Getting Into Infosec

Steph is brand new to the infosec field! We go over her interesting and eventful path into Information Security, reflections on her role today, and some fascinating war stories! BIO: Steph is a Security Analyst for a retail company makes up the team of one. She has a background in journalism and web hosting. She is the creator and editor of StephAndSec.com, a blog focused on technology, inclusion, and lifetime learning. Stephanie's life work is to encourage and fight for more diversity and inclusion in tech spaces for more innovative and original collaboration. She spends her time mentoring high school students, hosting virtual labs via Women In Tech-a-thons, and learning as much as she can about anything and everything. Stephanie believes that giving back to the community at every stage is very important. In addition to technology, Stephanie has a secondary passion for Psychology, so don't be frightened if you hear her discuss cognitive distortions or attachment styles. She hopes to develop research that explores the dichotomy between human beings and technology. She is currently on a mission to speak at three events in 2019 and has already been booked for one event. Notes: Dreams of Creative Writing, but chose Journalism for practicality Encouraged to Computer Science by her mom Had her eye on Security, through IT or Web Hosting... eventually. A story of being so close, yet so far Was very close to giving up on the whole industry due to the difficulty and lack of encouragement... but was NOT comfortable with quitting. Quotes: "You have to talk to strangers about their story... you want me to walk up to a complete stranger as an introvert? Uh.. what?" "The type of person I am, I can't fully commit to something without getting my hands dirty." "The way that I learn is situational." "We had a vulnerability scan tool and so I just tried to work with that."  "It's kind of like what doctors have to do before they [can] become a doctor." "So many people are trying to get into the industry and facing the same issue. I've done all these things people have told me to and it hasn't gotten me anywhere." "Just do a bunch of stuff until it sticks!" "Twitter was one of the best... decision I made." "Get a champion that is more senior than you." "Don't count yourself out, before someone else has counted you out." "The lessons that are best learned are the ones that resulted in catastrophic failure." "When you want to be a lawyer, you go to law school, you sit for the bar. There ya go! There's a plan."  Links: Steph's Website: https://stephandsec.com/ Speaking engagement next year: https://2019.tabgeeks.com/speakers#steph Steph's Tech a Thon's: https://mailchi.mp/70c8010c3320/tech-a-thon-comeback WISP - Women in Security and Privacy: https://www.wisporg.com/ Intro - Cascadia by Trash 80: https://trash80.com/#/content/133/weeklybeats-2012-week5 Outro - That Night In Your Car - Spazz Cardigan: https://www.youtube.com/watch?v=1yzuoAOd238 ...

Today's episode is a reading of an amazing written by Kyle Kennedy, president of brainbabe.org. The reading is performed by Allison, an IBM Watson personality. I also go through some recent resources discovered to help you on your journey to a Career in Infosec. BIO: Kyle F. Kennedy is a social cybersecurity expert and president of brainbabe.org. His organization provides foundational soft-skills training for a small fee (supported by corporation donations) and plans to launch soft-skill Masterclasses in 2019. They helped organize an event called Day of Shecurity for women of diverse backgrounds to have one day of learning: tech/ hard skills, soft skills. They had opportunities for mentorship and guidance. Day of Shecurity was FREE to attendees! Links: Article: Stories, not resumes: Breaking educational and other barriers in cybersecurity Google Image Search for "cybersecurity" Associate of (ISC)² Adrian Kaylor's talk "Sales Engineering and getting into infosec" https://www.joesecurity.org/ Flaws2 City College of SF Cybersecurity Program CCSF Information Security (Cybersecurity) Analyst Apprenticeship Sam Bowne's Classes Article in IBM Watson's Expressive SSML used on the show Intro/Outro Music: Cascadia by Trash80 Full Text of Article: When you search for images under the key word “cybersecurity,” a familiar shot always turns up: a guy wearing a hoodie, operating in a dark room, fingers on a keyboard. I’d like to replace that image with…anything. To be a cybersecurity professional, you can be anything. And anyone. We’ve heard the statistics. There is currently a human capital crisis, with 1.5 million cybersecurity jobs available and no takers. The number is projected to balloon to 3.2 million by 2021. But who exactly are these cybersecurity professionals we are looking for? For so long, we have had our own definition of who can fit that talent. A good cybersecurity professional has to have a computer science degree. They must have solid professional background. They have to be male. This pattern of defining success has led us to the shortage we are experiencing today. It’s kind of like insanity, really: Doing the same thing over and over and expecting different results. What really makes up a good professional? Every human being brings a different experience. You need critical thinking and creative thinking, both. A variety of educational, ethnic, geographical, backgrounds. For example, cybersecurity is not the obvious career path for someone with a biology degree; however, a biology major might help throw a new perspective on cybersecurity given that advancements of technology will eventually interface with the human body organically creating a scary threat landscape. Often too we talk about cybersecurity in the context of oil and gas, or transport, or finance. Cybersecurity today and going forward, is a...

