
Hi everybody. Who here has a job in information security? Anyone who doesn't have a job in information security and is looking to get one? Who's got a job in information security and wants a better one? All right, we're all in the right place. So I switched presentation software, but it looks like... okay, all right, it might be a tiny bit off; we'll fix it in post.

So as my fine volunteer introduction said, and as everybody is aware, there is a lot of information security, cybersecurity work, and also there are lots of jobs, not necessarily the same thing. A lot of folks are trying to break into the industry, a lot of us are in the industry looking to figure out how to advance, and frankly there's a lot of misunderstanding. So I'm going to try and clear up a few things, but my overall theme is that if you want to help with our problems, if you want to work on information security, we really want you to come help us. You need a plan; you've got a lot of work ahead of you. I want to make sure that you understand what that work looks like, how you can go through it, and what some of the obstacles or concerns that you need to worry about are, as well as the ones that aren't real, where people are giving you bad information or perhaps just have a misunderstanding.

I drop in a lot of InfoSec jargon and technical process stuff in here, but the talk is intended to be very, very open, very high-level, and not specific to any particular InfoSec specialty. As I hope you all know, we have lots of them, and if you're particularly good at this career stuff you might end up inventing a new one. That actually happens all the time; our field is very dynamic, and smart, motivated people are always making new jobs for themselves, making new areas of research for all of us.

So one of the threat intelligence themes, if you will, is the idea of a whitelist, a blacklist, and maybe a greylist. For the purposes of the talk, the whitelist is a list of things I think you should do. It is not the list of everything that you have to do, it is not a complete list, but it's the recommendations that I have for you, the things that you should definitely look into and that almost certainly belong in your plan to some degree or another. The greylist is stuff I'm a little shaky about: sometimes it's good, sometimes it's bad; applied carefully it can help you, applied unwisely it can harm your chances of getting the next job and advancing your career. And then there's some blacklist stuff which I'm going to beg you not to do, and unfortunately we have to hit a few points like that as we go through the talk, because there's some bad behavior, there's some poor choices that some folks have made that I want to help you not make, so that you do get to advance your career and so that I and the folks that I work with get the help that we need. So it's a collaborative effort.

There are absolutely jobs in InfoSec. There are no unskilled or entry-level jobs in InfoSec; if somebody told you that, they're selling something, probably an education program, and you need to check into that, get another source, get a second opinion. All of our jobs require some skills: skills that you can pick up, skills that you may already have. I'm going to talk more about those as we go along.

It always benefits you to have knowledge and experience from other work. So the classic path into InfoSec was to go through IT first, right? You work on the help desk, you work as a sysadmin, you work as a developer, and then if you're good at that and you're interested in security and you pass your exams, you get to go and work security full-time. I mostly followed that road, but it takes a long time, it's not for everybody, and it's not the only way to get there. Although there are benefits from taking that road, there are skills and knowledge and abilities that you develop that way that are hard to reproduce, it is by no means the best path. There are other ways to get into security, there are other ways to help us with our problems, and we need the diversity, right? People who have a systems background, people who have a network background, are not necessarily the right people to solve all of our problems. For one, we are constantly finding and looking for new ways to solve problems; sometimes knowing how it's been done for 20 years is beneficial to that effort, sometimes it isn't, right? We need new energy, we need new ideas. But even beyond that, having done something else in your life, having a previous career, having undergraduate collegiate experience in another field, is incredibly valuable to us, because we secure real things. We work with real people and their businesses and organizations, and you need to be able to communicate with them and talk about a lot and understand what it is they actually do to be able to help them. It is not a "we just need to pay enough money and get the smart people and apply the security to the thing and now the problem is solved and we can go do something else." There are very few of the problems in our field that actually work that way, and that is never a good strategy.

Another odd thing about our field that is mostly good, and benefits you especially as a career changer or somebody trying to break in, is that our fields are young and surprisingly well-documented. There are not, for the most part, centuries of history and academic research and papers in most of the computer security, information security, and cybersecurity fields; mostly there's only a few decades, sometimes a lot less than that. There are not, for instance, a few decades of research into World Wide Web application security, because none of those things have existed that long, and although there's some theory going back a little bit farther than that that might be useful to you, the practical research only started when the technology became available. The good news is that that information is available; the bad news is that we don't take good advantage of it. So as someone in the field looking to move up, I beg you to read our history. As someone looking to break into the field and wanting to impress us with how your background, your skills, and your studies are what we're looking for, please read our history. Understand which problems have been solved, understand which problems cannot be solved, and so maybe you shouldn't spend too much time working on them. Especially from a computer science or a physics perspective: if a computer scientist tells you a problem is hard, that's not a judgment, that's not them being lazy; they're actually giving you the answer to an equation that says that at least that method of solving that problem is impossible. So we need new methods of solving the problem, or a new understanding of the problem so that we can develop a new method. So on the one hand there are no entry-level jobs; there are definitely jobs.

