
Building the Next Generation of InfoSec

BSides Delaware · 2015 · 38:23 · 217 views · Published 2015-11
About this talk
BSides Delaware 2015 Speaker: Brian @ForgottenSec Talk: Building the Next Generation of InfoSec

okay well excellent so my name is Brian or forgotten uh ForgottenSec on Twitter uh talking to you guys today about uh kind of the next generation of infosec which we uh I'll get into a little bit more in one second um so ForgottenSec because security is always forgotten um in a lot of environments especially what I do right now uh graduated from some schools went over to Sourcefire did some stuff ended up in a bunch of different industries uh spending a lot of time on Snort and network security monitoring and hacker spaces because I run one and conferences because I run two uh do a lot of other random projects so lots of

different fun things um also in uh spent a lot of time learning about learning which is kind of a fun meta conversation uh that's kind of what we're focused on today uh so we all hear about kind of one of the problems is that we as an industry are short and the number varies depending on who you ask but 10 20 30 40 50 100,000 people who have the skills that we need to fill the job roles we need and part of that problem stems from the fact that people don't actually write the correct requirements for the job they may have someone in HR writing the job requirements or a manager who doesn't understand the technical needs

of the role or the company doesn't understand the technical needs of the role uh those are all very common issues uh kind of the other side of it is that the pipeline that the building of infosec professionals right now is kind of broken uh that's what I'm mainly going to be focusing on today so a lot of student or a lot of people go through various degree programs high school programs come out with some interesting background knowledge but a lot of times don't get that hands-on experience that infosec demands to be functionally useful um and there's quite a few categories of infosec when it comes down to it um trying to pin them down is

kind of fun uh so obviously hear good bit about digital forensics and incident response network security monitoring is all becoming much more popular as a topic threat intel can't spit not hit two at any conference trying to sell their feed uh pen testing which probably has the most resources available because everybody thinks pen testing is sexy and it's a lot of fun when you break into your first computer ethically or not um would recommend ethically because that's obviously a good thing uh but you know getting that experience of understanding how exploits work really helps um to do any of these tasks reverse engineering um everybody know reverse engineering is looking for more reverse engineers there

aren't that many who can survive that training or excuse me uh they go into that speciality uh compliance which a lot of us hate because well it's documentation it's the I won't say non-technical but the focus is more on uh legalities than it is technical specificity there's a ton of generalists tons of organizations will have the IT security person or it will be part of a job um and then vendor and solution developer the folks who I've got this product let's talk about how to make it work in your network and how you'll pay my company money and then there's research folks and other unique snowflakes don't fall under one of these categories uh I was talking to some

downstairs who do kind of the uh building or re researching methods to do some of these other things so researching some threat Intel like stuff to try to identify attackers and how to detect them uh so that was just one example but there's a ton of different uh categories but which of these really have a structured learning opportunity um for most of these compliance obviously you read the book that details the compliance and probably take some law classes because a lot of lawyers get involved when lawsuits happen with compliance but for the rest of these there's not really a structure or a lot of training available um so uh some of the other fun things uh

diversity we we kind of have a very focused field with a lot of white males which is a thing um so there are some programs out there to try to uh help some other groups uh Girls Who Code and Cyberjutsu are two who focus on girls or ladies uh Cyberjutsu also Al social woman's side of things um and then there's also some other groups uh they were really really hard to find uh even in couple hours of just Googling around and Twitter and whatnot I had a lot of actual fun finding them um I know for example there's a Spanish or sorry Hispanic infosec professionals group but couldn't find a website or any details on and anywhere I know it exists because

I've spoken to a member but finding any actual information was failing miserably uh also there's military groups that are designed to help folks make the transition from you know I was in let's say you know a grunt or a Navy guy um or one of the other name or one of the other groups that kind of did more of the well maybe classified stuff but not necessarily IT in any way shape or form trying to make the transition after they get out well a lot of a lot of a lot of folks tend to choose IT and infosec because there's a lot of opportunity and there are programs again to help those folks develop finding them is not simple

a lot of times on the outboarding from the military they have some of those available um these were some of the ones that I found in a few uh would help if I actually had the right slide up so Girls Who Code Cyberjutsu was two of them and then here are some others that are more focused around veterans uh except for the bottom left that was just a really good description of what uh what happens uh with the transition trading in military boots for uh nice shoes for moving more into an office or IT environment although realistically those look like dress shoes so probably not as much that but it was an interesting article on the transition there are

