
It's "Getting Started in Cybersecurity" by Mr. John Stoner, and I'll let him go ahead and do his introduction here, and yeah, let's give him our attention.

All right, hopefully everybody can hear me. So you're here because you're either in cybersecurity and that other track is full, or you want to be in cybersecurity. So thanks for coming to my talk today. So here's my legal disclaimer; I started to include that. I'm only here representing myself, not anybody else, not my employer. So I will real briefly talk about this, but it seems really weird to spend much time on it. I have about 18 years of experience in national security and intel. I have all the different certifications that you can get, unless you really want a SANS cert; I actually have my first SANS class next month, so that's exciting. And I really like soccer as well. I secretly joined the army and got married. I don't necessarily recommend any of those options to anybody.

All right, so to get started: cybersecurity. When I'm mentoring some people, which I was actually just doing before, because it would be cynical not to do that and then present this and tell people they should get a mentor, people say, "I want to do something in cybersecurity." Awesome. That really doesn't tell your mentor what you want to do in cybersecurity enough to maybe give you proper advice, right? That's essentially saying, "I want to work in the medical field." Okay, well, I could use more to go on. So that's why I start off with this particular explanation here.

So there's a lot of different roles just in IT, and there's a lot of different roles just in cybersecurity. So when you're first starting out, if you don't have an IT background, that's gonna be critical: to get that underlying IT fundamental background. If you do have some of the basics in IT already, then you really should start to narrow down your search a little bit into what it is that you want to study, or what it is that you think you want to study, in cybersecurity. There's gonna be some underlying themes in IT and cybersecurity that most people will generally have some baseline knowledge about, but it can start to get pretty divergent in cybersecurity depending on what it is you're interested in studying. And there's room for all of you in cybersecurity; there's lots of different roles that we need in cybersecurity, there's lots of jobs that are going unfilled in cybersecurity. So I just like to start with this, so in case you have conversations later with your friends or colleagues or other mentors, it helps us give you more specific information if you know for sure, "you know, forensics sounds interesting," or something like that.

So if you haven't really thought about that aspect yet, I point people back to NIST, the National Institute of Standards and Technology. They have 52 very well-defined cybersecurity roles, and they break out all the knowledge, skills and abilities, or KSAs, for all of those fifty-two roles. So if you're not even sure where to start, you don't even know where to go to see what in cybersecurity you might possibly be interested in, then I highly recommend taking a look at that. And even though they have 52, they don't have all of them, right? So even that in and of itself does not encompass every possible role that we have in the cybersecurity field. So pen testers are not specifically called out in there; they have exploitation analysts, which is a little bit of a military flavour of a pen tester. There's not too many companies that hire particularly for that field; they don't call it that job name. And they really don't have cyber threat intelligence called out, which just offends me and everybody else who specifically does cyber threat intelligence. But it will at least give you a starting point to look at the types of fields and look at the knowledge, skills and abilities that are generally required for entry-level or intermediate levels for those types of cybersecurity job roles. So I think that that's a really good resource if you haven't used that before. And again, this is to sort of help you scope down what it is you're interested in studying in cybersecurity. You can also kind of think of it like starting to pick a major when you go to school, right? You can't study every single thing. So there's lots of different analogies I use to explain why this is helpful when you ask for specific advice about getting a job, or studying so that you can get a particular job, in the cybersecurity discipline. So also, if you have questions throughout the presentation, let me know, and we'll have time at the end for questions.

So a lot of people have some hesitation just getting started. There's some initial fear, maybe, or a lack of confidence to even start studying on their own. Some of that, I believe, is because people haven't scoped down what they want to study, and that in and of itself is then intimidating, because you're trying to study everything in cybersecurity, which, if you want to have a normal life, I don't recommend. So there are some underlying things that are probably going to be pretty beneficial: you need to have that IT background, and you need to understand some basic cybersecurity underpinnings as well for most job fields in cybersecurity. And I also want to make sure that you're studying something that you like. I would never recommend somebody study something they don't like; that's not a good life decision. I am not good at programming. Thank God for Google, I passed that class. I'm not a programmer, I'm not a scripter. I have still been able to work as a cyber threat intelligence analyst. I'm also not good at learning second languages, so I have chosen not to try to learn more second languages; it didn't work out for me. So that's just some general sort of career mentorship advice: find the thing that you're interested in, and then you can sort of start to shape what you're studying around things that you find interesting.