Another thing that is commonly misunderstood, or perhaps misapplied, is that for folks who are switching into security, but also folks who are already in security, you're going to be learning outside of work. In fact most of us study all the time. Even when we're not taking a class or trying to pass an exam, we are constantly studying the systems that we defend, the businesses and organizations that we protect, or new attack techniques that other clever humans have come up with that are themselves innovative and new and that we want to try and stay up to date with. And this is the key point, this is the thing that makes our business different from almost any other: we are up against human adversaries with giant powerful brains just like ours, and sometimes they have bigger teams and more money to spend than we do. So not only do we need to be good at what we're good at, but we need to constantly be understanding the changes in the environment that we work in. We need to be aware and respectful of our intelligent adversary, and we need to stay flexible, and we are always learning.

So again, as someone trying to break into the field, this is part of what you need to demonstrate, both at a specific level, in terms of actually doing your homework, maybe getting some certifications or taking the right classes, but also at a higher level, being able to talk in an interview (I'll get to that at the end) about how you study, where you get your security news from. We like to ask "what's in your home lab?", right? These are the kinds of things that show that you get it, that you understand what our business is like, what our challenges are like, and that you really want to help us.

So the qualifications that I put up: the barrier, if there is one, I would say is not college or certifications or technical skills or your background or anything like that. It is, genuinely, do you want to help us solve our problems, and are you going to put the work in? There are a few others. Communication skills are incredibly important; you need to be able to talk to other humans. And we do have some ethical requirements. We are, most of the time, the enforcers of the rules, which means you have to be someone who follows rules, and even though it's uncomfortable sometimes, you have to be someone who can enforce those rules against other people while still being a compassionate human being and a professional. If that sounds easy, then I hope it is for you; it is not for everybody. And my other top-level qualification for you is an understanding of what your contribution is going to be. We're not looking for cogs. I'm not looking for somebody who has a set of technical skills, because frankly I can teach those to anybody who is receptive. I need someone who is genuinely interested in solving our problems, whose unique background, whether it's their undergraduate major, the job they had before, where they grew up, what culture they were raised in, anything like that, brings new ideas to our hard problems, brings new diversity of every kind, diversity of thought as well as background and demographics of course, to our teams and to our problems. And frankly, especially because everybody who's in the running should have most of this stuff, and most of them are going to have college, most are going to have technical certifications, this is where you can differentiate yourself, this is where you can start to shine out from the pack of other applicants. And believe me, there are always going to be other applicants.

So, skills. The core skills for all security jobs are, I would argue, the same, and they are communication, use of computer systems, and data analysis. Now, I put communication up here twice because it's that important, and there's lots of different ways to think about it. Data analysis: statistics, research methods, heading towards cool stuff like data science and machine learning, but please get the basics down first. Incredibly important to everybody working in security, and this is not to talk about a specific part of security, right? This is not about SOC or forensics or AppSec or compliance or governance or any of the wonderful different things that people do in security. Everybody works with data, everybody needs to be smart about data, and you really need to have basic skills in how to do some analysis of that data yourself.

You need to be able to use effectively the computers and applications that are available to you, and the general idea here is that you should be a power user in whatever systems are common in your environment. So if you're in an organization and you're following this path because you want to move up into a security role, you have access to the applications and systems that that company uses. If it is a Solaris 10 shop running OpenOffice, probably unlikely, you should be really good with those things before you start talking to people about making opportunities available to you to help with their security problems, for a couple of reasons. One, getting better with using computers will actually improve your quality of life. If you learn keyboard shortcuts, if you learn how to do stuff without picking up the mouse, if you learn a little bit about the automation capabilities that your office software, your operating systems, and your data platforms provide, it will just make your life better; you will waste less time waiting for the computer and doing repetitive tasks that nobody wants to do. But it also helps to demonstrate your commitment, and it makes you look good in front of the client or the constituent, right? They're coming to you with their hard, possibly scary, computer-related problems. Demonstrating that you are beyond competent with a computer, that you're actually pretty good with one, giving them tips, being able to show them how to do stuff they didn't know how to do with their own computer that they might have been using longer than you have, really helps to build a good relationship, right? You want them to believe that you're the expert, you're the trusted advisor, you know what you're talking about.

