
can you guys hear me now I can hear perfect over yeah awesome plan I'm ready to go whenever you hungry yeah I guess your are your parents lost you know they were gonna come to be sighs last year before he got sick uh yeah I think my my father-in-law's into in a discord chat it's been we've been talking trash to one another all day yeah I must definitely encourage you to come make fun of me in the discord chatter no even afterwards we have dinner afterwards so awesome alright well we are too late so I will uh I'll turn it over to you so thanks for coming and stepping in and stuff it up and presenting today to wrap
up track 1 Sarah yeah sure thank you guys for having me thanks for you awesome so so I gave this talk in I think earlier this year or want to say maybe January at BSides Tampa so I it's if you were there then I'm sorry there's there's not much difference but I just really wanted to I I thought that this would be pretty great for the Greenville community simply cause a lot of pen testing and stuff there isn't a strong presence of it here in Charleston there's there's a car in South Carolina excuse me there's a huge presence you know in a lot of the major areas like Atlanta in San Francisco and Seattle and that sort of thing but what
I see a lot of in South Carolina is a lot of IT a lot of network stuff auditing and compliance and a lot of blue team stuff so so essentially this talk is about my path over the last 12 years from you know just getting started to where I'm at now and kind of going into it the the the first thing I kind of want to start off with was I you know who who likes these type of drives right so like if you're going on a road trip or something and you just got you know this open highway you've got like no traffic here you got no cars on the road right like music is music is
blaring will pretend that it's it's summer instead of in this picture it looks like it's in the fall so your windows are rolled down and you know it's just like a scenic route right there's you've got a lot to kind of take a look at but most of the time my drives across the country are not like this a lot of times it feels like it's like this right you know just a lot of twists and turns terrible if you have a stick shift you know it's not the as you look it's not the most efficient way from you know the top of the top of the hill to the bottom so going from right to left
and then there's really no way to speed because you're at the mercy of the landscape and then you're if there is traffic on this road you are in for a super long day so living at least me moving to Greenville and living in you know the Greenville area like Woodruff Road just is bananas to me and I lived in DC Maryland and Seattle and Woodruff Road although not as bad as them is still pretty bad but you know showing these two pictures showing these two things core you know these two pictures can be correlated to your career as well so regardless of if you're in infosec now or you're wanting to get into it or
you're kind of just you know sticking your feet in the in the water so to speak and trying to learn about it you can typically relate to one of those pitchers in regards to your own career and for me like I said earlier I most definitely relate to the second one my career has been everything but ordinary it seems like I did everything backwards than what is typically you know the typical career path and you know it's just been a lot of twists and turns uncertainty and then again often at the mercy of the environment that ever were Kennan so although I've been doing in some way shape or form involved in security for 12 years now I feel like I
have barely scratched the surface and I think the panel talked before he kind of most definitely covered it you know impostor syndrome is real and every day I'm constantly learning something or I'm challenging what I have learned which makes me feel like oh man I thought I had a good grip on this and I most definitely don't so this talk again is kind of what I wanted to do I wanted to share my story so so this talk is called offense from defense and then my rocky path to the dark side dark side being offensive security so a little bit about me I'm currently an application security consultant of the museum I recently left the Army National Guard so was on active
duty the reserves and the National Guard I kind of ended my career kind of abruptly and if you want to know more you can hit me up on Discord or Twitter we can you can most definitely talk about it but I was a cyber warfare officer within the South Carolina National Guard and I'm currently a technical 4-node carolina's which used to be notice see I'm kind of expanded to the North Carolina community as well but most definitely a code monkey I normally am working in Python or Go but I've been recently learning Kotlin and you know trying to brush up on JavaScript and Java and my day to day job originally graduated College of Charleston 2016 I'd
like to build Legos so like I'm a huge child and I just recently had a newborn so my wife is constantly saying I have you not to take care of two children and pursue her the perfect fashion I have you know I know it's a simple recipe but it's so hard to nail it down and get it right I haven't been able to do it yet and you having a webcam right now so you know I decided to put a picture of me as Clyde the cougar which is College of Charleston's mascot so this is a picture of me when Clyde as a mascot got his ring on ring night um so when I first started doing this
