
Thank you for participating. Thank you for being here. So that is uh retired Air Force um responsible for selecting our speaker. He's going to he's going to introduce our keynote speaker.
>> Good morning everyone. So, I want to introduce uh Dr. Sunny Wear, author of many books, including the Burp Suite uh cookbook. And uh please come up and and start the the day off.
Can I just talk like this or
>> I can hear you back here?
>> Okay. So, um, welcome everyone. Thank you for coming this morning. It's quite early, but thank you for making it. And uh yeah, we're going to talk today about uh the Swiss Army of tips for your cyber success. So, full disclosure, uh the costume I think it's a costume, obviously. It's I'm I'm not even sure what you call these things like or something. I don't know. Anyway, I got this at the RV supply store in um and I've been told that I wear it well. So, thank you explain to me that the hat. Um but anyway, uh I want to uh honor our
event. Um I have a lot of respect for you guys. Um so, but I wanted to wear this sort of in in uh in the uh what we're going to talk So I I've got almost 30 years of experience in IT and security. That's a long time. And I've made a lot of mistakes along the way. And I thought, okay, what am I going to talk about for this keynote? Well, why don't I just share um some of my mistakes and you know maybe we can get some troubles out of that and maybe you guys could you know glean some things from those um and possibly avoid the same pitfalls. So obviously the the anecdotes
that I'm going to share um and the things that I'm going to advise you on your mileage may vary but you know just take it in stride. So the first thing is and what I did was I every slide uses a military term. Now these could be from different branches. So, um, but this first one is a 11, which basically means 10 lbs of maneuver in a 5 lb bag. Um, this first tip is for all of you out there that are starting your cyber security career and you start realizing that there just aren't enough people doing what you do. And because of that, your skill set is going to be very much resilient. And so,
you're going to be asked um by other cyber security companies in addition to your full-time job if you want to do extra work. And the extra work, you know, it's 1099 work. It's good work. You can get really good pay. Um, and if you haven't been approached already, you will be cuz it's just a natural part of the fact that we just don't have enough people. So, you're going to be very excited about this, especially if you've been in a situation where you're not making a lot of money and you know, somebody presents you with an opportunity to make uh $90 an hour or $100 an hour, you're going to want to jump at the chance.
So, my first tip is before you sign the contract, please read it. Um, and what I've done is, and full disclosure here, the samples that I'm going to read, of course, I'm not going to name, you know, who the companies are, but these are real uh these samples are from actual 1099 contracts that I was presented. I don't work for these companies. Um, but I wanted to read to you some of the garbage because I want you to realize that what you're signing um could have lasting effects. So, the first one is kind of the first one it kind of reads like as if you're an employee. Um, but remember this is for 1099. So it says if the contractor
during the period of this agreement creates, produces or develops any ideas or services related to or capable of being used in those aspects of the business of the company in relation to which the contractor provides the services or works. The contractor agrees that all such works and products shall upon their creation be considered and deemed a work made for hire and that the company the company shall be deemed the sole and exclusive author of the works. So what does this mean? It means, hey, you're doing a pen test and um you decide to write a script, you know, to test, I don't know, DEOS or something like that. Guess what? What you just wrote, they now own.
So, yeah, it's kind of crazy. And other people have come up to me and said, "Well, nobody's going to really, you know, enforce that or go after that." It doesn't matter. Just don't sign it. I mean, in a lot of these cases where I'll read the contract, I just go back to the to the company and say, "Yeah, I'm not going to sign it because of these clauses." And guess what? They take them out. So, in a lot of cases, you might be able to work with the company. In some cases, you won't. And I've had the other happens. So, let me read to you this next sample. It says, and this one is a real doozy,
any intentions, in inventions, improvements, concepts, or ideas made or even conceived by the contractor during the course of the contractor services performed for the company, past, present, and future shall be the sole and exclusive property of the company. The contractor agrees to and does hereby assign to the company all of their rights, titles, and interests in such inventions without any claim or right by the contractor to additional costs. So, I I hope that that tip stays with you because chances are um you will be presented with these types of protection. Uh just make sure you protect yourself. All right. Fire and maneuver. This is a basic modern military low-level unit tactic used to maneuver on the battlefield in the presence of
the enemy. Now, fire and maneuver, I just kind of saw it as two things. You fire and you maneuver. Um, in cyber security, you know, this is a vast area of discipline. You can you can do network engineering uh network security, you can do pen testing, you can do um web apps. What I recommend to you particularly if you're new in the field is that you just pick two things. Just pick two things. In other words, two areas of focus that you're going to dedicate your time. Because when I first got into the field, I wanted to do everything. I wanted to do Wi-Fi hacking and I wanted to do reverse engineering and I wanted to do
network pen testing and I wanted the OCP and I wanted you know because everybody was doing all these things and my advice to you and what I give to students I teach classes is just pick two things that you're very interested in and it would be nice if they sort of complement each other. So the two areas I picked um is web penetration testing and reverse engineering and they kind of complement each other because when I do mobile testing assessments um I have to reverse engineer you know the binaries of of the mobile app. So um but we have we have limited amount of time right we have families we've got other obligations. So this is one of the tips I would give
to you. There are superstars out there, you know, that seem to know everything. Maybe they just have been around long enough that they can acquire the knowledge. But um but this is my my tip for you to begin. All right, this guy, the FMG. Okay, so this next tip, by the way, FD, you know, you can read what it says. Afternoon, guy. Know what the tool does before you start using it. Okay, so funny story. So, I was at the beginning of my penetration testing days and I had learned about this really cool tool called sqlmap and I thought, "Wow, this is awesome." So, as long as I can find an exposure point, all I have to do is point this
thing at that, you know, wherever my exposure point is, and boom, it's going to give me a whole dump on all the tables, and everybody's going to be wound, and they're going to be, you know, praising my name, but probably not. But, um, what ended up happening was I'm doing this pen test. I got my sqlmap running and I'm talking to the DBA uh of this database that I'm basically um hitting against and I'm talking to her about something unrelated to the pen test and all of a sudden she says, "Oh, I got to go." Why? What's wrong? My database just went down. Oh, so I'm at my keyboard going Ctrl+C, Ctrl+C.