And all kinds of communication: communication in different media, email, IM, chat, and whatever else we have these days (is telepathy a thing yet?), but also in person. There are as many kinds of in-person conversation as there are kinds of electronic communication, and understanding that communication is bi-directional: if you're just shouting at people, in one sense or another, if you're just pushing out information but you're not getting feedback and not paying attention to it, you're not communicating, and that's probably not what you need to be doing. Sometimes we broadcast information, but only in very limited circumstances.

So those are all technical skills, really, and you can go to school to learn any of them. But the technical skills that most people are concerned about for a security role are pretty specific to the role. So if you know which specialty you're going into, if you know which job title is your dream and you're trying to build up to it, if you know you want to be a web application pen tester, if you know you want to be a cybersecurity legal expert, that helps you figure out what technical skills you're going to need. You won't necessarily be able to develop those on your own before you have that job, but you can figure out where the path is, what the prerequisites to those skills are, and how you could get those. Sometimes the answer is college; a lot of times the answer is self-study and your own experimentation. Depending on your target role and your target specialization, these are going to look very different.

There is actually awesome data available to help guide you. In particular, there is a data set available from the National Institute of Standards and Technology, the NIST cybersecurity workforce education project, that is available through web services; you can also just pull it as a spreadsheet. You can go to a job role name (they have an identifying code for every single one of them) and you can literally see an annotated list of all of the knowledges, skills, and abilities, that's the KSAs, that their team of experts who did the data analysis believe are required for that job role. So from a hiring manager perspective we might look at this to figure out who we're trying to hire, or what skills we need to train into people we're going to put into that role. As someone trying to break into that role, this is your road map; this is the list of skills that a whole bunch of experts believe are necessary to that specialty. Experts will of course disagree on things; the more experts you ask a question, the more answers you're going to get, but it's really good guidance, and it's free, it's online, you can use it. I'll have the links in the notes when I post them later.

Your online presence, and the way that you interact with people in public, can have a significant impact on your success in seeking career advancement, whether you're just trying to break into InfoSec or you're moving up, trying to stay in the field, looking to move into a different specialization, thinking about leadership. As someone trying to break into the field, having an active online profile and being in the community, helping out, is a huge thing. This is something that we give as advice all the time, but very few people follow it. If you can volunteer in person, say to help set up and wrangle speakers at events (thank you, sir, that's awesome), not everybody can do that, right? Understanding your own resources, the time that you have available, your own family and community commitments, figuring out what you can do, that's part of your responsibility. Can you volunteer online? Can you help with the tech support forum for one of the awesome open source pieces of software that we all depend on? A number of the security packages that we use have vibrant, busy online communities that are always looking for moderators and people to help answer questions on chat channels, in IRC or Slack, on mailing lists and Google Groups, and so on. This is a way to not only actually get into the community and start to help us, which is pretty cool, but to show that you're doing it and to start to create this data trail, this evidence, if you'll forgive my use of forensics terminology, that you are on our side, that you want to help us solve these tough problems, that you want to be involved. If you can help out with those projects in terms of code, that's fantastic. If you can compete, especially in certain disciplines like attack-oriented stuff, there are a lot of online or in-person competitions where you can earn a name for yourself even while you're still studying, before you actually try to switch jobs. This is a pretty good option for some folks.

You should definitely have some kind of online professional network of people, either people that you've worked with before who would recommend you again, or mentors who are helping you develop your skills and helping you find your way through this path. You don't have to display that publicly, but a lot of people choose to. I tried very hard not to recommend particular applications or platforms, because I want to be inclusive and I don't really like any of those vendors, but it is a useful thing for a lot of people to have an online professional profile that is linked to a bunch of other professionals, right? It makes it look like you belong, it makes it look like you are doing the work to be a part of the community, that you are participating, that you're talking to people, and that you're open to all of those things.