A lot of people will come up and say, "I want to be a pen tester, I want to be a red teamer." That's pretty cool. I want to look like The Rock; there's a lot of work I have to do for that to happen, and it may or may not be very realistic. But this is not something where you're like, "I want to start learning about cybersecurity so I can be a pen tester in six months," because if you guys have a curriculum that does that, you will be the next multi-millionaire. Becoming a penetration tester is a really lengthy process. So I'm not saying that shouldn't be your goal, but that's a lengthy goal that requires a lot of expertise that's developed over, generally, a number of years. So I will always tell people you should look at vulnerability testing or vulnerability assessments as a more natural path to gain expertise that will then help you get that first type of a role. So that's one little rabbit hole, and we can talk about that as much as you guys want. You know, some people are really interested in pcaps or log analysis, or you might really be interested in forensics. There's lots of different things you can consider to particularly narrow down the scope of what to study and get some skills applicable to a particular job field.

So how else can you get started? Well, there's lots of free stuff. Hopefully you guys will be able to get my slides; I link to a lot of free websites and PowerPoints and YouTube videos and things like that in here to give you some resources to start. The one thing I want to say about boot camps, and particularly the highlighted text on here, and I can say this because I used to teach boot camps: boot camps are good for one thing, and that's to get a certification. Anybody that tells you that you should take a boot camp to learn anything, don't listen to that person, because as an instructor there's very little time for me to teach you anything beyond the basic core things and how to pass that particular exam. And that's what the boot camp is for. The boot camp is for that instructor to get you to pass that exam so you get that certification, and in a lot of cases that's how the instructors are actually paid. All right, so that wasn't my case, but a lot of the instructors are actually paid based on the student pass rate of that class. So that kind of gives you an idea of what their focus is. And I don't care if it's a Network+ class, an A+ class, a Certified Ethical Hacker class, the CISSP class; it's pretty much the standard across these boot camps. And they're also really expensive, and frankly not all the instructors are really good. Again, I'm allowed to say that; I was an instructor. So you can study all of that stuff on your own: just go get the book from the bookstore or Amazon or the library, or take a college class that teaches that particular skill. So the other problem with those boot camps is you're trying to learn about 700 pages' worth of material, in a lot of cases, in like 40 hours. So a lot of people really aren't learning things during the boot camp. So you could take a networking class or a cybersecurity class or an ethical hacking class through a lot of different universities; there are semester-long courses now as well. So even the online colleges that offer those classes, which may not be the world's best class on the planet, it's probably going to be a better experience than a boot camp in some cases. So some of this is going to depend on what works for you, but my general advice is: if you're just trying to start out, don't spend a lot of money on a boot camp just because you think you need a Network+ or a Security+ certification. Study on your own; there's lots of free websites. And if you can ever get anybody to pay for a SANS course, I still highly recommend that. Like I said, hopefully next month I'll go to my first one.

So some people who are here are in college, or younger than I am, and just trying to break into the job field in general, and some people are here sort of pivoting mid-career or pivoting late career, as it were. So some of those people are gonna have IT networking fundamentals, but some of the younger people in the audience might still be working on those IT networking fundamentals. So you're not gonna have to necessarily be at a network engineer level of underpinning here, depending on what you want to do in cybersecurity, but you really have to understand a lot of the basics. You have to understand TCP/IP and UDP and the three-way handshake and ports and protocols, and how Windows doesn't work and how Linux works, etc., right? You have to understand a lot of these basic fundamental things that are happening in the operating systems and with the data moving back and forth, and how a security appliance works, or how it doesn't work, or how I want to break it, or why it needs certain security settings. A lot of that is on the IT side, and then it will translate as you start to focus on that particular cybersecurity job role that you've picked out earlier, that we talked about. So again, these are all links to various things. Like, I'm a big fan of Professor Messer. It's not just because he's bald; I think he does a really good job of explaining these concepts, so I like to link to his stuff. There's lots of free resources online, so I tried to collate some of these things in this presentation so you'll have a place to start. You can go here, and then there's Google, or Bing, if anybody uses Bing.

So, education and training. Just like anything else in education and training, everybody has preferred learning styles as well. So some people do really good one-on-one, some people need that in-person classroom interaction with the other students and the professor, and hopefully at this stage you kind of understand how you learn best. Some people could read a book and it's just not the way they learn; you know, they could take notes, they could highlight, it just doesn't come across that way. Maybe somebody is better at watching all these videos online, right? So you'll kind of have to figure that out a little bit too, but there's lots of resources regardless of your preferred way that you start to absorb this information. So I just think that I want to stress that, because it kind of goes back to my boot camp point as well. Some people do good in boot camps, and that's fine; that boot camp drinking-from-a-fire-hose just isn't for everyone, and some people in that environment get very frustrated. There's also MOOCs online; I didn't list particular ones, but I think Harvard and MIT have some in particular that are available online for free. And there's a lot of free resources. That's my main thing here: there's lots of free resources to help you on your path to start researching and learning whatever it is that you want.

