HG - Fast-track your Hacking Career – Why Take The Slow Lane? - Joe Klein

BSides Las Vegas | 31:41 | 93 views | Published 2018-09
About this talk
Fast-track your Hacking Career – Why Take The Slow Lane? - Joe Klein Hire Ground BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018

Okay, can everybody hear me? And those in the back that are talking, I'm gonna go to my radio voice, which is loud. How's that? So this is actually a one-hour presentation, so I've got a lot of talking and 15, 25 minutes, so I took it. I had a lot of slides. I suspect I'll be presenting on this in the future. My background: well, it was 1978 when I was taking a class in computing, and I decided, I learned about a game and I decided, well, I don't like losing games, so I modified the code. Then I went back to the system administrators and said, hey, I modified the code, this is really cool, and they said: you're responsible

for security. So that's how I got into the industry. Okay, and it happened again and again and again, and stories over adult beverages are always good. So the goal of this is to take the hacker mentality and apply it to finding not only jobs but your career. Now, to begin with, how many people are actually looking for jobs? Okay. How many people are recruiting here? Oh, I knew you, yes. So there's information about both. My biggest concern in this industry is there's a wide gap between the needs and the definitions of the people that are hiring and the ability to be able to translate that information into making a match. So this particular set of slides

specifically to hopefully help both sides of the debate. Okay, so we'll have to do this fast. Yes, find a job you love. Yeah, I've been doing it for a while, so I love it. So let's hack the actual process of the HR. So you are on the left-hand side; the organization, which includes your HR person, your hiring manager and who actually funded it or is funding it, the organization or the HR manager specifically. The organization is going to be looking at two types of hire. So, gonna be looking at a tactical hire: a tactical hire, you're going to go sit in a seat based on a set of definitions and maybe be a SOC monkey or whatever. It's a typical issue,

especially in the government contracting domain. But essentially you want to be a strategic hire. Okay, strategic hire: you need to provide extreme amounts of value to that company and give new ideas and new concepts to actually help them meet what their objectives are. So they define the job position. The next thing that happens is somebody has to break that out into tasks. These tasks may have been sitting there for years. There are job presentations out today from specific companies that still include mainframe as one of these lines, and they have not used mainframes in years. Okay, that particular company is no longer. So this is a real challenge, to go through this particular process, for a lot of

organizations. Then we have the actual mesh between you and the actual tasks you're looking for. This is where the knowledge, skills and the abilities come in. Oh, by the way, there is a link at the very bottom that, if you allow me to bounce out, go... Okay, if you're a hiring manager, make it simple on us so that we can get hired. Here is a product that DHS offers for free that you can use as a template to create these particular items. All you have to do is provide the job description. It makes it simpler for us. You notice how I just hacked the HR system? It's awesome. Okay, the next thing that happens is you have to go through

performing a, performing a job. So what they're looking at is, for the tasks, they're looking for things that can be performed, or learned, in less than 90 days. You know, I need to learn vi? Okay, you can do that in an afternoon. On the next one, which is the creating the interview questions, check-in, checklists, retention bonuses, things like this: this is actually where you want to be. You want to make sure the tasks are met with what you're trying to accomplish, but you want to be a strategic hire with the items on the next line, and we'll map those for you. For the manager, what you bring to the table is your, your

knowledge, experience and training, everything else. But you have a resume, and please make sure you update the resume. If you don't do it here, go find a mentor to help you actually design your resume to be focused on what your passion is in this field. And also, you're gonna be interviewed: get somebody to actually walk you through the interview process. Some of us have gray hair in this audience, so we've been through it once or many times, so this don't, so be aware. Your resume better include the right training, certification. This is a point that slows down the hiring process if this information is not right, so make sure this is aligned. So, other things: carefully read

the job description, carefully read what the needs are. If you are a Microsoft person and they're talking about Linux, it's gonna make it harder to get through the door to have that conversation. Go learn Linux. Yes, I'll have links to how to do that later. Match your job experience with what you see. Oh, by the way, if there's something missing, there are so many resources out there that within a week you can actually pick up a specific experience. Has anybody ever loaded Elasticsearch? Has anybody ever implemented Security Onion? I mean, literally, these are one-week type things, just to get that primary knowledge about how this stuff works and have a conversation. Oh, from a professional

standpoint, please, if you're young, please don't use the email you did in high school, in grammar school. Get a professional email. Put a LinkedIn in; your Facebook, no, get rid of that, put a professional one in. So these are really important to think about, because recruiters are now looking at this about you. Reboot yourself so that you can get this job opportunity. Also, does anybody belong to any local groups where you live? ISSA, hacker group, a meetup group? Not as many people that should be. Everybody basically should be part of that particular group. Why? Number one, it's free education, training. Number two, if they are there, those companies have jobs. Okay,