Working towards the greylist and the blacklist: please do not put a lot of information about your current employer's technology stack on your public, or even semi-public, online information. Does anybody know why this is a bad thing? Is anybody participating in the OSINT CTF event? Attackers, whether they're attackers who work for us, like pen testers and red team folks, or attackers who actually work for criminals and adversary groups, can take that information and use it to figure out what technology those organizations are using, especially if you tell them the version numbers. It is a gift to the attacker that you do not need to grant. You should be able to talk about your work in a way that recognizes your contribution without talking in detail about the applications that your employer currently has deployed, especially if you're in a security role. Please do not tell me what AV you're running. This is a gift to the attacker that you should not give, and from my admittedly biased perspective it causes me to wonder if you understand things like OPSEC and OSINT, and what risk our organizations are really at, what a motivated, one might say persistent, adversary is likely to do. And along with that, I still see home addresses on people's resumes. Please don't do that. I don't want your home address; I definitely don't want our HR department to have it unless they need to actually send you something through the mail. Implementation details vary; sometimes you might need to do that for some reason I don't understand, but especially when it comes to an online profile like the one you might keep on an unnamed service, please do not tell me exactly where to find you, any more than you should say when you're going on vacation. Anybody familiar with pleaserobme.com? [Music] And on the blacklist: please do not post to the internet any evidence of unethical or illegal behavior. Seriously, this doesn't help anyone, it's not a good idea anyway, and it will be a problem, especially trying to get into a security or information assurance role at a number of large organizations, and certainly any government role, any kind of government anywhere; this is going to be a big problem for you.

So I offer advice generally, but no specifics, about what your career path looks like, what your process to hunt for your next job or position should look like. I just urge you to have one, and maybe more than one, right? No plan will ever survive contact with the enemy, but planning is essential, to mangle a quote. Here are a number of processes from different parts of InfoSec that I think have some application to looking for a new position or exploring a different career field. Up top we have our incident handling cycle, PICERL; you know, some folks are smiling and laughing. Preparation: having a plan, and being prepared for when that plan fails and still having a fallback; making sure that you have stuff in your go bag like your laptop and your power supply; having a second presentation program in case the first one randomly manifests a bug you've never seen before. Identification: understanding what problems you're facing, putting a plan together to remediate those problems, whether it's "I'm applying to all these jobs but I don't hear anything back" or "the numbers that these TA people are quoting me, salary numbers, don't make any sense for where I am." What's gone wrong? Identify these problems, research them, put a plan together, grab your other resources like your mentors, like your support network, and work through them. Without squinting too hard you can see how you could apply an incident handling or an incident response process to this, and if you spend enough time in that business you apply PICERL to everything, even shopping for groceries, because you never know, you might need more milk. You don't want to run out of milk; you definitely don't want to be in traffic or on a train on the way home and have your significant other or housemate tell you that you're out of milk, because, you know, now you're looking at a critical service failure.

Next up we have an attack lifecycle. This one is MITRE's, but it's pretty similar to the Lockheed Martin one, which is more famous. Here we emphasize reconnaissance, understanding your target, and while I don't really want to characterize your job hunt as a security attack against the people that you want to work for, because that goes back towards that unethical behavior thing that I'm asking you to shy away from (if they pay you to penetration test them, then yes, do all of this; if they have not done that and you do not have a contract saying that it is legal for you to conduct these activities, then I'm concerned and you should talk to your lawyer before moving forward), in terms of information gathering this should absolutely be an essential part of your job hunt. At a strategic level, in terms of "hey, I'm thinking about a career in compliance, maybe I should read ten or a hundred job postings for compliance jobs and talk to some people who work in that field to see if that's worth looking into more," or on the more tactical end, "I know I want the position in application security at this particular financial company": well before applying and/or showing up for an interview, you should be looking into that organization and finding out what you can from public resources about what's going on there, making sure that it is what you are looking for, and other silly things like, are they going to be around in a year, right? These are things that you can probably start to get a handle on from OSINT data, from public data sources, and this would be part of a good process. You should probably not weaponize, exploit, and deliver malware, again, unless you have actually been paid to do it or otherwise have a get-out-of-jail-free card.

Another perspective may be vulnerability analysis: scanning job listings, targeting the roles that you're interested in, the orgs that you might be interested in, crafting an effective payload, but here thinking about cover letters and resumes; some of the same technological problems face you there. Social engineering as a way to bypass HR: careful there, but it's a good perspective. A really good resource here is a book by Josh More called Job Reconnaissance, where he actually models the entire job search process around advanced reconnaissance. He also spends some time talking about, having done all this, making the organization that you want to work for create the job you want to have. That takes a lot of work and a little bit of luck, but if you do your research, you do your homework, and you get lucky, you might just pull that off, and it's pretty great when it happens.

