cyber education: your options & resources mapped out
Post on 01-Jul-2015
1.259 Views
Preview:
DESCRIPTION
TRANSCRIPT
Cyber Education:
Your Options & Resources Mapped Out
Kelly Shortridge October 18, 2014
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Agenda
Your burning questions:
What careers are there?
How do I learn more about the field?
How do I meet people / network?
How do I stay current on industry trends?
2
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Who am I?
Kelly Shortridge
Currently an Entrepreneur in Residence
Formerly advised InfoSec companies on M&A
and private capital raises
Absolutely no technical background
Built an InfoSec knowledge base & professional
network from scratch
3
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
At first…
4
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
And then…
5
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
But mostly…
6
Toward a Career
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Very General Advice
No one can ever predict what they’ll be
doing 5 years from now, let alone the rest of
their lives
Learn the “basics” and cross-over skills…
…but make sure to learn about things you
find interesting, too
8
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Careers in InfoSec
9
Not just about hacking the mainframe.
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Careers in InfoSec
10
Also about hardening applications
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Careers in InfoSec
11
Also about developing security strategies
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Careers in InfoSec
12
Also about monitoring systems
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Careers in InfoSec
13
Also about responding to incidents
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Careers in InfoSec
14
As well as attack-centric R&D
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
InfoSec Jobs
A career in InfoSec offers many options:
Application Security
Compliance & Policy
Data Forensics & Incident Response
Network Security Engineer / Ops & Monitoring
Penetration Testing
Security Architecture
Vulnerability Research & Reverse Engineering
15
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
The “Basics”
16
Roles often overlap and blend together
Cover different aspects of the lifecycle of
security operations
Some areas of study are broadly applicable
Network & System Architecture
Math
Software Development
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
The Future!
17
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Skill Sets – Example #1
Network Security Engineer / Ops & Monitoring
Understand network design & architecture
Familiarity with security tech – IDS/IPS, SIEM,
firewalls, vulnerability detection & remediation
Develop custom tooling for security monitoring
Some knowledge on machine learning is a plus
18
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Skill Sets – Example #2
Vulnerability Research & Reverse Engineering
Analyze malicious code, shellcode, packed &
obfuscated code
Identify attacker methodology
Strong math abilities, particularly graph theory
Familiarity with IDA Pro and user & kernel-
mode debuggers
Languages: Assembly (x86 & x64), C/C++, Python
19
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Skill Sets – Example #3
Application Security
Audit applications for vulnerabilities (XSS, SQLI,
logic flaws, etc.)
Understanding of application architecture
Help development teams implement SDL
Build tooling to improve testing & auditing
Languages: Java, PHP, C / C++, Python, Ruby
20
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Potential Employers
Major hubs include DC, SF & NYC – each city has
its own “flavor” driven by employer base
Government Fortune 500 Industry
Defense Contractors
& Gov’t Agencies
Tech, Finance, Media,
eCommerce, etc.
Security Vendors &
Consultancies
21
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Guiding Your Education
Find a few areas of interest / passion
Determine what abilities are required
22
Learning the Field
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Where to Start
24
When I first started exploring InfoSec, someone
told me Phrack was a leading industry publication.
So I read every issue…
Including the first 40, which are just about phones.
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Where to Start, continued
25
Diving in head-first actually isn’t a bad strategy;
there is some truth to learning by osmosis.
Luckily, there are both formal and informal
channels to help you live and breathe InfoSec.
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Formal Education
Academia
Certifications
Helpful if no other means of vetting abilities
26
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Certifications
27
Provides professional certifications in InfoSec
Covers a wide breadth of security topics
$250 - $600 per examination
Variable years of experience required:
<1 year 1 year 2 years 4 years 5 years
Years of Experience
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Informal Education
Take advantage of valuable informal channels:
Visit conferences (or find talks posted online)
CTF competitions
Trainings (usually expensive)
Social events (usually exclusive)
Academic papers (contact authors)
28
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Conferences
Cons are often how people stay in touch
Check out talks, or find them online
Social events – great for networking
Parties requiring challenges (Caesar’s Challenge
at Blackhat/DEFCON)
29
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
CTFs
Test your skills & gain recognition
Industry – DEFCON, Ghost in the Shellcode
(Shmoocon), company-sponsored CTFs
Private – Smash the Stack, Over the Wire,
others hosted by hacker groups
Collegiate – CSAW CTF, NECCDC
Government – DARPA, semi-public or 100%
private IC-focused CTFs
30
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Trainings – Roles
Practical education for professional
security roles
Multi-week courses
Both on-demand & in-person
Expensive (typically $4,500 - $5,000)
Value depends widely on the teacher
31
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Trainings – Skills
Expensive ($2,000 - $4,000), but can substantially
improve your skills & teach you new techniques
32
Private Conferences
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Academic Papers
Helps you find emerging areas of research
IEEE
Microsoft – Security & Privacy Research
Reddit.com/r/NetSec
USENIX
ACM Digital Library (search by keywords, e.g.
malware)
33
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Academics
Don’t be shy about contacting authors!
They’ll most likely be flattered.
34
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
How to Break In
InfoSec is more open now than
ever on how to find people – they
just aren’t always welcoming…
35
Meeting People & Networking
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014 37
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
The Social Network
InfoSec is a trust-based industry.
A strong social network is critical.
38
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Tl;dr on Networking
Get as many “at bats” as possible
Meet many people across various areas of
expertise, employers & career stages
Not everyone will respond, so need to maximize
your hit rate by reaching out to more people
Expand your network by asking new contacts
(politely) if they know anyone you should meet
39
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Persistence & Haters
Don’t let someone convince you that you won’t be
successful, or don’t belong
40
People like passion and
want to “back winners”
Persistence is key (true
of most things)
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Social Events
NYC – NYSec & iSec Open Forum
Look @ “CitySec Meetups” on Reddit NetSec
Non-Industry Events
NYC – Hack Nite @ NYU
Nationally, check out local OWASP events
Niche (e.g. hardware) meetups (meetup.com is
helpful)
41
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Maintaining the Network
Regularly follow-up, but be mindful of people’s
time
Coffees are generally quick & easy
Even starting out, consider how you can be helpful
Try to maintain a 50/50 ask to give ratio
Keeping an eye out for potential hires, making
introductions, etc.
42
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
On Randomness
43
Life is random – you never know
what opportunities will come from
your connections.
Staying Up-to-Date
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Socializing
45
Staying in touch and meeting new people helps
enormously in knowing the “latest”
Not all research / projects are discussed online
Gossip and chatter can also inform you of career
opportunities or new, interesting companies
Fills in gaps in news you might have missed
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
News – A Word of Caution
46
News is important, but not always directly
beneficial to your learning & career development
Hard to weed out signal from noise in the media
Why???
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
News Sources
CyberWire – aggregates InfoSec news daily
Reddit NetSec – consistently updated content
Twitter – where the industry “chatter” happens
Plus individual sites:
47
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
InfoSec Treadmill
48
As a (relatively) nascent industry,
InfoSec evolves rapidly – exciting,
but with the potential for burnout.
Conclusion
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Your Personal Brand
50
Consistently build your personal
portfolio of skills, experience and
industry connections.
Shortridge – Cyber Education NYU Poly Cyber Symposium 2014
Take It from This Guy
51
Work as hard and as much as you
want to on the things you like to do
the best. Don't think about what
you want to be, but what you want
to do.
– Richard P. Feynman
top related