
Is this what you're supposed to be? Good. Cool. I want to thank some of our sponsors here before we get started on this lecture course: St. Mary's University, USAA, Trend Micro, Digital Defense, National Security Agency, Exabeam, Accenture Federal Services, Open Security, titanium-level CyberSecJobs, Denim Group, Alamo ISSA, Landmark Solutions and others. For those of you who did not know, there's a raffle down at the registration table. Be sure to get in that, and then stay for the after-party. This lecture: Hacker MBA, Soft Skills for Hackers, cussing each AHS. Thank you.

All right, it's too late to change your minds, so stuck here now for an hour. So this is basically things I learned from my MBA
(thanks, student loans) and, you know, just working as a pen tester, trying to put it together in a way that pen testers, hackers, cybersecurity professionals can understand it, but to take out those boring topics like accounting; you talk about what applies to us.

All right, so who am I? I've been asking myself that question a lot, but currently I lead a fantastic group at Coalfire Labs. We do pen testing, risk advisory and whatnot. I teach the Adaptive Penetration Testing course at Black Hat and have performed quite a few penetration tests and HIPAA HITRUST assessments. If you are in the healthcare field and want to know how awesome it is not, you can talk to me. And that's my Twitter handle if you want to,
you know, follow my rants.

So the agenda today: we are going to talk about teamwork, we're going to talk about time management and task management, ethical decision-making, leadership skills, and then we get into some communication hacks before we open it up for questions.

All right, so size doesn't matter when you work as a team. But what is a team? We right now are a team, okay? We're all working towards a goal. That's what a team really is. And you don't have to be a team of multiple people; you could be a team of one. You're all teams at home with your family, you're a team at work. Even if you're working by yourself towards some research project, maybe you're
writing a blog post, it could be a team of one at that point. All right, so we are all playing the role of a team, and there are different pieces of a project sometimes that require a team. And here I'm thinking of a project of maybe a penetration test. Maybe your client's hired you to perform a pen test for HIPAA, HITRUST, or for mine a PCI or FedRAMP, whatever. You are gonna require some complementary skills. Maybe you have in that penetration test scope a web app and you have a network. Maybe you give that application portion to somebody who is really good at web apps, and then you give the network portion to somebody who's really good at networking, and then
you have a project manager or somebody who is playing that mediator role between you and the client. All right, we like to combine the knowledge and expertise in those teams, and that's what really makes them excel. So we'll talk some more about teamwork, but of course there's gotta be some memes, right? And teamwork does get S-H-I-T done (in school, so I have to be PG-13).

So there's this research done by J. Richard Hackman. He's a professor of social and organizational psychology at Harvard, and what he came up with were enabling conditions of great teamwork, and there are four conditions to it. Number one you've got is compelling direction. You have to have a direction that you are
working towards and is compelling to you. It energizes and orients you, right? Pen testers: we want to go get that domain admin. Blue teamers: I have to stop that hack, right? Or if you're on TV, of course you have to use two keyboards. But not many people got that. All right, you gotta watch CSI. But a good team has to have a compelling direction that they work towards, okay? And that compelling direction must also reduce confusion. If you've got a hundred directions and everybody is working towards their own goal, it is going to cause confusion, and you're gonna end up with shadow teams within a team.

You have to have a strong structure. What I mean by that is there
are multiple things in there. You have to have, you must have, some defined processes. You can't just wing it all the time, right? What happens when one of your employees leaves? Is there a process for that? You just hired somebody; is there a process on how you put them on a client project, or do you just throw them in and then find out that or exclude it afterwards? Or do you create a process that is, you know, understood by you, that is a result of your work over the years, and the team follows that, and the team can contribute to that process? It doesn't have to come from top down; it could go from bottom up. It has to offer goes from
bottom up, because it's people that are working in the field that understand how things are done, and then the income of those processes. And the worst thing I talked about here doesn't have to be, and it really isn't ever see if, you know, you're gonna hire somebody from out of the country or you gotta hire somebody of different skin color. It means diversity of skillset, diversity of experiences. The different experiences you have, the different skills that you have, together reduce the groupthink. And the good thing is everybody just thinks or assumes that we're going towards that one direction while they might be working elsewhere. Or groupthink is where, for example, some of the things
I've seen is the client thought everything was fine, right? They were like, "Yeah, we got two-factor authentication, nobody can get in." Well, they're missing two-factor authentication in some areas, but they don't have anybody with the skill set to understand that.

