
Hack the Hustle!

BSides Detroit · 33:38 · 2.1K views · Published 2013-06
About this talk
BSides Detroit 13, June 7-8, 2013. Abstract: While information security is widely considered a negative-unemployment industry (it's actually closer to 3%), most of us will look for a job at some point. Seasoned technical recruiter Eve Adams (@HackerHuntress) provides infosec-specific insight on writing resumes that get you the kind of attention you want, getting short-listed for cool positions before they're even posted, strategically riding infosec employment trends, and how to most effectively work with those delightful recruiters. This talk will have something for those just entering the workforce, mid-career security professionals, and former VAX hackers alike! Speaker: Eve Adams (@HackerHuntress)
Transcript [en]

[Music] Morning, moderate? That doesn't sound like you.

Johnny, I'm all right. FEA Midland. So my name's Eve, AKA Hacker Huntress, and I'm going to be talking about jobs, hacking the hustle, and I need... a display would probably be good, or I could just talk. Everybody moving closer. So: a SQL injection walks into a bar, starts to quote something, but stops, drops a table and dashes out. [Laughter] TCP/IP walks into a bar... no, that's wrong, that's the VRRP one, that's the redundancy one. TCP/IP walks into a bar, says, hey, I'd like a beer. Bartender says, you want a beer? TCP/IP says, yes, I'd like a beer. Oh yeah, I'd tell you a UDP joke but you wouldn't get it. Ah, that's our slide.

Yeah, so this is... we're doing this kind of casual, right? So as I say, my name is Eve. I'm with HALOCK Security Labs in Schaumburg, and I essentially, long story short, do recruiting exclusively for information security jobs. People ask me, are you a corporate recruiter or are you like an agency recruiter? Closer to a corporate recruiter, in that I staff positions for my company, but I also staff positions for other companies. So there's this myth, right: there's no unemployment in information security, right? It's kind of like there's no crying in baseball. We're all happily employed, and there's this myth statistic that, I think it was the executive director of (ISC)², who said, yeah, there's zero unemployment in information security. And the statistics sort of bear this out. These are from the Bureau of Labor Statistics. They found 0.9% infosec unemployment in calendar year 2012. They also found the security workforce in calendar year 2012 was 52,000, which seems awfully low to me. Just for reference, there's something like 57,000 CISSPs. Raise your hand if you work in infosec. Keep your hand up if you have a CISSP. Yeah, no, these statistics are not right. But that's actually really illuminating, right, because they could not find enough information security professionals to include in their study, and that's perfect, right? They couldn't find enough people for a representative sample size. I think that's beautiful. I think that is a statistical anomaly that is worth looking at. But for reference, web devs, whom we all love to hate, experienced 4.7% unemployment in 2012, and they're projecting 22% more infosec jobs by 2020, including the 4,000 cyber warriors that the Pentagon wishes to hire. And if you are a cyber warrior, by the way, please send me your resume, because I'd love to know what a cyber warrior is. Thank you. So, right, I mentioned web devs partially because, if you remember back in the bubble days, like in the late '90s, early 2000s, when it seemed like nobody could hire

enough Java developers, and you were just set if you were doing web dev, and yet the security hiring trend was kind of meh. Well, now it's starting to level off for developers, and the job market for infosec pros is completely awesome, probably because they hired so many Java developers. But the problem is, right, so we've got this great job market, lots of demand, but the problem is highly desirable skill sets like yours lead to highly volatile job markets, and this is for a couple of reasons: money and bidding wars. I like money, I assume the rest of you do, and the money that you can command as an information security professional is pretty darn good. That BLS, with their terrible statistics, puts out a nice round number as an average annual salary for people involved in security: 100,000. That's pretty good. I've seen way higher, I've seen criminally lower, but that's still nice. General IT churn: in general there's a lot of turnover. This is just due to the volatile nature of the macro industry of technology; as technology changes, people are going to change jobs. Burnout: Jack Daniel is the person to talk to about this, but yeah, you see it a lot. Long hours, people who don't necessarily understand what you do, being highly billable all the time, being the person people run to when something is on fire, leads to burnout. And part of that is working for idiots. There's a lot... yeah, thank you. There's a lot of this, you know, and this is a whole other talk topic: business doesn't get what I do, the business side will not give me buy-in, and there's a disconnect between getting the buy-in that I need to implement a security program that works, so they're not constantly screaming at me when something's on fire, and what I need to do, what I'm expected to do, how I'm expected to perform. So if you're working for this guy, you're probably going to quit. So people ask me all the time, all right, great, I'm looking to make a change,

