Title: How To Make A Fortune in INFOSEC (or S/W Development)
1How To Make A Fortune in INFOSEC (or S/W
Development)
DISCLAMER Some of the views and opinions
expressed in this presentation are presenters
alone, and may or may not reflect or align with
organizations policies, and certain sections of
the material should not be viewed as an official
enforcement by any organization or person. This
presentation may be freely distributed.
October 22, 2010 Kurt R. Schmeckpeper, CISSP, GCIH
2DISCLAIMER
- The thoughts, statements, and ideas presented
here are not representative of or claimed by
Motorola or any past employer, ASU and their
faculty, or anyone else you might meet, and they
are in no way responsible or liable for them.
3Brief Professional Resume
- BSEE, MEE Okla. State University - 1975
- NASA, Houston, Texas 1975 to 1996
- Space Shuttle SW Developer Flight Controller
- Space Station (US Russian) System Design
- Tomahawk Cruise Missile SW Tester (St. Louis)
- Apache Helicopter System Tester (Mesa, AZ)
- Engineer, Motorola INC. 1996 to present
- Chandler Arizona, Basingstoke UK, Copenhagen DK
- Iridium SW Tester then Test Manager
- Authentication Centre Test Manager
- Information Assurance System Designer Analyst
4Current Job Role
- Educator System Designer
- Bringing the gospel of Information Assurance and
Computer/Network Security to the masses - Designing IA into our Private Radio Systems that
we sell to Government agencies. - Consulting on IA with other Corporate Product
Teams
5Brief Personal Resume
- Bay Area Comm. on Drugs Alcohol Abuse Crisis
Help Line 1977-1980 - Volunteer, Trainer, Board of Directors
- Galveston Co. Fair Rodeo 1981-1996
- Computer Geek, Secretary, Treasurer, Board of
Directors - Greater Corona Home Owners Assoc. 2000-2004
- Contracts Mgr., Secretary, Board of Directors
6How to Be Wealthy
- Have Rich Parents
- Marry a Rich Spouse
- Win the Lottery
- Become a Successful Black Hat
- Work as a White Hat (this presentation)
- YOU WILL MAKE YOUR OWN CAREER!
- Others may help, but its ALL ON YOU!
7What is INFOSEC (from ISC2)?
- Access Controls
- Telecommunications and Network Security
- Information Security and Risk Management
- Application Security
- Cryptography
- Security Architecture and Design
- Operations Security
- Business Continuity and Disaster Recovery
Planning - Legal, Regulations, Compliance and
Investigations - Physical (Environmental) Security
8Technical Skills You Should Have
- LEARN the Operating System
- LEARN the Coding Language
- LEARN Assembler Shell Coding
- The Art of Assembly Language by Randall Hyde
- www.ollydbg.de (an Excellent Disassembler)
- www.safemode.org/files/zillion/shellcode/doc/Writi
ng_shellcode.html - LEARN Metasploit www.metasploit.com
- Consider becoming Certified (CISSP or CEH)
9Occupations using these skills
- Penetration Tester
- Incident Handler
- Secure Software Development Test
- When you can Hack your own code, you know that
you have to make it more secure - Cyber Warrior (DoD needs 3000)
- Auditor
- Additional training in whatever standard you are
auditing against is required
10What Else Should You Know?
- Learn English Grammar, Syntax, Punctuation
- unless for a Foreign company, then substitute the
official language for English - Learn Social Engineering
- How to Listen/Motivate/Evaluate People
- Pick a Technical Specialty or two
- But then become a Generalist
- Be as Technology Agnostic as Possible
- Dont be a Fan boy or girl for any technology
unless you are going into SALES as a Career - Learn PowerPoint and Public Speaking
- Join Toastmasters for the practice and the
connections
11If you want a MGMT career
- Learn some FINANCE stuff
- Start with an Engineering Economics textbook
- You dont need to be an MBA
- Unless you aspire to be a CISO
- Learn some Project MGMT tools
- Microsoft Project is a good one
- Learn how to play Golf
- Learn about Cultures other than yours
12Prior to Post-Graduation
- If you know the job you want, go after it!
