How to Become an InfoSec Professional with Limited Resources – SCW #32

Jeff Man, Matt Alderman, Scott Lyons, and Josh Marpet discuss becoming an InfoSec Professional.

Recorded 6.16.20

STATS: Jeff 39% | Scott 17% | Josh 22% | Matt 19%

PCI Counter:

SPONSOR 0:01
RSA offers business-driven security solutions that provide organizations with a unified approach to managing digital risk that hinges on integrated visibility, automated insights and coordinated actions. RSA solutions are designed to effectively detect and respond to advanced attacks, manage user access, control and reduce business risk, fraud and cybercrime. RSA protects millions of users around the world and helps more than 90% of the Fortune 500 companies thrive and continuously adapt to transformational change. For more information visit securityweekly.com/RSAsecurity.

Jeff Man 0:35
Welcome back to Security and Compliance Weekly, we are talking about what it means to be an infosec professional. And we’re struggling with what it is before what it means to be one. We’re going to continue that conversation in the second segment, and hopefully try to tie in a little bit about how to break into this field. And we’ve got more to talk about than we have time for.

Let me get some announcements out of the way and we’ll jump back into the discussion. Join our Security Weekly mailing list and receive your invitation to our community on the Discord server, which is blowing up today on our segment. You can get there by going to securityweekly.com/subscribe, click the button join the list. Also, if you want to learn how to prevent account takeover attacks, our next June webcast is with Google Cloud. Also, in our first July webcast, you will learn how to stitch and enrich flow data for security with Viavi Solutions. You can register for our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts or visit securityweekly.com/ondemand to view our previously recorded webcasts.

Okay. So, to summarize, I think what I’ve been hearing in our first segment, it sounds like there’s the opportunity for making a distinction between the profession or the field, the science, if you will, of information security or infosec. And that might be somewhat different than a particular skill set, job description, job title, that that is infosec professional, we seem we seem to have been bouncing around that. I think the shorter answer is if you think you’re an infosec professional, based on whatever your job description is, you are, at least in your own mind. We can keep up, we can keep on with that discussion. But we also want to try to weave in how do you get into this field? How do you become whatever it is we’re trying to define, which I think touches a little bit on, you know, the whole debate on whether you get there through education, through a degree, through certification of some sort, or some sort of specialized training, or the way I got there was simply by experience. All are valid or invalid. Let’s see where we go. So jump in, guys.

Josh Marpet 3:17
So I’m going to throw my mitt in the ring. I think that all of the routes you mentioned, which was education, school, in other words, certification, whatever, they all bow before experience. And the reason I say that is that certification or schooling, education, degree, whatever, they give you more knowledge, but they don’t teach you what to do with the knowledge, on the whole. Whereas experience, not necessarily professional experience where somebody is paying you. I consider somebody who is running Kali on a box at home and building a VM system on another box and then using Kali to attack them, I consider that experience. Don’t get me wrong, it may not be the same caliber as being paid to do a pen test. But it’s actually hands-on learning how to do things. I consider that to be experience. Does that make sense?

Jeff Man 4:04
It makes sense. And since I’m the most experienced person here, I believe, let me throw this out for you. I agree with what you’re saying. And me the experienced infosec professional, that I was or am is very concerned that while I think it’s valid that so much of information is transmitted over technology today. And so that’s obviously an integral part of the discussion and of the field. It hasn’t always been that way. And and where I will fall on my sword, metaphorically, is the principles of information security that I learned in another media, let’s say years ago, I think hold true today and transcend whatever the technology is. So I think it’s important and I and therefore I think it’s possible to not be hands-on technical To some degree, and understand the principles and the concepts, the science, if you will, of information security, and be an infosec professional and not necessarily have gone the route that is sort of the underpinnings of most of our opinions and conversations about being on the tech side, hands-on. Now, having said that, I think it’s, you know, from an experience perspective, having hands-on and having the understanding of it from a technical aspect certainly is advantageous and better off. I mean, I think I was better as a as an assessor in the compliance world because I had so much of experience hands-on prior to joining it. So I agree with you that I think experience is key. And I’ll shut up and let you guys talk. Don’t worry,

Matt Alderman 5:57
you know, because there are, there are disciplines within what I would consider this infosec profession that aren’t technical or don’t need technical skill sets. Third-party vendor risk management, you don’t really have to be super technical to be able to facilitate that kind of program. You have physical security, right? You may not be dealing with technical. Yeah, there might be cameras and stuff. But there are a lot of disciplines within this, the spectrum of infosec professional, that don’t require technical skill sets, Jeff, right. Now, a lot of us came out of the technical side. I came through engineering programs from a technical perspective, which is where I got to where I am today, but a lot of those technical skill sets are gone. You guys do not want me doing a penetration test. Cuz I, I would fail.

