
BSidesSLC 2021 -- {Clever InfoSec Career Title Here} -- Speaker: Colin Jackson ( d1dymu5 )

BSides SLC · 2021 · 34:07 · Published 2021-12

Everyone, can you all hear me okay? Sweet. All right, so Marv actually said, "Hey, you should submit a talk for BSides." It's like, okay, I kind of want to talk about this, like okay, I don't know what to call it yet. So I just put, you know, "Clever InfoSec Career Title Here," thinking, you know, once it gets accepted I'll think of the actual title. Well, it got accepted and I never thought of something clever, so that's the actual title. Sorry in advance, I guess. So, awesome. So, agenda: you know, this is what I'm going to kind of talk about. Yeah, infosec basics, experience, and different stuff like that. And, you know, you never start a conference presentation without a disclaimer. So I saw this tweet, I thought it was pretty accurate, so yeah, take my advice with a grain of salt. By all means, I'm not an expert. You'll learn that in about one slide. So let's launch into it.

All right, first I wanted to show this clip. I saw it on LinkedIn, totally snagged it. And yeah: "Hey, do you want to make a difference fighting bad guys and making six figures? Well, do we have the job for you. You don't have to be Iron Man, you can work in cybersecurity. Hell yeah. The US government estimates a labor shortage of about 400,000 people over the next few years in this industry. Here are the three simple things that you need to fill these jobs. One, you need to have 10 years of related job experience. Two, need to have multiple accredited certifications. And three, most importantly, you gotta be a rock star. Does this sound like you?" "No, no, that doesn't sound like me at all." "Awesome! Come on down and apply at entry level cybersecurityjobs.com. We're waiting." "It's time to sell drugs." He said it better than I could have ever said that, and I thought, man, that's funny. I'm going to laugh and then cry a little, because that's the impression I've got. Like, who's seen this, like, entry-level job, you need a CISSP and eight years' experience? Who's felt that? It sucks, and I don't like it. I disagree with it, but we're going to talk about that.

So, a little bit about me. Colin Jackson, I go by Didymus. I'm a security engineer. I do mostly blue team work: security monitoring, our SIEM, different things like that, incident response, because, you know, that's where you get like really good hands-on experience and get to stress the entire time until it gets results, sort of a thing. Hoggy hoggies... wow, it's early. Hobbies. I like lock picking, that's kind of what got me into info security to begin with. I did lock picking before I got into, you know, info and cybersecurity. OSINT, I always found that fascinating, kind of got into OSINT. Did a couple CTFs that, uh, had some local cons and things like that. And then, you know, other stuff like I do puzzles, crypto puzzles, I mean obstacle races, things like that. So yeah.

All right, going to talk about me a little bit, because they accepted my talk and put me in front of a microphone, so I'm going to talk about me because I'm selfish. Anyway, a little bit about me: I've been doing security for about 13-ish years, and the reason I say "ish" and put an asterisk by it is it depends on when you start counting. This is something I'm going to talk about here in a second, but, you know, a lot of times in job postings and stuff they'll actually say things like "X years of experience" or "relevant experience" and things like that. So I thought, okay, if I count the number of years where I had "security" in my title, I have, you know, four or five-ish years' experience. But I don't count that, because I kind of don't think you have to have "security" in your title to be a security person. I believe that vehemently.

So I graduated in 2008 from Utah State University. Anyone? Anyone? Yeah. Anyway, and I got a job at Utah State, like a full-time, you know, grown-up big-person job at Utah State, and I was a sysadmin. I worked at the library in their systems department, and it was one of those IT jobs where you had many hats, where you did everything: you designed a random web page, or you maintained the databases, or you did this, or someone downloads a virus and you have to fix it, you know. So we got to do a little bit of everything. And what's interesting is, like, I had taken... I did MIS, information systems. I remember thinking I want to be a DBA because they get paid a lot of money and I like databases. And then I took a security class, and it's like, this is so much cooler than databases. This is really cool, I want to do that. So, you know, I graduated anyway and I thought, I want to get into security, but, you know, I got the sysadmin job. There are some security components, and then I just started volunteering with my team. Like, "Hey, so-and-so got infected again." It's like, "I'll take it." I know that's not the fun part, but that's the most security-related one today, I'll do that. Like, if it's anything security, or like the annual audit: "Hey, we need to review our firewalls, central IT security wants us to do it, you need to do it." It's like, "I'll do it." Like, volunteer for the security grunt work even if it's a many-hats job.