- Otherwise, search until you see an appealing job
- If your job hunt is not immediately successful,
consider volunteering at a Charity or Hacker
Space, while you keep looking - Or consider getting a Masters Degree
- Or consider the Armed Forces
- Keep learning new skills practicing old ones
13Your First Job
- Lower rungs of the tech or mgmt ladder
- Unpaid Overtime is Expected
- When offered company training take it
- Expect to make Mistakes
- Learn from them
- Be friendly to the Admin Asst (Boss Secretary)
- Do your Job well before you Volunteer to take on
new jobs unless your boss asks you to take it
14Your First Job (continued)
- Sign up for
- ALL the Health Life Insurance they offer
- Its the cheapest you will ever buy
- 401-K
- at least to get the full company match
- Savings Plans or Company Stock Plan
- as much as you can afford
15Your First Job Attitudes
- Read the HR Policies LIVE Them!!!!
- Acceptable Computer Use Policy
- Information Classification Handling
- Cultural Diversity Policy
- Be Pro-Active in reporting violations of these
policies (however discuss it with the person
first, they may have been ignorant) - HR exists to protect the company first and you
second.
16Your First Job Attitudes
- Identify your internal/external Customers
- Its all about Customer Service
- Your Boss and co-workers
- Companies/Groups you deliver to
- If I received this product, would I be
Happy/Satisfied with it? - Dont date co-workers, customers, or competitors
- Not a hard fast rule, but it makes your life go
smoother.
17How to Present to MGMT
- It will probably be in Powerpoint
- NO Animations
- Only people that like animations are being
trained or they are in SALES - Problem Statement
- Clear, Concise, and Why
- Possible Solutions (the no more than 4 Best)
- Again, Concise, with Pros and Cons, and Cost
- Your Recommendation (Optional)
18First Job After Work Activities
- Have Fun with some caution
- Volunteer Expands your network Social Circle
- Learn a new Skill/Hobby
- Doesnt have to be a work-related skill
- Woodworking, Plumbing, Computer Repair
- Dancing, Golf, Bartending, Foreign Language
- LIVE WITHIN YOUR MEANS!!!!
- Make a Budget and stick to it.
- Save for Retirement
19A Word About Social Networking
- Social or Business Related (Personal)
- Facebook Limit what you post your network
- MySpace see Facebook
- Linked-In Strictly for Business Work-related
stuff - Plaxo Avoid Check out their Privacy policy
- Naymz Avoid Check out their Privacy policy
- Dont friend any boss or co-workers on Facebook
or MySpace (its just a bad idea), Linked-In is
OK. - Keep your Work Life and After-Work Life as far
apart as possible.
20How To Get Promoted
- Do Your Job Very Well (and know the promotion
requirements) - Exceed your Boss Expectations!
- Make Your Boss Look Good
- When they get promoted, they will be looking for
a replacement - Transfer to Another Job
- Repeat 1) 2) above
- If your Boss wont cooperate, go to his Boss
- But make sure you are solid on 1) 2) above as
you may have to do 3) - Live Long Enough
- Sometimes its just a matter of being in the
right place at the right time and knowing the
right people
21First MGMT Job
- When you exceed Technically, you will probably be
promoted to Supervisor This is not a BAD Thing,
although it will take you a while to realize it. - Alternatively, if you are Totally Exceptional
Technically, you may want to quit and hire
yourself out as an Independent Contractor. This
pays VERY, VERY well, but you will be paying the
Full Cost of your Benefits Package including both
sides of Social Security, remember to save money
to pay your Taxes. - 95 of the comic strip Dilbert by Scott Adams is
REAL LIFE! - With Luck, you will be doing 50 MGMT/50 TECH
- But that rarely lasts two or three months, and
then its 90 MGMT/10 TECH - Get over it, thats the way LIFE is!!! Learn all
you can. - Your friendly non-friendly co-workers may be
reporting to you - You have to put some personal distance between
you and them - You will have to evaluate/counsel/mentor/placate/m
otivate them
22Thoughts on Certifications
- Passing a Certification exam says that
- You have the minimum knowledge to be considered
for certification (at the time of the test) OR - You are very good at taking tests.
- CISSP - www.isc2.org
- A mile wide and two inches deep
- SANS www.sans.org
- MGMT TECH Hands On Tech
- CEH various
- See Resource presentation at the end
23Thank You For Your Time!
