Tag Archives: InfoSec

InfoSec Talent Shortage

So this has been an ongoing discussion in the industry for a while now.  As companies continue to grow and expand their digital footprint, they expose themselves to a greater number of threats.  In turn they need people to manage the monitoring and mitigation of those threats as well as the remediation when things go south.  So the solution that all the research firms recommend is to hire an MSSP, because they can do all the things!

How do the MSSPs fill their positions?

That is a question that should be asked when considering that path.  Some suggest the MSSPs pull from cheaper labor pools.  If that is the case, then what are you actually getting when signing up with these providers?  If you are getting cheap labor then you are either getting under-skilled analysts and engineers, or barely entry level prospects with the ability to read a script and follow a basic procedure.  The information security industry is not an entry level service.  The “junior” analyst needs to have a general understanding of what the base technologies are and how they work.  If they are looking through logs and see an IP address, they should know how to look that up and find information about it.  Or if a website isn’t loading correctly, where to look to see if it is a network issue, web filtering, or simply just a bad site.  On the flip side, a junior analyst would need to know how best to pull in a lot of data and turn it into a presentable format to show to the customer.  That being said, are their “senior” analysts just the juniors with more training?  How many of the MSSP’s staff are actually veteran IT/InfoSec professionals?  How many have had to build and support their own infrastructure?  Or are they just good readers and simply email you a canned alert from your SIEM and say “it might be something…”  Or are they truly skilled people and the MSSP is offering some pretty good incentives to come work for them?

What are we not offering to entice the skilled labor our way?

  • Are we not offering competitive salary and benefits?
  • Do we not provide enough training opportunities?
  • What are prospects looking for?

Salary and benefits are great to pique some interest, but frankly if it is truly competitive, at some point there is a ceiling and it won’t mean much to a seasoned security architect or engineer.  They might be looking for a fun challenge or perhaps a good balance between work and life.  This industry provides its share of challenges both fun and frustrating.  That last bit can lead to some pretty heavy burnout which then leads to people exiting those positions or worse, staying so long they become a toxic member of the team.  Burnout and stress can lead to poor health, so all the money in the world is no good if you are spending all your time in doctors’ offices trying to figure out why you aren’t sleeping or have a sudden heart condition.

Training!  Offer it and don’t be cheap about it.  It’s the old argument “what if we train them and they leave… but what if we don’t and they stay”.  Those of us in the industry are not new to self-education but you as an employer cannot expect that we want to use our free time to learn something that is related to a specific technology we use in that particular job.  For example, if we are interested in IoT security research and we spend our free time in our home labs tearing down the latest IP camera to see how it works, we don’t want to share that time with going through the vendor training for our latest spam filtering service.  That should be done with reserved time in the office.  Now if you offered the latest in SANS training, then you might pique our interest.  This is vendor agnostic training that promotes principles and techniques over various subject matters in InfoSec.  Sure the classes are expensive, but they are worth every penny.  Many can be done remotely or in self-paced virtual classes.  That means no travel expenses!

So money isn’t everything.  Do you offer decent enough vacation time and will your prospects be able to take it?  Time off is no good if the prospect is the only member of an incident response team and is on call 24/7.  Be realistic in your expectations of the position and be able to support time off for your staff.  But even vacation time may not be a big seller, especially if it includes sick time as part of the bank (generic PTO vs separated vacation and sick time).  Maybe your prospect is looking for an employer who is active in the community and in turn encourages speaking opportunities both inside and outside of the company.  One other possible opportunity is what career paths are available to your prospects?  Will there be manager opportunities or senior lead/SME positions available?  Not everyone wants to be a CIO and there are usually plenty of managers.

So how do we fix this?

There will be no simple solutions to this.  In many cases, you have to realize there is not a lot of difference between your org and the one next door.  You both have similar problems to solve and need similar positions filled.  At the end of the day it makes little difference to your prospect if you sell X widget and they sell Y.  In the end we like puzzles that have possible solutions, not a mess of knotted Christmas lights that keep coming.

n00bsec – but what is it to be a n00b in Infosec

So there was some minor drama at this year’s hacker summer camp (Defcon, BSidesLV, Blackhat).  It appears to have been around a possible con from the group @InfosecN00bs (#n00bsec).  You can read the full blog post on what went down here.

