
So I saw that and I was like, wow, yeah, that would be awesome: something where you can get together on a team and go after hackers. So that was one of the inspirations for some of the stuff for me to go through in this talk. I hope you guys enjoy it. There's a lot of stuff here, I put a lot of time into it, and stay for the end, there's a lot of good stuff in here, and I'll let you guys know at the end how to get the slides if you want them.

So anyway, who am I, and how did I start out on this journey? My name is Ralph Collum. I work for a company in Columbia, South Carolina named Training Concepts. Basically, I started out as a server admin, went through and did the MCSE track way back in Server 2000 and Server 2003, and since then I've been a consultant and/or a trainer and instructor for Training Concepts. So that's kind of what I do. I focus mostly on security. I am a co-organizer of OWASP Columbia, a group in Columbia that does application security awareness and/or security advocacy. We have a meetup coming up in December if you guys are interested, so go to OWASP Columbia to find out more; it should be good. I'm also a member of ColaSec, a local security meetup group in Columbia, South Carolina. Both of those are really fun to do, and my passion is kind of just spreading the word when it comes to information security. I'm kind of a kid of the 80s, so everything 80s: I am a huge fan of Stranger Things, and the new season just came out today. So that's a little bit about me.

I guess that's where we're going to get started, and we'll kind of go through this long journey to get you guys into information security, or, even if you're already in information security, to kind of tailor what you should be doing, maybe some of the things that have enhanced my journey as far as information security goes, and then we'll kind of talk about the general state of things as well as we go through this project, so to speak.

So what is computer security in today's world? Well, as Frank, my other co-organizer for ColaSec, said this morning, we're kind of stuck in a mess, and we've been there for a little while. Ideally, a lot of what's referenced in information security was originally kind of just to protect our assets, and that's really what the goal should be, but now it's kind of been immortalized by things like our media, and/or cool shows like Mr. Robot, and/or, you know, everything from 60 Minutes to everything that's covered today. So there are a lot of cool things there that kind of give it a lot of press coverage, and some of these sites are amazing at kind of giving you an idea, a foothold, of where our current climate is with regards to information security. And so we need to kind of raise up a cyber army, so to speak, and that's kind of what prompted me to bring to light this particular talk today.

My quote: of course, a lot of people use Sun Tzu a lot in their presentations; mine's a little bit different. Who controls the information wins the war. That's really where we're at today in information security, and you see it with a lot of the nation-state actors that are out there: China and all the Bears, as well as Russia and North Korea. So ideally it's a scary climate to be in, but it's also an exciting time to be in information security as well, so I'd like to kind of go over that a little bit.

Now, you don't have to go far to see some of the big issues that are out there, everything from Equifax to eBay to Target and everybody else. And so here, ideally, it's not a matter of "when", we've probably heard this before, but "is it happening right now? Is it happening tomorrow?" Eventually everything will be going down the road to everything needing to be protected today, and so that's kind of what you see a lot in the news. Of course that's been publicized pretty well this year with things like NotPetya and WannaCry and all the various other types of mess out there. And that's the complexity of things: internet-connected stuffed animals and/or webcams that, you know, are nanny cams and stuff like that that are being hacked. So we put a lot on the internet, and IoT, or the network of things, is becoming more and more popular, and so that's kind of the next evolution in security: trying to protect some of these devices. When our fridges start to get ransomware, and our TVs, it's a pretty serious business, right?

So those are some of the things that are my highlights, at least from the last couple of years, on where information security is in its current climate. As well, if you look at what the definition of information security is: ideally, as I said in the beginning, for me information security is about protecting assets, and those assets are digital assets, those assets are physical and/or non-tangible assets, and the concept of things like intellectual property: we're losing a lot of that. There are some great books out there, like Glass Houses, that you can read that talk about how our intellectual property is being mishandled. And so when we say "protecting assets", that's any item of value, and when we look at that, that's what infosec really is: trying to protect those assets and preventing things like data theft and/or identity theft. Those types of things are really where we're looking in the future; even things like securing big data are super important to information security.

All right, so why infosec, right? Ultimately, why pick this as a role? I get that question a lot, being a trainer and/or instructor at the place I work; I see lots of students come through and ask, well, why should I focus on information security? Well, it's very popular today to say that these are some of the reasons. One of the biggest discussion points for a lot of people is that, well, ideally,
information security is a place that has a very high demand. However, it's very much craftsman-oriented, which means basically you can't know everything in information security; if you think you do, then you're probably in the wrong spot. So ideally, the cool thing about it is, when they come to me and say "I want to do information security", that's like saying you want to be a doctor: you have to choose a specialty, something that you're interested in. Are you interested in reverse engineering? Are you interested in pen testing? Are you interested in security analysis? Whatever the case may be, there are many, many different roles in information security today, as you've probably seen through several different news articles on the internet, but a very short supply.

To be a hacker, you've got to think like one. So oftentimes when I do classes on ethical hacking, or hacking, or whatever you want to call it, a lot of it becomes: what can we learn from an attacker? We can learn their methodologies, we can learn their tactics, we can learn and get an understanding of what they're after. Now, you could say that the defense is where a lot of your money is made, and that's absolutely true, but you'll find a lot of red teamers out there as well, so it's both of those: we want to think like a hacker, or an attacker; we want to learn from how they attack so that we can better our systems and better our networks. So "offense informs the defense", you oftentimes hear that as well.

We also sometimes see a heavy emphasis on things like compliance. Today GDPR is being implemented right now and will be in effect next year, and there's a big, stiff fine and penalty for organizations that are doing business with European nations that aren't up to par in compliance, and so that will be a big initiative for companies next year, you'll see: making sure that they're GDPR compliant, privacy compliant. So maybe it's compliance, and wanting to just be compliant today. So those are among many other reasons to want to be in information security today, although it's also a lot of fun. If you're a tinkerer, or if you're a person that likes to take stuff apart, break it, build it, that's definitely the place to be. If you're just inquisitive about different things, information security is definitely for you.

All right, so what's the current threat landscape? The threat actors: a lot of these we talk about in some of the classes I teach. We talk about the gray hats, we talk about the black hats, white hats, state-sponsored espionage; we talk about, you know, your Anonymous or your hacktivist crowd. So looking at the current threat landscape, as far as what is out there, there are a lot of different types of attacks that we're going under, and usually it kind of falls into three camps. Is it cybercrime, an organized, you know, state agency that has a lot of backing, that has a lot of resources they can put behind themselves to go after an organization that's maybe US-based, to get more intel about US relations or US military intelligence? Or is it somebody as simple as someone who wants to basically go after an organization for some of their thoughts and views, on the political side or the religious side of things? So we've got those as well as our hacktivists, and then of course we're starting to see an increase in people that are trying to do espionage and people that are trying to do internal attacks as well. So the threat itself can be internal, it can be external, and it can also be somewhere under these hats that are described commonly with threat actors today.

The threat motives that we see in most cases: what would be the biggest threat motive? What do you guys think, why do bad guys do what they do? Money. A lot of times it's that, right? It could be some other things: it could be for fame and notoriety, it could be some kind of revenge plot, right, I've seen several of those in the past; it could be blackmail. Ransomware has hit a tipping point and will continue to go further and further, into things like I was saying earlier, into your fridge, into your TV, and so that's a non-stop market for a lot of organized crime syndicates. As well, maybe the desire for power is another option here; we see a lot of that in smaller nations, maybe like North Korea, that are trying to get one up on the US. So there are a lot of motives behind attackers today and why they do what they do.

Now, as was talked about in the beginning this morning, Frank was talking about the deperimeterization of security today. So exactly what does that mean? Well, the current threat climate is growing. It's no longer the case that we can set things up at the front, at the fence, and make sure that everything is good at the edge, so to speak. So we've got cloud, we've got IoT, we've got mobilization, and everybody bringing their cell phones and their tablets into the organization, and that's changing the actual landscape for security. Look at the cloud, right, as a good example as well. So, our ability to outsource to the cloud: now, a lot of people, and I'm one of those too, see many, many benefits to using cloud services today, or managed services. One of the biggest things that sticks out in most people's minds, though, is the loss of control of that data, and then how thinly the cloud providers themselves have to spread themselves: they're thin with handing out other resources to other potential service providers, for things that they can't provide themselves. So maybe in this case our ability to control the chain of distribution is becoming harder and harder today. So a lot of that is where the current threats are.

And, you know, not all threats are new. Like Jack was mentioning in the earlier presentation, DDE, a very popular thing back in the early 90s, or maybe even mid 90s, is now becoming something else that we have to deal with right now. So DDE, and DDE injection attacks inside of Office, is the new rage, and so we start to see things that were old become new again, and so that's kind of interesting. As well as the botnets that are taking off, of course, with things like Mirai. One of my favorite botnets, of course, is the, what was it called, the "go spot" botnet, the one that basically went around and started stealing, you know, balances off of your gift cards and stuff like that. So you start to see those types of attacks becoming more and more popular and more and more in the media today.

Now, when you look at threats and how they think and how they act, these are kind of some of the different
categories. I just picked a couple of the things I like to do when I'm going over and trying to evaluate an organization today. So one of the big ones is reconnaissance. Oftentimes we skip this phase a bit too much, maybe because of time constraints, but you shouldn't, because there's a lot of information that can be had today with OSINT and the ability to evaluate an organization and map relationships between employees within an organization. Some of my favorite tools, we'll of course talk about some of that, but where you see a lot of this being a problem is in things like hard-coded credentials, hard-coded API keys, or things that are pushed out on the internet that should have been sanitized before they were out there on the internet. And so, in general, that's another large cause for concern today for business.

Of course, malicious software will never get any easier; it's just going to be something that continues to grow and grow and grow. And so with things that are now starting to put together a series of events that take place to hack an organization, chaining malware or chaining malicious code together is a very popular type of attack technique that a lot of organizations are looking at. So malicious software and ransomware will continue to grow. We will not get rid of denial of service; I mean, again, it's protocol manipulation, so unless you're going to get rid of the protocols or build new protocols that don't have some of those same things, that's going to be a big cause for concern. And of course, as it goes to the mobile marketplace and our cloud, as we continue to stretch ourselves, we'll continue to have that be more and more of a concern. And then of course we can't get rid of users, right, so they are also one of our big threat targets.

So we look at threat modeling. Now, I'm not the person to be an expert in threat modeling, but it just makes sense to me: if you would want to understand your organization better, and what some of the insecurities in your organization are, you might want to come up with the way a bad guy would attack those assets in that environment. That's kind of, in essence, what threat modeling offers us. So if you implement threat modeling in an organization today, it'll give you faster detection, it'll make you more self-aware of what's around you in your environment, and it will help to reduce the overall effect, if an attacker does compromise an organization, that that has on the overall organization itself. And there are lots of different types of methodologies that you can follow; Lockheed Martin, of course, is the one that a lot of people throw out there for threat modeling in the use of the kill chain. But then there's also the use of things like threat intelligence feeds, which some people, you know, call snake oil or something else, but you should definitely look at and evaluate threat intelligence and threat modeling in your environment to make sure that you're covering your basics.

So risk management: we also can't not look at this. Ideally, a lot of times when we look at risk in the organization, it's all a measuring stick. As Frank mentioned this morning, we talked about metrics, and that's really the prime principle behind what we can do to lower the threat. If you're going to lower the threat, you've got to understand the vulnerabilities in your environment, you've got to be able to map the threat to the vulnerabilities in the environment, you've got to understand your risk better. And those risks themselves, they're not something that we can put in a package and put a dollar number on; it's more than that. We have to understand what the ideal threat is. So I could say you have a huge vulnerability in your environment; well, what's the likelihood? And then of course look at the impact as another part of that. And so when you're looking at risk management in general, it's not just buying insurance, it's not being able to say "oh, we'll just deal with that later"; it has to be a methodology that you're applying in your environment to make sure you're dealing with risk in an appropriate manner.

All right, so then what have you got? So you've got several frameworks to follow. One of the things that I'm a believer in is methodologies. Now, I don't say you can run a hundred percent off of one of these methodologies that are out there, but there are some great resources out there that you can go in and grab. So you can look at, for example, with regards to risk, you can look at some of the NIST 800 series; there's a lot of good stuff in there, some of it's out of date obviously, but you can look to apply some type of methodology and make it work for your business, and that's definitely a road to go. We looked at the CIS controls earlier; I mean, there's NIST 800-53, which deals with security controls for your environment, so that's definitely something to look at. As well, there are a lot of cool things in the NIST standards that you can evaluate for your business and see if there's anything that sticks.

Now, as we move around the corner here and kind of look at some of the stuff that I personally like: a lot of times it comes to the discussion of, is it that I want to be a red teamer, or do I want to be a blue teamer, or somewhere in the middle, maybe purple team or something like that? For me, you know, it started out as a red teamer; I wanted it to be nothing but being able to break and bang on stuff, but now, as I get a little older and I start wanting to understand things more, I'm in the middle, right? So I like to be able to understand both the red side and the blue side. You don't have to pick a side in most cases, unless that's your designated job, and even if it is your designated job, you can still learn from both sides of the puzzle. And so I think it's an extremely important thing to not have these things that Diana was talking about this morning, the use of things like silos, or maybe it was Frank, I can't remember. That's an extremely important and valuable solution for us in information security today: to start breaking down some of those silos.

So what is ethical hacking, or hacking? A lot of people put that term out there, and a lot of times the term hacking itself gets a very, or people think of it as a very, derogatory term. It doesn't have to be; "ethical" doesn't have to be the word you use with it. In general, hacking is being able to take something apart to the point that you understand what it is doing, and understand more about what you can do to manipulate it and modify it.
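The hard-coded credentials and API keys that the reconnaissance discussion above warns about are something a defender can catch before code or configuration is pushed to the internet. The following is an added example, not code from the talk or from any tool the speaker mentions: a small Python pre-publication scanner that flags AWS access key IDs, private-key blocks and high-entropy credential assignments, while ignoring values that are read from the environment or are obvious placeholders. The sample file content is constructed for this example; the AWS key in it is the documentation placeholder AKIAIOSFODNN7EXAMPLE, treated here as if it were a leak.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# What we look for: cloud access key IDs, private-key blocks, and credential
# assignments whose value looks like a real secret.  Patterns are constructed
# for this example and are deliberately narrow.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_HEADER = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)\b([A-Za-z0-9_.-]*(?:api[_-]?key|secret(?:[_-]?access)?(?:[_-]?key)?"
    r"|passw(?:or)?d|token|private[_-]?key))\s*[=:]\s*['\"]?([^'\"\s,;]+)"
)
# Values that are not literals: environment lookups, template variables, placeholders.
NOT_A_LITERAL = re.compile(
    r"(?i)^(os\.environ|getenv\(|env\(|\$\{?[A-Z_]|<|\{\{|changeme|xxx+|\.\.\.)"
)

# Constructed sample of a config file about to be pushed to a public repo.
SAMPLE = """\
# constructed sample of a config file about to be pushed to a public repo
DB_HOST = "db.internal.example"
DB_PASSWORD = os.environ["DB_PASSWORD"]
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
api_token: "9f2c1e8a7b4d4c0e8a1b2c3d4e5f6a7b"
password = "changeme"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAconstructedkeymaterial
-----END RSA PRIVATE KEY-----
"""


@dataclass
class Finding:
    line: int
    kind: str
    evidence: str   # first 4 characters kept so the owner can locate it, rest masked


def shannon_entropy(value: str) -> float:
    """Bits per character: random keys and hex tokens score high, words score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text: str, min_length: int = 8, min_entropy: float = 3.0) -> list[Finding]:
    """Scan file content line by line and return the secrets that should be removed."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(number, "aws-access-key-id", redact(match.group(0))))
        if PRIVATE_KEY_HEADER.search(line):
            findings.append(Finding(number, "private-key-block", "-----BEGIN ... PRIVATE KEY-----"))
        for match in CREDENTIAL_ASSIGNMENT.finditer(line):
            name, value = match.group(1), match.group(2)
            if NOT_A_LITERAL.match(value):
                continue   # read at runtime or an obvious placeholder: fine to publish
            # Short or low-entropy values are usually words, not keys; skip them
            # to keep the signal high (a dedicated weak-password check is separate).
            if len(value) >= min_length and shannon_entropy(value) >= min_entropy:
                findings.append(Finding(number, f"hard-coded:{name}", redact(value)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line:>3}  {f.kind:<36} {f.evidence}")
```

Run as a pre-commit hook or over a release tree, the scanner reports only a masked prefix of each value, so its own output does not become a second copy of the secret; the entropy threshold is what keeps `password = "changeme"` and environment lookups out of the report while the hex token and the long AWS secret are caught.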
So, if you haven't, and if you're starting in information security, you know, I tell a lot of people: start from a background of understanding some of these protocols. So look at RFC 793, look at RFC 791, look at some of these protocols that define TCP and UDP and ICMP, because that's really, when you look at hacking, what we're doing: we're taking those protocols that are already ingrained and very well used today and we're manipulating them. So that's really what hacking is: it's the ability to kind of take something that's already in existence and modify it.

Right now, when you look at the types of attacks that are out there today, I just picked a very fine few that are out there. Denial of service, distributed denial of service, and so again, it could be protocol manipulation; maybe we're looking at the app server and doing some type of Slowloris variant type of denial of service or whatever, or maybe we're doing some type of brute force where we're doing, like, user-side denial of service. We've got lots of different types of denial of service attacks that are out there. A lot of attacks today are in regards to being able to implement social engineering. We'll do spoofing or masquerading as an attack. Another attack that's very popular today is man-in-the-middle, so in order to do a man-in-the-middle attack, the first step of it is ARP spoofing, so we go through the process here of manipulation with each one of these. And then we've got great tools, like, from Black Hills Information Security, MailSniper, right, being able to do, you know, password guessing, basically, is what it's doing; so you can feed it a password list and a bunch of users, or a password and a bunch of users, and you can go through and, you know, access Outlook or Exchange, whatever it is. So lots of cool attacks, and that's one cool thing you'll see in information security: you never get tired of researching or looking at the various different attacks that are out there. So we look at the attacks, we learn about the attacks, we learn about how the attacks are being implemented, and then we start looking for controls: what kind of controls can we put in that resource environment to mitigate some of these types of techniques?

All right, so I picked another particular type of attack that's very useful today: social engineering. Social engineering works 100% of the time, most of the time. So ideally, this particular attack is just human manipulation. So you're going into a targeted environment, you're looking at some of their social media, maybe LinkedIn, because we don't put anything fake on LinkedIn, and then you're trying to manipulate that person into doing something, where they don't understand how sensitive it is. It might be disclosing a password, or just giving off a handful of attributes about the company that help that social engineer to be able to access that company a lot easier. Today, some of the tactics we like to use, at least that I've done in the past, very popular to use some of these: so you'll go in and you'll send an email, and it'll have something like, well, here, I'll show you some of the phishing stuff I was going to show you in a second. It'll have something like this, where it'll say, in order to access this particular document you've got to enable content, right? Or, you know, "oh, I sure need to read this document, this presentation, or whatever it is, because it was sent to me by this person that I trust within the organization", or at least it looks like someone I trust. So I click a link, and then by clicking that link it gives me access to that particular user in that environment, and that's all an attacker is looking for: a pivot point. So you get the first beachhead into the environment, and then from the beachhead you start the pivot, and pivot all throughout the organization using a variety of different types of tools. And so, you know, maybe something as simple as sending a phishing email, right, could be a good example of social engineering today.

Of course, as we talked about, ransomware is on the rise; it's becoming more and more of a huge problem for a lot of organizations today, and there's really not a lot to get to the point of fixing it. Now, Windows 10 does have protected containers, which is a new feature that they enabled in the Creators Update that they just released here, so that's something in the right direction, and some of the other options that they're doing, even though they're terrible for privacy, are in the right direction, with micro-virtualization and some micro-kernel virtualization that they're doing in Windows. But we're also still getting the simple stuff, right, like I said: just getting something, you click on it, and then BOOM, the organization is compromised through that clicked link, yeah.

So attacking ICS is another big problem for us today. As we start to look at things like BlackEnergy, I'll let you guys read that for a second. So BlackEnergy, from Ukraine, and some of the issues that they've been having there recently, they're kind of all fathered around the Stuxnet worm, and it's getting worse and worse. And so we're at the point now, with critical infrastructure and/or IIoT, that we're starting to see more and more attacks using that particular platform of choice. So until we understand better how to protect around these systems and add controls around these systems, things like patching, that's going to continue to be a big problem for us. And zero-days are there too, so you look at Stuxnet as a classic example of using multiple zero-days to compromise organizations.

So what are some of the other issues that a lot of organizations have? Big ones: policy weakness. So you'll go into an organization, I'll just give you an example here: if I'm on an engagement, I'll go in there and I'll ask them, "oh, you want us to look at and review your policies for anything that stands out, things that you should be looking at and implementing that you're not?" So it all starts here, right: a person is not implementing an acceptable use policy with email, and then they wonder why their employees are signing up for Dick's Sporting Goods with their company email, and they're wondering why they have a massive problem with spam and other things. And so the issue here that I see a lot today is there's no policy around something, nothing that governs resource access, nothing that enforces what the consequences are if you violate policies today. And so you'll even see, you know, change management and some of the turnover be a part of this as well. So people leave organizations and they still have access to email six months later down the line, and so that's a big disconnect for a lot of organizations today: making sure that they apply a policy that is enforceable and understandable throughout the organization.

Access controls are a problem too. So we'll implement some fancy system, but until after its provisioning phase, whatever you want to call it, it's disabled, even though we've spent a lot of money, and of course one day the service technician will come in and he'll turn it on and we'll get trained on it, and then that's another year later after we've had this device that was supposed to be helping us in the first place with security. So those types of things are real-world scenarios that are out there, for sure. And then things like not properly planned segmentation. So one thing that'll happen a lot, and it's a really cool attack, Kerberoasting: you'll have an organization that creates a service account, and it's managing SQL, managing SharePoint, or whatever it is, and they're using one standard password that's got domain access in the environment, and then you go off and Kerberoast that environment. And the problem here is now you have no segmentation, and crappy passwords, and so it's easy to crack those passwords, and now I've got access as SYSTEM or access as a service account that has higher privilege in the organization. So there need to be more policies, I know that's something nobody wants to hear, that are not only concise, not only understandable, but also enforceable in organizations today.
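The Kerberoasting weakness the speaker describes comes down to three conditions on a service account: it has an SPN (so a service ticket can be requested for it), its password is old or weak, and it holds more privilege than the service needs. The following is an added example, not code from the talk: a Python audit over a constructed export of Active Directory user attributes (the account names, SPNs and dates are made up; the attribute names servicePrincipalName, pwdLastSet, memberOf and msDS-SupportedEncryptionTypes are real AD attributes) that flags the accounts a defender should fix first, with the remediation each finding implies noted in the comments.

```python
from datetime import datetime

# Bit values of the msDS-SupportedEncryptionTypes attribute (Microsoft's documented values).
RC4_HMAC = 0x04
AES128_CTS_HMAC_SHA1 = 0x08
AES256_CTS_HMAC_SHA1 = 0x10

# Groups a service account should never sit in: a cracked ticket for one of these
# hands over the domain, which is the "higher privilege" problem in the talk.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
    "Account Operators", "Backup Operators",
}

# Constructed stand-in for an AD export; names, SPNs and dates are made up.
AUDIT_DATE = datetime(2017, 11, 1)
ACCOUNTS = [
    {   # shared "standard" password set years ago, and in Domain Admins: worst case
        "sAMAccountName": "svc_sql",
        "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
        "pwdLastSet": datetime(2014, 3, 2),
        "memberOf": ["Domain Admins"],
        "msDS-SupportedEncryptionTypes": 0,      # unset: RC4 tickets still issued
    },
    {   # rotated recently, AES only, least privilege: nothing to report
        "sAMAccountName": "svc_sharepoint",
        "servicePrincipalName": ["HTTP/sp01.corp.example"],
        "pwdLastSet": datetime(2017, 9, 15),
        "memberOf": ["SharePoint Service Accounts"],
        "msDS-SupportedEncryptionTypes": AES128_CTS_HMAC_SHA1 | AES256_CTS_HMAC_SHA1,
    },
    {   # low privilege, but stale password and RC4 explicitly allowed
        "sAMAccountName": "svc_backup",
        "servicePrincipalName": ["backup/bk01.corp.example"],
        "pwdLastSet": datetime(2016, 1, 10),
        "memberOf": ["Domain Users"],
        "msDS-SupportedEncryptionTypes": RC4_HMAC,
    },
    {   # ordinary user: no SPN, so no service ticket can be requested for it
        "sAMAccountName": "jdoe",
        "servicePrincipalName": [],
        "pwdLastSet": datetime(2013, 5, 5),
        "memberOf": ["Domain Users"],
        "msDS-SupportedEncryptionTypes": 0,
    },
]


def audit_service_accounts(accounts, now=AUDIT_DATE, max_password_age_days=365):
    """Return (account, finding, detail) triples for SPN-bearing accounts that are
    roastable in practice: stale password, over-privileged, or RC4-capable."""
    findings = []
    for acct in accounts:
        if not acct.get("servicePrincipalName"):
            continue  # only accounts with an SPN matter for this check
        name = acct["sAMAccountName"]
        age_days = (now - acct["pwdLastSet"]).days
        if age_days > max_password_age_days:
            # Fix: rotate to a long random password, or convert the service to a
            # group managed service account so the password is machine-generated
            # and rotated automatically.
            findings.append((name, "stale-password", f"{age_days} days old"))
        privileged = PRIVILEGED_GROUPS & set(acct.get("memberOf", []))
        if privileged:
            # Fix: segment; give the service its own least-privilege rights instead.
            findings.append((name, "overprivileged", ", ".join(sorted(privileged))))
        enc = acct.get("msDS-SupportedEncryptionTypes") or 0
        if enc == 0 or enc & RC4_HMAC:
            # Fix: set the attribute to AES only.  RC4 tickets are keyed directly
            # from the NT hash, while AES keys go through PBKDF2, so RC4 tickets
            # crack far faster offline.
            findings.append((name, "rc4-allowed", f"encryption types {enc:#x}"))
    return findings


def worst_first(findings):
    """Order findings so over-privileged accounts are remediated first."""
    rank = {"overprivileged": 0, "stale-password": 1, "rc4-allowed": 2}
    return sorted(findings, key=lambda f: (rank[f[1]], f[0]))


if __name__ == "__main__":
    for name, kind, detail in worst_first(audit_service_accounts(ACCOUNTS)):
        print(f"{name:<16} {kind:<16} {detail}")
```

On a real domain the records would come from a directory export of the same attributes; the ordering in `worst_first` reflects the talk's point that the segmentation failure (a service account in an admin group) is the finding that turns a cracked password into a domain compromise, so it goes to the top of the list regardless of password age.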
then also other stuff too so you can see here a non-existent incident response plan or nonexistence disaster recovery plan what's the number one way you're probably think in your head to fight this thing called ransomware well maybe have a good backup or have a strategy for disaster if something happens I'm just thinking out of the box you know so we still have human error and there's no way to get around this it's a huge step right for an organization to change the behavior of the employees for the organization becomes a huge hurdle for any organization that has to look at this so we have to get management on board like they were talking about here earlier
upper level management and having incentives as another big process to this and maybe it's not that we have security awareness training once a year maybe it's an ongoing effort that continually tries to make adjustments and tries to make incentives and changes to the organizational employees to to move the needle a little bit in that direction and we have to have metrics we have to have ways to measure the effectiveness of it so what do you do well you assess right so you've gone through all this security awareness training how do you know what's working you assess right some of those to see if that actually is working are you changing the attitudes are you changing
behavior of the employees and then the configuration weaknesses this one's aggravating a little bit so obviously I understand every service that we use pass configuration every technology that we use has a some kind of said default I understand it but the problem here becomes more and more you see that those defaults are getting us into trouble so here we might not have applied a patch that turned off something that we should have turned on or turned off scuse me Oh or maybe it's a something that is being turned off that actually helps us right and as a layer of separation between maybe standardly run processes and elevated run processes and so those types of things are huge and what you
see is a lot of this right so we move things to the cloud and you know there's tools out there on the cloud but we move the same crap from on-prem to off prem and in this case we'll call it today we just expected it'll be more secure because hopefully that vendor has their stuff you know up to date and their stuff in this case lockdown which is not always the case so you're still seeing lots of verbose error messages lots of defaults lots of issues within organizations today and it all boils down to defense-in-depth now I understand as we said the perimeter is changing but that doesn't mean you still can't have this methodology of
defense-in-depth so take those see is on top critical xx controls that we can apply in an order is a start with number one right number ones pretty simple right maybe not I don't know no what you got right you can't protect what you don't know you got right so you've got to go through and evaluate what's out there in your environment and then focus on authentication are we doing multi-factor authentication or are we doing things or everything that we can to evaluate the privilege for resources and users in the environment so is there a standard you know group on it right or user behavior monitoring in the environment these are all great things that you can apply takes a lot of
work but these are the things that we have to do to get better as an industry and of course I like this part this is my fart so penetration testing one of the things about pen testing that's kind of unique and kind of interesting all the same is it never gets old there's always new ways to manipulate different types of protocols right or always neat tools that you can learn about or build yourself your own tools and so why do a pen test well one it prevents or it kind of reduces hopefully the chances of a breach having a very very large impact in organization so it does help a little bit there but think about it like this a
pen test if you're given a week if you're given two weeks it's a very small format so you're only gonna get a little taste of what the resource really is in that environment and so it's not a replacement full full system security and your environment should be the last series of controls you have sometimes you'll do it to meet compliance so that's also another very big reason that a lot of organizations get pen tests at least on a yearly basis it should be a part of your standard software development life cycle so as a part of that you should be looking at the threats that that adds as you add new features into your software systems and
again the cool thing about this is it is not an exact science so you can feel free to reach out and go outside of the box so to speak and so when we look at methodologies and information security we should think of it like a framework right or skeleton we add all these cool parts on that make it much much better and so when you look at hacking yeah its recon yet scanning gets exploitation post exploitation and then writing the report but it's much more than that that really is just this the skeleton of what kind of comes all around it and so you know when I look at pentesting today and and and hacker methodology these are some of the
types of tools I like. It might be hard to see from that list, but of course Recon-ng is probably one of my favorites, as well as SpiderFoot, as recon tools. Now you can use a ton more, right? Shodan is a great place to go. Josh mentioned the OSINT Framework earlier; that's another really great place to go. Michael Bazzell's website and some of the tools he has to offer are a great place to go to learn about OSINT, all right, and being able to do effective recon. In addition to that, after you get through your recon you find email addresses, you find phone numbers, you find all that good stuff that can be used to link and attribute relationships of employees within the organization.

Then you get to scanning. So scanning is kind of fun. You can use various tools for scanning: you can use Nmap, you can use Unicornscan, you can use hping, you can use any kind of packet crafter you want, you can use Scapy. So these various tools help you to poke and prod, as well as do some enumeration of your service domains, so understanding better what version of this or that they're using within the environment. And then it comes to exploitation. So the cool thing is, go to Exploit-DB, look around, right? After you've discovered what's there you might find an exploit on Exploit-DB that you can craft to be your exploit that you use to go after an organization. Now you can use a ton of other tools as well: you can use Cobalt Strike, you can use Metasploit, you can use a variety of different other tools for exploitation. The idea there is we want to take advantage of the vulnerability, we want to plant a payload in the resource environment, and then we want to utilize that as we go through and pivot and pillage. So just a taste of that.

These are some great sites. I did a talk last year here on hiding from the internet; it was a real good experience. If you ever get a chance, go to Justin Carroll's website. He has a 30-day security checkup; it's kind of a challenge that he has there that kind of walks through how you can be less internet-visible, and so it's kind of neat to do stuff like that, and there are lots of good resources out there. But, you know, going through this list here, Spokeo or Pipl or, you know, some other ones that are listed here, what am I going to find? Well, I'm going to find out a lot of information about employees within the organization: what's their job role, I'm going to find out things like their email address, I'm going to find out relatives. And what happens a lot of times is you connect the dots with a lot of this information. You can use something like DNSmap for finding some other information through reconnaissance. There's lots of domain crawlers out there like DNSdumpster that are really good at mapping out an organization and some of the things like subdomains, and trying to link some of those. And then going through simple stuff, so some of this is what I like to do, is Google hacking, right? It's amazing. I go to the Google Hacking Database literally twice a week at least and kind of look at some of the different new ones that are listed and published out there. So this one right here basically goes through and looks for SharePoint sites within organizations. Now, I don't know about you guys, but I hate SharePoint. It's a great target, I'll say that much, but a lot of organizations put a lot of money and time and effort into using SharePoint today; there's a lot of open stuff out there by using SharePoint, so I target that one a lot. LinkedIn: try to search for employees within organizations. A lot of the stuff that you put on LinkedIn is real stuff, so that's why I like LinkedIn so much, because you're not going to fake stuff there as much. And then you could always build yourself a social profile that's less connected to you. You can use things like the Sudo app; it'll give you a phone number that's
anonymized, it'll give you an email address that you can use, and some of those things you could use as well. There's lots of options there; privacy.com might be a good place to go. And then OSINT: some of the information there I get a lot of times is by going to sites like inteltechniques.com and looking at some of the links they have.

All right, so here is the grand finale; we've finally reached the climax, so to speak. So how do I get into InfoSec, right? Ultimately, all the other stuff I was just talking about was all the cool things you get to do in InfoSec, right? So what makes InfoSec so cool? Like I said, you don't think of it as a job, right? With any type of job you have, it's "gosh, I really have to go to work today," right? Or you think of it as a job: "gosh, I got off work." That's really not something you want to be; InfoSec will burn you out in those cases. So you definitely want to be passionate, you want to be excited about the career. One of the cool things about InfoSec, like I said, is it never gets old. There's always something new around the corner that you can poke at and prod at, new tools, new techniques, all these fun things. Someone said this in their talk a couple of years back at DerbyCon, and they shared that it was extremely useful: information security is thought of as a journey, not a destination. So ultimately, like I said, you'll say "I want to be in InfoSec," but that's like saying "I want to be a doctor." You can't be all of that in one person; you have to kind of focus on something you're interested in, really, and dig deep. One of the most important things you can see, and like I already mentioned, you can go to those RFCs, 791, 793, some of those ones that are the core networking protocols that are out there today. Dig into those, because what you're going to do as an attacker is you're going to start manipulating some of those different protocols that are out there.

I don't have any with me; I usually show up, I usually drink a lot of Rockstar, not a lot, but once a day at least, so you've got to have a lot of caffeine. So that's one of the cool things in information security that keeps you going, kind of the lifeblood of information security today. You also have to be technically adept. And so one of the cool things, you know, I wasn't really always a Windows person; I started kind of doing Windows server and server administration and I kind of moved into the security side. So anybody that is interested in security, it's hard to say that you can kind of just start out and maybe you can just go into information security. Understanding protocols, understanding how the network works, troubleshooting, system administration, those types of things really build on top of each other when you get into information security today. But you have to love to tinker; that's one of the important things about information security today. So these are some of the skills. What questions would I ask, right? I would say what moves you, right? What are you passionate about? What wows you? Those are the things that, you know, you get to explore as an information security professional. You read a lot, right? I'm always constantly looking at new blogs, or I'm constantly looking on Amazon for books to find new books that I'm interested in, and I want to learn about everything, as much as I can get my hands on. So you'll read a lot. Watch a lot: so Irongeek makes a lot of his videos available from all these conferences; his website will be your best friend, as well as YouTube, right? There's a lot of good BSides on YouTube, there's a lot of good conferences on YouTube. You know, even if you're a Microsoft person, you try to get in; Microsoft puts a lot of their Ignite stuff on YouTube, so there's lots of stuff there that you can watch. And then participate, so practice a lot: come to these events, go to CTFs, try to find a local meetup, you know, those types of
things. And then once you get to that point you start teaching a lot and trying to kind of present this information out there for everybody to consume, trying to become a mentor. Those are also very key things to, you know, pushing this InfoSec, information security. Love to solve puzzles, right; persistent, passionate: those are all keywords that a lot of people in InfoSec say you need to have to be successful in information security.

Podcasts, right? So I'm a podcast junkie, right? I'll be honest with you guys, there's lots of good ones out there. There's some in my notes I didn't even mention. I mentioned to you guys Chris Sanders' Source Code podcast, of course; I already mentioned Irongeek's YouTube channel. The Complete Privacy and Security Podcast from Michael Bazzell is another really good one if you're more privacy-prone or you want to learn more about OSINT. So maybe you've got that, you know, long commute in the morning or in the afternoon; you could use something like that as a place to kind of learn something, or, you know, catch up with things, or if you're cutting the grass or whatever the case may be, cleaning the house, those are the types of things that you can use these podcasts for, to fill the gap, right? So I think podcasting really helps a lot, especially, you know, I like to get reading and/or listening and/or participating.

Do your research, right? I already mentioned the RFCs, right? You can go to a whole bunch of other sites out there on the internet and find out information about particular vulnerabilities. Here recently I was just doing some research on EternalBlue and EternalRomance and some of the vulnerabilities that came out this year, so learning more about how those particular vulnerabilities arose and building your own exploits right after that point. And so I would definitely say that in information security you'll find yourself researching a lot of things, so using some of that, you know, maybe using some of these like the Verizon Data Breach Report as a good litmus test to find out, you know, what the current market is, where everybody is at. So some of that is definitely a part of it. Being able to look at blogs: like literally at least once or twice a week I'm opening up like, I don't know, 50 or more tabs in Firefox or Chrome and just reading through all the various different types of security articles and blogs that are out there. There are a ton of really good ones out there; Information Security ... a daily blog, so you can go to that one, that's another one I didn't put in the list but it's in my notes. A lot of the subreddits, I love those, man, they've got good hacking ones, they've got good anti-forensics ones, computer forensics ones; there's lots of good subreddits out there. But find some easy-to-digest type of tool that you can go through these different blogs and learn information through. Different security books: I already mentioned security books. There's so many of these I'd say buy a Kindle, because I used to have a bookcase full but it just got too full, so what's the next step, right? Just kind of getting it in more of a digital format. So a Paperwhite is the one I like to use, but you can find another one. Palo Alto Networks has their Cybersecurity Canon; definitely go check that out. It basically is a list of cool books to read, and they even kind of do a little award ceremony for some of the different books that are out there. So find some good books; there are tons of them out there. Or write your own book; it's easy to self-publish today.

Training: so you can go to training at conferences, you can come to a local group meetup. Training at ColaSec, um, I did a class on Wireshark, a one-day class on Wireshark or whatever it is. So go to the meetups, find out if there's anything offered there. Maybe go to paid training, so there is some of that. I know at the place I work at we do lunch-and-learns; now they're not recorded online or anything like that, but that'd be something that you could use as another option. And this week actually I'm doing one on building an incident response program, so those types of things. Go to those free learning events, find free learning online, so there's lots of options there. Go check out webinars; I know Black Hills Information Security does some. Find meetups. Look at the certifications. Now I don't see certifications as everything, even though I do teach certifications to some of the guys, but it's a great opportunity to disclose lots of information and be able to kind of get a line on how well you think you're doing as far as some of the information that's out there. Lots of options online as well; Cybrary is another really good resource there for online free training. Of course you could go the route of certifications. Like I said in the beginning, I don't really use certifications as a crutch; I like to use certifications now as a way to understand how to better help my students that go through some of my certification classes. So that's really the only use of certifications to me today, but it demonstrates a working knowledge of the information that you have; that's probably the most important part of it. You know, it could be a career differentiator for you, and that's a reason that a lot of people go to
certification classes. They're going to try to get a job somewhere; certifications are a must for some of that stuff, established best practices, etc., etc. Go to conferences. Well, if you can't go to a conference, I mean, we have BSides Charleston, we have BSides, now it'd be Greenville, coming out in December, we have BSides Augusta, BSides Charlotte, BSides Asheville, so there's lots of BSides around. But then there's also conferences that are held that are larger conferences as well, so go to some of those different conferences that are out there. CarolinaCon in Raleigh is a really good conference. So those types of conferences: try to get out and meet new people, and networking and stuff like that.

Another big part of it, I'm not going to sugarcoat it for you guys: you've got to build a lab. So every student that comes to my class, I ask them what their lab looks like. It's great as an interview question; if you're interviewing someone you should ask them plainly, what does your home lab look like, right? Because you're trying to understand how passionate they are about learning things and applying new things in their information security career. So I definitely think it's huge. There's lots of good resources there. You can participate even if you can't afford a lab right now; you can participate in online CTFs, some, you know, some of the government ones, RingZer0. I find myself every Saturday night going and kind of looking at RingZer0 and working on some of the challenges there, so there's some really good resources out there. Go to a meetup CTF; we did one at ColaSec. Those types of things, you learn a lot through those resources. It's easy to get images. A lot of people don't know, I don't know why, but Microsoft developers have a site called modern.ie. You can download Windows 7, Windows 8, and I think Windows 10, and basically they're VMs. So if you're trying to get a Windows VM, download it, and you can pick VirtualBox or VMware; VirtualBox is free, and you can have that for a certain period of time. Now you can use it for testing and then of course, you know, move on from there. But there's also lots of great Linux distros out there, so one of my favorite sites is VulnHub, right? I go there at least once a week and kind of see what some of the new vulnerable app images are out there that I can download and pound on and bang on, excuse me. So that's a really good one. Of course OWASP has a lot of broken web app projects; we just did a class here on recon, search-and-destroy, for OWASP Columbia and Augusta, and we were using one of the OWASP vulnerable web apps. So lots of good resources out there. And of course, even with the use of things like, you know, Kali, Mint Linux, it makes it a lot easier. There are other solutions out there for hacking distros though; I, you know, try BlackArch Linux, that's another option, it's got even more tools than Kali Linux does, or Parrot pen test, or some of those other solutions out there. And again, Kali is kind of the gold standard, so to speak, but there are other options out there you play well with.

And then lastly here, kind of learn to code. So notice I didn't put this first. You know, I'm kind of biased towards things like PowerShell and Python, and I didn't want to feel like, you know, putting this up front, especially if you're new to information security, that you've got to learn coding right away. I definitely think it's a part of your path to being a better information security professional, but it's not the first thing you have to do, learning how to code. So the two primary languages you probably want to focus on are Python and PowerShell. Every PowerShell class I teach I tell everybody: go to the PowerShell Survival Guide, just Google it. It's a bunch of good resources that are put up there from Microsoft that provide you videos and tutorials and a lot of things if you're trying to learn PowerShell and get going with PowerShell. And of course Learn Python the Hard Way, or some other different resources out there for learning Python and helping you on that Python journey as well.

All right, that's it, guys. Appreciate your time. Any questions? I think I did pretty good there. Questions, please. I will tweet them out, I guess; I don't know how they do slide management here, but, um, I'll probably tweet it out, um, or here, there you go, how about that one: you can email me right there, and if you want it I will send it to you guys. Thank you for your time, I appreciate it, guys. If there's some more questions or you want to stick around and chit-chat, please feel free. I teach in Columbia, South Carolina, at a place called Training Concepts. We do a wide variety of different types of training. Not fly school? Yeah, yeah, I mean I'm up for anything. There's nothing, I mean I can't do it through Training Concepts, but I'll do anything outside, sure. All right, thanks guys.