
Making Our Profession More Professional - Bill Gardner

BSides Asheville · 2015 · 44:54 · 15 views · Published 2018-06
About this talk
Bill Gardner argues that information security must mature into a true profession if practitioners want to be taken seriously by the organizations they serve. He contrasts training with education, questions the value of current certifications like the CISSP, and floats credentialing or accrediting organizations (as with PCI QSAs) as possible paths forward. He also calls on the community to drop the drama, foul language, and 'cyber' jargon, and to become better communicators with outsiders and the press.
Original YouTube description
Recorded at Bsides Asheville 2015 on Saturday, June 27th, at Mojo Coworking in Asheville, NC. If Information Security professionals are going to be taken seriously by the organizations we serve, we need to become more professional. There are many ways of achieving this goal, but it's going to take culture change within our community. This talk will define this problem and offer some solutions on how to work toward solving this problem. Bill Gardner is an Assistant Professor at Marshall University, where he teaches in the Digital Forensic and Information Assurance Program. He is also President and Principal Security Consultant at BlackRock Consulting, and the Information Security Chair at the Appalachian Institute of Digital Evidence. Prior to joining the faculty at Marshall, Bill co-founded the 304Geek and Hack3rCon. Bill is the coauthor of "Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats" with Valerie Thomas, which was published in August.
Transcript [en]

[Applause]

[Music] So, everything I say today is not... Marshall University [unintelligible]; I'm not here representing them. That's the disclaimer. This is my second year at BSides Asheville. Actually, my grandmother's family is from Asheville, so I could come back. If you're not from here, there are amazing attractions and things to do here in Asheville, so please check them out. [unintelligible] I kept putting off doing the presentation, so I did this last night. So bear with me on the presentation, and if I misspelled anything, I'm dyslexic, so that's part of the problem.

I teach digital forensics and information security at Marshall; that's my main job. [unintelligible]

[unintelligible] No one tells you how to do it; the book tells you how to do it, so it's very straightforward, and it's for non-technical people. [unintelligible] They had very good words for the book. Network Scout is the project that my students are doing. I had an idea for a network sensor that you plug in on the inside, at each physical plant, [unintelligible], so that it gives your basic engineer a network tap that will catch that, and [unintelligible]. It's in a water and dust resistant case. Another slide: [unintelligible] you're teaching a class on how to build it, and it sold out. How to set it up was pretty cool. [unintelligible] Johnny graduated; he's looking for a job in IT. He's one of my best students, and he taught himself, and we picked up this project moving forward. He also volunteered his time to teach school students Python in his spare time. So yeah, that kid is looking for a job.

This is my idea: security practitioners need to start talking to people outside of our community, outside of the bubble, and this is an attempt to do that. So if you want to be on Reboot It, let me know. I call Reboot It the security podcast that my mother could listen to, so we don't do a lot of locker-room jokes, and we don't talk a lot about cigars or drinking. Nothing against other people who do, but we're not your average podcast, so please

check it out. So what's a profession? A profession is an occupation that involves prolonged training and formal qualification. Is InfoSec a profession based upon this definition? It could be. I think it's becoming that, and I think we're moving from, I hate to use the word paradigm, the next thing I'll be talking about is thought leaders, but we're moving from one... yeah, we're going to get to cyber later. Drink! Wait a minute, I can't say cyber and then tell you to drink. We're moving from a time where, you know, hackers, I self-identify as a hacker, people who work in InfoSec have been self-taught. You know, I was a system administrator for 20 years. I have degrees in political science and journalism, which makes me perfectly qualified to teach digital forensics, right? Well, we're just moving into a time where we have formal education in things like information security and digital forensics, so it's a brave new world. So what I'm going to talk about today is how we're becoming more of a profession, how that's changing, some of the things that we probably need to leave behind, and some of the things that we need to think about.