Scott Lyons 6:50
That would be fun. Come on, Matt. You’ve got the technical skill, buddy. You know what you’re doing?

Matt Alderman 6:57
Long time ago, long time ago. So I think experience does play in here for sure, Jeff. Because having that experience in these different roles, it gives you the ability to do it. So I struggle a little bit with this balance of do I need to come from a technical discipline to be a good infosec professional? No, I don’t think you do. Do you need experience? Definitely. Because look, when I was going through my engineering programs, I was an electrical engineer. So I knew how to put circuits together, the foundation of building a computer. I didn’t know how to secure it. Then I went to computer engineering, and I learned the software side and had to build software and realized I didn’t want to be a programmer. But without that experience, the experience I had in the nuclear power plants and putting systems together and then eventually coming into the infosec space, I wouldn’t have been a good infosec professional. That experience I think is probably more important than necessarily some of the technical education.

Jeff Man 8:02
You gave me a thought. When you’re talking, Matt, when when you and I were coming up in school, in college, I mean, we’re within a decade or so of age, I think the idea of getting into computers and technology, I think we all had the impression that back then getting into computers meant the job was computer programming. And, you know, accurate or inaccurate, that was the perception that a lot of people had: if you want to get into computers, you got to be a programmer. And we, looking back on it, obviously, there was a lot more, you know, career tracks you could take that fit into that category. I wonder if we’re not sort of doing the same thing today where the perception is, if you want to be in the infosec field, you have to be at this. And there’s obviously more to it than just this. And this, I think, just to throw it out there, is to be a hacker, red teamer or a pen tester. That’s that’s the perception today, which was similar to the perception we had 20, 30 years ago that to be in computers meant to be, ever, you have to be a programmer.

Matt Alderman 9:17
Exactly right. Yeah. When I went into my master’s program in 1994, I went into computer engineering, and my focus was programming and databases. That that’s what you did. And that was a skill set you have, and we kind of do the same thing. We were talking at the break. We track 55 different categories around security at Security Weekly. Paul and I have done a segment on this on Business Security Weekly. All of our content is tagged. That’s a, and I don’t even think we captured them all. But we wanted a way to be able to say look, we’re going to talk about endpoint security, application security. We’re going to talk vulnerability management, threat hunting, threat intelligence. We have 55 of those kind of categories laid out for our content. That just tells you the different types of responsibilities that fall in this umbrella of infosec. And we have compliance in there. We have privacy in there, we have some risk management in there. Right. So, you know, we’ve taken a pretty broad swath of what we think infosec is. I’m sure we’re missing some, but that’s 55. That’s potentially 55 different jobs or responsibilities to have. It’s not just a hacker, to your point, Jeff.

Jeff Man 10:39
Well, in and I said this on the Discord server. And for those that aren’t there, I want to say it here. I get asked very often questions along the lines of who I wanted to get it. I want to get into this field, I want to be a pen tester, I want to be a hacker, I want to be a red teamer. I want to get into infosec, what do I need to do to get there? And I try to back people up a little bit and say, you know, look, this is a broad field, you know, there’s that we’re struggling to define it. But we can all agree it’s a broad field. And there’s lots of different disciplines within it. I try to encourage people, especially younger people that are, like, you know, looking for an internship or they’re working a job and they don’t like what they’re doing, they want to make the jump over somewhere. I try to tell them, you know, as much as possible, in however way you can finagle it, hack it, try to get, try to expose yourself to as much as you can, all the different facets and aspects of this industry. And for three purposes: one, to find out what you like doing; two, to find out what you, you know, are good at doing; or three, is related to, to find out what you think you’re capable of being good at. And, and, and focus on that, because I think ultimately, you’ll have more job satisfaction if you’re doing something that you’re good at and you like doing. And that may be a pen tester, that may be a red teamer, that may be an admin, that may be a developer, that may be an auditor, there may be a compliance purpose person, it may be a support person, it could make maybe a data scientist. I mean, there’s so many things.
Yeah, but I you know, because we as an industry, we we put a certain aspect or certain skill set on a pedestal, whether deliberately or inadvertently, everybody wants to be that, and in reality is not everybody can be that not everybody is going to be good at being that not everybody needs to be that because there’s plenty of other disciplines within this field that are equally as important. In fact, maybe even more important, but but you know, we don’t get the glory we don’t get the we don’t get the held up on a pedestal, we don’t get all the speaking slots and Keynote positions, because we’re not telling the coolest fun stories.