Elvis Chan is a Supervisory Special Agent Elvis Chan, who works cybersecurity matters for the FBI San Francisco Division. We discuss how we got into the FBI, Life in the FBI Cybersecurity Division, and how to get involved. The FBI is always looking for qualified applications for Special Agent and professional staff positions. Please see https://www.fbijobs.gov/ for more details. Notes: There are three main roles in CyberSecurity at the FBI: Special Agent (Gun Carrying Badge) Intelligence Analyst Computer Scientist It may be quiet on the outside, but you can bet the FBI is hard at work on the inside. Protection of the recent elections was discussed. The sheer number of people involved in protecting the elections from foreign actors couldn't be enumerated. Both the public sector and private sector are involved. In an incident response, there is often coordination with FBI headquarters and sometimes other 3 letter agencies. FBI San Francisco was the squad of record for investigating the 2014 Yahoo hack. Elvis goes into detail explaining more about Russian Hacking and how the FSB culture works. Placement in the FBI is based on a ranking system. Quotes: "There are a LOT of things behind the scenes I can't talk about." "If you see in the news that there is a hack, you can be sure that there is at least one, maybe two, maybe several, office mobilized to figure out what the heck happened." "On a regular day, I would love to just go through my email and have the scheduled meetings I'm gonna have." "Why are the Russians coming after us..." "Whatever happens to you... 'The Need of the Bureau'" "My current job, despite all the paperwork and meeting I don't want to go to is a 10 out of 10!" "People would not believe some of the stuff that we've seen or that we've gone through. They would make the worst movie plot because they would be so unbelievable!" Links: FBI Jobs: https://www.fbijobs.gov 2014 Yahoo Hack: https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions FSB: https://en.wikipedia.org/wiki/Federal_Security_Service InfraGard: https://www.infragard.org/ FBI Field Offices: https://www.fbi.gov/contact-us/field-offices See omnystudio.com/listener for privacy information.Mentioned in this episode:Stay In Touch

Clay Wells has been living in kernel/userland since Red Hat 4.0 Colgate. Worklife has primarily been in academia and has included programming, system administration, and information security. He's a point of contact for the DC215 group and one of the Blue Team Village coordinators at DEF CON. He also created unofficial CTF challenges for local hacker cons and organizers for the first annual WOPR Summit this March 2019 in Atlantic City. Clay, a security architect, musician, Defcon Blue Team Village Co-Organizer, and organizer of the first annual WOPR Summit, shares some really insightful tips on making it Information Security, as well as a fascinating recent war story. WOPR Summit is March 1st, 2019, in Atlantic City! Quotes: "My heart was racing... that was a huge rush, and that's when I was like yea... blue side F*** rocks!!" "Take a holistic approach to InfoSec, dive into the culture, different cons, music, people...volunteer, get out, get involved." "Learn a little about everything, then find what really interests you... and go for it!" "It's great to apt-get stuff... but try compiling a custom Linux kernel." "I'm a strong believer in embracing that creative side." "[Blue Team] certainly hasn't been the sexiest infosec job to have... yes, defense is what people want... there's a lot of defense work out there." Links: Clay Wells on Twitter: https://twitter.com/ttheveii0x Clay Wells on LinkedIn: https://www.linkedin.com/in/clayball/ Clay Wells Blog: http://www.cwells.org/ WOPR Summit 2019: https://www.woprsummit.org/ WOPR Summit Sponsorhip Prospectus: https://static1.squarespace.com/static/5b81b8f745776e48dcfb884d/t/5ba666dbf4e1fc68321a7a27/1537631964367/wopr-summit-2019-sponsor-prospectus.pdf DEF CON Blue Team Village: https://blueteamvillage.org/ Opensoc by Recon Infosec: https://opensoc.io/ Recon Infosec: https://reconinfosec.com/ BsidesDC: http://bsidesdc.org/ Graylog: https://www.graylog.org/ Kibana: https://www.elastic.co/products/kibana H.O.P.E Conference: https://hope.net/ No Starch Press: https://nostarch.com/ Outro Music by Clay: https://soundcloud.com/clayball/0x41-2-version-b See omnystudio.com/listener for privacy information.Mentioned in this episode:Stay In Touch