All right, so you've got compelling direction, you've got strong structure. You also need supportive context. Without context it's just a bunch of processes, just a bunch of paper. You know, words are said; they don't mean anything, okay? So in the supportive context, it doesn't necessarily mean that you have to give people raises. I mean, that always helps, it's good, we all love raises and bonuses. But there's other forms of support you can provide, for example IT, right? In my
job we have a separate IT department dedicated to pen testers, so they provide us that support so we don't have to worry about those things. Or some other kind of rewards program. For example, if you're training people internally, maybe have some kind of badges: you get a green badge once you finish our onboarding, you get a yellow badge once you watch this other video that we have as part of our, you know, advanced onboarding program, or you get a blue badge (and I'm just throwing colors out there), you get a blue badge when you are training somebody. These types of rewards help people. And, well, the talks I was at Burk on yesterday talked about having one of those WWE belts, those wrestling belts. They had those and they just said some, you know, geeky things on them, or they just said some rewards programs in binary and things like that, and that's what they gave out to people when they did something cool.

Shared direction is very important. So you're working towards a goal, but where does that goal take you? I know we all say journey is what's more important than the direction, but fostering that common identity and having that common understanding of where we are going is very important. For example, if you know that the company is going to hire 40 more people, you know you're going towards the direction of a bigger company, and if your folks don't know
that, that is going to be very challenging, all of a sudden start seeing more people coming in. So that communication is important, and that comes into this supportive context and attraction. So you've got four things in here, right? You've got compelling direction, you have strong structure, you have supportive context, and you are sharing a direction.

All right, VA teamwork. So one thing I want to talk about is how do you have a shared mindset. That's what I find a lot of people struggle with: yeah, we've got a team and everybody wants to hack, but that could mean a lot of things. Maybe somebody does not want to do application tests at all and that's all
we're getting. Maybe somebody does not want to do red teams but they're being pushed into it. So ensure that everybody in your group, regardless of where they are, feels empowered. What that means is, if you are, let's say, a multi-regional company (we, the Coalfire, have our headquarters in Colorado, I run the Atlanta team, we have Denver team, Westminster team, we've got garlic California, and I'm gonna stop bragging), but all those offices, if they don't feel empowered, it's going to start making people feel like everything only happens at headquarters, we can't do anything, right? And that affects the team. Or even if you're all remote, maybe send your remote workers something nice. Maybe send them a shirt that has the company's logo
on it, maybe says something cool like, you know, "I work from home" or whatever we come up with, or send them blankets. Just come up with something cheesy, something good that makes them feel empowered. And the same thing goes not just by region but also goes by skillset, okay? If you've got some folks who have been doing a certain type of project for a long time, maybe they've only been in blue team and they want to move into red team, or the other way around, work with them, help them feel empowered in feeling that they can do that. Lateral movement within organizations is very important because it not only helps Skeens helps create that teamwork but also, you know, gives
you retention and gives you a strong skill set. If somebody was a blue teamer and now they moved into a red team, they're a very strong red teamer because they understand both sides now.

You want to create shared experiences for people, and that would mean maybe you all go to BSides San Antonio together, maybe you do Black Hat, DEF CON, or you go to an escape room. One thing that I found really works very well with my team, and I've been trying to schedule it again, is axe-throwing. They have these places you can go in, throw some axes, or those smash bars where you can smash things. Whatever works for you. Maybe you just get together and you just do a hackathon,
maybe you go grab some beers, whatever works for your team. You just want to have those shared experiences to talk about, to feel like you are a part of a team, okay?

