How to Get Started in Cybersecurity

thanks guys so apparently looking on the schedule you could have gone from attract upstairs on how to get started in cybersecurity to my presentation on how to get started in cybersecurity so hopefully that just means that this is an important topic for a lot of you guys that's my email if you want to get in touch with me and that should be funny to you hopefully xkcd is great so that's not funny to you and you're trying to get into cybersecurity go look up SQL and then eventually that should become funny to you and once you understand all of these inside jokes and you're definitely part of cyber security I may swear I see some kids up front I

may try not to since you're here but I'll do my best I'm not gonna spend a lot of time on Who I am on no technical technical difficulties okay we're good maybe alright I've done a lot of different things in my career I think a lot of people who have passed in some form of cyber security have a lot of different paths and life stories so if you get a mentor they can talk you through how they got into cybersecurity I secretly joined the army at 19 and got married one of those things has worked really well for me I have a whole bunch of certifications we can talk about that a little bit later

as well so when people say I want to get in cyber security that's awesome but that doesn't really tell me anything because cyber security is a terrible term and I've lost the presentation again so this is going well so we have to get a we have to get an understanding of what you and I mean with cyber security so there's a lot of different resources that we could talk to in terms of what is cyber security I particularly like the 52 job roles that the National Institute of Standards and Technology the NIST has they break down all of those 52 particular cyber security job roles into in the u.s. we call them knowledge skills and abilities KSA's so

they're very detailed but even with those two even with those 52 cybersecurity job roles they don't cover every possible cybersecurity job role they don't specifically have one that's a pen tester they don't specifically have one that's a cyber threat intelligence they don't have a malware reverser so that still isn't even all-inclusive into all of the different cybersecurity job roles there are so when I mentor someone who is trying to break into cybersecurity out of college or pivot mid-career into cybersecurity we have to have some understanding and they probably need to do some research to to see what they think is interesting within cybersecurity so that's my first piece of advice generally is if you're trying

to break into it you should probably do some research I particularly like that if you're the type of person who represents the meme on the slide then this may be a field for you at some point because a lot of people in cybersecurity have started out in IT but again it's not always a traditional path I am still that person I just proactively fix everybody's computers during the holidays I just plan for it right it's like the day before Thanksgiving fix all the inlaws computers and make sure everything works well why is your internet so slow so if if you're that kind of person already and that interests you and it doesn't drive you insane you know you may be on

the right track so to get started in cyber security I don't think it's particularly difficult other than trying to focus down what it is you want to study because it's such a large field right so if if somebody tells you that they work in cybersecurity they haven't really told you anything that's the same as saying I work in the medical field right I could be a brain surgeon or I could be in medical billing they're both in the medical field that the same thing happens in cybersecurity or the term cyber the term cyber is becoming more popular in the US and that's an even worse term in my opinion because it tells me even less about your particular

career field so a couple of points on this slide if this is new you're trying to get into cybersecurity I would not I would try to find something that you find interesting so if you don't find programming interested and it drives you mad then programming is probably not something that you should continue to study and you probably don't want to be a programmer you may need to understand some programming or understand basic scripting but there's a lot of other roles within cybersecurity that maybe your skillset and personality is geared for because we have so many so I've lost the presentation again so some other things in terms of getting started there's a ton of free resources

available on the internet so YouTube cyber re lots of people's blogs follow follow a number of people on Twitter in the cybersecurity community are all great free resources I'm also gonna if you get two slides then later I have a lot of free resources and links in here as well sure so I know in the United States at least and I don't know if it's the same here there's this huge infatuation with the certifications right that's a big I say it's kind of a big problem some of them are better than others I have a whole bunch some of them really carry some weight and some of them don't so if you're interested in vulnerability

testing and pen testing OSC PS and is really something that still holds a lot of street cred basically but the training that is offered in these courses does not require you to necessarily pay for it because a lot of the books that are available that are going to teach you the basics of ethical hacking or the basics of network security you know you could get that book for $40 you don't need to spend $3,000 on a CompTIA security plus class and the value of it is super questionable and I say that as somebody who teaches that course what you are gonna have to do is practice on your own if you're gonna be a hands-on hands-on