So yeah, the FN that was me. Um what I didn't realize was that out of the box sqlmap runs 10 threads and the environment that I was running against it was a production luckily but you know it was a a pre-production type environment and it didn't have a lot of uh connection pools and things like that. So I very quickly brought that system down. I learned my lesson. Um, so when when you're taking your classes, you know, you learn about a lot of the tools and they don't always tell you the things that are relevant for when you're actually using those tools in an assessment. So, so there you go. Don't make my mistake.
Okay. So, you know those insignia things that you know whatever? Well, they're they're called canary clubs or chest candy or fruit salad. Um so I don't know if that's a compliment or what, but I guess the military guys would know. My I'm I'm sort of equating those officers to like a manager. So, my my tip for you here is that you choose to work for a manager that supports you. Now, let me explain what I mean by that. You want a manager that's going to be fighting for you. You want a manager that's going to be trying to get raises for you. You want a manager that's going to be looking to promote you. You want a
manager that appreciates you. If you are right now looking for somebody that does not do these things, find a new manager. Um, this career area is just not enough people doing it. So, I'm sure someone else would love to have that one do those things. Um, and this is a hard one because I know in the beginning, you know, you're very anxious to get a job and start making good money. Uh, but but please keep this in mind and it might take a a few years, you know, under your belt before you start seeing uh the benefits of this, but it's really important. All right, the buddy system. I think we all know what the buddy system is, even
outside of the military. This is really hard to find. It was hard for me to find in the beginning, actually. Um, I have a dear friend that's here today that helped me get into cyber security. Um, and then also enlightened me along the way, and I'm very appreciative of him for that. and and as the years have gone by, I've I've acquired other buddies that have helped me because after you acquire so many um certifications uh and I don't want to tell you how many I have cuz I'm a little bit embarrassed now by it, but um you know after a while you kind of start losing your enthusiasm for the continuing education thing because remember every that you get
costs money and you have to CES. So bear that in mind. Um cuz it started getting like I was spending like $1,000 a year just on all these shirts. Um but anyway, besides that, there was this one um certification that my buddy really wanted. I was only interested in the in going through the course. He really wanted to do the the whole certification part. So, um, he sort of started it for us cuz we said, "Okay, we're going to do it together." So, he started the certification and he really helped to inspire me to get through it. Because I was just not enthusiastic about getting another certificate. So, the moral of the story is that if
you can have somebody else that sort of helps you along in those times when you're you don't feel inspired, um it can it can really go a long way. And I know that it's hard to find that like that connection, but um but it's events like this where you can sort of get introduced to people and and find Sorry, one sec. Okay, tip number six. Uh, cool hand. I like this term. I don't know how often it's used in the military, but I really like it. Uh, it's a person who's not easily upset, so don't sweat small stuff. Um, there's been lots of mistakes particularly in IT areas where things go bad in production. Um, I remember one
time we I this was very early in my IT career. I was doing a deployment and I had this Korn shell script and for whatever reason my script was not deploying the code and it just was taking a long time and I had like a senior engineering guy in my cube and that's when we all sat in cubes and and I was like man what is wrong with my script like it's exactly the same script that I always use I wrote it I wrote it So, well, come to find out, um, Korn shell, and I don't know if it's like this with bash shell, uh, but I had an extra line at the bottom of my script.
And that extra new line was preventing it from getting kicked off. So, I said to the senior engineer, I said, "What if I delete this last line?" You can see it. Like, can we vi it, right? I I don't want to get into the Emacs VI thing. Um, so but anyway, I just I just, you know, did a a DD, you know, delete line, and then I saved the file, and it worked, and I felt like a million bucks, only I had delayed the production in small wine the entire day. So anyway, but in the big picture, you know, it's it's the mistakes that you make that you end up learning the most from. So So don't sweat that.