One of my favorite things is structured unstructured time. That could be maybe one Friday a month you get together and you just talk about something stupid, are you stuck with something that has nothing to do with work. Maybe you want to talk about your family life, maybe you want to talk about the game, maybe you want to talk about some new hack that you saw, maybe you want to go watch a movie together. That structured unstructured time, while some
might still feel their work the things in there in yourself and makes you more of a family. All right, I kind of hate using the word family for work, because you got to have that, you know, family and work time separate. But the more close you feel, the closer you feel as a team, the better you will perform. So structured unstructured time: go watch a movie once a month. It doesn't cost much, okay? You might even find that your teammates want to pay out of their pocket. The third method usually would be that your company pays for it. Or just create some stupid stickers. I've got some; get some afterwards. All right, but
for this structured unstructured time, be sure nothing else gets scheduled at that time, okay? We usually have a calendar block for that on our calendar so nobody in a different time zone or different office ends up scheduling a call at that time, because that is going to have a negative impact, of course. All right, so you all know that King understands the importance of teamwork. And if you don't watch Game of Thrones, don't tell me. It's okay, it's okay.

All right, so we just finished teamwork, and next we're gonna talk about time management through task management, okay? The idea really is: don't try to manage time, manage your tasks, okay? Because then you can accomplish more in a short amount of
time. And what I love about task management is when you can check off those tasks at the end of the day, it makes you feel like you just accomplished something. And it's of course gonna help you with multitasking, because you can take multiple tasks and you can break them down into smaller tasks. Because whenever you are multitasking, you really are not. We don't really multitask. It's not like you have that hacker in CSI (and I'm bringing that reference again) with two keyboards. You can't do that. You only have the one keyboard you're working with. So what you're really doing is you spend 30 seconds on this email and then you spend 20 seconds on the
text, you come back and spend 30 seconds on the email. So with task management you can actually keep track of those things, and you will realize that you're doing it better, okay? Nobody and miss Wilkins is right. So instead of fitting your work into eight hours, if you still work eight hours or 10 hours or whatnot, think about what are the tasks that I have to accomplish today, and can they fit in the time I have. What that's going to help you with is saying no. Learn to say no to people, even if it's your boss. The sooner you learn to say no, the better you'll have your work-life balance, the better you will be able to manage your time and do
your work, okay? And it's always the hardest thing to learn, to say no to somebody spirit, and I'll give your boss or VP of the company or somebody who's been at the company for a long time. But it's important for the other side to also understand that when somebody's saying no to me, they're not really saying "I don't want to do this for you"; they're telling me why. So tell them why, why you are saying no. My favorite thing is, "Hey, I would love to do this for you, but I won't be able to do it well if I do it now, so how about I come back to you, or how about you find somebody else?
Joe is pretty good at it, maybe he can do it." Right, you give them an option. That way you are doing that cold core consultant speak; you're not really, you know, straight up saying no, but you're actually saying no. [Applause]

It is a tangible thing in task management, especially if you are using sticky notes. Anybody still use sticky notes? I still do sometimes. Yeah, and you can just take that in Berlin people either in your office just just take off the smoke sensor and just you know this video saying that awesome. But you have finite time in your day to do things, and you can't just take on everything. I know sometimes we love
taking on more work because something new came up that's really cool and we want to do it. Well, then you have to balance it. You have to start with: here are the things that I have to get done, they're important, and here are the things I want to learn, and they're all coming towards me. I have to find that balance and make sure you don't work too hard. All right, and I'm not gonna say all that, you know, that you only have so much time in your life and whatnot, but the reality is the more work you do, the less productive you will be, and the less productive you are, the less you are going to learn, the less you'll be able to perform, and the
more you will hurt the team's goal or the company. All right, so in the end all of that is going to factor into your own career, so learn to say no.