keyboard type of person which is how most of us generally get started and that was gonna require you to have a home lab with some kind so my laptop really doesn't like to present today ok we're back so there's a couple of different things here so you need some technical skills if this is going to be the field for you but this was actually talked about much earlier today that the guy from tenable was a track in one of the breakout rooms about the type of people they look for this drive the passion they innovate the initiative the curiosity those are really critical right and that's reflected in the Google flow chart which my mother asks how do you know

everything well I'm glad that my mom thinks I know everything but I don't because I google something and if that didn't fix her laptop well then you just go in the endless cycle of trying to figure it out until you get to the solution or eventually you call your friend because you can't possibly know everything in cybersecurity all right that's it's impossible to do that there's a few people that are on my short list that I will call first because they almost always know everything but there's no such person in this field so the other thing about initiative and curiosity is a lot of people seem like they have a hurdle this this hurdle to get started with things

so my my real quick story is I was mentoring a woman who wanted eventually one day to be a pen tester so I said well you're gonna need some home lads you're gonna need some VMs you're gonna have to set this up and I pointed her to some sites there's I don't know how many videos on YouTube about how to set up the ends and she kept asking me questions and she couldn't really figure it out and that there's that there's a hurdle there that if you aren't willing to kind of figure out some of the real basic things then then then I can't help you because this might honestly not be the right field for someone like that in

a discussion we had upstairs we've talked about breaking things during this learning process and you are going to break things it's part of the learning process you I have bricked a number of window systems I think that's part of the learning process not just for cybersecurity but but in general right it's why we're learning it but a lot of people have that intimidation of well I don't really know what I'm doing yet and I'm worried I might break something well if you can't figure out the VM you should at least you know get a cheap laptop or build a desktop and get some good learning experience that way because it's not very expensive to build

a desktop anymore and so anyway you're gonna have to practice hands-on skills you're gonna have to get over that initial fear of sort of messing up or breaking something in order to practice this on your own so in terms of tools that you want to learn and practice on as you get into cybersecurity it really does depend on which field you want to study right not all things are made equal so if you're gonna be on on a soccer team as a network analyst or a defender they go by a lot of different names there's probably some more specific tools I could point you to if you're really interested in forensics well there's a number of free forensics tools that you

could download and play with them and understand the process of forensics analysis I like bulk extractor I've used it on a couple of cts if you want to be a vulnerability analyst and maybe a pen tester one day right there's a different set of tools and software you should practice on your own so I'm happy to help drive you towards the types of learning activities once we have some better idea of where in cyber security you think your future lies right because if you want to do policy analysis and risk then I don't really necessarily need you to be really proficient at Metasploit all right we were kind of wasting each other's times at that point

all right so again it goes back to the first line is tried to do some research and find figure out what you find interesting so that your mentors can help you tailor the sorts of learning activities that are most geared to where do you want to put yourself because there you can't just study everything that's impossible and then the other thing here is when I say like knowing the tools it means proficient so I get this question quite quite a bit when you're trying to get that first job opportunity well how do how do I get these skills on my resume well if you spent 200 hours hacking vulnerable VMs with Callie and Metasploit and whatever

other tools you have I think you can put that on your resume as you know home lad use research whatever you want to call it somewhere on your CV or on your resume and when you get to the technical interview you know that one shows that you have that initiative which if they're actually a team you want to be on they should be looking for that kind of person who wants to do that initiative and research on their own all right it stayed up there for now so I know a lot of a lot of the talks today around how do you get your first job or hiring assistants and tailing your CV and I think this speaks to some of those

a little bit again it is gonna depend specifically on your job I thinks and certifications are pretty much the industry standard today I've lost the slide again just for a moment it should flick your back I guess so I still think sands are the best they're also really expensive which is why I haven't gotten anybody to pay for me to go yet I have some friends who teach cents classes they sound amazing most of the sense classes also do have some labs as part of them which a lot of the traditional boot camps in the industry right now don't I teach certified ethical hacker I've taught it 40 60 times something like that I don't