I love this picture in this whole Maria say is that it
>> okay who so it's does it say is it different in the Army
>> okay thank you awesome I love this um my My whole point to this slide is that you guys take the time to balance your work and your life. So, every every year on New Year's Day, which almost all of us get New Year's Day off of work, um I I like to sit and talk with my significant other about our plans for the year and start working to schedule those things for the next 12 months. It's important because I mean life happens and it comes very quickly and so if we can just take that
time to play as hard as we work then I think it'll help us to be emotionally uh you know more more balanced and we all know about the burnout rate um in cyber security field. All right. Arrange for recon. So, uh, this is a Marines term from what I understand. It's gaining information to mitigate risk, but I would imagine each branch has a similar term. Um, but this is about interviewing uh the interviewer. So, when when you're in an interview, um, make sure first of all that you do research about the company, make sure that before you sign on the dotted line for that cyber security role that they already have a cyber security group. This is important because
if you take a job where you're like the only web pen testing guy or gal and you're new in the field, how are you going to know when you, you know, run a scan or do some pentest? How are you going to know what the real vulnerability is? You won't have any senior person to go to to say, "Hey, is this a finding or is it not a finding?" So, it's important that if you're looking for um support and help in your role that you make sure that it's there already. Uh, I had a guy uh that was one of my students and he he landed a job right after the cyber boot camp and um but he
was the only web pen testing guy and they had another guy who was doing the network stuff and he didn't have anybody to lean on and so he would, you know, call me a lot in the first year which is fine but um you know it's not the same as being there with somebody. So, just make sure that you do your recon. All right, TNT. Uh, usually TNT we say is the neon temple. Um, but in this case it's today, not tomorrow. So, my my tip number nine for you is keep learning. And it's definitely a today type thing. Um, this is the type of field where you have to constantly be learning about new attacks and new
mitigations and be pipeline into either newsletters or sites that you might go to or things that come to your phone because otherwise um let's see there's something that uh somebody said to me this past week. He said um uh the death of this job is to stop learning. So basically he was saying look if if I stop learning I I'm not going to have this job. So very very good advice. All right. This one tip number 10 is to stay humble. So, uh, there's this saying, it's in in the military, you're always rude to someone. Move meaning, you know, someone who's inexperienced. So, my advice to you is that you realize that um, you're never going to know
everything about feel. It's just not possible. And that if you come across as arrogant, you will be unapproachable. and most of us don't want that. So, make sure that you keep your ego in check and realize that um you know there's there's probably somebody that knows a lot more. I have a story for this. So, I was at an event local here in Tampa and um I was meeting a bunch of people that were new in the field and um this young woman comes up to me and she's she's talking. She doesn't she doesn't know really who I am and she says um she says, "Oh, yeah." And then there's this thing, this Burp Suite. Oh, yeah. I
know everything about Burp Suite. I don't need to learn anything else about that. And I just chuckled to myself. Um, so I don't know how many of you know this, but like Burp Suite is sort of my thing. Um, I've I've written three Pluralsight courses on it. I've written a book on it. I wrote a mobile app that's about Burp, the Burp Tool Buddy. So Burp Suite's my thing. So when she said this, I just sort of chuckled and thought, "You poor Trump." Um, so, so just realize that, you know, you're always rude to somebody, so just bear that in mind. All right. Now, I want to give you a homework assignment. Uh, so there's something that I did with
um my day job. I call it my day job. Not my 1099 job. It's called my day job where they had me fill out like a survey. And I know you all have seen like these personality things, but this one I really got a lot of value out of. It's called the Gallup CliftonStrengths. And what it'll do is it'll identify to you the three things that you're strongest in. Now, I found this interesting because um my number one strength is learner. And what it means is that I love to learn new things and I don't even necessarily, you know, want to get to the end of it because you kind of almost never do. I
enjoy the journey as well, the process of learning. How I do this in my daily life is I take uh anywhere from 15 to 45 minutes every single day to go through either an online course and there's like tons of them that are cheap, right? Like Udemy and things like that. Um and Tester Lab is another good one. Or I might watch a Twitch stream that's of a hacker. Um, but I take time every single day to go through that material. Um, because it's something I really enjoy and I want to be able to share this information like with my team. Okay, we're going to see you attack. Let's try it out. Um, and if you can
surround yourself with other people who also have the same primary strength, um, it makes for a lot of team cohesion and, um, and it may even help you to understand if you have some leadership abilities. Uh so I remember one of the other uh strengths of not my strength but another person it was wow which is it's it's not the game um but it's the uh wanting to win one over or something like that and it's basically like this people person I am not I'm an introvert but you know that was their strength and so that's their most important focus when they're doing any activity. So I think it's helpful to know and I think that it will help you to identify
with other people if you know what that strength might be. Um so and you can just Google um those words Gallup CliftonStrengths and you'll find the site. So Bravo Zulu I love this. Uh it's a military term that means well done. And um I want to say that all of you have done a great job listening today and I hope that there was something here that you could take away with you um to help you in your community. So thank you for your time.