
I'm pretty loud as it is, so I really don't need the mic except for the recording part, so I'll try to dial it back a little bit. All right, I'm Rob Jorgensen. I actually do have a bio: I've been working in technology and InfoSec for about 20 years in Utah. I left industry about two years ago to work in academia, where I've been building a cybersecurity program. So this talk is "InfoSec: Just Doing It". Notice it's not "Just Do It", so I'm not infringing on Nike's trademark. So the way this talk came about was, with my role, I get asked by a lot of people how you get into cybersecurity, how you get into InfoSec,
you know, what can you do? I have a lot of people who are students who don't really have any experience, but I also talk to a lot of people who are system engineers, you know, system administrators, network administrators, who say, "I really want to be in security, but my, you know, my company won't support me, you know, I don't know what to do." And a lot of people basically, like, "I can't afford it," because everyone thinks that if you want to be in InfoSec you've got to go take a $5,000 SANS course. Has anyone here taken a SANS course? What was it, good? Yeah, great courses, but expensive, right? So this is, so this comes up a lot, and
one of the things I say is, well, you know, there are things you can do, and one of the big things is setting up a virtual lab. And that's kind of where this started out with, but then I realized that that wasn't really the place to start. So the question is why are we gonna set up the labs, and where to start. And so one of the big questions is: do you actually want to work in InfoSec? Does everyone here want to work in InfoSec, cybersecurity? Anyone not sure? This is a question because some people, they want to, you know, hack, they want to tinker, they want to get into various things, but they may not actually want to do it as a
job. And then the question is, do you actually like doing InfoSec, or do you like the idea of doing InfoSec? Does everyone recognize that distinction? It's like, who here wants to be a pen tester or a hacker? Anyone? Who here likes writing 30 hours of reports? Yeah, weirdo. He's got a good beard, though; we need to get that on the camera. So let's kind of zoom out a little bit. So to the general public, what do we do? All right, if you're trying to explain to your grandparents, or you're talking about somebody who's looking at jobs in the scope of all the jobs in the world, right, construction workers and airline pilots and marine biologists,
what do you say? Yeah, some people say... How many people just say "I work with computers" or "I do computer stuff"? For those watching online, that was pretty much all the hands, right? But like, if I say, "Hey, what do you do?" and you said, "I do computer stuff," is that gonna be a good enough answer for me? No, because we kind of zoom in on things when we know about them. So, you know, if I say, "Hey, what do you do?" you say, "Oh, I work in computer something." "Oh yeah, what kind of computers?" You're like, "Oh, I'm an IT person." "Oh, what kind of IT person?" "Oh, I'm a, you know, I'm a sysadmin." "Oh, what kind
of sysadmin?" "Oh, I'm a Linux sysadmin." Like, "Well, you like CentOS, you like Fedora, you know." And so it kind of gets deeper and deeper in, and that's the same thing with security. A lot of people think, oh, you know, there's a security job, right? And that's like saying there's a DBA job. Okay, are all DBAs the same? Yes? No? Don't... right. So there's weirdo Oracle DBAs and then there's everyone else. I'm just kidding, they're all weird. So with security people it can be just like, "Oh, I want to be a security person." And so one of the questions is, what do you want to do in security? You know, do
you want to be a pen tester? Do you want to write firewall rules? Do you want to, you know, do things with Snort? So the real question is, you know, what's your passion? What moves you? You know, what are you really interested in? You know, what makes you want to learn more, and what gives you a rush? Does anyone ever get that rush when they're working on something and they figure it out? They're, you know, popping a box, or they're writing a query, or, you know, they're getting some code to work. It's so nice to calm, you know, everything works and angels sing, right? And that's a good feeling, right? If you never get that,
maybe this isn't the thing for you. If you're just like, "All right, I guess it worked, time to go punch the clock," it's gonna be a really, really long, you know, career, I guess. So, and then the thing is, what wows you? Do you ever read about something and go, "That's awesome, I want to do that"? Hey, yeah, you have an example? Nice. Do you like to break things? Sweet. Yeah. All right, so with this I wanna have a little bit more of an open dialogue, even though it's gonna be weird for people watching it. I kind of want to embrace that BSides discussion concept rather than just me up here talking. Anyone else have anything that wows
them, gets them excited?
I'm talking to you, Dr. Unicorn, you gave a talk on one, right? So, you know, there's Jeff in the back who likes malware; we'll talk about Jeff a little more later. But one of the things I get is, I say, "What wows you? What do you want to do in cybersecurity?" and this is the answer I get: "Anything, I don't care, I just want to be in InfoSec." This is how you end up, you know, tweaking Snort rules for the next, you know, three years or something awful. I mean, people who do say that end up in a situation like this.
Yeah, some people have no idea what that is. Does anyone have no idea what that is? Find someone old... Jeff... and have him tell you. "Get off my lawn, kid." You let that guy in? When's your talk, at what time? Okay, I'll be there to heckle you, and I'm bringing friends. All right, so one of the questions is, what can you do to find that passion? And, you know, I, instead of waking the screen, I jumped ahead a slide. What do you guys think? What do you do to find that? Read a lot. What do you read?
Yeah, what else? RFCs. RFC 1918, which is the RFC for the pigeon-based IP... that's not, not 1918. But what else? YouTube, okay, good. Anyone else? DC801. So how many of you have a passion in InfoSec, or to do something in cybersecurity? What is it? I mean, before I have a banana passion when I was actually calling on people and no one raised their hand. Anyone want to share anything? Yeah. Yes. Okay, so you like blue team stuff, fantastic. How did you get into that? Mm-hmm, but how did that grab you personally? Anyone else? Great audience participation. At the end of the day... I'll get back to you. Ethan in
the back. So, so you like to watch... so you like... and how did you get into that? Ethan, way in the back? Yeah. So one of the things is, is there anyone who doesn't have a passion yet, or is just kind of exploring? Everybody knows what they want to do? Sweet, that goes, like, 12 slides, we'll just jump ahead. I know, so I don't need my slides, apparently. All right, so some of the ways to find that or to embrace that is reading, right? Some of these things came about: Twitter, Hacker News, Reddit netsec, blogs like Naked Security, Tripwire, that sort of thing. You know, if you really don't know what you're looking for, if you're
looking for a change, you know, read these, take a look at these, and see kind of, you know, what things, you know, grab your attention. Okay, does anyone else have any favorite feeds? Scared? Yeah. DataLossDB, mm-hmm. All right, Verizon Data Breach Incident Report, anybody? Every summer that comes out, you read it, really excited. Let's see, what else did you have to say? Like programming, mm-hmm. Thanks. You had a guy who writes reports over here and a guy who likes documentation, the only two in Utah. Yeah, the only thing I write is self-documenting code. So, so read. Listen: there are lots of great podcasts out there, lots of good information. Everyone listen to Security Weekly?
Anyone listen to Security Weekly? Yeah, used to be PaulDotCom, changed to Security Weekly about a year ago. Risky Business, Patrick, down in Australia, does a good one. There's more. These podcasts... one advantage of the podcast and listening is it's something you do while you're doing something else, right? You're driving, you're commuting, you're riding the bus. But they talk about all kinds of different topics; they're not too narrowly focused. So, things to watch: YouTube, the DEF CON channel. Has everyone checked that out? Yeah? How about Irongeek.com? Is there anyone who doesn't know about Irongeek.com? All right. All right, so who's been there? Yes, what does Irongeek have? It's Adrian Crenshaw's website. Talks. Adrian records
hundreds of talks. I can't even begin to describe the, you know, the number there, but it seems like almost all the smaller regional conferences, GrrCON, DerbyCon, a lot of the BSides conferences, he records and he puts them up there. So you have the opportunity to go watch all these great talks without traveling. So if you haven't checked that out, that's a great site to find information. Anyone have any others? Yeah, like I has a YouTube as well, good. RSA also puts up some of their stuff, if you're into the RSA talks. Yeah, okay. The next step in kind of figuring that out is talking: finding the local groups. Hey, how many here are part of
some kind of local group, be it a DEF CON group, OWASP, ISSA, ISC²? This is where you really can find a lot of people who have similar passions and explore new things. Several of the speakers here are from DC801, and they're talking about all kinds of topics, from debugging to hardware attacks to penetration testing to malware reverse engineering. What else? Anyone who was from DC801 here remember all the talks? That's a bunch of talks. So DC801 is a local DEF CON group. There are, I have no idea how many members, does anyone know? Official members? But what... where's Metacortex when I need him? So, so, or Nemus,
yeah. So the DEF CON groups are great, you know. For people in Salt Lake, Utah, there is DC801. DC801 has a hackerspace in downtown Salt Lake City, it's a pretty nice hackerspace, and they have meetings about three times a week on a variety of topics. A bunch of them are free and open to the public, some of them are for members only, but these are people with similar passion and interests who, you know, want to talk about these things. There's also OWASP, ISSA. But a big thing is attending conferences like this one, so well done, you guys can check conferences off. But one of the things I want to mention with
conferences: the important thing's not just to attend the talks. I mean, that's a lot of the reason we have these conferences, is because people want to attend talks, but what we call HallwayCon is often much, much more valuable. Yes, Dustin, you've got something to add? Okay, what's that? Yeah, no problem. That's Dustin Larson; I'd like to introduce everyone. I told him I'd give him a shout-out. So what is HallwayCon? Can anyone describe that? Networking, okay. Anyone else? This is the worst part about the last slot of the day: everyone's dead tired and just wants to be done, and my students who are here, just here for extra credit, you know, I want to check
out... but thank you. All right, HallwayCon. So, talking to people, because that's one of the things, especially as geeks, a lot of us are introverts, right? Like me, I'm obviously very introverted and shy, as my bio said. But this is a chance to talk to people with like interests who may not, you know, are people you may not work with, you know, and they're not going to be like, "Oh, you're a geek, I don't know anything about that." So HallwayCon is actually the best part of any conference. In fact, I would rather usually chat in the halls with people than go to the talks. That's especially the case at a big conference
like DEF CON. Has anyone been to DEF CON? How hard is it to get into a talk at DEF CON? Yeah, you get a lot of HallwayCon, discussion in the hallway for like two hours trying to get into the talk. I do recommend going to DEF CON, though. Is there anyone who has not been to DEF CON here? Wow, a lot of people. Is there anyone who doesn't know what DEF CON is? Okay. So DEF CON is not for everybody. Is that an understatement? It's not for everybody, but it's really eye-opening to go to. In fact, I worked with a guy who went to DEF CON a couple of years ago, well, more than a couple years now, and, you know, I
said, "Well, so what'd you think, your first DEF CON?" He's like, "I guess it's good to see what those people do," right? And he, you know, kind of had a little sneer, and he's like, "I don't... yeah, like, I don't like those people." What he doesn't realize is some of those people are his co-workers. And while there's a lot of black T-shirts and mohawks, there's a lot of good information there, and you're going to get exposed to things that you normally wouldn't see. The downside is it's huge and chaotic and hot and, you know, it's DEF CON. But I'd recommend anyone from Utah especially go. Why from Utah? DC801 party? Ah, well, there is
that, yes. That's what? Driving distance. So there are people who come from around the world to go to DEF CON, people who drive across the country, fly in from Asia, whatever. For us it's an hour-and-a-half flight or, you know, a five-and-a-half-hour drive. It's also a cheap conference, right? How much does it cost to get into DEF CON? Two twenty? So about two hundred dollars. Does anyone know what it costs to get into Black Hat? $1,700. RSA is about the same. Most of the bigger conferences are pretty expensive. DEF CON, 200 bucks, not too much. You know, that may not be something your employer will be willing to pick up, but often you can work on something like saying, "Well,
how about I go and don't use vacation time?" Has anyone ever pulled that one? Yeah. So it's not very expensive, and then you can stay in Vegas for very little money. I'm looking at RSA right now, and RSA, staying downtown San Francisco, and if you buy your hotel room six months in advance, you know, it's like $200 a night. Vegas you can stay for how much? 50, 60? Yeah, Vegas is pretty cheap. The other thing is you can eat cheaply in Vegas, especially if you drive down there; you know, you stop at Costco in St. George, buy, you know, some cereal and milk, and it makes it an easy one to go to. So
there's a lot of good regional conferences, though, to go to. BSides: there's BSides Vegas, which if you're going to DEF CON you might as well go to BSides Vegas. BSides Salt Lake City, obviously. SAINTCON, has anyone been to SAINTCON? About three of you. That's usually in the fall. There's also some security stuff at OpenWest, which is April, May. They were... no, OpenWest, first of May? Yeah. So we've got some good conferences around here, but there's also some smaller conferences that are really great, because one of the things about a great big conference like DEF CON is, well, who goes to that? Who else goes? You know, the 40 people in this room and 15,000 of your
closest friends, right? So it's absolute chaos. It's very hard to, you know, hook up with people to visit. There's one guy that I've been exchanging email with, and messages on Twitter, for, you know, quite a while, and I'm like, "Hey, we should totally meet up at DEF CON," and with all the chaos and all that, we basically got a handshake in passing, you know, in the four days, because there's just so many things booked up. So the downside of that... so the upside is everybody's at DEF CON; the downside is everybody's at DEF CON. But there's these smaller cons you can go to. GrrCON, has anyone heard of GrrCON? No? Oh, you have? Where's GrrCON?
Grand Rapids, Michigan. Where is that? I don't know, Michigan someplace. A good con. How about DerbyCon, has anyone been to DerbyCon? DerbyCon is fantastic. So, you know, there's conferences in Colorado. But these smaller conferences are great because usually there's not as many people. You know, the speaker quality varies a lot, and, you know, they're worth going to. One thing I want to mention with attending the conferences and watching these talks is, a lot of times the topic, when you're trying to figure out what you're looking for, can be colored by the speaker, right? There are some really, really good speakers who could make really, really boring topics super interesting. There
are some really terrible speakers that could take an awesome topic and make it just incredibly arduous to watch. So that's a good reason to sample a lot of them, and the advantage of grabbing these talks off YouTube or Irongeek.com is you get to check out a lot of them. Those of you who've gone to DEF CON and, you know, waited in line for a half an hour, an hour, and then you go in to the talk and the guy spends, you know, 15 minutes and then says, "Thank you, any questions?" and then walks out... or actually BSides last year, we'll call out that person. Danny? Yeah. So when you find these things, what do you do? You find what grabs you, and you could,
you know, you can dive in, you can dip your toe, and that's one of the great things, that there's so much information out there that if you want to dive into it you really can. And I'm gonna pick on Jeff for a second. Jeff, can I pick on you? So a couple of years ago Jeff was like... oh nice, I checked mine just before I came in, so it's super professional. There, room monitor... take away your volunteer shirt. So a couple years ago Jeff says, "I want to learn malware analysis and reverse engineering," and he was really into it. He saw some talks at DEF CON, and what did you do, Jeff? Should I play
malware home... You got the great malware book from No Starch, that, the name is totally escaping me, sorry, No Starch, one of our sponsors. Practical Malware Analysis. And what do you do now? He's a malware analyst. Jeff fully dove in to malware. He's like, "Hey, this malware stuff is pretty cool," and you just did it. The other thing is you can dip your toes in this; you don't have to fully commit. You, like, want to try a little malware analysis, and the nice thing is that you can go, you know, kind of back and forth depending on what you want to do. So that solves everyone's problems? Yes? Sweet, thanks buddy. So now we're doing it again, but
with feeling, right? So it's not just enough to read something once or watch something once, right? Hopefully what this is doing is, this is kindling something inside of you. You're saying, "You know what, I really like malware analysis," or "I really like IDS," or "I really like breaking stuff," or whatever it is. And so you get in deeper, right? You read, you find some books on the topic. You can check out OpenCourseWare. Is everyone familiar with OpenCourseWare? Is anyone familiar with OpenCourseWare? A few of you. So, so you've got MOOCs, right, I'll talk about those in a second, but one of the things that you had before that was you had a lot of schools who were opening up their
courseware. You know, you've got open software, right, that anyone can access; some schools do open courseware. Does anyone know who Ron Rivest is? Who's Ron Rivest? Right, he's the R in RSA, right? Would anyone think it'd be cool to take a security class from Ron Rivest? You know, does anyone know who he's affiliated with? MIT. They're kind of like SLCC but in Massachusetts. So they have Ron Rivest's security course up on their website, on the MIT OpenCourseWare site. You can go up there and download lectures and assignments from, you know, one of the leading cryptographers out there doing research. They have tons and tons of courses. Some of them just have, you
know, some slides and some assignments, some of them have everything, but, you know, this is a source where you can go find that information. You know, some people don't do well with just reading or watching video; some people like a structured course, and so that's, you know, definitely an option for that. That brings up MOOCs. Does anyone know what a MOOC is? Does anyone know what an MMORPG is? It will... strange people walking into the back to answer that question. Thank you. So a MOOC is a massive online open course, right? So Coursera, is anyone familiar with Coursera or edX? These are online things where schools such as Stanford, Johns Hopkins, Berkeley, lots and
lots of schools have come together and put entire courses online that you can take for free. There's, you know, cryptography courses. Anyone tried the Stanford cryptography course? What do you guys think? Rough? Yeah, it's pretty brutal, right? You're like, "Oh yeah, I know crypto," and then you jump into that and you're like, "Holy crap," right? And then there's a Crypto II out, by the way, for those of you who got through Crypto I. How many got through Crypto I? Nobody. But it's Dan Boneh's course. Boneh, I don't have to say his last name. Boneh. But it's a really cool course, and it dives into a lot of theory and the mathematics behind crypto. But there's courses out
there on all kinds of things: risk analysis, ethical hacking, you know, pen testing, web app security, all kinds of AppSec, as well as other things. And one thing that I don't have up here that is really important is they also have courses on speaking, writing, things like that, because one of the things I run into a lot when I'm talking to employers is they're like, "This guy is really good at technical stuff, but he can't write." Unlike this gentleman over here who likes to write documentation for fun. So that's something you could work on with that, because basically if you can't communicate the technical ideas, it doesn't matter how good you are.
What's that? Was that actually a comment, or is that just, like, someone saying "Where are we eating dinner in 21 minutes when this talk is over?" Good. Hmm. So what's the other thing? More talks. Hopefully you found, you know, something that interests you. You can go find more talks; almost any topic you find, someone's giving a talk on. You know, you dive in, there's more sources for that, you can dive deeper. You can get Black Hat DVDs. You know, there's tons of conferences like GrrCON that you haven't heard of. A lot of things. And that gets back into talk again, right? So collaborating with others, this is big, right? Does anyone here work with anybody on
something, not necessarily for their job but just something they're interested in? Projects, new people, right? How has that been for you? This is the interactive part, you can talk. Great. Even you, have a comment? Yeah, you can really, you know, push each other and, you know, go deeper, but it also has kind of the effect of you help each other, right? And plus, you know, for those of us who are a little competitive, you kind of don't want to be the worst guy on the team, right? The other thing with talk is to give a talk. Who here has presented at a conference before? Was it a good experience? How did you feel about the
topic you had, like, before and after? Any difference? No difference? Was it an awful experience and you're never doing it again? So this is the awkward... note for next time: take "present a talk" off, and maybe not present anymore. No. So when you put together your talk, did you learn anything more? Did it make you think about some things? You know, it's different to, you know, just kind of doing something by yourself, whereas actually having to stand up and, you know, have slides, or have slides and do a demo, right? All right, has anyone done a live demo in a talk? How'd that go? Good, man. Yes, the demo gods are never in your
favor. But yeah, the thing with a talk is that you go a little further, right, you dig a little deeper, and you want to be competent; you don't want to get up here and look like an idiot, as this example seems to show. So, okay. But one of the things we get into is "I don't understand what we're talking about," right? "I'm not that ready," you know, "I don't know X." Does anyone run into that? Like, "Hey, I want to do this, but I have no idea how to do it, where to start." So my suggestion is that you play. That's one of the great things, is that with this you can mess around with it. Like, for
example, if you guys want to do the malware analysis, what would you do right now? Anybody? Go download malware, uh-huh. You can, in fact. Hello, malware. Download malware, question mark, question mark, question mark, profit. And then what would you do after you download your malware? Okay, good, good. This is the stuff you should enjoy, right? You should be, like, excited to get malware, not necessarily on your production box, but you should be like, "Yeah, awesome, I found the malware," or "I triggered this alarm," or "I popped this box." Something should grab your attention, okay? And I've got some suggestions on how to do some basic things that can kind of help you
with that. One of them is learn Wireshark. Who here uses Wireshark? Who here thinks it's really, really useful in their job? Who here's like, "I really don't need Wireshark and it's never helped me"? Okay, just checking. If you're, you know, if you're like, "I'm a purist, I'll only use tcpdump," then that's fine, you're hardcore. You probably use, like, vim or something too. Who's giving the vim talk? He's a big tall guy. Wow, good for you. I'm a nano... yeah, I'm lazy. Which brings us to the next thing: learn Linux. Um, this was a text I got a couple of years ago from someone in this room. I'm not gonna point out who it was
unless he wants to out himself. So he's not gonna do it, okay, that's fine. I'm not saying he's in the second row on the right or anything. So let's see if anyone can see what the problem is with this. I'll read it for those in the back. The message I got was: "Apparently tar -cvf * file.tar hoses the first file in the directory. Oops." And my sympathetic reply was "Ha ha ha ha ha," and then I point out, "The first arg after the f is the file name of the new tat all," because autocorrect for the win, and then "tarball." And "This was information that would have been useful
two hours ago." So what happened? Does anyone know what that command will do? What does that command do? Notice I'll call out Dustin Larson, but I'm not going to call out your name on the video, right?
So, so it expands out that star and then tries to put everything in the first file name. It expands, because the -f is what the file is gonna be, so it basically takes all the files and dumps them into the first file, which is really bad if this, you know, has crypto information for a hardware security module. Now, that's what happened. So learning it's not the only pepper boxes that will act by someone who doesn't know Linux. Who here is good with Linux? Who wishes they were better, right? Who messes with Linux a lot with their security job, right? You do a lot with Linux, okay. I mean, you just need to learn Linux. So many tools run on Linux.
If you don't need to figure out how to do something, it will save you so much time, right? I had somebody who asked me the other day, it's like, "How do I get an MD5 for a bunch of files... or for a bunch of entries in a file?" Anyone know how to do that? md5sum, right. Which comes in to learn to automate, right? Scripting is your friend. When you're learning these things you should learn how to script in some language. Does anyone have a favorite scripting language? Python? PowerShell? PowerShell is actually pretty awesome these days. So, I mean, it was kind of a joke, right, ha ha, but once you get to, like, PowerShell
4, it's pretty awesome. PowerSploit, yeah, and PsExec is also pretty useful on the pen testing side. So, so thanks, Microsoft, that was a double-edged sword. So learn to script, learn to automate. There are so many cool things you can do at the command line, you know, for Linux; you could also do cool things with PowerShell. But learn how to automate these tasks. A lot of the things we do are repetitive, and you don't want to, you know, have to type it in over and over again. There are tons of tutorials; if you look for bash scripting tutorial or Python scripting or anything, there's tons of cool things. And it becomes useful even at a lower level. It's like,
does anyone use Scapy for anything? Anyone want to say what Scapy is? What's Scapy? It is a crafting module for packets, yeah, it's a packet crafting module. It lets you do really, really granular things with packets through Python. Another recommendation: learn a debugger, right? You don't necessarily need to be able to do, you know, a lot of stuff, but if you have some idea of what debugging looks like, it makes a lot more sense, right? Like, you're looking at a trace and you see a lot of nine-zeros in it, right, \x90, NOPs, right? Yeah. So, you know, those things... there's a lot of tools out there. I mentioned it later, but
Corelan.be has tons of great tutorials. Has anyone been out to the Corelan site? Good. Next big one: learn tracer-t. If that doesn't make you laugh, go back to the talk step and ask somebody. Notice I didn't say somebody old this time. Tracer-t... does have tracer-t, right, but if it was tracer-t, it shows you everyone's connection to Google, slowly. What, we need to just play the tracer-t video for an hour? Yeah. Next thing: find some challenges. Challenge yourself, right? Make a game out of it. Is anyone familiar with the term gamification? Turning stuff into a game. And, I mean, you know, I feel bad saying this, but it's
something I use with my kids all the time, right? "Let's see who can stay quiet the longest," or "Let's see who can put away their toys the fastest," right? You turn things into a game and suddenly it's fun, right? It's also kind of manipulative. But there are tons of challenges out there. There's lots of online CTFs, there's, you know, a lot of conference contests have archives of things to do. You know, if you want to find something, a great place to start is someplace where someone has actually put something to find. Does that make sense? So you go out there, you know, the Capture the Packet people, you can go up and get
their network captures and look through them, and they've got years of archives up there. dc3.mil was supposed to release their forensic challenges; they haven't so far, but they should have that as well. So now we're to where I was starting with this: build that lab, right? Virtual machines are your friends. Is there anyone who doesn't know how to use virtualization in here? Fantastic. Virtualization is pretty awesome for this stuff. Why? Isolation. What else? Cost, yeah: you don't have to own it, right? It's not like, you know, 15 years ago, where if you wanted to have a Linux box and a Windows box and a client, all that, you needed to have, you know, five
different desktops, and you had all these crappy P2s and P3s that you'd cobbled together to try to network. Now you can have, you know, this MacBook has 16 gigs of RAM, you know, I have another laptop that's got 32 gigs of RAM; I can put lots and lots of machines on there. And the best part about the VMs is that when I mess them up, which you invariably will when you're playing, what do you do? Revert to snapshot, right? So yeah, if you're not using virtual machines you're doing it wrong. So where do we get VMs? AWS, sure, if you want to pay for it. Some of us are made of money, apparently.
14 cents an hour? Where am I gonna get that kind of money? What's that? VirtualBox, yeah. VMware Workstation. There's plenty of things out there. Hyper-V, I guess. One of the problems is, though, so what about Windows VMs? Can you get Windows VMs anywhere? Sure? No, no, how about legit Windows VMs? We've got in there modern.ie. Has anyone heard of this website? What is it? Right, it's from Microsoft, it's designed for web developers to test their stuff. But what versions of Windows does it have up there? All of them? Well, not all of them, I mean, it's not like it's got 3.11 and you've got to use, like... I'm trying to think of a browser from then,
but there's, like, you know, NCSA Mosaic 1.0. It does not have that, but it goes all the way back to XP, right? If for some reason you want a Windows XP machine with IE6, you can just go download it from there. It's a time-bombed demo, but on the desktop it actually has the instructions on how to rearm it, so it's pretty cool. For a while it was not patched and you could just, you know, pop it with MS08-067 if you wanted to look cool. Sometime around November they fixed that, because they wanted to make my demo fail, but you can remove one security patch and it's vulnerable again. There's Windows XP,
Windows 7, there's Vista in case you want to test your website against the seven people who are still running that. There's Windows 10 out there, with, like, every flavor of IE, and you can just download them. They're all time-bombed, but they're legitimate versions you can test your web app with, right? My web app happens to be Metasploit sometimes. So that's a good place; I mean, you can actually get those. That's always been a challenge, getting Windows VMs; now Microsoft is giving them to us. Kali Linux: does anyone not know what Kali Linux is? Okay, good. You know, Metasploitable... I don't even know what DVM is, that should be DVL. Good job on the slides, Rob. Other Linux
distros: you put Damn Vulnerable Web App on it, the Damn Vulnerable Linux you can grab, you know, things like that. You can build these; there's a lot of tutorials out there. Metasploit Unleashed: has everyone done Metasploit Unleashed? Has anyone done Metasploit Unleashed? A couple of people. So Offensive Security, the people who do Kali Linux, have a web tutorial, it's called Metasploit Unleashed, that runs you through reconnaissance, fuzzing, scanning, exploitation, the whole thing, just for free up there. If you want to try some reverse engineering, debugging, that sort of stuff, exploits, Corelan has some really great tutorials up there. And then YouTube; YouTube has a lot of demos up there. So in the end, what you need to do is, you
just go out there and do it, right? All the tools you need are out there. So, you know, go read, go listen, go watch, go talk, and then repeat as necessary. So does anyone have any questions, comments, funny jokes? Bless you. All right, that's it. Thank you.
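
The tar mishap recounted in the talk, reproduced in a throwaway directory as an added example (it is not part of the talk or its slides). The file names, their contents and the `safe_tar` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example: shows why "tar -cvf * file.tar" destroys the first file in
# the directory, and one way to guard against it. All data is constructed.

make_sandbox() {
    dir=$(mktemp -d) || return 1
    printf 'KEY-MATERIAL-0001\n' > "$dir/a_hsm.key"    # sorts first in the glob
    printf 'notes\n'             > "$dir/b_notes.txt"
    printf 'config\n'            > "$dir/c_config.txt"
    printf '%s\n' "$dir"
}

# Mistaken order: the shell expands * before tar runs, so the word after -f
# (the archive tar will create) is the first existing file name.
demo_clobber() {
    dir=$(make_sandbox) || return 1
    (
        cd "$dir" || exit 1
        # Effective command:
        #   tar -cvf a_hsm.key b_notes.txt c_config.txt file.tar
        # tar also reports that file.tar does not exist; that status is ignored.
        tar -cvf * file.tar >/dev/null 2>&1 || true
        if grep -q 'KEY-MATERIAL-0001' a_hsm.key; then
            echo intact
        else
            echo clobbered
        fi
    )
    rm -rf "$dir"
}

# Guarded form (hypothetical helper): the archive name is always the first
# argument, and an existing path is never overwritten.
safe_tar() {
    archive=$1
    shift
    if [ -e "$archive" ]; then
        echo "refusing to overwrite existing file: $archive" >&2
        return 1
    fi
    if [ "$#" -eq 0 ]; then
        echo "no input files given" >&2
        return 1
    fi
    tar -cf "$archive" -- "$@"
}

# Same mistaken word order, routed through the guard.
demo_safe() {
    dir=$(make_sandbox) || return 1
    (
        cd "$dir" || exit 1
        if safe_tar * file.tar 2>/dev/null; then
            echo overwrote
        else
            echo refused
        fi
    )
    rm -rf "$dir"
}

# Correct order: archive name first, inputs after. Prints the member count
# only if the key file still holds its original content.
demo_correct() {
    dir=$(make_sandbox) || return 1
    (
        cd "$dir" || exit 1
        safe_tar file.tar * || exit 1
        grep -q 'KEY-MATERIAL-0001' a_hsm.key && tar -tf file.tar | grep -c .
    )
    rm -rf "$dir"
}

echo "mistaken order, plain tar: $(demo_clobber)"
echo "mistaken order, guarded:   $(demo_safe)"
echo "correct order, members:    $(demo_correct)"
```

The original key file cannot be recovered from the archive that replaces it, which is why the guard checks for an existing target before tar ever opens it.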