
Here is "Engineering My Way into Information Security" with Nita Suresh.

Hi all, thanks for the applause. I'm here to talk about, just as he said, how I came into infosec. "Infosec is hot and it's getting hotter. Are you moving into infosec?" These are not my words; these are the words that I saw in the fertility brochure, but I do second it. So that's why I am here to say why I am in the field of infosec.

Who am I? I'm a passionate infosec professional. I'm a pen tester. I love doing aircraft data network security research, and I have published papers on that. Well, I like to blend in statistical analysis with cybersecurity, because that's what's going to happen now: we need to have statistical analysis in cyber forensics, in big data. I am the author of two IEEE papers and employed with a Big Four, and my résumé stands glittering with my certifications.

So how it all began: it all began with me having an interest in information security, in breaking things, in securing things. Well, my interest dates back to those times when I saw movies with those themes, and I liked it. It's not just anecdotal evidence that movies form a part in shaping your career; it has also been a part of research that movies do form a part in your career. And I love picking locks. My dad used to lock the TV in a small box, and my favorite hobby was to pick that lock; I would spend the whole day picking that lock, and that's how I first broke into something. Hacking the dial-up password: the same thing. My dad would put a password on the dial-up, and that was one of my interesting things; more than science or maths, I loved to hack the dial-up password. And I was in love with the art of questioning and researching, so I had the curiosity to do that, and that forms a bigger part of the
information security, because we have to research the mysteries that are built into information security. Some time back we used to say that a career is all about living under the sun and having fun and making money, but days have gone by, and now our career is a passion. This career is a passion for me, and I'm going to share with you how I chose to fuel my passion.

My first point was in choosing my master's. After my undergraduate I had the option of taking campus placements or probably settling in some other job in IT, information technology, but I chose to think about what I want to do, where I want to settle. I started analyzing on my own all the previous things I have shown you: what things I like, what are my strengths, what do I value most, and what am I most interested in. That's how I narrowed down to some topics like forensics, investigation and so on. Then I searched Google for courses based on that, and that's how I came to know that there are some security courses back in my country, India, and I went for an information security and computer forensics master's. So I did a lot of background research before I went for the course.

Another thing is, a master's is just a spark that gets you going; it's not a complete thing. It does not give you everything in security, and so I went beyond, to do certifications. I loved learning about hacking, but I didn't get all that I wanted in my master's, so I decided to do the Certified Ethical Hacking course so that I would get in-depth learning in hacking, and I really got that. I would say certification is definitely a glitter that stands out in your CV when an HR or a cybersecurity recruiter looks at your résumé. For me as a beginner, it definitely helped me learn concepts without experience. So I learned a lot of things. Basically I like breaking into things, I like pen testing, but if I do just pen testing, how about reporting it to the client, or how about streamlining that information to present it to somebody in the form that they like, to present it to somebody in a managerial position? I learned a lot of concepts like that from CISSP: how to present things to the management, what are the perspectives of the management. All that I learned from some of the certifications. Another thing is, in some of the certifications like OSEP we get hands-on experience, so even without a job I got hands-on experience through guided labs, and that helped me a lot in my career.
Some time back, maybe a decade back, information security was a passion. It's just like you say about the film industry: it all started with street plays and then went on to become what we call a film industry now; we don't call it an art. Just like that, some time back, when information security was a passion, there wasn't a way to measure the passion, and we didn't have to have certifications at that time. But now information security has become a big industry, and what I have seen is that, according to the percentage, 35% of the recruiters look for certifications for hiring. So that is definitely turning out to be a benchmark to validate a person's skill and knowledge. It's an ethical way of highlighting that you're passionate about developing in this field. Well, you can definitely hack into a system and do certain things, you can hack and send an interview letter to yourself, but this is an ethical way of highlighting. All recruiters don't understand that, so this is a definite way of highlighting to the recruiting management that you are passionate about developing and learning in this field.

From an organizational perspective, it measures your ability to learn. When someone hires you, they look at the ability to learn, because information security is an ever-growing industry and we need to keep learning every day, and certifications definitely measure the ability to learn, memorize and remember. That's what we need to keep learning. Will I be a good learner? That's what most organizations look at.

Another thing I did: I was very curious, and I went on to do some IEEE publications. There are different kinds of research. I have done literature surveys: survey through many papers, IEEE papers, Elsevier, Springer, many other articles, go through them, research, and find some good findings from that. That was my first paper, on security concerns for cloud computing in aircraft data networks. When you read a paper, it's good to analyze it from a security
perspective and understand if there can be any more defenses added and if there are any flaws or gaps in that, and this can be a contribution to the security industry as well.

Another thing I did was I built my own lab. When I was doing an internship in a confidential organization, I went there and they didn't have security, so one thing they asked me was, "Can you please hack our systems and show us?" I had no options. I was just an intern; I didn't really know how to hack a system. They had a big financial network, and I had to build my own lab to understand that and find a vulnerability: put their system in my lab, create a virtual machine, find a vulnerability, and then reproduce the same thing in their lab. So I had to build my own lab and practice, and that helped me a lot; that was my first learning experience. I've tried many other things, like data exfiltration, and that also contributed to one of my researches.

I relied on a lot of online resources. Many times I did not find good guidance, so I relied on online resources for more guidance. This is a Google world: you search Google for all answers and you get everything, so that was one of my options.

Connecting to other infosec professionals: I used to attend many conferences. In my period of two years when I was doing a job search, I used to attend conferences, I did certifications, and I attended some security courses to develop my learning. And I always kept in touch with those people who have coached me, whoever I have met in conferences, and whenever I was stuck with something or the other I would just contact them, and they were always helpful to me.