And then, at the bottom: how do you start to actually practice some of these things that you're reading about or learning about online? You need to have a lab. You're gonna have to do some of this experimentation on your own. So as a CEH instructor, one: the EC-Council labs are terrible. I hope they don't watch this video, but they're terrible, and they're not realistic. So anything you do in your home lab is pretty much better than most of what EC-Council provides you for CEH. So go buy an old computer from eBay or Freecycle or Craigslist, run some VMs on there, and practice things. So this really brings us to this next point, that you need to bring this curiosity, this intellectual curiosity, this intellectual initiative, to understand really why I stress having a home lab is so critical: so that you can practice whatever skills it is that you're learning at that moment. If you've never hacked a password, then download Kali in a VM and stand up some Windows 7 server that's not patched and see what it's like to actually hack some passwords, right? Wait, you're saying, "Well, I want to study policy." No better way to understand password policy than trying to hack a password and learn what password entropy really means the next time you write a ridiculous password policy.

All right, so sidebar. So the college courses that I have heard about, mostly from my friends and colleagues, still aren't doing a very good job providing a lot of hands-on skills, and there's a lot of reasons that many programs struggle with this. A lot of times it's online; it's very difficult to have the lab set up. But there are some colleges who specialize in their cybersecurity programs a lot more, so you want to do some research as well and get reviews about particular organizations and what they do or don't offer. Like, I would not necessarily recommend the program I went through, all right, and that has widely been the opinion of my friends and colleagues that took classes with that institution. But there are better institutions as well. So again, all those things cost money, so just get some reviews first and find out from other people whether the classes you're considering have good reviews for whatever purpose it is; if you're taking that to learn hands-on, see whether their labs are any good.

There's lots of different ways you can set up your home lab. Again, just buy some cheapo computers that somebody's getting rid of, or if you're interested in forensics, buy some cheapo computer somebody's getting rid of and then see what's on them still. Buy some cheapo electronics devices and phones on the internet and see what's on them still. Like, some people who are interested in forensics wanted some advice, and my advice was: buy stuff on the internet and find all of the data that's still on it. Like, that's your own choose-your-own-adventure CTF for forensics, honestly. But you should be able to set up some VMs, and there's lots of walkthroughs to set up VMs. You don't have to use VMware; there's other options for you, and you'll probably want to look into that. But I can't stress enough how critical this is.

So why is he stressing all about these labs? Because a lot of people will say, "Well, I don't have practical hands-on experience because I can't get a job, because I don't have practical hands-on experience, because I can't get a job." All right, so this is where my crazy advice comes in. You probably want to take a look at how you have your resume formatted, and have a section on there for independent research or continuing education or independent study, and list the things that you're doing: I'm going to particular CTFs, I'm going to BSides Pittsburgh, I'm part of the ISC2 chapter, I go to ISSA events. And describe your home lab and the specific things you're working on for that job that you're trying to break into, right? Because not everything is applicable. You can also have multiple versions of your resume depending on what it is that you're applying for as well. So maybe you could have a section in your cover letter that covers that if you don't want to change your resume, and there are people that are out there to help you build your resumes as well. But I would say, if you're practicing in your home lab because you really want to be, you know, a SOC entry-level, SOC tier one type of analyst, which is how a lot of people get started, and you know you're gonna have to be doing a bunch of log analysis: practice Windows log analysis in your house, practice packet capturing and be able to find different information in the pcap itself, and then you could list that under independent study. It's not the same as professional experience, but it may catch someone's eye, and that's what you're really trying to do: differentiate yourself.

So I really like this slide. This slide is called "Why My Mom Thinks I Know Everything About Computers," or "Google It" would be the other name of this slide. So this is a really big skill in IT and cybersecurity, and it's hard to characterize. It's called Tuesday, and something has happened and no one knows how to do that thing, right? Anybody in cybersecurity will hopefully agree that this is very true. So we tried the thing; did that work? No. And then we try the next thing; well, that didn't work either. Well, go to Google; did that work? No. Now call other people, now we call other departments, now we call our professional colleagues who work in other areas, because that's how we solve problems in cybersecurity. But this is true even at the beginner level. So as you're working with mentors or friends who know you're trying to get into here, and you're having trouble doing something in a CTF, maybe an online CTF, or you're just trying to understand something in a book and it's not working in your home lab, if you're asking for help from professionals, they're probably going to ask you, "Well, what have you already tried?" Right? And that's where we want to see, if we're mentoring you or we're one of your professional colleagues, that you are trying different things for whatever that situation is in your home lab. And again, that tells me that you have that initiative and curiosity to excel in this field. If you're like, "Well, I googled it and I tried that thing that came up and it didn't work," you're gonna have trouble finding technical people to continue to help you, right? So this is an area of cybersecurity where a lot of people will bang their head on the wall and try lots of different things to solve a problem or solve a situation, and that process is related to learning things in your lab as well.

