securingyourpath

Your Path into Cybersecurity: Be a lifetime learner (S1: Ep10)

A series based on the original 10 step pathway

This industry will require consistent drive and a love for learning. The beauty of it all, is that most of what you need or want to know is available free or low cost on the “interwebz”. The flavors vary, including, organized training sites, traditional e-learning/e-books, publications, reading rooms, forums, etc. A few that come to mind, are as follows: 

  • Cybrary - a platform providing access to high quality, exclusive cybersecurity and I.T. video learning resources;  

  • Humble Bundle - a digital store front. Stay alert for when a bundle related to cybersecurity is available. You can snag a collection of great books for a fraction of the price;

  • Reddit - a discussion site with a variety of groups and threads available for intake, depending on your interest; “We know what reddit is, Q”, said the peanut gallery. But, just in case you didn’t, since I come from a world of no assumptions. 

  • SANS Reading Room  - a collection of published cybersecurity papers, mostly from current practitioners. 

  • Medium - A platform where words matter…and one of my favs. 

  • LinkedIn Learning - A platform for online courses taught by real-world professionals. 

Read/Watch/Learn. Do. 

I’m proud to be part of a community full of folk who are interested in contributing. There is always opportunity to learn from others, and in turn, provide your contribution. 

There are several ways to reap and sow - some that come to mind are as follows: 

  1. Start or contribute to open source projects. To give you an idea of what others are working on, check out some Github repos below:

    • Security Showcase - open source projects to help build and operate more secure systems, along with tools for security monitoring and incident response.

    • Awesome Incident Response - a curated list of tools and resources for <drum roll, please> security incident response, aimed to help security analysts and DFIR teams.

  2. Organize and/or participate in meetups

    • Do you even network? ...and I don’t mean on LInkedIn or Twitter. As an ambivert, most of the time, I rather go home than to an event, so trust me, I get it. But I realize the value and once I’m there…it’s on.

    • Review the security focused meetups, on, <drumroll please>….meetup.com. Meetups vary, based on your location, of course. 

  3. Publish papers/articles

    • What are you working on? It is probably interesting and we could probably learn from you. So, publish!

    • Jump into discussion board topics (oh, you can only do that on facebook/Instagram…hmmm, I see you, ok)  

    • Submit a talk - You learn more when you have to present and/or talk about a topic. So pick one of which you connect and bring your prowess to the discussion.

  4. Be open-minded. 

    • There is always someone who can/will benefit from your experience. This is something of which I have to consistently remind myself. 

    • Approach all situations with an open mind. There is always something to learn. 

    • Seek understanding in areas outside of your discipline. For example, I’ve been working in Information Security for over 10 years. However, I find that studying psychology makes me a better responder, leaders, and mediator, amongst other things. 

If you consider yourself to be a lifetime learner, you’ll remain in a position to be open and receptive to new ideas, perspectives, and opportunities. Security is a WE sport, and it is important that we continue to create, collaborate, and contribute.

Your Path into Cybersecurity: Mentor and be mentored (S1: Ep9)

A series based on the original 10 step pathway

To be a mentor and be mentored is an important part in securing your path. This doesn’t always need to occur in the traditional sense (aspiring professional seeks out experienced professional). While that is still a viable path, it isn’t THE path. In this digital age, if knowledge is what one is seeking, much of what we need and want to know is within reach. Whether it be books, online courses, workshops, forums, blog posts or other community channels -  this is the Information Age; and many successful people document parts of their journey which impart their experiences, wisdom, etc. 

These are not replacements for relationship building. However, mentorship can come in many forms. The older I get, the younger are my teachers. We can all learn from one another. A few years ago, I participated in a “reverse mentorship program”, where as a budding executive, I reverse-mentored a senior executive. He concluded one of our sessions with saying “I learned as much from you as you did me”.

So, next time you feel like you want a mentor, consider some core outcomes you are looking to satisfy by spending your most valuable asset with someone, and asking them to spend theirs with you. 