Now, coming to the challenges. I feel one of my challenges was the lack of guidance I had during my post-graduation days on
what I should do, how I should streamline. I had a variety of things in front of me in security. I loved everything in security, but I didn't know what to focus on, and I didn't get good guidance on what to focus on and how to streamline my interest. I have had responses like, "We learned it the hard way, so why not you?" Definitely, in security we all learn it the hard way. In security we have to pay a high cost, and it's difficult to get resources to learn, and probably we need to hear many criticisms. So that was the output of all those painful processes: "We learned it the hard way, so why not you?"

And I did many certifications without the hope of landing in the right job, because I wanted to learn security, I wanted to develop in security. I was in the Middle East at that time, and no one was ready to take in freshers, but I wanted to work in security, and I kept waiting for the right job. In the meantime, while waiting for the right job, I didn't just want to wait like that, so I did some certifications. That's when I did some security courses that were available, and I attended some conferences so I could connect with people and make contacts. I did CISSP without even having a job, and CISSP definitely gave me an experience, and I did it in the hopes of landing in the right career.

I went for an interview for a pen testing post. They wanted to take in an associate consultant, and they asked me this question: "Where do you plug in your laptop on the client site in order to conduct a vulnerability assessment?" I didn't have the right answer. To be frank, I hadn't conducted a vulnerability assessment at the client site at that time, because I was a fresher and I hadn't had experience.
This is always a discussed topic: joys of being a woman in pen testing. I have had these clients who have the feeling of, "Can she do it? Can you do it? We never had women pen testers, so are you able to do it? Why did that guy not come this time?" So, those questions. And, well, it was difficult to adjust to that culture of sitting in front of a terminal for hours with just a Coca-Cola. I had to overcome those factors. And I had less opportunity to build mentor-mentee relationships. I had not found a good mentor until I came here and started working here, so I found it difficult to find a mentor, and I was not aware of the fact that mentoring has an important role in your career, and I also did not take an active role to initiate mentoring. Another thing is, well, I have heard this a lot: "You need to hack into a company and send yourself an interview letter." This was another thing I had to face a lot, that you need to be a technical geek in order to get the role of a pen tester.

So what I have for you is, I would suggest that you define your passion. If you have a passion for information security, define your information security passion: why are you passionate about information security, who is inspiring you to be in information security, and what is it that inspires you to take that? Realizing what you want to do and revitalizing your passion: the initiative must come from our side. We need to research, we need to understand ourselves, we need to research about this industry, and we need to keep learning. That's what I meant by revitalizing.

Then, constant learning. Just like I said, constant learning is a part of this ever-growing field. Today one ransomware, tomorrow another ransomware, and it's all different vulnerabilities and zero-day exploits, so we need to be constantly
aware of what's going on in our field. If you ask me, "Where can I get the basics from?", I have suggested to people that the basics can be got from some certification study books like Security+ and CCNA. If you want to know about security, you need to know about networking, so you can learn it from Network+, Security+, CC and need Linux to learn about nuts, so you can refer to such books for that.

Well, finding a mentor is one important thing in information security. When I came to Canada, the first thing was I talked to some people and I found someone who has the same interest as mine and who was willing to mentor me, and she is somewhere here. So I got a good mentor, and I would suggest that you too can find a mentor. I got a mentor from BSides. There are a lot of mentoring opportunities here, and you can go to a mentor. The thing is, when you go to a mentor, do your research first and make it easy for them to help you. Let that not be a parasitic relationship; it should be mutually beneficial, so that the mentor also gets benefit from that and you also develop.

Get connected to infosec communities online: join infosec groups on Twitter, a DEF CON group. Or finally, if you have a mentor, if you have some guidance, you can ask them how to join and whom you should follow, and they can guide you on whom you have to follow. Follow conversations of people who have similar interests to yours, so you keep up to date with their research as well and you know what is happening in that particular field. That can help you a lot.

Submit your research ideas at the various conferences we belong to. I know everyone in infosec is a researcher, and we will all be curious all the time, and all the time there is research coming up, so you must submit your research at some of the conferences so that it gets published, it gets noted, and you get to connect with more people on those researches.

Play around with open source security tools like nmap and Metasploit. Just like I said, you can build your own lab, play around with sites like walnut row to the hub, if you have seen that, and tools like nmap and Metasploit can help you. Those are open source tools, so they can help you learn more about that.

Achievers have a can-do attitude that sets them apart from mere dreamers. They are sold out to success no matter the obstacles, and are willing to put forth the effort and pay the price of success. So self experience does not come from any university.
Let's take initiative to get into information security. Just like I said at the beginning, it's just getting hotter, and we need more people in it. Thank you. [Applause]

Are there any questions out there?

I actually have a question. You mentioned that one of the problems, which I've seen, is where it's hard to get experience and get a job if you don't have experience already. Yeah. Do you have any tips on breaking through that initial barrier?

Yeah, I would say, according to my experience, you can actually do certifications, I would say some hands-on certifications, and attend various other security courses, then attend conferences like BSides and many other conferences. Network, and that's one way you can get over that barrier: you can connect with people and make people know that you have a passion towards this field, you are learning in this field, you are up to date in this field, and you have an ability to learn and work with the organization to attain their goals.

All right, well, thank you everybody.

What were some of the techniques that you used to kind of present yourself to a client and kind of reassure them that, yes, I can do it?

I would sort of resort to talking in technical terms with them, so that they are assured that I am technical. I would also be patient enough, give them regular updates and keep updating them, and then give good reports to them, so that I keep the client patient enough and he gets to know that I can work with him.

Thank you.