Cyber Education: Your Options & Resources Mapped Out

Cyber Education: Your Options & Resources Mapped Out
Kelly Shortridge
October 18, 2014

Shortridge – Cyber Education
NYU Poly Cyber Symposium 2014
Agenda
Your burning questions:
What careers are there?
How do I learn more about the field?
How do I meet people / network?
How do I stay current on industry trends?
2

Who am I?
Kelly Shortridge
Currently an Entrepreneur in Residence
Formerly advised InfoSec companies on M&A and private capital raises
Absolutely no technical background
Built an InfoSec knowledge base & professional network from scratch
3

At first…
4

And then…
5

But mostly…
6

Very General Advice
No one can ever predict what they’ll be doing 5 years from now, let alone the rest of their lives
Learn the “basics” and cross-over skills…
…but make sure to learn about things you find interesting, too
8

Careers in InfoSec
9
Not just about hacking the mainframe.

Careers in InfoSec
10
Also about hardening applications

Careers in InfoSec
11
Also about developing security strategies

Careers in InfoSec
12
Also about monitoring systems

Careers in InfoSec
13
Also about responding to incidents

Careers in InfoSec
14
As well as attack-centric R&D

InfoSec Jobs
A career in InfoSec offers many options:
Application Security
Compliance & Policy
Data Forensics & Incident Response
Network Security Engineer / Ops & Monitoring
Penetration Testing
Security Architecture
Vulnerability Research & Reverse Engineering
15

The “Basics”
16
Roles often overlap and blend together
Cover different aspects of the lifecycle of security operations
Some areas of study are broadly applicable
Network & System Architecture
Math
Software Development

The Future!
17

Skill Sets – Example #1
Network Security Engineer / Ops & Monitoring
Understand network design & architecture
Familiarity with security tech – IDS/IPS, SIEM, firewalls, vulnerability detection & remediation
Develop custom tooling for security monitoring
Some knowledge on machine learning is a plus
18

Vulnerability Research & Reverse Engineering
Analyze malicious code, shellcode, packed & obfuscated code
Identify attacker methodology
Strong math abilities, particularly graph theory
Familiarity with IDA Pro and user & kernel- mode debuggers
Languages: Assembly (x86 & x64), C/C++, Python
19

Application Security
Audit applications for vulnerabilities (XSS, SQLI, logic flaws, etc.)
Understanding of application architecture
Help development teams implement SDL
Build tooling to improve testing & auditing
Languages: Java, PHP, C / C++, Python, Ruby
20

Potential Employers
Major hubs include DC, SF & NYC – each city has its own “flavor” driven by employer base
Government
Fortune 500
Industry
Defense Contractors & Gov’t Agencies
Tech, Finance, Media, eCommerce, etc.
Security Vendors & Consultancies
21

Guiding Your Education
Find a few areas of interest / passion
Determine what abilities are required
22

Where to Start
24
When I first started exploring InfoSec, someone told me Phrack was a leading industry publication.
So I read every issue…
Including the first 40, which are just about phones.

Where to Start, continued
25
Diving in head-first actually isn’t a bad strategy; there is some truth to learning by osmosis.
Luckily, there are both formal and informal channels to help you live and breathe InfoSec.

Formal Education
Academia
Certifications
Helpful if no other means of vetting abilities
26

Certifications
27
Provides professional certifications in InfoSec
Covers a wide breadth of security topics
$250 - $600 per examination
Variable years of experience required:
<1 year
1 year
2 years
4 years
5 years
Years of Experience

Informal Education
Take advantage of valuable informal channels:
Visit conferences (or find talks posted online)
CTF competitions
Trainings (usually expensive)
Social events (usually exclusive)
Academic papers (contact authors)
28

Conferences
Cons are often how people stay in touch
Check out talks, or find them online
Social events – great for networking
Parties requiring challenges (Caesar’s Challenge at Blackhat/DEFCON)
29

CTFs
Test your skills & gain recognition
Industry – DEFCON, Ghost in the Shellcode (Shmoocon), company-sponsored CTFs
Private – Smash the Stack, Over the Wire, others hosted by hacker groups
Collegiate – CSAW CTF, NECCDC
Government – DARPA, semi-public or 100% private IC-focused CTFs
30

Trainings – Roles
Practical education for professional security roles
Multi-week courses
Both on-demand & in-person
Expensive (typically $4,500 - $5,000)
Value depends widely on the teacher
31

Trainings – Skills
Expensive ($2,000 - $4,000), but can substantially improve your skills & teach you new techniques
32
Private
Conferences

Academic Papers
Helps you find emerging areas of research
IEEE
Microsoft – Security & Privacy Research
Reddit.com/r/NetSec
USENIX
ACM Digital Library (search by keywords, e.g. malware)
33

Academics
Don’t be shy about contacting authors!
They’ll most likely be flattered.
34

How to Break In
InfoSec is more open now than ever on how to find people – they just aren’t always welcoming…
35

37

The Social Network
InfoSec is a trust-based industry.
A strong social network is critical.
38

Tl;dr on Networking
Get as many “at bats” as possible
Meet many people across various areas of expertise, employers & career stages
Not everyone will respond, so need to maximize your hit rate by reaching out to more people
Expand your network by asking new contacts (politely) if they know anyone you should meet
39

Persistence & Haters
Don’t let someone convince you that you won’t be successful, or don’t belong
40
People like passion and want to “back winners”
Persistence is key (true of most things)

Social Events
NYC – NYSec & iSec Open Forum
Look @ “CitySec Meetups” on Reddit NetSec
Non-Industry Events
NYC – Hack Nite @ NYU
Nationally, check out local OWASP events
Niche (e.g. hardware) meetups (meetup.com is helpful)
41

Maintaining the Network
Regularly follow-up, but be mindful of people’s time
Coffees are generally quick & easy
Even starting out, consider how you can be helpful
Try to maintain a 50/50 ask to give ratio
Keeping an eye out for potential hires, making introductions, etc.
42

On Randomness
43
Life is random – you never know what opportunities will come from your connections.

Socializing
45
Staying in touch and meeting new people helps enormously in knowing the “latest”
Not all research / projects are discussed online
Gossip and chatter can also inform you of career opportunities or new, interesting companies
Fills in gaps in news you might have missed

News – A Word of Caution
46
News is important, but not always directly beneficial to your learning & career development
Hard to weed out signal from noise in the media
Why???

News Sources
CyberWire – aggregates InfoSec news daily
Reddit NetSec – consistently updated content
Twitter – where the industry “chatter” happens
Plus individual sites:
47

InfoSec Treadmill
48
As a (relatively) nascent industry, InfoSec evolves rapidly – exciting, but with the potential for burnout.

Your Personal Brand
50
Consistently build your personal portfolio of skills, experience and industry connections.

Take It from This Guy
51
Work as hard and as much as you want to on the things you like to do the best. Don't think about what you want to be, but what you want to do.
– Richard P. Feynman

Cyber Education: Your Options & Resources Mapped Out

Recommended

Recommended

More Related Content

Similar to Cyber Education: Your Options & Resources Mapped Out

Similar to Cyber Education: Your Options & Resources Mapped Out (20)

More from Kelly Shortridge

More from Kelly Shortridge (7)

Recently uploaded

Recently uploaded (20)

Cyber Education: Your Options & Resources Mapped Out