 Breakin’ into Security: Some InfoSec career tips

 How we can both get more out of your next job interview

adric DC404, Sept 2016

PDF of slides over here: http://dfirfiles.net/myslides/breakin_dc404_2016.pdf

 about:
disclaimers of warranty, introspection
 Disclaimers, background
I am not:
● a Manager
● recruiting or hiring today
● I have interviewed hundreds for sec/tech jobs these last few years.
○ No need to raise your hands.
● Most interviews are painful experiences for all.
○ Yes, even the phone screens.
○ Ask my cube mates.
● Less than 5% of those people were hired by us.
○ That sucks.
I'm also not a
● licensed counselor
● therapist
● lawyer
● or LE *cough*

 self.inspect
● I'm on my third full time security job, now a Lead Security Engineer with a big firm.
● I’m a sysadmin, incident responder, and intrusion analyst
● and I teach for SANS part-time as a Community Instructor
● BBST, CISSP, GCFA, GCIA, GCIH, GMON, GNFA, GSEC, LPIC-1, ITILF ...
● Find me around as @dfirnotes on Twitter, GitHub or http://adric.net
 factoids

some axioms to start us off
 Are there jobs? Absolutely, but:
● Not many "entry level" infosec jobs.
○ All require some skills and experience.
○ often IT or programming skills
■ but not always: Audit, Intel, SocialEng, LE, law ...
● Josh More: You can go for an existing job
○ or make one for yourself (Job Reconn book).
● Job, Profession, Career, Affliction, Hobby?
○ What do you have, where are you, and where are you going?
 “Words, they mean stuff”
● Information Security:
○ Keeping DAD away from the CIA
■ from your GSEC or CISSP books
○ Red team vs Blue team, or NSM
○ GigOps, CNA, CND, CNE for the milspec nerds
● Cyber?
○ Why we've barely met!
○ Srsly be careful with this word #{self.drink!}
● Hackers, Crackers, skidiots, Journalists
○ Powerful words have meaning in context
■ social context, technical context, cultural, professional ...
■ cf: connotation vs. denotation

 Requirements
get these things to win
 Don't bother HR if you don't have these things solid:
● Communicate well
○ cover mail
○ on phone
○ in person!
● Be awesome at what you currently do
○ (whatever it is)
● Resume / CV with no lies in it
● Portfolio of sample work, achievements
“Words, they mean stuff”
- some awesome guy
● Not lying.
“Whenever ... be awesome instead.” - Barney in HIMYM

 Questions
you should be ready for
 Questions to prepare for
Not the questions we necessarily ask,
"Spoilers, sweetie, spoilers."
-River in Dr Who
but the ones we want answered...
● Why Security?
● Why #{field} #{position}?
● Why you?
● Why us?
● require Manager:: Questions
 Why Security?
● "I saw an episode of CSI / a John Travolta movie ..."
● You want to be a Hacker ...
● "Step Three : Profit !111!!!!"
● You already do or "get" (a bit of ) the security mindset.
● Have a reason and be able to articulate it!
 Why this field, position?
● “I've dreamed of being an Android tablet forensicator since before I could chew solid food!”
● "I reverse ARM and PPC malware samples on the bus on my way to Jack in the Box every day."
● "I scan web apps for injection vulnerabilities whenever my mind wanders at daycare."
● “I social engineered your mom and you didn’t notice.”
● "After ten years in IT doing security-related work and assisting in incidents I want to be a full time incident responder."
○ nb: this is crazy
● Have a reason and be able to discuss it!
 Why you?
● How are you awesome?
○ portfolio, CV, bio
○ accomplishments, anecdotes, awards
● How will you be excellent at #{position} ?
○ Skills, knowledge, charming personality
○ Whatever you have and can support
● How will you help the organization?
○ You did research the org, right?
○ Make them money, advance their mission
○ Or save their butts,
○ if you can sell it
Recommendations section is coming right up...
 Why us?
● Know your real reasons
○ "My spouse works in this building"
○ "Stock price is certain to rise"
○ $$$ & benefits, like insurance ...
○ "I saw a post on a hacker mailing list."
■ nb: this is crazy
● Alignment with organization, team:
○ You did research the org, right?
○ Why do you want to join us?
 Your resume is fair game.
And no lying!
● We're going to ask about things on your resume, CV, and portfolio.
● Really. I'm not kidding.
○ I wish I didn’t have to include this.
● Don't be surprised by this
○ and don't lie.
● Thrice told and done: Do Not Lie.
 Manager Questions
Be ready for:
● Why are you looking for work?
● Money / location / benefits
● team fit, development potential
○ work and communication style
○ independent or collaborator
● budgets and other secret stuff

 Recommendations
things to do that will help
 My recommendations
Help your skills and career :
● Read
● Participate
● Write
● Ask
● Know
 Read
Read security news
Follow this up with books, papers, online resources and independent research!
Read job listings for your field(s) plus a few more, and read resumes/CVs.
 Join in, Help out
Join some groups and post usefully**
Go to some meetings
Volunteer to help with events or support
Compete in challenges, hack-a-thons, and CTFs
Present (nb: crazy)
** eg: “Search, then ask SE” From: http://catb.org/~esr/faqs/smart-questions.html
 Hack and Publish
Hack something!
Write online about what interests you
Share your code and results
Even private blog, gist posts are good practice
 Know
Know yourself
Know what you want ...
And what you do not want
 Not Required though perhaps helpful: You don't have to have:
● any particular certifications
beyond the job requirements
● college, much less grad school (ibid)
apply anyway (politely) (nb: crazy)
Or be:
● working in Information Security already
● be a hacker, or "leet", or have any kind of hat
● or have any kind, colour, style of hat
 Wrap up
 Resources and Links

Josh More's Job Reconn book: https://www.eyrasecurity.com/portfolio-items/job-reconnaissance/

hacks4pancakes on Starting InfoSec Careers: 
https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/

Brian Krebs interview series: 
http://krebsonsecurity.com/category/how-to-break-into-security/

Daniel Miessler on Starting InfoSec Careers: 
https://danielmiessler.com/blog/build-successful-infosec-career/

this Breakin’ presentation: http://f.adric.net/index.cgi/wiki?name=Breakin