And the other thing, while I'm on this slide, I'll talk about your lab: some people who are trying to pivot into cybersecurity have sort of a fear factor, an intimidation factor, because they're gonna mess something up. Yes, you are. I have bricked a number of computers, and those were great learning experiences, and I have never been scared of a computer in exactly that way since then. All right, but that's true, right? Think back to when we were in middle school; we didn't get every test answer right. Like, there's a learning process that occurs here. So you will probably make some mistakes, so don't do this on your family's only computer that you pay the bills on. Go get something from eBay, you know, find out what's still on it, do some experiments, get some VMs, because you don't want to ruin the only computer that you have or the one that you need for college or whatever. So that's why I'm saying there's some other options here. But you shouldn't be afraid to experience failure as part of this learning experience in your home lab; you should actually embrace that a little bit. It's probably scary when it happens, and then Windows doesn't boot for some reason anymore because you've changed some files or whatever, and then you just learn how terrible it is to install Windows as an operating system, which is a good learning experience. That's why everyone should use Linux.

So some other specific things. So when we talk about sort of entry-level security-type jobs, I wanted to give another example of some specific tools that you might want to use in your lab as it pertains to sort of security defense, security analyst; these go by any number of different names in our world. These are things you could practice in your home lab to find out what's really going on. All right, so this is like, if you're one of those people that's like, Control-Alt-Delete and then we can see all the processes Windows is running, because Windows is running 186 processes and that's why it's terrible, all right, this is sort of the next level of everything else Windows is doing that's terrible, or whatever operating system. So for instance, if you've never really messed around and understood Windows, then Sysinternals is a really interesting tool suite, and there's a lot of different administrative tools available for that to help you understand what's really going on on your Windows system. Why do you have ten thousand TCP/IP connections open right now? I have no idea, probably because it's Windows. Not that I hate Windows; that's how this is coming across. If you're really interested in forensics, there's the Bulk Extractor tool. There are some specific forensics CTFs that are out there where you'll have to use some forensics tools in the CTF. There's a bunch of free steganography tools that are available if you want to really understand how stego works. So again, I don't want you to study forensics tools if you're interested in, you know, being a vulnerability tester, right? Then go to Nessus, right? So again, that's how scoping this will help you sort of narrow down some of the things you could be working on in your lab, because there's way too much. And again, password cracking tools: if you've never done it, I don't care what role you want, go crack some passwords. That's pretty cool; it's a very interesting experience to actually crack some passwords, whichever way you want to try and crack the password. It's a very interesting experience to see that happen. You know, try to hack into a Windows 98 VM just to see what it's like, even if that's not really the thing you want to do; that's a very interesting experience. There are still Windows 98 boxes out in the world; I work in the DoD.

So again, if you're in your home lab and you're working on all this stuff, and there's a couple different tools that are probably related to that job you want, again try to be as proficient as you can be with those tools in your home lab. So when you write "I'm proficient with Wireshark and Nessus" on your resume, you're not lying, but you're not misrepresenting it either, right? You're listing that under independent research, right? Don't list it under some sort of professional career area; make sure you call it out. But that may get you past that 10-second screening, because it shows that you obviously are doing things that other people aren't doing who are trying to break into the industry.

So I know it's been almost 30 minutes and you're like, "This guy still hasn't told me how to get a job." Sorry. So there's, again: what type of specific job are you trying to get? So a lot of people don't want to hear this advice, that you have to develop a whole bunch of technical skills. Some of this you're gonna have to just invest time in on your own, in your own lab, right? And then you're gonna have to network, like in person, which you guys are all doing here today. And then there's going to be an opportunity, and then you hope that that guy that you met on LinkedIn, that you've connected with, remembers that you were looking for the job. People don't like to hear that that's still how jobs happen, but in my experience that's how a lot of actual openings get filled. So lots of people apply online to the websites and they don't hear back, because if I know that my colleague is recommending somebody that he knows wants a job, I'm much more likely to consider that candidate, because it's coming through my professional network. Now, that's not good or bad; it's just, in my experience, what very typically happens. So go to ISC2, go to CTFs, continue to go to events like this. You got a bunch of colleges here in Pittsburgh, so I'm sure they have tons of events, if you're local here, to go to; go to all of their events that you can.