talk I was like man I have done a lot of stuff and it's like all over the place so how can I categorize it and for me I kind of when I laid it all out and kind of break it down it seemed like college was me going to college in my college experience was a huge you know turning point as you'll see in the next slides in regards to my career so a quick caveat this this kind of talk isn't most definitely a pitch to go to college or a pitch to you know get certifications or a pitch to do any of that this is most definitely just a snapshot of me and this is kind of like the easiest way
that I could break it down you know to make it easy to understand easy to digest so so essentially my path pre-college you know if you were going to you know do a 30,000 foot level snapshot like this is essentially it I was born and then obviously and then shortly thereafter I started I always had a knack for technology growing up even as a child my parents loved to tell this story whether I cannot confirm if this true or not but I as a as a toddler reprogrammed the VCR so the time was right on the VCR which if showing my age a little bit even though I was a toddler like that was that was a skill that
eluded everyone you know like the time he was just always 12 and blinking but I had my um with this and you might see ITA eh right and this is kind of like me trying to be funny but I T as a hacker right so I always knew that I wanted to go I wanted to be a hacker I wanted to be like the cool guys in the movies I could do all the things like I'm in with the sunglasses but it was a long road to even get there and so I'm originally from Charleston in South Carolina and growing up was kind of born into into poverty like we we weren't my family like we're homeless
but we also weren't pretty well-off so we're this hacker this holiday came to be is how can I do things or get things that typically cost money but I don't have money so so how do I get around that right so essentially how do i bypass these access controls or these safeguards in place to prevent me from doing things that I probably shouldn't be doing right and that's kind of where my experience kind of came from so to speak not breaking laws nothing illegal nothing nothing crazy you know but just having that tinkering that how do i how do I get somewhere how do I do something kind of mentality you know fast forward a little bit I enlist I enlisted in the
army at 17 became a human resource specialist actually but I showed you know through my tech background I mean I had my first computer was a Compaq Presario my father bought me when I was like 12 and I like the first thing I did was just tear down this tower and then I remember my father walking back in and losing his mind because there were just pieces all over the place I and then I had to figure out like okay I took it apart
like how do I get back together like that's not so easy um but you know kind of taking that snapshot and moving forward I showed a lot of skill and interest in IT started taking some you know my platoon sergeant my military leaders are always like the Army's hang up for free college if you're not taking advantage of it you're you're just a so you know I was like I just graduate I school like I don't wanna go back to school and then my leaders were like stop being stupid like go get this free money and use it so I started taking classes and then kind of brought that into my own army my own army career so
when so when I was in South Korea I became a sysadmin at 18 for six different groups that was spread across five different areas across the entire country of South Korea so all in all I responsible for about $250,000 worth of equipment and some people are like oh man that seems like a pretty cool job like pretty cool full-time job well the fun fact is that my full-time job in South Korea was to be a mailman it was trying to me to sysadmin so I made sure that people had an amazing Christmas but you know I also it was like who knows tech stuff Oh hate does okay peyt you're our guy now go make it happen so being an additional
duty as the military using military speak it was like once my full-time job of being a mailman is done then I got the task to go do all the sysadmin stuff which you know there's no extra pay or anything it was just like get it done so didn't fast forward this at this point I was on active duty so I was professional soldier I was a full-time soldier shortly from there moved to was reassigned to into Texas where I worked at the NSA for about about a year and a half and it's here that I got to see a lot more behind the curtain in regards to how the United States government does the cybersecurity things and a lot of my
friends were working on a lot of pretty cool projects I was like oh man we can do that like that's pretty cool um so it not only it just fueled my passion a little bit more um and then after after that year and a half I got voluntold that I'm going to move to a new unit about 30 minutes down the street and then six months later I was calling Afghanistan so deployed to Afghanistan and then after that was like man I'm really tired and I just want to go back home to Charleston so decided to go back to school and utilizing the GI Bill again you know went to become a college student so as
you can see you know my my you know relevant to information security just kind of exploded at this point College College was a defining moment for me because you see that I split off and essentially three different areas so those three areas are the commercial space so like private industry going to go work for you know companies and in the military side of things which is in yellow working as a reservist and then as a National Guardsman so doing things at the federal the state and even the county level in South Carolina and in the red is kind of like the academia college route so breaking these down even further you know starting with the
