How To Make A Fortune in INFOSEC (or S/W Development)

1
How To Make A Fortune in INFOSEC (or S/W
Development)
DISCLAIMER: Some of the views and opinions
expressed in this presentation are the presenter's
alone, and may or may not reflect or align with
the organization's policies, and certain sections of
the material should not be viewed as an official
enforcement by any organization or person. This
presentation may be freely distributed.
October 22, 2010 Kurt R. Schmeckpeper, CISSP, GCIH
2
DISCLAIMER
  • The thoughts, statements, and ideas presented
    here are not representative of or claimed by
    Motorola or any past employer, ASU and their
    faculty, or anyone else you might meet, and they
    are in no way responsible or liable for them.

3
Brief Professional Resume
  • BSEE, MEE Okla. State University - 1975
  • NASA, Houston, Texas 1975 to 1996
  • Space Shuttle SW Developer & Flight Controller
  • Space Station (US & Russian) System Design
  • Tomahawk Cruise Missile SW Tester (St. Louis)
  • Apache Helicopter System Tester (Mesa, AZ)
  • Engineer, Motorola INC. 1996 to present
  • Chandler Arizona, Basingstoke UK, Copenhagen DK
  • Iridium SW Tester then Test Manager
  • Authentication Centre Test Manager
  • Information Assurance System Designer & Analyst

4
Current Job Role
  • Educator & System Designer
  • Bringing the gospel of Information Assurance and
    Computer/Network Security to the masses
  • Designing IA into our Private Radio Systems that
    we sell to Government agencies.
  • Consulting on IA with other Corporate Product
    Teams

5
Brief Personal Resume
  • Bay Area Comm. on Drugs & Alcohol Abuse Crisis
    Help Line 1977-1980
      • Volunteer, Trainer, Board of Directors
  • Galveston Co. Fair & Rodeo 1981-1996
      • Computer Geek, Secretary, Treasurer, Board of
        Directors
  • Greater Corona Home Owners Assoc. 2000-2004
      • Contracts Mgr., Secretary, Board of Directors

6
How to Be Wealthy
  • Have Rich Parents
  • Marry a Rich Spouse
  • Win the Lottery
  • Become a Successful Black Hat
  • Work as a White Hat (this presentation)
  • YOU WILL MAKE YOUR OWN CAREER!
      • Others may help, but it's ALL ON YOU!

7
What is INFOSEC (from ISC2)?
  • Access Controls
  • Telecommunications and Network Security
  • Information Security and Risk Management
  • Application Security
  • Cryptography
  • Security Architecture and Design
  • Operations Security
  • Business Continuity and Disaster Recovery
    Planning
  • Legal, Regulations, Compliance and
    Investigations
  • Physical (Environmental) Security

8
Technical Skills You Should Have
  • LEARN the Operating System
  • LEARN the Coding Language
  • LEARN Assembler & Shell Coding
      • The Art of Assembly Language by Randall Hyde
      • www.ollydbg.de (an Excellent Disassembler)
      • www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html
  • LEARN Metasploit www.metasploit.com
  • Consider becoming Certified (CISSP or CEH)

9
Occupations using these skills
  • Penetration Tester
  • Incident Handler
  • Secure Software Development & Test
      • When you can Hack your own code, you know that
        you have to make it more secure
  • Cyber Warrior (DoD needs 3000)
  • Auditor
      • Additional training in whatever standard you are
        auditing against is required

10
What Else Should You Know?
  • Learn English Grammar, Syntax, Punctuation
      • unless for a Foreign company, then substitute the
        official language for English
  • Learn Social Engineering
      • How to Listen/Motivate/Evaluate People
  • Pick a Technical Specialty or two
      • But then become a Generalist
  • Be as Technology Agnostic as Possible
      • Don't be a Fan boy or girl for any technology
        unless you are going into SALES as a Career
  • Learn PowerPoint and Public Speaking
      • Join Toastmasters for the practice and the
        connections

11
If you want a MGMT career
  • Learn some FINANCE stuff
      • Start with an Engineering Economics textbook
      • You don't need to be an MBA
      • Unless you aspire to be a CISO
  • Learn some Project MGMT tools
      • Microsoft Project is a good one
  • Learn how to play Golf
  • Learn about Cultures other than yours

12
Prior to Post-Graduation
  • If you know the job you want, go after it!
  • Otherwise, search until you see an appealing job
  • If your job hunt is not immediately successful,
    consider volunteering at a Charity or Hacker
    Space, while you keep looking
  • Or consider getting a Masters Degree
  • Or consider the Armed Forces
  • Keep learning new skills & practicing old ones

