Breaking in to Security

2

INFORMATION SECURITY : A SHORT VIEW

“I’d like to get a job in security, how do Iget started?”

6

“What programming language do I need tolearn to be a penetration tester?”

7

“What certification should I get?”

8

Answering these one at a time isinefficient, biased and time consuming

9

Lets ask the community and get adefinitive answer

10

11

But before we get started...

12

Is this what you want to be?

13

Or maybe this

14

The reality

15

A lot of time in here

16

Meetings

17

Still Interested?

18

For those still here, letslook at some stats

19

<1year 22 7%

1-3years 64 22%

4-7years 81 27%

7+years 128 43%

Time In Industry

20

Penetrationtester 173 59%

Vulnerabilityauditor 143 49%

Sys-admin 130 45%

IDS/Firewalladmin 102 35%

Policywriter 97 33%

Loganalyst 97 33%

Incidentresponse 74 25%

Other 66 23%

Manager 64 22%

Malwareanalyst 49 17%

ITForensices 48 16%

Reverseengineer 38 13%

Exploitdeveloper 36 12%

Helpdesk 35 12%

PCIauditor 33 11%

Job Types

21

No,butithelps 182 62%

Yes 78 26%

Other 17 6%

Don'tknow 12 4%

No 6 2%

Do you need to be able to programto be a pen-tester?

22

Python 227 81%

BashScripting 221 79%

Ruby 122 43%

C 116 41%

WindowsPowershell 104 37%

PHP 101 36%

BatchScripting 102 36%

C++ 62 22%

Java 63 22%

Other 51 18%

Perl 46 16%

VB 29 10%

C# 25 9%

Lua 23 8%

What Language?

23

Yes 144 49%

Yes-butonlytogetthroughHR 137 46%

No 14 5%

Are Certifications Useful?

24

SANS/GIAC 189 69%

CISSP 187 68%

OffensiveSecurity(PWB,AWEetc) 111 40%

EC-Council(CEHetc) 64 23%

CompTIA(Security+etc) 63 23%

Vendorspecific 60 22%

Other 55 20%

CHECKTeamLeader(CREST/TigerScheme) 31 11%

CHECKTeamMember(CREST/TigerScheme) 30 11%

Which Certs?

25

Other Certificates Include

•OSSTIM•ISACA•Cisco•Microsoft•Linux/Unix

•Whatever gets you the job•Anything management has heard of•Networking

26

Yes 259 88%

Other 24 8%

No 12 4%

Are Conferences Worth Attending?

27

Which Ones?

All of them got a mention

28

That’s the end of the stats

29

What do you know now thatyou wish you'd known when

starting out?

31

People skills, managing managementand clients

“I think it's important to note that information securityis a role in a company that involves dealing withpeople. Brush up on your public speaking and

negotiation skills. I'm much better at hacking siliconthan I am hacking carbon, but each is important. Take

time to learn and practice those soft skills.”

32

Business skills

“Business skills are more important thantechnical skills.”

33

Report writing skills

“It's all about the report... you can be thebest penetration tester in the world, but if

your report sucks, so does your test!”

34

Networking is important

“Get out there and network, don't be shywe are a friendly lot”

35

You can't secure everything and can't be100% secure so live with it

“Security is a balance between riskmitigation and corporate earnings.Companies must continue making

money to pay your salary. Ergo, the bestsecurity may not be the right security.”

36

“You will live in hotels”

“Pen testing is not so glamorous as itappears”

37

“Cons are bad for your liver”

38

What one piece advice wouldyou give to someone wantingto start a career in security?

39

Learn, learn and learn some more

“Study hard, do the labs and exercises,experiment with tools.”

40

You need your own lab

“Set a lab environment up to practicewith, virtualisation makes these easy

these days.”

41

Get an all-round education

“Develop skills in other areas of IT(system administration, network

management, development, etc.) eitherbefore or in addition to InfoSec.”

42

Make sure you enjoy what you do

“Do it for love of what you do, not tomake money. The money is good, but ifyou really enjoy it, it's the best job in the

world.”

“Make sure its something you really wantand can keep up with, not just something

you enjoy on the side.”

43

More about soft skills and businessknowledge

“Be tolerant of the non-techs, teachthem, but don't talk down to them. Be

aware that sometimes, the businessneeds trump security best practices.”

44

Repeated from earlier, programming is auseful skill

“Learn to program (scripting at least).”

45

Get yourself known

“To get involved in different projects andcontribute, there are a lot of open sourceprojects you can contribute to in different

ways.”

46

“It's all about reputation. Certs areuseful, but if you are unknown you won'tbe taken seriously. Get out there, meet

people, and learn from them!”

47

“Start a blog.. not for fame and glory butmore for keeping a record of what youlearn. Doesn't matter if no one reads it,

do it for yourself.”

48

Find your local community - 2600,hackerspace, DC group

“Find your local community & onlinecommunity”

50

Don’t just trust tools

“Learn whats going behind the tools youare using”

51

“Get in bed with the operations andfinance people (not literally, however this

might also help)”

52

“Work your ass off! Everyone else doesso you better get used to it.”

53

Is it OK to “practice” on sites/companies without permissionif you don't do any damage?

54

Overwhelming opinion - No, there areenough resources out there you don’t

need to

55

“Only if you want a new ‘room-mate’called Bubba......”

56

What I’ve not covered

What do you see as the next up and coming area?

Is there anything you feel you did wrong that youwould advise against?

57

Conclusions

If you aren’t passionate it is just another job

Get stuck in, learn and show your interest

Don’t be afraid to ask questions - but show you’vetried to find the answer yourself first

It isn’t all about the tech

60

Big thanks to all whoresponded

61

Lets play a game, whowants a question

answered?

62

Facebook/D3pak@D3pakDeepakniit14@gmail.comabout.me/D3pak