BSidesCharm 2023 - Entering the Cybersecurity Field as a 17 Year Old - Sully Vickers

foreign [Music] okay guys so this is my talk on entering the cyber security field as a 17 year old my name is Sullivan Vickers you can just call me Sully oh this picture here I use on everything so if you try to connect with me on LinkedIn this is what you'll see I'm a content creator at meta CTF and a senior at Glen Allen High School I was searching for an analogy of what getting into the cyber security field at a young age is like and this is what I came up with I was sick about a month ago and I took a ton of day cool and NyQuil and I found it stupidly hard to tear across the perforated lines on these on these packets and so I I typically always ended up using scissors similar to cyber security there are non-traditional ways to break into the field before I got into cyber security I started out I started my love for it in fifth grade I started my love for it in fifth grade when I when I was introduced to scratch through our hour of code program just a super easy kid-friendly block coding platform that teaches you the fundamentals of programming in sixth grade I joined the computer science club in which I learned HTML CSS and python through code academy also code academy can be used for adults too it gives you a good fundamental understanding of everything when I when I first got it got into cyber security I started out using try hack me I'm sure you guys have heard of it I started out with a pretty rough start I spent like a week trying to set up my first VM but then another week trying to figure out how to connect to the VPN and I actually almost gave up but in the end it was totally worth it because it gave me a good understanding of how to do a good a good amount of things cyber security wise I then moved on to hack the box which really challenged my skills and as you guys probably know it's it's a good bit harder and I took some anti-siphon training courses along the way my first ttf competition I competed in the U.S cyber challenge in the U.S cyber challenge there's a preliminary competition in which you have to analyze a packet capture with Wireshark and then answer a bunch of questions the top performer in this the top performers in this competition are invited to a week-long camp with various Sans instructors and in addition to the the technical content there's also a resume writing course uh CIO and CSO panel and then a job fair um uscc is open to all ages so anyone can participate and I highly suggest you do at the end of the week There's a three hour long CTF and my team actually ended up winning the CTF and so we we were invited to the Cyber ball in the Cyber ball they give you a vulnerability two weeks in advance and then you you study the vulnerability and develop a sort of risk assessment and give it to a present give a presentation to a panel of judges following that there's a 24-hour long CTF we were then invited to DC in which we got to tour scissors sock we got we got to go to a dinner sponsored by Maximus and network with like all sorts of people and we went to the ACT IX cyber Summit so you can check out uh uscybertallenge.org if you want to participate and I highly suggest you do high school and college competitions there are there are a ton of high school and college competitions like CCDC there's there's a ton more but I competed in a the national cyber League if you haven't heard of it there's a gym that opens up about a month before the competition and you get to practice your CTF skills and really understand how it all works following that there's a weekend-long individual competition and then and then another weekend long team competition this is more of a Resume Builder but it's it's certainly worthwhile so I started my the high school club the cyber security club of my high school and as you can see that's the link to our website there initially it was really hard to get a teacher sponsor because no one wants to to sponsor a club that's based around hacking because hacking has that has that horrible the horrible stigma around it and so I ended up talking to the principal and I convinced him I wrote up this set of rules basically saying No One's Gonna Do anything bad or else they get kicked out and and he was okay with it so I talked to the head of Tech for a county and he actually wouldn't let us get Wireshark I wanted to use it just to teach people how to analyze packet captures and he saw it as a security risk what what lots of people in education need to do is weigh the risk and reward on this sort of thing of course it can be dangerous But ultimately it can teach you fundamental skills on how to get into the workforce I resulted in using cyber start America since it doesn't use many penetration testing tools and it consists mostly of source code analysis and cryptography and there's actually also a sand scholarship if you if you uh score high enough and so you can get a free stance Foundation scores we also had various speakers one of them being the chief technology evangelist of coptia as well as a few from Bank of America they spoke on how to get into cyber security as well as what entry-level positions are available oh also here's my video that I used to market the club the world relies on technology what's vulnerable everything infrastructure Finance smart technology everything is connected so everything is at risk during the going out in high school cyber security club today make the world a safer place [Music] so we actually had someone in charge of marketing as well because it it's kind of a big deal like if nobody knows about a club at your school no one's going to join I'm currently working at meta CTF as a content creator and I have been since January I started out auditing the anti-slip in cyber range and I would go through and I'd check all the challenges for grammar functionality and like learning Effectiveness I then created summary files and put them