A Career in Information Security as Described by Animated GIFs

Date posted: 01-Nov-2014
Uploaded by: mark-stanislav

Description:
This presentation will provide some insights (and funny images) to help explain what life is like in information security and some tips to make you a better candidate for roles. If you're in college and looking to get a few pointers, this may be worth a few minutes of your time to review.

Transcript
Page 1: A Career in Information Security as Described by Animated GIFs

A Career In Information SecurityAs Described By Animated GIFs

Mark Stanislav <[email protected]>

Page 2

Your Presenter, In A Few Bullet Points

‣ 12 years of experience with roles in UNIX systems administration, PHP/Ruby development, and many areas of information security

‣ B.S. in Networking & IT Administration (EMU)

‣ M.S. in Technology Studies, Information Assurance (EMU)

‣ CISSP, Security+, Linux+, CCSK certifications

‣ Presented for around 50 conferences/groups in past three years

‣ Currently the Security Evangelist at Duo Security in Ann Arbor

Page 3

What Are We Doing?

‣ I’m going to talk about having a career within information security!

‣ This will be done with GIFs from an awesome site found at http://securityreactions.tumblr.com/

‣ Questions are encouraged as time permits. You can always reach out to me afterwards as well via e-mail, Twitter, etc.

‣ Let’s warm up...

Page 4

Many Roads To Go Down And They Always Converge

‣ Even if you start your career as a network engineer, system administrator, or web developer, you can still be “in infosec”

‣ Don’t think you have to be an “ethical hacker” to participate or be well regarded in the industry

‣ The experience you can gain being in one or more of these roles can result in huge advantages over your security-centric peers

Page 5

Don’t Believe Me?

‣ Understanding how a technology works by either developing for it or having to defend it puts you way ahead of other attackers

‣ There is entirely too much emphasis on how to use tools in modern information security curriculum -- build stuff/break stuff!

‣ Tools are always getting better so that means you need to continually bring more to the table to be an in-demand hire

Page 6

Not All Of Information Security Is Hacking

‣ There are plenty of high-paying, somewhat technical jobs in security like being an auditor or on a digital forensics team

‣ The mindset of a hacker can easily be applied within different roles, not just writing exploits or cracking passwords

‣ Information security professionals have many ways they can pivot in a career; don’t get frustrated, be creative with your skills

Page 7

Roles In Information Security... A Short List

‣ Penetration Testing

‣ Web Application Security Review

‣ Cryptography

‣ Security Analyst

‣ Security Architecture

‣ Vulnerability Management

‣ Standard/Regulation Auditing

‣ Vulnerability Assessment

‣ Digital Forensics

‣ Policy Development

‣ Network Security Engineer

‣ System Security Engineer

Page 8

Don’t Plan Your Career For One Niche

‣ If you plan your entire information security career around one singular aspect you think you’ll always enjoy, you’re cheating yourself out of a lot of great career paths

‣ Being a “jack of all trades” isn’t a bad thing, it makes you valuable

‣ I call a fixation with one sexy job role “Social Engineer Syndrome”

  ‣ Social engineering is almost always a part of a job in information security and not a job itself

Page 9

Information Security Can Be Stressful

‣ When you’re working on a client’s network, accidentally knocking over their production server, deleting critical data, or locking their team out can happen if you’re not careful

‣ Any idea how long you’re going to stay employed carelessly running automated tools? =)

Page 10

The Reality Of Being An Ethical Hacker

What many people think it’s like

What you usually feel like

Page 11

Spending Your Day As An Ethical Hacker

A Typical Security Engagement (time breakdown from the slide’s pie chart):

‣ Hacking: 45%

‣ Recon: 25%

‣ Reports: 20%

‣ Calls: 5%

‣ Emails: 5%

...but what it feels like when you own a client’s network and/or data

Page 12

Certifications

‣ If you’re looking to get your first job in information security, certifications are a great way to set yourself apart from peers

‣ After you have a career, however, most people only get certifications if they have to per their employer’s request/need

‣ Having a certification does not make a person an expert

  ‣ While we’re on the subject, PLEASE do not put “expert” anywhere on your resume. Seriously.

Page 13

Learn To Hack And Then Learn To Automate

‣ Try to attack an application before scanning it for known issues

  ‣ Being able to find an issue rather than being told there is an issue makes a better attacker

‣ Once you find a vulnerability, try to write a custom exploit

  ‣ Knowing how to exploit a SQL injection issue means way more than knowing ./sqlmap -u

‣ Make a “lab” with penetration testing virtual machines to learn!

  ‣ http://pentestlab.org/10-vulnerable-web-applications-you-can-play-with/

Page 14

Try Your Hand At Security Research

‣ Scour GitHub, Source Forge, and Google Code for applications that contain vulnerabilities... then responsibly report them!

‣ Have an IP camera on your network? How about a “Smart” TV?

‣ Does your company have a security team? Volunteer to test code.

‣ Have friends/family with a business? Ask to evaluate security.

Page 15

Participate In Team Activities Like Capture The Flag

‣ Information Security Talent Search (ISTS)

  ‣ http://www.sparsa.org/?q=node/5

‣ DC3 Digital Forensics Challenge

  ‣ http://www.dc3.mil/innovations-outreach/dc3-digital-forensics-challenge

‣ Cyber Security Awareness Week CTF

  ‣ https://ctf.isis.poly.edu

Page 16

Tips To Maximize Your Career Potential

‣ There are lines to not cross. Don’t break into anything without permission, even if you have the best of intentions in doing so.

‣ Be humble. There are plenty of people who know everything you learn and about 100x more. Humility is a lost art in the industry.

‣ Learn how to explain yourself to non-technical people. It’s not their fault if they don’t understand you, it’s yours.

‣ Don’t say you know “how to hack”... it doesn’t mean anything.

Page 17

How To Keep Informed, Part 1/2

‣ Pay attention to information security news web sites

  ‣ Forbes Security: http://www.forbes.com/security/

  ‣ Threatpost: http://threatpost.com/

  ‣ SC Magazine: http://www.scmagazine.com/

‣ Read mailing list postings about vulnerabilities

  ‣ Full Disclosure: http://seclists.org/fulldisclosure/

‣ Follow security professionals on Twitter

Page 18

How To Keep Informed, Part 2/2

‣ Attend conferences around the area:

  ‣ B-Sides Detroit: http://www.securitybsides.com/w/page/33949981/BSidesDetroit

  ‣ Secureworld Detroit: http://www.secureworldexpo.com/conference/39

  ‣ GrrCon: http://grrcon.org/

‣ Attend security meet-up groups:

  ‣ #misec: http://michsec.org/

  ‣ ARBSEC: http://arbsec.org/

  ‣ MotorCity ISSA: http://www.motorcityissa.org/

Page 19

Funny Attacker Stories...

‣ Story #1: Medical Insurance Company - Penetration Test

  ‣ Very well coded web application was the primary point of attack... not much else to go after

  ‣ Almost gave up when I tried https://website.com/admin/ and “became” an administrator

  ‣ Gave the web developer his own password during the close-out call :)

‣ Story #2: Property Insurance Company - Penetration Test

  ‣ During Open-Source Intelligence (OSINT) gathering via Google, found a development web site

  ‣ The developer building their new web site had installed a plugin that had a vulnerability

  ‣ I compromised multiple user accounts and logged into their Intranet and e-mail systems

Page 20

Thanks! Questions?

[email protected]

@markstanislav

http://www.uncompiled.com

https://speakerdeck.com/mstanislav