and what do I do? This talk is going to focus in pretty large part on resumes, because that's what I get the most questions about. Here are the problems that I see specifically for security professionals. You need to verb all the nouns; I'm going to talk more about that. Things your resume is not include a race car, a pretty princess, and a junk drawer. And the TL;DR that you need to keep in mind is: tell me what you can do. Don't tell me about every tool that's ever been in every office where you've worked, don't give me vague job titles, which I'm going to talk about more. Tell me what you can do for me. And let's get a little bit deeper into that. This is a terrible resume. This is from a real resume; all of these resume samples are from real, legit resumes, which you may find profoundly unbelievable in a moment. This is terrible. "Use the following technologies for client security assessments." First of all, why are you using Splunk for a security assessment? But more about that later. "Perform code review." What code review? Why? What is a security assessment? Are you pen testing? Are you vuln scanning? I don't know. So this is epic fail, right? I see this a lot, and people just list out chunks of tools and say nothing about what they do with them. First of all, I'm not that interested in tools. Second of all, I need to know what you're bringing to the table. I need to know what verb you're verbing to the nouns. Your resume is not a race car. This is from an actual real resume.

This is from the header of a resume. This is like the neck tattoo of resumes, all right? Certs are great, and again, whole other talk about certs; I don't care that much about them, but whole other talk. These do not tell me anything about what you can do. These tell me about tests you've passed, and that, in terms of putting you on an engagement with a client, is useless. And the SE's not back, right? So that's fail. I thought the SANS certified specialists looked kind of lonely over there, so I'm just going to put the fail right there. I changed the verbiage on this just to illustrate, but yeah: weird fonts like Algerian, different horizontal lines, charts. I have seen this; I have seen the charts, and I have been through hell looking at these resumes. This kind of thing obfuscates what you can actually do. I don't want to remember your Microsoft Word formatting chops; I want to remember the impression that you gave me about how you're going to kick ass at my company, right? This is fail. I formatted it nicely, just general fail. This is something I see a lot too: you tell me everything that you've ever done, and it's not focused on the position you're applying for or the position that you want. So all of these things are not like the other. I don't get this: is this a QSA? Is this a reverser? Is this a firewall jockey? This person may have done all these things, and this is actually a real problem, and I get this; I'm deeply sympathetic to this problem. A lot of you have really diverse backgrounds; a lot of you have actually been a part of all of these things or other different things, and you ask me, well, Eve, I've done risk assessments, I've done reversing, I've done auditing, and how am I supposed to cram all that into this bite-sized piece of paper? Don't. Make different bite-sized pieces of paper; have different targeted resumes. So if you're out of work or you're miserable at your job, and you think, well, heck, I could be a firewall architect or I could do auditing, doesn't really matter to me, I like them both equally (you're weird if you do, by the way, but that's okay), then you can use those targeted resumes, those tailored resumes, to apply for both jobs at the same time. I'm not confused; you may actually get the jobs. So this is maybe-fail: can't tell, split it up. This is from an actual real resume from my dear friend Jane Q. Infosec, who worked for Ethic Financial MegaCorp, was on the job market recently, actually got a counteroffer that was quite attractive, and Jane Q. Infosec has verbed all the nouns. I know exactly what Jane does. Good summary; we have job titles that actually make sense. But look: web application security engineer. In Jane's verbing of the nouns, I'm not confused as to whether Jane's a web app pentester. I understand, looking at this, looking at the integration of the tools, of the different platforms Jane has used, what Jane actually did with them and what Jane can do for me. So this is totally win, big win for Jane. This is really good too; this, in the same way, just goes into a little bit more granular detail. You can throw the tools in there; don't just dump them all at the bottom of your resume or at the bottom of your work experience. Tell me what you're actually doing with them. Vulns and exploits particularly, I love to see that, because that tells me, okay, I can actually put you on an engagement and you're not just going to do a scan job, you're going to pentest. That's an example. That's equally applicable if you're doing, you know, firewall engineering, auditing, any particular role that you play in a security profession: you've got to integrate the technologies that you're working with into what you actually do with them. Win. All right, so much for