24Resources
- How to protect your privacy (11 slides)
- IA Certifications should I get one?
- Compare/Contrast CISSP CEH
- Used with permission of the author
25Should We Expect Privacy?
- http//www.theregister.co.uk/2008/10/07/symantec_t
hompson_privacy_bunk/ - Consumers ought to accept that loss of privacy
is the price they pay for using internet service,
according to Symantec chief exec John Thompson. - Echoing Scott McNealy's opinion that "you have no
privacy, get over it," the Symantec boss
expressed surprise that information such as IP
addresses is regarded as sensitive.
26So what do we do now? - 1
- Surf the web with a proxy server
- www.anonymizer.com
- www.torproject.org
- www.the-cloak.com
- www.megaproxy.com/freesurf/
- None of these have been evaluated by me except
analytically
27So what do we do now? - 2
- Use encryption (your email Hard Drive)
- www.truecrypt.org
- www.gnupg.org (Free PGP)
- Turn on/Install scan and update weekly
- Firewall (Windows, ZoneAlarm is better)
- www.zonealarm.com
- Anti-Virus (AVG)
- free.avg.com/download-avg-anti-virus-free-edition
- Anti-Spyware (SpyBot Search Destroy)
- www.safer-networking.org/en/download/
28So what do we do now? - 3
- Setup many email addresses
- Dont use AOL or Hotmail
- GMAIL is OK, but its a target
- Use them for different purposes
- Use a private email address for your close
contacts - Web Browsers
- Turn off scripting or use Firefox with NoScript
29So what do we do now? - 4
- Keep all your software up to date!
- Get Secunias Personal Software Inspector (PSI)
Its Free - http//secunia.com/vulnerability_scanning/personal
/ - Use IT!
- Be Careful Using Bluetooth!
- Google Josh Wright Bluetooth Video
- or www.ihackforsushi.com
30Other Things To Be Careful About
- Internet Kiosks
- WiFi in Hotels, Airports, Coffee Shops
- Never check bank balance or shop online
- ATMs (especially if it keeps your card)
- Shopping online
- Use One Credit Card with a low limit
- Dont use a Debit Card
31What Do I Do?
- All of the above plus
- Separate computers for work, play, risky
- One laptop is disposable and has a plug-in
wireless card that is only used for risky - When installing Windows, I use a fake name and
company - Otherwise I use Linux, which doesnt need it
- I also use LiveCDs and Virtual Machines
32What Else Can You Do?
- Educate yourself
- Learn your Computer, Operating System, and
programs - Read the latest hacking literature at (you might
have to use Firefox instead of IE) - www.defcon.org
- www.toorcon.org
- www.shmoocon.org
- Google Yourself Weekly!
33Risky Work Defined
- WiFi in Hotels, Airports, Coffee Shops
- Unless its work-related, then I use my work
laptop with two-factor authentication and a VPN
encrypted tunnel - Checking the security of a neighbor (with their
permission, of course!)
34Closing Thoughts - 1
- In the 2006 Census, there were 225,633,342 people
in the US whose age was 18 years or older. - You will have your PII exposed
- With luck, you wont lose any money
- A last quote from Symantec chief exec John
Thompson - "Businesses have a responsibility to protect
sensitive data. The public should not expect the
government to protect them."
35Closing Thoughts - 2
- The odds of anyone trying to track you down are
low! - There are trillions of pieces of information
stored in the ISPs and search engines of the
world, so your stuff is not easy to find. - Your non-online Credit Card History is probably
more exciting than your web browsing - However, if you run for political office, become
a political agitator or become very wealthy, all
bets are off!
36Information Assurance ForumHow and Why to be a
CISSP and CEH
DISCLAMER Some of the views and opinions
expressed in this presentation are presenters
alone, and may or may not reflect or align with
organizations policies, and certain sections of
the material should not be viewed as an official
enforcement by any organization or person. This
presentation used with the authors permission.
May 20th, 2010 Gedi Jomantas, CISSP, CEH, CCNA,
CCNP, CCSA, CCSE -gt CBSA, AECDM, MCDMMM
- Outline
- Nothing matters but your resume
- Certifications and different schools of thought
- Not all certifications were created equal
- Certified Information Systems Security
Professional - (CISSP) - Certified Ethical Hacker - (CEH)
- Certification value to you and your company
- Where do you go from here?
