How to Become an InfoSec Autodidact

The information security industry can often feel inaccessible to outsiders, particularly those without a computer science background. However, there are ways to quickly dive into the field regardless of your background, many of which just require a time investment. I’ll talk about the numerous infosec careers available, how to network with community members, and how to build a knowledge base that is sustainable for the ever-evolving field.

Presented at DuoSecurity's Duo Tech Talk

Kelly Shortridge

November 11, 2016
Transcript

  1. Agenda
    My goal is to help you figure out where and how to start your learning journey by answering:
    - What careers are there?
    - How do I learn more about the field?
    - How do I meet people / network?
    - How do I stay current on industry trends?
  2. Who am I?
    Hi, I’m Kelly Shortridge
    - Doing exciting things on the product side of infosec
    - Co-founder & COO of IperLane, a security startup
    - Previously advised infosec companies on M&A and private capital raise deals
    - No technical background
    - Built a knowledge base and network within infosec from scratch
  3. The “you can’t sit with us” myth
    InfoSec as an industry can seem opaque, insular and unapproachable. In reality, it’s a growing field offering exciting opportunities for a variety of skill sets and interests, not just with cliquey “mean nerds”.
  4. An overly cautious word of caution
    InfoSec can be a pessimistic field, since ultimately there’s no easy fix and it can seem like everyone is doing it wrong / nothing’s improving.
  5. InfoSec = Opportunity
    Diverse potential paths to follow within infosec, with growth opportunities:
    - Application Security
    - Compliance & Policy
    - Incident Response & Data Forensics
    - Network Security Engineer / Ops & Monitoring
    - Penetration Testing
    - Security Architecture
    - Security Solution Development
    - Vulnerability Research & Reverse Engineering
  6. InfoSec = Flexibility
    Roles often overlap and have fuzzy boundaries
    - Cover different aspects of the lifecycle of security operations
    Some areas of study are broadly applicable:
    - Data Science
    - Math
    - Network & System Architecture
    - Software Development
  7. Not all security companies are the same
    Working at a security vendor could involve disparate experiences:
    - Mobile security vendors (like Duo!) might require knowledge of mobile internals
    - Security consultancies might require more “people skills”
    - Startups will have faster development times and less clear product direction, but a greater chance for big innovation
    - More mature security vendors will have a clear product / market fit, so greater certainty but likely less innovation
  8. What does a “Security Engineer” do?
    Oftentimes the title is “information security engineer” or “information security specialist,” which is admittedly pretty vague
    - Typically a “generalist” role touching security strategy, risk management, security architecture, incident response, etc.
    - Requires a CS degree plus general knowledge of security practices, architectures and tools
    - Good starting role to get a sense of what specialty you might prefer
  9. Skill Sets – Example #1: Network Security Engineer / Ops & Monitoring
    - Understand network design & architecture
    - Familiarity with security tech – IDS/IPS, SIEM, firewalls, vulnerability detection & remediation
    - Develop custom tooling for security monitoring
    - Some knowledge of machine learning is a plus
  10. Skill Sets – Example #2: Application Security Engineer
    - Audit applications for vulnerabilities (XSS, SQLi, logic flaws, etc.)
    - Understanding of application architecture
    - Help development teams implement SDL, optimize processes
    - Build tooling to improve testing & auditing
    - Example languages: Java, PHP, C / C++, Objective-C, Python, Ruby
  11. Skill Sets – Example #3: Vulnerability Research & Reverse Engineering
    - Analyze malicious code, shellcode, packed & obfuscated code
    - Identify attacker methodology
    - Strong math abilities, particularly graph theory
    - Familiarity with IDA Pro and user & kernel-mode debuggers
    - Languages: Assembly (x86 & x64), C/C++, Python
  12. Skill Sets – Non-Tech
    Don’t be a jerk, don’t be a jerk, don’t be a jerk
    - Have respect for the non-security people at your company…
    - …and listen to them! What are their challenges? How can security work with them rather than being the “no” people?
    - Assume you have a lot to learn (you do)
    - Sexist, racist or other -ist jokes have no place in the workplace – you may be the next Mark Dowd, but no one will want to work with you if you don’t respect others
  13. Potential employers
    Major hubs include SF, NYC & DC – each city has its own “flavor” driven by its employer base, though the need is nationwide
  14. Broader applicability
    Security can serve as a differentiator in non-sec roles
    - Anyone in the development process (design, UX, etc.) should have the ability to consider the security implications of their decisions
    - PR, legal and finance personnel should understand their organization’s security risk profile
    - Product managers (often with liberal arts degrees) can better understand customer and engineering needs
    - Security vendors themselves need all the typical non-sec functions
  15. Find your purpose
    Intersection of what you love doing, what you’re good at doing, what is paid for and what the market needs
    - The talent shortage and the known need for infosec mean you can focus on what you love and where you excel
  16. Where to start?
    Regardless of whether you’re a complete beginner, switching fields or have already successfully entered the field, there are plenty of ways to acquire knowledge and skills
  17. Online education
    There are now tons of online resources available for learning languages, development and data science
    - Some free, some paid (often you get a certificate)
    - Consistency is key; set a daily goal for practicing
  18. Old-school resources
    If you prefer the more traditional book approach, try:
    - The Art of Software Security Assessment
    - Hacking: The Art of Exploitation
    - The Shellcoder's Handbook
    - Android Hacker's Handbook
    - iOS Hacker's Handbook
  19. CTFs & other games
