Your Path into Cybersecurity: Be a lifetime learner (S1: Ep10)

A series based on the original 10 step pathway

This industry will require consistent drive and a love for learning. The beauty of it all is that most of what you need or want to know is available free or at low cost on the “interwebz”. The flavors vary, including organized training sites, traditional e-learning/e-books, publications, reading rooms, forums, etc. A few that come to mind are as follows:

  • Cybrary - a platform providing access to high quality, exclusive cybersecurity and I.T. video learning resources;  

  • Humble Bundle - a digital store front. Stay alert for when a bundle related to cybersecurity is available. You can snag a collection of great books for a fraction of the price;

  • Reddit - a discussion site with a variety of groups and threads available for intake, depending on your interest; “We know what reddit is, Q”, said the peanut gallery. But, just in case you didn’t, since I come from a world of no assumptions. 

  • SANS Reading Room  - a collection of published cybersecurity papers, mostly from current practitioners. 

  • Medium - A platform where words matter…and one of my favs. 

  • LinkedIn Learning - A platform for online courses taught by real-world professionals. 

Read/Watch/Learn. Do. 

I’m proud to be part of a community full of folk who are interested in contributing. There is always opportunity to learn from others, and in turn, provide your contribution. 

There are several ways to reap and sow - some that come to mind are as follows: 

  1. Start or contribute to open source projects. To give you an idea of what others are working on, check out some GitHub repos below:

    • Security Showcase - open source projects to help build and operate more secure systems, along with tools for security monitoring and incident response.

    • Awesome Incident Response - a curated list of tools and resources for <drum roll, please> security incident response, aimed to help security analysts and DFIR teams.

  2. Organize and/or participate in meetups

    • Do you even network? ...and I don’t mean on LinkedIn or Twitter. As an ambivert, most of the time, I’d rather go home than to an event, so trust me, I get it. But I realize the value and once I’m there…it’s on.

    • Review the security focused meetups, on, <drumroll please>….meetup.com. Meetups vary, based on your location, of course. 

  3. Publish papers/articles

    • What are you working on? It is probably interesting and we could probably learn from you. So, publish!

    • Jump into discussion board topics (oh, you can only do that on Facebook/Instagram…hmmm, I see you, ok)

    • Submit a talk - You learn more when you have to present and/or talk about a topic. So pick one with which you connect and bring your prowess to the discussion.

  4. Be open-minded. 

    • There is always someone who can/will benefit from your experience. This is something of which I have to consistently remind myself. 

    • Approach all situations with an open mind. There is always something to learn. 

    • Seek understanding in areas outside of your discipline. For example, I’ve been working in Information Security for over 10 years. However, I find that studying psychology makes me a better responder, leader, and mediator, amongst other things.

If you consider yourself to be a lifetime learner, you’ll remain in a position to be open and receptive to new ideas, perspectives, and opportunities. Security is a WE sport, and it is important that we continue to create, collaborate, and contribute.

Your Path into Cybersecurity: Mentor and be mentored (S1: Ep9)

A series based on the original 10 step pathway

To be a mentor and be mentored is an important part in securing your path. This doesn’t always need to occur in the traditional sense (aspiring professional seeks out experienced professional). While that is still a viable path, it isn’t THE path. In this digital age, if knowledge is what one is seeking, much of what we need and want to know is within reach. Whether it be books, online courses, workshops, forums, blog posts or other community channels -  this is the Information Age; and many successful people document parts of their journey which impart their experiences, wisdom, etc. 

These are not replacements for relationship building. However, mentorship can come in many forms. The older I get, the younger are my teachers. We can all learn from one another. A few years ago, I participated in a “reverse mentorship program”, where as a budding executive, I reverse-mentored a senior executive. He concluded one of our sessions by saying “I learned as much from you as you did me”.

So, next time you feel like you want a mentor, consider some core outcomes you are looking to satisfy by spending your most valuable asset with someone, and asking them to spend theirs with you. 

  1. Contemplate what you can provide to your prospective mentor - Conduct some preliminary research on your prospect, identify their strengths and possible areas where you can assist. Perhaps they have stellar expertise in a particular discipline, but a poor digital presence. Perhaps, you are diligent about yours and can offer assistance in this area. Wow - we’ve just discovered opportunity. While providing a need to your mentor, you will also be a sponge and soak up all that you find necessary. Your conversations will be different when you are offering a service. Remember the reverse-mentorship I mentioned above? You can be as much of an asset to your mentor as he/she is to you; and if he/she finds you to be an asset, you can surely 10x your growth opportunity vs the traditional mentorship model. 

  2. Go in with clear outcomes - Your mentor will be happy to know that you have a strategy and see this opportunity as a stepping stone. It’s simply not enough to say, “I would love to pick your brain” or “Can you mentor me?”. People like to help those who help themselves. You don’t need to have all the answers (none of us do), but at least a strategy. For example, if I admire someone’s leadership style and how they’ve built their business, I would be interested in understanding how they consider their people (this is huge for me), their business strategy, efficiencies they’ve built into their business, how they find growth opportunity, and measure success. With that in mind, I can easily develop questions and data points that could drive my focus with this individual.

  3. Leverage the relationship - if your new mentor is connected with someone else you’d like to know for a particular reason, request an introduction. But again, be methodical in your approach. Recognize that you are now representing your mentor as well as yourself. A person of integrity values their reputation, thus will think twice when vouching for someone. Help them to see the connection as a fruitful gesture and one that will help make them look good as well.

The aforementioned list is not all-encompassing, but should steer you in the right direction along the journey of securing your path; and always remember to pay it forward.

“You will get all you want in life, if you help enough other people get what they want.” - Zig Ziglar.

Your Path into Cybersecurity: Stop being such an introvert, already (Series 1: Ep 8)

A series based on the original 10 step pathway

Stop being such an introvert, already! I know it is hard, but in this industry, like many others, it is mostly about who you know. Building that community allows one to learn and share, to build courage, trust and keep connections open and warm for when they are needed.  

Some of us thrive in this arena and it’s not necessarily about being an “introvert” or “extrovert”. Coming from a social introvert (me), I understand that proactive networking may not be the most exciting thing on some of our to-do lists. Personally, I connect quite well with people. I like to believe that I have great energy and a particular flair, which contributes to the ease of conversations. However, to be honest, networking events exhaust me; so a fan, I am not. But, in my opinion, true networking comes from being of value to others. If you are of value to others, they will remember you, connect you and promote you. They will promote you, even when you are not in the room - now, that’s the kind of networking I like. There is a saying, “You will get all you want in life, if you help enough other people get what they want.” - Zig Ziglar.

You should “network” when you don’t need anything, so when you do, it is not uncomfortable. A simple “hey, long time no speak; how are you?”, a link to something they would like, etc. I don’t consider myself a connector, but once connected, I maintain it. This is a key point for me, as the Universe has blessed me with friends (strong connections) that are what I consider to be connectors - they are social butterflies, they tell others about me and me about others and facilitate connections. However, traditionally, I have strong and weak connections that have stayed intact, but not because of my doing - because of theirs.


Every time someone would call, text or email, I’d say to myself, wow - I need to reach out more. I’m still not great at this, but I am improving. I try to set a small amount of time aside for reaching out, setting dates for re-connection, etc. - pick a few people and spend 10 minutes sending out pings. A small effort for a great reward of keeping a connection alive.


When someone you know lands a job or starts a company where they are building out a team, who do you think they call to help fill the roles? <drum roll> their weak connections - the people they’ve worked with in the past, the smart people on their Slack channel, their colleagues’ connections, etc. Weak ties bridge networks, so keep them alive.

Get out there, check out security related events on Meetup, follow some cool people on Twitter - here is a list, submit and present on a topic - you’ll meet a ton of people by providing value to others. Also, check out The Power of Weak Connections. 

My thoughts and musings are always of my own and not necessarily shared by my employer. :)

Your Path into Cybersecurity: “PoC your Skills” (Series 1: Ep 7)

A series based on the original 10 step pathway

In my original post, I mentioned PoC’ing your skills as a necessary component to securing your path. So, bear with me while I break this down. 

PoC your Skills…and by PoC, I mean, 'Proof 👏🏽of 👏🏽Concept 👏🏽' 

Glossary: 

Proof - evidence or argument establishing or helping to establish a fact or truth of a statement;

Of - expressing the relationship between a part and a whole;

Concept - an abstract idea; a general notion;

Skills - the ability to do something well; expertise

I listed the aforementioned terms, not in a comedic manner nor to discredit any reader’s ability to formulate words and their meaning, rather to dissect frequently used terms and the underlying value of conducting a PoC. 

On any journey, especially one embedded within Cybersecurity, educating oneself is a major part of that experience.

You can go to school (or back to school), read more books, listen to more lectures or podcasts, attend more conferences and meet-ups, and if you never actually turn any of that theory into practice, you DON’T HAVE SKILLS.

So make it a habit to merge the theoretical with the practical…and what better way of doing so than working on some sort of project that you can call your own (or partially your own). The InfoSec community is quite awesome and I’m really glad to be a part of one that welcomes all hungry, willing and smart participants. So, take advantage of it - soak up all that you can from the community and in return, give back. Perhaps you sponge a great deal of knowledge for a year, work on some project(s) of your own and once you are comfortable, contribute to larger scale projects or offer your own to the community.

Project based learning has been proven to be more effective than passive learning. Passive learning does not prepare one for the real world; project based learning does. So, work on a project of interest, based on a challenge you face; create the solution and share it. It also acts as an assistant to building a portfolio of knowledge assets. These assets compound, as you become more equipped. By working through or completing projects, you become more resourceful and you can demonstrate the theoretical knowledge you’ve amassed. This may be the tipping point in an interview process that leads an employer to choose you over your competition. Not only did this help me in landing my first internship, but it is also one that I use to this day in my interview process. I want to see what candidates have created, I want to know where you failed, how you used those lessons, how you regrouped and redirected the energy, did a new idea evolve out of the “mishap”? If one hasn’t made any mistakes or screwed up on the job or on a project, then you simply haven’t done enough. You’ve been playing it safe and I’m not impressed.

Napoleon Hill said, “Tell the world what you intend to do, but first show it!”

Your Path into Cybersecurity: “Yes, coding is important” (Series 1: Ep 6)

A series based on the original 10 step pathway

It’s been a while since my last post - hey, ya girl has been busy! But I plan to expedite the remaining 4 topics in this series.

I’m often asked, “Do I need to know how to code to work in Cybersecurity?” The short answer to this is yes and no. It all depends on the area of InfoSec (and I use this interchangeably with Cybersecurity) in which you are interested. Either way, it will only help. In many disciplines of the field, it will be a powerful skill. Your skill level can also vary and that is ok. 

Let’s take a moment to think about some areas of the industry where coding will serve you in a meaningful way:

  • Incident Response

  • Malware Analysis

  • Reverse Engineering (duh!)

  • Penetration Testing

  • Web Application Security

  • DevSecOps

As defenders, we have many doors to secure, so automation is key - we need all the help we can get. Automation may come into play when integrating toolsets, triaging events, such as sending suspicious files to a sandbox or checking domain/IP reputation. It may also assist in your response efforts, such as automating the ability to globally block hashes. Your coding skills can be very beneficial in this area. 
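As an added illustration of the triage automation described above (this is not code from the original post), the sketch below parses alert lines, normalizes the file hashes, skips internal destinations that should never be sent to an outside reputation service, and builds a hash block list. The alert format, the `SAMPLE_REPUTATION` table (a local stand-in for a reputation or sandbox service) and all function names are assumptions made for the example.

```python
import ipaddress
import re

SHA256_RE = re.compile(r"\bsha256=([0-9a-fA-F]{64})\b")
FIELD_RE = re.compile(r"\b(host|dst)=(\S+)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts, not real telemetry. External addresses come from
# the documentation ranges; the hashes are made-up hex strings.
SAMPLE_ALERTS = [
    "host=ws-17 file=invoice.exe sha256=" + "a1" * 32 + " dst=203.0.113.10",
    "host=ws-17 file=invoice.exe sha256=" + "A1" * 32 + " dst=10.0.0.5",
    "host=ws-22 file=notes.txt sha256=" + "b2" * 32 + " dst=198.51.100.7",
    "host=ws-30 file=setup.msi sha256=" + "c3" * 32 + " dst=192.0.2.44",
    "host=ws-41 file=tool.exe sha256=" + "d4" * 31 + "d dst=999.1.1.1",
]

# Constructed verdicts: a hypothetical local table standing in for whatever
# reputation or sandbox service a team actually queries.
SAMPLE_REPUTATION = {
    "a1" * 32: "malicious",
    "203.0.113.10": "malicious",
    "198.51.100.7": "suspicious",
}


def parse_alert(line):
    """Pull host, destination and a lower-cased SHA-256 out of one alert line."""
    fields = dict(FIELD_RE.findall(line))
    match = SHA256_RE.search(line)
    return {
        "host": fields.get("host"),
        "dst": fields.get("dst"),
        "sha256": match.group(1).lower() if match else None,
    }


def is_internal(addr):
    """True for loopback and RFC 1918 addresses; ValueError if malformed."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in RFC1918)


def triage(alerts, reputation):
    """Return a hash block list, flagged external IPs and hosts to review."""
    result = {"block_hashes": set(), "flagged_ips": {}, "hosts_to_review": set(),
              "skipped_internal": 0, "rejected": []}
    for line in alerts:
        alert = parse_alert(line)
        if alert["sha256"] is None:
            result["rejected"].append("bad or missing sha256: " + str(alert["host"]))
        elif reputation.get(alert["sha256"]) == "malicious":
            result["block_hashes"].add(alert["sha256"])
            result["hosts_to_review"].add(alert["host"])
        dst = alert["dst"]
        if dst is None:
            continue
        try:
            internal = is_internal(dst)
        except ValueError:
            result["rejected"].append("malformed dst: " + dst)
            continue
        if internal:
            # Internal addresses are not looked up: no verdict exists for
            # them and the query would leak internal addressing.
            result["skipped_internal"] += 1
            continue
        verdict = reputation.get(dst, "unknown")
        if verdict != "unknown":
            result["flagged_ips"][dst] = verdict
            result["hosts_to_review"].add(alert["host"])
    result["block_hashes"] = sorted(result["block_hashes"])
    result["hosts_to_review"] = sorted(result["hosts_to_review"])
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ALERTS, SAMPLE_REPUTATION).items():
        print(key, "=", value)
```

The two hash sightings that differ only in letter case collapse into one block-list entry, and the malformed fifth alert lands in `rejected` instead of stopping the run.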

If you are a responder, analyzing malware will be a necessity; so understanding it beyond dynamic analysis is advantageous. As you may know, malware may not run as intended in certain environments. Analyzing the malware statically will afford you the ability to step through the code, identify where certain activities should occur, work around encryption routines, etc. It can be beneficial at very basic levels to simply understand the flow or on a more advanced level, such as reverse engineering. I can hear folk saying “But I can use <insert cool malware analysis tool>”. Yes, of course. However, in my opinion, tools should be used to help enable and for efficiency. To use them without understanding core concepts is like using a calculator without understanding math. A team of Responders is best with a diverse set of skills, so not everyone on the team will need a deep understanding of Assembly language.

As a PenTester, you will use code to craft exploits or write scripts to make your offensive activities more efficient. When you “pop” a box, you may want to take advantage of the shell resident on the machine or add code to a compromised web server. With creativity, the possibilities are endless. 

In working with the Web Application teams, at the least, you will need to review code to ensure security best practices are being adhered to. You’ll need to understand how flaws in the code lead to vulnerabilities and how to fix them.

On the opposite end of the spectrum, coding is not as much of a necessity if you are interested or working in an area, such as Compliance/Governance. A role within this discipline will be less technical and focused on high level policies and reporting. So, yes, you can skip the coding course, if you'd like to focus your efforts along this line. 

These are just a few areas in which those coding skills could be put to use. If you are wondering what language you should learn - I would hedge my bet on Python for interpreted languages or C for mid-level. I don’t have a huge amount of experience with it, but Go looks pretty interesting and I’d like to spend some time with it. Check out Learn Python and Python for Security.

Have fun Securing Your Path!

Your Path into Cybersecurity: “yes, but/and…” (Series 1: Ep 5)

A series based on the original 10 step pathway.

Cybersecurity tends to be considered an operational expense to a company, as it is not income generating. However, we do save the company money, reputational damage, etc., if done properly. But, at the end of the day, we are not the business! We support the business; and in supporting the business, we have to learn to work with and not against.

Take time to learn the business, how it operates, what is important and the best way to secure it. This approach allows us to "yes, but(or and)...", instead of no. If we understand what the business or business units are trying to achieve, we should be in a better position to build security into it.

In Sales, they are taught to say, "yes, but (or and)..." instead of no. This leaves opportunity to suggest alternatives rather than turning down an idea. We can learn a great deal from that approach. For example, if the business wants to move towards the 'cloud' but Security folk, being ultra apprehensive, advise against it - what does this do? Does it get us closer to a more secure organization? Many times, it leaves a business to accept a certain amount of risk and move forward with their plan - most likely without the guidance of the Security team. What if the Security team mentioned that if moving to the cloud has a significant advantage for the business, the teams (including Network and Application teams) should consider a 'zero trust model'? This may spark additional conversation and lead to projects which will increase the security posture of the organization.

My point in saying this is that the Security team should welcome new ideas and approaches to doing business, work to understand the end goal and why it is important, and determine the best security measure(s) to be implemented. This approach makes the Security team a partner in the game, instead of the team that gets engaged when something goes observably wrong. We all know it is typically a tad bit late at that point.

We aren't the gatekeepers (or maybe we are). But let's focus on building security in from the onset!

Your Path into Cybersecurity: Hone in (Series 1: Ep4)

A series based on the original 10 step pathway.

Carving out your little corner in this industry is quite important. In a world that is ever so dynamic, it helps to have a specialization. This allows one the ability to focus and expand one's knowledge in a particular area.

But before you do that - how do you know which area you'd like to focus on?

This can be a difficult decision for many people and for others they are thrown into a particular area. Let's stick to the basics on this - how does one find answers? No, this is not a trick question. We find answers by first asking questions. So, let's break this down.

Check out the 'Find Your Focus' mindmap I put together, based on fundamental questions one could ask of themselves.

Each branch of the mindmap asks a couple questions related to a particular discipline within Cybersecurity.

[Image: 'Find Your Focus' mindmap]

If you can answer these questions, you'll be more equipped to align your interests with a specific field.

From there, it is up to you to seek out opportunities, people in some of the aligned areas and projects on which you could work. Be strategic and intentional in your pursuit. Tell others about your interests, tell them about your plans and what you are working on. People love to help those that are helping themselves.

So, whatever path you choose, give it your best, take what you can from the experience and continue to grow. Remember, if you are not uncomfortable, you are not growing; and if you are not growing, you, my friend, are stagnant...and who wants that?!

If you find any more of my articles helpful, I'd love to hear from you!

Your Path Into Cybersecurity: Familiarization (Series 1: Ep3)

A series based on the original 10 step pathway

Hey guys, I'm back with point three. As stated therein...

"Familiarize yourself with the many disciplines in the field - It is hard for me to answer questions about getting into the field, when one does not have an idea of the area in which they’d like to focus. Do you want to be offensive or defensive, project focused, or on the front-lines, reactive or proactive? Guess what? There are also areas that are not technically focused. For a list of disciplines within the field, check out the Cybersecurity Workforce Framework."

Familiarizing yourself with many disciplines in Cybersecurity does not mean you need to try to be a master of them all - who can do that?! With an industry as dynamic as a growing child, it is best to gain a base level of knowledge across disciplines and hone in on an area of particular interest to you.

What appeals to you is something you need to discover. NICCS provides a helpful framework, through common language, that breaks down the different areas of discipline.

Buzzwords aside - think about what part of the security spectrum you want to focus on; from Security Architecture to Research and Development (and everything in between).

Also, check out, the list of "20 Coolest Careers" posted by SANS (and listed below), which also provides job descriptions, courses available to increase your knowledge in the area, why it is cool, and why it makes a difference...I don't know about you, but I want to make a difference, dammit!

Disclaimer: "Coolest" is subjective and relative, so don't shoot the messenger.

The field is wide and vast, and the industries that are making it a priority are ever growing.

So, happy searching, hunting, analyzing, researching, exploiting, testing, developing, managing, and all the other adjectives that apply to what we do on a daily basis.

I hope this helps. See ya in my next post.

Your Path into Cybersecurity: Understand Networking (S1: Ep2)

A series based on the original 10 step pathway

To “Understand Networking” was the 2nd point in my original 10 step pathway article.

Networking is a fundamental component of Cybersecurity. How can one protect a network that one doesn’t understand? <I’m out in cyberspace waiting on the answer>...still waiting.

So, some people may be thinking - “Ok, computer networks, got it! But what exactly do I need to know?” Well, there is a great deal to explore, and the depth of your knowledge will only make you that much more desirable. I can't tell you the best mode for you, as we all have different learning styles. But remember, the development of computers began in the 1950s; and there has been much iteration and innovation since then -- I think this is debatable. I actually think we experienced slow and steady growth, then a surge in innovation. But, I digress.

Understanding basic concepts, such as, the OSI model, protocols (e.g. TCP/IP, DHCP, ARP, ICMP, HTTP, FTP) will give you a foothold on how networks function under the hood. It’ll allow you to discern how packets are being transmitted and if typical methods of transmission are being used. You’ll be able to identify how data moves across stacks, and if traffic you are observing follows expected RFC (IETF Request For Comment) standards.
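To make the point about checking observed traffic against the RFCs concrete, here is an added example (not part of the original post) that parses an IPv4 and TCP header and reports fields that fall outside what RFC 791 and RFC 9293 define or what a conforming TCP would send. The packets are constructed in the code, the function names are hypothetical, and checksums are deliberately not verified.

```python
import struct

IP_FMT = "!BBHHHBBH4s4s"   # IPv4 header without options, 20 bytes (RFC 791)
TCP_FMT = "!HHIIBBHHH"     # TCP header without options, 20 bytes (RFC 9293)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def build_packet(flags, ihl=5, total_len=None, data_offset=5):
    """Build a constructed IPv4+TCP packet for testing (checksums left at 0)."""
    tcp = struct.pack(TCP_FMT, 49152, 80, 1, 0, data_offset << 4, flags, 65535, 0, 0)
    length = 20 + len(tcp) if total_len is None else total_len
    ip = struct.pack(IP_FMT, (4 << 4) | ihl, 0, length, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return ip + tcp


def check_packet(raw):
    """Return a list of header anomalies; an empty list means none were found."""
    if len(raw) < 20:
        return ["truncated: shorter than the minimum IPv4 header"]
    ver_ihl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack(IP_FMT, raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        return ["IP version field is not 4; not parsed as IPv4"]
    findings = []
    if ihl < 5:
        # IHL counts 32-bit words; 5 words is the smallest legal header.
        findings.append("IHL below 5: header shorter than the 20-byte minimum")
        return findings
    if total_len != len(raw):
        findings.append("IPv4 total length does not match the bytes captured")
    if proto != 6:          # only TCP is inspected further in this example
        return findings
    tcp = raw[ihl * 4:]
    if len(tcp) < 20:
        findings.append("truncated TCP header")
        return findings
    _, _, _, _, off_byte, flags, _, _, _ = struct.unpack(TCP_FMT, tcp[:20])
    if (off_byte >> 4) < 5:
        findings.append("TCP data offset below 5: header shorter than 20 bytes")
    if flags & SYN and flags & FIN:
        # Opening and closing a connection in one segment is contradictory.
        findings.append("SYN and FIN set together")
    if flags & SYN and flags & RST:
        findings.append("SYN and RST set together")
    if (flags & 0x3F) == 0:
        findings.append("no TCP flags set (null segment)")
    return findings


if __name__ == "__main__":
    samples = {
        "normal SYN": build_packet(SYN),
        "SYN+FIN": build_packet(SYN | FIN),
        "null flags": build_packet(0),
        "short IHL": build_packet(SYN, ihl=4),
        "length mismatch": build_packet(ACK, total_len=60),
    }
    for name, pkt in samples.items():
        print(name, "->", check_packet(pkt) or "no anomalies")
```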

You should understand network infrastructure - the resources that enable network connectivity. If you have a grasp on the way infrastructures are set up, you should understand how the hardware and software of your network work together to allow communication flow, organization and management of the enterprise - within and between intra, inter and external networks.

With that, you’ll be able to ascertain why communication is occurring between certain IP addresses, why traffic is being off-loaded to another server and a host of other important types of activity on your network.

Think about it - a network designed for high availability, which is true for most enterprise networks, should be highly available, fault tolerant and redundant. If you understand how your network is set up to achieve these goals, you should have much of the information you need to be in a better position to protect it.

There are tons of free resources online to get you up to speed on your networking knowledge. However, my favorite suggestion is to work on a project to reinforce theoretical concepts.

So, cue project proposal. If you are just starting out, build a small home lab. Check out all the home labs with varied complexity at /r/homelab/.

I promise not to wait a whole month before writing Ep 3. Geez! Time waits for no one.

Your Path into Cybersecurity: Ask Yourself (S1: Ep1)

A series based on the original 10 step pathway

As stated in my last article, if there was enough interest, I would make this a series. So guess what - series, it is! I’ll break down each of the high level topics I mentioned in the first article. If you don’t remember or did not read it, you can catch up here.

To summarize, the 1st point was “Ask Yourself - can I work well under pressure and can I deal with the ebbs and flows of a highly dynamic industry?”

 

What does this mean?

Incident Response, for example, is often compared to a fire drill. It’s like ummm, what happened here, I need this, have to analyze that, I need to provide a status update to stakeholders, my colleague needs assistance, and so on, and so on…

Whoa…that’s some stir crazy, squirrel chasing type behavior.

I’m sure you can understand the need for a calming force - one who is knowledgeable, can set expectations, delegate appropriately and keep the incident flowing. This skill is beyond pure technical abilities. This individual encompasses technical prowess, strong communication skills, leadership abilities, conflict management and influence. Go you, you unicorn.

Additionally, due to the dynamic nature of the industry, I believe individuals that function well with identifying and working on new problems on a consistent basis thrive and can survive a lucrative career.

How do you become one of these unicorns?

I know, you thought they were mythical creatures. However, proper training with regards to the aforementioned qualities can be delivered. It’s just up to you to seek it out, if it does not come naturally. Think about that one colleague on your team that commands an incident, that seems so calm amidst the madness, that keeps you all on track. Talk to him/her - ask their advice. More often than not, it is fear, confidence, and non-existence of accountability that stand in the way of your ability to level up in this arena. So, toss those feelings aside and live outside your comfort zone for a while. You will soon find that you are now comfortable.

I’m interested in helping more women secure their path into Cybersecurity. If you are a woman interested or looking to transition into the field, feel free to reach out to me.

As always, all views are those of my own and do not necessarily reflect those of the company for which I work.

Your Path into Cybersecurity

I’m often asked how should one get started in Cybersecurity. I could probably write a multi-page article on this, but TLDR. However, here are 10 tips when considering a career in the field.

 

  1. Ask yourself - can I work well under pressure and can I deal with the ebbs and flows of a highly dynamic industry?

  2. Understand Networking. Prior to the term “Cybersecurity” and universities offering a major for the field, SMEs (Subject Matter Experts) came from Networks, Infrastructures, etc. and had a keen interest in Security. You can’t protect a network that you don’t understand.

  3. Familiarize yourself with the many disciplines in the field - It is hard for me to answer questions about getting into the field, when one does not have an idea of the area in which they’d like to focus. Do you want to be offensive or defensive, project focused, or on the front-lines, reactive or proactive? Guess what? There are also areas that are not technically focused. For a list of disciplines within the field, check out the Cybersecurity Workforce Framework.

  4. Build a base level knowledge bank across several disciplines of Information Security - Then hone in on a particular discipline. Know enough about a particular area of the industry, to where when people need help, they come to you.

  5. Learn to say “yes, but…”, instead of no! This is something I learned from a close friend who was in sales. He always said “yes, but”; even when he did not quite know how he would deliver. This ideology forces security folk to think beyond the innate security components and understand the business, and what it would take to put forth a business driven, but security focused product/service.

  6. Yes, coding is important. I’m often asked, “Do I need to know how to code to work in Cybersecurity?” The short answer to this is yes and no. It all depends on the area of InfoSec in which you are interested. Either way, it will only help. In many disciplines of the field, it will be a powerful skill. Your skill level can also vary and that is ok. As defenders, we have many doors to secure, so automation is key - we need all the help we can get. Your coding skills can be very beneficial in this area. If you are a responder, analyzing malware will be a necessity, so understanding it beyond dynamic analysis is very helpful. As a PenTester, you will use code to craft exploits or write scripts to make your offensive activities more efficient. These are just a few areas in which those coding skills could be put to use. If you are wondering what language you should learn - I would hedge my bet on Python. Check out Learn Python and Python for Security.

  7. PoC your Skills - Oh you got skillz?! Create a project - whether it be community focused, specifically for work, or for your own internal arsenal. This will allow you to gain a deeper understanding in the area, work through some real world issues, testing and implementation. Not only could it be beneficial to your upskilling; but it could also act as proof to a prospective employer or client that you know what you claim.

  8. Stop being such an introvert, already! I know it is hard, but in this industry, like many others, it is mostly about who you know. Building that community allows one to learn and share, to build courage, trust and keep connections open and warm for when you need them. Check out security related events on Meetup and follow some cool people on Twitter - here is a list. Also, check out The Power of Weak Connections.

  9. Mentor and be mentored - I believe in the saying “be somebody before you say you need somebody”. This boils down to proving yourself and bringing something to the table before expecting it from others. People in the industry are more than willing to help those that also prove themselves to be resourceful.

  10. Be a lifetime learner - This industry will require consistent drive and a love for learning. The beauty of it all is that most of what you need to know or would want to know is available free of charge on the interwebz. The community is full of folk who are interested in contributing, so there is always opportunity to learn from others and in turn, provide your contribution. People tend to ask, “Do I need certifications?” I’m of the mindset that thought provoking questions can be more powerful than answers. So, what are you trying to achieve by getting a certification and what is the potential value of attaining it? Are they helpful - yes, they can be. If you earn the right certification, it can prove to the world that you are knowledgeable in that particular area. However, that is not the only way to prove your skillset. Certs also tend to be expensive. But expensive is relative. So, for example, if a $5k training and cert yields you a $10k raise, it is more than worth it. What is the opportunity cost? That is what you should consider. I have 5 certs, so it is safe to say, I think they are valuable. However, mine were all employer paid - so the decision on worth, if self paid, is much different. Check out SANS, for a list of training opportunities and the accompanying GIAC certifications.


 

You may have to fight a battle more than once to win it

- Margaret Thatcher