So what's the difference between education and training? Well, training is basically the sort of hands-on stuff. You know, training in the past was things like: you want to become a plumber, so you followed another plumber around until you figured out what you were doing, and then you were credentialed in that discipline, right? Probably still to this day, I mean, there's no formal education to becoming a plumber. If you were a craftsman in the Middle Ages, if you were a cooper who made barrels, you know, you learned it through an apprenticeship, and that's sort of where we are in information security. I think we're moving to a time where it's more about education. We're a young industry. The personal computer is roughly 30, 40 years old; I think I miscalculated that. The Apple I, if you want to call that the first personal computer, what, 1976? It's a little bit more than 30 years. You know, we had the non-academic internet come into being, the internet that we can get on thanks to Microsoft and Windows 95. We finally got on this thing called the Internet, this commercial internet which sprung from the military and the research community. So 1995: who was born in 1995? Anybody? Or are you all as old as I am? I hope not. So I mean there are people who are as old as the Internet, but yet the Internet is relatively new, right? First ShmooCon, well, first DEF CON, 1993; first ShmooCon, 2005; first DerbyCon, which seems like it's gone on forever, 2011; first BSides in Asheville, last year. We're a young community, and breaches get bigger. We suck: how many records have been lost? And this doesn't even include the recent... oh, OPM.

OPM, okay, thank you. OPM hack or breach, pick your word; you use the word hack when talking about breaches. So that's a lot of records. Are we getting better or getting worse? A lot of people say we're getting worse, so we need to find a way forward. There was a lot of drama over the Sony Entertainment breach, and I think there still is. There are people who are getting paid a lot of money, what I call the cyber industrial and military complex, who are getting paid a lot of money to tell the government things that, I don't know, are they really things that the US government should be using to make foreign policy decisions on? And then there are people inside the community who looked at the Sony breach and said it's not North Korea; Marc Rogers is an example of that, and some other people. But we need to find a way forward, and forward is: how do we become more mature as a profession?

So, education. The difference between training and education: training teaches you to do a specific thing, right? Education is a lifelong process. We have formalized education in the United States because, well, we pay taxes to have schools, right? We go through that and then we go to universities and colleges, and that sort of teaches us how to do a job, but most of the time when you're done with a college degree you're not going to go out and say, hey, I can do this job. Why? Education doesn't just train you; it exposes you to a world beyond just what you would do if you were learning through training. So how did you become a lawyer in the 19th century? Abraham Lincoln became a lawyer by reading books and following another lawyer around; he was an apprentice, right? Well, nowadays, Johnnie Cochran went to law school; you didn't have to follow another lawyer around and read a bunch of books, so it became more formalized. How did you become a doctor in the 19th century? Well, another doctor told you how to use leeches and bleed people in order to make them better. Nowadays we have formalized education. So if we're going to become a profession we need to move from being self-taught, apprenticeships, and training to formal education, and this slide talks about some of the different things I was just talking about: self-learning. I'm a self-taught hacker. I mean, I've got an OSCP, which is training, but a lot of it, thanks to the magic of Facebook, I can talk to a lot of really smart people out there. Facebook, Twitter, YouTube: free resources. You can learn all kinds of really cool things about how to use different tools using YouTube. There's training out there; we can take Offensive Security, which I mentioned, the OSCP. Even though it was the hardest thing I've ever done and it wasn't cheap, it was the most rewarding thing I've ever done; I can't talk highly enough about it. Then we've got Black Hat training. Black Hat and DEF CON are coming up here in a couple of weeks, where you can pay a lot of money to get some very good training. And then we have education; like I said, it's lifelong learning, formal college-level courses of study. Is anyone in here currently involved in InfoSec education, as students or professors? So

so what's the future? We're changing. We're a changing community, we're a changing profession. We all want to be penetration testers because we're going to be cyber ninjas and break in and steal stuff and things, but InfoSec is more than just penetration testing. It's blue teaming, it's system administration. The easiest penetration tests, the easiest assessments I've done, have been misconfigured networks: you walk in with default passwords, those sorts of things. You're going to have to start baking, we need to bake security into our processes. Developers are part of the InfoSec community as well, as well as building tools; they also need to move toward more secure coding. Does anyone have, is anyone political science, I mean, a computer science background? Did you learn secure coding? Right, that's why I'm saying we need to teach everyone secure coding in information security. Well, I think that you should at least, my own personal opinion is, if you don't learn secure coding in a university setting you should learn it whenever you go to get a job. And yeah, it's just something that we need. This has to be a holistic approach; you can't just have penetration testers against network defenders. Most of the time when you show up for an assessment they think you're there to get them fired in the first place. I've had some very interesting conversations with blue teamers, where I show up to do an assessment and they are basically sitting around sharpening up their resumes because I think they're thinking I'm there to get them fired, and then you have to tell them, no, I'm here to help you, and usually it works out in the end. But we can't go around dropping 0-days and being cyber ninjas all the time; we have to be more well-rounded, and part of being more well-rounded is education, once again.