groups that are designed around preparing uh veterans who are moving out of the service into more of infosec but again they're kind of hard to find and uh not easily available um so then we have kidson uh this is a program that was actually started by MIT about five years ago now and these are some of the local hacker con or not all local but some of the hacker cons that have uh embraced the idea of having a kids focused event at a hacker con and kind of start teaching some of those skills earlier uh and then there's a ton of opportunities that are driving infosec skills down uh into earlier ages um actually a couple that have actually

pushed into the middle school area there's been high school for about the last 10 years or I want to say it's eight years for CyberPatriot which is one of the uh defense inherit and defend type exercises hosted by military uh the Air Force Association combined with uh one of the contract government contractors one it was Northrop Grumman but might have been Lockheed or one of the others I don't remember offhand but um Air Force Association is kind of the prime on that and then uh basically they give students from across the country in machines they have to defend and harden um so kind of getting that basic hardening experience security experience in the high school level they

want to say they had 1,800 1900 teams last last year and then the Middle School they've Mo they've taken over one school district out in California and I know I know they're looking to expand that robotics league is an infosec but at least exposed his programming at a young age uh NYU Poly has a couple of things on here uh the forensics confer forensics challenge uh is really really interesting uh from the computer security awareness week program and then they also have a capture the flag called CSAW CTF that also is there um and Carnegie Mellon has picoCTF again a middle and high school focus challenge there um US Cyber Challenge actually is a program where you basically take a

test but if you do well enough you can get uh invited to the training camp the training camp has four one-day versions effectively what's a SANS class and then a CTF on Friday again that's completely free um so that was a really interesting program to go visit even though it's targeted towards college students I know a lot of professionals ended up doing it anyway um so that's also out there um cyber is at the high school division in that Unfortunately they don't have a training camp they do have some online material uh the National Cyber League is well I hate the word cyber but National Cyber League was an interesting challenge uh it's kind of exposed uh log

analysis and forensics and some of the other skills crypto steganography in a challenge that was targeted towards college students and they put your name up on their website if you did well which turned into a very strange phone call from someone finding a phone number for me from 10 years ago um MITRE CTF I played a number of years ago as well and a lot of companies are starting to use capture the flag and other challenges to drive education because as you play a challenge you end up having to go research something that you didn't know coming in it's pretty much a guarantee if you're playing the challenge correctly you are going to end up researching something and learning

about it the other component is that after the challenge you can go read someone's solutions on most the most of the challenges will have writeups on what some of the solutions were so you can actually learn not um solutions to problems how they solved them and where in your thinking you you stopped and see what the natural progression to get to that understanding can be um within academia there's a few groups that target creating that cyber security uh training and education type environment uh CyberWatch and CyberWatch West have money from National Science Foundation to do just that they also provide courseware and whatnot um uh UTSA has a group that runs the National Collegiate Cyber Defense

Competition and works with all the other ones that's the CIS and then they actually have a information security education conference so teachers who teach infosec a conference specifically for them with a horrible name called ciss um or the colloquium is what the new logo is uh I think that's a lot better because I think was a horrible name but it was a really interesting conference to go here and see what people were doing the biggest takeaway was they need help they want help from industry and they're looking for us to get involved um so some of the other programs uh more of the online courseware edX is MIT and Harvard uh Udacity is Google Facebook MongoDB

Cloudera AT&T uh Coursera is probably 50 or 60 different colleges and hacker high schools out there as well Stanford web as well but they their logo is transparent and pain in the butt so I didn't get to that one um some more lovely classroom materials uh when I was giving a version of this talk at a local group down in Northern Virginia uh he literally hey I got labs on GitHub and uh samsclass.info and cryptocity are the uh open sourcing of the course material from uh cryptocity is Dan Guido of NYU Poly and Sam's class I don't remember what school but I want to say it was somewhere out in the midwest

somewhere um and then I started a project on GitHub recently to start identifying some labs around network security monitoring again going back to the the fields I talked about at the very beginning only one of those is really well represented for the open training that's available pen testing and red teaming there's a ton of material out there and we talk a lot about that at different conferences but when it comes to defense there's not been as much focus for example when you think of defensive cons or uh hacker cons that focus on defensive skill sets you really struggle to come up with naming a couple um so SANS is out there obviously that's a little bit more