ask the question: so I'm coming to this ISSA or this ISACA or whatever meetup, I'm looking for this kind of job, do you guys do that? Okay, finding the person that's going to hire and going around HR is the simplest way to get hired, and then make sure HR processes the paperwork. Let's see. Oh, how many people have a home lab? Yes, we're almost halfway. Everybody in this field should have a home lab. That might be a single computer with virtualization, virtualized networking and things like that, or it could be like I had in January, with 96 cores and 35 terabytes of drive space. I was experimenting with a couple things. So

you can go either direction, but go set up a lab, because there's going to be times you're gonna want to ask a question, you're gonna go home and actually be able to test it out and come back with new solutions. On the other side, get to know the company. Okay, we call this open source intelligence. Go learn open source intelligence. I presented at DEF CON, what, 16 years ago about how to do this. Please go do this. Go find out about the company. Why? When you're in the interview, what is the first thing they say? Do you have any questions for us? This gives you context to say: why, I see you just bought another company, what does that mean to me coming

onboard? Or, hey, I see that your stock prices are going down, what is that impact, how does that impact me in the industry, and the thing? Or, I see you're getting into a new product line. Ask those questions. The hiring manager appreciates that, that you've done the due diligence and started learning about what the company does. Okay, a job is really simply earning money. A career is connecting all your employment opportunities to get to your greater job. Some people, early in your career, you only want to make one hop, and that's what you're looking for. Some people want to say, hey, I'm in my early 20s, I've done this and this and this, I want to now be

a chief security officer by the end of my, end of my 20s or early 30s. Okay, start mapping your career out. Number one, it will save on burnout, because you have an ultimate goal. It also allows you to control your career. Here's what my career looked like. Okay, because in '78 there really wasn't a job role for that. What that was was, hey, something's weird with this thing, can you look at it, it's not working, and finding very strange things. That's another discussion later. Well, the National Institute of Standards and Technology, NIST, started working on a project a while back called the National... yeah, basically, for cyber education, what they're attempting to... Initiative for Cyber Education. What they're attempting to do is standardize

this framework. Many organizations do not know this exists. The organizations that don't know this exists, their job reqs are out of sync. Many times they're not as easy to read, you can't, you're not actually able to get to what your goal is. Take a look at this. I want to bring up the webpage for this. This is actually very cool. So in this category, NIST has defined these particular categories as general topics. Sir? Oh my god, I didn't do that, sorry. Can you see it now? Yay. Okay, so let's see. So what the challenge there is... there we go. You see each of the major roles. There's a lot of categories in here. When I got started, I

was the security guy, the only one, for a Fortune 500 company. Okay, now they have dozens and sometimes hundreds, and I have a lot of friends that have gone through this process. Go find a title that looks interesting, go read the job description. It's interesting: if you're passionate about this, this can go very well very quickly. Okay, and all the links, by the way, are in the slides, just in case you're interested. Okay, so what NIST did was they created this great set of qualifications: currently seven categories, wow, who would have known, 33 specialties, 52 work roles. Oh, by the way, these are major categories, these are minor categories. If I'm doing forensics, I may be doing forensics on an IoT

device or an automobile, or I may be a specialist in hard drives from a forensic standpoint, dead boxes, or I may be network forensics. Okay, even under these categories there's lots of specialties. Make sure when you're looking at the job request that you can determine what that specialty is that they're looking for, so you can align yourself with that particular goal. Again, there's a link on here that will give you lots of details. Please take the time to do it, because it helps you, well, again, figure out what job position you're passionate for. Okay, the next thing: mapping your career goals. So as part of the NIST initiative they

and had support from the industry, and what the industry did was they created some really cool applications to help people track their career. I'm going to bring the webpage up again, if I can see the tab... I can't see the tabs... bring it over... oh my god... tab 2, ah, there we go. So, doing some study, what they found out was that the vast majority of people that got into this field, they may have their degree or their background in something else, but as part of their development they had to learn something. They became interested in networking: they were the networking guy for a university or firmus firma school,

or they were the software development person because they learned software development so they could do this other career, or they were a systems engineer too, because suddenly you're the only guy that knew about computers, therefore, for this biological system to do genome, you basically have to set up a network for us. Okay, this is a real typical issue. Each of these, oops, here, each of these have categories and information, general prey of general descriptions on price. If we click on this we can see connections. These connections, hopefully you can see it and it's not too small, these connections between nodes are the optimal path that they've determined. What that means is, instead of learning a whole new industry or a bunch of stuff,