Matt Alderman 13:09
But yeah, the cool fun stories of me crawling under a datacenter, pulling fiber, and then sitting there terminating and polishing the ends, I mean, that’s how I started. That’s not the greatest stories in the world, but you took that experience, you applied it elsewhere, and you move through there. I think there’s a lot of great ways to come into our profession again, because it’s so broad. You don’t necessarily have to have an engineering degree, you could come out of the business side because compliance and risk management and having some of those principles apply there. So you know, even from a marketing or communication perspective, maybe I’m really good at social engineering, you never know. There’s lots of ways in, you just have to kind of figure out based on your strength of skills where some of those potential jobs are. You will learn more, you will expand, and then you can move into different disciplines. That’s how I did it. I started on the network side.

Jeff Man 14:07
Josh, Scott, disagree with this, is we’re coming at it from the other side.

Matt Alderman 14:15
Josh is muted. Oh, too busy on Discord.

Josh Marpet 14:20
Oh, shit. Okay. My apologies.

Jeff Man 14:23
No, what are we haven’t been responding to.

Josh Marpet 14:28
So the topic of this segment was how to get in on the cheap and how to do this inexpensively to get into the field. And I mentioned, you know, put Kali on a box, learn how to do a pen test or, you know, read a compliance standard and learn what that means and understand the controls. You talked about polishing fiber. Not that fiber is that cheap, but you get the idea. There’s a lot of ways to get in, but to do it on the inexpensive side. You don’t have to spend $100,000 on a college education. You don’t have to spend, you know, five, how much is it for the CISSP exam, 650 bucks or something like that?

Matt Alderman 15:02
I took it in 2000. No, I have no idea how much it converts. All I know is it cost me 85 bucks a year to renew that sucker.

Josh Marpet 15:11
But the point is, is that you don’t have to spend thousands and thousands and thousands of dollars to learn the pieces of information, the techniques, the ideas that you need to learn to become part of the field. You can learn forensic accounting, or sorry, you can learn digital forensics, using Linux with Sleuth Kit, Autopsy, and get the idea, and FTK Imager, and get the ideas down for all, entirely for free, as long as you’ve got a laptop. You can learn, good Lord, pentesting with VirtualBox and Kali, which is again free, and pentane, which is also free.

Matt Alderman 15:44
Packet capture with Wireshark, right, and started to go through network packets.

Josh Marpet 15:49
Yeah.

Scott Lyons 15:51
Years and years ago, I was integral in writing a book called The Lab Manual Version Two and I wrote the forensics piece to it, right. So everything soup to nuts that you ever wanted to know about doing a VM and learning forensics, right? There are books that are out there that can teach you these skills, but you really have to soak up and have a passion for trying to figure out the problem, like be a problem-driven individual, right? Don’t just look at something and say, well, it’s, yeah, I said that. Don’t just look at something and say, well, it is what it is, I’m going to take it at face value, it’s easy to deal with, right? Understand the underlying issues and how they all roll up into the enterprise. If you’re going to become an infosec professional, right? It all comes down to securing the business. How are you going to do it? What tools, techniques and tradecraft are you going to do it with? And then how are you going to interact with other people? You know, in the Discord, we we’ve been going back and forth on a rockstar status, right, versus DFIO. Right, Aaron Lin, thank you. Versus, you know, how do you go about doing this, right? Over in the YouTube channel we have somebody that’s saying, well, I have a degree, but, you know, I’m looking for an internship, right? My degree is not in infosec. So how do I get into it? Right? Where do you begin? Right? I guess that’s a point that we can actually make here is where do you begin to become an infosec professional.