We also need to set up standards, and I think the PTES is an excellent example of a standard, the Penetration Testing Execution Standard. A bunch of luminaries in our field got together and said these are the different things that compose a penetration test, because there were people selling Nessus scans, charging tens of thousands of dollars, as penetration tests. The PTES really sets up a standard, a formalized, codified standard, that either people who are doing penetration testing or people buying a penetration test can go look at and say this is what I'm buying or this is what I'm being sold, and this is basically the different steps. When I teach my classes and we talk about penetration testing we use the PTES; we go through the entire PTES standard, we go through the technical guidelines, and we follow the steps of the PTES all the way through, all the way from OSINT, open source intelligence, or pre-engagement interaction. We actually talk about how do you scope a penetration test, how do you charge for a penetration test; PTES addresses all that, all the way through reporting, which is the funnest part of the penetration test. How many people do you all know who are highly technical and go around dropping 0-days on everything and its brother, but can't write a report, or can't talk to management about what their findings are? This, unfortunately, is a problem. So education seeks to make practitioners more well-rounded, better communicators, because guess what: if you're getting a degree in InfoSec or a degree in digital forensics you're going to take English classes, you're going to take public speaking classes, etc. So that's going to make you a more rounded person; it's beyond training. PTES is an emerging standard; I really hope that we

adopt PTES formally inside the community. I believe PCI DSS actually looked at PTES and said, hey, you know, this is something we can use in setting up our standards, and it is suitable for an operational environment; this just isn't a 10,000-foot overview, you can put this into practice.

Accreditation processes: how do we accredit professionals? And I want to give Kevin Johnson a shout-out; a lot of what I'm talking about today is basically based upon one of his talks, which I believe I saw recorded at BSides Orlando, and I am wearing the Professionally Evil lanyard, so there's a shout-out to Kevin Johnson. The CISSP isn't working. The CISSP is not a good measurement; we need more standardized, meaningful standards. This was written at 4:00 o'clock this morning. We have a lot of certifications, but how many of those are worthwhile beyond getting you past the HR filter? I mean, I think the OSCP is a good certification for people who are technical, but that doesn't mean, well, you do have to write a report. But we need to move to a place where it's sort of a combination of CISSP and OSCP, right? Blend it; it's both training and education, and those outcomes that result from training and education where people are more well-rounded. You know, I know people, I've never taken the CISSP, I don't need it, I mean, I teach college; it's not really a requirement for my job, and neither was the OSCP. But we need to move to a time where technical and non-technical people can come together, like the Coke commercial, singing in perfect harmony. So formal information security education is really seeking to move toward that point. This is another thing Kevin Johnson alluded to, and I'm not sure how you fix this problem: do we really want to license penetration testers?

Exactly, exactly. Especially here, digital forensics: you're dealing with criminal activity, you may need it. But what is there out there for it? I mean, what is an example? Private investigator in some states, yes. There's also, yeah, okay, we don't have it in West Virginia. I'm trying to think of what else was out there. The people who give the CEH have a... yeah, LPT, CHFI, yeah. So they've got a bunch of those certifications. You know, I think that really has to come from a governmental organization. You know, the problem really is we don't want to break the paradigm even more in order to fix the problem. So I don't have solutions; I'm asking the questions, and that's one. I don't know how we fix that problem. But you wouldn't hire an accountant that didn't pass accounts... once again, I'm sorry, I'm going to stay in front of my misspellings. You wouldn't hire an accountant if he didn't pass the CPA exam, right? You're not going to hire a doctor that isn't licensed to practice in your state and hasn't passed all of the different medical boards.

But, yes sir? Doctors and lawyers typically don't do the majority of the work that gets done in the doctor's office, right? That's true. And so could it be that the media is talking about how there's a requirement for a tremendous amount of personnel for the mobilization in information security, and yet if the solution is a four- to six-year program with licensure in order to get people in place, that's a problem; you're running way behind. And, you know, to say that, for instance, I mean, if you're going to build a thousand-foot skyscraper you're going to need plumbers, right? But you're also going to need laborers; you're going to have people that are going to be able to fit pipe and do those menial tasks, and you can find those people now, and that's not necessarily the thing that requires a four- or six-year degree, right?

