
Destination Unknown: Career Musings Of A Former [Redacted] Agent by Sam Humphries

BSides Leeds, 34:46, published 2023-07
Category: Career
Style: Talk

Transcript [en]

Hi everyone, lovely to see you all, and your lovely little avatars. I do like Gather Town, super cool; it's much better than just doing a glorified Zoom call, as we can walk into each other and through each other and stuff. So this talk, in its first year, was in a skate park, in the dark, in the cold, and it rained in the building, and by the time it was time for me to present I was wearing a ski jacket because it was that freezing. So thank you, Leeds, for being warmer and not having weather inside buildings that really shouldn't be inside buildings. During the talk I'd like you to try and figure out what sort of agent I was. You could obviously cheat and just go straight to my LinkedIn and have a look, but let's pretend you haven't done that, because you're great people and you don't cheat. No, no.

Okie dokie, right, a bit about me. I know some of you, I'm sure, that are in the Gather Town right now, but if we're not friends yet, now we are. I am head of, I'm going to say the M word, marketing and security strategy at Exabeam for EMEA currently. I've been doing this way too long, 23 years, so hopefully I've learned something along the way. During that time I've had real jobs. I always say that I'm a sort of pretend marketer, but I've also been doing that for seven years, so maybe I am a marketer, who knows. But I've worked in support, I've worked in incident response, I said sorry a lot when I was at McAfee (they didn't give me a business card that said Chief Apology Officer, but it felt like they really should have done), and I did product management there as well. I feel like I'm infosec mum sometimes, and I also have some offspring, so more about that later, actually, because it's kind of relevant to one of the bits. I play records; I even did some CDJs at Cyber House Party this week in London, which was the first time ever, and I played 80s music, which I think Mark Avery likes secretly, but maybe not, who knows. I love a bit of old school malware: you want to get down and dirty on some rootkits or any of that kind of cool stuff from years ago, when the library of malware lived in a book, and I have the book in my downstairs toilet still at home. Bragging: undefeated three times Bang Face air hockey world champion. If any of you have been to Bang Face you'll know that's quite a feat. I hate liquorice, I love BSides, and you can find me on Twitter, so let's be friends.

Alrighty, this is what I said we would talk about: something about a redacted agency; transferable skills, which I think will be great for those of you who are kind of crossing into the industry or are panicking that you need to know how to code before you can do anything in cyber security, because that is [ __ ]. You don't need to be able to code. I haven't written a line of code since 2006, and the code that I did write then probably wasn't very good either. How to find opportunities; how to tackle imposter syndrome, as much as I can tell you. I still suffer with it a little bit, despite going on stage a lot and talking too much and waving my hands around in front of, generally, memes.

Okay, this is not the agent that I was. Maybe it was, who knows. No, that's not me. I was not a secret agent either. Or was I? This could be a lie. Wasn't this sort of agent; would have been kind of cool. Not right. And also was not an estate agent, so that's good. I think you'll appreciate that there are no estate agents living inside me that I'm aware of. I don't know why this is in the slide deck, it was there from last time, I left it in, but still. Big that bag of notes. I'm not Prince Andrew, thankfully. And everything really is down to John McAfee. I wouldn't be talking to you now if it wasn't for John McAfee, and I do have a slightly weird obsession with him, but I started my career at McAfee because of the agency that I worked with previously, and I do have a blanket just over my shoulder with John McAfee on it, so if you want to talk to John McAfee, let's do that tomorrow, or indeed later in the Gather Town.