it's a minimal amount of things. As an example, if I'm a professional investigator, I probably am not a guy that needs to know the bits and bytes of networking, but to become a professional investigator I have to know other things and this stuff. Okay, so it kind of minimizes what you need to do. Again, a worthwhile website to go to, at the very bottom. And again, I'm not sure what the size of that is, if you can see it all. Can you see it there? This provides general pricing, which categories. It gives you a good framework to understand how to make certain decisions and what decisions you need to make. By the way, you notice it has certifications on

there: certification is what you need to get that current job, and certifications to move to the next level. Okay, that's pretty cool, huh? So, next topic: evaluate your knowledge. One of the biggest challenges that I see in resumes was, I want 20 years of Golang development. Okay, Golang's really been public for five years, but I see people do that. Or, you know, I want, you know, 18 years of Android. We've had Android for 18 years? I don't think so. So you have to actually understand where you are from the hiring manager's standpoint. If you notice, there's levels, and these are... I went out and looked at hundreds of resumes to say, you know, is it basic level or entry

level. These are just the terms that are used. The hiring manager wants to know different things to find out how qualified you are for a job. For the first level it's, I want to know that you have knowledge of, and you could read a book and learn this. The second is that you have the skills to, because you've already read the book and you've applied those capabilities. The next level, for expertise, is I could take that book and I could teach a class to my field or people in the industry. The last one really is, hey, I develop things that are completely different: I've developed books, I've supported the development of IETF RFCs or IEEE standards or,

you know, whatever that is. That's the real levels of capabilities you need. You wouldn't expect a junior person to be told, hey, you need to help write RFCs with no networking experience for an IETF. So please help the... If you're looking at a company where there's a mismatch, have a conversation with them about it, and if they're not willing to have the conversation, maybe they're not the right place to go. Okay, next item: geography. So there's so many jobs out there, except they're clustered in specific areas. Okay, I'm always told, well, I'm gonna live in the desert someplace and I'm going to do the job there. Well, there's no employer: mismatch, doesn't work. As you can see

from the lower right-hand side, we can see the amount of job openings of each different area. Oh, by the way, I have my email address at the end of this; if you wish, please email me and I'll send you these slides as they are, and the notes and things like that, so feel free. So if you notice, on the left-hand side it says states, it says metro and states. In the upper left-hand side it says size of area you want to be in. Some people want to live in a small city and want to see that there's actually jobs there, especially if you have family or you're doing something with parents or whatever.

The other thing: in the upper right-hand corner we have the public sector and we have the private sector. Do you want to work in government? Do you want to work in the private sector? Do you want to work in both? You're looking for the best places and jobs. Okay, I am going to bring up the next slide, which should be... there we go, they're up there. So if you fly over, you can get an idea of the amount of jobs. If I click on it, I can get a detail. If I go down here, I can see the match of how many jobs there are in a specific area. Apparently this is updated about once a month, so it

gives you an idea of things that you need to be looking for. If you're somebody that wants peers, to learn from peers, you want a larger population in an area. I lived in a place at one point where I was the one running the security group and the Linux group and the networking group. I mean, there weren't a lot of people in the area I was with. I now live in an area where basically there's dozens of groups and I can go to different meetups almost every night, sometimes two if I could be two people, but, you know, can't do that. But if you take a look at it, it gives you, see, the

certifications: the orange is how many certifications in a specific area, the blue is what the hiring manager and the company is looking for. Can you see if there's a mismatch on required jobs versus certifications? And also you can see things like, you will find certain fields where just being high school or just having an associate's, it's not going to be enough. They're gonna expect having a master's degree or a PhD. So again, this gives you a framework to start managing your career. The current... we go: mentors. How many people have a mentor? One of mine, by the way, is Vint Cerf, the father of the Internet, so that's kind of common, kind of fun. How

many people help other people as mentees, mentors? Okay, cool. The best way in this industry to learn is to mentor somebody else, because you're gonna push yourself to understand what their needs are, you're gonna start reading about it, you're gonna start understanding it. I put together a list of the nine major types of mentors. Some people can only do one or two. Some people, in their career, as they've gone on, they've been able to be a mentor for each of these categories. One of my, one of my talents is a connector: I have lots of people, because I've been in this industry for years and years and years and years, anyway. You know: educator,

coach, cheerleader, idea generator (hey, I'm having this particular problem, and you basically want ideas), and sometimes you just want an ear, you want somebody to listen to what you have to say. So please go out, become a mentor, and go find people in each of these categories. It will help your career, it'll help you from not getting burned out in this field. This is a real benefit. Okay, final thoughts before I show you the list of good links: a job is something where someone else controls your investment in your future. That kind of feels uncomfortable, doesn't it? Okay, a career is something where you define your future, but you work with the