Robin Stuart is a debut author in cybercrime fiction with a short story called "SegFault" in the Sisters in Crime NorCal anthology Fault Lines, which is due in early 2019!!! Notes Wrote her first full-length mystery in the mid-'90s! Pitching is basically a job interview Honing your pitch You only get one shot at that first impression She has a backlog of stories to tell... Stay Tuned!!! (So Excited!) Links The New York Pitch Fest: http://newyorkpitchconference.com/ Mystery Writers: https://mysterywriters.org/ Sister in Crime Northern California Chapter: http://www.sincnorcal.org/ Paula Munier, Robin's Literary Agent: http://talcottnotch.net/index.php/agents/paula-munier Robin Stuart Full Interview: https://gettingintoinfosec/robin-stuart-from-paralegal-to-malware-researcher-and-cyber-crime-author See omnystudio.com/listener for privacy information.Mentioned in this episode:Stay In Touch

Robin Stuart started off as a paralegal until she was challenged one day to get her boss's password (hint: do not challenge Robin). Fast forward, she switched careers to technology but kept a lookout for a career in security. Bio Veteran cybercrime investigator and contributing author to the Handbook for Information Security by Wiley, Robin is a debut author in cybercrime fiction with a short story in the Sisters in Crime NorCal anthology Fault Lines, which is due out in early 2019. She consults on all things cybersecurity for Fortune 100 companies, television shows, and media outlets, including BBC and NowThis News. She was a significant contributor to the Tech Museum of Innovation's acclaimed Cyber Detectives interactive installation, one of the museum's most popular permanent exhibits, which earned praise from the Obama Administration. Notes Combination of Enthusiasm and Perseverance Creativity matters a lot! Setting up a home lab to train Robin's First "Hack"! EPIC! There isn't a linear path into information security, no need for a degree necessarily Quotes "[After] years of being a paralegal, I think like a lawyer and that's helped me very well" "My Google works a little better than other people's Google." Someone once asked Robin, "I've got an hour... can you teach me everything you know?" "Taught myself Assembly by writing a program all in assembly, just to prove to myself that I understood it." Links Robin Stuart on Twitter Robin's Upcoming CyberCrime Short Story Robin's Twitter Year Up Program Lexis Nexus DB Shellcoder's Handbook Information Security Handbook by Wiley Reversing Practical Malware Analysis Outro Music See omnystudio.com/listener for privacy information.Mentioned in this episode:Stay In Touch

Speaker Bio Rob Carson, the founder of Semper Sec, knows how to simplify the problem and deliver solutions. His clients base includes: Fortune 200 Companies US Government Contractors State and Local Governments Fuel Retailers Software and hardware manufacturers His distinguished career includes service as a Marine Corps Infantry Officer, as well as leading roles in IT and Security. Before devoting his work full-time to facilitating his client's success, he built highly successful information security programs for ISO 27001:2005/2013, PCI, HIPAA, NIST 800-171, GDPR. He also volunteers his time as the Chief Security Officer for BSIDES Las Vegas, a non-profit educational organization designed to advance the body of Information Security. Episode Highlights Matt reveals how much he made when he got out of the Marines Matt hilariously talks about the nuances he had to deal with when going to the private sector: Not saying "Sir" and "Madame" Figuring out what to wear How being early is too early Quotes "I wasn't getting shot at... I was working in climate control, you know, so people be all stressed out, and I was like, 'Well, no one's going to die.'" "I like to call myself a 'lessons learned enthusiast.'" "The hardest job you'll ever get in infosec is that first step in." "A first sergeant told me your hobbies should reflect part of your career." "You can be outside the box, but you need to stay inside the room." Links Sempersec: https://sempersec.com/ Rob Carson's LinkedIN Profile: https://www.linkedin.com/in/robcarson1/ See omnystudio.com/listener for privacy information.Mentioned in this episode:Stay In Touch