13
Your First Job
  • Lower rungs of the tech or mgmt ladder
  • Unpaid Overtime is Expected
  • When offered company training take it
  • Expect to make Mistakes
      • Learn from them
  • Be friendly to the Admin Asst (Boss' Secretary)
  • Do your Job well before you Volunteer to take on
    new jobs, unless your boss asks you to take it

14
Your First Job (continued)
  • Sign up for:
      • ALL the Health & Life Insurance they offer
          • It's the cheapest you will ever buy
      • 401-K
          • at least to get the full company match
      • Savings Plans or Company Stock Plan
          • as much as you can afford

15
Your First Job Attitudes
  • Read the HR Policies & LIVE Them!!!!
      • Acceptable Computer Use Policy
      • Information Classification & Handling
      • Cultural Diversity Policy
  • Be Pro-Active in reporting violations of these
    policies (however, discuss it with the person
    first, they may have been ignorant)
  • HR exists to protect the company first and you
    second.

16
Your First Job Attitudes
  • Identify your internal/external Customers
      • It's all about Customer Service
      • Your Boss and co-workers
      • Companies/Groups you deliver to
      • If I received this product, would I be
        Happy/Satisfied with it?
  • Don't date co-workers, customers, or competitors
      • Not a hard and fast rule, but it makes your life
        go smoother.

17
How to Present to MGMT
  • It will probably be in PowerPoint
      • NO Animations
      • The only people that like animations are being
        trained or they are in SALES
  • Problem Statement
      • Clear, Concise, and Why
  • Possible Solutions (no more than the 4 Best)
      • Again, Concise, with Pros and Cons, and Cost
  • Your Recommendation (Optional)

18
First Job After Work Activities
  • Have Fun with some caution
  • Volunteer: Expands your network & Social Circle
  • Learn a new Skill/Hobby
      • Doesn't have to be a work-related skill
      • Woodworking, Plumbing, Computer Repair
      • Dancing, Golf, Bartending, Foreign Language
  • LIVE WITHIN YOUR MEANS!!!!
      • Make a Budget and stick to it.
      • Save for Retirement

19
A Word About Social Networking
  • Social or Business Related (Personal)
      • Facebook: Limit what you post & your network
      • MySpace: see Facebook
      • Linked-In: Strictly for Business & Work-related
        stuff
      • Plaxo: Avoid; Check out their Privacy policy
      • Naymz: Avoid; Check out their Privacy policy
  • Don't friend any boss or co-workers on Facebook
    or MySpace (it's just a bad idea); Linked-In is
    OK.
  • Keep your Work Life and After-Work Life as far
    apart as possible.

20
How To Get Promoted
  1) Do Your Job Very Well (and know the promotion
     requirements)
      • Exceed your Boss' Expectations!
  2) Make Your Boss Look Good
      • When they get promoted, they will be looking for
        a replacement
  3) Transfer to Another Job
      • Repeat 1) & 2) above
      • If your Boss won't cooperate, go to his Boss
      • But make sure you are solid on 1) & 2) above, as
        you may have to do 3)
  4) Live Long Enough
      • Sometimes it's just a matter of being in the
        right place at the right time and knowing the
        right people

21
First MGMT Job
  • When you excel Technically, you will probably be
    promoted to Supervisor. This is not a BAD Thing,
    although it will take you a while to realize it.
  • Alternatively, if you are Totally Exceptional
    Technically, you may want to quit and hire
    yourself out as an Independent Contractor. This
    pays VERY, VERY well, but you will be paying the
    Full Cost of your Benefits Package including both
    sides of Social Security; remember to save money
    to pay your Taxes.
  • 95% of the comic strip Dilbert by Scott Adams is
    REAL LIFE!
  • With Luck, you will be doing 50% MGMT/50% TECH
      • But that rarely lasts two or three months, and
        then it's 90% MGMT/10% TECH
      • Get over it, that's the way LIFE is!!! Learn all
        you can.
  • Your friendly & non-friendly co-workers may be
    reporting to you
      • You have to put some personal distance between
        you and them
      • You will have to evaluate/counsel/mentor/placate/
        motivate them

22
Thoughts on Certifications
  • Passing a Certification exam says that:
      • You have the minimum knowledge to be considered
        for certification (at the time of the test) OR
      • You are very good at taking tests.
  • CISSP - www.isc2.org
      • A mile wide and two inches deep
  • SANS - www.sans.org
      • MGMT, TECH, & Hands On Tech
  • CEH - various
  • See Resource presentation at the end

23
Thank You For Your Time!
  • Questions?

24
Resources
  • How to protect your privacy (11 slides)
  • IA Certifications: should I get one?
      • Compare/Contrast CISSP & CEH
      • Used with permission of the author

25
Should We Expect Privacy?
  • http://www.theregister.co.uk/2008/10/07/symantec_thompson_privacy_bunk/
  • "Consumers ought to accept that loss of privacy
    is the price they pay for using internet service,"
    according to Symantec chief exec John Thompson.
  • Echoing Scott McNealy's opinion that "you have no
    privacy, get over it," the Symantec boss
    expressed surprise that information such as IP
    addresses is regarded as sensitive.