in our gitlab Repository from there I moved on to redeveloping our privacy policy to comply with gdpr standards as well as the newer California privacy laws as you've probably seen on lots of websites now they have the consent to cookies button that you the super annoying button that you have to click every time you come on the website and currently now I'm actually working on creating ctfs I got I got the chance to participate in the anti-siphon office hours live stream it was on Powershell for infosec with with uh Kerry Roberts this was actually the first time that I had the opportunity to learn one-on-one with some sort of teacher or someone that's a professional in the field I think companies should open up opportunities like this to other people there aren't many of these and they can help people a lot now I haven't started well starting in June I have an internship at a fortune 300 company so age is just the number as you can probably guess I had lots of issues doing things with my age like like participating in anything some things you can't change like getting a hotel room or a rental car but other things you can I tried to participate in the alpha omega Federal networking day and I was actually initially rejected because I I'm not currently pursuing a bachelor's degree because that's kind of hard to as a high schooler so yeah so so what I ended up doing was sending them my resume and saying okay so sure I'm not currently pursuing a college degree but can you substitute this what you can do is you can think outside of the box you can reach out to recruiters directly and say hey while I may not be doing what everyone else is doing here's something else and then after that I also got rejected again unfortunately because I'm not 18. so what I did is I asked to bring a chaperone and I brought one of my friends who recently recently got out of the military and so he actually ended up getting a job interview after it look but majority of the time it doesn't end out the end up that well uh my dad's right there I have to bring him everywhere um and so I always can't go to stuff like because he has to take off work and you know it's kind of a big deal um we drove five hours to come here I'm located in Richmond Virginia so yeah but what companies can do is they can come to schools instead of bringing people to them so in this way basically people can get some sort of an education so I networked a lot and networking is super important in the cyber security field because it's hard to get into and connections can really get you places so here's some of the companies I talk to so I talked to a lot of people I enjoy it and I I suggest you guys do it as well so here's some tips that I have for LinkedIn whenever you connect with someone you don't know send a note in your connection request you have the option to send a note if you don't already know this and what you can do is say hey here's a little info about me here's why I want to connect with you and do you think you'd have a time to call with me at some point in the future and something else you can do is find commonalities so let's say I've recently stopped teaching and I'm looking to get into the cyber security field what I can do is I can look through their job experience and if I see that they were also a teacher and they made that jump to cyber security I can bring that up in my note and ask specific questions based on that and then they're more likely to accept that connection request keep a list there are obviously going to be lots of people you want to talk to and if you roll out like a hundred connection requests in like one weekend you're not gonna be able to talk to all of them so keep a list and gradually roll them out and then eventually you can set up calls and conversations adjust your vertical so if I'm trying to talk to the CSO of Google he's probably not going to respond and so so what I can do is I can move down a level maybe I go to the deputy C so maybe I go to the head of red team those are all good options and you can honestly learn a lot from them so you've already made that initial connection and now you're ready to have a call or meet them in person as you're going to be driving majority of the conversation you want to prepare questions ahead of time come into the call with a set list of things you want to learn from this person be engaged something you want to do is be present in the conversation you want to ask questions about their questions and ask them to expand on their answers ask for an introduction if they bring someone up in the conversation something you may want to do is ask if they can introduce you to them because if you're making a connection request to someone that you don't know on LinkedIn they may not accept it but if it's a connection made from a co-worker or a friend that's you're you're more likely to get in touch with them follow up your meeting ask if you can follow up in six months this is of course if it was a good meeting asked to follow up in six months this way you can maintain that initial relationship and be thankful these people are taking time out of their day to talk to you and they don't honestly owe you anything after you've had that call create a spreadsheet you want to retain this important information that you've gathered so what I've done is I made a spreadsheet with the name of the person the role and the company they work for as well as the date I talk to them the reason for the conversation and my three main takeaways what this does is let's say I meet you in person again and I have no clue who you are then I can just pull up that spreadsheet and you're just right there so for that six month follow-up you want to set a reminder on your calendar you will probably forget if you have that reminder there then you're good send a thank you this goes back to that thankfulness thing you really you really want to be thankful and Express gratitude toward towards whoever's talking