So how do you multitask like a pro? Always look at the big picture; look ahead. So if you've got a project coming up, let's say you are doing a security assessment, okay? You are starting with meeting with the client, understanding their scope, understanding their objectives, and you're going to go all the way at the end towards giving them that report. Write those steps down and put some timelines on them, and start thinking: what are the tasks I'm gonna have to perform in that
time? When I give the client that report, what are the smaller tasks I will have to perform? For example, in that report you'll have to prompt QA, you have to fix things that come back from QA, then you have to provide the client the report, you have to email the client about the report. There's so many small tasks that you could break it down to, and then you want to sequence those tasks in a strategic way, okay? Here are the tasks that must be done sooner because something else depends on them. I can't start my pen test unless I have a scope, so the scope comes first. All right, I cannot provide the client a report unless the pen test is completed
or unless the team has provided all the findings. So you want to strategize, you want to prioritize those tasks.

And next point is not important: protect yourself. Whenever you are agreeing to things, my preferred way is through email, because then there is this written chain that talks about I agree truth is this time right now, okay, I'll get it done next week. Well, now your boss can come to you tomorrow and say, "Hey, you haven't done it yet." Well, you can refer them back to that email. And bosses are not always going to be malicious about it; it's just sometimes you forget, we're all humans. Or if you forget, you'll have that email in there that you might
look at. One thing I like to do with my emails is I don't mark it read unless I've done what was asked of me in that email. That ends up becoming your task management tool right there.

I've started seeing a lot of people do this, where they set up an auto-reply or out-of-office for any time they have to really dedicate to a project. If you're at a client site, for example, set up an out-of-office so folks don't keep handling you with an email and expect you to respond. You could always have a reply in there saying, "Hey, if you need me urgently, call me," and folks are usually (and I say usually, except when they're spammers) less likely to call if it's not
urgent, okay? So have something like that in place.

We're talking about task management; there are a few tools that I've tried and I want to talk about them. You've got your list-based to-do lists. All right, some of you may have used Wunderlist, Todoist or Toodledo. They're pretty good for organizing your tasks, maybe by priority, maybe by date. You have the list of things that you can go through. I've seen a lot of people do that in OneNote, I've seen folks do that in sticky notes on their whiteboard, whatever works for you. One of the things I like to do in my Toodledo app (I use Toodledo and I use Todoist because
I'm crazy, only use one), but in Toodledo what I like to do is the right context. So if I'm creating a task, I'm going to find a task that has to be done before the second task can occur, and I have created a sub-task instead. So you don't have a separate task; you know you got to finish these sub-tasks before you finish the one on the top. It creates that hierarchy, creates that structure, and structure helps us, especially when you're in the security field. We are in the security field because we love structure, okay? We don't find it, unfortunately, but it helps, and especially in task management it's very useful.

Second thing I've been
seeing a lot of people use is Kanban, like Trello does that. That's pretty cool. Or you could just do sticky notes again. The three fields I like to have in that, or three decks of cards, are in progress, to do, and done, okay? There's an additional one we'll talk about in a minute that's pretty useful, but these are the three ones: to do, in progress, and done. I'm not a big fan of these lately because a lot of my tasks now have a required date, so if you've got a date, something like Kanban can be a little difficult. But in the end, whatever works for you. And if you love command line, there is Taskwarrior; that's
pretty useful. I also see people use vim or nano. You don't have to prove anything; just use sticky notes. Whatever works for you, though. But in the end, use what is best for you. Everybody has different styles, so you don't have to stick with one style, you don't have to stick with one tool. I tried a lot of tools before I stuck with one or two that I like, okay? If you like Evernote, stick with Evernote. If you find that having a notebook with you all the time looks better, go with that. Everyone learns and does things differently, so just be mindful of that.

One thing, though, you have to be mindful of when
you're using these tools is don't put any confidential or any proprietary information in there. We're all security folks; we know these things have data breaches. The Trello boards often are public, and you can see what people are talking about, you can see that cake recipes. So just be mindful of that.