Before we talk about your resume, and I've tried very hard to focus everything in the talk on your plan and your data and your success, going back to helping with some large-scale misunderstandings: I'm not going to try and explain the whole thing here, and it's different at different organizations, but let's just say that there is a process, and that it is primarily computer-driven, for how your application, your cover letter, your online profile, and your resume are processed, masticated (a bad word; chewed up, that's easier), processed and parsed, torn apart, put back together, and queried as part of the first of many stages of filtering that happens before, in most of these processes, you have any possibility of talking to a hiring manager or a technical contact at the organization you're trying to get into. Now, there are sometimes shortcuts around this; I mentioned having a powerful professional network because that's one of the best ones. But just up front here, I wanted to make sure everybody understands that some of the advice that you get from people with different expertise about how to design the presentation of your cover letter or your resume as something that is beautiful, that is visually stunning, that is cool-looking and eye-catching, is not going to help you at all in this phase. And so the simple answer here is to make sure that you have a plain text resume, and any time it's going anywhere near a computer system, certainly any time that you're uploading it to any application system or mailing it to anybody, you provide that version. If you think that you are conversing with a human rather than a chatbot, you might provide both, and you might tell them, "hey, here's the computer-format version of the resume for you to upload; I also have a pre-printed version if you'd like to look at it," and you can provide both if that's appropriate. But if you're only providing one and you're not communicating, right, no feedback, you might want to send the plain text one or the lightly formatted one, because keyword matching is a huge part of how these filters work. They also do other stuff: regular expressions, whitelists, blacklists, scoring algorithms, and yes, even machine learning, and more terrible buzzwords besides, are all involved in what is apparently its own industry of processing resumes for companies who are trying to hire people. So, another area where some reconnaissance, some mentoring, some talking to your guidance counselor, if you've got one, might help you.

For your resume, on the good side, I really want to emphasize that you keep it tightly focused on the things that make you different and that make us interested in you in a pool of people with similar qualifications, because especially if you get through all those filters, that is probably what you're facing, right? They also matched the keywords; they have their CISSP or their GSEC or some other harebrained thing (I can make fun of those exams because I passed them). As I talked about at the beginning, understanding what makes you special, what makes you awesome, what makes you different, and especially if you've had a job before, what you accomplished, right? Not what you did every day, not what technology you worked on: what did you actually accomplish? What impact did you have? Did you make things more efficient, did you help them serve their customers better, did you just save them money? Businesses always love to hear about that. This is the kind of stuff that I would like you to put in your resume, so that I can tell apart folks who are likely to help us from somebody who might have the technical qualifications but who is not my preferred candidate.

Please do not include every technology you have ever used, especially if you are not an expert in that technology. There's a pretty common habit, and it's not a terrible thing in itself, which is why we're in the greylist category now, of listing a bunch of technologies, like having a skills grid or a technology list on your resume. Bet I've got one? Yeah, mine is pretty tightly focused to try and explain what my utility is around those technologies. So I say I can support your environment if you're running on Mac, Windows, Linux, OS/2, Solaris, BSD, whatever; I do not say that I wrote those things or that I can write a couple of patches for them. I say that I can code adequately in a couple of languages because I passed some of those classes in school and I practice a little bit. But for years and years I would get calls from recruiters asking me if I wanted to apply for a senior Java developer position. Now, I'm not a senior developer and I'm not really that good with Java, but it was on my resume as a language I was familiar with, not as something I was coding in myself; actually I was, you know, basically doing tech support and, really stretching it, application security work with people who were coding in Java. The funniest version of that was in about 1997, when I got a call from somebody who was asking me if I had five years of experience with the Java programming language, and they were trying to hire for a senior developer. It's a little bit of an age joke, but Java had only been in beta two years before that; the guy who invented it, James Gosling, might have used it five years before that, but it wasn't called Java then, it was called Oak. And yet, no understanding.

How the data on your resume is going to be viewed by computers versus by humans is very, very important. And when it does get to a human, to a hiring manager, to somebody who, to use a phrase I'm using a lot lately, knows what the words mean, you want to make sure that you are making the best case for yourself. Please do not include your entire work history or life history unless that somehow is part of your case for why you're awesome and special and why you should be in this role. Most of the time that's not what you need, and it's not what we're looking for.