26
So what do we do now? - 1
  • Surf the web with a proxy server
      • www.anonymizer.com
      • www.torproject.org
      • www.the-cloak.com
      • www.megaproxy.com/freesurf/
      • None of these have been evaluated by me except
        analytically

27
So what do we do now? - 2
  • Use encryption (your email & Hard Drive)
      • www.truecrypt.org
      • www.gnupg.org (Free PGP)
  • Turn on/Install, scan and update weekly:
      • Firewall (Windows; ZoneAlarm is better)
          • www.zonealarm.com
      • Anti-Virus (AVG)
          • free.avg.com/download-avg-anti-virus-free-edition
      • Anti-Spyware (Spybot Search & Destroy)
          • www.safer-networking.org/en/download/

28
So what do we do now? - 3
  • Setup many email addresses
      • Don't use AOL or Hotmail
      • GMAIL is OK, but it's a target
      • Use them for different purposes
      • Use a private email address for your close
        contacts
  • Web Browsers
      • Turn off scripting or use Firefox with NoScript

29
So what do we do now? - 4
  • Keep all your software up to date!
      • Get Secunia's Personal Software Inspector (PSI).
        It's Free
      • http://secunia.com/vulnerability_scanning/personal/
      • Use IT!
  • Be Careful Using Bluetooth!
      • Google "Josh Wright Bluetooth Video"
      • or www.ihackforsushi.com

30
Other Things To Be Careful About
  • Internet Kiosks
  • WiFi in Hotels, Airports, Coffee Shops
      • Never check bank balance or shop online
  • ATMs (especially if it keeps your card)
  • Shopping online
      • Use One Credit Card with a low limit
      • Don't use a Debit Card

31
What Do I Do?
  • All of the above plus:
  • Separate computers for work, play, risky
      • One laptop is disposable and has a plug-in
        wireless card that is only used for risky
  • When installing Windows, I use a fake name and
    company
      • Otherwise I use Linux, which doesn't need it
  • I also use LiveCDs and Virtual Machines

32
What Else Can You Do?
  • Educate yourself
      • Learn your Computer, Operating System, and
        programs
  • Read the latest hacking literature at (you might
    have to use Firefox instead of IE):
      • www.defcon.org
      • www.toorcon.org
      • www.shmoocon.org
  • Google Yourself Weekly!

33
Risky Work Defined
  • WiFi in Hotels, Airports, Coffee Shops
      • Unless it's work-related, then I use my work
        laptop with two-factor authentication and a VPN
        encrypted tunnel
  • Checking the security of a neighbor (with their
    permission, of course!)

34
Closing Thoughts - 1
  • In the 2006 Census, there were 225,633,342 people
    in the US whose age was 18 years or older.
  • You will have your PII exposed
      • With luck, you won't lose any money
  • A last quote from Symantec chief exec John
    Thompson:
      • "Businesses have a responsibility to protect
        sensitive data. The public should not expect the
        government to protect them."

35
Closing Thoughts - 2
  • The odds of anyone trying to track you down are
    low!
  • There are trillions of pieces of information
    stored in the ISPs and search engines of the
    world, so your stuff is not easy to find.
  • Your non-online Credit Card History is probably
    more exciting than your web browsing
  • However, if you run for political office, become
    a political agitator or become very wealthy, all
    bets are off!

36
Information Assurance Forum: How and Why to be a
CISSP and CEH
DISCLAIMER: Some of the views and opinions
expressed in this presentation are the presenter's
alone, and may or may not reflect or align with
the organization's policies, and certain sections of
the material should not be viewed as an official
enforcement by any organization or person. This
presentation used with the author's permission.
May 20th, 2010 Gedi Jomantas, CISSP, CEH, CCNA,
CCNP, CCSA, CCSE -> CBSA, AECDM, MCDMMM
  • Outline
  • Nothing matters but your resume
  • Certifications and different schools of thought
  • Not all certifications were created equal
  • Certified Information Systems Security
    Professional - (CISSP)
  • Certified Ethical Hacker - (CEH)
  • Certification value to you and your company
  • Where do you go from here?