So you may need some certifications; it depends on the job. You may not need certifications. You may want to take a look at the job descriptions that are related to that particular field you're interested in to see if that's coming up as a requirement. So again, we've talked about SANS a little bit. I still think Certified Ethical Hacker has a little bit of weight. There will be people that disagree with me; that's why they're called opinions. I still think possibly having that certification means that you at least understand the basics of hacking, and that's very helpful if you're on the defensive side. We need to know what the attackers are doing, or else what else are we basing the defense on? So it's pretty important to understand what the attackers are doing. Can you do packet analysis? Maybe your job doesn't require you to do packet analysis, but if that question comes up in an interview and you're able to describe the process, or possibly even show me how a TCP three-way handshake looks at the packet level, that tells me you have a certain level of understanding at that point, even though it may not be a core skill that you're going to use. You know, a lot of admins in cybersecurity, people protect Windows because it's what most people use, but do you really understand Windows Server? Do you understand domain functionality? Do you understand Group Policy settings? All right, if you don't, download a Windows Server ISO, stand it up in your lab, break it lots of times, look at all the configuration settings, figure out everything there is about that. You're gonna have to know VMware, I think, for a lot of different hands-on technical jobs; I think that's a pretty critical skill. It's also critical for you to play around in your home lab or do CTFs. In some cases, if you're doing anything with malware, you're gonna want to do it in a VM. Linux: you probably should know some flavor and have the ability to navigate in Linux. It's not necessary for every field or every job, but knowing that there's operating systems beyond Windows is pretty important, and knowing how to use them is going to be pretty critical.

You know, you might want to look at all the OSINT tools. A lot of these OSINT tools are used across different cybersecurity disciplines and different jobs. VirusTotal is a really big one; sites like CentralOps; tools like Maltego. I think Nessus is a really good, you know, free vulnerability scanner; you could play around with it at your house and scan your house, look at the vulnerability report, if you've never seen one before. And Burp Suite will show you the horrors of the internet and why internet websites are bad, right? There is no better tool than Burp Suite for you to never buy anything on the internet again, which of course we will all do anyway. So again, this is just some advice. I think that if you're using that home lab and trying to have that portion of your resume, or being able to talk to a variety of tools, is useful. So the other problem with getting that first job is that first, I was like, "Well, we need somebody who understands Splunk." Okay, well, I might not understand Splunk, but I could possibly speak to related tools that allow me to do maybe similar analysis, right? So it depends; it's gonna depend on what that interview panel really considers: are they hiring somebody that knows Splunk, or are they hiring somebody that has the initiative to be an interesting and curious cybersecurity engineer, right? Not all panels and not all people who make the final decisions are gonna have the same outlook when they're hiring a candidate.

And some people really like breaking things and hacking things, and there's obviously room for all people in this world in cybersecurity. So again, this is not something you're probably going to get many entry-level jobs in, so I don't want to dissuade you from having the goal of being a white hat hacker, an ethical hacker, but there's a process; there's a lot that you need to know to get that first entry-level job on the red team, or that first entry-level job as a white hat hacker. So again, there's lots of free resources on how to go about that particular journey. Once you know all the IT fundamentals, once you have a pretty solid cybersecurity background as well, then you could move on to start doing your self-study to try to get that next role, if you want to really be a pen tester, if that's your goal. So I don't want to make it sound like nobody should be a pen tester, because trust me, we need pen testers. I just want to make sure we're setting some ground rules for what's kind of realistic versus entry-level jobs. So there's a lot of different resources up here as well, and there's lots of other things that I had some resources to. There's cyber counterintelligence roles, if you're really interested in sort of the DoD and defense contractor world; that starts to get a little bit more specific. I have some things linking in here about advanced persistent threats if you're really interested in cyber threat intel; I can give you a lot more resources about that.

So I debated a lot about whether I wanted to keep this slide in or not, but I get a lot of questions about this, and there's not really a good answer about cybersecurity career paths. So I didn't like any of the graphics that came up, so I picked one. So in this one it looks like, oh, the pen tester, like that's the epitome, and clearly there is some sense that that's correct, because they do require so much knowledge and engineering, and it also requires the right people to be pen testers, right? We all probably know some pen testers, and there's a certain mentality and a personality that goes along with somebody that's a really good pen tester. But that doesn't mean everybody wants to be a pen tester either, which is fine, because we need, you know, the guy on the SOC or the girl on the SOC who's been there for 15 years, and every time nobody can answer the question anymore, we all turn to that expert who's been there a long time. We need that person too, and they may never want to be a pen tester, and that's fine. We also need people like myself who've managed to work themselves into management, yay. So we need people like that who can lead teams for whatever discipline that you're in, so that we can understand the team and whatever technical aspect the team is, and then talk to non-technical people, right? Talk to the board, talk to management, talk to leadership. So I'm not a big fan of cybersecurity career paths. I know some people who are pen testers who started out as EMTs; I started out in the Army and intel. There's lots of different ways people can find themselves involved in cybersecurity and in this as a profession. So if anybody has told you, "Well, you can't do this, you don't have that background," well, screw that person. I don't know who they are, but there's lots of people who eventually become cybersecurity experts and work in this field who come from all sorts of different types of backgrounds. Some people are just gonna have to work at it a little harder, or it may take a little bit more time if you don't have that IT background first. So I think anything's possible if you're willing to put in the effort.