This next bit is probably going to start a fight on Twitter again, so let me put it this way. I've been at this a while; some folks think I'm pretty good; people I work with tell me I'm smart; I teach classes in this stuff, so some of that has to be true. My resume is two pages. If you are not as far along as me in your career and I am reviewing a four-page resume from you, it had better be full of awesome stuff, or I'm going to start to slide your resume that way (which is which, which way is that?), as in, I'm not going to talk to you. This is cultural, so it's country or region specific, and some of it is different across industries. So for instance, if you were applying for a security position at an academic institution, they might actually be looking for a CV even though they're not hiring you as an instructor. Knowing your audience, doing your reconnaissance, doing your own OSINT, talking to your network, all of that will help you out here. Another thing that I've encountered, and yeah, it was on these four- and five-page resumes, is a whole bunch of jargon and acronyms from the places that you used to work. If even I don't know what this stuff is (I'm kind of a big nerd, I mean, come on), if I don't know what this stuff is and I can't easily Google it, it is now either extraneous data which you made me scan, which lowers my, you know, internal scoring, or it's more stuff for me to ask you about, and if you can't explain what it is either, now we have a different problem. We'll get to that in a second.

On the blacklist, as we started, our theme here is stuff I wish I didn't have to tell you. Do not lie on your resume. Do not include stuff on your resume that you did not do. Do not include qualifications on your resume that you do not have, especially when a simple OSINT search, or DuckDuckGo query, or Google (it's fine, as long as we all agree nobody uses Bing) will show it. If I take something on your resume or your cover letter and I Google it, or say I query the board in question that you say you've got this credential from, and they've never heard of you, well, now we have a pretty serious problem. And if we do that before you come on site, it's actually pretty simple: you're not coming on site, you're not going to get the interview. If you are actually on site and we ask you about something on your resume and it becomes clear that it is not your resume or that you don't know any of that stuff, we're done, because this is the easiest way out and it is not the way up. If you have to lie to try to get a job in the ethics business, right, because we're the rule enforcers... You might be interviewing for a social engineering position; I might be hiring you for a potential position as a professional liar; that might be your technical skill. But if you lie to us, we're done. Please don't do this. And please understand that people do this all the time; I don't want to bring this up, but it keeps happening all the time. Things you didn't do, technology that you're not actually that good with: please don't put that on your resume. If you have to cite a technology in one of your job descriptions, for what you did, and you don't have something awesome to say, you can talk about the fact that you have basic familiarity with it, or that you used it daily for X years, right? That's a true statement; it doesn't suggest that you're an expert, and it helps me judge how you might fit into the needs that we have. And we have lots of different kinds of needs, right? Declaring that you're basic with the technology doesn't necessarily disqualify you. I'm actually much more worried about you lying. I can get you better with the technology myself, and a number of other experts, including a couple in the room here, can teach you that stuff, if you make it through the minimum bar of ethics and, you know, showing up for the meeting on time and
some other you know lifestyle requirements who are you long time
When you are successful at your career plan, towards the end of your path to getting a new position, whether it is in a new organization, you're trying to get promoted or change roles where you are now, or even if you're independent and you're just trying to land a new client, because that's pretty much the same process, just harder, you're probably going to get to go on an interview. It might be on the phone to start, but it'll probably go video or live if we're very interested in you. At least in my experience, the organizations that I've worked with, after a certain amount of screening to make sure that it's worth talking to you, we actually want to talk to you, hopefully in some detail and depth, about your experiences, and we probably believe you have technical skills if you got to that part. You might not; you might turn out to be lying to us, at which point, shortcut, you're gone. But we think you have at least the minimum qualifications before we bring you in for an interview, before we get on camera with you for a video interview. Please be prepared for that interview and understand some of the questions we are likely to ask, and be prepared to answer them, and maybe have a few questions prepared for the interview team as well, that you may or may not get time or have the opportunity to ask.

