
The Echoes. Okay, we are going to start in a few minutes, but a quick introduction: I am Dill Cruz. I will be today's class monitor. I'll be in the back, just helping the presentation go through. If you take me 10 minutes, 5 minutes, it's not for you, don't worry. Um, if you could hold your questions to the very end, this five minutes will be for you. If the presentation goes longer than five minutes, you will see the slide room just to go get's attention. Um, thank you all for coming. If this is your first Side Event, hope you like it. If you're a seasoned veteran, pretty much the same thing goes. We're going to do the presentation, we do questionnaire. Uh, if you want to stay behind for a little bit, we do have another session at 10:30.

Uh, we'd like to thank our sponsor AR W. If no one knows what Artic fit is: a 24/7 service that helps companies with cyber threats. They offer expert responses and all the good things.

Um, 5, our presenter. If you don't know, do you know who our presenter is? I'm K. Perfect. Not a lot of people know, but yes, it is Mr. Alex Higgins, correct? Yes. Perfect. Uh, he was an Empower graduate. Uh, where was that loc... I'm so sorry. Uh, it's actually online, but here at in San Antonio. He is a penetration tester at right Point labs and was recently a, a, a for Hiring Our Heroes program. Fun fact about him: he has over nine certifications and licenses. Don't ask me how I know that, but link open on my desktop. That's a good bit of O. We going to start in a few minutes, Joy.

Minutes, yeah, that'll work. It's no worries. A little more casual anyway. I'd rather have a little... it's okay, nothing wrong with
that, and then definitely 10.

All right, good morning, guys. All right, I recognize a few faces in here. I think I've met some of you guys, some. All right, we'll do a bit of a lessons-learned kind of thing: some different things I learned since I got into the industry about a year ago. I was a mechanical engineering student who was working on motorcycles and things like that, designing clutch systems, and went into cyber. Let's see here. Right, so, start: PCS. Now, this was me about a year ago, dumped in the middle of San Antonio, forever State away, trying to figure out where do I go, what do I do now. My lovely wife joined the Air Force. She is a... sitting up here in the front, you guys. She's a badass medical nurse out here trying to help save lives.

So, why consider cyber? Well, first off, there's such a massive, massive F, and I will walk around a lot. I like to pace, that's just how I am. I don't do the whole sit-down, but, um, there's a huge demand for cyber. So many people need cyber careers right now, and there's a skill gap that's existing right now in our environment, of so many people that just have demand for it. Um, average cyber security expert: most of us make around six figures. That's the average in our career cycle, whether it be red team, blue, yellow. We'll get into what the colors mean later. Um, remote work. Everyone likes the idea of what happened from COVID. The only positive that came out of COVID was being able to work on Slack and Zoom and things like that from home. Awfully nice. Laterally moving to other spaces: this happens to be my favorite, is that no matter what, if you're working in a specific position in cyber, it's very easy to pivot somewhere else. I'm a penetration tester. I do offensive security, poking holes in people's networks and things to see what I can find. If I get bored of that, I can pivot into defensive, or I can help create tools or develop malware. The possibilities are limitless, and it's also a constantly evolving industry. We stay learning all the time because there's always new things happening, there's always new developments in our field.

So if you're wanting to go into this, the best thing to do is if your what you want to do, because the biggest problem that exists in this is there is a giant sea of certificates to navigate. There is everything. Everyone offers a certificate, and there's a new one that drops almost every week, and knowing what to get and what to do so that you can pursue your career. You know, you can take Cas or something like that, but if you want to
be a penetration tester, that may not help you that much, whereas something like the OSCP or something may be in your space. Find you a plan of attack. The best thing that helped me was planning out what I wanted to get and pursue so that I could get the career that I wanted to be. And then, this is extremely important, no one told me how much this would be necessary in our field: learning the difference between a technical resume and a regular job resume.

All right, let's talk education. Since we're in a university, I won't knock the university. It is a thing that is very powerful and very useful. It does help you skip some of the more entry-level roles, or IT, or things like that. But the biggest thing with education is you get what you get out of it by what you do while you're in. The most important thing you can do is have that hands-on-keys experience while you're in here. If it's not being offered in your course, do it yourself. Pursue it, find it. Whenever I was going through Empower, I was building honeypots on the side. I was putting up projects on GitHub, on vault, or on SourceForge and other places like that, so that I have something to pad my resume. It can be kind of expensive if you're not course riding on the scholarship. Um, that is kind of more so leading towards the downside, but it does help some employers hire you just on your commitment to the field from this. Like I mentioned, though, you definitely are going to have to have that hands-on keys; having all of these degrees or certs or things that tell me that you've looked at this information is great, but if you can't tell me what you did, that doesn't help you that much.