commercial side I became an intern at a security consulting company in Charleston called Soteria not to be confused with cetera which is a defense contract company so start as an intern there were like three co-founders and myself like I'm stringing up cable or helping stringing up cable and and install like security alarm systems like cameras and hit systems you know helping set up like internal infrastructure like help building you know VMs and you know just documentation of you know the company's infrastructure of stuff at a time and it's funny that I actually met the one of the one of the co-founders at a BSides Charleston event and it just so happens he was like hey I heard that
you were in the army and that yeah and he was like cool I'm sorry in this consulting company uh you know tell me more about you kind of deal so it was most definitely pretty interesting so startup ended in and turned that summer when school started back up uh became assistant system administrator you know just building out a SIEM building out their logging capability like building out all these things which were great projects for you know an intern college student to do and then even while in college were cramped up so got to cut my teeth a little bit on the consulting side of things was paired up with like principal and senior consultants where I was able to kind of
learn a little bit and not only learned that IT side of things and security side of things but also learn the business side of things as well like how to how do you talk to clients how do you interact with clients and and that sort of thing so simultaneously I decided at my time in the army I didn't want it to be over I most definitely liked it but I didn't want to be a professional soldier anymore so decided to enroll in ROTC at the Citadel and go to school at College of Charleston and became an ROTC cadet while I was an ROTC cadet was in the reserves there is a transportation to transportation unit in Charleston they
essentially their whole job is logistics I was doing Human Resources for them and then I talked to one of the recruiters on the Citadel's campus reached out to me and said hey I heard you do cyber stuff I heard you do security stuff and I was like yeah is that you want to join the National Guard and I was like well I'm already part of the reserves and he's like well South Carolina it's a cyber team and I was like oh awesome can I talk to them and he's like I don't know who to talk to but they have one and I was like okay well thank you so um you know doing it doing a Google search
doing some LinkedIn stuff I eventually found my mentor who you know long story short met with we met when we had a couple beers and then eventually decided to bring me onto his team doing you know essentially blue team type stuff for the National Guard so this team was developed as a at the time nikki Haley was our governor and she wanted in the event that something was to happen in the state of South Carolina she wanted a military she wanted to have a military option response to it and in regards to you know cybersecurity threats which was on the rise at this point she most definitely wanted to to have some some elements to that so this
team was kind of built based upon that idea so so as ROTC cadet got to eventually fill the role of a defense cyber operations team leader which led a team of about two to three soldiers actually about two to five soldiers depending on you know what was being asked and you know what what needed to be done and over the three years that I was in school kind of were dual hats we had we had some special missions come up where you know they were likely I think you'd be a great person to kind of come watch out for this and kind of lead this effort um you know can you do it as I
guess sure so held multiple hats incident response commander working with industry partners to kind of help figure out that stuff in their network as well as you know just doing the day-to-day you know managerial in charge of soldiers type of deal as well as special missions so we have like these special things that popped up and then in college so College of Charleston if you don't know is a liberal arts institution in Charleston South Carolina was founded in 1770 and they have a pretty good computer science program however at the time security was taught in none of their classes it was more so on how do you build it and even then their curriculum was slightly dated so I
became the annoying guy in the classroom asking well how does security fit into this and that sort of thing so moving into that decided because there was no security presence I'm she's going to make one so I founded the Cybersecurity Club at College of Charleston which later you know as I found out last semester actually so I founded it about 2014-2015 it's now one of the largest organizations on their campus which is pretty cool so not only did I was able to like create something out of nothing but then I was also able to rally people behind me you know in an effort to kind of help build something to raise awareness and that sort of
thing I can tell you all types of funny stories and interacting with the the college itself and saying well I want to create this cybersecurity club and I want to you know I got plans to help build a lab for security students and I'm working with these industry people around around the low country to help donate equipment like can you help me set up a lab and they're like you want to do but like what are you trying to do you know so lots of funny stories but at the end um after graduating college decided that I was you know I have fun at Soteria but I would kind of wanted to expand my horizons a little bit so move