targeted and a little more expensive um Security Onion Con and uh BSides Augusta are out there uh but other than that there really isn't a ton of other defensive focused options or for any of the other uh categories I mentioned um the only other one is uh DFIR digital forensics incident response there's a few additional conferences specific to that uh NolaCon or uh BSides NOLA I forget which one the two is very very very heavy in uh forensics so um couple other tools obviously suggesting internships uh LifeJourney was kind of an interesting group that tried to map out what skills you need for specific jobs and create a path to actually getting into say reverse engineer yes did

you have a

question yes they're

downstairs yep Cyberjutsu women definitely is out there I couldn't find their logo when I was searching but that's just because it was really busy um they definitely exist and they definitely do good work they're at a lot of cons especially in this area um I've run into a couple of their members all over the place but um yeah they they're definitely out there as well um so started LifeJourney is they mapped out probably about about 20 infosec professions or excuse me not that many in infosec but a bunch of professions and mapped out the steps you need to take and the resources you need to learn from to get to that role uh

obviously asking someone in infosec to be your mentor is out there and there's been a number of open offers for that type of thing on Twitter there's not really a structured program through some of the colleges there are um but it can be really hard to find someone and also as a mentor kind of advertising it is awkward um there's a couple of us who will just post out hey anyone want a mentor ping me on Twitter uh myself and uh good buddy of mine da_667 do that regularly but there aren't too many that do um and it's not easy to be a mentor it takes some learning as well uh there's a group called cyber fed which

is completely not what it sounds like uh they actually are the cyber security competition Federation uh this was also based on an NSF grant to build out uh availability for information about information security challenges so the idea was to try to link up the challenge authors with the academic community and with industry to help make the challenges more structured more uniform um it's kind of still in its infancy there's a very interesting podcast they're doing for that uh headed by couple guys out of Cal Poly Pomona uh Dan Manson and uh is Jason Pitman um so that's kind of an interesting thing I think they've done 30 or so episodes um every every college student and I think high school

students might be eligible for this for as well are can get a free account on DreamSpark which gives you access to a ton of software through academic licensing for Microsoft this allows you to set up a Windows server and play with it something that traditionally you wouldn't think to do but is really really important if you want to start working with servers well how do you know how to use them until you've set one up until you played with it getting that hands-on experience is very critical to IT in general and in infosec so going out and playing with that uh a lot of colleges also have labs available um NYU Poly was just one example but most

colleges with infosec programs have Labs there are various groups that meet up from those a lot of them are open to the public you just have to go find them um some of them are easier to find than others so uh we get to kind of the Crux of things um the big issue and as I mentioned before you know the the big struggle that a lot of Academia and that a lot of these programs have is that they need help from professionals to say hey I'm willing to do a presentation on X um same is true of meetup groups hacker spaces colleges high school programs they all are really looking for help um a lot of the programs out there

are always struggle to find professionals to come in and speak ideally a lot of those College club meetings will meet weekly or month or bi-weekly or so sometimes even monthly but that's normally more rare because they have the time at that point and they need speakers to come in and talk about a subject so most of the people in this room I'm guessing have a subject that they're pretty much an expert in at some level or at least know well enough to talk about for an hour so my call to action to you is go out and participate find one group in your local area and say hey are you interested in having me come speak about something or talk to

your membership whether that be a university a high school a Meetup Group uh a local con a hacker space there are tons of opportunities especially in the corridor between Delaware and Northern Virginia there is hundreds of different groups out there at different schools and meet up and all over the place take a look please get involved the pipeline that we have right now is very broken and we're just starting to build out those resources to fix it more people are starting to build Out programs around learning all those various skills that I talked about in the very beginning the skills that you need for the lovely job titles and again this wants to be angry and not friendly I

hate PowerPoint some days what is going on so anyway um as we go through those lovely Fields most of them do not have structured training so another way if you're not say the person who is comfortable speaking in front of a group as seen by Heidi this morning some people really struggle with that although she did an awesome job you could see Panic um for those folks there's opportunities still out there so for example the UMBC GitHub that I posted earlier I'm sorry um um as well as my own the project is to try to build out labs for something that I do on a regular basis so for example taking a look at a pcap and looking at a

particular type of event researching it literally as I go through my daily job I'm documenting this is what I did although with non-work data I go home um I'm in the process of taking an entire analysis of an intrusion event and running through the process tool by tool in my home lab and writing out the steps of what needs to be done and the answers and separating that out that is what the universities need a lot of the professors struggle because they'll have some experience but it's really hard to have experience in everywhere in infosec and a lot of the programs are taught by teachers who may have some experience in one spot but not necessarily