We'll talk certifications a little bit here. CompTIA: a few of these are kind of necessary to work in the field. It's just kind of the evil of it. Um, they're very multiple-choice based, though. Um, Security+, of course, you have almost half a half in this IND. Network+ is another one that I pretty much recommend almost across the board. Um, but since they're multiple-choice exams for the most part, it doesn't weigh quite as heavy as some of these next ones, like, for instance, my field: OSCP, OSWP, things like that, where it's more of a technical exam where your skills are put on display. You know, hack these different networks, and then 24 hours, and now they give you a detailed report write-up about what you did, how you did it, because that shows real hands-on keys. And as I like to call it, from the military, retir from living on base for so long, my dad would call it embracing the suck, cuz you're supposed to struggle through it. That means the world to it. Um, of course there's SANS courses as well, and there's a lot more than what's just on this list. SANS courses have a lot of really great information as well as a good bit of difficulty. They are multiple-choice based, but that's not really their downside. They're expensive if you don't have someone foot the bill for you. Uh, the average SANS course runs around 10,000, sometimes more than that depending on what level you're taking. And then, of course, since ISC2 has an Alamo chapter here, I would be remiss if I don't mention them. They have a lot of
good, especially blue-team-oriented, certificates like the CISSP.

All right, so this is a nice little thing I like to throw in there, being a military spouse myself. These are some different organizations and things that offer stuff for those of us that are military, veteran, or military spouses. Syracuse University has the veterans career transfer program, where they'll help pay for a couple of your certificates. If you're a military spouse, it's one; if you're military, I believe it's either two or three. Sigma forces offers free training, um, as well as USO Pathfinder. They actually have a lot of good fores on their page for military veterans and military spouses. Um, Coursera and Udemy, those are free for military members. You just have to sign up for it. There's a military sign-up page, and you can take everything across the site for free.

Yes, sir? I thought you mention this: if you are going to the UT campuses, you also get... I am getting into that too. Um, as well as Coursera, like he mentioned, for UT campuses you can get it for free through them. And Udemy: if you have a library card here in the state of Texas, you can sign up with that library card number for free and take anything on the site.

SkillStorm and Empower. SkillStorm is a little bit more military oriented. Um, it is a paid training program. They pay you at the rank of E5. Don't ask me what that figure is off the top of my head, I actually don't remember. Um, but it is a hands-on; they do labs and things with you. It's a great program. Um, one of the recruiters who works here in town, McKenzie, he's awesome. Um, Empower: this is the one that I did. This is not just for military, and it is free. Um, we have a slide that goes into them here in a second too as well. MyCAA: this is specific for military spouses. This is the scholarship that they give you for being a military spouse. It's about four grand. Uh, it'll get you about three certificates out of it for free, at no cost to you. And then, of course, Fed TV, or FedVTE. They, uh, offer a lot of training and things like that. It's free for all of our military and veterans.

Professional networking. Oh, it looks like it ate my little Reddit symbol. Oh well. Um, LinkedIn: this is becoming our new resume. Everyone likes the easy LinkedIn and the quick apply, as well as anyone can reference you like that. It's wonderful. Twitter, uh, or X now, still don't like that. Um, it's a good place to follow people in the community. Um, and of course some forums, blogs, and some companies too, they'll make posts about things that are going on. Keeping in the know and being able to talk about what's going on in our
industry means a world of difference, and whenever you go to interviews or things like that, it helps you stand out from the other people because it shows you have a passion and this F. Blogs, of course, the same kind of idea but just on different pages: staying up to date with new developments or what's going on in existing in our industry, some new attacks or developments in software or new defensive tools. Great old YouTube University: you can learn so many things on here, and it's free, of course with ads, but there's so many things you can learn from this that cost you nothing. This is a great tool you should use. And I know a lot of people like to scoff at Reddit, but there's our r/ pages for all of our careers and all the things that we do, whether it be net, or, you know, building in the industry, or pen testing advice. There's a lot of big leaders in the industry who post on there regularly about things and advice to help us.