company you're with to get investments in what your future education is. There was a presentation earlier today that showed that education, training, is very important, especially when every three years the technology changes. You know, it's kind of like a physician going, yeah, three years ago the heart was here but now it's over here. So things have gotten really weird. Also, if you want to be in this field: be the noun, but you have to be the verb. You have to take action before you can say you're a security professional. And there will be a day that you go, holy schnikeys, I'm doing some really cool stuff, which can be had over an adult beverage. Okay, some

resources, because these are the things that I get from the mentees, the interns and other friends, which is: where do I get training? If I go to this link, I can find out what training is available for my subcategory that I'm interested in and where it is located. That's pretty cool. We've never been able to do that in the past, and it's really hard to find some of these really unique training things. Next thing: two major links. If you're going back to college, if you have kids or grandkids that you want to get in the field and they're looking for money and they want to be in this field, there's two opportunities that, would you

go through the system, you could have your, you know, bachelor's, master's and PhD in some cases paid for. So these are things that are really, really important. The next one: if you're a veteran, any veterans in here? This is awesome. These are free classes online; sign up for them. If you're a government worker, a state, local government, this is also available to you. You have to sign up and you go through the process. Sorry, those that aren't in that community, but this is important. Community college: anybody part of a community college, go to community college? Okay, so if you do, here's a set of links that you can give a professor and say, look, you can teach

one course in cyber security, you can even just have a meetup about information assurance, so people can see if they want to be in this career. Pretty cool. K through 12: one of the biggest problems this community had is we went from being kids to having kids and then realizing that during that period we didn't have new kids coming into the field. So we actually had this gap of many years where we didn't bring people back into the field. Here are resources to bring your kids in. Personal note: I brought my three nieces to a hacker con that was at MIT. Two are going, one's going to school for, as an EE, the other one's a mathematician, the other

one's thinking about going into robotics. Okay, introduce the girls, introduce the boys to this. This is amazing stuff. By the way, does anybody hear of r00tz? That's DEF CON's conference for kids. On the BSides side there are the for-kids and the hacker kid cons on about a third of the particular conferences around the world. These are really cool. I have friends in the audience that have brought their kids to it and have just gone nuts. This basically then got them interested in all kinds of things. By the way, this includes teaching basics of cryptography, tearing apart computers, wireless security. I mean, this is awesome for kids, and they'll teach you something. Okay, if you're a recruiter, here's two

links for you: that DHS PushButtonPD, awesome stuff, and also the career development toolkit, to simplify the development of the job requests and also help you help us get into this field. Oops, sorry, did it, I just flipped it. You get it? Cool. Okay, building labs. This is a link; go home, please take this, go home, whenever you get home go try each of these labs. Literally, you will learn a piece of every single job role by playing with these labs. I chose them specifically for offense/defense, forensics, penetration testing, attack tack validation, intelligence Sonny. Basically it goes through everything. Next one: professional branding. You have a brand. As you get into this field, your LinkedIn

is your brand. Go do your LinkedIn. 11 steps to create a professional WordPress: go do that. I have a blog that goes back to 2000 right now. That's pretty fun. That's pretty much just one or five times a year, putting my comments and my references. Security conferences: go find security conferences. A lot are more expensive. BSides: I'm a big proponent of these sites. Shout-out to BSides DC, Delaware, Philadelphia and lots of others. They're low cost or free. Oh, by the way, all these conferences, it doesn't cost much if you volunteer. Okay, by the way, anybody want to take a SANS course? They have a volunteer program which costs you a lot less. Okay, so

there's a lot of resources. The other thing: how many people know Linux? How many people know it so well that you can do kernel work? Okay, so the Linux Foundation has a bunch of free courses, like free Kubernetes and learning shell and things like that. These things are free. Yes, you can put in a hundred dollars and they give you a certificate and you can put it in your resume, awesome, or you can learn and become a kernel hacker, and they have all the details there. Okay, lastly: there is no real shortage, in my opinion, in this field. What the problem is is a mismatch between our hiring folks and what you guys need for your careers.

And that's it, I'm done. I've been cut off. Do I have time for questions? One question. Sorry, somebody behind you... can you stand up? I can't hear you, please.

It depends on the company and it depends on the job area. I'd suggest to go into the job area, the geographic, and see what specific title you have, to see if they're looking for PhDs, master's or just having an associate's. Okay, some of those are different for every single career path. You know, go take and get a degree, but understand this: for your first job or your second job, consider that a way of helping you make that decision. Okay, I'm gonna go right outside, because this wonderful lady is next, and I hate to walk out and not see her presentation, but I'll see it on video. Hi. Thank you so much, really appreciate it.

[Applause]