Moving on quickly, this is where my world started. If you know what these are, your back hurts, I guarantee that. My nan decided that a Spectrum might be a good idea when I was about four, so the box turned up, and the box stayed in the room for a little bit because I was four, but it wasn't too long until it came out of the box and we started playing with it, and on tapes. She decided that there might be something in this kind of thing after all and brought a BBC Master into the house, because she worked at a disc copying company way back in the 1980-something, and then when I went to school we had one at school as well. It was very cool, but the headmaster decided that I was a liar when I told him that I had one of those things that he would wheel around on a trolley, because he was the only person allowed to wheel the trolley, and he rang my mum and said, "Sam's a liar, she doesn't have a computer," and my mum went, "Wrong, she does have a computer, in fact she's got a double disk drive, so go away, man with one disk drive." So that's how it started. I have no degree, I have no qualifications outside of stuff that I've picked up as I've gone through infosec, I don't have a CISSP, there's plenty of things I don't have, but I did have a very curious interest in these things, and indeed things that have evolved from this, and that really is kind of how I got here, with also a bit of blogging, probably, the agency, which is very, very important, and just loving computers, because they don't lie, really. I like the fact that they think fairly logically, and straight lines is good, and you can have a lot of fun with them and do cool things.

But I wanted to be, initially, Kate Adie, so again, if you know who Kate Adie is, your back hurts. Kate Adie was a war correspondent in the 80s; in fact, she went to Tiananmen Square and stood there, and in fact was shot in Tiananmen Square, only a little bit. I know being a little bit shot sounds strange, but she was grazed by a bullet in Tiananmen Square, and the rule was, if Kate Adie turned up in a war zone you knew it was bad, and I thought that would be a great career. Unfortunately I'm not doing that, and no one's shot me today, so that's good. Yes, anyway, I'm in Leeds, who knows, could be worse, could be Manchester, sorry Manchester people. But that's what I wanted to do. I wanted to be a journalist, I wanted to go out and highlight truths and really get the news to people as to what was happening in the world when things went bad. So if you squint you can kind of draw a little line there. But the point here really is, and I think this counts very much for cyber security, you might start off thinking you want to do one thing and your career can end up going all over the place. It really can, and things will pop up as you go. If you think, "I want to go work in cyber security but I don't really know where I want to go," first of all there are some great people who've been doing this a short amount of time, a medium amount of time, and probably way too long, and have painful backs, that will be able to point you in the right direction and at least give you ideas about what you might want to do. And even if you do that for a bit, you don't have to stick to it. That's the beauty of this industry: there are so many ways you can go, and not all of them have to involve tanks, so that's good.

All right, let's go back in time. I told you I like old school malware. When I was at [redacted] agency there was this company called McAfee that I worked with, and there was a bit of a big virus outbreak that went on called Melissa, that was rather exciting, and it sent a lot of emails out. Mass mailers were definitely the virus du jour, I guess, the zeitgeist indeed, of the very, very early 90s. Mass mailers were a thing, very much so, and they would go through the address book, they'd send out lots of things. Sometimes it would be something exciting like a bit of porn, sometimes it would just be copies of itself to try and spread more, sometimes with a payload, sometimes it was just making a noise, or trying to make email servers fall over. Lots and lots of different ones. Melissa hit whilst I was at the travel agency, and it was, there we go, very difficult to get through on the phone.

So these are the things that people didn't know they needed at the time, that McAfee sold. So, antivirus: that sounded like fun; people would tell us that they didn't need it because they didn't have viruses. We sold something that was ultimately a hacker in a box; at that time nobody knew they needed it. This thing could do a very rudimentary, like, automated pen test, and it was pretty cool, but what was a pen test? No one knew. We did encryption that was free, so you could steal it; no one knew they needed that. And then we had this brilliant thing called Sniffer, which had nothing to do with dogs or drugs, that would actually go and look at your network, and it would be able to sniff what was going on on the network and send out loads of cool reports, horrible UIs, and often with disks that you would have to predict, you tried, so again, you know what that is, sorry about your back.