For preparation, right, planning, this is practically a whole course in itself, and I strongly urge you to practice and work with your network, mentors that are available to you, if you've got counselors or guidance people available to you, and we'll talk about the overall community network at the tail end here shortly. But just as a couple of freebies: if you put it in your cover letter or it's on your resume, we're probably gonna ask you about it. If it was in your cover letter or on your resume and we ask you about it and you can't speak to it, you don't actually understand it, it's obvious you didn't do that, then we're back on the last slide. You're lying to me and we're done. This doesn't need to happen. I'm not looking for you to be the most advanced person in the world with Python or Kali Linux or the Digital Millennium Copyright Act or anything, unless that's what the qualifications for that job are, in which case that's a high bar, but that's not mostly what we're looking for. And if you're trying to get into one of these first-security-job-but-not-actually-entry-level positions that I think are of interest to a lot of folks here, having an accurate assessment of your skills and still making yourself sound as good as you can is where you need to be at. And if you're doing that, then I'll be pretty happy.

I'll ask you some technical questions to figure out your depth, and I will ask you some questions you don't know the answers to, on purpose. Seriously, why are people surprised by this? Okay, for two reasons. One, because it's a fantastic way to check for character and professionalism issues. Seriously, how do you handle a question you don't know the answer to? Do you freak out? Do you, like, have a fit? Obviously I don't want that to happen to anybody, but if that's likely to happen when you encounter tough problems that you can't answer, this may not be the right field for you, or at least not the right specialty, because that's what we do all the time. Some of our questions don't even have answers; we just come up with the best approximation we can, install whatever is available from the repo and go with it, we'll fix it in the next release, right? Yeah. So be aware of the kinds of questions that we're going to ask, and be prepared to talk to your skills, your special background, your qualifications. If we ask you about, say, I don't know, recent significant security news, like some new breach or attack or cool-sounding malware that somebody announced, and you go into dummy mode on us, you're not helping your case. And it's fine if you don't know stuff; in fact, please tell me you don't know stuff. If you're trying to get an analyst position, like in a security operations group, which is where I work, "I don't know" is actually the best answer you can give me. The only thing better than that would be "I don't know, but if I had access to this data I could tell you within this amount of time." Like, that is a lead analyst right there, almost. But start with "I don't know." You asked me a question, I don't know any of those words. Tell me that honestly, but without, like, getting emotional about it, and we're in a pretty good place. Because I'm not kidding, I will ask you questions you can't answer. I probably won't make up stuff; I mean, legally I could, I don't
usually have to. Another giveaway, for the folks here in the classroom as well as all the people that I've interviewed in the last five years, and anybody who ever watches the video, oh god: I have been known to put evidence on the table. Literally, I will print stuff. I'm not the only one who does this, believe me. And I will put it on the table and I will ask you to tell me about it. And if you are trying to get into any kind of analyst position, whether it's SOC analyst, forensic analyst, application vulnerability analyst, anything where analysis is in your job role, then even if you have never seen that data format before, I would hope that you can tell me some stuff about it. And this is where, without resorting to a lot of homework, without, like, trying to get you to work for free as part of the interview process, because that's gross, right, I'm asking you to do the job skill that you say you have, that we're trying to fill the role for, in the interview, on a small scale. I'm not the only one who does this. It's not the only way it happens, but please don't be surprised, and now that you know this, you can practice. So if you're hiring, or if you're trying to get a job in a security operations center or an incident response group, you might imagine that there are some standard data types that we deal with all the time. If you don't already know what those are, well, please ask somebody, including me after the talk, easy, and practice with them. If you are studying this stuff and you are sweating some of the exams that I am making light of, because some of them are in my past and, you know, one I need to take a practice test on and take pretty soon, a lot of the same material is there. And, you know, speaking personally, as I said, I teach this stuff, so I have a pretty good understanding of the material and know exactly what to ask to figure out what your level is at, and your level doesn't have to be super advanced.

Has anybody heard the story about when they didn't want to allow someone they interviewed to work for Google? So Google, as part of their feared and vaunted interview process, there's a lot of different things, but one of the questions that they ask when it comes to your technical skills is they ask you to rate yourself against the rest of the world on a ten-point scale. I mean, it's qualitative, not quantitative, so, you know, we'll take a swag at it, right? So they're talking to this one candidate for a software engineering position, a pretty well-known guy, and at the time Google's way into the Python programming language; it's still pretty big there, they like Go now a lot too. So they asked this guy, they asked, "Out of all the world, all of the developers, how do you rate yourself on a scale of one to ten with your skills at Python?" He was a pretty cool guy, a very humble, smart person. He said, "Well, I will give myself a nine, because it is possible that there is someone in the world who knows this stuff better than I do." Does anybody know who Guido is? He invented Python. He made it up. But in a technical interview, when asked about his skills, there was room for doubt and humility in his heart that he might not be the best person in the world at that thing.
So take that to heart as well. Don't shoot too low; if you know something, be able to demonstrate it. But don't worry that you don't have the skills yet, especially if you're just trying to break in; nobody expects you to.