resumes. I could go on and on, but once you have that sick resume, how do you get a cool infosec job? There's a variety of strategies with this. You can post and pray. This is really traditional: toss your resume up on the job boards, wait for the recruiters to be all over you like you're the only girl at an infosec con, and then complain about how they ping you about jobs that have nothing to do with what you do. I know, they do it to me too. I made the mistake of putting on my resume that I know how to use PeopleSoft, and now people want me to be an Oracle PeopleSoft architect. And okay, you could spray and pray: you can apply to what's posted. This is really problematic too, for reasons I'm about to get into. Or you can network in. Most of you already know this; most of you are like, oh yeah, I know a person at a company and I just hit him up, got a job there. It's been very effective. You can learn about jobs before they're officially open; you can also have people create jobs for you. This is really fun and really gratifying when you can do it. Current employees, events such as BSides, such as meetups, even recruiters can help, and this is not to be a recruiter apologia, but if you find a clueful recruiter (we do exist), they can actually help you to network into companies that maybe they're not even recruiting for. They can help you to find positions as though they were working for those companies, and I'm going to talk more about that. The problem with post and pray and spray and pray, going by job descriptions, seeing what's out there, looking at job postings: they're so vague, they don't make any sense, and they may have little or no bearing on what you're actually doing. "The IT security engineer is responsible for design, development and implementation of IT security solutions for network systems and applications. The IT security engineer also manages the inf..." What? What does this mean? Can anybody tell me what this means? Double rainbow? Excellent, thank you. What does this actually mean? I just don't understand what I'm supposed to take away from this. This could mean absolutely anything. So before you actually get a live human on the phone, you're not going to have any idea what you're actually doing at this job. So get a live human on the phone as soon as you can. I'm sorry, you had a question? [Audience response] Excellent, sounds like a great job, can I apply? Sometimes the requirements are actually impossible, like five years of experience in Kali Linux, these ridiculous requirements that have nothing to do with each other: PhD in actuarial math, must be local to Nome, Alaska, got to be there and make amazing coffee. Ability to lift 700 pounds is something I've actually seen in a job description. They meant 70, but if you can do that, you should also hit me up, because I may have a requirement for you. What is the idea behind these job descriptions? Okay, so first of all, why are they so weird? First of all, they're written by HR, and here's the way it works, for those of you who don't know. HR gets together with the hiring manager, which in infosec jobs is usually going to be your boss. HR tries to listen to the hiring manager and tries to make some HR-legal-friendly translation of what the hiring manager will say. So the hiring manager will say something like, I need a hardcore red team web app breaker. We all know what that is. HR's like, what? And tries to put that into HR-friendly language. So the other problem is they can be legally binding documents, usually written by non-practitioners, i.e. HR, so there's a lot of vagueness, there's a lot of CYA. Again: ask. It's like a tech support call; you want to get a live person on the phone as soon as you possibly can. Ideally maybe somebody who works there, ideally the hiring manager, or failing that, a clueful recruiter. Right, so learning about

jobs before they're open. Friends and associates, we talked about that. Social media is often neglected. I have found LinkedIn to be... Twitter is awesome, underutilized. There's a hashtag, #infosecjobs; we're all posting all the time, and not just recruiters but people internal to companies. I think we can all testify we're out there. It's a really easy way to just casually say, huh, interesting, and talk to somebody who's not HR, talk to somebody who has the need at the desk next to them for the position they're managing: what is this job? And circumvent the ridiculous, sometimes impossible job description. So we're talking about bridging the gap between the hunter and the hunted (that's me, by the way), and how are we doing this? So I have FAQs about this. How do I... good question... how do I incorporate gray hat, potentially black hat, community involvement into my resume? I get this all the time. You may encounter mistrust if you talk about this with people who are not so much practitioners. A way around that is you need to establish trust, you know, show that you're not like Zero Cool or something, and then talk about what you learned. Don't say, yeah, I hacked into Paris Hilton's Sidekick and I learned about mobile pen testing that way. Just leave off the first part; say I did independent exploit research in my personal lab. Just put a nice face on it, and that's cool. I mean, most of the time, frankly, the hiring manager isn't going to want to know how you learned what you learned. Community involvement: highly underrated. People ask me all the time, should I put that I went to DEF CON or BSides or that I go to meetups on my resume? Yes, all the time, mention all the things, because anybody who is clueful, anybody who is involved in the community, is going to say, oh, this is not a mercenary, this is not somebody who's like, I heard there's money in security so I went into security. This is somebody who's passionate about what they're doing, and that's what I want. Other projects, patents, publications: great. Be prepared, though, to talk about their relevance. One other thing people ask me about is how long can my resume be? A thousand pages, as long as it's all relevant content. So if you're doing stuff that is only vaguely tangentially related to the position you're in... one good example: I know a guy who does circuit design, but he's like a blue team defense architect type person. Went in, talked about circuit design, and it turned out the hiring manager was a big electronics geek, so that was helpful, but that was a lucky break. If it's on your resume, be prepared to talk about how it's relevant to the job you're