37
Nothing matters but your resume
  • ...well, not exactly

...but when your career hits a brick wall,
or
38
Nothing matters but your resume
...when the job winds change, the question is...
...what will your sail look like?
Search CISSP Results: Dice.com - 1050,
Monster.com - 1000
Search CEH Results: Dice.com - 40,
Monster.com - 40
Courtesy Johnklund.com, 123rf.com
39
Certifications and Different Schools of thought
  • Experience
      • 20 years of government experience in secure
        systems engineering, certification and
        architecture
      • BS Business Admin/Mgt, BSEE, MS CS with a focus
        on Secure Systems Engineering
      • 10 security related patents
      • NSA accreditations
  • Complementary, not a replacement!
      • Your buddy does, but HR rep may not know you
      • So you have the piece of paper, hung it on the
        wall
  • Certification vs. Professional Lifestyle
  • vs. Certification?
      • CISSP, CEH, CISA, etc.

now what?
40
Not all certifications were created equal.
Orientation
  • Management vs. Individual Contributor
  • Policy Oriented vs. Technical
      • CISM, CISA, CISSP, CEH, QSA, etc.

Concentration
  • Security Domain
  • Domain Segment
  • Technology Area
  • Industry Specific
  • Vendor Specific
      • Cisco, Microsoft, Nortel, RedHat, Solaris, etc.
  • Provider specific
      • ISC2, EC-Council, SANS, etc.
      • GIAC, CEH, CISSP, etc.

Method
  • Boot camp vs. Self study
  • Classroom vs. CBT
  • On-site, instructor led

41
Certified Information Systems Security
Professional - CISSP
Marketing Alert!
  • The Certification That Inspires Utmost
    Confidence
  • If you plan to build a career in information
    security, one of today's most visible
    professions, and if you have at least five full
    years of experience in information security, then
    the CISSP credential should be your next career
    goal.
  • The CISSP was the first credential in the field
    of information security, accredited by the ANSI
    (American National Standards Institute) to ISO
    (International Organization for Standardization)
    Standard 17024:2003.
  • CISSP certification is not only an objective
    measure of excellence, but a globally recognized
    standard of achievement.

42
Certified Information Systems Security
Professional - CISSP
  • The CISSP Domains Include:
      • Access Controls
      • Telecommunications and Network Security
      • Information Security and Risk Management
      • Application Security
      • Cryptography
      • Security Architecture and Design
      • Operations Security
      • Business Continuity and Disaster Recovery
        Planning
      • Legal, Regulations, Compliance and
        Investigations
      • Physical (Environmental) Security

http://www.isc2.org
  • CISSP certification pre-requisites:
      • Professional experience in two or more of the
        CISSP domains
      • Minimum 5 years of experience in information
        security
      • Complete the Candidate Agreement, attesting to
        the truth of his or her assertions regarding
        professional experience, and legally commit to
        adhere to the (ISC)2 Code of Ethics
      • Successfully answer four questions regarding
        criminal history and related background

43
Certified Information Systems Security
Professional - CISSP
  • Additional CISSP Concentrations
  • Information Systems Security Architecture
    Professional (CISSP-ISSAP)
      • The six domains of the CISSP-ISSAP CBK are:
          • Access Control Systems and Methodology
          • Communications & Network Security
          • Cryptography
          • Security Architecture Analysis
          • Technology Related Business Continuity Planning
            (BCP) & Disaster Recovery Planning (DRP)
          • Physical Security Considerations
  • Information Systems Security Engineering
    Professional (CISSP-ISSEP)
      • The four domains of the CISSP-ISSEP CBK are:
          • Systems Security Engineering
          • Certification and Accreditation (C&A)
          • Technical Management
          • U.S. Government Information Assurance (IA)
            Governance (e.g., laws, regulations, policies,
            guidelines, standards)