  1. Contemplate what you can provide to your prospective mentor - Conduct some preliminary research on your prospect, identify their strengths and possible areas where you can assist. Perhaps they have stellar expertise in a particular discipline, but a poor digital presence. Perhaps, you are diligent about yours and can offer assistance in this area. Wow - we’ve just discovered opportunity. While providing a need to your mentor, you will also be a sponge and soak up all that you find necessary. Your conversations will be different when you are offering a service. Remember the reverse-mentorship I mentioned above? You can be as much of an asset to your mentor as he/she is to you; and if he/she finds you to be an asset, you can surely 10x your growth opportunity vs the traditional mentorship model. 

  2. Go in with clear outcomes - Your mentor will be happy to know that you have a strategy and see this opportunity as a stepping stone. It’s simply not enough to say, “I would love to pick your brain” or “Can you mentor me?”. People like to help those who help themselves. You don’t need to have all the answer (none of us do), but at least a strategy. For example, if I admire someone’s leadership style and how they’ve built their business, I would be interested in understanding how they consider their people (this is huge for me), their business strategy, efficiencies they’ve built into their business, how they find growth opportunity, and measure success. With that in mind, I can easily develop questions and data points that could drive my focus with this individual. 

  3. Leverage the relationship - if your new mentor is connected with someone else you’d like to know for a particular reason, request an introduction. But again, be methodical in your approach. Recognize that you are now representing your mentor as well as yourself. A person of integrity values their reputation, thus will think twice when vouching for someone. Help them to see the connection as a fruitful gesture and one that will help make them look good as well.

The aforementioned list is not all encompassing, but should steer you in the right direction along the journey of securing you path; and always remember to pay it forward. 

“You will get all you want in life, if you help enough other people get what they want.” - Zig Ziglar.

Your Path into Cybersecurity: “Yes, coding is important” (Series 1: Ep 6)

A series based on the original 10 step pathway

It’s been a while since my last post - hey, ya girl has been busy! But I plan to expedite the remaining 4 topics in this series.

I’m often asked, “Do I need to know how to code to work in Cybersecurity?” The short answer to this is yes and no. It all depends on the area of InfoSec (and I use this interchangeably with Cybersecurity) in which you are interested. Either way, it will only help. In many disciplines of the field, it will be a powerful skill. Your skill level can also vary and that is ok. 

Let’s take a moment to think about some areas of the industry where coding will serve you in a meaningful way:

  • Incident Response

  • Malware Analysis

  • Reverse Engineering (duh!)

  • Penetration Testing

  • Web Application Security

  • Dev SecOps

As defenders, we have many doors to secure, so automation is key - we need all the help we can get. Automation may come into play when integrating toolsets, triaging events, such as sending suspicious files to a sandbox or checking domain/IP reputation. It may also assist in your response efforts, such as automating the ability to globally block hashes. Your coding skills can be very beneficial in this area. 

If you are a responder, analyzing malware will be a necessity; so understanding it beyond dynamic analysis is a advantageous. As you may know, malware may not run as intended in certain environments. Analyzing the malware statically will afford you the ability to step through the code, identify where certain activities should occur, work around encryption routines, etc. It can be beneficial at very basic levels to simply understand the flow or on a more advanced level, such as reverse engineering. I can hear folk saying “But I can use <insert cool malware analysis tool>”. Yes, of course. However, in my opinion, tools should be used to help enable and for efficiency . To use them without understanding core concepts is like using a calculator without understanding math. A team of Responders is best with a diverse set of skills, so not everyone on the team will need a deep understanding of Assembly language. 

As a PenTester, you will use code to craft exploits or write scripts to make your offensive activities more efficient. When you “pop” a box, you may want to take advantage of the shell resident on the machine or add code to a compromised web server. With creativity, the possibilities are endless. 

In working with the Web Application teams, at the least, you will need to review code to ensure security best practices are being adhered to. You’ll need to understand how flaws in the code lead to vulnerabilities and how to fix it. 

On the opposite end of the spectrum, coding is not as much of a necessity if you are interested or working in an area, such as Compliance/Governance. A role within this discipline will be less technical and focused on high level policies and reporting. So, yes, you can skip the coding course, if you'd like to focus your efforts along this line. 

These are just a few areas in which those coding skills could be put to use. If you are wondering what language you should learn - I would hedge my bet on Python for interpreted languages or C for mid-level. I don’t have a huge amount of experience with it, but Go looks pretty interesting and I’d like to spend some time with it. Check out Learn Python and Python for Security

Have fun Securing Your Path!