another um even my college where every every high-end class every 300 400 level class the teacher was actually in the industry full-time and teaching part-time they except for I think two or three uh every teacher was actually in the industry they still struggled with some of the functional aspects of some of the classes because things like okay Wireless where do we start and again what while I talked about uh that lovely program uh or programs at the high school middle school level is as those develop what we can expect when you start college can we can start to raise that bar so for example at CCDC Collegiate cyber defense competition every year people get a little better a

little bit more experience so by the time they enter the challenge or by the time they enter College they already have some cyber security experience so they're moving on to more advanced things so you're going to start to see more advanced folks as you come in and entering groups so as you build up that pipeline the skills starting from middle school by the time they hit high school they're a lot higher level than just I use AIM messenger nowadays Snapchat and Twitter and whatnot to oh yeah I've participated in a cyber security defensive exercise when high schoolers are starting to do that by the time they hit College well I've done five or six of these now I'm going to play the

college version with the next step of a live red team taunting me basically and having fun and providing a more uh more challenging attacker um so as the skills at each level high school or middle school high school college and Industry levels up the entire industry is going to build but to get there we need everybody's help to go out and start building up those programs building up the Next Generation exactly what Heidi talked about this morning this is a problem that we're having we need your assistance I say we I'm out there too I just volunteer with a lot of stuff um so now that I've ranted for a few minutes does anyone have any

questions no that's fun yes or so in general pretty much every aspect of building the infosec pipeline needs help so that's the GitHub groups that are trying to write labs and create courseware that's volunteers to actually teach at universities and and community colleges and high schools on the side so for example part-time that's volunteering to the cyber security clubs and speaking there or at local meetups that's mentors for all of those groups and new professionals that's everything um there's a shortage all over the board which is kind of the problem um and again there's a few folks trying to or starting to build up on that but we need the community's assistance because there's a lot of

students out there and the number of mentors versus the number of people who need mentorship is a huge disparity I can't have 20 mentors or 20 mentees rather also just because you have a mentee doesn't mean you can't be a mentor as well there are some high school students who were mentoring some middle school students who were also receiving some mentorship from college students um through the CyberPatriot program they actually ask for every single team they want a mentor who has some experience in some cases this was just College students who had played challenges and others it was folks in the industry but there was a team that I ended up mentoring and when they started

playing they had 10 people by the time the organizer of CyberPatriot linked me up with them about two months later they were down to four people because they didn't have that mentorship and they struggled with just slides just explaining what's the difference between a threat and a vulnerability and the most basic of explanations explaining slides that they actually provided all those all three of those people who all four of those people were really excited to come back and play the next year the problem is right now we're not giving them the encouragement we need to get out there and assist whether that be volunteering your time to in person online whichever you're more comfortable with obviously

as I said some folks aren't comfortable public speaking not a big deal you can still assist there's still tons of programs um Collegiate Cyber Defense Competition for example uses volunteers as judges as uh the folks who run the infrastructure excuse me uh folks who build the injects folk uh should probably explain that so within Collegiate Cyber Defense Competition there's kind of a couple of things uh students inherit and defend a network that they know nothing about walking in besides these are the operating systems and the base function of what I have so they may get told you have a 2003 Server 2003 Exchange Server an Active Directory domain controller a web app running on Linux a web app

running on Windows good luck um so you can imagine that that's kind of a fun exercise very similar to the Pros versus Joes downstairs except for in the college version ver they also have business tasks they have to complete such as go make an SSL certificate and put that certificate on your website and add add it in the certificate store in all the clients a task that reasonably you may do in your company today but for college student who's never dealt with PKI is not something they're easily going to get especially with the added challenge for Mid-Atlantic where they don't have direct internet connectivity they have to walk 20 ft to the internet workstation doesn't seem like much but the fun is

you have a group of red teamers including folks like mubix Rob Fuller and uh Chris Gates carnal0wnage Raphael Mudge armit to attacker and all these other experienced seasoned pentesters who are working to gain access and control of the student networks and disable them at some point uh normally they spend the first day having some fun first and playing around establishing persistence seven ways from Sunday but you know depending on what strategy the red team uses can change the exercise realistically the red teamers are always have a good bit of advantage they get to bring in their own tools they get to prepare and stacked overwhelmingly against the students but the students get to learn in an