Okay, after that I was a government contractor, worked at Hill Air Force Base for a couple years as a software security engineer. Sounds really cool. We basically downloaded patches, loaded them on Air Force systems, tested them, and wrote a report. It wasn't as glamorous as it sounded. We did some other things as well, but, you know, so I got some actual security-in-my-title experience. And then they changed the contract and everything had a different thing, so, I've never announced this publicly, but I was a SharePoint admin for six weeks. And that whole time I applied for jobs and interviewed. So I mean, we all have dark times in our past, you know, we have little hiccups in our security journey. That was one of mine.

After that I worked for a finance company as a senior security analyst. That was really fun, and that was great because I had a mentor, and he said, "Hey, have you ever done an internal pen test?" Like, "No." He's like, "Cool, you're coming with me, we're going to do this. Like, hey, there's a server no one remembers the password to, so we're going to dump the passwords and I'm going to teach you how to use John the Ripper." It was so cool because I got to do these hands-on things. It's really neat. It was my first introduction to, like, SIEMs. And then shortly thereafter they laid off the security team; I was one of them. So I got a job as a monitoring engineer, and I had that... let's see, I did that for about three years or so. It was interesting. So, full-time job, and I didn't just do security monitoring; we also did like application performance monitoring, and basically we would build and maintain the tools that the SOC and the NOC would use, which was pretty interesting. But it was like general monitoring. And one of the things I discovered was, like, you know, I want to get involved in the security community, especially here in Utah. Like, we have great resources here and local cons and stuff. And so I'd go to my boss and say, "Hey, can I go to this?" Like, I was a full-time employee, I want to go to this. Like, "No, you're not a security person." It's like, "Yeah, I am. I did this before I worked here, I have some security certs, I'm a security person." Like, "No, you're a monitoring engineer, it won't get approved." I was like, seriously? Like, it was SAINTCON or something, it's like 300 bucks. Like, "Well, you're not a security person, so we're not going to send you." It's like, fine. So I would take PTO, and I'm going to talk about those later. I'd take PTO and I'd go, so I'd get involved with these and still get security stuff. Eventually I moved over to the security team within this company, and then I got to go to conferences, and they're like, "Oh, you're a security person now, yeah, you can go." It's like... anyway. And then my current job, been there since 2018, do a lot of, you know, stuff on the slide before. So there you go.

So how do I get a job in infosec? By the way, not an expert. So, spoiler: depends. What I have found in talking with several people is, like, if you're just graduating or just getting out of, you know, whatever, and you want to get your first full-time job in security, the three easier ways to get in are the following. And I'm up for other suggestions as well, but this is what I've had experience with or people have told me. So, first one is if you can get a job as a SOC or a NOC analyst. Like, if you're finishing up school and you can get one of these jobs, it's great, especially graveyard shift, because then you can get paid to study. But anyway, these are definitely entry level, you get hands-on experience, it's good. So that's one way. Another way, this is kind of my way in, was the many-hats IT job. You wear many hats and you're like the everything person, you do all the stuff. And then the third way that I've been told is go into development, become, you know, an engineer, like a development engineer of some kind, and then you can transition into application security. This is also the path that a lot of pen testers will take, kind of stuff. So this isn't an exhaustive list. This is like three, like, it's easier to get in these, I guess.