You have a tremendous number of resources available to you to help you in your career path, at large and small scales. So in the greater InfoSec community there are all kinds of cool orgs; there are mailing lists and forums and meetings that you can go to; there's some really great mentoring and, like, job help communities. Some of those, a lot of them honestly, are invite-only, so this is where your professional network can really help you. There are, in those communities, in our professional organizations and in our hacker clubs, specific programs and competitions and volunteers to help you with this stuff. You can get trial interviews, you can get your resume reviewed; there's actually some fine folks out in 48 doing that for conference attendees. Take advantage of these resources, both because it will help you, but also because that demonstrates the kind of overall problem-solving that we're looking for. In the Atlanta area specifically, we have awesome professional organization chapters for soö us, but CSA, probably a couple of others that I forgot to mention. We also have some really cool hacker clubs, like our 2600, still meet net Linux, DC404 at Manuel's Tavern on North Ave (yep, third Saturday, third Saturday), and DC770 out in carnage, very far away; near is already pretty far away. So especially if you are the canonical new person, if you are trying to break in, you don't know anybody and you don't know anything yet, these orgs, especially, honestly, the hacker clubs, other than the professional orgs, are a really good place to start to find like-minded people, to find people who are either in the same struggle or people who have been through it. So I actually got one of the best jobs in my life, and later the opportunity to go full-time in security, from a posting to, I think we figured out, was DC404. Keith's around here somewhere; it was his fault. That's how I got in at SecureWorks in IT, which I was later able to transition over to a full-time security job. So hacker clubs, pretty great. They also have presentations of different educational value, or sometimes some guy just gets up and starts ranting about career stuff.

In your personal community, your family, your other social organizations, right, because we're very open here, people have different families, different religions, cultures, whatever, you guys, there are probably people available to you who can help with some of this stuff, even if they don't know anything about InfoSec. They can probably help you, through dialog, understand what's special about you and what you can do to emphasize that, how you can communicate about that, how you can talk yourself up without lying or making stuff up. Different, yeah. So, short answer there: start going to meetings, which, you know, is a little funny for me because I hardly arrange one. So we just have a few minutes left; does anybody in the room have any questions?
Okay, so I tried to be a little careful because it's a controversial topic. What I said is two pages; have as many pages as you need to tell the story you need to tell. If you're trying to get a higher-level position, you may need to demonstrate that you've done this job successfully in a number of organizations of different sizes, right? That may be the story that you need to tell. But especially if you're just getting started, I would shy towards the shorter resume, and remember that the computer cannot digest it before I get a chance to. And you mentioned, on the... even text format, and that's the format to upload it? Can I do it, my resume review, also? So, not to use RTF format? It's probably okay, it just causes security bells to ring in my head for a totally unrelated reason. ASCII text is safe. I was like, it's safe? Because that's not the world we live in. But it's a lot safer than RTF, because RTF has had some surprises. Okay.

These have a boring version, please. So was there, was there another question?

Questions like that, but when you ask about my consistency, 6 out of 10 questions, and what you say. So if you're actually in an interview, you might already be under NDA, which helps. If you're just talking to somebody about a job opportunity, you kind of have to make the judgment call, and sometimes it just depends on where you worked. If you worked at a civilian organization with a reasonable level of security, but, you know, you didn't have any kind of clearance or any kind of crazy government stuff, then you just have to decide if you trust the people that you're talking to enough to share that information with them. I just beg you not to make it public on the Internet. Does that make sense? If you did work for some of those places, you absolutely are not allowed to talk about the technology that you used, which is another reason to have all this other stuff to talk about, right, to have these other skills, to have these experiences, this stuff that's special about you. If you actually worked in the intelligence community, or if you've been enlisted for 15 years and you honestly aren't allowed to tell me what you've been doing, then we need something to talk about, otherwise the interview gets really awkward. Those are not much fun either. Yes? Yep. Okay, so thanks for the questions, thanks everybody for your time, hope you enjoyed it. I'll get the slides and links posted, and if you're looking for me and haven't found me already...