Getting Involved in Network Security
Jeff McJunkin
CCNA, GSEC, GCED, GCFA, GPEN, GCIH
Web Application / Network Penetration Tester
AppSec Consulting, Inc.
Obligatory Disclaimer
• I speak for myself, not for my company.
• My views may or may not bear any relation
whatsoever to the views of my employer
– Or anyone else for that matter.
Outline

• Gain skills
• Use those skills
• Talk to people
About me
This talk is especially relevant for me recently 
• I graduated SOU in 2011
– Computer Security / Information Assurance, emphasis
in digital forensics

• City of Central Point from 2008-2013
– Systems / Network Administrator

• Now working for AppSec Consulting
– This is my first week!
– I’m telecommuting, too
About me
• I’ve won a few security challenges
– SANS Network Security 2011 NetWars
– US Cyber Challenge Northern California, 2012
– 3rd place, NetWars Tournament of Champions, 2012

• I’ve been involved in the Collegiate Cyber
Defense Competition
– Red Team is the fun team, believe me

• I gave a Tech Segment on PaulDotCom Security
Weekly last year, as well
My Coworkers
• Bill Sempf (Black Hat Speaker, OWASP author)
• Josh Brashars (Black Hat Speaker, Author)
• Travis Lee
CISSP, OSCP, OSCE, GPEN, eCPPT, GREM, GCIA, GCIH, GCFA, GSNA, MCSA
Goals of today’s talk
• Meta-advice
– Not about specific skills, but how to gain those
skills

• Follow this advice, and hopefully you’ll be
talking to the right folk
• Follow this advice, and hopefully you’ll be
interesting to the right folk
Outline

• Gain skills 
• Use those skills
• Talk to people
So, what do I do?
• Build a home lab
– www.reddit.com/r/homelab
– BackTrack, Metasploitable, and Windows XP go a
*long* way
– Keep notes! You’ll need these later
An aside on money
• Don’t be afraid to spend some money on this
– You’re all in college, which is already costing you
how much?
– Purpose of a liberal arts education
– Consider VMware Workstation, Microsoft TechNet
(or MSDN:AA)
An aside on SOU…
• SOU can provide the foundation
– *If* you apply yourself

• Job-specific skills are for *you* to obtain
– Most won’t be taught in the classroom

Don’t expect to float through and then get a job!
So, what do I do?
• Blog about your work
– Seriously, no research is too small
– WordPress.com is free, grab your name and go
• By the way, you should all own “yourfullname.com”

• Hang out on IRC channels
– You’ll see what folk are actually up to, including
some big names
– #pauldotcom, #metasploit, #backtrack-linux, for
starters
So, what do I do?
• Learn a solid foundation first
– Systems experience (Windows and Linux at a minimum)
• Administration
• Forensics
• Defense
• Attack

– Networking experience (Priscilla Oppenheimer will be here next
week!)
• Network forensics

– Programming
• Pick one of {Perl, Python, Ruby}
• Pick one of {Bash, PowerShell}
• Optionally, pick one of {C, C++, Assembly}
• Learning Windows Command Prompt (cmd.exe) is helpful as well!
So, what do I do?
• Specializations are complicated. Learn the foundation first.
• Examples:
– Attack or Defense
• Wireless
– 802.11{a,b,g,n}
– Bluetooth

• Web
– Microsoft stack (ASP, ASP.NET, etc.)
– Linux stack (LAMP, jQuery, etc.)

• Application
– .NET
– Java

• Systems
– Windows
– Linux
– Mac
So, what do I do?
• Listen to security-oriented podcasts
– PaulDotCom
– Exotic Liability (NSFW language, great content)
So, what do I do?
• Read blog posts from smart folk
– I’d recommend Google Reader, but Google recently said
they’re going to take it offline
– Feedly is quite popular recently

• To start you off… (Google these to find the sites)
– IronGeek’s Security Site
– Krebs on Security
– Metasploit Blog
– PaulDotCom
– TaoSecurity

• Email me for more if you’re interested
– apparently I now have 305 RSS feeds
Outline

• Gain skills
• Use those skills 
• Talk to people
Use those skills
• Consider security challenges
– In-person:
• Collegiate Cyber Defense Competition (talk with Daniel
and Lynn, then sign up as a school for next year)
• United States Cyber Challenge
• NetWars (paid)

– Online:
• DC3
• pen-testing.sans.org (search for Holiday Challenge)
• forensicscontest.com (Network Forensics)
Use those skills
• Blogging helps here, too!
– Play with a new tool, then write a quick blog post about it
– 500 words and an hour of documenting
– Post it to reddit.com/r/netsec and ask for feedback
• Be prepared to get it

• Find a problem with another person’s research?
– Write up a nice blog post, post it, email the person

• Find a problem with another person’s tool?
– This is where coding helps!
• Sign up for GitHub, pull their code down, fix it, send a pull request
• Those of you in Daniel’s classes will know Git, right?
Building the habit
• Building the habit is more important than the
actual work at first
– Spend 10 minutes every morning reading a few
blogs and try one command in BackTrack
– After a month or so, consider putting a bit more
time in
Outline

• Gain skills
• Use those skills
• Talk to people 
Talking to the right folk
• Half the challenge is just showing up
• Just ask!
1. Find folk in the valley doing interesting stuff
2. Ask to help them for free
3. …Profit? Learn!

• Carl, Jesse, and Lana are great examples!
Talking to the right folk
• Southern Oregon Geek Group (sog.gy)
– Attend a monthly dinner (first Thursday of the
month, 6:30pm at Four Daughters in Medford)

• Standing Stone Thursdays
– But shhh, it’s a secret
– 5ish to 6:30ish

• Ask your professors about industry contacts
and internships!
Conclusion
• Looking to get into network security?
– Good news, everyone!
– Unemployment in this field is hovering around 0%

• Don’t get into it for the money
– Be prepared to work hard
– Keep up-to-date
• Latest threats, attacks, defenses
Questions?
• Email me at jeff.mcjunkin@gmail.com
– Want a lesson plan? I just made one for a few of
your fellow students…

• Care to chat later? Let me know, I’m always up
for coffee!