Okay, rant. I kind of already mentioned this: you don't need "security" in your title to be a security person. I think it was that one job that really got to me, where it's like, "You're not a security person, you're a monitoring engineer." It's like, no, swear word, no I'm not. And then another thing that I like to rant about is security is everyone's job. Security can never scale, but if you can train your co-workers and stuff to look for security concerns or security problems and report it to the security team or whatever, like if you notice something, like if you see something, say something kind of a thing, I really like that.

So, all right, so basics of info security careers. I saw this, I thought it was funny. Don't just go straight into pen testing, because a lot of times what I've found is they want to make sure you know basics, because, yeah, otherwise they might label you as a script kiddie or whatever, or you may not land the job. But a couple of things. So, foundational knowledge and technology. This is important. You can learn it. It covers lots of things. So, understand networking and protocols. I mean, you don't have to be an expert in any of this, but you need to have some basic understanding. There's free resources, there's YouTube videos, there's books, there's all sorts of stuff. Programming, at least basic programming, or understand how programming works and how a program runs, sort of stuff.

Passion. This is kind of a bigger thing. I was listening to a webinar just this week from Black Hills Information Security talking about getting hired as a threat hunter, but one of the things the guy said is, like, it seems interesting, like between the baby boomers and Gen X it's more like years' experience and stuff, but then, like, millennials on, it's like, how passionate are you about this, or are you teachable? Because we can teach you this, but if you have the drive and determination, it's a lot easier to work with. It was kind of interesting, you should look it up. So, passion. Okay, why do you care about security? What gets you excited? What keeps you up at night is a question we ask a lot of the time, and I think people do good. So it's kind of a security mindset. Like, when you look at something, do you immediately start thinking, how can I break it? Because my kids do. But, you know, also things like, how could this be weaponized? Like, "Oh, I have this new thing, like, you don't even have to sign into this website and you can see our database." Let's think evil about this for a second: how bad of an idea is that? Like, you don't want to just throw FUD at everything, but you kind of do want to see, like, you know, let's think evil: how would a hacker use this, or how would they exploit this, kind of a thing.

Let's see, people skills. This is important not just for security jobs, this is important for every job, but people skills are extremely valuable. I'm not saying I have great people skills, but they do help. So can you convey complex ideas, or can you convey an idea or a project or something to someone regardless of their background? Like, could you talk to someone who's highly technical, saying, like, "Here's what we want this project to do," or whatever, or can you go to finance and explain, "This project, here's why it's beneficial for you, it's going to generate this revenue or it's going to reduce this," you know? Can you kind of steer it to, like, know your audience, sort of thing. Project management: nowadays it's like everything you do, if you can organize work, project manage it, it just helps. Like, even when you're applying for jobs, if you have project management skills and you're applying for jobs, approach it kind of like a project. Like, okay, I'm going to do resume tweaking at this time, and I'm going to apply for these jobs this week, and kind of plan it out and track it. Like, you can use these skills not just for work but also for finding work. So, to leadership: why security is important. This is, like, don't just doom and gloom and fear, because fear doesn't really help, but, like, this is why it's important, it'll help us in the long run. This way we can land bigger deals if we're in a for-profit company, we can, you know, protect our students, our patients, their data and stuff.

So, this is extremely true nowadays. This wasn't the case when I first got in, but cloud computing: everyone's in the cloud. Several people, you know, AWS, GCP, Azure. Seems like the majority is in AWS. But at least having a basic understanding, knowing how this works. You can get free accounts. You can also get not-so-free accounts and get scared by the bill really quick. You know, that's called experience. So I've been in interviews before, I was like, "Do you have AWS experience?" Like, "Well, yeah, you know, I had a little pet project here, and then I also had, you know, a $200 bill that I wasn't expecting, so yeah, I'm experienced in AWS." And then you get a chuckle out of them, and they're like, this person is funny. So cloud computing, at least basics, learn it, get familiar with it. Let's see, and Python, because, yeah, security. I don't know Python, but yeah. Who's seen this before? Who feels this way? I'm looking at jobs, I hate it. So big red X, boo. I wish... so I'm not a people leader, unfortunately, which I'm actually okay with, but I wish more places were like this. It's like, "Hey, we want to hire you, you'll get your experience here, we're willing to take the chance to, like, you know, take a couple months to get you up to speed or give you projects," and things like this. Like, if I start a company I want to do it like this. But anyway, throwing in memes to keep people awake, mostly myself. But there you go.