Essentially this started out as a group of “n00bs” trying to break into InfoSec.  If you dig around they are not the first group of this type but what is interesting is they tried to start a crowd funding campaign to pay for certain members to attend the big cons.  Well it was a big scam apparently, but we won’t go into that.  This whole thing got me thinking and it is one of those topics that grinds my gears!

What is it to be a n00b in InfoSec?  Well in truth, there really shouldn’t be too many.  Infosec is not an entry level career.  Many of us in the industry did not start here.  We stumbled, fell, or accidentally opened the wrong door.  But before all that we worked the help desks, built servers, created web sites, and told users to “turn it off and on again!”  We started our journey learning how to do all these things.  Some of us did them well enough to realize that these systems had flaws.  At that point we decided to switch those gears into a security focused career.  I still laugh at the fact that someone is paying me double to tell them the same things I told them years ago as a Sys Admin.

So what I am trying to get at is, that although we may have been new to the InfoSec industry, we were hardly inexperienced.  We had a good deal of base knowledge to work off of.  That is what is important when it comes to experience.  Now for those entering the scene today, there is a wealth of information available.  Many of the pros are willing to help new folks along, but they will not be there to hold your hand.  You will need to work a bit.  Do your own research, study the topics, and make your way out to the local community events.  You don’t need to head right to Defcon, but maybe try a local Security BSides event or a meetup activity.  This is not a career for those looking for a handout or in it just for the money.  It is for those who will throw up a learning lab at home or a virtual lab on AWS just to try things out.

And some final thoughts… You are ultimately on your own when it comes to building your skills.  But when you get stuck and Google has failed you, reach out and someone will point you in the right direction.  You can also reference my previous post to get a list of places to start.  If a pro offers you guidance, accept it and thank them, maybe buy them a beer if you see them at a Con.  But don’t get pissed if you try to pump them for more than they are willing to provide.  They don’t have lots of free time to devote to mentoring.  Rather, why not follow them on social media or subscribe to their podcast or blog?

Go out there and learn n00bs! 😀

AnyCon 2017 Review

I will preface this review by stating that putting on such events is by far not an easy task.  There is a ton of planning that goes into these.  On the day of the event not everything will go as planned and you will have to improvise.  Speakers will pull out, a sponsor may not deliver, or your CTF has a bunch of technical problems.  But you push through and rely on your team to help you through it.

On to the review…

This past weekend I was able to attend the first annual AnyCon security conference which took place at the Albany Capitol Center.  Overall, it was not a bad conference for a first time run.  It was the typical large conference setup with keynotes from Dave Kennedy (TrustedSec, Binary Defense, DerbyCon) and Sanjay Goel (University of Albany).  There were three tracks – Offensive, Defensive, and Educational.  For the full track listing you can hit the site up http://www.anycon.info/agenda/.  In between the talks you could head over to their onsite CTF, hardware hacking village, or play some ping pong.

The Content – As expected for a first run conference.

It was your typical set of conference talks.  Irongeek (Adrian Crenshaw) has them all posted up on his YouTube Channel.  I will let you be the judge of their quality.  Some of the talks certainly showed that the pool of submitted content was not very deep and no real due diligence was done to vet the speakers.  One speaker, in fact, claimed during his talk that he single-handedly brought down the Teslacrypt C2 servers and forced the attackers to cease their DDoS attacks on his employer’s network.  That prompted some investigation by conference attendees on the legitimacy of the speaker; there is a pretty entertaining thread on Twitter.  But these things happen and will continue to happen so long as proper vetting isn’t done.  But as a first run conference, you can’t be too picky.  Speakers are not exactly knocking down your door to get accepted.  But that all comes with time.

It was pretty clear their target audience was not the seasoned professional, but that is ok.  In fact, you are hoping that those guys and gals will fill in your talk slots.  There were a good number of students attending which, I think, is great!  Hopefully they came away with more than I did from the conference and will continue to grow their skills and get out to some of the bigger conferences.