We'll point out some different groups. Professional networking in person, yes, because you are inside you still have to talk to people. It makes a big difference. I got in because I sold myself and networked myself. That's what got me there. Asia AIA does events like twice a month. It's like 20 bucks for a membership, and they almost always have free food and free drinks. If that's not inspiration to go, I don't know what it is. And they're wonderful, wonderful people. Cyber Ops: Cyber Ops do meetings every now and then. They usually have cool tech, and they bring in some industry leaders every now and then. They're awesome too. Mil City meetup: I do mention this one, of course, being a military spouse. Um, they're a big proprietary component, and they have partnerships with people who specifically hire military veterans and military spouses, with give us preference. Um, and then cyber security conferences, kind of like this one.

Talking about home skills: build a lab. Kali Linux is free. You just got to have space on the laptop or a computer. Build a lab, learn how to navigate in Linux. It doesn't matter what team that you're on, red, blue, yellow, green, more than likely you're going to have some form of interaction with Linux, so it's good to know. Hack The Box: if you're going in my space, where you're penetration testing or red teaming or things like that, Hack The Box is, I think, 20 bucks a month for the premium membership, and you get walkthroughs for every box that's a legacy box. It is a great way to get hands-on keys without having to work in the environment. Of course, TryHackMe: TryHackMe is actually kind of evolved from being just a red-team-oriented kind of thing, and they have boxes for people who want to work in a SOC or in any blue team environment or development environments. They're more diversifying their kind of online presence. Splunk, Fortinet, Elastic, all of these big vendors: if you want to work in a blue team, these are some good things that you can take too, because they have all their training online for free. You have a company that you're interested in and their SOC uses Splunk? Take the courses on before you apply. You go, like, "I already know how to do all this, I know how to work the tool." Cyber Ops: there's quite a few companies that actually offer some free levels of training, some of paid, of
course, but there are quite a few vendors like Cyber Ops who offer free trainings that you can take. And then, of course, like I mentioned earlier, Coursera: they have a monthly subscription, but there's a lot of ways to either get discount codes or get it for free.

Building soft skills. This is the part no one likes to talk about that much. Communication, teamwork, and problem solving: you're going to have to talk to people. Like I said, just because we get to work from home doesn't mean you get to have... you don't have that back and forth anymore. Critical thinking, adaptability, and attention to detail: if you're not noticing things that are going on, how can you do your job? Part of what you do when you're in the blue team space, you stare at logs and analyze SIEMs and SOARs. That little "I notice one IP that's off" or "this pcap data doesn't look right", that's where that little attention to detail. Adaptability is a big one too. Like I said, we're ever evolving in our industry. There's always something new that's happening. Whether you're an attacker, there's a new method that's taking the forefront, or a defender, there's a new method that's taking the forefront. Time management and ethical integrity: no one likes to talk about ethics, but it is what it is. We have to discuss this. You gain access to a lot of things that can be really bad if you misuse your power. We'll get into ethics here in a little bit. Um, that customer service orientation, because at some point, again, you're going to have to talk to people who don't just work for your company. And resilience, especially if you do red teaming, because half of what we do is fail all the time.

I cannot speak highly enough about this: find a mentor or be a mentor. You'll be shocked at the little bit of what you do. My favorite way to teach people what I do is I teach them and then try to have them teach someone else. You'll be shocked what you can learn by having them try to teach just 30 minutes after what you engage with it. This will take you so far.

A little shout-out to Empower here. You do earn real certificates, ones that are used in the industry. This is worth mentioning. They also do social support and career development. They're one of the few programs who will go and cover every single base that they can to support. They have a careers manager, they have a social support manager. You need clothes to interview with? They will help provide you clothes to interview with. You need a laptop to do your coursework on? They'll help provide that too. And not to mention that man there, Dan, and then I can't see Jose in this picture. I'm way, way, way back there. But, uh, they go out and talk to companies every day and try to partner with all of these different companies to find connections for any of you trying to get into the industry, and they work super hard for you, and it's very, very personal. Hands-on instructors who care: there's a lot of times they're working part in every second that they can to try to help you.

Hiring Our Heroes: of course, they have internships to companies at no cost. They're a wonderful program, and of course they have a lot of connections to companies who hire military veterans and military spouses. Um, that, like I said, doesn't cost the company anything and give you preference in hiring, and a huge support system
across pretty much all 50 states at this point.

Networking. Again, you're going to have to know how a network operates to be able to do anything. How are you going to be able to attack or defend a port if you can't tell me what a port is? I also put some things off to the side here for some of these, for things that, how I look at things on this. So, like, IP addressing, a DNS to piig, I look at poisoning or spoofing or other fun things like that. Or even the network segmentation and access controls: I look at an opportunity to engage in some form of lateral movement or bypass limits.