Matt Toth is a Senior Security and Veteran Sales Engineer. Having collaborated with the Department of Defense on War Games and advised senior leaders on possible cyber threats, Matt has two decades of IT experience with a focus on cybersecurity. With a passion for security, Matt is deeply engaged with the community to educate and prepare the next generation of cyber professionals. On top of that, he’s a good friend of mine in the industry with solid advice for those looking for a career in Information Security. In our chat, Matt breaks down a Sales Engineer’s role, explains his love of conference badges, and gets philosophical on issues related to those trying to make it in the field. Episode Highlights: The jack-of-all-trades nature of Sales Engineer work Matt describes one company’s dishonest approach to “AI” How a luxury car and stylish threads can make the wrong impression on your client Con culture and breaking through the shyness barrier Matt delves into #BadgeLife The surprising accuracy of Hackers and Mr. Robot How Matt’s art school’s aspirations shifted to IT InfoSec wargames and the “Russian nesting doll” scenario Matt encountered working with a client Why some companies prefer to live with a security problem rather than attempt to fix it Lastly: Have you been keeping an ear out for my Easter eggs? Listen closely Quotes: “I’m here, the customer trusts me to be here, and I’m gonna make sure that when they’re done, they’re happy with the situation so that they never come back and say, ‘Hey dude, you screwed me over.’” “You have to understand that you’re responsible for your own success. You can’t hide because you do have a quota.” “If you really don’t like the technology you’re dealing with, you’re not going to sell it well.” “It’s awesome... [and iconic,] that soundtrack is still incredible! On the way out to BlackHat this year, I watched Hackers on the airplane, and it was freaking me out… all of the attacks… are real world attacks we’re dealing with today still!” “When you’re meeting with your audience, understand who they are and understand what they expect.” “‘Hi, I’m Matt, and I’m an InfoSec addict!’ ‘Hi Matt!’” “If you’re just getting into the industry, recognize that all of us have our skill gaps. There is no one who knows everything.” “My thoughts on certs are, 'do you like to get paid?'” “Most insider threats aren't malicious: they're just people trying to do their job and oftentimes working around the system to try to be more efficient.” Links: Matt’s LinkedIn Matt’s Twitter - @willhackforfood Matt’s blog Splunk William Gibson and Neuromancer Grifter and #trevorforget Derbycon See omnystudio.com/listener for privacy

Christina Hanson is a security analyst working for Truvantis Cyber Security Consulting and one of my former boot camp students. She has extensive technical experience and a deep understanding of the collaborative nature of InfoSec, not to mention how women and other underrepresented groups in the community have a more difficult time navigating this industry due to institutional barriers. In our discussion, Christina touches on the wide variety of resources and events that helped her enter information security, why teamwork is just as important as technical work, and why InfoSec's responsibilities will continue to grow in the near future. Episode Highlights How Christina's aptitude for IT led her down the path to InfoSec The "elective" course Christina took that turned out to be career-changing Why cooperation and group work are so important in InfoSec The "soft skills" needed to work in security Infosec was not her 1st or 2nd career! An overview of Christina's day at Truvantis and how she works with clients Christina's experience at a SANS women's academy and the Day of Shecurity conference Why the InfoSec industry needs contributions from people from all backgrounds and how it benefits from diversity in general The increasing accessibility of conferences and other tech events for those who can't attend InfoSec's important role as companies have more and more access to users' data Quotes "I found that just the general atmosphere of security and the overall focus of what you're trying to accomplish was really helpful." "Anything you're gonna do in security, you're gonna do as a team." "Being open to learning new things is really important with this particular field." "Even if I don't understand everything they're talking about, it gives me at least a start and a basic understanding that I can then research later." "Being a professional in this field, it's so important that we are able to make other people safe." Links: Christina's LinkedIn: https://www.linkedin.com/in/christinahanson461/ Day of Shecurity: https://www.dayofshecurity.com/ SANS Women's Academy: https://www.sans.org/cyb Merritt College: http://www.merritt.edu/ Dr. Johannes Ullrich: https://twitter.com/johullrich SANS Daily Podcast: https://isc.sans.edu/podcast.html The Cyberwire Podcasts: https://isc.sans.edu/podcast.html OWASP: https://www.owasp.org Amanda Rousseau (@malwareunicorn): https://twitter.com/malwareunicorn Dead Drop SF: https://www.meetup.com/Dead-Drop-SF/ See omnystudio.com/listener for privacy information.Mentioned in this episode:Stay In Touch