All right, one thing I wanted to finish it with was delegation and a not-to-do list. When you are given a task, think about if you have to do it yourself, okay? And if you don't have to do it yourself, delegate. Find somebody who is really good at it or wants to learn it, and give them that task. It has two benefits. Number one, you just freed up some time
for yourself, and number two, you train somebody in your organization to take some routes tasks in the future, maybe replace you one day when you move up, okay? I don't have to be the side that could be this side too. If you don't have to do this task at all, maybe not today, we don't have to do it this year, create a not-to-do list or a do-later list and add it there. This could be your future ideas of things you want to do: you want to start a company, you want to get your master's, you want to get your CISSP. Add tasks like that to that list, and do review that list periodically,
don't just forget about it. But if you're using Kanban or whatever, have that list of things that you will do sometime in the future, okay? It keeps track of your goals. All right, and at the end of the day, when you check out those done-today lists, that's gonna feel very liberating, and then you can do all the things tomorrow.

Whenever we talk about time management, task management, teamwork, oftentimes you got to think about procrastination, okay? And what I've learned is it's not really a... and this actually comes from this book, Solving the Procrastination Puzzle: procrastination is not a logical thing, it's an emotional response to what's called seven triggers, okay? And those seven triggers are: maybe the task is
boring or frustrating. You've been telling your boss you don't want to do this penetration test, or you don't want to, you know, do this low fantasy for this software or whatever else. So you've been telling your boss you don't want to do it and it keeps coming back to you. It's gonna get frustrating, and it's going to be something that just goes to the back of the pile, okay? Maybe the task is too difficult for you; you need to break it down, or you need help. Maybe it is too ambiguous. We all know those tasks that are very ambiguous: you know, "Can you do this report tomorrow?" Okay, and what is it about? You know, give me specifics.
Maybe it's very unstructured tasks, except those Friday movies look good. Maybe the task isn't rewarding, okay? While not everything has to be rewarding in a financial sense, or you don't have to get stickers for everything, if you don't feel any kind of reward for something, we don't feel that we accomplished that day, all right? Even if it means just getting a thanks, just getting a thank-you from your boss or, you know, "good job there," or your teammates acknowledging that. And number seven is really lacking in personal meaning. Maybe you just got the job because you need a job and now you just don't like it because it wasn't something you wanted to do with your life. It's lacking in
that personal meaning, and that is why you're procrastinating. If you have to do the task, one thing ever just says: just do something. Just do one thing in that task. If you're writing a book, and even if you just write down a title, there's something you've done. Next day come back and just look at the title and see what could be the first line. Just one thing at a time could eventually turn into something, okay? So anything that can get you started. Of course I had to put that in there. Anybody ever watched it, Chuck? I'm glad somebody admits.