All right, so experience. This is interesting, especially now, because, you know, back in the day, I'm not that old, but back in my day it was like I saw very few jobs that didn't require a degree, a bachelor's degree in computer science or IT or related field, you know, the catch-all "related field" that they get to determine, sort of thing. But now more companies are moving towards experience. Like, you don't need a four-year degree necessarily, like could we take certificates or boot camps or things like that. So I kind of want to talk about degree versus experience for a minute. I took the degree path. You know, some jobs, like, it could be a mandate, it could be a contractual agreement. It's like, "No, we have to have degrees." It's just something written in, like they may not have wiggle room on it, which is, you know, it is what it is. But you can get degrees, like... I'm gonna... yeah, there it is, WGU. I'll talk about that in a sec. Nice thing about degrees is it covers, like, the plan. Like, so information systems, for example, you learn about web design and stuff like this, but you also learn these auxiliary things like project management or economics or accounting, which can be valuable in the long run. Like, okay, it's not just this narrow focus, but they also have some of these other skills that are a bit more well-rounded. Great. And with some graduate programs, some degrees, you actually graduate with some certifications. WGU is one of those. They have degrees in, like, cybersecurity, and part of the plan is you graduate and you have X number of CCNA degrees, or... wow, certs. Wow, I'm tired, I should have slept better. So that's nice. We'll talk about certs in a second.

So, versus experience. So let's move over there. So instead of, like, graduating and then going into a four-year program, it's like, "Hey, I want to get right into the job field, let's do that." So it's a quicker path to employment, because you're not taking a four-year, you know, "get my degree before I start working full-time." Possibly less debt; possibly you won't have all that student debt that you would get if you had gone with a degree. And then build skills more hands-on, you know, technology or hands-on learning, than necessarily, like, you're in a class and you're learning about stuff. Like, so book knowledge, book smarts, versus hands-on. I've actually done this. Like, "Oh yeah, I worked for a small company, I was their one IT guy, and I had to, you know, set up the firewalls, and I did all that stuff, and I learned it this way," instead of, you know, theoretical, like learning about it in books or something. I don't know, just making sense. I feel like I'm rambling, just mumble rabble rabble. Okay.

Okay, certifications. Just get a CISSP, that's all you got to do. Get a CISSP, you'll get a job. If you don't know Javvad, he made this several years ago. It's a YouTube video called "The Benefits of Being a CISSP." He talks about how you can be pretentious, and you can get, like, a wallet with a clear thing and basically flash it like a badge, and you could just bust in and be like, "CISSP!" And so I had to throw that in because it's a great video. But for real, though. Okay, certifications versus not certifications. Are they good, are they bad? Little... it depends. Spoiler alert: it depends. It's going to be every slide, by the way. So when I see an entry-level resume come across or whatever, it's like, hey, they're just about to graduate or whatever, but hey, they have some certification. They have, like, Security+, Network+ or something. It's like, hey, they have something. That stamp maybe helps you stand out from a crowd. Also, if you're a student, you can usually get a student rate on CompTIA certs. That's what I did. I was like, oh yeah, it's like half price, I'll totally do that. Certs are helpful. It does depend on the cert. You know, if you're applying for, you know, oh, I don't know, like a network degree... or network degree... calm down, geez. If you're applying for a network admin or a network security job and it's like, hey, you've got some CCNA certs, or you've got, you know, Network+, or network-specific certs, that tells me, okay, they don't just memorize ports and protocols, but, you know, they had to pass a test and actually did this. Or even the ones where you have to build a home lab to pass a test. That's helpful. What kind of security are you interested in? So this is kind of like, which cert would be the most bang for my buck or the most beneficial, and which certs are more, like, generalist? And it's kind of a higher bar, so they can, like, discriminate against people who don't have it. It's lame. And if you're getting certs just so you can have alphabet soup after your name on LinkedIn, then maybe you don't get certs, otherwise you look like a North Korean general. So anyway, there you go.