environment that I would still love to play in today of inherit and defend a network where the repercussion of getting owned or darn I lost points versus you know hey I got fired or my boss got fired or my team no longer exists uh obviously the the losing of the competition or struggling is much uh easier on the flip side they also are offered typically if they do well job opportunities internships which all the sponsors of the exercise end up hiring those students because they have that experience and have shown interest um the new more and more is that sponsors of cyber security challenges are looking for the students who are participating and saying you really are dedicated to this

field you really have this extra interest and you are showing up you're showing up to something you're not required to and enjoying it maybe you're the right kind of person in infosec I would rather hire someone who has enthusiasm than I would someone with a little bit more experience any day person with enthusiasm will surpass the person with a little bit of more experience quickly this is a constantly changing field we are in a treadmill if you stop you're falling further behind if you're not running fast enough you there is no fast enough you always run a little bit behind because there's too much depth and breadth to this field that you will never be able to learn

everything in this field I would say you it's the struggle to call yourself an expert in a particular in more than one discipline in infosec because there's that much going on in every individual field there's constantly things going on the reason why so many of us use Twitter is for that exact reason because the news that we see you hear about a breach you hear about the newest exploit technique the newest defensive tool and sometimes you won't even know they're there until they've been around for a number of years and you have to run into them an event or happen to find someone's blog post that explains exactly what you need which is probably more common than

finding it in a textbook I don't think I've found too many structured things that I I had a research question they ended up in a textbook it's pretty much always someone's blog or ask it on Twitter and someone says hey I wrote a blog post on that two years ago here you go and that's honestly one of the best ways to find answers Stack Overflow is another same type of uh response and communication only more in a forum aspect of you know who looking at that um so what we have is a serious need for your assistance so please take the opportunity in your area look for the groups that are out there get involved

in what you can if you don't want to do it in person go online there's opportunities there yes you had a question in the back

so every hacker space is pretty much unique in a way um some have uh more of a maker focus some are more into electronics microcontrollers programming you start to get fewer and fewer and as you approach infosec there are still a few out there uh obviously the the one I run Unallocated Space down in Maryland uh it we have a lot of infosec professionals pretty much every person who was a founder was in the infosec field so periodically we'll have events like uh we have an event called the Minicon once every two months or so share something 15 minutes to an hour and I've had everything from writing my first kernel exploit to quick keys in vi

to creating a theremin to a demo of knife and axe throwing um because that's the diversity in the technology community at its core the uh hacker space world is very focused in whatever people happen to participate in that particular one uh given the diversity we have in technology that can be all over the spectrum and depending on which one you participate in some will have a lot more infosec it some won't uh find one that do if there's one excuse me if you're lucky enough to find one that does in your area then it's a great opportunity sometimes just exposing different technologists to information security things they don't realize um we host a lot of other infosec meetups so OWASP

Maryland has to my hacker space participated similarly at colleges sometimes they will host say OWASP or other infosec related uh groups so it just kind of depends on figuring out the right thing for your area um especially in the Maryland DC Virginia area there are a seemingly infinite amount of groups um to the point where you can't view them all you literally there are more groups every night then there are in certain areas so it's kind of a struggle yes

yep yep there's ones that cover just about everything on meetup.com is very popular and a lot of groups will cross-pollinate so for example you you'll find people who are in multiple groups and sometimes that can lead to interesting discussions and you realize hey wait you're into all the things I'm into that's kind of interesting let's talk um I'm getting into some interesting conversations with that um there's a lot of different opportunities here and as I said I hope you guys go out and take a look into them even if you can't contribute in person any contributions you make virtual in person make the offer it's also a great way to get interns because when your company wants

to go get an intern when you say well I've had someone who's really dedicated who asked me to be their mentor and you know I think they'd be a perfect fit for this mentorship program you've already vetted the person you already know they have an interest you already know what their skills are that saves a lot of time and money on companies when you think about the cost of sourcing someone well you don't think of an intern as a as necessarily someone you're going to spend a ton of time on but when you think about all the time you spend interviewing 20 candidates even if that's half an hour a piece that's 10 hours you could have been working so

realistically there is a cost to finding a good intern and they become typically inexpensive employees after if you if the organization likes them so it's a great way to actually pick good interns and get them into excellent position so that helped everybody because companies like it when you have an intern that works out well any other questions okay well thank you for coming uh feel free to contact me a little early but it is what it is um I'm going to be building up the list of information I'm also going to be posting these slides online the other kind of co-purpose to this is when you find that person who asks you what the

resources that are available now you have a place to go look and you have an entire set of lists of all the resources that are available different ways to search them different ways to find them thank [Applause]

you