forward to become a SOC analyst at at SPAWAR which I think is now Nick which or niche ni WH or ni WC so became a SOC analyst for Defense Health Agency so all the military the medical buildings and units and things across the entire world that were us-based I sat on their network looking for bets though so eventually at the end again just to reiterate college graduate army officer and in a SOC analyst so my path post-college so this one was a little challenging because I went again super-weird went through like a lot of different things but after commissioned in the office as an officer in the National Guard my official title became cyber warfare officer and then from
there I guess kind of doing it in order I was a still main my SOC analyst role until we got orders sake National Guard got orders to mobilize so had to put a hold on my you know civilian career as a SOC analyst and just security professional and it could be a military officer so essentially did that I had some broadening roles went to school for four months came back worked as like a communications officer essentially how do we communicate on the battlefield kind of deal but our battlefield was like an office and and then also developed some security training for for the soldiers that were assigned to me and the soldiers that were part of my
team for an entire unit of roughly a hundred soldiers overall and in preparation for this mobilization so then we mobilized my official title became crew commander and then shortly shortly during this mobilization also became an operator so kind of doing you know just stuff for the government they needed to get done so after I quickly of my mobilization I was at a crossroads again a lot of crossroads so the first one was what do i do do I go back to being a SOC analyst which is you know I still have that possibility they stay held a position for me I do I go and and go back to that or do I look for the
next thing and I decided that my skills at this point not only on the managerial side but also on technical side was kind of no longer SOC analyst level it was typically SOC analysts are generally seeing unless you're like a senior SOC analyst or something that's generally seen it's just an entry-level role so at this point I was like I don't think I meant relied on consider myself entry-level anymore so and being that it was a contractor role with decided that I was going to go in something else so I did a lot of did a lot of searching applied to a lot of different places and eventually it took a position as director of assessments for Rhino
Security Labs based in Seattle so if you follow their blog post or anything you know that Rhino Security Labs does a lot with cloud security AWS security I think recently they've been doing a lot of stuff with container security so my job was to essentially oversee the pentest team in the assessment team so yeah if you're following my my chart you later see that it was unemployed and afterwards after accepting this this position and moving from you know the East Coast all the way to Seattle um you know buying a house and relocating it was uh I was pretty like good I was like broccoli pretty fast and it kind of you know shook my my core a little
bit because you know it was something that I was somewhat expecting but not uh but it really you know my my boss at the time and myself we never really had a discussion of performance and you know that sort of thing so totally woke up one morning checked my phone and then saw like I'm letting you go and I was like oh no I I wasn't prepared for this um so if anyone's ever been fired or laid off like it just kind of hurts and you go you know this is the first time that at Vista doe it had ever happened to me and I was like oh man what do I do you know for one it kind of bruise the
ego a little bit because I've done like all these great amazing things but at the same time I was like oh man you know this sucks but at the same time felt it felt a lot of anger like why is this happening like I moved all the way out here I took the position you know I I worked you know ridiculous hours to try to make things happen and you know it just felt through but also sadness and then you know even lean in it a little bit of depression because I'm just like oh no like you know this you know kind of woe is me a little bit we have the initial shock and on and
then afterwards after the dust settled panic crept in and anxiety crept in like oh no like I now have a mortgage payment and how am I gonna pay my bills and how how is me and I got married that I was married alright and married so how how am I gonna pay the bill is how are we gonna survive essentially and cost of living if you're from Seattle I've been there like it's not cheap so it was from this like kind of unemployed phase is where like the rest of this talk kind of takes over and this is where a lot of lessons were learned you know in hindsight so so the first thing I did
was you know get get get a it's like it's get understand a situation that you're operating in essentially so there's a great website called cyberseek.org and I think this is a quick note I have like a slide and a half of references of you know websites and stuff to go check out and I'll post my slides for you guys as well so so don't feel like you have to like take notes superfast or anything my slides on Twitter tonight or tomorrow for you guys to go check out and pull down and and take a look at but there's a website called cyberseek.org I think it's put on by NIST or one of the federal
agencies or one a federal entity and it essentially does like a snapshot of a cybersecurity market at any given time so what you're looking at on the screen now is June 2019 you know snapshot of you know CyberSeek so at the time CyberSeek was aware of three hundred thirteen thousand you know job openings and then they saw the total you know seen a total force was seven hundred fifteen thousand and again the supply of cyber security workers is like super low and then you see the top cyber security job titles and there's a lot of data that you can pull from this right so you know read between the lines a little bit I thought oh man like I'm not good