37 Nothing matters but your resume
but when your career hits a brick wall.
or
38 Nothing matters but your resume
.when the job winds change the question is.
.... what will your sail look like?
Search CISSP Results Dice.com - 1050
Monster.com - 1000
Search CEH Results Dice.com - 40 Monster.com
- 40
Courtesy Johnklund.com, 123rf.com
39 Certifications and Different Schools of thought
- Experience
- 20 years of government experience in secure
systems engineering, certification and
architecture - BS Business Admin/Mgt BSEE MS CS with a focus
on Secure Systems Engineering - 10 security related patents
- NSA accreditations
- Complimentary, not a replacement!
- Your buddy does, but HR rep may not know you
- So you have the piece of paper, hung it on the
wall - Certification vs. Professional Lifestyle
- vs. Certification?
- CISSP, CEH, CISA, etc.
now what?
40 Not all certifications were created equal.
Orientation
- Management vs. Individual Contributor
- Policy Oriented vs. Technical
- - CISM, CISA, CISSP, CEH, QSA, etc.
Concentration
- Security Domain
- Domain Segment
- Technology Area
- Industry Specific
- Vendor Specific
- Cisco, Microsoft, Nortel, RedHat, Solaris, etc.
- Provider specific
- ISC2, EC-Council, SANS, etc.
- GIAC, CEH, CISSP, etc.
Method
- Boot camp vs. Self study
- Classroom vs. CBT
- On-site, instructor led
41 Certified Information Systems Security
Professional - CISSP
Marketing Alert!
- The Certification That Inspires Utmost
Confidence - If you plan to build a career in information
security one of todays most visible
professions and if you have at least five full
years of experience in information security, then
the CISSP credential should be your next career
goal. - The CISSP was the first credential in the field
of information security, accredited by the ANSI
(American National Standards Institute) to ISO
(International Organization for Standardization)
Standard 170242003. - CISSP certification is not only an objective
measure of excellence, but a globally recognized
standard of achievement.
42 Certified Information Systems Security
Professional - CISSP
- The CISSP Domains Include
- Access Controls
- Telecommunications and Network Security
- Information Security and Risk Management
- Application Security
- Cryptography
- Security Architecture and Design
- Operations Security
- Business Continuity and Disaster Recovery
Planning - Legal, Regulations, Compliance and
Investigations - Physical (Environmental) Security
http//www.isc2.org
- CISSP certification pre-requisites
- Professional experience in two or more of the
CISSP domains - Minimum 5 years of experience in information
security - Complete the Candidate Agreement, attesting to
the truth of his or her assertions - regarding professional experience and legally
commit to adhere to the (ISC)2 Code of Ethics - Successfully answer four questions regarding
criminal history and related background
43 Certified Information Systems Security
Professional - CISSP
- Additional CISSP Concentrations
- Information Systems Security Architecture
Professional (CISSP-ISSAP) - The six domains of the CISSP-ISSAP CBK are
- Access Control Systems and Methodology
- Communications Network Security
- Cryptography
- Security Architecture Analysis
- Technology Related Business Continuity Planning
(BCP) Disaster Recovery Planning (DRP) - Physical Security Considerations
- Information Systems Security Engineering
Professional (CISSP-ISSEP) - The four domains of the CISSP-ISSEP CBK are
- Systems Security Engineering
- Certification and Accreditation (CA)
- Technical Management
- U.S. Government Information Assurance (IA)
Governance (e.g., laws, regulations, policies,
guidelines, standards)
44Certified Information Systems Security
Professional - CISSP
Getting a CISSP Author Kerry Thompson think of
it as a journey ...
- Myth 1 A CISSP certification is easyWell, some
people may think that it is easy. Most people
find it hard work you need to have at least 3
years in IT security before you even apply for
the exam. You need to cover an extremely broad
landscape of IT security - many areas, such as
physical security, few people will have any
experience in. And you'll need to do a fair bit
of reading and studying to get through that exam
250 questions to answer in 6 hours isn't much
fun. - Myth 2 Once you get it, just sit back and
relaxNo. Once you pass the exam you need to earn
CPE credits in order to keep your certification.