have time in the ec-council certified ethical hacker class to give you labs and the labs are actually not very good that ec-council has available anyway it's much better for you to set up the labs in your own home and VMs and there's a number of free resources on the internet that will tell you how to get started with Kali and how to get stored it started exploiting boxes in the VM environment so there are some basic things in cybersecurity if you're gonna be any sort of technical hands-on you should have a really good understanding of Windows probably a pretty good understanding of Linux possibly a good understanding of Mac which is really a Linux build all right

so if you don't understand things like Windows domains that's gonna be critical because most of your big enterprises are running Windows for the most part probably having some basic knowledge of EMS would be applicable as well just general background information all right so those are the sorts of basic things you're gonna want to study if you want to do threat intelligence or open source intelligence Osen there's a whole other list of things I could give you that you should focus on and be familiar with right virustotal maybe mal t go central ops so there's a whole host of different tools if that's the direction that you think you want to go into cyber security so again you're gonna have to practice

whichever tools are most applicable in your home it's a good thing I don't have many slides since they keep breaking and I'm gonna open this up for questions I really want to entertain your questions for a couple minutes before everybody goes to get some beers this is the key that opportunity slide right there so you have to have some skills and you have to know people and then those things are gonna merge somehow they're gonna know of an opportunity you're gonna get a referral right so attending events like this is great attending capture the flags is great having LinkedIn or whatever other mechanisms you have online to stay connected to the community following people on Twitter

it's probably okay so at least you know what's going on but I think that's the most important one at the top also if you come into an interview with me I expect you to know something like even if it's your first job I expect that your following news about this industry so if you can't speak to any of the things that are happening in the industry that I'm gonna question whether you're really serious about working in this industry right so again it'll be tailored for specifically what it is you're interviewing for but I mean if you're not familiar that github was just purchased by Microsoft I mean that's pretty pretty big news or VPN filter

malware I mean there are some big things that it's not even cyber news I mean this is on like regular news sites in a large part I think some other specific tips for the hiring process is you really should practice your interview skills and your elevator speech your mom/dad your friends give them a list of questions they don't have to understand necessarily what they're saying but actually practice that you could practice in front of a mirror as well it sounds weird someone else said that for the social engineering you could do the same things for your interview as well the self confidence one you only know what you know right and this was this was actually talked about in one of the

other discussions I had today is it's okay to say I don't know because we can't know everything so how if you run across a problem what are you gonna do when you don't know and how do you speak to that does that shows that you have some way to get past though I've run into this problem and I don't know to do okay well you turn to Google what if Google doesn't really give you the results what's your next option alright and probably the next option is not being so what are you do you have friends you're gonna call on do you have a professional network you're gonna ask your co-workers how do you get past that

first hurdle where you don't know the answer to a particular question again I think you should study what you enjoy there's lots of opportunities in cybersecurity to study what you joy and the last bit up here that I'll talk to here is try to find a mentor that will stick with you through multiple career changes right so it might not be the person where you work now or the person at your first job because that person should be able to give you advice as your career progresses I think mentoring is something that's sort of going away and I think it's sad because I think it's really helpful and there's plenty of people that could be

mentors you don't have to be in the industry for 20 years to be a mentor if you're in your second job at a sock you probably know a lot it would be helpful to the graduates today right so yeah maybe you've only worked in the industry for four or five years that's four or five years more knowledge about your entry-level career and starting path that the graduate today wouldn't know so just think about that as well there's a whole bunch of references and links so hopefully when you get to slide you'll be able to get all of these the second one is particularly really useful because it's just an aggregation of a whole bunch of other InfoSec related

sites because he's old enough to go by the old term because at least InfoSec mean something as opposed to cyber so not all of these will be applicable to you right but again I'm also trying to show you that there's a ton of free resources online so you do not have to spend money to get started in cyber security right there there's lots of different training for all of those 52 job related areas within cyber security so again don't don't go read the IEEE CIT know your enemies if you're not going to be in cyber threat intelligence because that's all about defining advanced persistent threats so if that's not for you that's fine so this is my last slide which is good

because they keep disappearing anyway I really want to open it up for questions that you have for me now so hopefully you are gonna ask some questions before we all go get some beers later at the after-party