Support was really, really cool. You'll find many people in cyber security have had some sort of background in a help desk, maybe in an agency at a help desk, who knows. Tech support is a good way to get your chops sorted out. You learn a lot of skills in support; you learn how to deal with angry people. And for all of you who phone the support desk, or message them, because who phones people anymore, and you know you're having a bad day, your computer's being a prick and you're raging: please be nice to support people, because they are there to help you and it's generally not their fault, but it's very easy to get rage at them. And log files do take a little bit of reading sometimes, so, you know, patience is good. That said, I hate bad customer service, so that's when I will get really cross. But yeah, eight years in support, at a time when being a woman in support was very, very strange. I mean, there were some of us; we had four in our support team, which actually was quite high out of a team of maybe 40. For those of you who know Rik Ferguson, Rik and I used to work in support together way back in the day, when he had short hair. He didn't have short hair; he looked exactly the way he does now, the man has not aged. But very often I would get people saying, "Hello, would you put me through to your support please," and they'd be very surprised that I was a support person because of the toilet that I use. So there we go.

This is what the world looked like in those days. I would run around with paper that said, this is today's virus outbreak, this is what you're dealing with. We even had to, practise is, your back will hurt soon, we had to fax, sometimes, the code over for people to hand-write their own update files from the numbers that were on that fax, because they were completely down to the outside world, and that was a world. It was fun, happy days. But we did support at that point and we had people who were product people, very good at working on product problems, and we had also people then working on virus outbreaks, who also did products. Not everybody is of that mindset: dealing with virus outbreaks, or indeed breaches or incidents, is a different mindset to potentially being support for a product. And also we had terrible management, and we had something called the Tier 2 Circus, which was every time they came back through to see us they would say, "You just get back on the phones please, because we can't deal with stuff," and we would play this, which is lovely. Please work, Sam, have a moment. So there we go, that was what working in Tier 2 was like, it was a circus, lots of coming in on weekends. What are weekends? Who knows what they are. But nonetheless, I find support people, until they get too jaded, are generally good people who want to help, so it is a good route in.

I've been in vendorland for my entire cyber security career, pretty much, so vendor is an option. Vendor also pays quite well, it's a secret there, so they can be a good place to go. The vendor thing can be a bit pluses and minuses; some people hate vendors; there are some bad vendors out there, I'm not gonna lie. Exabeam are not one of those, I love it. But it can be a good route in, as well as going to do cyber security for the reals at, you know, just a normal organisation that's not a vendor. Vendors also need cyber security people too, to run their own cyber security; that is the thing that gets missed quite often in the thought process. So I'm a big proponent of vendorland. If you do do a support type role and you're expecting a Monday to Friday nine to five, that's interesting. Good places will always make sure you get your time back.

Something that we lived with for a while, that then evolved into this, is kind of the precursor for ransomware: it was fake AV. It looked like it was antivirus software. These things were popping up all the time, and I went over to McAfee Labs and said, look, we've got this, this is basically an outbreak scenario, this stuff is everywhere. And they said, no, no, no, no, outbreaks all have the same MD5s, so they all have the same hash, the files they drop will look the same. These things are server-side polymorphic, so they are changing the types of files that have been dropped across machines; it's not an outbreak, these are all individual infections, sorry about that, we can't call it an outbreak. So I stood there and shouted at people for quite a long time until they listened. But this was before ransomware. Pain in the ass: it would pop up on your machine, would lock your machine, pretty much; you wouldn't be able to do anything until you paid money, and it was money then, not Bitcoin, for someone to fix it. They'd have a customer service number, you'd ring up with your credit card and they would unlock your fake AV so that you could go back to your computer working again. Lovely side story from this was a lady that I spoke to when I was in support who had rung a company, weirdly in South Africa was where the customer service for the fake AV vendors, but this one, was based, and she didn't have a credit card, so the scammer very kindly said, look, you've tried, at least you phoned up, I'll give you the benefit of the doubt, here's the key to unlock it, sorry about the fact you can't pay us any money. So not all cyber criminals are horrible; some of them probably, nicely. Okay.