So other things about getting that first job and really pivoting here into cybersecurity: so continue to network. Have some business cards; I don't know, maybe I'm getting too old and people don't have business cards. For like 20 bucks you can go on Vistaprint and print a business card that has your name and email and phone number on it. So I mean, that's how I operate: I'm gonna take all the business cards I got here and try to find everybody on LinkedIn and try to link up, right? Not everybody does that; lots and lots of people are using Twitter nowadays. But you have to have some sort of way to network, to build that professional association of people who work in this field, so whatever works for you, you should continue to do that. Again, I think it's all about knowing the right people, having some skills for a particular opening, and then there is a degree of luck, right? But you have some power here in that process to influence it, and that's kind of what I'm trying to tell you: if you've been applying for jobs and it's not working, change your resume, blog, write some code on GitHub if that's your thing, do some things that make your resume stand out during that 10 to 20 seconds that it gets that initial look, so you make the next cut. That's really what you're trying to do, right? And also be realistic about the types of jobs you're trying to get. If you are entering into this field as a new person, you are not going to be a tier two pen tester, like that. Stop applying for that job. Just stop applying for that job if you don't have that background and the experience. So shift jobs, definitely apply for those; use headhunters on the internet, right? There's some other strategies potentially available too if you're really struggling, and we could talk about that, or you should have a mentor that can talk through some of that as well.