Jeff Man 17:20
But but but people of a certain age, none of us have infosec degrees, because they didn’t exist.

Scott Lyons 17:26
I’ve met I’ve met people. I’ve met people that are older than you that say that they’ve been in infosec for 40 years. And I’m like, wait, what?

Josh Marpet 17:33
It’s entirely possible. You couldn’t be in infosec for the last 100 years?

Scott Lyons 17:38
Yeah, you could it depends on the definition.

Jeff Man 17:41
I claim 40 years.

Josh Marpet 17:44
No, no, no. Jeff, Jeff, he dropped a zero. Sorry.

Scott Lyons 17:49
Oh, geez. You know, part of the discord chat has been based around, would you call social engineering a step of infosec? Yes, right.

Matt Alderman 18:01
That is one of my categories, yes.

Scott Lyons 18:03
You could also make the argument that it isn’t right?

Josh Marpet 18:07
Your use of the term infosec, it is information security. You can use social engineering to garner information from a secure environment, to, you obviously pass that secure perimeter, if you will. And therefore you are breaking information security, you are then an information security professional. Why do you want to use computer security...

Scott Lyons 18:27
Hold on... time out there. A lot of this was not codified until information security started looking at it, right. Before it was social engineering, it was known as manipulation. Right? How do you get somebody to do something that they shouldn’t be doing? Like handing over their credit card data? Or handing over bank information? Right, hello, I am from Microsoft. I am calling you because we have gotten a report about a virus on your computer. How many of us have gotten those damn calls? Right? It’s social, it’s, it’s manipulation, right?

Josh Marpet 18:32
And Scott, how many of us get funny voice that we used just to answer them?

Scott Lyons 19:06
Oh God, I loved, I love taking time out of those people. I can’t...

Josh Marpet 19:11
Can you tell me how to turn my computer on?

Scott Lyons 19:15
I can’t I love that. I love those. Yeah, I don’t even care. Like who it is. You know if I don’t know you you’re getting the voice.

Josh Marpet 19:26
So okay, so to get into infosec in some form or fashion, on the cheap, on the easy, not easy but the inexpensive fashion. There’s, it depends on what you want to do. If you want to do digital forensics, there are Linux-based tools that are free that are absolutely up to par with everything you can find that will teach you the concept of digital forensics. I think that’s the important piece, not digital forensics, sorry. But while there are commercial products that cost thousands and thousands and thousands, even millions or hundreds of thousands of dollars to buy, there are probably some Linux-based tools, open source equivalent, whatever, that will at least teach you the concepts you need to understand. Okay, you want to learn about security incident and event management systems, SIEM systems, there are free SIEMs out there that you can use to learn that will teach you how to use Splunk effectively. Okay, you may not know, oh, watch button in Splunk does this, but the concepts that you’ve got down will stand you for good in that employment. Okay.

Matt Alderman 20:27
Almost every webcast we do, Josh, Paul and I talk about the free and open source tools available. There are a ton of them out there across all these different disciplines that are great ways to learn basic capabilities. Now, they may not solve your enterprise security problem in a large organization, which is why commercial tools exist. But there’s a ton. I mean, there’s free vulnerability scanners out there, there’s free SIEMs, there’s a ton of stuff on the application side that’s been open sourced and put out there. I mean, there’s a ton of these tools,

Josh Marpet 21:01
monstrous amounts. Security Onion, there’s Arachni, there’s OpenVAS, there’s, I like, there’s just ridiculous numbers of tools. You’re absolutely correct. And and Matt, thank you. That’s it. That’s great that you guys do that. If you’re looking to break into infosec, or break into another branch of infosec, if you will, find the tools that will allow you to learn the concepts, the ideas, the workflow, the methodologies. Learn the tools, and more importantly, learn the concepts behind the tools, and then go say, hey, I’d like an entry level job as a Splunk operator, whatever, and get the job, use the concepts you’ve learned, they’ll stand you in good stead. And then you’ll advance in that, in that field, in that branch of the field, I should say.

