
Morning, everybody. Thanks for coming. Everybody get their coffee? Hopefully. Yeah, I did. I'm probably going to wish I had brought more. Really excited to be here. Thanks for coming. Really excited to be speaking at this event. This is a really awesome event, I'm sure. How many folks have been here? Is this their first time at BSides Delaware? That's a lot. That's a lot. That's great. That's really good. Yeah. My first year was three years ago. It was really great. I love the event. I love how passionate everybody is here and how kid-friendly it is, really. My kids are a little young for this, but in a few years they'll be interested in some of the events that they set up. So that's really cool.

So, today I'm going to be talking about cybersecurity effectiveness. I'd really appreciate it if folks would be willing to raise your hand, ask questions. Don't throw anything, ideally, but get my attention. I definitely want to have a dialogue and hear your experiences. So how many folks here work in IT security within an organization? Decent percentage. And are there any consultants? Anybody do IT security consulting? So some of this -- I do IT security consulting, and this is basically just what I've learned over the years is an effective strategy for helping organizations really determine whether or not the work that they're doing with their cybersecurity program is time well spent, money well spent. Oh, I've got this clicker, so see how it goes.

This is me. This is a little bit about myself. CISO and founder at Rule4. Like I said before, we do cybersecurity consulting. Drexel Dragon. My wife is a Drexel Dragon too. She won't admit it. She got her second degree at Drexel, but she's a Blue Hen at heart, so she's much more of a Delaware fan. Cat lover and ex-theater geek. As you can see, this is what I spent my youth doing. I didn't get into IT until I was in late high school, and I didn't know that hiking was a special ability, but you can put anything you want on a resume or on a headshot.

So I've been helping clients with their IT security strategy for over 10 years now. One consistent theme that I've seen is a lack of metrics, a lack of an ability to define success within cybersecurity. It's always been a challenge, right? Most business units are required to have some sort of a metric to say, here's my plan for the year, here's how I'm going to define success over the next year, two years, three years, five years. And cybersecurity has always struggled with that. It's one of those, you know, it's like being a ref, you know: nobody notices you until something bad happens, right? And I don't necessarily feel that that's fair or true. I think that there are methods that you can use to try to create some level of measurement, and that's what we're going to talk about here today. I even had a client the other day ask me, hey, can you send me some talking points for this assessment we want to do so that I can share that with my boss? It's a challenge for us to convince people that the time that we're spending and the money that we're spending and the projects we want to do are worthwhile, that they're things that we should be spending our time and money on. And what I'd like to do is I'd like to help our clients be able to do this, be able to measure this, the effectiveness of their programs, be able to communicate the purpose, the reasoning behind their initiatives, without hiring us to help them, necessarily. This
is my Thanksgiving tie-in. So my takeaway, so my basic point here, is that when it comes to measuring return on investment, key performance indicators, effectiveness as a whole for cybersecurity programs, we're mostly just winging it, right? We don't really have a strong way to actually communicate to management, hey, this is how we're effective in our jobs. Like, this is how we define success. Other than, you know, no breaches, of course, right? Like, we haven't had a breach this year, that's a success, sure. But how else can we measure whether or not we're effectively using our budget, or the projects that we're choosing are the right ones?

So a few definitions, terms that I want to make sure we're all on the same page about while we go through this journey. Effectiveness is to produce the intended or expected result, right? I think it's given up. Oh, here we go. Efficiency. So efficiency, so one definition: the ability to accomplish your job with a minimum expenditure of time and effort. I think we all get that, right? I'm going to tie efficiency into the effectiveness conversation because I think they're really closely related, especially with what we do in IT, and IT security is an extension of that. I like this definition better, and I'll tell you why: the ratio of work done or energy developed by a machine compared to the energy supplied to it. And the reason I like this definition of efficiency better in this context is when we're talking efficiency within IT, a lot of times we're talking about leveraging automation, leveraging technologies to be efficient. So in my mind, it does function a lot more like this kind of a definition of, is our system working efficiently? So I created this definition of cybersecurity effectiveness: the ability to measure the value and success of a cybersecurity program against organizationally relevant metrics. And in my mind, that's what we're all striving for. And I think that my goal here will be to express to you what I feel like is an effective method for doing that.
A little bit of stats about this area in general. A third of companies -- this is Thycotic's State of Cybersecurity Metrics report, which is basically a survey of executives in CISO and CIO type roles. So a third of companies invest in technology without a way to measure effectiveness. Four out of five companies are not satisfied with their cybersecurity metrics, which makes sense: if a third of the companies aren't even investing in or measuring effectiveness in the first place, you can't possibly be satisfied with your metrics. You don't have any. Four out of five fail to include business stakeholders in cybersecurity investment decisions. And that's going to be a theme too, we'll talk about, is working across teams. And 75% don't even know where their sensitive data is located. And that's kind of a -- I mean, if you don't know where your sensitive data is located, it's going to be really hard to have a cybersecurity program that's effective, much less measure the effectiveness of it. So I thought those were interesting. I imagine that 2018 won't be much different. I do not want -- that is not the state we want to be in. As fast as technology is moving and changing, as more and more connected we get, as we start moving into these IoT realms, as we start leveraging technologies that we understand even less, like machine learning, it's going to be critically important that we have an understanding of how we can measure that the work we're doing, which is incredibly important, is effective. So not only for our own selves, so that we can feel like we have an understanding and a grasp of what we're trying to accomplish, what our goals are, what our indicators of success are, but also so that we can make an argument to leadership to say, hey, spend the money. This is worthwhile. We're doing a good job.

Those orange slides, I'm sure they're blinding you as well, but they're really blinding coming out of the -- thank you. Yeah, no, it's good, right? Yeah, I'm going for that. This is the only way I'm ever going to get a tan.

OK, so we're going to go through a couple scenarios here, right? So there's two scenarios I'm going to talk through. They're generic. They're obviously not all-encompassing. But the idea here is to set the stage a little bit about what organizations are doing today. OK, so step one, a typical cybersecurity program: find a checklist or a standard to start with. So can folks just start shouting out checklists that they use, or standards that they're familiar with, cybersecurity standards? And I'm going to throw candy at you to get you to engage. RMF. Who else? Let's see how well I can throw. PCI? Ah! Wow, these do not -- these don't fly well. FISMA? I should have picked candy bars or something. What else? NIST? Ah! Wake up, everybody. It could be coming your way. Anybody else? HIPAA, right? The Cybersecurity Framework. What was that? HITRUST. HITRUST. Critical Security Controls. Jesus. Okay. I'm going to stop there before I hurt somebody.

So we all know the security standards, right? Whether they're regulatory standards, compliance standards, or just generic IT security standards that we can apply as we choose to apply them. So we pick a standard, follow that checklist or standard, and profit. That's how it works. So as long as we have a standard, we're OK. And I think everybody -- I don't think this is anything that people here think is crazy. Tell me if you disagree with me. I mean, for sure, compliance does not equal cybersecurity. It does play an incredibly important role. That's where the caveat is.
Not alone, not by itself. But I think for a lot of organizations, that's OK. So what are we going to do? We're going to -- so we have credit card security. We're going to follow PCI. We are a healthcare organization. We'll follow HIPAA, which is fairly a standard, really. So that's one scenario. So I wrote an ode to security standards. I'm not going to lie. I actually just went online and found a poem creator. Security standards have their place. They're important. And we'll talk a little bit more about how they fit into that cybersecurity effectiveness model when we get a little further down.

Scenario two: find the next hot tech product, right. No, machine learning is going to fix all of our cybersecurity problems, right. Find the next one, install it, right? Maybe you pay the vendor to help you install it, or maybe you do it on your own. Maybe you have the skills in house to tune it correctly, maybe not. It just depends, right? But a lot of times we're being driven by something that somebody at the executive level heard, a term. We went and saw some vendor reviews, or went to a conference and had some vendors talk to us about their products. And what we're trying to do is we're trying to solve problems, but we're solving them, in this case, by finding a solution, putting it in place, and hoping that that gives us what we're looking for from a protection perspective. But products don't equal cybersecurity either, not alone. They have a place, are important to have access to, whether they're a product you pay for, whether they're SaaS, whether they're on premise, whether they're open source or not. We have to have a suite of tools in order to be effective at our jobs. But if we start by looking for a product and then go figure out what problems it can solve, we're going to end up in a state where we are spending money that we don't necessarily need to spend and aren't necessarily effectively protecting our environment. I didn't even -- I was going to do a limerick, and then I realized that it's not something I'm any good at.

OK, so those are the scenarios. I just want to kind of set the stage. And I see this a lot. In consulting, we are brought in with our clients to help with all sorts of problems, whether it's picking a product. Sometimes a client will come and say, help us select this solution for SSO. And so the first thing we'll do is say, take a step back. What problem are you trying to solve? Well, we want SSO. Well, that's not the problem you're trying to solve. You have an identity management problem, or an access management problem, or whatever. Well, what's that look like in your organization before we start laying products over the top of it, right? And so that's kind of the point behind those scenarios: to remind us all, OK, well, we need to start from the right place before we can really leverage things like tools, or before we can effectively leverage standards and compliance regulations. So how do -- you know, share if you want -- how do you measure effectiveness of your program, right, if you're in a place to do that? Like, do you have a method that you use? Do you feel comfortable with understanding how well you're doing with your cybersecurity program? Data-driven, number of firewall blocks, anybody else?
Sure. Absolutely. For you. Right. And how often are they really digging into it, or really understanding what you're putting together, right? Yeah. Yeah. Right.
I love that. I think that's great. And so there's ways that we've figured out how to do this. And we're trying, and we're evolving. I like to think about the folks that are really driving these types of conversations in IT security; a lot of times they taught themselves all this stuff, like I did. I studied some of this in school, and I wasn't a security major. And certainly back then, those programs were not what they are today. And so we're all learning how to do this. Coming from a technical background and then being asked to do something like measure effectiveness, or figure out what is a KPI and how do I use it? Those are all things that don't come naturally, necessarily, to all of us. And some people easier than others, but definitely challenging.

My report says I'm compliant. So that's one we hear a lot. We had somebody come do a report and they said we're good to go. My software security as a service dashboard is green. Clearly, that means I'm good to go. I'm busy, right? So if we're like a fire-drill-driven organization, which many, most are -- I mean, obviously we're all going to have fire drills to deal with, but some are crazier than others. I have some good stories I'm not going to go into now about that, but definitely a spectrum when it comes to that. But, you know, so if I'm busy, I must be -- our program must be working. You know, that's a tough question, right? Like we just talked about. It's not an easy question to answer. Compliant versus non-compliant is one piece of a larger puzzle. Products are tools. They're not solutions in and of themselves. Standards are guides. Regulations, they're scope-limited. PCI cares about credit card security. They could care less if you have availability problems. They don't care. They just want to make sure the credit card numbers are being protected. There's a better way. At least I think there is. And hopefully you guys agree. And I'm super excited to hear your opinions on what we talked about today, and if you think I'm full of crap, or if you have thoughts on ways to improve this. But my goal is to try to help us all think about, well, how could we effectively, more effectively be effective? That doesn't make sense. But how can we really understand what our goals are from a cybersecurity program and be measuring?

OK, so where do we start? Foundations are super important. If you don't start with a strong foundation, a strong understanding of your environment, you're going to struggle to make good decisions. So step one: if you don't have an inventory of your environment -- system inventory, asset inventory, including especially data -- if you don't have a clear understanding of where your data is, what kind of data you have, you're not going to be able to measure anything effectively. And that's important. And to some folks, this might sound really obvious. And it is, to some extent. But the number of organizations where, you know, IT or IT security, if they're their own team, don't have full insight because of the way that the organization is built, right, from a process perspective. So you've got, oh, well, I'm in IT security, but I don't have any control over if the developers decide to go put something in AWS. Or there's no way for me to know if the marketing team hired somebody to spin up a website. Those types of things make it really hard for IT security to be effective at their jobs. And so having an understanding of, if I'm going to be effective at building this program, I have to have some insight. I don't have to have control, but organizationally, we have to make it a commitment to ensuring that IT security has insight into these processes, whatever they are. And so sometimes that's easier said than done, but definitely important. Without that, it's going to be a real challenge for us to be effective. We can be effective in bits and pieces, but not have a full program.

Back to compliance and regulatory requirements. If we understand our data, we know where our data is, what kind of data it is, we can then make sure that we understand our compliance requirements. That's really important, but we have
to understand it in order to make good decisions, and we'll talk about why in a minute. But I think we're all familiar with the dangers of not realizing you have a bunch of PCI data in your environment and then you have a breach. Suddenly you're putting your entire organization at risk of not being able to process credit cards, or getting fines and things like that. No, just kidding. We're not ready to do that yet. There's more than two steps, surprisingly, to being able to measure effectiveness of your cybersecurity program. I really like Parks and Rec. I don't know if you can tell.

So then the next step: threat analysis, risk analysis, risk indicators. And this all sounds like a lot of work. And it is work, but it's worthwhile to do. And so I've worked through these processes with organizations. And a lot of times, they'll come to a consultant, us or someone else, whatever, because they don't really have the drive or the understanding to do it themselves internally. But if we can teach them these tools and let them do it themselves moving forward, it allows them as an organization to take ownership and make better choices and be less reliant on outside parties. So I don't mean like this kind of risk assessment. Not that these are bad. I've done lots of really super detailed risk assessments with lots of categories and ratings. And there's lots of standards around risk assessment that give you a lot of options. But this is not what I'm talking about here. Not today. This is more than what we need. This is more like what I'm talking about. Something simple that just says, what are our threats? And what is the likelihood of that threat being realized within our environment? What is the impact of that threat if it were to be exploited, if it were to come to fruition? And just having an understanding from a low, medium, high, extreme risk perspective does wonders for our ability to define what is effective for us in our cybersecurity program. Just those little steps, just to be able to say, yeah, this is a really high-risk area. We have PHI in AWS. That's where our most sensitive data is. Probably we should spend more money there than on an MDM solution when we don't even allow our employees to have access to email, or whatever. Just defining where is it that we should be spending our time and focusing. Because we all have budgets. We all have limited resources from a team perspective. And we have to make hard decisions on where we do decide to spend our money.

So then we move on to: we've done this inventory, we've ensured we have an understanding of our regulatory requirements, and we've done a very high-level, light risk exercise. Now we can start talking about, well, what are our key performance -- what are our key risk indicators? That's what we just did. What are our key risk indicators? What types of threats should we
be worrying about? How do we define that for our business specifically? We should come out of that process with a list of high, moderate, and extreme risk areas. Excuse me. And then how do we define performance? So in order to effectively define these, especially the key performance indicators, we have to be engaging subject matter experts across the business. That's a really important piece of this: we can't be making decisions or measuring effectiveness in a vacuum. If we're not willing to reach across the aisle, engage, and ensure that we're a partner for the rest of our business, it's going to be really hard for us to have key performance indicators that we're going to have any kind of control over the success of. You can create a KPI, and if you have no control over how the performance actually is accomplished, you might as well not even do it. So you have to have the buy-in. You have to have the business come in and say, yeah, we agree that that's a reasonable thing to measure, and we agree that we're going to spend time and energy with you to try to ensure that we're securing that, or that we're working towards that goal as a team. And that's going to take work on our side too, right? So that teamwork piece of it is incredibly important. We have to get out of the mindset of security are the people that slow us down and stop us, and move more into the mindset of security is an ally. The security team are a resource, and we're here to work together to try to accomplish the same goals. And if you can do that -- it's not easy, but if you can do that -- you're going to be able to create much more effective security performance indicators. Performance indicators that are really going to be tied to things you can control and that you have buy-in for across the business. Identifying your priorities through the work we've done before, and then designing those KPIs, and then testing them. You have to be able to test and confirm your KPIs.

Just a quick word on risk assessments. I talked about this a little bit, but they can be simple. They can be light. They can be easy. They don't have to be scary, right? So I think risk assessments, you go Google, like, how do I do a risk assessment? And it's like, oh my god. First of all, the concept is from the financial world, and then it's overlaid into all these different business areas. And then we're talking about IT security, and you're trying to fit what can be sometimes a very complex process into IT security, which is not -- it's not an easy leap sometimes to go from, to take a look at, like, if you look at the NIST standard for risk assessment. It can be challenging. You read through the documentation and you're like, I don't want to do that. Like, that's insane. It doesn't have to be that hard. Really, we're just trying to do a simple exercise to understand at a high level what the landscape looks like for our business.

And then you compare. So you want to compare your assets, your risk indicators, against what you're doing today. What does your cybersecurity program look like today? Where are you spending money? What resources have you invested in? And are they aligned? Like, if you have gone through this exercise and you compare that to where you're spending money today, there should be some pretty clear indicators of whether or not
you're spending your time and energy effectively. So I used the example earlier of, where is your sensitive data? Is that where you're spending your time and money protecting? Do you have a problem with access control, access management? Do you have a lot of remote workers? Do you have disparate data across a lot of different locations? Do you work with a lot of vendors that provide data? There's so many scenarios that define how you as an organization should be building a cybersecurity program. Having an understanding of what that looks like, that foundation, that landscape, before you -- well, not before, but -- and then comparing it to how you're spending money today, whether you're doing that during budget cycle or whatever, allows you, it gives you the tools that you need to be able to actually effectively say, yeah, we're spending the money where we should be spending money. Or, we could save some money. Maybe we're spending money on a tool that is overpowered for us. I know it's sacrilege to say spend less money on cybersecurity. And I'm not saying necessarily we should be going to cut our budgets. But there may be opportunities. There might be opportunities to say, hey, this should be focused elsewhere.

So is it worth the effort that I just talked through? Is it worth going through all these steps before you even start creating key performance indicators and things like that? I think it is, right. There's a lot of value here. Not only have you defined your critical assets -- well, that's much nicer on the eyes -- not only have you defined your critical assets, you understand where your systems and your data reside, you've documented and communicated your relevant regulatory requirements, you've taken the effort to do this risk process and review, and now you have an understanding of what the value is of your current cybersecurity spend. If you have this data here, you can make an informed decision. You're not just going off of, you know, I heard that social engineering is the most dangerous attack, you know, exploit or attack vector today. Which, you know, I'm not saying that's not true, but maybe for your business it's not as big of a problem, you know, for whatever reason. Maybe you don't use email. I don't
But having an understanding of what the profile for your environment looks like lets you make informed decisions. It lets you make informed decisions around budget spend, around headcount, product and solution selection. Strategy planning, that's a big one. When we do a strategy session with an organization, the first thing we do is a quick risk exercise. And we ask for information up front about assets and things like that. You know, we don't necessarily go through this whole process every time, but when we can, we do, right? It's really hard to do strategy planning for one, two, three years if you don't have an understanding of your foundational environment beforehand. It lets you make risk management decisions. Are you going to outsource this part of your business? Well, is there a piece of data around that risk assessment process that would have helped us make a decision from a business perspective on, do we want to leverage this vendor to outsource this part of our business? Well, often there is a talking point there, or something that we as cybersecurity professionals have to add to that decision, to that conversation. Like, yeah, OK, so you have all these other business decisions in relation to that. But here's something else to think about. Here's what the risk is from a cybersecurity perspective. And if we outsource, maybe we reduce our risk or shift the risk to this other organization. Those conversations, I think, are often not happening. And if we've gone through this process, we're already armed with that data to be able to help the rest of the organization make good decisions.

And you're also then able to communicate measurable success indicators and the value of your program. So for example, if you've gone through this process and you have an understanding of where the risks are within your business, what are the high, critical risks, threats to your business? Where's the high, critical risk in relation to the threats of your business? You can then create a key performance indicator such as: through the implementation of X tool or X tool suite, our expectation is that we will have less than two major, or less than one or zero major events, defined as whatever, in the next 12 months, right? You can make -- now, you can make those anyway. You can just make them up today. Maybe we do. But if you have data that lets you focus on and define where the risks are within your organization, the performance indicators you create are going to be better defined and more actionable and more measurable over time. And so, you know, I can make up a lot of examples, but the important piece of that is that they are based off of the steps we took earlier to really define where the risk is associated within your business and where you need to be focusing your time, attention, and
Well, so part of it is, OK, so the breach thing, we talked about that. And maybe that's not a great example for -- sometimes it's hard. Organizations don't want to codify, like, we expect to have three breaches in the next 12 months. They just don't want to do that. But there are other ways to measure. To say, first of all, don't use the word breach. Because half the time, if you don't use the word, people are suddenly OK with using synonyms. OK, fine. Define it differently. But ultimately say, OK, here's what we've implemented within our organization. You know, we have PCI data, so yes, we're going to focus on reducing our PCI scope through these methods, thereby, you know -- so in the next -- so our key performance indicator from a cybersecurity perspective would be: in the next 12 months, or maybe in the next 24 months, we're going to eliminate all card processing where we store card data. That's a key performance indicator. Are we going to accomplish that in the next 12 months? That defines whether or not we've been successful in that particular endeavor. In relation to that, you can have a key performance indicator that says, our expectation is that if we do periodic risk assessments within our organization, the overall risk profile of this environment, maybe our PCI environment, will be reduced from high today to moderate in the next 12 months. Again, you can just say that 12 months later and probably get away with it. But if you're really trying to measure, like, if your PCI environment is a high risk right now because you store data, or because you control the form that credit card numbers are filled into instead of doing a redirect or an iframe or something -- those risk reduction methods for PCI specifically -- if you know that that makes your environment high risk today because you've done all this work to identify where's our data, what kind of risks are associated with our environment, you can create a key performance indicator that says we're going to reduce the risk of that environment through these steps. And the KPI is not going to have all the steps. But you say we're going to reduce the risk of that environment. We're going to assess it again in six months or in 12 months. And we're going to feel confident that we're going to change that from a high to a moderate. And that gives you an indicator that you can measure against for what your program will do over the next six to 12 months. Now, it's not everything your program's going to do. You're going to have more than one KPI. You're going to have a bunch of them, probably. But it gives you something to go back to leadership and say, hey, we said we were going to reduce the risk of this environment. And you have to have a risk assessment process that's legit, so that people are like, oh, you didn't just call it medium, moderate, now, right? But assuming you have that framework in place within your organization, now you have something that you can come to them in 12 months and say, yeah, we were able to accomplish that, and this is how we did it. And so there's -- go ahead.

I think that's a great point. Yeah, there's definitely -- back to the engaging with the other business units conversation, that's absolutely true. There are going to be indicators within other aspects of the organization that could have a direct impact on the work that you're doing. And so
yeah, if you determine that phishing is a big risk, you can take the steps to work with that business unit to say, how can we find a definition of success here together as a team? And ensure that we have control over that to some extent. But yeah, you can leverage-- I think that's great. And it fosters that communication and integration across teams. And I think as security is a supporting business unit in so many organizations, or really any organization really, it should be treated like that. That is the right approach, right? We are, our customers are the rest of the business. And so being able to work with them to define these makes a huge
amount of sense to
100%. Absolutely. And these are foundational challenges that we face as cybersecurity professionals. And I think we're starting to see a change in that as organizations start to understand, like, hey, we can't just wing this. We have to really-- I mean, how long have CISOs existed in their current form, even as a role, for instance? Understanding that we have to bring security into the conversation. And part of that-- there's two sides to that. One is the business hasn't treated that part of our business or that part of our role with the respect that it needs to have and understanding that it's important that we're a part of that conversation. And part of it is also, I
think, a lot of times an adversarial relationship exists between security and the rest of the organization, which just plain makes that hard. But yeah, if we don't have a seat at that table, we don't have insight, again, we don't have to have control. We have to have insight. And without that insight, we're kind of dead in the water. So we can ask the right questions now, right? So we have enough data to say, what are the highest risks? How do those assets align with those risks? Where are we spending money that we shouldn't? Where should we be spending money? And are we failing to spend to secure assets that we aren't today? And really, I'm going to tell you a secret. My underlying hope behind talking about these things
is to continue to drive to organizations that they need to be thinking about the basic blocking and tackling of IT security before they start worrying about the next big thing. If we can just get folks to-- and these processes, these steps will help. I'm not claiming any of this is rocket science. What I am saying, though, is that if you do the work-- I've seen this in action-- if you do the work that I've outlined, right? The steps, the asset inventory, really understanding that, like the risk assessment, understanding your compliance requirements, and then putting that together and using that data to assess how you're doing with your cybersecurity program, with your budget, with your initiatives that you've outlined. You're going to, as an organization, reduce the risk.
And that's going to draw out things like, oh, well, we should probably focus on patch management. We're not doing a very good job there. I know we just implemented this really cool network monitoring solution, which might be great, but we're not even patching. Well, maybe we need to focus on the high-risk areas, and then we'll work our way up to that. Just being able to go in with an informed decision, it makes a difference. It makes a difference, especially when you're trying to convince folks that don't necessarily understand what we do and why we do it, what our decision process looks like. It helps to have some sort of ammunition there. This clarity allows you to make better decisions. It gives you some effectiveness metrics to be able
to really measure, okay, these are the initiatives I've outlined this year. These are the performance indicators I've assigned in relation to those. Now I can measure that over time. You're going to measure that in a bunch of different ways, and you're going to have different steps below your KPIs. That's not the end-all, be-all. That's just the high level. Here's what you communicate up to management, let's say. But it gives you something to drive towards. And if you create a KPI that's directly aligned with the projects and things that you're working on, it's going to make it easier to express how you're being effective in your job and how your program is effective. Visibility over time, right? This is not a one-time process. This is something you have to
build in and do on a regular basis. And that even includes doing a risk assessment every time you decide to bring on a new solution or tool or bring on a new system, right? Risk assessment is a multi-layered approach. And then efficiency, right? If you understand where the risk is in your environment, you don't have to take this blanket approach or the shotgun approach. You can be more efficient with where you spend your time and energy. And it allows you to spend the time up front in those specific areas to create efficiencies. Let's say, OK, we have a log management solution, and it covers-- how are we doing on time? We have a log
management solution, and we've got all the logs, all the logs. Got them all. They're all coming in. It's great. Centralized log management. What are you doing with that data? How much of that do you need? Are all those systems high risk? Should you be pouring all of that into your system? Is it becoming more of a burden than a help? Being able to understand where your risk is can help you make that decision to say, hey, yeah, we're going to store those other logs, but we're only going to pour these critical systems into this centralized dashboard or only set up monitoring or alerting for these specific systems. And that's going to allow us to spend
time to make that more efficient, to automate some of that. Yes? Oh, yeah. That's what I said. We're going to collect it all, but not all of it's going to be alerting us or being put into dashboards that we look at, making that decision, tuning. Exactly. As long as you have it, that's important. And you have to understand-- You have to have a good enough understanding that you're not shunting something off into storage for forensic purposes when you really could be using that data. But you don't need all of it. And trying to use all of it is one of the things that we're constantly trying to overcome. That's an example, but we're often overwhelmed
with data, right, and where to spend our time as IT security professionals, because there's a million places we can spend our time. If we can define or narrow down where we should be spending our time and most of our focus, it allows us to be focused and take our time and then maybe create efficiencies in that area. Like, I'm going to spend the time to create a script to do this action that I've been doing manually, because I haven't had time to write the script because I've been doing 400 other things that are probably really low risk and I should be spending less time on them. The goal is to empower you to
be able to make better decisions and create efficiencies so that you have a healthier program over time. Other benefits-- employee engagement and retention. If you have a defined program and a plan, you'd be astonished how much easier it is to keep people if they feel like the people you work for know what they're trying to accomplish and that you can measure your success as a part of that. It makes a big difference. It's really hard right now. All of us know how hard it is to hire and retain IT security professionals right now. If you can create an environment where they feel like they're making a difference and that they can clearly understand how and where, and that you have a plan, it's going to
make a huge difference towards retention. It's not all about the money. Yeah, you can go make a lot of money. And of course, everybody wants to get paid a reasonable amount. But you can go out and get paid 30% more and work for a really bad company, and you're probably going to regret that decision. And maybe you don't even do that. Maybe you decide to say, hey, I really like this place. I like who I work for. I like knowing that I'm making a difference. I feel like I understand where I fit. It makes a huge difference. The value of the cybersecurity program will increase within the rest of your organization if you function in these
ways. Show that you have a process for this. Because that's what they do. Most other business units have a process to define their success. Maybe they stink at it. Maybe they are good at it. But regardless, they probably have one. And this will speak to them, be able to say, hey, we do this just like you guys do. Increased collaboration, really important. Continue to hammer that home. If you're not collaborating with the rest of your business, you're going to have a hard time being successful from a cybersecurity perspective. And it improves your project and your team velocity, your ability to move quickly if you have defined goals and you're not just trying to do everything for everybody. I talked about efficiency a little bit. So with that,
I suggest that everybody do it. Just do it. So that's what I've got for you guys today. I would love to open up the floor for questions. We've had some folks with some really good thoughts and feedback. I have more candy if you want to. I'm afraid to throw any more of it, but what do you guys think? Thoughts? Your experiences? Not necessarily, but what I do is I look at OCTAVE, NIST, DREAD, STRIDE, whatever, and I take the pieces that I like from it and I make my own. I feel like if we understand what we're trying to do, what we're trying to accomplish, we don't have to read the whole standard. We just need to say what... And
just at a really basic level, super simple definition of risk assessment: you have threats, and you have the impact of those threats and the likelihood of those threats in the context of your business. And then out of that, you rank those by moderate, high, low, and then you come out with a risk level. I mean, that's a super simple definition, you know, and there's a million ways to make that more complex, and maybe that's something you get to do next year or something, you know. But if you start with a simple definition, at least going through that effort, that process, that's worthwhile versus getting wrapped around the axle around do I really know how
to do this risk assessment of my, you know... It doesn't have to be quantitative, you know. It can just be, I need to have a rough understanding at a high level for my organization, and so, you know, I'll take bits and pieces from each of those. But for the most part, I try to keep it really, really light and simple. And I also try to curate it when I'm doing those for a group of people. If I can get people in a room to do a risk assessment, like different business units, and have them involved in it, you have to keep it simple and light in order to keep them engaged. So it has to start from the top in that
regard. Not that you can't-- I mean, obviously, you can bring these ideas up, but support for something like that to be able to say, hey, we're going to have a security culture. Because you're right. Security is everybody's responsibility. You might have people that are experts in it that help drive the initiatives or specific tasks that they manage or whatever. But really, it is an organizational responsibility. And the responsibilities differ depending on your role, your department, things like that, your level. But it does need to be organizational in the perfect world. That's hard to achieve because we're talking about organizational cultural change. And that is a challenge. When we come in, we've done virtual CISO projects forever. And the first sign of success or failure is
whether or not leadership feels like... Are they going to really push this? Are they going to talk about it? Are they going to back you up? And then you can define really quickly, like, hey, guys, this is not going to work. If you aren't supporting us, I'm just the consultant guy that nobody has to listen to or doesn't want to listen to. And it's the same thing with security. If you don't have the support from the top down to say, hey, this is something that we think is important for everyone, and we're not asking you all to become security experts, but we are asking you to implement, engage and be a part of the process.
And so if you can create an awareness program for that, it can be successful. And we have seen it be successful, obviously a lot easier in smaller organizations, much easier in organizations that are in the technology field. But definitely doable regardless. I mean, I've walked into organizations. We've done social engineering at organizations that do marketing, basically, right? They do data and analysis. And you can't even get in the front door because the front desk woman's like, I don't think so. I know how this works. You're not a real printer, fixer person. We don't even have this kind of printer. And you're like, wow, they've taken the time to create that. And everybody has their role,
and they embrace it, and they believe in it. And it's positive reinforcement. And so I think that you do need to be able to push that out to the whole organization, but that's a much longer process and it's a bigger project. I follow this hardening list and I don't know why I'm doing that. It's true. I think that makes sense. And that's a great point. You can make a difference at that level if you take-- and I think the challenge that we face is a lot of times those of us that are in these roles maybe aren't the type of people that are used to going out and training people on how to do stuff.
Part of it is a cultural piece. Right. And so who is that person? And so it's hard because it takes us out of our comfort zone to say, oh, now I have to sit down and-- I'll be honest. When my aunt is like, hey, can you go look at my laptop? I'm like, I don't know anything about what's going on with your laptop. OK, hold on. Let me take a deep breath. Help you. It's like being able to have that patience to help people understand a concept that they don't necessarily have experience with is not something we all have naturally. We're not all natural teachers. And that's what I think is a really important missing
piece is that being able to do that work, to be able to teach why this is important or express it in more than just a transactional method. Well, and at the level that we talked about, you're right. So we're talking about at the very highest level creating those kind of metrics that might be measured over the course of six months or a year or two years. But below those metrics, you would dig in and you would create actionable goals, tasks, projects, you know, you would flesh it out to the point where you would be able to more easily, more granularly measure success. Now, how that aligns with other business units or other teams or, you know, even if you're talking about within your own security department, you know, maybe
you have it segregated out by network security versus server security versus, you know, I don't know, whatever, but, you know, that just takes constant communication, and that doesn't mean constant meetings. I'm anti-meeting, but it does mean the ability to communicate across groups and have, you know, whether that means the output of this is put into some sort of a visual form that we put somewhere that people refer to a lot or someplace that we, you know... Providing people with that data and the constant reminders is a part of it. And the other part of it is making sure you're communicating and knowing who you should be communicating with if things
start to get out of sync. If you have different teams with different initiatives, how do we ensure that we're all driving back towards that key performance indicator if we have a joint one? And it's not easy, but these are very high level. You would then drill down and try to create goals that are a little bit more actionable in a shorter time. But it isn't like you can't probably go through this process necessarily and then in a month ask, how am I doing, you know, am I 25% there or not? It's not necessarily that granular, but you would get more granular as you kind of build out your strategy below it. Exactly, yeah. Right. I mean, so, and that's it. The idea is like, if you, so
we're all making decisions we're all picking projects to do we're all doing work we're busy But are we starting in the right place? Are we making those decisions based on the right data? That's really what this is about. All the other stuff you're probably already doing, and maybe there are things you need to do better with how you approach them or not, but really the key here is are we starting with the right foundation so that we really can determine if we're being effective or not beyond just saying, yeah, we implemented that tool, that's what we said we were doing this year. I mean, it's really dependent on how much of a bite you can take, but you want to start as...
you can probably apply these concepts in more than one way, right? So if you wanted to apply the same concept on a more scoped down. So for instance, you can go through this process strictly for your PCI environment. Yeah, if that's easier, if you have different teams, different resources, or if they're very clearly defined, there's no reason why you couldn't break this up. As long as you're keeping organizational, like, departmental whatever, rolling them up to some sort of higher level. Yeah, you can absolutely break it up. Because, yeah, I mean, this could be a several week process in the right organization, and that's not really what you want to do, right? So, yeah, absolutely break it up. So,
dig a little bit more. Are you saying, like, if you give somebody one... That's hard, right? I mean, part of that is organizational culture. Part of it is... Part of it is how you create those KPIs, creating them in a way that is less prone necessarily to manipulation in that way, in that sense. And maybe not all of them are, but maybe some of them are. Maybe one of them is pretty all-encompassing. So to your point, maybe you create a bunch of KPIs, and they're all met, and you're still a target, and you're still hacked. Somehow you're PCI compliant, and you still are not PCI compliant. There are ways to get around any kind of data point you create, like you said. But
what you're trying to do is, well, first of all, you should be creating the KPIs so that you can show your value to others, and hopefully you're doing that from the right place. Because if you're trying to make up KPIs that are easy to hit and not necessarily value add to the organization, that will come out at some point. Unfortunately, probably in a really negative way. If you're creating KPIs to try to force other people to do things, you're going to have-- that's harder, right? This is really more about you as a leader within an organization saying, I want to have an understanding of how I can express my team is doing a good job. And
so that is a challenge that kind of goes above and beyond that and is more about holding people accountable and measuring effectiveness of people and them, those specific people in their jobs. They're not hard enough.
Having that checks and balances. Well, I really appreciate you guys taking the time and being a great audience and asking a lot of really good questions. And I hope you got something out of this. I certainly enjoy talking about this topic. And I feel like there's a lot of value here, even if it's not the sexiest topic we're going to talk about over the course of this conference. I'm excited to go see some other talks. Thank you guys. Really appreciate it. And yeah, I'll talk to you all. Thank you so much. Yeah, seven minutes. Okay, okay. Oh, there is a web. Is this the thing? Continue. So let me see. Awesome. Now I'm feeling, I
know, right? Now I'm feeling the font is, I cannot actually see through it.
I hope it's visible. We will see. I'll ask if something is not visible, I'll just enlarge it on the go. But we will see. Oh yeah, yeah, I hope it's visible. The font is too small? The font is too small? No, right? In the microphone? Okay, so like this is the normal tone or pitch, or should I just? Okay, no problem. Okay, so I'm going to start. Good morning, everyone. And today I'm going to talk about the Bro or Zeek NSM. But before doing that, I would like to introduce myself. My name is Fatima, and I work as a security engineer at the University of Delaware. I am also a part-time PhD student. And I have been working in their
security group for the past three years. And I have been working on Bro and/or Zeek for the past three years. And I'm going to share some of my experience and how I learned more about Bro and how we are using Bro in the university in the production environment. So let's get started. So I have mentioned Zeek because they have been calling Bro, Bro for the past 20 years. And they have been dealing with the renaming of the project because it was giving a wrong connotation. Because whenever I would say to my colleagues that I'm going to BroCon this year, they're like, wait, which conference are you going to, BroCon? Is it like a conference with bros? And I
was like, no, it's not a conference with bros, it's the Bro IDS. And I work on that, and that's how I'm going to BroCon, friends. So they have been planning to rename it, and they actually announced the new name of Bro NSM this year at BroCon 2018 in October, and they renamed it to Zeek. So I might be toggling back and forth between Bro and Zeek, but whenever I say Bro or Zeek, they both mean the same. So jumping into the talk, since it's a fire talk I will be really quick, and if you guys have any questions just raise your hand and I will try to answer it in my talk.
So what is Zeek? Zeek basically is a network security monitoring tool that is actually, I define it as a passive scanner. So if you have it on your network, what it does is it just passively listens to your network. Whatever traffic is going on on the wire, it will capture the traffic, it will try to analyze it, parse it, and it will produce logs in flat ASCII format for you. And they're like human digestible. They're flat files and you can just go through the logs and see what's going on on your network. The good thing about Zeek is, apart from the normal PCAP capture solutions we have, a PCAP consists of everything. Each and
every packet you have seen on your network will be dumped into a PCAP file. And it becomes hard to analyze it when it grows in size, right? And you have to be very pro in the Wireshark filters or TCP dump filters to actually pick the packets that you really want to see. What Zeek does is it does a pretty neat job of analyzing the traffic, analyzing the application layer protocol, what is in the traffic, and then it logs that particular protocol in the particular log file. For example, if I'm getting a lot of HTTP traffic in my network, what Zeek will do is it will produce a file called http.log and log everything, each and
every packet that it sees is an HTTP packet to that log file. And it's like a flat ASCII file, so it's pretty easy to digest. And if you have some centralizing tool where you are monitoring or aggregating your data, it's a really good place to aggregate the logs and search through it. So that's what it is, it just sniffs the traffic and it produces a whole bunch of log files. Currently it has more than 50 types of protocol parsers and it has been in development, and whenever there is a new protocol coming up, they start writing the protocol analyzer for it, and whenever there are some protocols that are very new, like industrial protocols or SCADA
protocols, which Bro doesn't support yet, it will log it as an unknown protocol. So if you want to implement something and if you want to see what exactly is logged as an unknown protocol, there is a file called weird.log that Bro generates apart from the normal conventional protocol files, so you can actually look through the weird.log file and see what kind of protocol is not currently parsed in Bro. So that's a quick overview of what Zeek does. And the deployment, so how you can deploy Zeek in the network. Right now, Zeek has the capability of running in a cluster environment, so it's not like a standalone, but if you have a very big organization where you have a lot of servers and a lot of clients and you want
to load balance the traffic, you can run Bro in a cluster environment as well. At UD, what we have is we have 10Gbps uplinks and downlinks. We are monitoring just the north-south traffic. We are not doing east-west anything with Bro. We have four physical boxes, and each box is running a Bro instance. Not a Bro instance, each box is running almost 36 Bro instances, and all of them are working in the worker mode. They all are the workers. So we have four Bro sensors, they all are workers, and then there is a manager, which is another physical box, and all the logging is done on the manager. There is another instance
called logger. So when you run Bro in the cluster environment, it has the roles defined for your physical box, whether you want that box to be the worker or you want that box to be a manager or the log aggregator. So we have one Bro box that is actually the manager that is aggregating all the logs from all the four Bro sensors, and we are basically monitoring our 10 Gbps uplinks and downlinks. Basically all the north-south bound traffic, like we are doing the internet to the network, like internet to UD, UD to internet traffic. We are not actually monitoring anything internal, but we would really like to, because Bro
is so good at detecting some things and picking up some things automatically. You do not have to be like Bro pro to deploy Bro, you just have to deploy it and watch for the or monitor the files. It's pretty neat and we will be talking about some of the quick detections that Bro does which are really neat and they are like right off the bat. You do not have to do any kind of customization to get that kind of traffic. Why Zeek? First of all, it's a great open source free tool and universities like free tools because we do not get a lot of budget to install very commercialized tools for our environment. So we have Bro as just because it's free and open source and people like
it, and we do not have a full packet capture solution. It's really great if you do not want to have a full packet capture solution, because of the size of your network, because of the storage requirements, because of the infrastructure and maintenance requirement, it's really decent to have Bro because it logs everything, pretty much everything, by default, and if you want some fields which are not getting logged currently you can actually get that. Bro is a full protocol parser, so even if Bro logs very few fields, if you really want some fields extracted out and logged you can actually do that as well. So one example, we recently deployed TLS
fingerprinting where we really wanted to fingerprint the TLS clients that are connecting to our TLS servers. So all the fields were getting extracted. But the ssl.log file that Bro generates has very specific fields that Bro thinks are valuable for a user or valuable for an analyzer to look at. But when we were implementing TLS fingerprinting, I wanted the fields like the hash mapping, like if the client is advertising that these are my algorithms that I support, what does the server respond back? So those were the intricate fields that were extracted by Bro, but were not logged. And we wanted those fields. So we knew that they are getting extracted. We just
wrote some customized code to actually use that. So it's really good. And if you do not know what exactly fields you are looking for, you can ask the Bro community that for this DNS protocol parser, do you extract these fields? And they say, yes, we extract it, but we do not log it. And they will give you the right pointers how you can go ahead and get those fields from the traffic. So coming back, why Zeek? So it's dynamic. It's full packet capture solution. It has really strong scripting and logging framework. I have already mentioned the logging that it has more than 50 different protocol parsers, and it can log each and every protocol in
its own file. Like dns.log will have all the DNS-related traffic logs. http.log will have all the HTTP-related traffic. They recently included support for Windows logging as well. So they now log RPC, DCE-RPC logs. They now log NTLM logs, et cetera. And apart from the logging framework, they really have a really good scripting framework. What does that mean is they have their own scripting language. They call it Bro Programming. And it's pretty easy to learn because there are so many scripts out there that you do not even have to write a script by yourself. Somebody might have already written it, and you just have to pull it down and install it and run it
on your cluster. So yesterday there was a talk about the Bro Primer, which was not a talk, which was a class that actually described how you can get your feet wet in Bro, like how you can install it, how you can run it in the bare minimum mode, how you can configure it to run on the tap or sniffing mode. So if you guys were there, you know how to run Bro, but if you missed the chance, there are a lot of tutorials out there that can actually show you how you can actually install Bro and get that working in your environment. And I will talk more about the scripting framework later on. But moving
ahead, I have Bro running, now what? So a lot of times what people think is that it's an IDS like Snort. That, for example, if I have Snort running, it will produce the alerts and then I will get alerts saying somebody was trying to hack my network and I will go ahead and look. Bro is not actually designed to be an IDS. It is designed to be a network security monitoring tool, basically. If you want to look for something, you have to search it in your logs. A lot of people have the misconception that I had Bro running and it didn't produce any kind of alerts for me and I didn't know what it's doing, so I
just kept it running. It's not really like that. Bro and Snort are two different tools to target different problems. Previously, they had a signature framework as well. So if you are very pro-Snort, and if you like to write signatures, and if you like to detect things in the network, you can absolutely do that. You can absolutely do the exact same thing in Bro as well, because they have a strong scripting and strong signature framework as well. But it's really meant to be a monitor of the network. And I will talk about some of the quick things that it automatically detects. You do not even have to turn some plugs on or turn some switches on to have those
kind of detections. So some of the quick things that it automatically by default comes with, like it comes with the scripts that detect those kind of attacks automatically for you. So for example, some of them are like scanners. Bro comes with a scan script that automatically detects different kinds of scanning attempts that are targeted towards your network. And all the things that I have listed, I have examples of the things in the following slides of how you can actually go through the logs and search for those kind of activities on your network. We actively detect scanners each day on our network, and we almost block tens of thousands of IP addresses who are just scanning
our network. Because scanning is the first part of the recon, right? When a pen tester wants to know about your network, the first thing it has to do is to scan your network. It has to collect all the information on how the IP address of your organization is laid out, how many servers you have, how many HTTP servers you have, how many DNS servers you have, and how open your network is so that he can attack or exploit any vulnerability, right? And that process is very noisy. He cannot be very subtle in that process. So if you can detect scanning, you have blocked their first step of doing or pivoting in your network. So Bro
really does a neat job in detecting scanners. There's a scan-NG package that is in bro-pkg. That is a customized package that is written by one of the people from Lawrence Berkeley National Lab. What the package does is it not only detects the normal scanning attempts, but it detects some of the highly innovative scans. Like if the scanner is not running Nmap, but it is doing a subtle scan of each and every server, you might not be able to pick it up in your network traffic if you are going through the traffic. But that scan-NG package, NG stands for next generation. So it has like four different kinds of scanning detection automatically built
into Bro. So it detects like knock-knock scan, it detects landmine scan, it detects low port throttling. So those were the scan types that are very subtle in your network. And if you are really looking for that, then only you will be able to pick it up. That's a custom package you need to install in Bro to detect those kind of scans, but Bro comes with a standard scan, standard address scan and port scan, and we will be looking into the examples later in the slides. Bro automatically detects SSH brute forcing, HTTP password brute forcing, and SQL injection attacks as well. It's a built-in script. You can disable them. If you
are having a performance impact, you can automatically disable them. But it is by default enabled so that you know what's going on in your network. IOCs, Bro has Intel framework integration as well. So if you guys are very big fan of IOCs in your network, like if you have the list of bad IPs, if you have list of bad DNS domains, if you have bad hashes for the files, if you have that Intel data and you want Bro to detect that in your network, then you can absolutely do that using the Intel framework. You just have to enable Intel. Intel framework is by default disabled because of course it needs the Intel input. If you
do not have input, there's no point in enabling the Intel framework. So the first thing I did when I got into the university environment is, the university is pretty decent in sharing the Intel. If you have the university network called REN-ISAC, they share Intel pretty decently. We get really good Intel for free, being a part of a university, an educational institution. So I was thinking that we are getting all this Intel, cool Intel feeds, so how can I integrate it with our NSM system so that whenever it sees that kind of IOC in the traffic, I should get notified and I should know what's going on in my network. So Bro has great support for the Intel
framework as well, and we already block the IP addresses that are reported by different sites as malicious with more than 85% confidence. So we automatically block that as well. So we have Bro not only just as a packet sniffer, but we also do active blocking on Bro alerts that we get. We have a Googlebot detection using Bro scripts. I will talk about it later. And then the OpenVAS and ZmEu scanners. They are the vulnerability scanners that people use, and you can easily find them in Bro logs, and I have examples for that as well. So moving along, those were the very basic things I talked about that you can automatically pick up from Bro logs.
And I will have the slides to show you how you can do that. But apart from those basic use cases that we came up with when I started working with Bro, we had some advanced use cases as well. Because when I was analyzing the log files, I saw so much information that was so useful in the network that it actually resulted in some really high level or advanced use cases. And I think I have mentioned five of them. The first one was detecting firewall misconfigurations. So our Bro sensors sit between the routers and the firewall. So it sees everything before it hits the firewall. And then the firewall filters the traffic it wants to, and
then it hits our servers or our clients. We had a use case recently in the past that we have some restricted subnets that we do not allow SSH into, because they are our servers and they should not have the SSH port open. And Bro was seeing internet traffic, and all of a sudden I was just going through the ssh.log file in Bro and I was just looking into the subnets, and all of a sudden I saw an IP address. It was from the restricted zone and I was like, wait a minute, why is Bro reporting SSH service open on that IP address? So I went back, I talked to my manager, I asked him that, okay,
do we allow SSH in that subnet? And he said, no, we should not. And Bro should not be able to see the SSH connections to that IP because we are blocking it. So how a firewall works basically is if I have a rule saying this is the subnet and this subnet is not allowed, like drop all the connections to the subnet, the firewall would just block the SYN. So if Bro is seeing a SYN packet and it is getting dropped on the firewall, the client would never reply back with a SYN-ACK because the client never got the SYN, right? So the connection will not establish. And then since the TCP handshake is not complete, there is no way
to figure out that it's an SSH connection, because if there is no data transfer, then how would Bro know it's an SSH connection, right? I was getting all those connections logged as SSH connections in the ssh.log file. That meant that there was a successful TCP handshake and some data got transferred, and that's how Bro detected that it was an SSH connection. So I was like, okay, if the firewall is blocking the SYN packets to that IP address on port 22, then why is Bro reporting that the SSH port is open? So it was a desktop, it was a Linux desktop, and it was not used, like nobody was using it. So I actually went back and
I asked them, do you have this SSH service open? And he said, yes, we have this SSH service open. So we went back and forth and we figured out there was a misconfiguration in the firewall that actually leaked the packets into that subnet. So that was a very crucial finding that we had: okay, now we were thinking that the firewall is doing that, but it is actually not doing that. So the advanced use cases were like we were able to determine the firewall misconfigurations using Bro. Enumerating servers and services, there's a really cool log file that Bro generates called known_services.log. Whatever Bro sees in your network, and if there are servers on your network
that are responding back with the service, it will log that server as an HTTP server or an SSH server. So we were able to determine how many DNS servers we have open to the internet, and there were very many, because other departments had their own DNS servers which were open recursive resolvers. So we had a project of shutting down, or of narrowing down our attack surface by shutting down the services that are not required to be internet accessible. So you can easily find all the servers and services that are on your network and who is serving what on your network. For example, do you have 500 HTTP servers? Why are there 500 HTTP servers on your
network? Who is monitoring them? Who is watching them? Stuff like that. Policy compliance, there's another log file that Bro generates called software.log file. It logs all the software that it sees on the network. For example, if you're using a browser and if you have browser plugins enabled, Firefox does a pretty decent job of advertising all the plugins it has and with the versions as well. So Bro detects that and Bro logs it into the software.log file so you can easily find out the clients running old versions of PHP, running old versions of Adobe, running old versions of Flash. And if you have a policy in your organization saying that you should not be running PHP
version 5.4 or less, then you can actually pull out the list of all the IP addresses who are using PHP older version and you can actually give them the notice saying you have to either upgrade it or we will nuke you down from our network. So we did that as well. Few more advanced use cases is malware detection, of course. If we have a compromised system, we want to see the network traffic from that system going back and forth for determining command and control and what kind of software was that server using, how many ports were open, what was the communication look like during that period of time. So we do a lot of malware
triage using Bro logs. And then recently, we came up with a project called fingerprinting of unconstrained systems. University of Delaware has a lot of clients who are unconstrained. They do not control what goes on our students' Macs or what goes on their phones or iPads. If you want to fingerprint them, what software they are using, we have done that using Bro. There was an actual real talk of almost an hour at last year's BroCon that I presented just on the fingerprinting of unconstrained devices. So if you guys are interested in how you can fingerprint your devices and come up with an inventory of the systems, then you can go back and check that
out as well. It's a pretty long talk, so I'm not going to go into the detail because we are already running out of time. So fake Googlebot detection, these are now some of the slides I have that will actually show you some quick fixes from the logs. So Googlebots, what actually Google does is Google crawls. They have the web crawlers. And usually you have a robots.txt file on your web server to allow Googlebots so that if you're running a web server, you should be recognized by the internet folks. So what people were doing is, since if I'm running a web crawler, your robots.txt file will block me because I'm not Google. So what I would
do is I would fake that I'm Googlebot. So please allow me. The robots.txt file allows Googlebot based on the user agent. So if the user agent has Googlebot somewhere in it, it will get allowed. So we realized that some of the characteristics of Google for running the web crawler is Google always uses that IP block, like 66.249. If you reverse DNS, like if you look into the DNS name of the IP address, it always ends with googlebot.com. And it has the user agent, of course, as Googlebot. So these are from the notice.log file. They're automatically getting detected. Bro has a script to detect the web crawler activity on your network. So what we
did was I just wrote a command line query that gets me all the logs that have a web crawler in it, and it has Googlebot as a user agent, and just excludes the IP address range that Google uses, and then just prints me some of the fields. And I realized that these were the three IP addresses that we got, or two IP addresses, with a very weird domain name like telia.com, and they were using Googlebot as the user agent string. So that means that they are faking that they are Google, but they are actually not Google. So we directly block those IP addresses because they are just faking that they are Googlebots, but
they actually are not. You can detect the web crawling activity on your network, which is suspicious. Which is like, why are they saying they are Googlebot when they are not, right? The second thing is quick events. These all are based on the notice.log file. The notice.log file gets automatically generated by Bro if you're running Bro on your network. You do not have to enable anything or do anything special for it. So the scanners, so one of the slides talked about the quick wins previously. So these are the scan attempts that got detected by Bro. So the knock-knock scan, backscatter scan, address scan. We absolutely block all the IP addresses that are reported by the notice.log file. And
not only that, it also lists the criteria of detection. So for the first one, it says that that IP address has scanned a total of 12 hosts on port 8080 and the distance was around one mile. The backscatter scan, it gives you the basic information of what port got hit by what IP address and how many times. So these are just some quick wins. SSH and HTTP attackers, you can see that the first attempt was detected as the HTTP brute-forcer attack, the second was the SQL injection, and the third one was password guessing. So these all are just looking into the notice.log file. We haven't done anything special. We just ran Bro on our network, and we just found all these things, and we actively
block those IP addresses periodically whenever we see that. And it's really cool, it says that IP address was actually guessing the passwords and it was seen in 42 connections. It's not like somebody legit is trying to get into the server and it failed 42 times. It was actually someone trying to brute force an SSH password in 42 different connections. Lastly, I was talking about the Intel framework; Intel.log will only get logged when you have the Intel framework enabled. So since I have talked before that we really use the Intel framework a lot, that one was for the Intel address. So we have a list of blacklisted IP addresses and we tell Bro that if you see that IP address, just log it in the Intel.log file and we will
work through that. So we have automated scripts written that whenever there is a log generated in the Intel.log file, we pick up what was the IOC and whether we want to block it using DNS blacklisting or using our IP blocker on the borders. That is because of our IOC detection and we block everything that is reported as 85% or greater confidence as a blacklisted IOC. The second one, the weird.log, that log file also automatically gets logged by Bro. What it actually tells you that Bro has the ability of parsing the protocols, right? So if something is not complying with the TCP/IP protocol stack or the RFC of the protocol, it will log that activity as the weird log. We get a lot
of weird activities like Bro saw a SYN packet with data, or Bro saw a data packet before the SYN. All those anomalies are logged in the weird.log file. That is also a very cool log file that we keep looking at. And we also block all the IP addresses that are listed as the bad ICMP checksum connection. I listed all the things that we actively block on. And there are a lot more. So I couldn't put together everything in just 20 minutes. But these are some quick wins that you can actually have right on top of Bro, like you do not even have to do anything to get these kinds of information. And this
is very basic attack activity that might be happening on your network and you might be blind to it, because it might not pick up some of the things, but since Bro is detecting everything on your network, it is just getting logged as the weird or anomalous activity on your network. And lastly, there's an http.log file. You can do very simple command line kung fu. A lot of times, scanners, they do not go and bother changing their user agents. So many times we have found that OpenVAS is scanning our network and they have not even changed the user agent. So if you just grep for OpenVAS in http.log, you can actually see the OpenVAS scanners getting
hit and you can actually absolutely block that IP address. So the first example is the OpenVAS scanner and the second example is the ZmEu scanner. Sophisticated scanners, they try to mimic some legit user agents like Mozilla, Firefox, or Chrome, or Safari. But if they do not care and if they don't bother, they just scan your network with the default user agents, and you can absolutely pick that up using the http.log file as well. So these were some really quick things that you can get out of the Bro logs, just looking at the log files, and you can do really sophisticated stuff as well using the scripting and signature framework. That was it. 27 minutes, so I didn't
do bad. Still have three minutes, so any questions? They are hitting our clients as well as servers that are behind, that are internal to our network, but since our Bro sensors sit outside the firewall. If they would have been placed inside the firewall, the firewall might have blocked those attempts before even hitting Bro. So even if it's just a SYN attack, Bro would be able to see it and Bro says that this person is doing a SYN attack on your network. So that's a good thing, right? You have layers of security. Because the firewall eventually might block it. But just to know that somebody was trying to crack the password or someone was just trying to do a SYN attack is useful information, because that IP might be trying something else
in future on your same network. If that makes sense. It's just the internet. It's just the north-south traffic we are monitoring. We are not monitoring the internet traffic. IOCs, you actually load in Bro. Bro automatically, when there's a hit on that IOC on the network, it produces the Intel.log file. We have scripts that goes through the Intel.log file actively, and whenever there's a hit, it picks up that IP address, and we have another script that blocks it on the border. It's an automatic script. Yeah, it just pulls out all the blacklisted IPs that got hit on your network, it puts it in a file, and then our different block lists, they just pick them up
and they just add them in their configuration, so it's all automatic. It was just one time manual, you have to write scripts to pick that up, and that's after that, it's all automatic. You don't even have to go ahead and change anything in future. Absolutely. So there is, if you go to the Intel framework, There are the whitelist.bro files where not only you can define an IP, you can define the site and location. We have a lot of whitelisting done. So when I started that, I accidentally blocked the Google SPF IP range. And I was thinking that Bro was picking that up as the scanning attempt. And what was happening was Google was trying to
send emails using SMTP. And it was saying there is an SMTP scan. And Bro picked that up and Bro blocked it. And I was like, oh, wow, it's detecting all the activity and it is blocking it. And some of our admin said, we have delay in the emails. The email was sent at 8 o'clock and we are going to get it at 10:00 AM. Why is it getting delayed? And I was like, oops, let me check. I checked the blacklisted IP address and the complete Google SPF range got blocked. Then we learned the lesson that we should whitelist the Google SPF range, Microsoft SPF range, and the cloud ranges so that they do not get
accidentally picked up as the scanners and get blocked by Bro. Bro has really decent support. You can block it with an IP address, you can block it with a CIDR, you can block it with FQDNs, and you can block it with the star, like the, what is it called? Wildcard. You can whitelist by, I don't think they have regular expression support, I might have to check that, but you can absolutely whitelist with the wildcard, like if you do not want to block anything with google.com in it, you can do the asterisk dot google.com and it will be whitelisted from whatever Intel IOC
support Bro has, and for whatever type, it has a whitelist for it. So even for the hashes, if you have file hashes and if you have a whitelist of file hashes, you can actually do that with the hashes as well. Whatever it has support for blacklisting, it has support for whitelisting as well for that type of Intel IOC. And if not at Bro level, you can whitelist the things at the level you're blocking. So we have a centralized whitelist that is our second layer of protection. So the Bro whitelist is perfectly fine, but just in case something happened and Bro didn't pick that up, we have a central whitelist that is sitting right before the router BGP calls so that
whenever there's a BGP call, it will go to the whitelist and see if that IP address is listed as a whitelisted IP address. It would not advertise the null route for that IP address. In Bro you are talking about, what would take the precedence, right?
How Bro detects the Intel IOC hit is based on your blacklist. So if you have an IP address, whenever there is a traffic pattern, Bro will extract the IP address. It will go through the list that you have. If you have it in the blacklist, it will put it into the Intel.log file. But eventually, if it checks into the whitelist, and if it's a whitelisted IP address, it will not log it in the Intel.log until you explicitly mention that it should be logged no matter what. So that you can actually log and see how many IP addresses that are in the whitelist are actually getting hit in your network and picked up by Bro.
Bro has a very versatile logging framework as well, so it all depends on what you want to log. So you can enable and disable that as well. It is in the Intel framework, if that makes sense. Bro does not block anything. Bro just picks up and Bro just logs it. All you get out of Bro is logs, that's it. Bro does not have anything active unless you are using the packet broker. They have IPS mode as well. We do not use Bro in IPS mode because we are pretty scared to use it, anything in the IPS mode which we are not 100% sure of. So we use it in the IDS mode, but whatever it
logs, we take actions on the logs that were created or generated by Bro. And that is all the manual and automated parts. The things that I have shown in the quick fix, we just pull out the IP addresses that we want to block and we just put them in the null routing algorithm that we have. We don't think about it that way. We might have to think about that in the future.
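The fake-Googlebot and scanner user-agent checks the speaker describes, as an added example that is not part of the talk or of Bro/Zeek itself: it parses a constructed http.log fragment in Zeek's tab-separated format (a real http.log has more columns; the parser reads the #fields header, so the column set does not matter), flags Googlebot user agents whose source address is outside the 66.249 block the speaker cites and has no reverse DNS name in googlebot.com, and flags requests whose user agent still carries the OpenVAS or ZmEu default string. The 66.249.0.0/16 range, the sample addresses, the user-agent strings and the reverse-DNS table are constructed assumptions; a production check would load Google's published crawler address list and do real PTR lookups.

```python
"""Flag fake Googlebots and scanner default user agents in a Bro/Zeek http.log.

Added example, not code from the talk or from Bro/Zeek. All sample data below is
constructed; the Google range is the 66.249 block the speaker cites.
"""
import ipaddress
from typing import Callable, Dict, Iterator, List, Optional

# ASSUMPTION: the 66.249.x.x block quoted in the talk. A production check
# should load Google's published crawler address list instead.
GOOGLE_CRAWLER_NETS = [ipaddress.ip_network("66.249.0.0/16")]

# Reverse-DNS suffixes that identify a real Google crawler.
GOOGLE_RDNS_SUFFIXES = (".googlebot.com", ".google.com")

# Default user-agent markers of scanners that did not bother to change them.
SCANNER_UA_MARKERS = ("OpenVAS", "ZmEu")

# Constructed http.log fragment in Zeek's tab-separated format. A real http.log
# carries more columns; the parser reads the #fields header, so that is fine.
_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "method", "host", "uri", "user_agent", "status_code"]
_ROWS = [
    ["1509480000.101", "CgAbc1", "66.249.66.1", "40001", "192.0.2.10", "80",
     "GET", "www.example.edu", "/", "Mozilla/5.0 (compatible; Googlebot/2.1)", "200"],
    ["1509480001.202", "CgAbc2", "203.0.113.7", "40002", "192.0.2.10", "80",
     "GET", "www.example.edu", "/", "Mozilla/5.0 (compatible; Googlebot/2.1)", "403"],
    ["1509480002.303", "CgAbc3", "192.0.2.77", "40003", "192.0.2.10", "80",
     "GET", "www.example.edu", "/", "Googlebot-Image/1.0", "200"],
    ["1509480003.404", "CgAbc4", "198.51.100.9", "40004", "192.0.2.10", "80",
     "GET", "www.example.edu", "/", "Mozilla/5.0 [en] (X11, U; OpenVAS-VT)", "404"],
    ["1509480004.505", "CgAbc5", "198.51.100.10", "40005", "192.0.2.10", "80",
     "GET", "www.example.edu", "/", "ZmEu", "404"],
    ["1509480005.606", "CgAbc6", "192.0.2.55", "40006", "192.0.2.10", "80",
     "GET", "www.example.edu", "/", "-", "200"],   # unset user agent
]
SAMPLE_HTTP_LOG = "\n".join(
    ["#separator \\x09", "#unset_field\t-", "#path\thttp", "#fields\t" + "\t".join(_FIELDS)]
    + ["\t".join(r) for r in _ROWS]
)

# Constructed reverse-DNS answers standing in for a real PTR lookup.
SAMPLE_RDNS: Dict[str, str] = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com.",
    "192.0.2.77": "crawl-192-0-2-77.googlebot.com.",
    "203.0.113.7": "static-203-0-113-7.example.net.",
}


def parse_zeek_log(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per data row, naming columns from the #fields header.

    Zeek's unset marker (normally '-') becomes None so callers can test for it.
    """
    fields: Optional[List[str]] = None
    unset = "-"
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            parts = raw.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#unset_field" and len(parts) > 1:
                unset = parts[1]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        yield {k: (None if v == unset else v) for k, v in zip(fields, raw.split("\t"))}


def is_google_ip(ip: str) -> bool:
    """True when the address is inside the known Google crawler block(s)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GOOGLE_CRAWLER_NETS)


def has_google_rdns(ip: str, reverse_dns: Optional[Callable[[str], Optional[str]]]) -> bool:
    """True when the PTR name ends in a Google crawler domain (trailing dot tolerated)."""
    if reverse_dns is None:
        return False
    name = reverse_dns(ip)
    return bool(name) and name.rstrip(".").lower().endswith(GOOGLE_RDNS_SUFFIXES)


def analyze(log_text: str, reverse_dns=None) -> List[Dict[str, str]]:
    """Return findings for fake Googlebots and scanner default user agents."""
    findings: List[Dict[str, str]] = []
    for row in parse_zeek_log(log_text):
        ua, src = row.get("user_agent"), row.get("id.orig_h")
        if not ua or not src:   # unset user agent: nothing to classify
            continue
        ua_l = ua.lower()
        if "googlebot" in ua_l and not (is_google_ip(src) or has_google_rdns(src, reverse_dns)):
            findings.append({"kind": "fake_googlebot", "orig_h": src, "user_agent": ua})
        for marker in SCANNER_UA_MARKERS:
            if marker.lower() in ua_l:
                findings.append({"kind": "scanner_user_agent", "orig_h": src,
                                 "user_agent": ua, "marker": marker})
                break
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_HTTP_LOG, reverse_dns=SAMPLE_RDNS.get):
        print(f["kind"], f["orig_h"], f["user_agent"])
```

Passing a resolver matters: without one, the crawler at 192.0.2.77 (outside the cited block but with a googlebot.com PTR record) would be flagged too, which is exactly the kind of false positive the speaker's whitelisting discussion is about.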
Oh, you want me to wear a mic too? All right. Get my pocket. I can do that. Sure thing. Yes. Yeah, you're like, wait, is this the right guy? I don't know. Oh, good. I can see my slide from there. That's awesome. That would have been handy to know five minutes ago when I was trying to get the thing to maximize. All right. We good to go? Okay. I guess we'll get started then. All right. So you're here for my talk about how to start a podcast. I want to preface this with I'm not a pro, but for two years, me and a couple friends have been running a podcast, and it wasn't exactly intuitive to set up, so I thought I would talk about how I
did it. I also run some video stuff on YouTube, which was also not exactly straightforward, so I thought I'd sprinkle that in here as well. So who am I? I'm Gangrif on Twitter. You can also call me Nate. I'm a sysadmin of like 20 years. Well, I've got 20 years in IT. I've been a sysadmin for about half of that. A couple certifications. I'm also one of the admins of a DEF CON group up in eastern Pennsylvania called DEF CON 610. If you're in that area, check it out. It's a fun time. First Wednesday every month. You can find us on Meetups. I don't have the URL handy, but sorry. Whatever. And I run the Iron Sysadmin podcast. This was an idea I had about two years
ago. One of my co-hosts right here was the first guy that we decided it was just me and one other guy set this up. He's busy looking at his phone. He's ignoring me. So that's one thing I do. And the other thing I do is I'm a Jeep enthusiast. I run a YouTube channel about just like stuff I do in the garage and trails and, you know, some more sort of down to earth real life stuff. So I'm going to talk about both of these things. This isn't meant to be like an advertisement for either of my things. It's just the things that I know and the things that I know are the things that
I talk about well. So there it is. So it's just a quick, you know, general outline of what I'm going to try to cover. That last item, making money, is still sort of elusive, but I'm going to talk about it a little bit. Both of my endeavors don't currently make any money, a tiny little bit that we get from patrons on Iron Sysadmin. But basically, figure out your show, start recording it with what you've got, how to host your show, how to improve once you've got it hosted and you actually have a listener base, and how to improve hosting once you're maybe making a little bit of money out of your show, or you've just decided that
you're going to spend the money to have it hosted in a nicer way. And of course, then what you might do to make your YouTube channel or your podcast make some money for you. So, um, the first thing to starting a show is to figure out what the heck you want your show to be about. So choose yourself a totally unique topic, totally agonize about this, never talk about anything anyone else has ever talked about ever. Being sarcastic. Um, what I mean to say is it doesn't matter if someone else has already covered the topic. If you want to talk about brain surgery, make sure you know what you're talking about. But if there's a hundred other podcasts on brain surgery, then just make yours a little bit unique
and that's good enough. We started our show... We talk about systems administration, operations stuff, and it was mainly because I didn't find a lot of shows that really filled that niche. Some of them have shown up since then. There were a couple when we started. I feel like we do a pretty good job of it, but others do a good job too, and really it's just all part of an ecosystem. So one more voice in the crowd isn't necessarily nothing. It's beneficial. Bring your own perspective to the topic, whatever your topic is, and get it out there. And if people want to hear it, you'll have listeners or viewers. Then you want to choose a
format. So you could do, and what I mean by format is not media. We're going to cover that later. But what kind of show do you want to run? Is it going to be a how-to show? Is it going to be like a news show? Is it going to be something a little more freeform than that? Is it going to be an interview show? Did I cover that? I don't know if I covered that. Iron Sys Admin is sort of a combination. We do a little bit of news. We do a main topic where we just sort of put our opinion out there on certain things. And we also just have some general chit chat
and banter between a bunch of people that work in the IT field. Something like an interview show, like we've done an interview or two, and that may expand in the past. That's a great way to get content into a show that may be, you know, that way it's not 100% generated in your head. It's a conversation between you and some pro in the industry or whatever. But again, just make it what you want it to be. You don't have to stick to a certain mold, but think about what you want it to be before you start recording. That way you're not sort of scattershot and all over the place. The next is choose a medium,
and by that I mean, do you want it to be just audio only, like a podcast? Do you want it to be a video podcast, which is the thing that people are doing now? Do you want it to be just a plain old video channel of some sort, where you're making episodes of something? And it doesn't matter what those things are, it could be, like I said, how-tos, it could be, maybe you're making cartoons, whatever it is that you want to produce and put out there. But you want to figure that out at the beginning, obviously, because that informs a lot of how you're going to do it, how you're going to host it. And
then choose hosts. So I find this to be really important. I actually did not record a single episode of Iron Sysadmin until I found a co-host. Luckily, Jason was happy enough to join me once we figured out scheduling that worked for both of us. I don't feel like a show like Iron Sysadmin would be successful if it was just me talking into a mic, because I think it would get bland and I think it would get repetitive. And I find it to be a lot easier when you've got someone to sort of banter with, right? And it's a lot more entertaining that way. If you're doing something like an interview show, maybe you can do
that with one host. You've always got a partner that is the person you're interviewing. You have banter. Not to say that two or three people can't interview a person, but if you get too many people, then that could just get really chaotic. So I always use the example of like Paul's Security Weekly. They've got a bunch of hosts that rotate in and out, and they do interviews with, sometimes just with Paul or with one or two people, or sometimes they do it with three or four people. And sometimes it gets really chaotic and hard to follow, and sometimes it's really well put together. And he's been doing this forever. He's got a whole series of
shows. So it's just, you know, another example. Make sure your hosts are dependable, or at least that you have enough hosts that you can always get at least one of them around to record a show. We have skipped episodes of Iron Sysadmin because I couldn't get hosts to show up on a given night. And it's fine, life happens. I hate missing shows, but whatever. I'd rather have at least one co-host than just me sitting in front of the mic. Because I think it's just, I don't know, I don't think Iron Sysadmin would work with one host. And importantly, make sure you have a rapport with your co-hosts. This is just a quick screen grab from
one of our, we record live on YouTube, so people can watch us live when we're recording. And this is just a quick screenshot from one of our sessions. You can see everybody's smiling, everybody's animated, and I think that's really important. If you have dry co-hosts, you have a dry show. So the folks that I co-host with are people I've known for years. In Jason's case, I think I've known you, what, 20 years? We carpooled for a long time before we ever decided to make a show like this. So we've had a lot of conversations. I knew that we could chat together. People we've added in since then are just people that I consider friends, not just co-workers or professionals in the industry. I think that's important.
Otherwise, you could end up with just a bunch of arguments on your show. You could end up with a dry show or a show where things don't flow as well. That could be things that we do sometimes, but there are things we disagree on. So, you know, that's fine. So now, you've got the checklist. You've got A unique topic you've agonized over for months. You've got a format, you've got a medium, and you've got a host. Or hosts, I should say. So, what do you do now? And this is the part where things get a little murky, right? Getting all that stuff together is relatively easy. I think I threw that together in a couple of nights. The next thing I did was I tried to
pick out, like, a theme for the show and whatnot. But you don't necessarily have to do that right off the bat. You can just start recording with the microphone you've got on your headset you use for Skype calls, or the internal microphone in your laptop or whatever, and just get on a call with your co-host or get on a call with the people you're interviewing and just start recording. I don't care yet about the quality. I don't care if you've got syndication on iTunes and all the other places where people get podcasts. I don't care if you even know you have an audience yet. Start recording. Get it out there. Let people know that you've got
a show. Let people start listening to your show. The biggest thing that I've seen when people want to start a project, whether it's a show or anything, is that they worry too much about how to get it perfect for the first show. And while that's okay. It's okay to come out the gate with an awesome show. I'm not saying you shouldn't do that, obviously. If you have the capability and you have the equipment, then do that. But if this is your first show, the first time you're trying to set something up, the first time you're trying to record something, you may not have expensive equipment. You may not have a mixer and a good mic and
a soundboard and great internet service, right? Just start recording something. When we started Iron Sysadmin, well, I'll talk a little more about how to get recording done. When we started Iron Sysadmin, I couldn't even figure out how to get a recording of an internet call. Just to, like, we were going to use Hangouts, right? I couldn't figure out how to get the audio out of Hangouts onto my machine. So we ended up with a workaround that I'll talk about a little more later. Some, well, like I said, we'll talk about that later. This is the first video that I made for my YouTube channel. It's literally me sitting at my dining room table, recording me, myself, working with some paracord on the camera on my tablet. Okay, and
I can't play it because we didn't arrange sound and whatever. Basically, I'm not in frame. You can't see my whole face. I mean, the whole point was to show the paracord, but whatever. It's blurry. It's bad quality. It's just not a great video. You really want to... No, it's okay. If you want to see it, go look up my YouTube channel. It's one of the oldest videos I have up there. Another video that I did was I had bought this portable tire changer. I don't think anybody's ever changed a tire. I don't just mean change a tire off your car. I mean actually unseated the tire from the rim, the thing you normally pay a professional to do. Well, I had this idea that I was
going to try to mount my own tires for my Jeep. And I bought from Harbor Freight. Anyone who has ever worked with, like, cheap tools will know what I'm talking about, Harbor Freight. They sell anywhere from, like, cheap crap to, like, decent tools for a good price. And you never know what you're going to get until you've bought it. So I got this cheap $20 manual portable tire changer, which is basically like a post that stands this high and has a flat surface to put a wheel on. It's got this big breaker bar, and you can unseat a tire and reseat a tire. And I thought... I'm going to record myself learning how to use
this thing and I'm going to make a YouTube video out of it and that's going to go up on my YouTube channel. I mean, not a great video. I think I recorded it on the same tablet I recorded this on. It was hanging on the wall in my garage. The sound isn't great. It was a really long video, which people say you shouldn't really do on YouTube, so I had to cut it down. I was using open source to do the video editing, because I didn't have any money for expensive editing software. The video came out, I mean, not great. It could have been worse, I suppose. And I didn't know what I was doing.
Not just on the recording part, but using the dang tire changer. I changed one tire, and then I recorded the second one. It's like, well, I don't know. I don't know how to describe it well without making myself sound terrible, but... I'll just say that it's not a great example of how to use this thing. It is the top viewed video on my channel. I have like 15,000 views on this thing. The next video I have is maybe like 3 or 4 thousand. People either love it or hate it, and they all talk about it. There are hundreds of comments either telling me what a moron I am or thank you for making this video to
show how the average person could change a tire. So that's the sort of viewers you're going to get. But the point is, I didn't agonize over getting a 4K video camera before I recorded my first video. I just made the dang thing and put it out there. So that leads pretty well into how the heck do we start recording. And of course, this depends on a couple of things. One, whether you're doing an audio show or a video show, and two, how many hosts you're going to have. So in the case of an audio show, like I was hinting at before, getting yourselves all on a Skype call or a Hangouts call or whatever and
doing a show is relatively easy. Just take some time, start talking about something. Recording it, I found to be less intuitive, or at least two years ago when we were doing this. Free services generally didn't offer a way for us to have a call and then quickly download a recording of it. I know some do that now, but at the time... Like Skype, for example. There were these third-party tools you could use to record Skype calls. It seemed kind of hokey, and I heard from other podcast hosts that it was hit or miss. It didn't work well, or it worked well, but you had to pay for it to get it to work well, or
whatever. And we were trying to get this started with little or no money out of pocket. So what we ended up doing, if anybody's familiar with the Defensive Security Podcast, Jerry Bell, I had chatted with Jerry Bell years ago at DerbyCon, so I kind of had a little bit of a relationship with the guy, and he had just recently started up a Slack channel. So I went out on a limb and I just asked him, "I want to start a podcast. How would you recommend I record?" And he suggested this, looking back at it now, I don't know how we ever survived this way. He suggested this idea where Jason and I both get on
a call, fire up Audacity or something on your laptop, because your speaker, your microphone goes into your laptop to get to it, and just record yourself locally. Because that'll record your input, but it doesn't record what's coming back out of the call. The trick is you have to get yourself synchronized. So I'd be recording me, he'd be recording him, to get the conversation synchronized again. We did this weird thing where we would count down from five. He would go five, I'd go four, he'd go three, or I'd go back and forth. And then after the show was over, he'd have to upload that to me, which would take half an hour, depending on how long of a show it was. And then I'd have to stitch this together. And
once it was stitched together, I'd have to edit out any mistakes I thought we made. I'd have to put in intro music. I'd have to put in any transition music we used, which I don't think we were at the time. Outro music, you know, it ended up being a two-hour production after the show was over, just to get the show back out. So we pretty quickly upgraded, and I'll talk a little more about that when I talk about how to improve afterward. But the point is, we did it, and our first dozen shows or so were produced perfectly... produced that way. Maybe not even a dozen. I think I was really sick of that procedure
pretty quickly. As for the YouTube channel, like I said, I started, when I first started really making videos, not the two examples I just gave you, when I finally decided, like, I'm going to make a thing out of this channel, I used just a handheld camera that we had already, didn't even do 720p, and that's what I was using on a tripod that I had that was like 30 years old that I found in the attic. No sound gear, just set it up in the garage, start doing a thing. Again, that I've also improved over the year and a half or so that I've been doing that channel. Right, so this I sort of already
covered, I'm sorry, it's kind of a repeat slide, but basically get yourself a mic of some sort. It could be the internal mic on your laptop, it could be a headset. We started... For our mics, let's see. I had a gaming headset from Kensington, I think it was. I still use the headset today because the headset's nice, but the microphone was like a detachable thing. Just a plain old gaming headset that was decent quality. And I think Jason was using a Bluetooth headset that was a couple years old. And you could tell the audio quality difference. We actually had listeners write in and say, like, you sound great, Nate, but Jason sounds terrible. I don't
know what's up, but you should improve his stuff. And that was like a running gag for a while. And it was because of the Bluetooth mic. I'm sure there's high-quality Bluetooth mics out there, but for whatever reason, the one he had, and I had the same one, and I didn't use it because I noticed this before I started recording, it sort of digitizes your voice. And when you had the analog mic I was using compared to his digitized voice, you could tell the difference. You could absolutely tell. If we were both using digitized mics, it probably wouldn't have been as noticeable. But mine was like plain old RCA jack analog. Sound pickup is just a
little bit... We'll fix that later, and I'll talk about that when we talk about upgrades. Recording conversations I sort of already hinted at. Like I said, this wasn't straightforward. I thought it would be easy. I thought it would be like, oh yeah, just fire up a voice call, and there must be some way to record it. Can't I just hit the record button on my laptop and get it all? Well, it doesn't quite work that way. We ended up, once we decided to do live shows, we ended up using Hangouts On Air, which is basically how you do YouTube Live. So, Iron SysAdmin has its own YouTube channel and all we use it for is
to do a live show every time we record. And like I said, I'm sure there's services out there that will let you record your calls. Look into that. If you're going to start a show and you don't want to go through the craziness I just described with the two recordings, see if you can find a place, see if you can find a service that will let you just record the audio and output it. I'm sure someone exists, but I just didn't find one readily accessible when we started Iron SysAdmin. Recording videos, like I said, just start with what you've got. I mean, I know a lot of YouTubers that are very successful now who started by recording on their iPhone. Get a video, make it as best you
can, stabilize it somehow so it's not all shaky and weird, and just do the best you can with what you've got and start producing videos. And if your channel catches on and you start making money or you get a sponsor or whatever, you can upgrade later. I still don't have really good camera equipment for my... I actually use my smartphone sometimes. I have a couple GoPros. I've got about that little more too. But I've got a couple GoPros that I can use for different angles. GoPros are great for this kind of thing, at least for that setting, because they're durable and they have the nice wide view, so you don't have to worry about whether
you're in frame or not. Some people don't like the fisheye look. And then, once you've got your show established, you've got some listeners, maybe you have income. I don't know. Like I said, none of our shows make money yet. Then start thinking about what to improve. In our case, the first thing was the mic. So we wanted to get Jason a better mic, so he ended up buying himself the same mic that I had, which was an Audio Technica. It does USB or it does XLR. So USB can go right into your computer. It works just like any other microphone, and it's good to go. I ended up putting in a mixer, and then I have an input for a tablet to do like a soundboard on,
and then I bought a voice recorder that the whole shebang outputs to. So the whole show gets recorded out of the mixer, right? So my mic goes XLR into the... XLR is those three or four prong mics you see, like, professionals using. That goes into the mixer. The output from my PC goes into the mixer. The output from the mixer goes back into the PC, so this gets confusing, right, so that the people on this, on the Hangouts call, can hear me speak, because my mic goes into the mixer, not the PC. It's all kinds of convoluted, but the point is the mixer gives you the control to do that kind of stuff. I can
set it up so that input from my PC gets out to the sound recorder but doesn't go back to the Hangouts call, because that would cause an echo for all the people on the call, right? So that's not a good thing. You don't want to have an echo. It makes it sound weird, especially for the people watching live on YouTube, right? So, but yeah, that works out really well. And the little sound recorder is literally like, it's like the size of this thing. And I just plug the output of the mixer into the recorder, and then if I want to take that on the road, like if I'm at a conference and I want
to do an interview with somebody, I can just take the sound recorder with me. I can even plug in an external mic if I really wanted to, and I can get the same quality recording just right there in my hand without all the extras. And like I said about the cameras, I think I already... I'm still not up to 4K cameras and whatnot for my Jeep stuff, because 4K cameras are expensive. I just really like one for lots of things, not just my YouTube endeavors, just to record life with, you know? So, yeah, I got a couple GoPros to get angles, and I already said that. Hosting was not as difficult for me as it
might be for some people, because of the IT credentials that I've got. I've done web hosting for, like, half my career. So it really wasn't that hard. I already had a website stood up. It was running on Drupal, and I decided to host the podcast Iron SysAdmin on that, which was not as easy as you might think. Drupal isn't... Drupal's great, but it's really freeform, and it's not as easy to use as something like WordPress. I was able to make it host the podcast. It was a lot of work, and I needed a lot of knowledge of how Drupal did things to really make it work the way I wanted it to. So
I would recommend, unless you've already got a Drupal site set up, you probably want to avoid that for hosting your podcast. And as much bad press as WordPress gets, you just make essentially a blog entry and attach an audio file to it, and your podcast is published. Simple as that. It already has built-in RSS feeds, which I'll talk a little more. I'll do that now. The RSS feeds, getting it syndicated and whatnot, I'll talk a little more about. That's like iTunes and all that stuff. iTunes and Google Play and Stitcher, they all want a certain format to your RSS feed. Google has a service called FeedBurner, which if you've ever subscribed to a podcast, you've
probably used the FeedBurner URL to do it if you've done it in an RSS feed. FeedBurner cleans that all up, adds your logo art to it, adds all the metadata that all of these various consumption places want, and then publishes it back out for you. It even keeps some metrics for you. So that's handy. And WordPress and FeedBurner, they just work really well together. If you don't have a site already and want to figure out how to host it, I would say use WordPress. And you can pay someone to run WordPress for you. If you don't want to be a web administrator, just go someplace that hosts WordPress. You can find them all over the
place for like $5 a month WordPress hosts.
Right, so I already sort of covered this. This is almost a duplicate, but basically publish the RSS, let FeedBurner clean it up for you, and then you can syndicate that, which is something you get in a feature. Professional services for podcast hosting. I haven't gotten here yet, but I know some podcasts that have. If you want to avoid all that and you just want to spend about $80 a month, let a professional host your podcast for you. You can do that with places like Libsyn, and I think there's a couple others where you pay them. They give you a website to host show notes and whatnot on. They give you media hosting for your audio
files. They give you metrics. You can pay them a little extra and they'll make you like a mobile app for your podcast. Like they have all kinds of these extra value added services that you don't have to worry about if all you want to do is record and publish. So, Libsyn's one of them. I haven't looked into a lot of them because we're just not there yet. What we do is we host on WordPress, and then I had a couple complaints about the download speeds for our shows because it was hosted on a server in my basement. We ended up putting them onto an Amazon S3 bucket, and then from the podcast, from the WordPress
site, I linked to the show on the S3 bucket, so when people download the show, it comes right from Amazon. It's super fast. That, of course, costs money. We're spending like 30 bucks a month right now on hosting our shows. That goes up a little every month, obviously, because you're paying for bandwidth and you're paying for storage. Once that gets closer to 80, 90 bucks a month, I'm probably just going to throw it at Libsyn because I'm going to be paying that much anyway. I may as well get the benefit of having a professional hosting service. I don't know if we're going to get there anytime soon, but when we do, I think that's what
we're going to do. So there is value in spending that money, as long as you're not trying to do this on the super cheap, which is how we started Iron SysAdmin, because I do everything on the super cheap. Video hosting, this one's not quite as mysterious. If you're going to host video, just use one of the platforms that exist. There's YouTube, there's Vimeo. I've seen a lot of podcasts showing up on Twitch. I don't know what the attraction is to Twitch, but a lot of, especially live shows, are showing up on Twitch. I don't know if it's because these people are gamers and they like Twitch because it's the platform they use to stream gaming and
they just think, oh, I'll do a podcast. Or if it's really that much better for it than YouTube is, I can say that YouTube is convenient, but you're their product, like any other Google property. Getting money out of your YouTube videos, like in the case of my YouTube channel, not Iron SysAdmin, because Iron SysAdmin, I don't expect to make money from YouTube. It's just not that kind of channel. It's really just to facilitate the live shows. But my Jeep channel was... monetized for a short time, and then YouTube changed the game. They changed their monetization model, and they basically just took it back away from me, which was really annoying. But they're happy to show ads in your video, and
they're happy to collect the money for those ads, and until you hit their thresholds, which are now really hard to hit for small channels, you know, you never see a dime. Once you get to their thresholds, you get, like, fractions of a dime. So I always, whenever I run into someone who's like, "Oh yeah, you run a YouTube channel. I want to be like a rich YouTuber." My first response is, "Nobody makes money on YouTube." Because, yes, people make money on YouTube, but this many people make money on YouTube. The people that are famous, Logan Paul and whoever else, they're making money on YouTube because they're this big. Little guys don't make anything on YouTube. So
if you're trying to pick a platform because of its monetization, YouTube might not be a great choice. Now, we can talk a little more about how to augment that with advertisers or whatever. Then syndication, I've already hinted at this. If you're running a podcast, you're going to want to get it on all of the big podcast platforms. The ones that we do for Iron SysAdmin are iTunes because, sorry, Apple Podcasts, they've rebranded, because everybody, if you have a podcast, it's got to be on iTunes, right? They're like the podcast game. And then Stitcher is all about podcasts. Some people have never heard of Stitcher. Some people have. Some people, that's the only place they go for shows. And if they're not on Stitcher, they don't
listen to them. Whatever. So you'll want to be on there, too. And then Google Play Podcasts, I did just because it seemed like a good idea. I don't know how many viewers we really get from Google Play's podcasts. It's there. And that's all from that RSS feed I said that's on FeedBurner. Every single one of them, I point to the FeedBurner URL, and they just do their thing. There's almost no work that you have to do to make sure that... Every now and then, you'll want to check in and see if you've got any reviews or whatever. But as far as getting the show listed, once you get it accepted and they're happy with your
URL, with your RSS URL, it just works. And this is important, I think. Especially with a YouTube channel. So imagine that you're watching cable TV and there's a show you watch every week on Tuesday night, 8 p.m. You're going to tune in every Tuesday night at 8 p.m. to watch it. Now I'm going back to the days when on-demand wasn't as easy as it is or you didn't have a DVR, right? People have just come to expect that from any content they consume. So if you're going to make a show live, you're going to want to do it at the same time roughly every week or every other week or whatever your schedule is. You
don't want to stick to the schedule. If you have to, you have trouble with a certain night, don't get too stressed out. You know, so last week, two weeks ago, I think it was, we were supposed to record Iron SysAdmin and stuff came up and we just couldn't get the hosts together and whatever. Like, all right, we'll record Thursday and then Thursday didn't work. Okay, we'll record Friday. Friday didn't work. We ended up just skipping the show. Because that's the way it generally goes. You know, I've got Wednesday night picked, and if we miss Wednesday night, probably there's a 50-50 chance we're going to record it later in the week. Generally, it just doesn't
happen. But people are going to want consistency out of your show. So if I'm going to go subscribe to a new podcast, if they've got one show listed there and it was from two years ago, I might not even bother subscribing because... They don't appear to be consistent. They don't appear to have a lot of content to listen to. Maybe that one show is awesome and I'll listen to it. But if they've got two dozen shows that are consistent over the course of several months or weeks or whatever, I'm going to be more likely to listen to their show just because it's... Just because it shows that they're actually there to produce something that they want to produce, and they'll have repeat content out of them. With a
YouTube channel, it's even more important because the more consistency you show on a YouTube channel, the more likely YouTube is to recommend your channel to people. And this all comes down to Google's mysterious algorithm. You'll hear YouTubers talk about the algorithm as though it's like this god they have to appease. But basically, what it really comes down to is if you want your videos to show up in YouTube search or if you want to show up in that little suggested YouTube viewers or suggested videos when you're watching a video, you need to have, your channel has to fit a certain... It's got to have content. It's got to be consistent. It's got to have a
lot of viewers. Your videos have to have a lot of likes. People have to be commenting on your videos. You have to make it look like you're engaged. Otherwise, YouTube ignores you and no one sees your videos. No one sees your videos, you don't get subscribers. You don't get subscribers, you never get money out of your... So, it's annoying to have to deal with all these weird constraints when all you really want to do is make content and put it out there. But if you don't do it, you don't get what you want out of your channel. If you've got a channel and you're producing content, I'm assuming you want people to see it. Otherwise,
why would you be doing it? It's unfortunate. And there are probably hundreds of YouTube channels that just talk about how to be successful on YouTube. So, it sounds kind of meta. There are people that sell... services that they'll come in and help you build your YouTube channel so it appeases the metrics that they want. It's kind of mind-blowing. And that comes down to making money. Personally, I don't love when I'm listening to a show and they have to take a break for ads, but now I understand why they do it. Because it's your time, it's costing money to run the show, you're buying equipment or you're paying for hosting or whatever. Some people can afford to just pay that out of pocket, and that's what we've been doing
so far. It's really nice to make a little bit of income on that, so that you can really produce the best show that you can produce. The sort of stuff I'd be doing, both for Iron SysAdmin and for my Jeep stuff, if they had income, would be a whole different game. Because I'd actually have income to put back into the channel. It's just like running a business, except a much smaller scale. As a business, you've got a lot more expenses to deal with. So yeah, a few ways that you can make them without advertisements is built-in monetization, like I already talked about, with whatever platform you're on. That's mainly something like YouTube. I don't know
if Vimeo and I think Twitch does something with subscribers. When you subscribe to a channel, there's actually a monetary component along with that. But Patreon is what I've been using for both of my channels. My Jeep channel has zero patrons. Nobody's given me any money to do what I do. I wish they would, but... Iron SysAdmin, it sort of ebbs and flows. We were up to like $30 a month we were getting out of it. That's dropped off because people are potentially donating to you. And unless they're seeing a lot of value there, that tends to drop off. So it's gone up and down. I think we're at like $10 a month now. But that's
one way to do it. I know some successful podcasts make a couple hundred bucks a month out of Patreon. And that would be plenty to run a podcast. Not a lot of expensive stuff that goes along with running a podcast. So anyway, that's most of what I got. If you have any questions, you know, feel free. This is me, where you can find me and the channels that I talked about during this talk. So if you have any questions, shoot, we still got some time left. So I haven't really approached that because we've made so little. I think if you were making a decent amount, yeah, you'd have to report that on your income taxes. At that point,
I don't know if you want to incorporate the podcast or something so it's its own entity. I'd imagine if you're big enough, that's the way to go about it. But yeah, I can't say I'm a tax expert, but I can say that if we were making hundreds of dollars a month on the show, I'd probably be reporting it to my accountant at the end. That I don't know. I hope it doesn't burn me. Like I said, we're making so little, it's more like pocket change, right? So with the mixer and everything, podcast night is about three hours for me. We'll start around like 6:30 or so, and then all the hosts have to get together, and then we're generally live by like 7:00 or 7:15, and then we record
for anywhere from an hour and a half to two hours, and then maybe an hour after that, I'm editing, because the output from the mixer is almost ready to go. Basically clean up the audio a little bit, edit out stuff that was obvious mistakes or gaps or like we made a mistake that there was something said that shouldn't have been or whatever, you know, we'll edit that kind of stuff out. The YouTube, the video, we leave public afterward. However we record it, it stays up there unless somebody makes a really big mistake, which we only had once. One of the guys who's now a co-host was on and he said something about another person that
he knows about how they were doing a thing technology-wise. And after the show, he's like, you know, I don't mind if you leave it in, but can you edit this one little piece out? Because I think that was data that was something that they wouldn't want published. So in that case, I went and I de-published the live stream, downloaded it, which YouTube lets you do once you've recorded it, edited that piece out with a video editing app, and re-uploaded it. And I, of course, edited it out of the audio. But otherwise, not a whole lot of editing that goes into the show now that we have the mixer and all that. Everything just comes out
of the output of the mixer, ready to go, almost.
Sure. So I started with, so I'm generally a Linux guy, even though I'm running this MacBook. I started with an application called Kdenlive. It's a KDE open source video editing app. And it worked okay. The UI was kind of horrible, and it would crash every now and then. I'd lose the work I was working on. So I started looking for a different one. I upgraded to another one called Lightworks, which is a little more popular. You can actually pay for this one, or there's a free version that'll do only up to like 720p, it doesn't do high def, or true high def, or 4K. That worked pretty well. That also runs on Linux. I would
have stuck with it, but I did run into a couple issues with it. The UI still wasn't great. You'll notice a trend. When it's software that you can get for free, it's generally not as intuitive. Eventually, I realized that through work, I had access to Adobe's suite of applications. And I started using Premiere. I checked with work first to make sure it was okay for me to use it for a non-work related thing. And they're like, "Yeah, you know, go ahead. As long as it's on your work laptop, go ahead." And it changed my life. Adobe Premiere is night and day different than any of the free tools that I use. I'm not saying you
should rush out and spend all the money on Adobe Premiere, but if you have the means, I also use Adobe Audition now for the podcast editing, which isn't quite as night and day. Audacity was a pretty good app, I'll have to say, and that's free. Metrics is a hard thing for me. I'm not good at this sort of thing. I can tell you that we have what could be thousands of people downloading the show. Like, that's just from the metrics that I get out of S3. I have a sort of other service called S3stat, which just... It basically gets you like weblog analytics out of your S3 bucket. I don't know if those are bots.
I don't know if we really have thousands of listeners. It doesn't feel that way because we don't get a lot of feedback from people. I do say we have a decently strong listener base and we have people tune into our YouTube channels and whatnot or the YouTube channel to watch us live, which makes me feel like people are really listening and they're tuning in to really see us do this stuff. I can say that on the YouTube channel, after the live broadcast is done, almost no one goes back and watches the videos. Maybe it's because the channel is small. Maybe it's because I don't tag them well. I don't know. But people aren't just stumbling across our shows on YouTube. Yeah, I can say that we
have listeners. We have more than one or two. I have trouble believing that we have thousands, even though that's what the statistics from S3 are telling me. So that's another thing that something like Libsyn would help with. They put the work into getting meaningful statistics to the podcast owners. Is the mixer in the sound recording? How are they or what are they? I want to say that... The mic, mixer, and the audio recorder might have run me, if I had bought them all at the same shot, might have been like $300. The mixer was under $100, if I remember correctly. The mic was like $80. The sound recorder, believe it or not, was like $110. That was the most
expensive piece out of the whole thing. And all the cables to connect everything might have cost me another $30 or so. Yeah, it's not terribly expensive. It was enough that I had to think about it before doing it. Going twice? Okay, we're good. All right, thank you, everybody, for coming. I'm glad people showed up to this talk.
I'm glad you liked it. This goes in here. There we go. The mic we ended up with is an Audio Technica. The Kensington was the one I was using when we started. That was just the... You're going to look at it, and you're going to go, that's it. It's the fake chrome on these things and everything. I'm like, it's another podcast. I've used it even just for... It was like $110. If you talk to whenever they're on site. Yeah, right. I'm a
Hey guys, my name's Matt. Today I'm going to be giving my presentation on why we as a security community should be moving towards more of a direction of being multidisciplinary in our knowledge and being an expert in more than just one field. So, like I said, my name's Matt. I'm going to Del Tech Terry Campus. I'm a freshman right now in ITN security concentration, and I like rock climbing, paintball, and physical security. All of us, I'm pretty sure, can remember in spy movies how they can always somehow just get inside of a building, go into a broom closet, find like duct tape and some cat hair and a light bulb, and somehow they can blow a
hole in a broom. So this whole idea is that these individuals are trained in multiple different areas. For example, they have like their trade crafts or their spy techniques. Maybe they have some chemistry background in the terms of like MacGyver or Burn Notice with Michael Westen. All these people are experts in multiple areas and the whole idea is becoming what's known as a polymath. What is a polymath? A polymath according to Wikipedia is a person whose expertise spans a significant number of different subject areas, drawing on complex bodies of knowledge to solve specific problems. And I think we can all agree that in security all of our problems are extremely specific. It's all about locking
down ports and protecting our infrastructure from external attacks. They're trying to either steal our information, destroy it or get someone hurt in the process by taking over the systems. Why might you want to become a polymath? The meat and potatoes of this talk is all going to be about how you can start going in that direction and hopefully trying to convince you that this would be advantageous for you as a security professional. Now keep in mind, I'm a freshman in college, no idea what I'm doing, so take this with a grain of salt. So the pros and cons of it. As a polymath, you're going to have a very unique view on the world because
you're going to be able to pull from, say, mechanical engineering or politics or some other wildly distinct field that isn't specifically cybersecurity. You're not going to be just studying to be, say, a cryptographer or a web app pen tester. You're going to be able to pull from other areas and look at a problem and say, this reminds me of X, so I know I can do Y. You'll be able to most likely get a pay raise if you're good at your job the whole point of this. The only issue is that people may oppose you because you're going to be doing things that are counterculture for the most part. And the other thing is future-proofing
yourself. All this information is already out there. We have Google, the internet, it's massive. We have loads of information out there. Other people can already do this, so why not make it better for yourself to get ahead of the game? I'm going to talk about the idea of learning and how you as an individual can work through the process to become an expert in multiple different areas. So this is the idea known as the four stages of confidence. And breaking down in this pyramid right here, you have unconscious competence, conscious incompetence, conscious competence, and unconscious competence. And that pretty much states your level of skill in an area from something like a baby looking at
a car, not knowing what it is to say a professional NASCAR driver. Now keeping with that example of driving, unconscious incompetence would be, remember when you were a kid before you ever touched a steering wheel? You just look and you're like, oh, cool. My parents are taking me someplace. were just, you had no idea what was going on, honestly. Then if you moved up, when you started becoming a teenager, and we started doing, for example, driver's ed, you started becoming in this stage of conscious incompetence. You realize just how little you don't actually know. You moved from that stage of not knowing anything about it and not even having a grasp, to saying, I know,
I don't know all of these things about this specific skill set or specificity. Then, who's staying with an example after you got your driver's license. You were conscious in confidence. That means that you can do the task well, but it requires mental faculties. It took a lot of thought. Like that first ride home from the DMV, and you're just crying and praying that you weren't going to hit a car. And finally, unconscious competence would be where you can do a skill or competency without any thought process. Those would be like drawing on instincts. Like a hunter in the woods who's been doing it for years would know that those tracks mean there's a deer about
100 yards that way. When some random person, if you walk through the woods, would be like, oh, cool. There's something in the mud. This is where the goal is to be with being a polymath, because you're able to just look at a problem and, without having to think about it, know that you can do these things with this specific problem. Now, another thing with learning is understanding what's the best way to learn and what will help you retain the knowledge the most. Put out by the National Training Laboratories in Maine, broke down in rough methods what the retention value is of different learning techniques. Now, this is highly debated, and I don't even say that you have to agree with this model. I think the biggest thing
should be that it just gives an idea of what we can be doing as a community. The big thing is you want to start at the bottom of this pyramid. You want to make sure that you're doing. You want to make sure you're teaching and practicing and you're actively going out and working with the skills you want to become a master of. Because without that, you're ultimately just a textbook, no follow through with you. You want to write after every session you spend learning. Say you dedicate two hours a week in one block to say learning networking. I would suggest after that, write down and summarize it because that information will be connected in your
brain And you'll also have a journal that you can use to track your progress. So as you're going, you can say, I know on this day in January of 2017, I had no idea what subnetting is. And now, I made my own subnet calculator. You can show progress over time instead of having to say, oh yeah, I failed this the first time. Now I passed it. I must have moved up. It gives you more detailed and fine grained results over time. And another thing you can do is watch. So YouTube and conference talks are just an extremely, extremely useful resource. Because ultimately, if you're new to a topic, you're not going to really know what's
going on. So why not get some useful background on it, right? Watch people who are experts in this field and try to break down what they're doing. And also for topics where it may not be feasible for you to learn on your own. For example, say you're trying to learn warfare. You don't want to or your own troops in the process would be useful to see someone else's failures or success instead of having your own failures and success. And this can also follow through with, say, financial damage, ethical damage to your own. You want to be safe with what you're doing with the least amount of collateral. The other thing is you can watch videos
at two times speed. So even if it's at a slow portion, you're actively engaged the entire time trying to keep up with it. The other thing is if you come to a section that you don't understand, rewind it, play it back at one times, Honestly, just make sure that you're getting every single portion of that content that you're trying to absorb. And then finally, make sure that you're reading and listening whenever possible. I know that in the mornings, it's a really good idea to wake up with a book or some kind of content to get your brain flowing. On top of that, you can carry it anywhere. Say you're at an airport and you have
time to kill. You can read a book for, say, an hour instead of watching kids run around the airport and run amok. You can learn speed reading and the forms, articles, like I said, books. It's also a really good de-stressor for making sure that you're keeping your stress levels down so you can function at an optimum state as a human being. On top of that, you can pair audiobooks and physical books. You're getting your content through a visual medium, and you're also hearing it back in your ears with a better chance of retaining what you're reading and learning. In addition, everyone here has a job to work, right? That's kind of what we do. You
can listen while you're riding to work. You can listen during chores, during workouts. You're using time that would otherwise be wasted and using it to gain something. And even if staying with this model, say listening is only 5% retention. 5% over, say you spend an hour a day in your commute, five hours a week, however many that would be in a year, just growing over time, even 5% is more than zero. So even if it's not very beneficial, you're still getting retention. And even especially on new topics, Even just hearing the words over and over again and starting to be able to create connections between what you think they mean and what they actually mean
is beneficial to you over time. And also, with this, we want to make sure there are plenty of podcasts out there and lots of lectures. For example, even YouTube videos. We'll put lectures up on there, and you can just play that in the background whenever you're doing anything else. And also, make sure you're diversifying what you're doing. Don't just strictly do things. Don't just strictly read or something else. Because our brains contain information and they absorb it in multiple different mediums. And if you can maximize your absorption, you'll have the best chance of learning as quickly as possible. So you can become an expert in as many things as you want with as much speed
and efficiency. And also, make sure you're taking care of yourself. Because your mind rests inside your body. That means you want to make sure you're getting eight hours of sleep or however much lets you function well. Why don't you drink water, working out, eating well. Because if you can take care of yourself, you don't have to worry about nagging pains or issues within your own body. And you can focus on more important things, like figuring out how to cure cancer. Now I'm going to get you guys involved real fast so we can have some fun with this. I'm going to put some pictures up on screen. I want you guys to figure out in 30 seconds some different
connections between us so we can try to practice making connections between different topics. You guys ready? Anyone got any ideas? Okay, airplanes. Got anything else? Anyone else got any different connections? This one, the thing that I was getting at in like a real world situation is that Leonardo da Vinci actually created a wingsuit that was mimicked directly after birds. And if you look at like all different types of stealth aircraft, they're modeled directly after birds because of their ability to cut right through the air. Everybody ready for another one?
I like it. Anyone got anything else? During the Cold War, the CIA actually took on magicians to teach their operatives how to do tradecraft in the field with an audience, being Russian operatives trying to figure out what was going on in information exchanges. So now I'm going to cover some different accelerated learning techniques to leverage the fact that you want to be efficient with your time. If you're trying to become an expert in, say, mathematics, or you're trying to become an expert in, say, chemistry, or these different larger subdomains, you have a lot of content to cover. And the faster you can do it, the better it will be for you and less painful, hopefully. But first off, you want to make sure you can find community. Go out
to conferences like this one. Find local organizations in your area like OWASP or InfraGard or InfoSec specifically. Just make sure that you're finding people you can communicate with. They can not only motivate you, but they'll give you some type of-- they're going to make sure that you're actually doing the work that you say you're going to be doing. They can make sure that you're going out and learning the things that you want to. They're going to keep you accountable for your actions, and they're going to keep you accountable for your path you want to take. If you can get a like-minded group of people, that everyone can work together towards this goal. And make sure
you're setting goals for your knowledge or performance, depending on the skill. Because if you're just going in blindly, you're just going to wander a path that may or may not be effective. But if you know you want to go from point A to point B to C to D, and eventually all the way over there, be able to do any number of things you want in that subdomain, You want to make sure you're setting goals. It not only will motivate you, but it will also keep you accountable, like I was saying with the last one. It'll just make sure that you're pushing yourself. And with goals, you want to make sure that they're specific and
that they have a time frame dealt with them. Say that you want to learn Python, but you don't give it a time frame. You could do that in five years from now. You could do it next week. There's no urgency in it, and you're not going to be motivated. And also, make sure you're creating connections between different things. Because you call one idea, but with it, you're able to call other ideas in unison. And you can jump between different ideas rapidly. You'll be able to access the information that you have inside your mind extremely quickly. And the whole point of having this in security, that you'll be able to look at a problem that's going
on and know umpteen different ways you can attack that problem and solve it and protect infrastructure or whatever your end goal is with it, whether you're an attacker or a defender. I'm going to get into some specific methods And to start off, we're going to talk about the DIS method by Tim Ferriss. So this is a rapid method to pretty much get the main idea of a content area before you're diving in and really getting the nitty gritty of it and the specifics. D stands for deconstruct. So you want to determine the smallest possible unit to learn by. Like, say if you're using some kind of online learning content, you have modules, you have different
chapters. You want to break it down so you're learning a chapter at a time or a module at a time. Or for example, at Dell Tech, we use TestOut. So you'd want to go through one module at a time and make sure you're hitting all these concepts. Next, you want to interview or talk to experts to see what they find as the most important information in that content area. Ultimately, they're the ones who know what's going on in it. Then you want to select what 20% you should focus on. The general idea is that 20% of the content will give you 80% of the results. You won't be all the way there, but you'll be
the majority of the way there. And you can fill in that other 20%, or however much it ends up being in your content area. on your own time, but in a much more concentrated and confined matter, so it'll be more rapid. You also want to sequence it. So figure out what order to cover these blocks in. If you want to learn networking, you don't want to be learning about internet routing before you understand how IP addresses work. It's going to be in the horse before the cart. and then stakes. You want to give yourself some type of cost for failure. Figure out what happens if you don't get this goal done. If you don't figure
out what this new content area or process or whatever the information you're trying to gather is. It will give you motivation and it also will give you some type of urgency to say, I need to get this done or I need to work on this and I need to make time every week. Because the whole point of going towards a polymath is that this is lifelong learning. You're not just going to sit here, learn two topics, and be done with it. The whole point is to go out into the world and continuously be growing and learning. You should be learning as much, if not more, now than you should be in 10, 20, 30 years.
The whole point is to be lifelong learning and always growing as a person. It's not just some type of static goal. Next, the Feynman technique by Richard Feynman. This is really useful for determining if you actually fully understand a subject or not. What you do, you get a piece of paper, pick your topic, and then you write that at the top. So say using networking again, say I want to make sure I understand subnetting. I write that at the top of my paper, and I explain that topic as simply as possible, as if I were trying to teach it to a child. You want to determine your weaknesses in that. So what that makes you
do is say, I can explain this much of it, but this part's still kind of fuzzy, and this part I can't even hit at all. You can go back and refine in step three what those areas actually mean, what they, like your understanding of them. You're going to repeat that back and forth until you can fully explain this topic on such a simple level that anyone can understand it. And after that, you want to go back and start implementing analogies with that whole idea of creating connections in your brain. Say you reference an orange in your explanation of subnetting. You can connect many things over multiple similar subjects or objects. You'll be able to rapidly
pull ideas out of your brain just like that. You also want to try to make it fun for yourself. So game-based learning is new and on the rise and up and coming. For example, this is a screenshot of a game called Screeps. What you do is you control these little robots that spawn out of a little dot on the screen. But the entire control of the game is through JavaScript. Everything you do is controlled through a terminal or through scripting. This could be really useful, say, in a programming setting of teaching students how to learn JavaScript, because instead of having to say, oh, OK, make this calculator, or make this database query, or any different
number of subjects or topics or projects you could be doing, tell them you want them to be the best on your personal server. Cool thing. Buy the game. It's like $15 on Steam. And then you can host your own server. And it's run on MongoDB. And your students can just connect in. And it's always running around the clock because they're programming scripts, which means there's no real user interaction needed to be done with it. And you can also use it, say, in a larger scale setting to test different ideas you have about AI learning because it's compatible with that too. And just the whole idea of if you can find fun ideas and fun concepts
to make your learning more interesting, you're going to enjoy yourself more. And on that topic, specifically in our domain, make sure you're doing CTFs and competitions. Things like National Cyber League or Cyber Defense Competition or even like at these conferences how they'll have like pros versus joes or net wars from SANS. Make sure you're competing in different events that are actually testing your information security skills. The whole point of this is to make sure you are extremely rapid and extremely effective at determining what knowledge you want out of an environment. And right there from my teacher, he was talking about how either push you into the pool where you can do it yourself in terms
of learning from CTFs. And it's your best bet to get in there as soon as possible. Like for me, I'm a freshman. I did a US cyber camp over summer. These CTFs alone, like National Cyber League, have just been the biggest help. I didn't understand what Wireshark was or how to use it beforehand. And thanks to these competitions and having to learn what the tools do, I can semi-effectively use Wireshark to analyze web traffic now, which I never would have known before. It puts you in different situations that are more real world than saying, hey, write this paper, or hey, do this small quiz from a textbook that you may or may not be learning
about. Now, for really stubborn topics, I would suggest Anki flashcards. What they are, is they're flashcards online set up with audio, visual. So that means you'll be able to absorb multiple mediums at once. And I know a lot of people use these for, say, languages or things, like German, Japanese, Russian, any kind of language. complicated language. They're going to use this because it lets you really just absorb the content. It lets you pull it from different areas. Now, on the topic of working, I'm going to pull up a couple different Japanese methods that are really effective. For example, Kanban. What you do in the topic of learning, you figure out all the different skills you want to learn in that subdomain. Like using the dis method, you figure out
the different blocks you want to learn. Put them on sticky notes over in a to-do column. Then you have your "Do Today" column. That's what you're going to focus on in this specific time. And you could set it for any time from you want. Do this week, do this month. Just something where you're organizing it down by "These are my next goals." Have those over here. When you effectively start working on them, you're going to move them over to an in-progress area. And you limit this to, say, four to six items at one time. Because the more you divide your attention, you're wasting brain power by dividing between multiple topics. I think it's 5 or
10% you lose every time in concentration you're switching between topics. So if you really focus in, you'll be time efficient, but you're also going to be able to make really close connections between these different areas. And finally, going back to the idea of you want to be always motivating yourself to keep going. This is a lifelong thing. This is a marathon, not a sprint. Have a done category that shows you what you've already accomplished and what you can go forward and say, I've done all these things, which means I know No matter how long it will take me, I will get to this point eventually. Now, Kaizen is this idea that every day, if you
improve in very minuscule ways, you'll be exponentially better in a year or even in a longer scale. This idea says you improve 1% every day. For example, if you want to say have a goal of working out in the morning, the first day you just wake up early for when your time would actually start. The second day you put your shoes out. The third day you put your clothes out. And over time, because you're slowly ingraining small, minute details, over time it's going to just become a habit. It's kind of like if you're playing music. You keep playing one section over and over and over again. You slowly build up a song throughout the measure
by measure. You're going to know that first measure really well, and the last one might be a little bit shady or flaky, but you're going to understand the majority of that extremely quickly. And if you're only improving 1% every day, that's 365% in a year, which is a lot better than not even starting or being able to start but then stopping some point soon because you just don't know where to go from there. This is a really good technique you can pair with Kanban, which is the Pomodoro technique. It says you study for 25 minutes, take a five minute break, and you repeat that Pomodoro, that 30 minute cycle, one to three more times, and
take a 15 minute break. What that does is it keeps you moving quick, but also lets you intensely focus in that 25 minutes because you know you get a five minute rest. And in that rest, you can do whatever you want. Say you want to go text a friend, or go play solitaire, or go for a walk, or get some food, or something. You always have a little five minute break to look forward to so you know, even if you're intensely focused and you get frustrated on something, you have a break in the future. And then every couple of Pomodoro's, you can just take a long break and just get away from the subject and
then reconvene on it later. The other useful thing for this is if you're tracking your progress and trying to build yourself up over time, that Kaizen technique, you can just add another Pomodoro in. So say for one month, you're going to take one Pomodoro a day and learn about chemistry. And then the second month, you take two Pomodoro's and then so on and so forth until you have an amount of time that is reasonable for your schedule and your life. that still maximizes the amount of time you're spending every day or every week or every month learning about the subject you really intensely want to learn about. We're going to talk about this specifically in
the security fields now with all of that behind us. And specifically I want to talk about physical because that's what I really enjoy. I know that this is overall a cyber conference. Security as a whole goes outside of just the virtual environment. There are physical servers and physical machines that are being interfaced with. And if someone can get access to those machines, you're owned. Because they can do whatever they want to them. Whether that be reset the server or gain physical access to them and then escalate privileges. Visual skills for security professionals would be anything that one can focus on as InfoSec related specifically. So these might be good areas to start if you want
to hone in on your InfoSec skills first or if you find these really interesting. Like for example, forensics is massive and it's just constantly growing. They have things like cloud security now with the advent of cloud technology just growing and growing and growing. Where it's going. You have of course your red team and your blue team, so your offense, your defense. You have things like risk mitigation. Also you have computer science, that's where all of this came from. We're honestly just a small little niche portion of computer science. Because we're all either breaking things and figuring out how we broke them, take advantage of it, or fixing things, duct tape and super glue. That's all
we're really doing here. And just preventing it so that way people can't get access to data or information that they're not supposed to have access to. That's all our entire job is. We're banking on the fact that people are going to be rude and that other people need protection. There's also physical skills for security professionals as a whole. For example, you could look at the military as security professionals. They're providing physical security to a nation. Or you could look at cops, or you could look at security guards. any number of things that can go out and actually provide physical protection for your systems or physical protection for your assets. You have things like access control
systems and locks, so actually that human interface with it. You have imaging equipment so that way you can observe and really hone in on what's going on in that specific sector and should that be a threat or not. You have things like vehicles if you stay interested in that. Of course, there's always people trying to use vehicles to cause harm to other people. All the terror attacks in Europe now are starting to be with vehicles rather than just driving through crowds. How can you effectively stop that so that we can protect the public? That's, of course, an issue for us, too, because we're part of the public. If you say you want to learn personal
defense and take that to a more personnel security route, you have weapons, you have martial arts, you have fitness. Because if you can't run 100 yards, you can't really protect the president. Things like operational security and recon and escape and evasion and all these different skills that build up to more important, more things like things. You also have, say for example, social engineering. How cool would it be to just walk into any random building and be able to get into the CEO's office just with your mouth? Like, hi guys, and you just somehow get up there. Coolest thing ever. You have things like, say for example, public speaking. Being able to share your information with
other people and benefiting the security community by sharing what you learn and what you know. You'll be able to grow the community because if we can band together and share what we all know, It's like trying to take, say, password cracking. You put it out to 100 different computers. All of them are contributing, and all of them are helping back. So if we could all do that and make sure that we're all contributing back to each other, we can grow the community as a whole rapidly. And also, one thing that I really enjoy doing in my free time, making. Like learning how to interact with physical objects and take some random raw material and come
out with a useful finished product. And that can just really be, in my opinion, the most satisfying thing in the world. And then tying back in once more to the access control stuff, RFID and SDR. Upstairs right now, they actually have SDR going on in the wireless village. And they also have a lockpick village set up right now. So you guys want to check that out. I don't know how much longer it would be open after this. But maybe just give it an idea, give it a shoot or something. Like I was saying, I absolutely love making things. Specifically for security, maybe you want to look at soldering electronics because computers are developed on soldering
electronics. Those massive, like, full-room computers back in the '80s. or just giant capacitors and tubes that were doing all the transisting. Now, it's simple and easy for a home user. You have things like Arduino, you have Raspberry Pis, you have BeagleBone. All these different, like, $35 components, buy off the internet and go learn about machine code or learn about binary or figure out how to say with a Raspberry Pi, make a pie hole so that way you have your own personal VPN. Because the better you can understand these topics at a lower level, the more you can understand how to exploit them. And then you have things like, say, 3D printing. That would be useful in conjunction with the soldering electronics, because you can create cases for your devices,
or you can put them together and see how you can fit together and use the pad and all those different designing softwares. You have RFID and SDR, because ultimately, we share an absurd amount of information over the radio waves these days. Like our phones, we have NFC. We have all kinds of self-communications. We have Bluetooth. We have Wi-Fi coming out of them, going to them. and all these different things that interact with them. For example, how easy it is to crack WEP. You literally just point something at it, and boom, it's gone. And you're in. There's so much information being shared over radio waves. And even outside of that, you have, for example, restricted radio
bands. So say you want to get your ham license. You can interact with more things. Or say you want it to go out and play around with little access control cards. And then finally, this one's kind of a weird one, but music and photography. If you find these hobbies interesting, learning to use them can be really useful in social engineering engagements. Learning any kind of physical skill that can get you in a door or in a back room. Say, for example, you're doing a pen test in an area where they have news equipment set up. You can pose as a film crewman and go in there. And if you know what you can talk about and you know the subject matter, they're not going to be able to
just shoo you away real fast because you're going to try to turn the camera on and end up turning And the other thing is, you can hide electronics in other devices, or you can hide stuff in any kind of equipment. For example, in guitars, you can hide any kind of small electronic in the neck of the guitar. You can put them in acoustics, in the big, large drum. You just close it up, or even with objects inside of, say, the bell of a trumpet or the bell of a trombone, and it will be more obfuscated in terms of scanning of that object. And it ultimately just gives you more covers for, say, social engineering. And
that could go to other topics, too, and other skills that you may want to learn. But these are just two that I thought of off the top of my head. And then there's some other things you may want to look into. For example, these are things that aren't specifically security-oriented, but they will allow you more areas to pull from in your search of trying to Grab more ideas from different areas. For example, material science or physics. You could be able to say look at a server room and know that that wall, that's drywall, right? Go right through it. You just punch a hole in it and you can get to the other side of it.
Say from a destructive physical security side, you would know that putting a server room in something not made of gypsum would be more useful, because someone can't just drop right through from the other side of a wall and compromise your systems. Maybe if you have really high-value data storage, that would be useful in that situation. Or say, for example, high-level math, pulling back to that computer science example: being able to better understand what's going on on a smaller scale by understanding the fact that all computer science was just really advanced math back in the day. We're just looking at different comparisons and different contrasting statements.
Specifically for cybersecurity, it would be really useful to know your laws and know what's going on in your standards in that sector. It is the best thing to cover your ass and make sure that you're not going to go into an engagement and then have a book thrown at you because you did something outside of your rules that isn't covered. If you know that you can do X, Y, and Z, and you know for sure that's fine, and someone tries to throw the book at you, you have your cover, you'll be safe, and you won't be spending three to five years plus in jail for something you didn't even really know was going to happen.
And also, just pulling back to some other things, say, for example, you want to learn more about chemistry or you want to learn about architecture. These are things that also have real-world implications. You could have backup plans for your job. Say InfoSec doesn't pan out for you. Want to try cooking? Go be a chef. I mean, we're all people here. We all need to make money. It's useful to have more than just one idea. Like the whole part about this talk, being a polymath and being able to pull from multiple areas: you want to have backup plans. You want to have redundancy. That's what keeps you safe. That's the same thing in security, how you want to make sure that you can pull from as many topics as possible. That way, you can attack every problem with as much ferocity as your attackers can. If you're blue teaming and you're only coming at it from one specific point of view, say the majority of education is coming at all problems from this angle, you still have the rest of the circle to deal with. You still have people over in, say, Russia, who have completely different philosophical ideas, and their societies are structured differently, so maybe they would come at it from a different angle than you would. Or they have different skills that would make them attack a problem a certain way that you haven't thought of yet, or that hasn't really occurred to you as something that could be useful. The whole idea is that systems are just built, and there's nothing we can do about that. There's always some way to get around something. But the thing is, if we can figure out how other people are going to be getting around those systems before they can do it, we can get there before they can. And we can stop them from compromising our systems before it actually happens.
Do one more thing with audience involvement. This one's kind of weird, and I'm interested to see what you guys have to say about it. You guys ready? That's very true. You ever got anything else? Wi-Fi and tank shells, since they both penetrate through objects, right? They both deal with the same kind of idea, which is the angle of impact and the penetration factor through that object. For example, at 90 degrees perpendicular to a surface, four inches of, say, a wall or armor is four inches if you're hitting it at 90 degrees. If you're hitting it at 10 degrees, that four inches in Wi-Fi, and in the same area with tank shells, becomes close to two feet. The shallower your angle of impact with any kind of surface, the greater the path through that object will be to the other side. And that's why to be careful, say, when you're placing Wi-Fi routers directly on a wall, and you're trying to, say, post Wi-Fi up through this wall and into a floor right above it, you could be coming into interference issues. And the same thing with tank shells. Say there's a tank right in front of me; if I slant my armor to the side, there's a better chance it'll try to penetrate my armor, but it will be ricocheted or stopped by my armor instead, because it's not going to be able to go all the way through it.
And that's the end of the talk. I hope I've convinced you guys that learning more than just your little niche sector of information security would be useful to you in the long run. Because if you can be a subject matter expert in, say, your own little made-up world, and your own little made-up world can get you a $20,000 raise, it may be worth it. You can figure out how to make yourself a better employee so you can stay employed, so you can go to companies you want to work for, and you can just, throughout your entire career, advance like you want to. You make yourself more profitable for your employer, and you make yourself better as a whole; you're going to ultimately reap the rewards for it in the end. Our field is constantly changing, so why not try to stay ahead of things? You're going to be learning about the new and up-and-coming things in your specific niche. Why not learn about more areas?
You can also, say with your boss, be able to go to them and say, like, hey, I know this is happening in a completely unrelated field, but we should do this because of it. And you'll stand out to them more. On top of that, you can also just go to a conference and say, hey guys, guess what I can do? What a giant list of everything here in Nevada. If you guys have any questions, I'm going to post up some different resources I would suggest you guys look into. Like I was saying, make sure you guys are going to conferences. Make sure you're competing. And there's also different community outreach organizations, like InfraGard or OWASP. Books are a really big help. Humblebundle.com will sell different e-book bundles for like $15; you'll get 20, 30 books in that little thing. And you just pop them on an e-reader, and you have hundreds of pages of information. Websites: you can practice different things, like for web app pen testing or for wireless. You have Hack This Site or Hellbound Hackers. And also, SANS has a website called cyberaces.org for anyone that hasn't fully jumped into security yet. They have a basic course on Windows, Linux, and networking. You can get that start in it. Or for anyone else who you want to get introduced to security, cyberaces.org is a really big help. It helped me a lot, I know. And then for things like physical security, which I really enjoy, speakers like Deviant Ollam and Samy Kamkar are really, really helpful. Deviant Ollam has a lot of talks on, for example, doors and locks and stuff. And Samy Kamkar is a security researcher that actually does different hardware hacking things, like, for example, garage door openers using kids' toys. And of course, make sure you guys are attending conferences. Coming up, we have ShmooCon in January. B-Sides Charm will be out in a bit. B-Sides NoVA next year. If you guys can catch B-Sides DC, that was really good. And of course, you know, DEF CON, biggest one of them all. You guys have any questions for me? Yeah, I can post them up. If you guys want to follow me on Twitter, it's @Ken_of_Limes. And it'll be on YouTube as well. You don't have any more questions? Oh, hope my first talk wasn't too bad. Thanks, guys. Oh, and thanks for coming out.
Hello? Is there anybody out there? I just wanted to get the audio check right. Ken, is there anybody out there? Can you read it? Okay. Apple thingy is good. Here, I may have to have a Red Bull.
Yeah, I know. Let me put this on my... You? Thank you, love. Yeah, I will. I think. Maybe. Yeah, I'm trying to find one that I may have. Okay, let's see. I have two of them, and one of them sometimes goes bad, and I'm trying to avoid that. Let's plug in and see what happens. We're down to two minutes, from what I can tell. Three minutes. Time's relative, except for my HDMI. Yeah, let me log in and see if that's a... Might be one of the cables that are bad. Yeah, my... Mine might be bad because I'm not displaying it up here. Good. Then you won't be able to take pictures of me. It's just screen, right? So I could have fun moving around the place. Yeah, that's what I'm saying. There's a couple of them that are basically... Yeah, I don't want to have you do that. Basically, it's a cable problem. So if I jump around and go into the audience and... Awesome. Yes?
Yeah, I don't want to flip in and out; that basically destroys the video quality. Oh, yay, I have this. I don't have one of those fancy, fancy, expensive X here. Okay. Let's see if it sticks. I don't want to flutter. Oh, so much easier. Yes, if you want to email me for the slides or anything else, or other lists that I have: a picture that has this year's read list and also a list of conferences and volunteering opportunities. The second day of B-Sides Delaware, yay. Joe Klein. If you are here for anything besides fast-tracking or hacking your cyber career, the low road, you're in the wrong place. So I've been part of the community for over 30 years. I've been mentoring and helping others get through this particular process, mostly because I've played everything from a firewall guy to a chief security officer several times, chief information CEO. I've basically played all roles. And I've basically been doing this to give back to the community so others can get into a career successfully and grow into whatever you want to do. I'm affiliated with MITRE Corporation. And this is my position. This is my opinion. This is my viewpoint.
Let's talk about... The first thing we're going to talk about is understanding the job process. A lot of people don't tell you that. I've played both sides of this process, and it disturbs me how confusing it is. So this will simplify the process of coming on board and being able to create a relationship and set yourself up to really succeed at a job. We'll talk about ways of increasing your odds, things about how to manage your career. From the time you get a job, you want to basically link multiple jobs into a career: something you can go to, some goal that you can say, I want to be them someday. Or maybe not, I don't know.
Also, how important geography is. There are places where you can't find cybersecurity jobs. There are places where you can find a lot of jobs. But it's based on the role of what you want to become and where you are today, so you can find the best places. The importance of mentorship, and then a bunch of resources, which I'm going to take some time to go through, because I think that they're so critical. Nobody puts them in the same place. They're every place. So, the cybersecurity job. You have you on one side and the organization on the other side. And if you notice, I have a laser. Oh, yes. So you have an organization over here, and you have somebody with a job title.
This job title may be the manager that you're going to report to. It may be an HR person. It may be some VP that has no idea what your activity is going to be, what your tasks are, what you're going to be performing. That's them over here. That's why I said job title. You basically have job experience, education, training, certification, and special circumstances. We'll talk about that as we go on. On their side, they have to define the responsibility for a job. They have a set of expectations, and they're trying to meet up those expectations. Sometimes those expectations are pretty outrageous. So does anybody write Go? The Go programming language? The growth...
The Go programming language has only been around maybe six years, for those that are interested. Most people just started recently. I have seen resumes or job requests that say, I want somebody with 10 years of Go experience. This is the kind of expectations that these guys have, that we have to understand and help rein in what they need. The second thing is they're looking for two types of jobs for you to fill. And you want to position yourself as a strategic, not a tactical. Tactical, many times, is they're hoping that you're the cog that fits into this machine and you will do this forever. Okay? You want strategic. With strategic, they have future plans for you. Maybe you're hired on to do this project for the next year, six months, two years, but they have a plan for you to actually drive you and help you succeed at your career, not just the job.
On your side, you have a resume, which I hope you have, and which I hope a professional or a friend in the cybersecurity community reviews and helps polish. I saw a no right there. Look, we're all friends. We can help. So there's a bunch of people here who can help you go through that process. You also want to have a bunch of interview questions. Why? Coming from the side where I'm the hiring manager and I'm asking all the questions, and I'm just about to say, so, do you have any questions? And I get, nope. No, it doesn't work. Okay, have some questions, engage, and we'll talk about how to frame that particular item.
This is the gap we're trying to get past. So, the job manager: again, we spoke that this person may or may not have any idea of what this role is, especially if it's a new role. They may not have any idea how to frame a new role. If it's an existing role, they'll typically take the other person's resume and they'll go, yep, yep, yep, that's it, that's it. So again, there are some expectations that don't work. What they'll do is they'll break it down to tasks, because they're hiring you to accomplish specific things. I want you to manage the firewall in a successful way, make sure it's logged. I want you to look at the IDS when you're doing pen testing. I want you to win every single time you do a pen test, whatever that may be. And then, by the way, write the report. So they're going to define this based on tasks. So this will take some time. Again, a lot of times they don't have the experience, they don't have a framework. And we're going to talk about that for those that actually do hiring. They can help you through this process to help fill this gap.
Okay, tasks. From a strategic and a tactical standpoint, tasks can be learned from an OJT standpoint in less than 90 days. If you click with the individual, you identify what those are; you can actually say, look, I don't know that today, but with some help I could do this in 90 days. Or right now, before you start doing the job hunting, maybe you're in school, maybe you consider picking up some of the classes and some of the actual techniques, because it's only going to take you 90 days, a few hours a week, maybe lots of hours a week, whatever. You've got to get off the Xbox for a while. So recognize this becomes real important. The more of these that you have... and by the way, you know what one of these is that a lot of people see as a strategic win? You're here. There's a lot of people that want to be in the cybersecurity business, but you guys are here. But it's real important you include that on your resume, that you're attending community events, be it meetups on a monthly basis, whatever it is.
Next thing is the hard part for them. They then have to figure out for each task, based on usually somebody else's resume or some general idea that they have, what's the knowledge, skill, and ability that you need to accomplish these tasks. And as you see, there are some abilities that cross everything. There are some abilities that only support one task. And what they typically do, or should, is create a questionnaire to help them understand where you fit. A lot of times people will fake this. Also, based on your time spent here, you have the ability here to start discussing: so do you guys have bonuses? Do you support retraining? Do you support additional training? What is your training process? Can I go to conferences? What is that? The candidates will have other things that you can't learn in 90 days. If you're, again, in school and a sophomore, freshman, junior, this might be a chance for you to spend the time and get some of those longer-term techniques and learning behind you.
The next thing, once you go through this whole process: recognize, better make sure that your training, certifications, past employment, everything is straight. It saves the process. This is the process that these guys hate. It takes forever. Do I have to send it through a background check of some sort? They have to send it through other people to validate. This could take a week or two weeks, depending; sometimes a month. So if you have all this straight, it simplifies the whole process. The goal really is to fill this gap straightforwardly. Anybody ever seen anything like this? This is really what we see on both sides. And this is one of the problems, one of the cycle times if you're in business and trying to hire. This is one of the cycle time improvements you need to look at, is how to do that.
If you are... anybody recruiting? If you're recruiting, there is a document that's free that will allow you to help fill in the tasks and knowledge to simplify this process. It was created by lots of different people. It's been updated multiple times. It's pretty cool. So the big checkbox is for your homework. Match the job with the experience. Figure out if that experience and the job can be done in 90 days or it's going to take a lot longer. What does that mean? You sit down and you look at some YouTube videos, you do some reading, figure out how much. You set realistic expectations on how you fit into that particular job. It also grabs you for it. That includes education, training, and certifications. We have a panel discussion after this on discussing some ideas around here, but I won't go into that.
Special circumstances. How many of you have a professional blog? You should have a professional blog. It should include: I went to B-Sides, and here are some notes that I took at B-Sides that are important about B-Sides. Here's a conference that I went to. Here's a book that I read. Here's my opinion. It doesn't have to be long. It can be 150, 500 words. It can be a reference to some other person's material. Keep a professional blog. Next thing, look at LinkedIn. Take that blog entry, cut and paste it to LinkedIn, so people that are looking for people like you will see it on LinkedIn. Click on and actually start discussions. Does anybody write software and have a GitHub? Anybody write software? Do you have a GitHub repository? Have a GitHub repository. That's again an important part. Anybody that doesn't write software, lots of you: take documents that you've created that can be open to the public, and put those documents on GitHub. GitHub's not just for software, it's also for documents. As a matter of fact, if you look around, you'll see people that post their standards documents up there to get opinions from other folks. Get yourself a GitHub. These are free. You have a Twitter handle. This is the Twitter handle, not the one that you had when you were a kid or a teenager before, maybe in college; this is your professional Twitter. By the way, please make sure you also have a professional Facebook. That other one has to go away. Professional email, like TC Wingsy Crazy Drinking Guy, you know, that's not a real good email address to have. That's funny. Okay, so please have a professional email address. This simplifies this whole process, right? Okay. Did you attend any security groups and conferences? So which ones? When? Where? How often? Did you meet presenters? You know, have that information with you. Did you volunteer? So how many people have volunteered or done an internship? Okay, volunteered? Okay, cool. Volunteer at a security conference. Why? Because you get to meet the most amazing people. You get to meet the speakers. You get to sit in the speaker presentations and ask them questions. You get to go have lunch or dinner or breakfast with them to ask questions. This community is very giving. We want more people in this community. We want amazing people to help us solve a big, big, big problem.
Please attend those. Let's see, volunteer. Also, how many people have a home lab? How many people have a laptop at home? You should all have home labs. Just put VMware on it, or VirtualBox; it costs nothing. I have links at the end of this for exercises you can use to become better at forensics, networking, system admin, all the other basic features and testing and things like that. It costs you nothing. You just have to spend the time to go through the process. And then recommendations from friends. Again, we're a pretty open community. We're trying to bring people in. Talk to people at this community and say, hey, I'm looking for a position. This is what I'm looking for. Very few people will turn you down. Maybe they'll require you to get them a Red Bull or a beer or something. I don't know.
So, about the company. We have a thing called open source intelligence. Has anybody heard of it? Guess what? You get to get really good at this. Because you want to know about the company. What do they sell? What do they do? Do they do services? Do they do product? What are their products? Are there big products, little products? Who's their customer? When you walk in and you know, about the person you're sitting across from, what their business is, they're far more excited than if you're saying, "I'm a security guy and I'm here to help you." Okay? Versus, "Hey, I understand you do transportation; you have these kinds of threats based on maybe trucking or whatever. Can you talk to me about that so I understand what your environment is?" It becomes a two-way discussion and not a one-way discussion. It changes the goal. Find out the industry, size, locations. Locations are important if you want to live someplace else. They have their data center in Ashburn, Virginia, versus here. Or they may give you a chance to work at home in some cases. So those kinds of things. Read their blogs. What's important to their management right now? What's their goal? What's their vision? News feeds. Before you go in, for two or three days, watch their news feeds so you can bring that up as a conversation. Just start the conversation. So what is it about? Also, for companies, if you know someone there, great. If you don't, ask the community. I bet you somebody will know somebody that works in security at that company. It only makes sense. You're a big community. And our big get-together is approximately 30,000 of your best friends, called DEF CON. So there's a lot of really good people. Plus, in this area, you have lots of B-Sides and other events, all within about 500, 400, 300 miles. What technology do they use? Go take a look at their other job requests. Are they using Oracle? Are they using Microsoft? Are they using Linux? Are they using AWS? Those are the skills that they're going to ask you for, not only on the resume, but everything else. Lastly, what interview questions do you think they're going to ask based on all this knowledge? Yes, Google actually... somebody leaked a "here's the 10 questions Google asks." Anybody do that for the company you're going to work for, or maybe the industry? Get a heads up; this is a recon exercise. And by the way, look up open source intelligence in this community. This is a skill set that will save you lots of time and money and effort accomplishing things.
So, a job is something you simply earn money for. A career is something that connects your employment opportunities together. A job has a minimal impact on your future. If you're just looking for a job, that's a one-shot thing. With a career, it provides you the experience to fuel wherever you want to go in your future. That's a graphical representation of my career. Yes, I took a lot of experience, right? So I've worked for people that created robots for Disney. I've done electronics. I've programmed for just all kinds of things. I worked for a banking company that does ATMs and stuff, safes and all kinds of things like that. I've worked for medical companies, I've worked for consulting-only companies, I've worked for government contractors. I've gone through a whole plethora of crazy experiences with these. Each one of them has different expectations. My career was going to some school, learning, learning, learning, learning, taking classes, taking classes, continuing certification continuously, to move and understand what's going on. By the way, how fast does knowledge about this technology... it has a half-life of one and a half years; certify every three? Think about that. If you were a physician and the lung moved on a regular basis, that would make things really difficult, wouldn't it? This is why it's called the hardest career, the most intellectually challenging career on earth right now. You're the people that can help fix that.
So let's talk about NIST, the National Institute of Standards and Technology out of the Department of Commerce. It takes information from the community, not only the government community but the community at large, to determine where there are gaps and problems. One of the problems they identified was the ability to educate the workforce, to bring the workforce into this particular career. So they worked on something called the National Initiative for Cybersecurity Education, NICE, Workforce Framework. And let's see, did the tech slide over? Just like any very good government document, it has really great... And it has lots of other things: references for technology partners, employers, and things like that. The more important part is to take a look at the categories, specialties, work roles, and everything else. The recruiting stuff, it's okay. But what I want to bring your eyes to is right here. Can you see that? We have many major roles. When I started, the job was: something's the matter with their computer or our network. And it became, I think maybe something's really wrong with our computer; it may be one of those hackers. And then it became, I think somebody's attacking our application. Then it became, wait a second, our business application's being taken down; it must be a security issue. Can you go fix that? Okay, our career, the career in this domain: we changed our relationship with the business people and with the people running the system. These are the major titles. Again, when I started, there was one major title: Guy That Fixes Stuff. Now we have all these major categories. If we go down a little bit further, we have a breakout of each thing, first section. So for security provisioner, you may be a risk manager. Here's what your role is: oversight, evaluation, support, documentation, validation. Does that make more sense, to be able to go through something like this to figure out what matches you versus just going through resumes? So I would suggest taking some time looking through this. Yes, you may have to have a lot of these for coffee, your choice. But this will help a lot. And also recognize, in most domains, they say junior, senior, experts. They use lots of terms for this documentation. Here's a framework if you're doing any federal business or any government business. This will describe to them what that means. Back to the show.
So what is recognized is this. We didn't have a standard lexicon. There are some jobs that have 85 different names in the field. That's pretty crazy. We didn't have any critical analysis on where did people come from in this field. People that were most successful, where did they start? And also, you know, how about analysis? So they basically created a framework to define this, so that we have a capable workforce. Workforce: I'm the workforce, they're the workforce, everybody's the workforce. Here are some of the ideas, again, the major categorizations. Look at this, 33 specialties. That's pretty amazing. 52 work roles. And then within the corporate world, there may be slight variations. Matter of fact, if you're doing forensics, you may be a forensics person that does computers. You may be a forensics person that does dead boxes or hard drives or phones or IoT devices. That's actually in these major categories. So the next thing to look at is the specialty areas. If you're into digital forensics, there you go. Leadership, management, project management, grading, education, defense analysis, right there. Risk management. So let's try an experiment. Okay, so I have a link at the bottom that goes to this. Can anybody see this? Okay, so can I pick somebody? Somebody put their hand up real quick. Okay, you. Okay, so based on these categories: analysis, operating, collecting and operating, investigating, whatever. What's interesting to you? Okay. Look at protect and defend. Okay. Which category is important for you?
Basically cyber defense analysis, defense infrastructure support, incident response, and vulnerability assessment and management. Defense analysis. Okay. So there's a set of related classes that are available. Here are the abilities. Remember we talked about the abilities they're looking for? Here are the general abilities they're looking for. No ping. Traceroute. And let's look up. Bing! We're there! Okay. How about your knowledge? Seriously. This is what they're looking for. Okay. How about your skills? What skills do you need? Does that make it easier for you to understand what that role is? Okay. Oh, yeah. And here are some of the tasks that you get to do. I'm just going to cycle through. This is what they call the capabilities indicator. I'm going to give you a capability indicator I prefer. But what the capability indicator is: okay, I know how to do ping. I know how to use the command line on ping and do other things. I know how to use ping and I can look at Wireshark and see if there's any variations. I can write ping. That's the four levels that you need to consider when you're going through your understanding of any of these tasks, roles, and they have their own equivalent here. They like including that you must have a Ph.D. and things like that, because the majority of people that did this were academics. Not a complaint, just a reality. I'm going to suggest go to this link, do some research. You may find out you have a lot of knowledge already because you've been doing IT. Kind of cool. Then it gives you a gap on what you need.
Big picture. Based on analysis of everybody that's in the field today and has exited already, these are the roles, the major roles that people had. And a lot of times they did that because maybe they were doing biological science of some sort and they had to learn how to do a database to do their program. They had to learn how to do IT and their database, and they went, "Hey, I like the cyber security thing," and they slipped into it. Or historians that had to do lots of searches and had to use analytics and had to go through that particular process. So this is the majority of major roles that people start with. From here, when you're in IT, here's the next level, the major roles. The next level for mid-level and the advanced. So I'm going to show you graphically what this is an example of. So say you're a systems engineer. There's the optimal path through your roles. You are two. So anyway, actually what I've been waiting for: I left my phone on to see how many people were picking on me and watching it. Hi, people at home. So as an example, you can see system engineer maps to these, and then say you want to become a pen tester, so you probably want to become incident handling so you have an idea of what type of attacks are being performed. You can then learn about those attacks in depth and then become a penetration tester, and then go into security architecture, as an example, so that you can defend against these guys, which, by the way, really upsets them when you use their techniques. The other thing is you want to map how many job openings, enough job openings for you. General tasks. Wow, sound effects. Thank you. Also, common job titles that you'll see in the commercial world, education, top certification, skill level requirements, and additional skills that you want to basically start picking up on. Okay, so that long list is consolidated into this particular list.
So, if I can get this to work again. Okay. Got somebody in networking. Anybody do networking? Okay. So networking, we take a look at it. 245,000 jobs. Where do you want to go from networking? Okay. Here we go. There's the optimal path for that. Take a look down below. Cyber security specialist. Average throughout the country. Here's how many jobs are available. Job openings right now. Here's the titles you'd be looking for. In maintenance, we call... or in one of the major categories, the seven major categories, it's operations and maintenance or prevention. You could actually fall within two of those major categories. Here's the makeup of education, certifications, and other things you definitely need to know. Is that helpful? Do you see how you can use this to figure out and understand how to go through this process? Okay, so anybody else? Any programmers? Okay, system engineer? Did I hear system engineer? Okay, yeah, I knew you were going to say something, by the way. Okay, so where do you want to go from here? Cybersecurity architect, right here, okay? So from cybersecurity architect, here are the things to get there. Cybersecurity architect: basically you want to drive through either pen testing, you want to drive through these capabilities, through pen testing, and there's your cyber security architect. By the way, your cyber security architect, that's the approximate salary, the number of job openings right now, and all the other items. That's useful.
So the other thing we can do is, it's really cool that we have this list of all these jobs. I'm in San Diego, problem: where are the jobs? So fortunately, I have an interactive map. Okay. These are the states that have the jobs. Except there's one little problem. There are places in those states where those jobs don't exist. Let's go to the metro areas. That's actually the highest possibility of getting a job any place in the area. Come up here to... there we go. Right now in your area. That's the job of... that's basically how many openings. I want to make note of this. There are some decisions you'll make, that you want to move someplace to get a really good job. This area has a very large peer group. You can actually learn from peers and things like that. In one of the places I used to live, it was myself and four other people. And we were the security guys! But we really didn't have a lot of interaction. One was an auditor, one's a pen tester, things like that. This is an idea of making that decision. Also, what's the ratio of supplied workers? That usually allows you the ability of supply to negotiate. This is the average internationally or nationally and within the region. Here's the titles you'll see. Take a look at this wrap-up.
This is a breakdown of how many things you want to do. As an example, say that you want to become an investigator. You're trying to be an investigator in the middle of you may find one person or two persons. But if you go to here, you may say, "Oh, Philadelphia area, 50, 41 investigators, forensics people, things like that." That is open jobs. Those are opportunities for you. Another match I want to mention is take a look at the certifications. Red is the holders. Blue is what they're asking for. See a mismatch? Everybody had Security Plus. Now, by the way, I do want to mention, If you're going for a CISSP, Security Plus will give you half of the knowledge you
need to finish the CISSP. So it's a half step so you don't have to sit for this crazy certification that's extremely hard for a lot of people. Okay, some of you guys get to go to boot camps and things like that. I had to read the 40 plus books because they didn't have those things. And outline and outline and outline and stress. So it's the test. It used to be a... five-hour test you sit down this room full people you have to drive to and I finished in about an hour and a half and the first thing I said was how you're in school and you're the first one to get up to go I got it
all wrong so I spent another hour looking through everything and I did well I I passed but just like any certifications have to actually match what customer wants wrecked okay
I'm glad you say that. I took a picture of you and looked you up. No, just kidding. So recognize this is current state. You're totally correct. There is a future state of things. I was at a conference just last week talking about how are we going to protect connected cars? How are we going to protect nanites? How are we going to protect limbs that are computer controlled? How are we going to protect all this other technology? You're right on target. Privacy is a big issue. But recognize this at least gives you a baseline and something to work from. Back to the show.

Yes, and there's another one. If you're interviewing, you're going to be asked specific questions. What do you think those questions are? You have knowledge of TCP. They'll ask something like, you know, hey, you know, tell me about TCP. You can pick that up from a book or a class. You can take a class for that. Then you have the skill base, which is I can apply the book itself. I know how to look things up. I can look for the commands. I can kind of figure out how to get this thing done. I've applied it in class. I took a class and I did a forensics of a file or whatever. I have experience in it. I can teach a class from a book. I spent the time to write it. Then you have the next category, which is expertise, which is I've authored new material, I've authored training, I've written a book, or I've helped write RFCs and standards. This is how the community needs to look at this stuff. A lot of people also will have different capabilities in different areas. I'm known for my IPv6 expertise because I've been working on it for 18 years. I'm working on a book and help do a lot of these things. But there are some things that I'm up here at. So that's dependent on each person and what they're focused on.

Geography. If opportunity doesn't knock, build a door. Yes, you will have to move for your work. You may have to fly for your work. You may have to ask that question, especially if you have a family or are preparing to have a family or whatever. I mean, I've been on the road for a while, at one point for 300 days a year. Really cool, until the day that I woke up and I said, what city am I in? What country am I in? That was a different story. Also, be real tenacious about this. This is important for you to chase this down and spend the time. Put it on your calendar and do this. Monday's a holiday. Put it on your calendar. Spend the time to do it. I need more peers in my community. Please be my peers. Yes, because a lot of people want to go to Vegas. I just want to include this because I find it funny. Look at the offset of... all the certifications. Look at how few peers there are compared to here. Look at how little expertise in the area there is compared to here. There's areas in the country that you're going to be able to learn faster and you're going to have bigger communities, especially early in your career, considering going