I understand. Let me say one thing: I use these examples; we're not here now. This is what we should strive for in the next 10 to 20 years in information security, to become a more mature, to become a more professional profession. We need to look at things like credentialing, and I think that these are examples, sort of really high-level examples, we can look at. The other thing you were talking about was how in law firms most of the big work is done by paralegals, right? People who are, a lot of them, without professional licenses. You know, in the case of, like, QSAs, you know, if you're doing a PCI audit, if you hire an organization that has a QSA that can review your work, you're good to go, and that's another example perhaps of accrediting in a profession. Maybe that's what we look at: we accredit organizations instead of individuals. But I don't have the answers; I'm just posing the question. I think this is where we need to be, you know, 20 years out. It can't happen today, it's not going to happen today; cultural change takes a long time. I'm just trying to set up the question. I don't have all the answers, either; goodness knows I don't have all the answers, so I'm just trying to pose the question and sort of point to some solutions. There's a path forward. You had a question?

I actually do, because this is a little close to home. My fiancée has a master's degree in psychology with counseling, and she's

basically, because she moved states, for the last several years she's stuck in this licensing hell, yeah, which is basically "you need not apply, you're not welcome here," and the job that you have to have to get the hours to become licensed is not available to you because you're not licensed, right? And so I don't know that we actually want to create that same sort of situation in our industry.

Well, like in South Carolina you can't practice law individually unless you pass the bar, but if you're a corporate lawyer and you have passed the bar in another state, if you go to work for an entity, that entity has a right and has an authorization by the state to perform law, so therefore you're under their kind of umbrella. And that kind of comes to the question earlier about how do you train everybody to go through six years? You don't. You find somebody who's going to be your lead forensics guy, you find somebody who's going to do each one of those tasks, and you make them specialists. I mean, when you go to a doctor and you have a general ailment, you send out a general assessor that says okay, this is your problem; that's what, not a pen tester would do, but a general incident responder would do, and then they go back and say okay, I need the wireless guys because this is a wireless intrusion, right? I need the guys who are going to do, you know, analysis on the database. This is the same basic principle, and then you could start credentialing each one of those individually, and it won't take six years; it'll go by much faster.

I think that's a good idea, and it sounds like the situation that your fiancée is in is just a broken licensing system, and nobody wants to create a system that's broken. I think that's the reason we need to start the discussion now about how do we do this. You know, is it going to be, oh, if the CISSP is going to be the gold standard, I think that we need to change something with the CISSP

process. Are there any CISSPs in here, before I go offending people? Sorry. So who has a CEH? Any CEHs? So you know where I'm coming from, right? Any OSCPs? No OSCPs? I'm the only one, I'm the only survivor. So Security+, which is another one. I have a master's degree in computer science with InfoSec as the emphasis. Cool. Was that hands-on or was it theoretical? I did the policy track; there was some hands-on, and it's a changing program. It was worthwhile. There's a few of these popping up around; Georgia Tech, yeah, very good program, also a very good program. At Marshall we have different tracks. We have a computer science department that teaches engineering, and then we have Integrated Science and Technology, where we teach game development, application development, web development, digital forensics and information assurance; that's really hands-on. So it's really what you want to get; really what we need is a blend of both of them, and you can do that in four years. But I think that, once again, we're talking about two different fiefdoms that are not really talking to each other. We need to talk to each other, so they put us all in the same building; we're in a new building on Marshall's campus, and my hope is, since we have offices next to one another, we'll actually talk to each other and we can move forward with maybe an InfoSec degree at Marshall, which we don't have right now.

Does anyone have any questions before I go further on my rant? How much time do I have? Time? Dave Keene was so excited to have these things, these cards, you know. So step one is education; I think that we've entered a time where you really need to have a degree to be an InfoSec professional. Step two is hands-on skills. Everyone, including your CSO, should have some ability to understand what nmap is. I was in a meeting recently where two guys got in an argument because one of them said, wait a minute, I'm a CISSP,

I know what a VPN is! Why? I mean, it's frustrating, and if you've ever dealt with a non-technical manager you know. We've got people who spent 20 years on the helpdesk in governmental organizations who are suddenly thrust into these roles of being leads or CSOs or whatever they are, and they have no technical skills, and you're trying to talk to them about making sound decisions and they have no idea what you're talking about. That needs to change. I can tell from the reaction in the back of the room that you all have been there; I think we all have. So education is, and we need some sort of formal education, I mean formal qualifications or credentialing, and we've talked about that; I think we started a conversation on that. Education is a lifelong learning process and you need to keep your education current. How much do things change in InfoSec? All the time. So we already have certifications that require continuing education. This is true in other professions as well: law. I worked for 20 years, we've talked about, we keep talking about lawyers, I worked for 20 years in a law firm, actually different law firms, and they have very strict continuing education requirements in order to continue to keep their professional license. I think that I talked about some of this before, I may be repeating myself, but basically we need a blended approach; we need both education and training.