Okay, so starting on the top left, I should have animated this, but some general security certs. These are, like, I would say these are entry level. You can get them right now. They don't require, like, prerequisites that I know of. CompTIA, a lot of the "star plus" ones, you know, Security+, Network+, that kind of stuff. CEH, I don't have this. There's been some rumblings on infosec Twitter about that, but I know people who have it. They say it's good, it's more hands-on, it's definitely for ethical hacking, so more of that red team, purple team, pen tester type track. And INE, they have their eLearnSecurity certs, which you can sign up for, and you can get a couple of those certificate-of-completion type things. It's kind of, I mean, it's way easy, like low barrier to entry, and it's like you can put that on your resume. All right, so moving to the right, these are advanced security certs. So these are more general or slightly more specialized. So CISSP, you know, so you can flash your badge. It's a mile wide and an inch deep. It covers the 10 security domains. It's great, because it covers everything. And unfortunately, a lot of times recruiters are like, "Oh, I know what CISSP is, so I'm just going to look for that." It's like, well, about that, you shouldn't, like, there's other things out there. So I said earlier, like, know what kind of security you're going into. If you want to go into, like, auditing or something, the CISA would be something more like that. It's like Certified Info Systems or Security Audits, something like that. Then there's more specialized, like SANS puts out a lot through their GIAC organization, so GSEC, GCIH, things like that. Yeah, and then specialized security certs. These are more advanced. You know, I'm using pen test as an example, but you can get the, you know, GIAC Penetration Tester, Web App Pen Tester, PNPT, that's The Cyber Mentor, great content, I love, he has really good stuff. OSCE, which is kind of more advanced than the OSCP. PenTest+. So, see where I'm going? Ramblings, they'll call in. Okay, anyway.

Community involvement. This always helps. So the very first security con I ever went to was BSides Salt Lake City. It was in 2015. It was down at Thanksgiving Point, and I thought, this is cool, this is what I want to do. So you're already doing it, you're here, this is awesome. Also, there's BSides all over the world. So lots of major cities have a BSides, like BSides, you know, Las Vegas, BSides, you know, North Carolina. Like, they have a lot. Another local con which is great is SAINTCON. I've been going there a few years. I really enjoy that. DEF CON, it's right in Vegas. These cost a little more. It's fine. And then there's also non-security or less security-oriented local conferences you could go to. I'm talking Utah specific, but, you know, like OpenWest and Big Mountain. This is a great place. A lot of them were dev conferences. Great things to go to. And this one I really... I believe in. I'm a believer. I'm not only the president of the client, sort of. I'm just kidding, I'm not the president. But volunteer at cons, especially community cons. It's, you know, by the people, for the people, sort of thing. When I was working as a monitoring engineer, not a security engineer, I would take PTO and then I would volunteer. It's great because you get to work the con, you get to meet people, and you usually get in for free a lot of the times, which is definitely beneficial. And if you don't want to work the con, volunteer to speak. Like, submit a proposal, with a better title than this one. Submit a proposal so you can present at the con, and then you usually get a free pass, but you don't have to work for part of the con. So that's actually what I would do. I would volunteer, and I would also, you know, offer to speak at these cons that work wouldn't pay for, and I'd take PTO, and then I could get a free pass and come in and network and hallwaycon. And I would recommend it. Local groups and clubs: there's local DEF CON chapters you can join, there's DC435, there's DC801, 801 Labs here, there's hackerspaces, student clubs. How many people are students here? How many, you know, of a student club, like info security or just, like, tech? They're around. Yeah. So, and then online, they mentioned the BSides Slack, there's Discord channels, there's lots of places where you can get involved virtually.