Jeff Man 21:40
Josh, what if, what if you want to just break on through to the other side?

Josh Marpet 21:47
That takes mushrooms?

Jeff Man 21:49
Gotcha. Okay, good, Scott. So

Scott Lyons 21:51
What you’re doing, you’re in the role, if you’re junior in the role, and you see something inside of the business that, you know, you read about in a book, like a vulnerability assessment program, right? If you’re junior in that role, see if there’s some budget where you can go out and get tools to help stand up that program. Right. So taking vulnerability assessment, on Paul’s Security Weekly last week we were talking about PlexTrac, right? PlexTrac is a great tool that makes it really simple not only to manage your vulnerabilities, but also to get a report out that senior level execs can read. Right? So how do you take what you are learning and then apply it in the business setting to enhance not only the business, but your job role as well, and hit your metrics all at the same time? Make sense?

Matt Alderman 22:38
Sure. Makes sense.

Jeff Man 22:40
Yes. Yes, makes sense.

Matt Alderman 22:41
There’s lots of places to go to get that.

Scott Lyons 22:44
We have to add to all that stuff. That’s a great segment. Yeah.

Josh Marpet 22:49
So you know, we’ve got it’s interesting, we’ve talked about several things and taking this in different angles. But I think that we can all agree that information security has a lot of different branches off the tree. And to get into any of those branches requires no more than simple determination to learn, and a willingness to spend the time to do it. You might have how far you advance on that branch depends on a few things, your mindset, maybe a little talent, a little bit of how you think and why you think that way, and maybe how OCD you are, depending on certain branches of the field. But the idea is you can anybody can break into infosec, if they want to, and are driven to do so in some form or fashion. And then the idea of being an infosec professional, I think really breaks down to that if you’re willing to do it, if you’re if you have that drive, if you have that, that that will to work. And that will to do the work to do the to put the effort in. Bravo, I want you in my field, and I’m proud to call you a professional and a brother and a sister or whatever. That’s lovely.

Scott Lyons 23:58
And Josh, let me break in here. Johnny, do you have that graphic up and ready to go? There we go. So this was brought up in the Discord and it’s digress. It’s a diagram of the cyber security domains, right, from security operations to architecture to threat intel, user education, governance, risk assessment and physical security. And also the frameworks and career development. Like, this is a really good breakdown of which parts go where in what part of the domain of the security domain. Now I know that’s a little convoluted in saying, because it feels, it feels like a mouthful of rocks, right? But there are so many areas that can be applied to information security that one doesn’t have to stay stagnant in what their role is. Right? There’s a lot to learn about. And you look at something like this and you say, well, you know, now I understand why there’s a quote-unquote skills gap inside of security, because there’s just so much going on.

Matt Alderman 25:01
Yes, there is

Josh Marpet 25:02
Oh, that’s awesome. We’re

Matt Alderman 25:04
This makes my 55 categories look simple.

Jeff Man 25:08
Yeah, I have used this graphic in a couple of my talks. And there’s a similar one that I use that is more detailed in terms of categorization, even more detailed than this. I think, you know, our time is running short. I want to throw out a parting thought. And I get to because I’m the host. I think it’s also fair to sort of flip things around and say no, you don’t have to be an infosec professional, you don’t have to be or this or that. I think in today’s organizations, and again, this is my old-timer, before-the-computer infosec person speaking largely, but you know, it’s okay to do whatever it is you do within your organization. Find something you like doing, find something you’re good at, do that. But infosec is part of everything. I mean, it’s the magic, wiffle dust, it just, or glitter, if you’ve got kids, that goes everywhere and just sticks everywhere. So no matter what you do, there’s a portion of it that is interested in infosec. And everything you do, infosec is interested in it, as it were. I mean, it all works together. So hopefully you’ve gotten some tidbits out of this. You know, we’ve enjoyed the conversation clearly. I don’t think anybody is ready to wring anybody else’s neck. Certainly have enjoyed the chat on Discord and there’s no reason why that has to stop. So that’s going to wrap us for this week. We’re off next week. We’ll be back again in two weeks, broadcasting live. So until then, thank you for listening and watching and we look forward to seeing you on the Discord server. That’s it for us.