I've done like federal stuff I've done military stuff I've done commercial stuff and each and different entities in each of those I should have no problem on you know finding a job or whatever but then moving trying to find a job that I wanted I really in the job that I wanted was pen tester or in that vein of pen tester offensive security I really didn't have a lot of hands-on experience I had a lot of book knowledge I had the certs I had the college degree I had the you know experience on the military side doing offensive stuff but not so much doing commercial stuff so taking a look at a CyberSeek you know kind of doing it
aside if you're new to the to the InfoSec world and you're trying to get involved this is a great website to check out because not only are you gonna be able to get a somewhat under a somewhat good snapshot of the environment but you're also gonna be able to kind of take a look at these top job titles a little bit and you can kind of do some more research on it try to figure you know see see which one did you're interested in something I do when people are trying to look for jobs and such is I point them to these kind of areas so that they can take a look at and try to figure out you know what is
it that I want to do and we'll cover more of that shortly thereafter so again the infosec career your career is so big like how do you pick you've got digital forensics you got threat hunter you've got security orchestration and automation you know SOAR you got engineer if you want to build things pentesters consultants you get ICS systems SCADA systems right so how do you pick well you just kind of learn everything really you know and this is most definitely easier said than done but at this point when you're trying to figure out you know once you figure out the role that you're wanting to go into and it can be very broad it could be like I want to go
on the defensive security I want to go into offensive security I want to go into IT I want to go into networking right you know at that point you just you just eliminated a bunch of many different parts of the whole pie and kind of narrowed your scope a little bit so that you can kind of dig dig a little bit deeper so being unemployed realizing now that I wanted to go in offensive security this is this is kind of where my drive and determination sets in right because the clock now starts right and being able to learn everything is again easier said than done because most people have jobs again I have a newborn
so I'm finding that a lot of the free time I had before is no longer there but being unemployed and only being married and not having any kids at the time I had a I'm alive free time now so through my own experience I learned how to build and secure things again but not break them so so to narrow my scope even further from offensive security I know I want to go into security and in offensive security I started focusing on application security and really that was for two reasons one I had never been like a software engineer or developer like a full stack or front-end or back-end developer or you know in working on a dev team building something
right using some of these you know software development lifecycles like agile or waterfall and my dev skills were like super lacking you know at this point I had I had I had some IT and it went immediately went into security so I had some scripting I had some other type of experience but really understanding development at a at a level that companies have development shops like I just didn't have that and that's something I wanted to learn and then going into application security it was just kind of like job security at this point every just about every organization has some type of application and whether whether it be a web app a mobile app or both and then it
typically if it's a mobile app it probably is utilizing some web technology like an API or something so being able to speak to application security became paramount and just about every single role I applied for which is most definitely kind of where i stunk to my time even further issues AB set so in order to kind of gain my knowledge um I ordered the Web App Hacker's Handbook which is most definitely dated books do get dated but there was still a lot of good solid information in there that I could pull from right even though it may be dated they may be using may be using an analysis of you know a programming language that may be obsolete at this
point or is not very much in use but it's pretty similar to what's the most current version and then there's a lot of tactics techniques and procedures that's taught in this book that you can you know it you can utilize and build your own notes off off of and then downloaded the free version of Burp Burp is free I think the only difference is between the free and the paid version is that you don't get the automatic scanning of applications and stuff there's some Burp extensions that are only for the paid version and you don't get Burp Collaborator which isn't too hard to just spin up a DigitalOcean or a web server that can accept incoming
calls so and then at the time PortSwigger also unveiled their Web Security Academy which is another great great great resource if you're trying to understand application security concepts like what is CORS what is what is cross-site scripting what is SQL injection how can i how can I like use and understand these vulnerabilities so the Web Security Academy isn't just like a wiki post or anything they actually have labs that you can run through and again the only thing you need is a browser and the free version of Burp and then another thing is VulnHub VulnHub has a lot of virtual machines that are vulnerable that you can utilize to so using so during a sign kind of work