Here's an example of the cultural divide inside of our community: we have suits versus hoodies, right? We've got people wearing the black hoodies who are highly technical, and then you've got the non-technical people, the people who like to throw around the word cyber a lot. We need to come together as a community, or we're going to have further breaches, we're going to have continued loss of data, and I don't know how much worse we get. We keep hearing about cyber Pearl Harbor: when did it happen? It hasn't happened; it's probably been happening the entire time. And for the love of God, quit using the word cyber

before everything. I actually started a community on Facebook about eradicating the word cyber; now, I was trolling, but we can't put cyber in front of every word. I mean, cyber war is a thing; I actually teach a class on cyber warfare, very happily. But you can't, you know, you can't talk about cyber ninjas; it's not a thing. Cyber rockstars: not a thing. I mean, if you're talking to somebody in government, that's their word, that's what they use, that's their speak, but we're talking to each other, and if someone starts saying cyber, cyber, cyber, I'm going to look at you like, are you trying to blind me with your cybers? You know, we've got it. [unintelligible] My whole personal thing on the word cyber is that we have words that succinctly describe what we do, which is protect information. Information security is a perfectly good phrase, so to constantly throw this word around is confusing. It may be useful when talking to non-technical people because they've heard it before, but for the love of baby Jesus quit using the word cyber all the time. Does anyone ever watch [unintelligible]? Huh, it's the same thing. I mean, I'm awful, I'm honest. I'm also on a program of basically rehabilitating the word hacker, so that's the first thing I ask when I'm in my classes: what's a hacker? And I try to take whatever bad connotation they have and flip it on its head by the end of the semester, because hackers... the same way I self-identify as a hacker, the good kind, not the bad kind. And that's part of this too: mass media have latched on to these words, so it's just not doing us a lot of favors.

We need to stop the drama. Yes, we have these great resources for talking to each other, Facebook, Twitter, but we fight with each other way too much in public. There's a difference between what Marcus does, which is call out people when they're being stupid or he doesn't agree with them, and fighting like children. We need to stop fighting like children. Doctors don't do it online.

Right, that's what I'm saying. I'm saying that if we want, we can; I'm all for lively debate, but I don't think that we should, as professionals, be having these fights. I mean, I've gotten into a lot of drama because of my fights, my trolling of people and then them trolling me back, and it got personal, or we've had disagreements before, but should we really be talking about that openly in the community, or can we just take that one-to-one, right?

I do think that we're all still trying to figure out things like, oh gee, are we going to call ourselves InfoSec professionals? Okay. [unintelligible] That's not what I'm talking about. No, no, we have it, no. There's a lot of issues like that, right? Right, we're all still struggling with and trying to decide just who we are. That's... deciding who you are, is that a lesson? I agree. Okay, so we're still in our adolescence. You're good. I think you're going to see this kind of [unintelligible]. I think that's debate; that's not drama. I don't know if you've ever actually seen some of the drama that goes on. I think people get way too personal; they get into personal fights online in public, and I think that's not helpful. And what you usually have to do when it happens, with me, and I've gotten it, I got in a big fight with somebody online one time and then I realized I was being a jackass, so I stopped. But it's happened before on Facebook and on Twitter. I think there's a point where you take debates that have gotten personal offline, or you take it to someplace where it's not public. There's a lot of people, I mean, you almost have to operationalize the term drama, and then some people just don't care. Yeah, you're right, I agree. Yes, yeah, yeah, yeah, I think that's true too, and I think, once again, it is us being a young industry, but, you know, I don't know, I think it makes us look shallow and pedantic. And that's also true of a lot of people who were system administrators: "you can't tell me something I don't know because I know everything," and unfortunately some of these people move into our community and they're just as bad here as they were.

