of trying to start out in your career, but I know we spoke a little bit about doom and gloom, but I think in

general there are so, so many people around to support you one way or another, and there's such a huge amount of accessible resources as well to help you along the way and kind of bolster and hold that knowledge to get you into the industry. I mean, Alex just did his talk on the rookie track, and he said no one knows everything, and I thought that's such an important point to make. Like, you can never know everything and no one knows everything, so don't worry if you don't know something; no one knows everything, exactly. And I guess that's us, really. We just thought we'd enlighten you by talking about our personal journeys,

and also a little bit of advice from two people that finally made it. So we hope you enjoyed this. Feel free to contact us on any of our socials; we've obviously got the Security Queens stuff in there, and please do check out our blog website, but we've also got our Twitter handles if you have any, I don't know, car hacking questions or mobile hacking questions; I'll try it out, please reach out, we'll google together, it will be fine. I think we've got, yeah, many questions. Have we got much time for questions? Two or three minutes? I'm not sure, yeah.

Oh, I need one of these mics, because these are pretty cool. So obviously I've known about you two for quite some time; I've met Sophia before and stuff. And in terms of this sort of, you know, young, older teenager, young 20s kind of circle, you two are pretty well known. When it comes to dealing with how many people like us girls look up to you, but also how many people sometimes try to bring you down, how do you mentally stay resilient and keep in touch with how much skill you know you have? I mean, it's a tricky one, isn't it, because I think we both faced, as I said, the

prejudices, yeah, minor, minor for the most part; people are very supportive. But, sorry, I interrupted, carry on. I think it's important to have a network of people that you really trust and can actually support you, because at the end of the day, the people you work with, the people you see every day, and people that support you through things, you learn from each other, and I think they're the most important things. If you have an online troll saying you can't do something, they're just an online troll, who cares? Why would people worry about them or whatever? I couldn't care less about social media hate, to be honest. I think Sarah hit the nail on the head there, that

you know, you will have some bad apples, but I think in general people just want to help each other succeed, and coming to events like this, I mean, not necessarily running between talks, but having a chat in the hall or going to the pub, having a pint, just talking about whatever really, it doesn't have to be about security; you help build those relationships, and if they can offer you a job or a way into industry, that's great; if not, you've got a friend on the sideline cheering you on. So I know it's really hard to say this when you're obviously faced by trolls and that kind of thing, yeah, but ignore them, they've got nothing better to do. You focus on you,

you focus on your career or whatever, and people will still be there to support you. Yeah, yeah. Any other questions? No? Yeah, oh cool. Well, we'll be at the pub if anyone has any sparking questions, but thank you so much for your time.