The Cost – No swag, no food, what did my 125 bucks get me?

When deciding to put on such an event, the topic of cost will be a big piece of the puzzle.  The goal should be to keep the cost low for the attendees.  Not many people are going to want to shell out a ton of cash for a first run conference.  Even with the cost of $125 for a non-student, I still registered to attend as I am an avid supporter of furthering the education of the community and Albany is not a far drive.  Unfortunately, I left the conference wondering what I actually paid for.  I didn’t get any real swag besides what was available at the vendor tables, no free conference t-shirt, the badge was a basic plastic card badge, there was no breakfast or lunch provided on either day.  I’ve attended BSides events with a much lower cost to register ($20 or less) that included a t-shirt, breakfast, and lunch.  That is what your sponsors are for!  Your purpose for this first run conference should be to get people in the door so that they will come back next year.  As your conference grows you can bump the cost up as the demand to attend may increase.  Now, thankfully, not everyone had to pay the higher cost.  Students were offered a $50 ticket, still pretty high in my opinion.  Hopefully they pay attention to their feedback survey and work to bring the costs down or at least offer more to justify it.

Other thoughts…

Time management certainly needs some improvement.  It did not appear that any of the talks had a time keeper.  This caused the more long-winded speakers to go well over their allotted time which ate into the next speaker’s block.  Things like this can certainly throw off the whole schedule if your talks are tight.  But you will luck out during these first runs by the less experienced speakers ending early.  After the keynote on Friday, there was little direction from the conference organizers on logistics.  There was no mention of lunch possibilities or plans for later that evening.  We were kind of left to figure that out on our own.  You need to assume that there may be a fair amount of people coming in from outside the area.  You don’t need to have a big party but you should look to the sponsors for possibly hosting a happy hour.  After the last talk, attendees just sort of went off on their own as they were not sure what else to do.  Again, if I was paying $20 bucks for a BSides event, it probably wouldn’t be a big deal, but this was close to the same price as DerbyCon but with a fraction of the content.

Summary of suggestions for next year:

  • Better time management.
  • Better vetting of speakers – don’t pollute the minds of the young by subjecting them to charlatans!
  • Swag bag – give me something to take back with me other than your event program!
  • Food, at least cover breakfast for those driving in the morning of the event.
  • Keep in contact with the attendees throughout the event, not just at the beginning and the end.
  • Look at adding a lock picking village separate from the Hardware hacking village.
  • Make the CTF an internet based one so people can work on it from their hotel rooms.

InfoSec Career “Quick-start” guide

  1. Install Kali
  2. Pwn all the things
  3. Collect big paycheck!

So what I really want to accomplish with this post is to provide a series of sources to help you get going in your infosec career.  I had a much longer post going on about building a good base of other technical skills and such but let’s just get to the meat of it.

Online Training

Free Resources:

  • Codecademy – Offers a number of free courses with added features if you upgrade to a pro subscription.  Great place to learn Python and Ruby.
  • Udacity – Much wider selection of programming courses, possibly better place to start for you App Sec types.
  • Microsoft Virtual Academy – Yes, even MS has a ton of free training resources.  Powershell to .NET C#!

Paid Sources

  • PluralSight – 30 bucks a month and a free trial.  They cover a wide variety of topics from CISSP to OWASP Top 10 for .NET with Troy Hunt.
  • ITProTV – Covers a wide variety of content spanning IT, probably a good place to start if you need to build up those base skills.  A bit pricier than PluralSight but has a stronger focus on IT in general.  Also you can probably find a discount code if you listen to Paul’s Security Weekly.

Podcasts

  • Security Weekly – They have expanded beyond the initial Security Weekly podcast to cover Enterprise, Startups, and Securing your digital life.  Listen to them all or pick and choose!  The team is great and you can’t go wrong, they will get you asking “What is the problem we are trying to solve??”
  • Risky Business – Covers the weekly security news from an Aussie perspective and includes special segments and interviews.
  • Southern Fried Security – Weekly-ish topical security discussions from the south.
  • SANS Internet Storm Center (ISC) – a quick 5-7 minute daily micro-cast covering security highlights.