I would say definitely prepare for your interview. If this is a new field for you and you don't have, you know, lots of experience in IT and cybersecurity, then I would definitely prepare for the interview. There's lots of questions you can get on the internet about what's really likely to be asked. There's really, in a standard interview, a couple core technical questions that will probably be asked and a couple core non-technical questions that will be asked, and you should be able to answer those ones that are very typical in a manner that makes it seem like you've also prepared for the interview. So this is the other thing: when you go into that interview, as somebody that hires people, I am hiring the whole person, right? I don't just get your cybersecurity skills; I get your social interaction skills, your presentation skills. I'm hiring that whole person into the organization, so I'm taking everything into consideration. How interested do you seem to be in the job? If you don't seem to be interested, I
don't understand why you're interviewing with me that has happened more than one time I really don't understand maybe it's a weird government thing I don't know all right but if you don't even seem like you want to be here you I mean we'll go through the motions because I have to but you're not being selected so there's lots of different types of people in cybersecurity as well so I wouldn't change your hairstyle don't get caught up and all that kind of stuff as a mentor be who you are because if the if you're trying to get hired by an organization and they can't accept you for the person you are that's not somewhere you want to work either so I'm
gonna throw that out there too because not only are you interviewing for the position you are also interviewing that organization is that somewhere you want to work you do want to keep that in mind I know you want the job but you want to keep in mind is that a place you want to work and I have been burned before and lied to in an interview so you just kind of want to keep that in mind too the interview is a two-way process when you get a question that you don't know the answer to there's one way you can answer that and there's a there's a better way you can answer that question if somebody
asks you a question and you don't know the answer you can say no I don't know the answer or you could say I don't know I don't know that answer yet but I would first research it on the internet and see if I could figure it out and then I would go around on my co-workers and see if they knew the answer and if that didn't help maybe I would go to my professional network right there this is why you want to practice interviews there's there's places and people that can help you with interviews or you could just ask your friends and family and random people in Pittsburgh help that might not be good idea again study what you enjoy don't
study things that you hate and try to find mentors the one thing I will say about mentors is that you shouldn't only have mentors where you work all right because I have mentored people and it was clearly time for them to go to another company to get another job and I told them that I didn't really care I was their mentor but you will find that if only if your mentors are only at the organisation you work out most of them probably aren't going to tell you when they think it's time for you to actually leave that organization if you are trying to pursue career advancement and it's not happening so there's another thing to keep in mind
so have some varied mentorship perhaps as well the last thing about mentors I want to say is that if you've been in this in cybersecurity for a couple of years you know you're on your first or second job maybe the high school or your alma mater could really use you to come back and talk and you may not think of yourself as a mentor because you're not old but you're old enough to provide really valuable insights to that 19 year old 20 year old kid or the high school hacker team or whatever they've got so think about that as well we need more mentors in this field so I would encourage you to try to look for
opportunities to give back to those that need advice at whatever level or age group they are so there's a lot of other links in here I really like the career advice because I don't think that career advice and mentorship across a career or something that is done very often or as widely as I would like to see it in cybersecurity so just a lot more links there and then a lot more resources so when you get to slide deck you gonna have all of these but I would like to entertain questions now if you guys have some questions so I don't have a particular silver bullet but hopefully I have some advice that will help you
because we need all of you in cybersecurity so if you're not in cybersecurity already we want you in cybersecurity we the global we the mysterious we any questions yes the question is could I talk a little bit more about vulnerability analysts sure so so your vulnerability analysts are generally going to use a tool like nessus even the DoD has a renamed version and it's basically necess it's one of the most popular ones it's not the only vulnerability tool out there and a lot of vulnerability analysis today is done on websites web servers you know front end that's where a lot of the breaches are coming from is from vulnerabilities that are on web servers so that's kind
of a focus today but that's not the only thing web web vulnerability sorry web sites web servers are not the only thing vulnerability assessments and testing are done on but it seems to be very popular right now so some companies some big companies will have vulnerability assessment teams so this is very very similar or also a way to to talk about bug bounty programs to a little bit that could be another way that you could put something on your resume if you do find legitimate bugs you know and that's it's confirmed that that was a vulnerability or an actual bug you know you can add that to your resume as well more companies more of the bigger companies
are starting to understand they need some vulnerability management programs in place because so many of the breaches are just coming from unpatched and misconfigured externally facing devices and insights I don't that answers your question okay anybody else yes
Yeah, so there are a number of legitimate bug bounty programs like HackerOne; there are some DoD ones, my organization actually runs some for DoD things. But don't just randomly hack things on the internet; that is not advice you were given today. Go through particular programs if you're interested in doing bug bounties. A lot of times they're scoped, and then you'll have legal protections for that as well. So you just want to be careful with that. If that is of interest to you, that's great; there are a lot of crowdsourcing bug bounty type things out there, so whether it's, you know, Google has programs and I know Facebook has some programs as well. Just make sure you're going through whatever the company has in place for that so that you don't find yourself in any sort of legal jeopardy. Yes.
Yeah, so the comment here is there are some other niche areas that are still starting to grow, like compliance with HIPAA, PCI, some of the NIST requirements for DoD contractors. So again this field is continually growing and changing, so there are some other new skill sets sort of near compliance and policy where there may be even more jobs opening up. I definitely know policy people who have then pivoted into more technical roles as well. So even if you don't love policy, there are people who love policy; I don't understand them, I don't understand you, sir, but there are people who, because they know the policy so well, then decide eventually to become more technical as well. So again there are lots of different career paths; there are no right or wrong ways to continue your career if you want to progress based on where you find yourself in cybersecurity. So we still have a couple more minutes if you guys have questions. Yes.
Yeah, so there are some work/life balance issues that some people excel at and others don't, depending on their personality and role. I have friends that have like stacks of equipment in their house and they're always researching new things, and then I have people who go home at the end of the day and they don't do computer things. So there's always gonna be a balance that you'll have to find, and that may be something that changes over time: you may do a whole bunch of stuff because you're interested in something, and then you sort of ramp down, and then you ramp back up again later. You know, as I said in my intro, I do a lot of stuff with soccer, so I don't tend to go home and spend hours and hours on end doing things, but I follow things related to cyber threat information: I'm following the blogs, I'm following people on Twitter, and I'm trying to stay up on things that directly affect my job. So I stay connected with that core sort of competencies, but I think you have to find whatever balance works for you. If you're trying to break into the field there's gonna be a lot more learning you have to do initially, so when I'm hiring more junior people that's where I really have to see that you're passionate, that you are interested in learning all about this, because there's gonna be a lot to learn as part of being a new person on my team. But that doesn't mean that the people I have on my team shouldn't show some level of interest and passion going forward too, because there's continual learning. I don't care what field you do end up in, there's continual learning, and if you're not a person that wants to be in that sort of field, then don't be in IT and cybersecurity, because it's changing all the time. Whether it's policy, compliance, pen testing, vulnerability management, it's changing very rapidly all the time, so at a minimum you need to be intellectually curious enough to stay up to date with whatever is required at a minimum for your job or your job field.
If there are more questions I can walk over with the mic as well, so feel free. Yeah, we have a couple more minutes, so I'm happy to try to answer a question or make something up.

So my question is: I just graduated college, I have four years of internship experience, most of it has been in insider threat, and I loved what I did. It was a lot of fun and I'm very thankful for the experience I had, but I'm finding more so that my passion might be somewhere else in security. For my first job opportunity, should I be seeking out something in insider threat and then try to move laterally within a company for that, or should I take the time now to kind of build some more of the prerequisites for some of these other positions and then aim for those for my first job?