Like I said, you have to know Linux. This is the one hill I'll die on, because it will make your life so much easier. You pull an entire... yeah, I do, I did put a lot of pictures, sorry. Um, if you pull a network data from Nmap, for instance, across a huge set of /16s or /24s, and it's like, "All right, I want you to find everything on Telnet now," uh, you can't grep or awk or cut or do something to parse some of that data, it's going to make your life a lot harder. A job that take 10 minutes now takes you 6 hours.

Python: you don't have to know this one initially, but I wish I did, because this makes life so much easier now, because repetitive tasks are now automated with Python. You can write scripts that will make your life a lot easier and shorten what it takes to do some of this.

Word from our sponsor. Just kidding, of course. Just kidding.

Ethics and legality. Okay, we do a lot of things in operating spaces where there's quite a few restrictions against what we do without express permission. There's a lot of nasty trouble you can get in, like Equifax here and Facebook getting some nasty fines for not doing their due diligence and then lying about it afterwards. Like, should you, if you find someone's World of Warcraft, should you delete their account just cuz you can?
Yes, maybe, you might be saving it.

Becoming a penetration tester. I'm... we'll dive in a little bit, like, what I do. Um, this is one of my favorite ones, because the world needs bad men, because we keep other bad men from the door. Uh, my boss puts this every time he does this talk too, just because it's just so good.

Um, some common cyber attacks in the workspace. These are things I'm sure you've heard. Um, zero day over here, of course, is the new bogeyman, ooh. Phishing attacks: phishing attacks will always be high, and they're evolving and they're getting better. It's not just some Nigerian prince anymore. Ransomware: um, a lot of them don't really use the flash drive anymore. It's usually some form of infected file or thing like that. Um, of course, DoS and DDoS, everyone probably has heard of that by now. Man in the middle. SQL injection is more so the one that everyone's... in a lot of these CS that I took, for, like, "no one really does that anymore, it doesn't exist or it doesn't happen." I did SQL injection yesterday. This is still a problem, and there's a reason it's on the OWASP Top 10. It's number three still. Cross-site scripting, and of course DNS spoofing. Oh, you can do a lot of cool stuff with DNS now. Impersonating DHCP has been one of my new favorite things.

All right, let's talk about it: day in the life of penetration testing. Like I said, you're going to fail a lot. It's what we do. You're going to be studying all the time, researching, sandboxing, because there's always something new. And my favorite part is I get the mindset of how can I abuse the system, how can I be the bad guy. And of course, the little caveat: you get to write lots of reports.

Some offensive security tools. Uh, this is of course not all of... there's a lot in here. We'll go ahead and thumb past just a little bit. This is a bit of the pen tester methodology, kind of like what we think: reconnaissance, assessment, reporting, remediation tracking, and then retesting. Um, everyone kind of has their own deviation on these standards, depending on whether it's NIST or OWASP or things like that, as well as kind of some breakdowns of how the assessment part works.

Get out of jail free card. I like to add this in here because this is great to talk about. You have to get express permission to do what we do in the environment, and make sure that the people you're talking to can give you that permission. If you're breaking into a building and they don't own the building and another person gave you permission, guess what? You're going to jail. You didn't do your due diligence. It's still breaking and entering.

Um, this is, if you start getting
into the federal space, this is just kind of like a side note, caveat. These are some certificates and how the DoD evaluates. Um, and then a few links here, some places I like to mention. Cybrary has a lot of free stuff. Of course OWASP, they post publications. Um, the pen testing standard. A few people on YouTube that I do like. Hack The Box, trag bhub, and of course PortSwigger. You can actually learn a lot from some of their courses. They have really, really good interactive videos too.

All right, questions? Yes, sir. I got two questions. Okay. Uh, can I get this for one of my coworkers? We picked someone up through SkillBridge and he's trying to go with cyber. Yes. And he's super fresh to it. Yes. I can email this to you, or will you come up with something? I'll give you the slide. And TryHackMe, yes, is super good because it has, like, basic Linux. Yes. To help you. Yes. Where Hack The Box is primarily just red team and penetration testing focus, um, TryHackMe is kind of spread out and is in a few different areas. They're about the same price. Believe it's about 20 or 25 bucks a month for the premium. Go with the premium. It's a lot easier, I really do mean it. They have their own standup box. It's internet based. It's really nice, instead of having a proxy in.

Anyone else? All good? Awesome. Well, thank you guys. Any, anyone pleas of any questions, I'll hang out for a little bit.

Definitely a lot of the