to you so what are the common one of the questions commonly asked is should I even get a college degree you get a really mixed bag of answers if you talk to people in the public sector typically they'll be like yeah you need a degree um private sector I've noticed is more lenient they're more okay with you not having a degree what you can do is substitute that with other experience for example certifications if you haven't seen this this is Paul Jeremy's certification map I made a tiny URL there basically what this map does is it shows you how hard each certification is what categories of cyber security it hits and if you click on any certification it'll actually it'll actually take you to the website so if you just want to look at the link real quick make your own experience something else you can do is write articles on medium or LinkedIn compete in ctfs you can check out ctftime.org they have a whole list of like a billion ctfs and what you can do is you can go for the bigger ones as they look better on a resume Azure and AWS offer free 12-month services and you can practice setting up an Ubuntu server or a Honeypot or something you can contribute to your GitHub code repository just to develop a portfolio there you can also contribute to open source projects these all look really good and they honestly really stand out on a resume rather than saying I've studied for this you can say I did this make your Bad resume sexy so coming into any career you're not going to have anything on your resume and as you can see here these codes do this these scripts do the same exact thing but one looks way better so don't be Craig 's resume is super Bland it's black and white sure he may have more content than I do but at least mine looks pretty if a recruiter is looking through a stack of papers and they keep seeing black and white resume after black and white resume after black and white resume they'll see this one and they'll be like whoa that one actually looks a lot better and you can also include links if it's a PDF so to wrap things up here you can come in through the back of your DayQuil you don't necessarily have to come in tearing through the perforated lines like they suggest you to foreign take one thing away from this talk remember to make sure you only sound stupid once coming into any career you're expected to sound ignorant and you're also they're expected to sound ignorant you're going to ask stupid questions and you're going to feel stupid but remember the answers to your stupid questions this way you don't feel stupid again thank you guys for listening do you guys have any questions what's up what games did I make in scratch oh so I actually in fifth grade I made one based on Five Nights at Freddy's if you've heard of that it was horrible it was horrible but it taught me a lot it's a question home is on black so for a home lab something you can do is you can set up a network you can with like a router let's say even extra router laying around the house what do I do what do I have so I've just messed around with Azure and AWS pretty much I don't I don't like yeah yeah in some ways yeah answer questions sorry I was just saying he didn't mention gcp you got to get all the clouds what was your question how many languages do I know um so I know the fundamentals of a good number of languages I'm not necessarily crazy good at a specific one like I don't know like I knew HTML CSS python and a little bit of C plus plus as well and then I can typically just look through another language and be like okay I understand that but I I don't necessarily know how to just code from scratch so yeah it's your question so do I have any cyber security courses at my high school I have a computer science course um it's just Java and it's it's pretty bad like we code we code on paper we don't use a compiler we just write it all out yeah yeah no syntax highlighting nothing it's pretty brutal so no cyber security courses at all no so he's clear enough to use Visual Studio okay what really got your student cyber security why are you striving so hard so what got me interested in cyber security I've always been interested in I.T and I was bored and so I looked up how to hack and then it just it it really interested me from there and I got like addicted and I did a ton of ctfs I like figuring out how things work when I was younger I would take apart a pen and not know how to put it back together but just to see how it works so we have like a bunch of broken bins lying around the house but yeah I can't see you the light oh um Mr Robot that's more of a TV show though but and there's also well actually War Games technically but yeah yeah okay well oh sorry go ahead yeah that's one way to do it but also if you're going through if you're going through like so let's say you see a job a job opening online what you can do is you can go through and look at the keywords in the resume and just put that in yours I think they'll still pick it up and honestly majority of the time with my resume it won't get picked up and I'll get rejected straight away so what I do is I just go and message someone at the company or the recruiter and say hey can I talk to you so yeah I think that's a better way to go depression we used yeah we used cyberstart it was called cyber start America yeah and it's open to high schoolers I think you may be able to do it if you're younger but I'm not sure about that okay so that's your question I'm sorry what'd you say I've I've always emailed them but I'm sure you can do both and I'm sure they'll probably print them out like at the actual workplace so I always include links just in case it's my dream job I'm I'm gonna go for ciso I'm just going I mean I feel like that's a lot of people but that's my end goal yeah some sort of managerial position okay well uh thank you guys I appreciate you guys listening if you have any more questions feel free to approach me or connect with me on LinkedIn foreign