I don't know that there are wrong answers to that, except "move laterally in your company." I come from the Maryland, DC, Northern Virginia area, and most of the time when people move laterally it's not with that same company. In today's market there is a lot of mobility in cybersecurity, and since nobody has retirement plans anymore, basically there's very little incentive in a lot of cases (again, this is my opinion) to necessarily stay at some company and have that level of dedication. Now, there are pros and cons to everything; you don't want to always move around either, all right, that may say something about your personality. But there are a lot of resumes where every three years somebody is moving on to a new company. That is pretty standard MO in the contracting world in the greater DC area, and that may not be true in other markets, though, so you'll want to take a look at that. Because in my opinion, somebody that has stayed at a company for a really long time in the same role may not be somebody that's my first choice to hire, but if they've moved throughout the company, that's fine as well. So it is hard to find a company, though, that will really let you do that. It is frankly difficult to sometimes find the company that has enough flexibility in their structure and their management organization and their business unit lines to let you go from one role to another role. I'm not gonna say it's impossible, but you may face difficulties, which is again why I think you should have mentors outside of that primary job that you have as well. Because there may be an opportunity: if you take that cyber threat intel role and you're in it for two or three years and, you know, there are just empty promises that one day maybe we'll move you, it may be time to find another opportunity and then pivot into that other role that you think you might want more. So I don't know if I really answered your question, but those are my thoughts about it. Thank you. Sure. Yeah, we've got two over here.
You had mentioned making the slides available; how do you get them? I assume there's a BSides Pittsburgh site, right? The BSides Pittsburgh site, oh, and they'll be available, I think so, or email me and I will send them out. Wonderful. Right, but if you want the actual slides with hyperlinks, you can just email me and I will send them to you; that's probably the easiest way. Wonderful, thank you. Yeah.
Hey John, so I'm currently in the process of building up my own lab, but right now I'm kind of cash-strapped and space-strapped. So what should I be getting myself: a desktop so I can have a little bit more power, or should I be getting a laptop? And then Linux: should I be going after Kali, or would Ubuntu or any other version work as well?

What skills are you trying to develop?

I started out doing auditing and compliance, but now I've pivoted into doing more like pen testing, CTFs, just for fun and career advancement.

So you'll probably want one computer that can run Kali Linux, either natively, just install it, or in a VM, and you'll need another computer to probably run at least one basic VM so you can hack and use all the tools and Metasploit against that other box. You can try to do it on one box, but then that box has to be able to run multiple virtual machines, so it may be cheaper to get less expensive hardware, all right, like a $150 laptop or something, or whatever is available on Craigslist or Freecycle or something like that, and just sort of install an operating system and go whack it a whole bunch of times and see what it's like to break in or scan it and things like that. So you'll just need at least one computer that can run Kali, probably, because that's really where you'll learn all the pen testing and red teaming tools. Not every pen test and red team tool is in Kali, but it is basically where everyone should start, I think, because of the Metasploit suite in particular that's commonly used by pen testing teams as the core operating system they're going to use. There's got to be, hopefully, some cheap stuff either on Freecycle, Craigslist or eBay. So you need at least one that will run Kali, but it might be cheaper to actually have two cheap machines than one that will run multiple virtual machines.

One more question if I may: you mentioned you work for DoD. Should I be focusing on getting a CompTIA like Network+ or Security+ if I'm trying to get into government, or should I be going for other certs?

Sure, so a lot of DoD contracting and organizations require you to have a certain DoD 8570 level certification; you can google that online and look that up. It may make sense to at least get a Network+ or a Security+ certification, but again, you don't have to spend all the money on the bootcamp either; you can self-study and then just try to take the exam. But I think having some certifications when you're trying to change roles or really break in is still worthwhile, right? Some people have different opinions about that, but I still think it shows that you've done something, you've obviously studied enough to pass the exam, which means you should have some sort of baseline level of information. So I, as someone who hires people, look at all of the things, including certifications and your own studying and attending conferences, and I try to take all of that into consideration. So I think there's more upside than downside to getting that Net+ or Sec+ still. Thank you. Yeah, I think we're about out of time; if somebody has a quick question I can answer in about a minute and a half. Yes.
Okay, yeah, so the comment was you could use AWS or maybe other cloud instances to try to do some of this. In my experience sometimes there's an intimidation factor with that that people just starting out in this field have, but that's another option: use AWS or something like that. All right, if you guys have other questions I'll be around. I don't believe it, one last question, maybe we've got one minute here, real quick.

There used to be... Microsoft used to offer Server for technical people, TechNet I think it was called, right, and they don't anymore. Any recommendations on where to get cheap Windows Server?

This handy collection of basic ISO files, which so far I think is still available, that I'm hosting; if you have trouble with them I can repost certain ones. I don't know that I have the latest version of Server, but you can find Server ISOs that are not loaded with malware still. Thanks. Thanks, absolutely. All right, thank you guys so much for coming.