through this piece and started learning right and I was starting to pick up dynamic testing pretty quickly so how can I translate that the future employers this is a quick snapshot of like all the companies I applied to and read you know means either I didn't get a callback or I didn't get you know I didn't either I got a callback or if I did get a callback I didn't get to move forward with it so but typically a lot of these positions I get dropped into some poor old rock environment I have is you know I have a certain timeframe to find as many vulnerabilities I could within the environment and then have to write a
report on it so not only did I have to learn new coding languages networks new tools techniques procedures automation and host defenses but I also had to be able to write and make it look nice which is a lie so but luckily for me I had a lot of experience at programming experience from college I had writing it's you know styling a report writing work from doing consulting as well as colleges writing reports for college and such and then defense thinking of hardening the systems from my time as a sysadmin and a stock analyst but also offensive thinking from you know actually leading a team of pen testers on the commercial side and doing offensive stuff on the federal side so
that is kind of my path to the dark side so to speak and and then moving forward eventually landed a role with a museum which is a great company I love working for these guys I work with people that are consistently making me smarter that are consistently challenging me and pushing me to kind of learn more and one in you know do more so that's the so moving forward what is the key takeaways from you know from this you know word vomit but I've been doing it for a while learn the basics like I can't emphasize this enough a lot of people just want to get to the sexy stuff the RCE I want to pop the domain controller I
want root on a server I want admin on the app I want to be able to do all these things but in in order to be able to do those things you have to understand just basic networking you have to understand basic coding you have to understand how Windows environments work how Linux environments work excuse me you know so for networking understanding network principles that are aligned with CompTIA and Net+ and CCNA again not an advocate for like gonna go just go get the cert take the take multiple-choice test but like use the certifications in their course objectives as kind of like a road map to your knowledge to learn right they do a great job mapping it out to
say you know breaking it down to the topics and the bite-size pieces so you can understand it coding if you're trying to get into offensive security like you you have to be able to code you have to be able to script and Python is typically your go-to for this and lately once you kind of I'm not gonna say master but once you you know feel like you got a good grip on a programming language try to do the same thing in a different one understand how languages do certain things and for me the next step was to go into Go which you know Go is club it's similar to Python but it does a lot
of things differently, and sometimes one programming language works better than the other for whatever it is you're trying to do. And then Windows: like, go beyond basic usage, like how do I change my desktop and that sort of thing, but, like, learn about the underlying features and how Windows does stuff, and then learn how to harden those Windows environments, right? So Windows internals: if you are wanting to dig into Windows environments, Windows internals is your bread and butter, and Windows, Microsoft Press has a book called Windows Internals. I think it might be on its seventh edition, is pretty recent. Check it out. Like, it does way deep dive down into it. And then Linux: like, I feel like
everyone should be comfortable in a Linux environment. You don't need to be an expert in it, but you should be able to navigate around on the command line, you should be able to understand services and processes, and, like, maybe write a shell script or two, and just be familiar, because a lot of the work that I come into, a lot of my clients are building on top of Linux servers. Some are using IIS and writing .NET applications, but the majority of them are writing on Linux servers. So my next thing would be, like, find your thing, right? So it just kind of goes back to, like, what do I go into, right? So for my kind of making this
a little bit easier: do you like to build things, right? If you like to build things, and you're looking for engineer or developer in your title. If you're trying to figure out how things work, you're looking, again, you're kind of looking for engineers, looking for analysts, you're looking for threat hunter in your title. If you're trying to break things, right, you're looking at pen testers, you're also looking at threat hunters again, um, because in order to help defend your network and, you know, write indicators of compromise and other things, then you have to be able to understand it, think like an adversary or red teamer, right? And if you want to fix broken things, and
that's an engineer position all day, right? You know, server falls over, what, who do we call, kind of deal. So then, um, so now kind of my advice is find a mentor. I think throughout my career so far I've got about six or seven different mentors in, like, four of my different fields. Um, you know, I have some that's totally specialized in blue team operations, I have some that specialize in store operations, I have some that specialize in offensive security, I have some that specialize just in business. They don't know anything on the security side, but they know business pretty well. So how do you find a mentor? Twitter's a solid resource. Don't underestimate cold emails, right? A