Social Media

Twitter – Pretty much start with the people who host the above podcasts and the ones followed by our twitter account.  It is a great place to start interacting with the active security community.

Conferences / Meetups

  • Security BSides –  Spawned out of rejected CFPs from Blackhat 2009, Security BSides has evolved into a global series of events put on by local security communities.  This is a great place to get your feet wet and the cost is free to minimal.
  • DerbyCon –  5 day con down in Louisville, KY.  One of my personal favorites if you can fly and afford the hotel.  If you are in a reasonable distance you can also drive.  They have 2 days of training sessions before the actual conference.  It is a more intimate conference compared to the likes of DEF CON.  They also include nightly activities and a CTF that has something for all skill levels.  When you are there make sure to stop by the hardware hacking and lockpick villages!
  • CircleCity Con – I can’t speak on this one but the organizers are a great bunch.  If you can get to Indianapolis in June, check this one out!
  • Thotcon – another small con, it already happened this year but put it on your calendar for next year if you are going to be in the Chicago area.
  • DEFCON – Can’t mention the others without mentioning this one.  Without Blackhat and DEFCON we would not have the community that we have now.  I have yet to attend either of these but it is on the bucket list.
  • Meetups – Google search for local groups in your area.  Check around at Maker and Hacker spaces.

Other Resources

So that is it for now, hopefully you found this useful.  If you have other resources you come across feel free to message me on twitter and I will post an updated list.  Good luck and remember, if you are looking for your first official security gig, don’t be afraid to apply even if you think you are not qualified.  The smart employers may look past the lack of skills if you can demonstrate the right mindset for this work.

Goings on in and around the Nutmeg State…

Apologies for not posting anything in a while.  Hopefully that will change over the next couple weeks.  We will keep it simple and this will just be a simple events posting…

Source Conference Boston 2016
May 18-19th with training on the 16-17th.  Timing is great as this rolls right into…

BSidesBoston 2016
Training on May 20th, conference on May 21st.  Tickets are almost sold out!

Further down the line in July, BSidesCT comes back! CFP is open and it will once again be held at Quinnipiac University’s Rocky Top Student Center.

Regarding the Dell Security Bug

First of all read up on the details over at Krebs On Security.  He has a pretty good explanation as to what Dell did as well as additional reference sites on the matter.  The Reddit discussion in the reference section has some good technical details.  But what does all this mean to the regular folks out there who buy their Dell laptops and like to enjoy their drink while using the free wi-fi at the local coffee shop?

“But I need to have local admin to run this!”

March is finally here!  The walls of snow are melting down quickly here in New England.  I can finally see grass!  Well ok… it is more like torn up chunks of sod from completely missing the sidewalk with the snow blower, but it has remnants of grass.

During my hibernation, I remembered some conversations from the past.  Mainly they had to do with “discussions” with users about their needs on their systems.  They commonly revolved around the requirement of administrative rights on their local workstations.  Which of course led them to believe their current user account was the one that needed those rights.  Well most of us in security, as well as many others in the Systems Admin side of things, know that this is bad and should never be granted without a really good reason.  But does this mean it isn’t possible to grant these users their wishes?

Network Security Protections when not in the office…

So in a previous life, I worked for a large enterprise which had many laptop users and a good size remote workforce. When I first took my laptop home for the night, I realized that for one, I could connect to any wireless network… and two I was no longer behind my web filtering servers. This article reminded me of how often this issue is overlooked: Postal Service Suspends Telecommuting

Last Week’s Meetup

We had a couple new faces come out to the kickoff of Nutmeg InfoSec Meetup. We discussed the state of the CT InfoSec community over some beer and pizza. Thankfully we all seem to believe that it exists and just needs a push to get more people involved. We eventually moved over to the classroom for a talk about Shodan.io.  The slides will be posted shortly, but you will get more out of actually checking it out and searching the “Internet of Things.”

If you couldn’t make it out to last week’s meetup, don’t worry!  We plan to do this every month.  We will most likely finish out the year at NESIT Hackerspace, but after the holidays we will look at moving around the State.  If you happen to know of a good location between Hartford and New Haven, let us know!

Looking forward to the next one!