
How I Managed to Break Into the InfoSec World With Only a Tweet and an Email

BSides Las Vegas · 2012 · 36:57 · 78 views · Published 2017-03 · Watch on YouTube ↗
Speakers: Michael Fornal
Category: Career
Difficulty: Intro
Style: Talk
About this talk
Michael Fornal shares his unconventional path to breaking into information security without traditional certifications or years of experience. He outlines practical strategies for building a professional network via Twitter and LinkedIn, gaining hands-on experience through home labs and certifications, and leveraging community involvement to land a role as a security analyst.
Original YouTube description:
PG - How I Managed to Break Into the InfoSec World With Only a Tweet and an Email - Michael Fornal Proving Ground BSidesLV 2012 - The Artisan Hotel - July 25, 2012
Transcript [en]

Okay, well, as I said, my name is Michael Fornal, and this is my talk on how I managed to break into the information security world with only a tweet and an email. There we go. Thank you.

All right, so a little bit about me. For six years I worked as a web producer for a travel company in Milwaukee, Wisconsin, where I basically did front-end design and email marketing, you know, the kind of flashy stuff: come take a trip to Aruba. As Jimmy had said, I got bored with that and decided, you know what, I need a change. So I went back to school; I'm in the process of finishing my bachelor's degree in information security and computer forensics from Kaplan University. During that time, to get in, I kept hearing that you need certain certifications and so on, and I thought, okay, well, what's an entry-level certification? The only one that came to mind was the CompTIA Security+, so I went and took that. I studied for it for about six months and really tried to study as hard as I could. Unfortunately, the test was actually harder than I thought it was going to be, so I didn't exactly pass it. You need 750; I had 715, so just barely. And with that I thought, okay, great, so that's an entry-level certification, I didn't get it, what are my chances now of being able to get an actual job in information security?

So I reached out to a couple of people, and I reached out to one person in particular on Twitter and asked him the question: what are my chances? And he had said, well, you know, it's a great one, it's known in the industry, but it's not known; everybody wants you to have your CISSP and so on. So he and I kept talking back and forth, and he sent me an email and said, why don't you email me your resume and I'll take a look at it. Okay, so I sent him my resume and we kept talking, and he's like, I've got this position available for a security analyst, why don't you apply for it and see where it goes; at least you can have the right of interviewing for it and so on. Well, that was October, and I went out to Seattle in November, and come February 6 I was hired on. Right now I'm a security analyst for Providence Health & Services in Seattle. We are a very large organization; there's about 64,000 employees, and we span all the way from Alaska down to Southern California. In my division, at least for the information security side, there's about

15 of us.

So my career plan: social resume equals finding a job. This is the plan that I had designed for myself to be able to hopefully get a job. You create your networks and your relationships, pad your resume with education and your understanding, build your skills and experience, and all that, like I said, will hopefully lead to a job.

Create your network. Join Twitter if you're not on there already; get on there. I have learned more on Twitter, I think, than I have sitting in the classroom, just because of the fact that it's real world. Not to take anything away from the classroom, but it is true: it is very much cheaper, yes, but you actually have people that are out in the field going through and doing the stuff that you're learning about, and I think you can learn more from them than from your professor who's up there, who might be in the field but might just be teaching for a check. LinkedIn: we all know LinkedIn has been bashed around in the last couple of months with their passwords, but I still think it holds value. It's a great place to be able to set up your network, to talk with people, to find jobs. I also highly suggest setting up a security blog; it's easy, it's simple. And also join organizations like ISSA and NAISG.

Using Twitter to create your network: I highly suggest going to Bill Brenner's site here and going to the Friday follows. It's about two or three pages long and it has everybody's Twitter handle on there. I suggest taking about five people, which is what I did, start to look at their conversations, see who they're talking to, and start following them. Eventually you're going to build; people will start to follow you, and you start to build your network that way. And don't be afraid. There are a lot of conversations going on on Twitter, stuff from cloud to the latest company that got popped. Ask your questions; we're all knowledgeable here in information security; say what you know. Just don't be afraid. It's one of the best ways, like I said, I think, to start a network, to get yourself out there, and you can learn a lot, like I did.

Go to LinkedIn, create your profile, start getting involved in the groups that are on there. It's another way to engage in conversation and build your network. There are a lot of great questions asked on there. I still have questions that I put on there about stuff that I'm doing, and I get really great feedback from people. Some of it's solicited, like, come buy our new blinky box that'll make what you're trying to do much better; ignore that stuff, of course. But for the most part we're all on there to be able to make connections and find a job. A lot of it is recruiters that are on there; that's not necessarily a bad thing, to have a recruiter calling you and asking, hey, I've got this position that I think your talents would be good for. So, like I said, that's another great tool to build your network.

Creating your security blog: you can use stuff like WordPress, like I have; you can use Tumblr, Blogger; all of those are great. It's really a great way to improve your writing skills, because I found that no matter what job you're doing, you're going to have to write. You're going to have to write a report, and you've got to make sure that what you're writing is being tailored to your audience. On Twitter you write 140 characters or less, and we all kind of have a different verbiage that we use, but when you write something to a CEO that's going to go to a board, you have to be very careful in terms of what you're writing, and I think this is a great way to practice that. Some people are scared; I was scared at first to start this. I just started writing about whatever interested me. I think one of my first posts was actually about the pwning of Sony, so I just went on there and basically stated what had happened, what other people were saying about it, and gave my sense as to, well, here's what Sony should do moving forward, and what other companies can do. Also make sure, if you do go this route and get a security blog, that you try and get it added to feeds like Security Bloggers Network. They're a great place to bring in your feed. And other ones: you can look at other people's security blogs that they have out there and get ideas. It's a great way to drive traffic to your site too. Like I said, it's a great resource to get yourself out there.