Foul language: I cuss, damn it, as much as anyone else, but when you're on Twitter and you're communicating, how can... well, you don't go into a boardroom and say stuff like, yeah, we raped you today in the pen test. To me that's a problem, and that's a problem, suits versus hoodies. People come in, you know, there's an element in a side of our community that is a little anti-social anyway, and it's just not productive to sound like, you know, a high schooler when you go in to try to explain to people what you're trying to do and what you're trying to achieve, or the findings of your penetration test. We need to do better talking to people inside and outside of our industry, including journalists. I know whenever I'm interviewed for a story I try to be very succinct in what I'm trying to say; I don't use the word cyber, I try not to use hacker, I've talked about online criminals. You know, acting like an adult online, which kind of addresses the foul language and the drama aspect. You need to be well-rounded. Our profession will not move forward, and people will not take us seriously, until

we become better communicators, or good communicators, and education is not training; education produces better, well-rounded communicators. So that's my presentation. Does anyone have any questions? Yes sir.

A comment, perhaps, or a comment in that I slightly disagree with your basic premise. Okay. If you're looking out at 10 to 20 years, I would question the viability of a separate InfoSec profession. Okay. And the way people look at it now, okay, if you're still hiring pen testers and people like that, the computer industry has fundamentally failed. Yeah. If vendors are not building security in, in a meaningful way, right, in 10 to 20 years, in ways that, you know, work with enough standards well enough that they can interoperate and you can collect logs and join them from a bunch of different things, right, then it's just a losing proposition as an industry to come in and impose security on fundamentally insecure products.

Yeah, well, I don't think that we... and I think that, you know, security is guarding whatever makes a company money, so you're not really imposing as much as you're partnering with the business, the operation of the business, so that you help them; you enable their business process. And that's really what I'm talking about here as far as communication, being well-rounded: you need to understand how to talk to different people, not just people who are technical or people inside the community. And [Music] yeah, right, that's true. Okay, I agree, I agree, and I appreciate your comment. I mean, I don't know everything; part of this is really close to our target of starting a conversation. If you want to come on Reboot It we can talk about this; that's cool. I think this is a conversation we need to have in public so that people understand.

Yes? I'm an information systems major at [unintelligible] in Charleston, and we're just now starting to get into the security role, right, and I helped with that by creating a cybersecurity club and gaining interest among our students, but yeah, how do we bring the security education piece to our university?

Well, I think

you're still doing, I think you're doing it right. I mean, here's the thing: not all InfoSec degrees are made equal; some are way more tactical, some are way more 10,000-foot overview. So you're doing the right thing starting a club. Have you looked into doing CCDC? Yes, so yeah, actually we were the only South Carolina team to make it to the Southeastern. Cool, congratulations. I still haven't won with my team; we still haven't gone to regionals, because my kids' team seems to be focused on the offense, the attack side of it, and they're not defenders. So, like, one of the first things they did was lock themselves out by misconfiguring the firewall, so they were done in five minutes, you know. And I teach network protocols and network administration, so I'm sitting there going, okay, this is a teaching moment, so they got two weeks' worth of how to configure a firewall. So you're doing the right things. The other thing you can do, if you're involved in InfoSec education and you don't feel technical enough, is look at online resources. Part of being a hacker, the good kind, is asking questions and finding the answers on your own, not waiting for people to tell you things. And when you become a practitioner there's a lot of things you don't know; Google is your best friend. And so I would say do that, and then, I know students don't have a lot of money, I'm a big fan of Offensive Security training, but look for opportunities. DerbyCon has training; there was training here last night, did you take the Python for information security? Yeah. But yeah, something like that: you can go to community events and get more technical, hands-on training, etc. So I highly recommend it. Yes sir, you with the hat.

I think they're great, because mentoring is very important. Mentoring in this community... mentoring and apprenticeships are not the same thing, okay? Mentoring is a relationship with somebody where you go to them for an occasional piece of advice; you can even talk on a fairly regular basis, right? Apprenticeship is where you work with the person and you learn by doing with that person. Yeah, they're effectively your junior partners. Yeah, that's part of the training piece. I think what you talked about, apprenticeships, before you came in here, [unintelligible]. Do you think that they also teach the communication skills? Now I worry about that. I mean, it depends on the person who you're doing the apprenticeship with. Good point. And in the case of formal education you have to take classes which make sure you know how to write and speak in public, and I think that's the difference. But there is definitely, I mean, there's a plus to that. I wish I had an apprenticeship whenever I started out, or someone who knew the ropes. Does anyone else have any questions? I think I'm... and we talked about Network Scout, which I did with two students; that was as much a mentorship as it was an apprenticeship, because they taught themselves Python with my help, and then they did the project on their own based upon the skills we were talking about. Thank you, everybody.