A Career in Information Security as Described by Animated GIFs

This presentation will provide some insights (and funny images) to help explain what life is like in information security and some tips to make you a better candidate for roles. If you're in college and looking to get a few pointers, this may be worth a few minutes of your time to review.

Mark Stanislav

October 14, 2013

Transcript

  1. Your Presenter, In A Few Bullet Points
     ‣ 12 years of experience with roles in UNIX systems administration, PHP/Ruby development, and many areas of information security
     ‣ B.S. in Networking & IT Administration (EMU)
     ‣ M.S. in Technology Studies, Information Assurance (EMU)
     ‣ CISSP, Security+, Linux+, CCSK certifications
     ‣ Presented for around 50 conferences/groups in the past three years
     ‣ Currently the Security Evangelist at Duo Security in Ann Arbor
  2. What Are We Doing?
     ‣ I’m going to talk about having a career within information security!
     ‣ This will be done with GIFs from an awesome site found at http://securityreactions.tumblr.com/
     ‣ Questions are encouraged as time permits. You can always reach out to me afterwards as well via e-mail, Twitter, etc.
     ‣ Let’s warm up...
  3. Many Roads To Go Down And They Always Converge
     ‣ Even if you start your career as a network engineer, system administrator, or web developer, you can still be “in infosec”
     ‣ Don’t think you have to be an “ethical hacker” to participate or be well regarded in the industry
     ‣ The experience you can gain being in one or more of these roles can result in huge advantages over your security-centric peers
  4. Don’t Believe Me?
     ‣ Understanding how a technology works by either developing for it or having to defend it puts you way ahead of other attackers
     ‣ There is entirely too much emphasis on how to use tools in modern information security curriculum -- build stuff / break stuff!
     ‣ Tools are always getting better, so that means you need to continually bring more to the table to be an in-demand hire
  5. Not All Of Information Security Is Hacking
     ‣ There are plenty of high-paying, somewhat technical jobs in security like being an auditor or on a digital forensics team
     ‣ The mindset of a hacker can easily be applied within different roles, not just writing exploits or cracking passwords
     ‣ Information security professionals have many ways they can pivot in a career; don’t get frustrated, be creative with your skills
  6. Roles In Information Security... A Short List
     ‣ Penetration Testing
     ‣ Web Application Security Review
     ‣ Cryptography
     ‣ Security Analyst
     ‣ Security Architecture
     ‣ Vulnerability Management
     ‣ Standard/Regulation Auditing
     ‣ Vulnerability Assessment
     ‣ Digital Forensics
     ‣ Policy Development
     ‣ Network Security Engineer
     ‣ System Security Engineer
  7. Don’t Plan Your Career For One Niche
     ‣ If you plan your entire information security career around one singular aspect you think you’ll always enjoy, you’re cheating yourself out of a lot of great career paths
     ‣ Being a “jack of all trades” isn’t a bad thing; it makes you valuable
     ‣ I call a fixation with one sexy job role “Social Engineer Syndrome”
     ‣ Social engineering is almost always a part of a job in information security and not a job itself
  8. Information Security Can Be Stressful
     ‣ When you’re working on a client’s network, accidentally knocking over their production server, deleting critical data, or locking their team out can happen if you’re not careful
     ‣ Any idea how long you’re going to stay employed carelessly running automated tools? =)
  9. The Reality Of Being An Ethical Hacker
     (two GIFs, captioned:) What many people think it’s like / What you usually feel like
  10. Spending Your Day As An Ethical Hacker
     (pie chart:) A Typical Security Engagement
     ‣ Hacking 45%
     ‣ Recon 25%
     ‣ Reports 20%
     ‣ Calls 5%
     ‣ Emails 5%
     (GIF, captioned:) ...but what it feels like when you own a client’s network and/or data
  11. Certifications
     ‣ If you’re looking to get your first job in information security, certifications are a great way to set yourself apart from peers
     ‣ After you have a career, however, most people only get certifications if they have to per their employer’s request/need
     ‣ Having a certification does not make a person an expert
     ‣ While we’re on the subject, PLEASE do not put “expert” anywhere on your resume. Seriously.
  12. Learn To Hack And Then Learn To Automate
     ‣ Try to attack an application before scanning it for known issues
     ‣ Being able to find an issue rather than being told there is an issue makes a better attacker
     ‣ Once you find a vulnerability, try to write a custom exploit
     ‣ Knowing how to exploit a SQL injection issue means way more than knowing ./sqlmap -u
     ‣ Make a “lab” with penetration testing virtual machines to learn!
       ‣ http://pentestlab.org/10-vulnerable-web-applications-you-can-play-with/
  13. Try Your Hand At Security Research
     ‣ Scour GitHub, SourceForge, and Google Code for applications that contain vulnerabilities... then responsibly report them!
     ‣ Have an IP camera on your network? How about a “Smart” TV?
     ‣ Does your company have a security team? Volunteer to test code.
     ‣ Have friends/family with a business? Ask to evaluate security.
  14. Participate In Team Activities Like Capture The Flag
     ‣ Information Security Talent Search (ISTS)
       ‣ http://www.sparsa.org/?q=node/5
     ‣ DC3 Digital Forensics Challenge
       ‣ http://www.dc3.mil/innovations-outreach/dc3-digital-forensics-challenge
     ‣ Cyber Security Awareness Week CTF
       ‣ https://ctf.isis.poly.edu
  15. Tips To Maximize Your Career Potential
     ‣ There are lines to not cross. Don’t break into anything without permission, even if you have the best of intentions in doing so.
     ‣ Be humble. There are plenty of people who know everything you learn and about 100x more. Humility is a lost art in the industry.
     ‣ Learn how to explain yourself to non-technical people. It’s not their fault if they don’t understand you, it’s yours.
     ‣ Don’t say you know “how to hack”... it doesn’t mean anything.
  16. How To Keep Informed, Part 1/2
     ‣ Pay attention to information security news web sites
       ‣ Forbes Security: http://www.forbes.com/security/
       ‣ Threatpost: http://threatpost.com/
       ‣ SC Magazine: http://www.scmagazine.com/
     ‣ Read mailing list postings about vulnerabilities
       ‣ Full Disclosure: http://seclists.org/fulldisclosure/
     ‣ Follow security professionals on Twitter
  17. How To Keep Informed, Part 2/2
     ‣ Attend conferences around the area:
       ‣ B-Sides Detroit: http://www.securitybsides.com/w/page/33949981/BSidesDetroit
       ‣ Secureworld Detroit: http://www.secureworldexpo.com/conference/39
       ‣ GrrCon: http://grrcon.org/
     ‣ Attend security meet-up groups:
       ‣ #misec: http://michsec.org/
       ‣ ARBSEC: http://arbsec.org/
       ‣ MotorCity ISSA: http://www.motorcityissa.org/
  18. Funny Attacker Stories...
     ‣ Story #1: Medical Insurance Company - Penetration Test
       ‣ Very well coded web application was the primary point of attack... not much else to go after
       ‣ Almost gave up when I tried https://website.com/admin/ and “became” an administrator
       ‣ Gave the web developer his own password during the close-out call :)
     ‣ Story #2: Property Insurance Company - Penetration Test
       ‣ During Open-Source Intelligence (OSINT) gathering via Google, found a development web site
       ‣ The developer building their new web site had installed a plugin that had a vulnerability
       ‣ I compromised multiple user accounts and logged into their Intranet and e-mail systems