44
Certified Information Systems Security
Professional - CISSP
Getting a CISSP (Author: Kerry Thompson): think of
it as a journey ...
  • Myth 1: A CISSP certification is easy. Well, some
    people may think that it is easy. Most people
    find it hard work: you need to have at least 3
    years in IT security before you even apply for
    the exam. You need to cover an extremely broad
    landscape of IT security - many areas, such as
    physical security, few people will have any
    experience in. And you'll need to do a fair bit
    of reading and studying to get through that exam:
    250 questions to answer in 6 hours isn't much
    fun.
  • Myth 2: Once you get it, just sit back and
    relax. No. Once you pass the exam you need to earn
    CPE credits in order to keep your certification.
    If you don't then you'll need to resit the exam
    after 3 years to keep the certification. Getting
    CPEs is fairly straightforward: if you publish
    papers, attend seminars, do some presentations,
    and basically remain active in the IT security
    arena then you should have no problem here. But
    it takes a little work: this isn't a get-it and
    forget-it sort of certification.
  • Myth 3: You'll get more money/better job/more
    recognition. In actual fact, you probably won't.
    I've found (at least here in New Zealand) that
    many employers and even employment agencies have
    no idea what a CISSP is. They tend to think in
    terms of the product-certifications, you know,
    the Cisco CCNA and Checkpoint CCSE sort of thing.
    They have no idea that you need 3 years of
    experience to get a CISSP, and they have no idea
    that it is an ongoing professional-level
    certification like a CPA (Chartered Accountant).
    Ergo, you probably won't get a better job or more
    money from waving your CISSP certificate around.
  • So, why would you want a CISSP?
    It's not easy to get, it takes maintenance, and
    may not gain you much. Why would you want to go
    through all that hassle? Here's some good
    reasons:
      • To expand your knowledge in security concepts and
        practices.
      • To show a dedication to the security discipline.
      • To meet a growing demand for security
        professionals, and to work in a thriving field.
      • To join a professional organization and to link
        up with like-minded individuals

http://windowsecurity.com/whitepapers/Getting-a-CISSP.html
45
Certified Information Systems Security
Professional - CISSP
46
Certified Ethical Hacker - CEH
47
(No Transcript)
48
Certified Ethical Hacker - CEH
49
Certified Ethical Hacker - CEH
  • CEH Certification
  • The goal of the ethical hacker is to help the
    organization take preemptive measures against
    malicious attacks by attacking the system
    himself, all the while staying within legal
    limits.
  • Catch a thief, by thinking like a thief. Certified
    instructors will take you through practice exams
    and real world case studies that prepare you to
    become the Security Professional your
    organization can depend on.
  • What is an "Ethical Hacker"? The Ethical Hacker
    is an individual who is usually employed with the
    organization and who can be trusted to undertake
    an attempt to penetrate networks and/or computer
    systems using the same methods as a Hacker.
  • Hacking is a felony in the United States and
    most other countries. When it is done by request
    and under a contract between an Ethical Hacker
    and an organization, it is legal.
  • The most important point is that an Ethical
    Hacker has authorization to probe the target
  • The CEH Program certifies individuals in the
    specific network security discipline of Ethical
    Hacking from a vendor-neutral perspective
  • Skills span across multiple domains: social
    engineering, in-depth technical expertise,
    vulnerability assessment, penetration testing,
    principles of forensic analysis, etc.
  • The CEH certification will fortify the
    application knowledge of security officers,
    auditors, security professionals, site
    administrators, and anyone who is concerned about
    the integrity of the network infrastructure.
  • A CEH is a skilled professional who understands
    and knows how to look for the weaknesses and
    vulnerabilities in target systems and uses the
    same knowledge and tools as a malicious hacker.

50
Certified Ethical Hacker - CEH
  • Other CEH related certifications:
      • Advanced Ethical Hacker
      • Certified Penetration Tester (CPT)
      • Certified Expert Penetration Tester (CEPT)
      • Certified Application Security Specialist (CASS)
      • Certified SCADA Security Architect (CSSA)
      • Certified Data Recovery Professional (CDRP)
      • Certified Reverse Engineering Analyst (CREA)
      • Certified Computer Forensics Examiner (CCFE)
      • Etc.

51
Certification value to you and your company
  • You
      • Opportunity
      • Continuous Professional growth
  • Company
      • Market specific training requirements
      • Mandatory certifications

52
(No Transcript)
53
  • DOD 8570 provides guidance and procedures for the
    training, certification, and management of all
    government employees who conduct Information
    Assurance functions in assigned duty positions
  • DOD 8570 requires that anyone who has access to
    an Information Technology system must be certified
    with one of the external certifications listed.
    This includes contractors and vendors, by 2010

54
Where do you go from here?
  • Assess your career objectives
  • Remember, nothing matters but your resume :)
  • Talk to a CISSP or CEH and decide if it is a
    right certification for you
  • Discuss with your manager if a security
    certification is the right fit for you in your
    current or future roles
  • Understand how security certification aligns with
    your organization's business goals

55
In conclusion...
Keep in mind
sometimes, certification is nothing more than a
56
(No Transcript)