    Allow you to improve & show off your skills
    - CTFs: DEFCON CTF, CSAW CTF, Ghost in the Shellcode, MITRE STEM CTF, NECCDC, picoCTF
    - Wargames: Hack this Site, Over the Wire, Smash the Stack
    - Reference list: http://captf.com/practice-ctf/
    - Vector35: free challenges via hackable video games
  20. Hacking for fun (but maybe not profit)
    Junk hacking or “things” hacking can be a fun way to learn
    - Figure out how to hack a mobile game to get unlimited lives or energy, or create cool desktop game mods (e.g. Skyrim)
    - Mike Coppola gave an amazing talk at Summercon 2014 on reverse engineering a Furby
    - So many “smart” things out there now to try to hack
    - Lots of guides online for interesting Raspberry Pi projects, too
  21. Conferences
    Cons are often how people stay in touch
    - Check out talks, or find them online (Black Hat, CanSecWest, HitB, Troopers all have archives – highly recommend this avenue)
    - Social events – great for networking
    - Parties requiring challenges (Caesar’s Challenge at BH/DEFCON)
  22. Meetups & local events
    - Meetup.com is a great aggregator of different meetups in your locale
    - Duo Tech Talks here in A2 :)
    Find local events to explore different areas of interest, learn or practice skills and meet new people
  23. Trainings
    - Practical education with a focus on specific professional roles in infosec
    Training sessions can quickly bring you up the learning curve, but typically are expensive ($2,000 - $5,000)
    - Conferences aggregate trainings from a variety of companies, though additional trainings are generally held year round as well
  24. Research papers
    Explore emerging areas of research (though academia often lags private research)
    - arXiv
    - IEEE
    - Microsoft – Security & Privacy Research
    - PoC or GTFO
    - Reddit.com/r/NetSec
    - USENIX
    Make note of particular topics you find interesting and don’t be shy in contacting the authors directly
  25. Industry guides & compliance
    This part can be perceived as boring, but it can be valuable for understanding the basic “blueprint” of a security program and what compliance requirements exist
    - PCI, HIPAA, etc. – either official guides or writeups by people who ELI5 them
    - Vendors often publish basic security guides, e.g. mobile security, cloud security – take them with a grain of salt because of bias
    - Organizations like the Cloud Security Alliance have guides that are less biased
    - NIST publishes its security standards and other documents on the topic
    - Some con presentations are more about “here’s how we operate our defensive security program” vs. vulnerability research, so look out for those
  26. Step 1: Trust
    InfoSec is a trust-based industry. Don’t violate trust, and be wary of those who do.
  27. Networking strategy
    Get as many “at bats” as possible & follow up
    - Meet many people across various areas of expertise, employers & career stages
    - Not everyone will be responsive, so you need to maximize your hit rate by trying to connect with more people
    - Expand your network by asking new contacts (politely) if they know anyone you should meet based on your interests
    - Be humble – recognize you are but a padawan
  28. Talk to different types of people
    Try to talk to people with different roles in infosec
    - Infosec “rockstars” (i.e. vuln researchers) are lovely (maybe a stretch) and can give you a great perspective on the bleeding edge
    - CISOs and in-house security experts can tell you how defense is done in practice vs. in theory
    - If you want to work at a security startup, understanding the problems of buyers is key – what their day-to-day challenges are, what keeps them up at night, how they buy products, etc.
  29. #hatersgonnahate
    Don’t let anyone convince you that you won’t be successful or don’t belong in the industry
    - People like passion and want to support “winners”
    - Persistence is key (true of most things)
    - Define your own measure of success
    - You will bring a valuable perspective to the table, no matter your background
  30. Contact maintenance
    Regularly follow up, but be mindful of people’s time
    - People generally like getting a “free” coffee
    Even starting out, consider how you can be helpful
    - Try to maintain a 50/50 ask-to-give ratio
    - Keep an eye out for potential hires, introductions / connections or research they’d find interesting
  31. Make friends!
    This all sounds somewhat cold and formulaic – take the opportunity to make genuine friends as well
    - Shout-out to hockey, raid and snare for historically entertaining the brunt of my random questions
    - I’ve also given advice to friends on M&A, pitch decks, fundraising, stock options and other finance-y things
    - Friends help each other out and make your dumb questions feel less dumb
  32. Socializing
    Staying in touch and meeting new people helps enormously in knowing the “latest”
    - Not all research / projects are discussed online
    - Gossip and chatter can also inform you of career opportunities or new, interesting companies
    - Fills in gaps in news you might have missed
  33. Suggested news sources
    - Twitter – where the industry “chatter” happens… seriously, InfoSec ThoughtLeader-ing(TM) on Twitter is almost like a FT job for some
    - CyberWire – aggregates InfoSec news daily
    - Individual websites:
  34. Short InfoSec Twitter list
    @4Dgifts, @alexstamos, @aloria, @bcrypt, @c7zero, @chrisrohlf, @collinrm, @dinodaizovi, @djrbliss, @drraid, @egyp7, @esizkur, @evacide, @halvarflake, @haroonmeer, @hdmoore, @headhntr, @hypatia, @jessfraz, @jessysaurusrex, @jonoberheide, @justinembon, @mattblaze, @matthew_d_green, @mdowd, @nils, @nudehaberdasher, @pencilsareneat, @pinkflawd, @quine, @RCISCwendy, @runasand, @s7ephen, @semibogan, @snare, @thegrugq, @violetblue, @WeldPond, @window
  35. You do you
    - Consistently build your personal portfolio of skills, experience and industry connections
    - The field is rich with options, so you’ll likely find a role you enjoy and in which you excel
    - On the infosec industry treadmill, remember that it’s a marathon, not a sprint
  36. A closing quote
    “Work as hard and as much as you want to on the things you like to do the best. Don't think about what you want to be, but what you want to do.” – Richard P. Feynman