So whenever you are working in the security field, often usually there come some decisions that aren't
necessarily right versus right or wrong. They're not just like questions of legal; it becomes an issue of ethics, and that's what we're going to talk about next. Any questions of although should've asked awake? All right, so that's not ethical decision-making have to go hackers. So I talk about ethical hacking in here because whenever you think about ethics and security, that's one of the things that comes up, but it doesn't necessarily have to apply to that. But think about it: if you are a penetration tester and you were performing a pen test against a client, but one of your associates, one of your juniors, ended up running a vulnerability scan against everything, including things that were not in scope,
or you were... anybody ever used Wifite for wireless hacking? So it's a tool that automates wireless hacking for you, finds WEP or WPA networks and then gives you an option: do you want to attack network one, two, three, or do you want to attack everything? I once had an associate just attack everything, so now they were attacking not just the client but their neighbors and Starbucks and whatnot. And that's where you have to start thinking about what are the ethical implications of these things. Or if you were looking at some traffic on your network, you're a blue teamer, and you start seeing somebody's plain-text emails accidentally, or, so, I've seen some
patient data: what are the ethical implications? What do I have to do at this point, okay? Because right versus wrong is easy. You can do a right versus wrong decision using the scientific model of decision-making, which generally is, you know, you define the problem, you formulate a hypothesis, you gather the facts, you analyze them, and then you have a theory, a solution. For example, if a teammate in your pentesting firm is stealing data and selling it, okay, did they go out patient records install and just selling in the black market, or if somebody in your IT department is reading people's emails, those are easy decisions to make. However, if you have to think about things like
truth versus loyalty: do I want to speak truth about this issue I have, or do I want to stay loyal to my boss or my beliefs? Those are your right versus wrong, to say right, I'm sorry, right versus right decisions. So we want the histories we did my MBA program talked about these from (I'm gonna pronounce this name wrong, I already know it) Professor Joseph Badaracco. He's from Harvard, and he put forth this right versus right decision-making framework. He gave four questions to that. First is: is this decision I'm going to make good for most people, and hurts the least people? Right, utilitarianism. We hear about that all the time. Decision we made we up
it hurts Joe but it helps the company. And then once you've decided that, you take that decision and you think about the rights of the humans, the rights of the shareholders. Now that I've made this decision, maybe I'm gonna fire Joe (maybe I'm picking on Joe, sorry Joe, if there's a Joe in here), is this decision going to hurt that person? Is this going to infringe on their rights as a human? And then: can I live with this decision? Think about what if this decision was printed in the newspaper next day (and for us Millennials, on Facebook next day, right?), how would I feel about it? And the last thing is, if all of those you've
gone through, is this feasible in this world as is? So when you make an ethical decision, might have think about can I just stay the course that might be ethical at some time. And of course all of these come after "is it legal," okay? The laws of the land change often, so you have to think about them too, so involve your legal department and more of your, you know, folks who know law. But these are the four things that you can talk about when you're thinking about ethical decision making, right? It involves your shareholders, it involves the rights of humans, but also involves not be able to live it's something that you didn't make
a decision of, okay? So you have to think. So for example, if somebody got a job as an assistant in a company back in the day, let's say 20 years ago, and on their resume they lied and said they have an MBA, and after 20 years they've made vice president of a company, and the requirement in the company for vice president is they have to have an MBA. This person right about 20 years ago they wonder when applying for MBA at that time, I mean for a vice president at the time. But they've worked hard all these 20 years and they've made it to VP, and now they might get fired because they lied about it 20
years ago. So a decision like this is where you'll have to think about what's the best course of action, where I'm not hurting the most people, I am holding on to the human rights and the rights of my shareholders also (because of course business is about shareholders), and I'm able to live with the decision I'm going to make, and it is going to stay with the world as is; it's not gonna modify the world too much, or my company for example too much, right? So somebody like that, you might think about maybe you give them six months to start enrolling in an MBA. Maybe they only had two classes left; go and finish them, okay? Maybe if it comes to that, maybe you fire
them, but you have a good reason for that. You have to be able to live with that decision and be able to see it in the newspaper the next day and feel proud. That would be an ethical decision, okay?

So the last thing: leadership. And this is a book that I read in this video, good book, extreme leadership by Jocko Willink and Leif Babin. They have another one that came out recently called The Dichotomy of Leadership, and they talk about these leadership lessons they learned as Navy SEALs, and some of them apply to our world quite a bit. Some were way too extreme and I kept them out. But one thing I loved about that book that they talk
about is: everyone is a leader. You're a leader at home, you're a leader at your job. If you are doing that task yourself, you are a leader of that task. Maybe you are training someone; even though your title doesn't say senior, you are leading them, okay? Maybe you are a mentor to someone, or you are putting your research, maybe you're running a blog; you're leading that team. They also talk about how there are no bad teams. So if you see a bad team, you need to think about how they're being led, okay? They use a sentence, "there are bad leaders." I don't think there are bad leaders. I believe there may be bad
leadership principles or methodologies that are at play. So they talk about in the book these two training groups. They were doing these Navy SEALs exercises in the boats, and one group was always doing really bad while the other was doing really good. They swapped the leaders, and that made both of those teams start competing, you know, neck to neck. And the reason for that was one of the leaders was always yelling at his guys, and what they noticed is that the team always felt they're going to lose, because that's what the leader is telling them: his colossal sank we're gonna lose your cut so tight but we're gonna lose. Well,
they're like, okay, if that's the case, we're going to keep course.