Okay, free resources. YouTube, it's awesome. I work for a learning technology company, but I still use YouTube to learn stuff as well. And I mean, this is why it's free resources. I really like NetworkChuck. He has some of the coolest things. He's like, "Do you want to learn networking, cloud, or hacking?" Like, it's awesome hands-on stuff. A lot of times it's like, "Go buy a Raspberry Pi, I'm going to teach you how to do this," or make a quick home lab. Like, his stuff's really good. I really like the DC CyberSec channel. I like Null Byte. The Cyber Mentor, he's the one who does the PNPT certifications for ethical hacking. Another free resource that I've been really liking lately is Black Hills Information Security, BHIS. About every week they do a webinar, and a lot of times they will do a pay-what-you-can threat hunting class. It's like, pay what you can; if you can't pay anything, it's still like, here's a free six-hour class on a Saturday to learn threat hunting or something, a lot of times with free open source tools. Really like it. And INE, that was that eLearnSecurity certification thing.

So, podcasts and feeds. This one, this helps, because a lot of times in the interview, one of the things that we ask on my team when interviewing is, like, what do you do to stay current? How do you stay in tune with what's going on in the security thing? So it's like Security Now, you know, they talk about current security trends. On Reddit there's netsec and there's other ones. This isn't an exhaustive list. Things that are like, sometimes you just need brain candy, but it's still security related: Darknet Diaries. If you're not listening to Darknet Diaries, you should listen to Darknet Diaries, because it's really good. If you're a privacy nerd, IntelTechniques puts out one with Michael Bazzell. It's a security, privacy, and OSINT show. A lot of times he'll talk about current events and then interesting stuff. And then infosec Twitter, that's my best source for human intel type thing. On Friday there's usually the hashtag FF, Follow Friday, so follow big names in infosec, and a lot of times they'll do, like, #FF and they'll list, like, five people or ten people in that field, and it's like, hey, wonder what they're talking about, or whatever, and you can follow them. Twitter's free, you can follow it. It's really great and you can get to know people. So it's like you go to a conference, like, "Oh, I'm so-and-so." Like, "Oh hey, I'm Marv, like, I follow you on Twitter." I know Marv, you know, for example. Doc's new, sorry. More free resources: I mentioned Discord, there's some local ones that I'm a part of, there's other ones that, you know, you can find. Look for it, you can find it.

Home lab projects. This isn't necessarily a free resource, but, you know, Raspberry Pis are cheap. You can make a home lab out of Raspberry Pis. You could have, like, older computers. Like, "Hey, I want to learn Linux, but I have this old computer. Let's blow it away, install Linux on it, and teach myself Linux," for example. It's always helpful to learn Linux, by the way. There's places where you can get downloadable capture-the-flags, like VulnHub and CTFtime, where you can actually download them, install, like, virtual machine environments, and then you can actually... some of them will have walkthroughs, some of them you have to stumble through and do the CTF on your own. This is great because it's hands-on skills, and, like, in an interview, like, "Have you ever done such-and-such?" It's like, "Well, I've done these CTFs and we did this, and, you know, I learned about, you know, sqlmap, and, you know, learning SQL injection, how I was able to do that." And this pays dividends in interviews. KringleCon is something SANS puts on every Christmas. It's an online CTF. It's kind of fun. I think it's starting either this week or next week. It's kind of fun. HackThisSite, TryHackMe, these are free sites that you can legally hack. It's kind of fun.

So, all right, so the best resource: talk to people. I love going to conferences, and people are like, "Hey, I challenge all of you to meet five people you don't know and ask their name, or what they feel like sharing, and what they do." Get to know people. Hallwaycon is the most effective way to meet people. I don't know where I'm going with that. Hallwaycon is a really effective way to, like, get resources that can help you. Like, "Oh, you work for so-and-so, do you know XYZ person? I met that person at BSides." There you go. Also, this is actual footage of a TCP handshake. It's not awkward at all. Anyway.