[ __ ] got very real, not gonna lie. When you're working in incident response, if that's the route that you choose to go down, there is a huge knock-on effect quite a lot. It's not just turning on the organisation you work for; if you work for an agency that does that, then you'll find out very quickly that business impact isn't always just people can't get to computers. It can be people can't get to computers, and then what can't they do? The biggest one I ever worked on was, well, actually the biggest, biggest one I ever worked on was Aramco, that was pretty catastrophic, but on the support end of things, at this point, I worked on an outbreak of Pinkslipbot which went across five hospitals in the Netherlands, and they had people they were going to have to move out of intensive care. So if you ever think about, like, what's the benefit of working in cyber security, the work that you do and the impact that you can have can literally mean life or death for people. So, serious moment there, despite the meme. You know, it's not just a case of fixing code or getting computers back up again; that knock-on effect can be absolutely vast. And when you get people through the other side, they didn't have to move people from intensive care in the end, we didn't, to my knowledge; I think the whole hospital managed to continue functioning, but only just. But we did get them back to normal, and that was a very, very rewarding moment.

This thing popped up quite a lot. Good old Sality. This was a file infector; you still see this in banks quite a lot, in fact it's probably still out there, I think, somewhere. Often you'll find in support roles, when you're trying to tell people what to do, sometimes they don't really want to listen to you because you're just support; they want to talk to the vendor. Skip through that. Hang on, let's not skip through that, because Conficker is important. This was another one we saw a lot of. You know how many XP boxes I found on Shodan this morning? 110, very quickly, without doing any real effort: 110 XP boxes sitting there waving their asses about in the breeze. Conficker was another thing that was very rife in these times, and actually was a good way for people to get budget. For those of you who want to move to the heady heights of, like, CISO, some of those kind of roles, budgetary authority, you'll find that a decent infection or a decent breach that actually shows people the value of what you do is a great way to get budget, because if you're being thought of as a cost centre, which often cyber security is, by really badly misinformed boards or C-suite people who think that cyber security is just a nice-to-have or a thing you can do cheaply, once you've been hit with something, which is not a nice experience, I promise you, generally in the aftermath you'll find people actually want to give you money to be less bad at stuff. So that's a plus, look forward to that. Please don't have XP boxes on your network. I put this on Twitter earlier and somebody was talking about the fact that they had been asked to support Windows 98 boxes in a recent RFP, so there we go, some things will never die.

This happened a lot. Being in support, people wouldn't listen to me; then I went to McAfee Labs and they would, even though I was the same person telling them the same things. But job titles weirdly do sometimes matter, not always. But it was a lot of this: sometimes it was dealing with bad misconfigurations, sometimes it was waving my hands around being Gandalf in the middle of very, very exciting wars, and then a lot of times it was saying sorry for something that somebody else had done that wasn't my fault. But I'm good at that, so sorry about anything that you've ever done, I can do that for you. Incident response is a lot of fun. If that's the route you want to go down, let's talk about that, because it is a ton of fun. You have to like coffee slash caffeine slash, don't like hardcore drugs, you'll be really bad at it, but definitely sleep is a lovely luxury; you do it when you can.

Product management is another place you can go to in cyber security. This was a place I went to because I'd had enough of incident response, from being tired. Again, it's very rewarding because you can start to build things that people need to be better at cyber security, hopefully, if you work for a good place and if you spend a lot of time talking to customers about what they want. I had one product project that was so bad, that was badly executed, that when I turned up I lost my [ __ ] completely with McAfee at that point, not John, he wasn't there anymore, but it hit the point that I actually decided that childbirth was a better option. So we released the product the right way three days before I gave birth to Trinity, so that was a lovely moment in time. Product management can be really cool, and again it's one of those roles that you can do without needing to know how to code. There's a lot of people skills involved in this, as well as understanding how technology works and how problems work, but I'd say product management can be a really good career path in cyber security and one th