cyber education: your options & resources mapped out

Cyber Education:

Your Options & Resources Mapped Out

Kelly Shortridge October 18, 2014

Shortridge – Cyber Education NYU Poly Cyber Symposium 2014

Agenda

Your burning questions:

What careers are there?

How do I learn more about the field?

How do I meet people / network?

How do I stay current on industry trends?

2


Who am I?

Kelly Shortridge

Currently an Entrepreneur in Residence

Formerly advised InfoSec companies on M&A

and private capital raises

Absolutely no technical background

Built an InfoSec knowledge base & professional

network from scratch

3


At first…

4


And then…

5


But mostly…

6

Toward a Career


Very General Advice

No one can ever predict what they’ll be

doing 5 years from now, let alone the rest of

their lives

Learn the “basics” and cross-over skills…

…but make sure to learn about things you

find interesting, too

8


Careers in InfoSec

9

Not just about hacking the mainframe.


Careers in InfoSec

10

Also about hardening applications


Careers in InfoSec

11

Also about developing security strategies


Careers in InfoSec

12

Also about monitoring systems


Careers in InfoSec

13

Also about responding to incidents


Careers in InfoSec

14

As well as attack-centric R&D


InfoSec Jobs

A career in InfoSec offers many options:

Application Security

Compliance & Policy

Data Forensics & Incident Response

Network Security Engineer / Ops & Monitoring

Penetration Testing

Security Architecture

Vulnerability Research & Reverse Engineering

15


The “Basics”

16

Roles often overlap and blend together

Cover different aspects of the lifecycle of

security operations

Some areas of study are broadly applicable

Network & System Architecture

Math

Software Development


The Future!

17


Skill Sets – Example #1

Network Security Engineer / Ops & Monitoring

Understand network design & architecture

Familiarity with security tech – IDS/IPS, SIEM,

firewalls, vulnerability detection & remediation

Develop custom tooling for security monitoring

Some knowledge on machine learning is a plus

18



Vulnerability Research & Reverse Engineering

Analyze malicious code, shellcode, packed &

obfuscated code

Identify attacker methodology

Strong math abilities, particularly graph theory

Familiarity with IDA Pro and user & kernel-

mode debuggers

Languages: Assembly (x86 & x64), C/C++, Python

19



Application Security

Audit applications for vulnerabilities (XSS, SQLI,

logic flaws, etc.)

Understanding of application architecture

Help development teams implement SDL

Build tooling to improve testing & auditing

Languages: Java, PHP, C / C++, Python, Ruby

20


Potential Employers

Major hubs include DC, SF & NYC – each city has

its own “flavor” driven by employer base

Government Fortune 500 Industry

Defense Contractors

& Gov’t Agencies

Tech, Finance, Media,

eCommerce, etc.

Security Vendors &

Consultancies

21


Guiding Your Education

Find a few areas of interest / passion

Determine what abilities are required

22

Learning the Field


Where to Start

24

When I first started exploring InfoSec, someone

told me Phrack was a leading industry publication.

So I read every issue…

Including the first 40, which are just about phones.


Where to Start, continued

25

Diving in head-first actually isn’t a bad strategy;

there is some truth to learning by osmosis.

Luckily, there are both formal and informal

channels to help you live and breathe InfoSec.


Formal Education

Academia

Certifications

Helpful if no other means of vetting abilities

26


Certifications

27

Provides professional certifications in InfoSec

Covers a wide breadth of security topics

$250 - $600 per examination

Variable years of experience required:

<1 year 1 year 2 years 4 years 5 years

Years of Experience


Informal Education

Take advantage of valuable informal channels:

Visit conferences (or find talks posted online)

CTF competitions

Trainings (usually expensive)

Social events (usually exclusive)

Academic papers (contact authors)

28


Conferences

Cons are often how people stay in touch

Check out talks, or find them online

Social events – great for networking

Parties requiring challenges (Caesar’s Challenge

at Blackhat/DEFCON)

29


CTFs

Test your skills & gain recognition

Industry – DEFCON, Ghost in the Shellcode

(Shmoocon), company-sponsored CTFs

Private – Smash the Stack, Over the Wire,

others hosted by hacker groups

Collegiate – CSAW CTF, NECCDC

Government – DARPA, semi-public or 100%

private IC-focused CTFs

30


Trainings – Roles

Practical education for professional

security roles

Multi-week courses

Both on-demand & in-person

Expensive (typically $4,500 - $5,000)

Value depends widely on the teacher

31


Trainings – Skills

Expensive ($2,000 - $4,000), but can substantially

improve your skills & teach you new techniques

32

Private Conferences


Academic Papers

Helps you find emerging areas of research

IEEE

Microsoft – Security & Privacy Research

Reddit.com/r/NetSec

USENIX

ACM Digital Library (search by keywords, e.g.

malware)

33


Academics

Don’t be shy about contacting authors!

They’ll most likely be flattered.

34


How to Break In

InfoSec is more open now than

ever on how to find people – they

just aren’t always welcoming…

35

Meeting People & Networking

Shortridge – Cyber Education NYU Poly Cyber Symposium 2014 37


The Social Network

InfoSec is a trust-based industry.

A strong social network is critical.

38


Tl;dr on Networking

Get as many “at bats” as possible

Meet many people across various areas of

expertise, employers & career stages

Not everyone will respond, so need to maximize

your hit rate by reaching out to more people

Expand your network by asking new contacts

(politely) if they know anyone you should meet

39


Persistence & Haters

Don’t let someone convince you that you won’t be

successful, or don’t belong

40

People like passion and

want to “back winners”

Persistence is key (true

of most things)


Social Events

NYC – NYSec & iSec Open Forum

Look @ “CitySec Meetups” on Reddit NetSec

Non-Industry Events

NYC – Hack Nite @ NYU

Nationally, check out local OWASP events

Niche (e.g. hardware) meetups (meetup.com is

helpful)

41


Maintaining the Network

Regularly follow-up, but be mindful of people’s

time

Coffees are generally quick & easy

Even starting out, consider how you can be helpful

Try to maintain a 50/50 ask to give ratio

Keeping an eye out for potential hires, making

introductions, etc.

42


On Randomness

43

Life is random – you never know

what opportunities will come from

your connections.

Staying Up-to-Date


Socializing

45

Staying in touch and meeting new people helps

enormously in knowing the “latest”

Not all research / projects are discussed online

Gossip and chatter can also inform you of career

opportunities or new, interesting companies

Fills in gaps in news you might have missed


News – A Word of Caution

46

News is important, but not always directly

beneficial to your learning & career development

Hard to weed out signal from noise in the media

Why???


News Sources

CyberWire – aggregates InfoSec news daily

Reddit NetSec – consistently updated content

Twitter – where the industry “chatter” happens

Plus individual sites:

47


InfoSec Treadmill

48

As a (relatively) nascent industry,

InfoSec evolves rapidly – exciting,

but with the potential for burnout.

Conclusion


Your Personal Brand

50

Consistently build your personal

portfolio of skills, experience and

industry connections.


Take It from This Guy

51

Work as hard and as much as you

want to on the things you like to do

the best. Don't think about what

you want to be, but what you want

to do.

– Richard P. Feynman

cyber education: your options & resources mapped out

Technology