Okay, interview time. Here are your dos. Have a LinkedIn profile that shows or showcases what you want the hiring manager and the recruiter to see. Do some research on the company. Actually know what they do. You know, poke around a little bit. You can do open source intelligence, and, like, you know, I'm gonna go do a DNS lookup. This is like passive, this isn't actual hacking, but, like, passive. It's like, "Oh, you have your stuff behind Cloudflare, so I may need to understand Cloudflare as a WAF because I'm applying for the security team," or whatever. You know, you can get information about that, and it'll show, hey, this person did their research and they know some of the technologies that they would be doing if they get this job. That's helpful. Does this company line up with what I do? That's always helpful. It's nice to work for a company you can actually get behind, you know, if you have that option, of course. OSINT, you know, LinkedIn, you can find people who work there, you can find the technologies. It's like, you know, "I'm so-and-so, the network manager, and skills include Palo Alto and Fortinet," and, you know, you can glean information that way. There's a BSides talk about that from several years ago. I throw this on my LinkedIn, just throw that in. It says something in base64, and part of it is like, "If you're coming in for an interview, say this code word to me." And I've had, like, three people, of the people I've interviewed, who have actually said it. So I was like, oh, you did some research, you know, base64, good for you.

Interview don'ts. Don't hack their site. That really ticks them off. Just don't do it. A job interview is not permission to hack their site. Don't social engineer your way into an interview. I have an example about that. Don't be a creep. Don't, like, Facebook stalk the people. I mean, do it tactfully, I guess. I don't... yeah. Okay, so I'll tell a story. I've done a bad one and I've done a good one. So I was working as a monitoring engineer and I wanted to get over to the security team internally. So I knew the hiring manager, and they posted something on their app security team. It's like, oh, I want to get over there, and I want to learn more about AppSec, or whatever. So I just sent him a calendar invite. It's like, "Hey, I'd like to go over..." like, we sometimes talk about this position, you know, rec number and everything, you know, take a look, resume, talk about it. He's like, "Yeah, throw something on my calendar, half hour, we'll talk about it." So we met up. He's like, "Cool, so let's look at these resumes." And so I, like, pull out my resume and I start talking through. He's like, "Okay, interesting." He's like, "So you got any other resumes?" Like, "No, I just brought my own." "You're not with HR? I thought we were going over resumes." Like, "No, no, I'm over on this team. I want this job." He's like, "Oh, well played. Well, you got 27 minutes, let's talk about this for a bit." And he was kind of like, okay, I'll tolerate this weirdo. Do I want to hire this guy? Spoiler alert: he hired me three years later at a different company. So that was the failure story, that wasn't the success story.

Okay, this is the success story. It was hallwaycon. So I was going to a conference downtown, a local community security conference, and I applied for the job, and then I went on LinkedIn and I looked up the people. It's kind of helpful to have a second LinkedIn that isn't your true name. Anyway, I was looking up the security team. It's like, okay, so there's this guy and then there's this woman here, and then, okay, I'm going to bump into them and, you know, talk to him. So I saw him at the conference or whatever, in the hallway. I was like, "Oh, hey, who do you work for?" He's like, "Oh, such-and-such company." Like, "I just applied there." I was like, "Oh, really? Yeah, fancy me, yeah, I just applied." Isn't that how... how random is this? It wasn't random, but I got the job, so it worked, I guess. So don't be creepy, but it's like, "Oh, I just applied for it, do you work there, are you on what... yeah." Social engineering, I guess. But anyway, so that's my advice. Again, I'm not an expert. My advice has no warranty attached. But anyway, those are some of my thoughts. Does anyone have any questions or comments or heckling? Mostly heckling.

It was a good one. I copied this, threw it into the appendix. I didn't know if I'd use it, but those are some of the things. Free resources, I took this from that free webcast that I attended earlier. But anyway, that's my talk. Thanks for tolerating and listening to me.