If you don't then you'll need to resit the exam
after 3 years to keep the certification. Getting
CPEs is fairly straightforward if you publish
papers, attend seminars, do some presentations,
and basically remain active in the IT security
arena then you should have no problem here. But
it takes a little work this isn't a get-it and
forget-it sort of certification. - Myth 3 You'll get more money/better job/more
recognitionIn actual fact, you probably won't.
I've found (at least here in New Zealand) that
many employers and even employment agencies have
no idea what a CISSP is. They tend to think in
terms of the product-certifications you know,
the Cisco CCNA and Checkpoint CCSE sort of thing.
They have no idea that you need 3 years of
experience to get a CISSP, and they have no idea
that it is an ongoing professional-level
certification like a CPA (Chartered Accountant).
Ergo, you probably won't get a better job or more
money from waving your CISSP certificate around. - So, why would you want a CISSP?
- Its not easy to get, it takes maintenance, and
may not gain you much. Why would you want to go
through all that hassle? Here's some good
reasons - To expand your knowledge in security concepts and
practices. - To show a dedication to the security discipline.
- To meet a growing demand for security
professionals, and to work in a thriving field. - To join a professional organization and to link
up with like-minded individuals
http//windowsecurity.com/whitepapers/Getting-a-CI
SSP.html
45Certified Information Systems Security
Professional - CISSP
46 Certified Ethical Hacker - CEH
47(No Transcript)
48 Certified Ethical Hacker - CEH
49 Certified Ethical Hacker - CEH
- CEH Certification
- The goal of the ethical hacker is to help the
organization take preemptive measures against
malicious attacks by attacking the system
himself all the while staying within legal
limits. - Catch a thief, by thinking like a thief Certified
instructors will take you through practice exams
and real world case studies that prepare you to
become the Security Professional your
organization can depend on. - What is an "Ethical Hacker"? The Ethical Hacker
is an individual who is usually employed with the
organization and who can be trusted to undertake
an attempt to penetrate networks and/or computer
systems using the same methods as a Hacker. - Hacking is a felony in the United States and
most other countries. When it is done by request
and under a contract between an Ethical Hacker
and an organization, it is legal. - The most important point is that an Ethical
Hacker has authorization to probe the target - The CEH Program certifies individuals in the
specific network security discipline of Ethical
Hacking from a vendor-neutral perspective - Skills span across multiple domains social
engineering, in-depth technical expertise,
vulnerability assessment, penetration testing,
principals of forensic analysis, etc. - The CEH certification will fortify the
application knowledge of security officers,
auditors, security professionals, site
administrators, and anyone who is concerned about
the integrity of the network infrastructure. - A CEH is a skilled professional who understands
and knows how to look for the weaknesses and
vulnerabilities in target systems and uses the
same knowledge and tools as a malicious hacker.
50 Certified Ethical Hacker - CEH
- Other CEH related certifications
- Advanced Ethical Hacker
- Certified Penetration Tester (CPT)
- Certified Expert Penetration Tester (CEPT)
- Certified Application Security Specialist (CASS)
- Certified SCADA Security Architect (CSSA)
- Certified Data Recovery Professional (CDRP)
- Certified Reverse Engineering Analyst (CREA)
- Certified Computer Forensics Examiner (CCFE)
- Etc..
51 Certification value to you and your company
- You
- Opportunity
- Continuous Professional growth
- Company
- Market specific training requirements
- Mandatory certifications
52(No Transcript)
53- DOD 8570 provides guidance and procedures for the
training, certification, and management of all
government employees who conduct Information
Assurance functions in assigned duty positions - DOD 8570 requires that anyone who has access to
Information Technology system, must be certified
with one of the external certifications listed.
This includes contractors and vendors by 2010
54 Where do you go from here?
- Assess your career objectives
- Remember, nothing matters but your resume )
- Talk to a CISSP or CEH and decide if it is a
right certification for you - Discuss with your manager if a security
certification is the right fit for you in your
current or future roles - Understand how security certification aligns with
your organizations business goals
55 In conclusion...
Keep in mind
sometimes, certification is nothing more than a
56(No Transcript)