Good leaders will always lead by example. Instead of saying "you gotta go do this," go with "let me show you how to do this" or "let's do this," okay? Even if you are not personally involved in the project or in that task, helping the folks working on that task feel like they are part of your team, that they are also the leaders of it, helps them perform better. And always, you know, inspire, don't require. Don't be Bill Lumbergh. Anybody know... anybody ever watch Office Space? Man, are y'all too young for that? I came to US in 2006 and I watched it. So
the next thing: ownership. Always, whenever you are making the decision, tell your team why. I've seen a lot of teams fail because they don't understand why they're doing this task. So explain why you are implementing this new policy, explain to them why there are these changes being made, explain why you're hiring more people, or (hopefully not have to) why you're firing people. Make them feel part of that decision-making process, and keep that information sharing not just top down but also bottom up, okay? Talk to your team, get their feedback on decisions. You don't have to do exactly as your team says, but talking to the team and understanding what their concerns are and incorporating their skillset, their
experiences into your decision are going to make you a better decision maker and will make you a better leader. Of course, prioritize and execute. We talked about that in your task management, but prioritize your tasks and prioritize your decisions and help your team understand why never train them to be leaders one day. Okay, if you tell, if you explain to your team why this task has to be done before the second task occurs, you won't have to repeat that next time the same project occurs or you have a similar project. And of course, keep it simple. Don't make things complex. Complexity actually is what kills the teams, because if there are too many things happening at the
same time, if you are, you have gone way too deep into management of the project or of the task and you've got so many tasks, at this point folks are gonna have a hard time keeping track of that. Not everybody in your team is going to be good at task management, not everybody in your team is going to keep notes. So the simpler the decision, the simpler the mission, the better your team will perform. And of course, one does not need a title to lead. Everybody is a leader. If somebody tells you that you are not a leader, they are not a leader. All right, so the leadership is not an ego thing. I've seen a lot of folks get stuck into
an egotistic "I'm a leader and I must be the only leader." very well. All right, so quickly, two things when it comes to communication. For your email, try not to use "don't," say "do not." I know it's a simple, you know, college English Composition thing, but in nature look more professional. And as you'll be professional in your email, don't be over formal, keep it semi-formal. Don't add too much verbosity. don't do - we Vivi if you're in some landline, but in the email don't be too verbose. Don't write an essay. If you have to talk about something in detail, use bullet lists. And remember that email is an FYI thing. If you need someone to do something right
away, call them. If you email someone, they might not be checking their emails because they're busy doing something else. So if you need someone to do something right away, give them a call. But if you want them to read that email that day or within their to, make sure your subject says something about it, maybe just for something like "important." But don't overuse that: if every email is an important email, there are no important emails. Right. Conference calls: attend them. I often find, especially, I'm not sure if it's the same in all security fields, but pen testers don't like being on conference calls. But when you are taught, when you have a conference call scheduled with a client or with your
teams internally, maybe with your HR department or with your finance department, you're telling them about vulnerabilities found in their systems. If you as the pen tester or vulnerability manager or security analyst do not join the call, there is no subject matter expert to it. Now the call's useless. And don't forget the mute button. We've all been there. I once said "that's what she said" on a call without realizing. So use that mute button, it's very helpful. It doesn't take long to unmute yourself and you need to. And everybody in a call has a leader. While I love saying everyone is a leader, the person who scheduled a call or is, you know, quote unquote the holder of the
agenda should play a good mediary role where they make sure one person doesn't take up all the time. There's always somebody in a call who loves to talk, who wants to make sure everybody knows what they are talking about. Well, you have 30 minutes, you have 25 minutes, you have to make sure everybody gets the time to speak. And one of the hacks I've seen work very well with calls is: don't schedule a 30-minute call, schedule a 25-minute call. Don't schedule an hour call, schedule a 50-, 45-minute call. Because if all the calls are 30-minute calls all day long, you're going to be late to at least one or two of those calls. So leave that five
minutes between each call. Maybe the person needs to take down some notes, we need to compile their notes, maybe need to get ready for that call next, okay? All right, thanks for listening to me talk for a whole hour. Any questions about anything I've talked about? Well, I'll be around if you all have any questions. I've got a bunch of stickers here if you want them, because I already filled up my space on the laptop. But thanks, everyone.