lot of the more well-known kind of security people may have, like, an email account that you can, like, reach out to. Meetups in your local area, right? So download the Meetup app and go check it out. There's a lot of good ones out there. Conferences like this, right? And then check for Slack groups, right? If you don't know what kind of Slack group out there, you know, you can easily do, like, a Slack group, or a Windows Slack group, or AWS, like your mobile Slack group, or Java Slack group. Like, they're out there, just got to Google for 'em, right? And then kind of in the same vein as finding a mentor, like, play with new
technology. Never underestimate the power of a VM or a container, right? And if you don't know how to do something, like, Google's your best friend. Google is the best sim, so use it to find tutorials and how to do stuff: how do I create an Apache server, how do I create an nginx server, how do I create an Apache server with an nginx reverse proxy, you know. Or look on GitHub for open source projects and contribute, right? You can pull down, being able, like, working in Git is most definitely a skill, so being able to pull down some, you know, being able to operate within a Git environment and understand, like, pull,
push, merge, and what that means will most definitely give you some more credibility. And then here's my secret sauce, right? So my secret sauce is just talk to everyone. Like, don't be afraid to approach people. Too many people in our industry get that, well, that person knows way too much, like, I'm just a peon, they're not going to want to talk to me. The vast majority of people in this industry want to talk to you. Like, they love getting asked questions, because people like to talk about themselves, and people like to talk just in general, right? There's ask a question, I guarantee you. And then generally look at it, say, if
you go to ask them a question and they tell you, you know, they're kind of rude or they brush you off or whatever, now it's probably not the person that you want to talk to anyways, right? Get involved in your local community and infosec, right? So showing up to BSides is great. Check out your local ISSA chapter, that's another great one, if where you live has one. And if it doesn't have one, then create one, right? You don't need to be someone that is a senior-level executive that can create a chapter. Anyone can create a chapter. Anyone can create an OWASP chapter, a meetup. Clearly just say, hey guys, we're
gonna meet at XYZ at this time to talk about security. If no one shows up, Ron you reach get more people to come, right? I guarantee you people will come. Next one is, like, build a website and host a blog where you can put whatever you're learning, right? And also, like, don't go to Wix. Like, Wix is a, you know, not doubting, not putting Wix or not putting down any websites like glitz or whatever, but you're gonna gain so much more if you create, like, a droplet, or a virtual machine on Azure, or an EC2 instance on AWS, and then build off of that. You're just gonna get so much from it. And then
believe again, be fluent in the fundamentals. Knowledge is greater than certs. So when I'm looking at, when I was looking to hire people, I cared more about what could you show me than what was on paper, what did you know, right? And I had questions I would ask to kind of gauge your knowledge and how deep you could go. They mentioned it in the previous slide, but certs are, the previous talk, the certs get you to an extent, to a point. You know, certs might get you past HR or whatever, but then once you, like, really start talking to people who know what they're talking about, um, you know, you're not going to be able to lie, right? You're not gonna be
able to, like, fluff it and fluff the answers, right? So I cared more about getting the job done: can you get the job funded I need you to get done? And then do stuff. I think I mentioned just in Discord, but, like, CTF competitions, tech projects, personal and part of a team, right? So look at joining a CTF game, right? Look at hosting a CTF and trying to get people to come join you, right? Yeah, there's a lot of lessons learned and power in groups in regards to learning. And lastly was kind of create your own brand. So this is kind of like just for your own professional development. Every time I do a talk, I have slides
that I have slides that look a certain way, that kind of have my feel, my touch, my fingerprints all over it. You know, when I hand out business cards, you know, they just have my own personal information on it. When I'm not working with people, you know, it has my own flair on it, something that says me, right? So, but brand is not only just marketing materials, it's also, like, what do you stand for, what are your ethics, what are your values, those are they. So I guess that was kind of the end of my talk. So at this point I would ask questions, but I think I'm over on my time a little bit.
Um, so that's never been waiting for raffle prizes. Oh man, I'm standing between you guys and raffle prizes. Well, I'm sorry. So I have my Twitter information and email and here, feel free to reach out. I'm up, you know, I'm most definitely gonna, I'll talk to you. I don't use Discord as much, so you messed from your discord and I don't get back to you, don't take it personally. Reach out to me on Twitter or email, I'll be a lot faster. But thanks, that's all I got. Michael, thanks, Leo, we really appreciate it. Yeah, that was great. We finally made it, the bhp, yeah.