going to be doing. Why is my resume getting so many irrelevant bites, or no bites at all? Well, to answer this question, we need to understand something about how recruiters work: dumb recruiting software and/or process. You know, I hear it all the time: stupid recruiters. The recruiters may be stupid, but it's more to do with the way recruiting software works. We use these software platforms that basically crawl the internet looking for keywords. We do Boolean searches, and they crawl resumes, and a lot of the time they send automated mass emails, right? This is really stupid. This is why I get, you know, pings for positions about PeopleSoft developer jobs, and why you guys, if you're Java breakers, get emails for jobs about Java developers. So it's dumb. What's the fix for this? We're years away. Just give up; there's nothing we can do about this right now. There's a bazillion recruiting companies out there, they're like mushrooms, and this is standard operating procedure. They basically think of it as, if one in 1,000 people is qualified in response, they think of that as good ROI. That's not how I operate, but I'm obviously awesome, and humble. But we're years away; that's just the way it's going to work. Just use the delete button right there. Your local market might suck. I hear about this a lot. You know, if it's not getting bites, it may just be that there's not opportunities where you are. I think we've all been in this position at some point. You can get flexible: you could think about moving, you could really focus on remote jobs, or you could pound pavement. You could go out and try and sell your skills to companies that might be interested: hey, I noticed a massive gaping SQLi hole on your web page, would you like somebody to help you with your security? I have seen this actually be effective. Possibly you didn't do what I told you to do. The fix to this is: obey me. Fix your resume, network in, get involved in the community. Do you care about certifications? No. Fix: and you can't make me. But it says they do in the job description. Fix: ask. All job descriptions are negotiable. As we have established, job descriptions are works of fiction and you don't need to take them as gospel. Some organizations actually do, like the government. This is a funny story: I talked to somebody on Twitter recently, he said, oh yeah, I was there at the DISA conference a couple of years ago when the council went and told the government that in order to work on government contracts or projects, every practitioner should have a CISSP, and now the government requires a CISSP for a lot of its contracts, which, yes, it's good knowledge to have, but by itself it doesn't necessarily mean anything. So what's the fix to this? If you absolutely must have the job, get the cert, but be aware that in a vacuum it's nothing and doesn't matter. I interviewed for a job I can totally do; why didn't I get it? The biggest reason that things fall apart is soft skills. So I've interviewed a lot of people who were technically unbelievable, sick. Sometimes they didn't communicate well, or a lot of the time were really arrogant, and that turned me off, because I thought, okay, I don't want to manage an arrogant person. Fix: work on your communication skills, sales skills,

believe it or not. And by sales skills I don't mean come on down to my used car lot; I mean the art of persuasion. I mean being able to write a report that makes a CIO take action. I mean being able to walk onto an engagement and say, all right, here is why you need to remediate this problem, in a way that doesn't make people run for the door. You know, you can have all the technical skills in the world, but if you are problematic on a personal level, that's actually where I've seen it fall apart. You didn't do what I told you to do: again, obey me. I've had people doing, like, behavioral interviews, so maybe hacking a lab, maybe doing mock assessments, things like that, who just didn't read the directions, who just kind of went off into a totally different area and said, okay, I want to talk for hours and hours about HIPAA gap assessments, and I'm like, this is a PCI job. So read directions, respond, just basic stuff; the little things count. You acted like The Plague, and you were Joey. Again, you know, I love this industry because I'm never the smartest person in the room. There is an amazing amount of knowledge just in this room alone, but confidence and arrogance are two different things. I have at least one conversation a day with somebody who says nobody knows more than me about X, and it's always really funny when I have two of those conversations in a row; I kind of want to conference them in and make them fight. But you know, maybe nobody does know more about X than you, but show me, don't tell me that. Show me; actions speak louder than words, and let me draw my own conclusions. Don't be The Plague or Joey. Yeah, so I guess the takeaway from this is, again, I see so much talent in this room, I see so much knowledge in this room and in a lot of the rooms I go to, but it's just the basic stupid stuff that causes the gap in understanding between the cool infosec jobs you want and that talent. So don't be The Plague or Joey. Have the skills, have the humility, don't be this guy, don't be this guy, be this guy. [Applause] Questions?