0day (&ldquo;Zero Day&rdquo;) is a security researcher who specializes in distributed systems security. Throughout his career journey through a "Geek Squad"-like service at Circuit City ("Firedog") to trading floors and corporate information security, he&rsquo;s amassed significant experience in the industry. He is an example of how security consciousness is important even before you're an official security "pro." In our conversation, 0day discusses getting into computers as an inner-city kid, acknowledging how our hangups can affect the growth of InfoSec, the benefits of older technology, and much more. Episode Highlights 0day defines distributed systems and how he and his team ensure they remain secure How his first hacking experience arose out of necessity The inner-city program that fostered 0day&rsquo;s early interest in computer systems How the Modem Age's less-advanced technology gave him a clearer understanding of how computers and the Internet worked How Circuit City allowed o take his first step into the professional tech world His first taste of information security dealing with his company&rsquo;s most dissatisfied clients Tracking down a security vulnerability through a coworker&rsquo;s NSFW browsing habits Thoughts on the modern security industry and how it could be improved The importance of getting over prejudices and mentoring those coming into InfoSec Book and conference recommendations for those starting out or interested in the industry. Average routine at his current job Why computer science alone isn&rsquo;t a solid enough background to get into InfoSec Advice for overcoming shyness at your first security conference Quotes &ldquo;The malware I came across in those days, I still don&rsquo;t see anything as unique.&rdquo; &ldquo;We should really reach out to a wider swath of society to give them an interest in information security.&rdquo; &ldquo;We, as a community, need to be less exclusionary by default and be willing to look at some of these candidates who we are ignoring just for the sake of our feelings toward a particular certification or particular path.&rdquo; &ldquo;We, as people who are more seasoned in the industry, now have the responsibility to also make ourselves available to those who are coming into the industry.&rdquo; &ldquo;When you take away some of the complexity, it makes it more difficult for someone to understand the underlying constructs, but at the same time, it makes it easier for them to access so there has to be a balance.&rdquo; &ldquo;As you start to get really familiar with anything, you can see both the dark side and the light side of it.&rdquo; &ldquo;We, as professionals, have some responsibility to disseminate correct, accurate knowledge.&rdquo; Links 0day&rsquo;s Twitter account: https://twitter.com/0daysimpson Youtube talk about Twitter: https://www.youtube.com/watch?v=vRYOQeJng50 Outro: "Cyber Sunset" Getting Into Infosec: Twitter: https://twitter.com/coffeewithayman YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A Book: <a...

Permalink and Transcript: http://gettingintoinfosec.com/dan In this first episode, I chat with Dan Borges, a professional red teamer, blogger, and security tool developer. Dan Borges discusses his early experiences using and exploiting computer systems, how InfoSec experts work with companies, and the new tools he and others created and released this year! Episode Highlights: Dan explains how he became involved in information security,including his introduction to programming through a Lego roboticsprogram. His early experiences as a pen-tester&mdash;i.e. a penetration tester, wholooks for system security weaknesses&mdash;and why it&rsquo;s difficult to gethands-on experience in that field. The benefits of becoming an Offensive Security Certified Professional(OSCP). What does a red team do in an organization, and how is it differentfrom pen-testing? Dan describes the day-to-day life of a pen-tester and the kind ofconflicts they can run into. A few war stories from the trenches of InfoSec, as well as some ofthe tools pen-testers use. How being grounded led to Dan&rsquo;s earliest hacking experiences, and theways his parents fostered his interests and mentality. What conferences should InfoSec beginners check out? Fun and beneficial ways you can &ldquo;hack&rdquo; reading. Dan&rsquo;s tips for those starting off or looking to transition intoInfosec. An in-depth look at one of the newer tools Dan uses for his work. The rules and intricacies of InfoSec competitions. Quotes: &ldquo;It&rsquo;s such a catch-22 to get practical, hands-on experience to go to these jobs because, y&rsquo;know, hacking&rsquo;s illegal, right?&rdquo; &ldquo;We don&rsquo;t just go in and blow the brakes off people, we&rsquo;re trying to measurably improve security.&rdquo; &ldquo;It was a constant escalation war, cat-and-mouse like that. They&rsquo;d take something away and I&rsquo;d figure out how to use the computer with that limitation.&rdquo; Links: Dan Borges&rsquo; personal blog: http://lockboxx.blogspot.com/ Dan&rsquo;s LinkedIn: https://www.linkedin.com/in/borges1337/ Dan on Twitter: https://twitter.com/1njection Dan and Alex's DEFCON Talk on Gscript: https://www.youtube.com/watch?v=8yjMlMf8NpQ Gscript: Genesis Scripting Engine: https://github.com/gen0cide/gscript NationalCPTC (Collegiate Penetration Testing Competition): https://nationalcptc.org/ Outro Music: Missing You by Trash80: https://trash80.bandcamp.com/track/missing-you Getting Into Infosec: Twitter: https://twitter.com/coffeewithayman YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A Book: https://www.amazon.com/Breaking-Step-Step-Starting-Information-ebook/dp/B07N15GTPC/ See omnystudio.com/listener for privacy information.Mentioned in this episode:Stay In Touch

Hi there! I am Ayman Elsawah, the host of a new podcast focused on helping you learn more about the information security field and how to be successful in it. We will walk through the shoes of seasoned information security experts as well as those new to the field, learn from their experiences, and find out how they got started. Join me on this wonderful journey! Music: &quot;Modem&quot; by @SkilldrickSee omnystudio.com/listener for privacy information.Mentioned in this episode:Stay In Touch