[Audience question, partly inaudible: "...that would be a one-dot hack... what about degrees versus certs?"]

Great question: what about degrees versus certs? So are you asking would I prefer to see one versus the

other, with certs? That's interesting. So things that degrees and certs tell me include: I paid the money, I put in the time, I took the test, I passed it. A degree tells me something similar, usually, unless it's from EMU; if it's from EMU it tells me I am sick. There it is. So bypassing degrees with certs is fine. What I'd rather see is actual hands-on experience. I'd rather see exploit development; I'd rather see finding and publishing vuln reports. You know, a degree is great; it tells me maybe you have some writing skills, maybe, although I've seen people with degrees who could not write their way out of a wet paper bag. Certs, I just, you know, I just don't care. Sorry. I'm sorry, that really doesn't answer your question, does it? Okay, yes?

[Audience question, partly inaudible, about resumes]

Yeah, you didn't do what I told you to do. Fork your resume: different resumes for the different positions, right? So, all right, if you have defensive skills and if you have architecture skills, you don't have to rip it all up and start over again in order to tailor your resume for those different positions, right? And yes, it's a pain to have different ones, but it will pay off. Like, if you truly are that good a subject matter expert at that many different things, it does pay to say, okay, look, here is all the content you want to see for this job, and do the same for every job you're applying for. The tricky part is: don't go by job descriptions. Find somebody who's going to tell you what the gig actually entails, and do that. Anyone else? In the back?

[Audience question, inaudible]

Again, soft skills. So one thing I see a lot in IT jobs in general, and a big piece of advice I give, is be enthusiastic. If you actually want the job, say so. It's okay to say, I want this job, I want to work for you, I think that this is a good fit for me, I think I could be impactful in this organization. I've turned down candidates because I was like, he just didn't seem like he wanted it enough, or he seemed like he was just kicking tires. So that's a big one. Yeah, be humble, be available and be enthusiastic. This also applies to dating. The back, yes, you? Yep. Yeah, so in this hyperconnected age, a cover letter formalized like the way they teach you to do in, I think, high school, I hope, is really not necessary, but just a couple of lines saying, hi, I'm Joe Blue Team, I noticed your posting for whatever job, and I think that I could be very successful in this position; what time would be good to talk? That's fine, perfectly sufficient. Sir?

[Audience comment, partly inaudible: "...you don't want to work there..."]

Yeah. Oh, okay. So I mean, that's a decent point, but if they're that snuggled up with HR... and I understand what you're saying: jump through the hoop? No. That may be demonstrating that you can follow directions, but I would be cautious, personally, if it were me. But yeah, if there's a hoop that they say you've got to jump through, just jump through the hoop. Yes, the gentleman in the weird blue shirt?

[Audience question, inaudible]

That is legitimate factual information that people are actually interested in, because that just demonstrates impact, right? This is the positive impact I had in this job. Yeah.

[Audience comment, inaudible]

Oh, I'm in trouble. I knew I was going to be in trouble. So, all right, yeah, so we got into a conversation about this: somebody had, under accomplishments, "highly intelligent (Mensa member)". I mean, that's kind of like saying I'm leet, I have a CEH. So no. It just seems like a false flag. Yeah, don't make me think that's the best thing about you. If you have a CEH, or if you're in Mensa, if having a CEH or being in Mensa is the best thing about you, you've got problems. I feel bad for you, son. So that's... we've got time. I'm very friendly, come talk to me, I am very open to being bought beer, and I'll be here all weekend, so I'd be happy to answer any questions. Thank you. [Applause] [Music]