Yeah, yeah, at the end, huh? Okay. Another aspect with social is, again, expanding the networks that you have. Twitter and everything is great, but you really want to get out there and be able to meet people. Joining groups like ISSA and NAISG is fun; it's a little bit of a different crowd. Some

of them, I haven't joined NAISG; I'm new to Seattle, and I know we've got a chapter there, so I've yet to make it there. But ISSA, I've been there; I went to the one in Milwaukee, and I've gone to the one in Seattle. Some of them are different just because of the fact that it's a little bit more corporate, but nonetheless it's still networking; it's still people in your field, and they're still going through the same stuff that you're going through. Yes, exactly. They always have speakers, at least for the one in Milwaukee; it was great, they had speakers, and then they had a raffle for a book at the end. I mean, who doesn't love a free security book? Those things are like 50 bucks, so if you can get one of those, it's always good. And who knows, somebody in there might actually have a job. A couple of months ago I went to an Agora meeting in Seattle; pretty good turnout, I would say about 200 people, and they literally had people with signs on their backs that said "I'm from Microsoft, I'm hiring," "I'm from Amazon, I've got four or five positions." Yeah, well, they actually did. So, like I said, there are jobs out there. I was impressed with that Agora meeting because the first thing they started out with was: who in the audience has jobs? Where are you sitting? I think they even had somebody from the Army or something like that who was there and was hiring, for people who wanted to go that route too. Like I said, it's another way to expand your network, get yourself out there, get yourself known.

For your resume, one thing you want to make sure of is that you are kept up to date on everything that is happening in the information security world. We all know that it changes daily, monthly; it's never the same. I really suggest using Google Reader, or I use NewsBlur, and creating yourself an RSS feed of all the different websites that are out there. I've got Threatpost, SearchSecurity, Security Bloggers Network. I try and read at least 10 articles a day, so once I check emails in the morning I've got about five articles I try and read, and then another five throughout the day. In regards to your resume, I also highly suggest you go on to infosecleaders.com. It's a great site; it's got lots of information on how to help your resume. They have lots of great examples, like if you're lucky enough to have two companies kind of vying for you: which should I go with? This company has kind of what I want, but this one might have a little bit more, and how should I go about doing that? It's just really great information. I believe Lee is going to be here. Lee and Mike are the two creators of that site, very knowledgeable guys. When I was first getting into the field I sent them an email and just said, well, how do I get into it? Here's what I'm currently doing as a web producer. And they really gave me great feedback: try and take that job working as a web producer; you do touch security, because I was in the travel industry, we did work with credit cards, so I got some PCI experience and things like that. So I was able to turn that around in my favor.

Again, staying current: listen to podcasts. We all have a commute of some sort, whether it's train, car, whatever; podcasts are great. Southern Fried Security, PaulDotCom, and Down the Rabbit Hole, those are the three that I listen to. There are a ton of them out there, and they're all great; a really great way to stay up on current information. Attend free webinars. BrightTalk.com is a site that I really like most, because of the fact that it's free, and they have everything in information security that you could probably want, from privacy to cloud to governance; you name it, it's on there. It's also a great way: one of the articles that I had on my blog was on IDS. I watched the webinar that was on there, took a bunch of notes, put it back out on my blog, and said, here's what I learned from this, here are good ideas of what, as a company, you can do. I still get hits on that article. It's information for you, information for other people. And, like you all are doing right now, attend a security conference like BSides or DerbyCon or any of the ones that are in your area or wherever. It's a great way to network; it's a great way to stay up to date on things that are going on. What better way to kill two birds with one stone than attend a conference?

All right, so getting hands-on experience: everybody's catch-22. You've got all this knowledge, you want a job, but that place that you want to work for won't hire you because you don't have the 20 years of experience that they want. So how do you get it? I highly suggest creating a home lab. It's the easiest and probably not as expensive to do. I went and grabbed a book called Build Your Own Security Lab by Michael Gregg, a great book, where everything from network to Metasploit to forensics was built in. Just a great book; it was about 50 bucks or so. With creating your home lab: when I went for my interview for my current position, my boss had asked me, well, what do you do to keep your skills up to date? Do you attend conferences and stuff? And I said, well, yeah, but I also have a home lab, and we went into details about that. I told him, I've got Snort running on there to play with, I've got that running into a database so that I can check the logs and see what's going on. I try and work with Metasploit, as hard as it is for me. You try and just break what you can on there without actually being able to get arrested for it, so you can have free will. Like I said, go to the thrift store, grab a couple of boxes from there; I see them there all the time, they're like five bucks; rebuild them and use them as a box to go after.

Look for internships. Some places have them; they're not as prevalent as they used to be, but they are still out there. Some of them, if you're lucky enough, will pay; others might not, but you're still gaining the knowledge that you can put down on your resume, as well as the experience. Look for projects to help with. Some of us, I don't know if your parents come to you with, hey, my computer doesn't work; that's all stuff that you can put down on there and say, okay, you know what, Mom, your computer's running slow, let me help you with that; I bet you've got some malware on there or something like that. Go through there, find it, get rid of it, and put it down and say, I maintain my home network, I maintain my parents' network, and here's what I do for it: I've set up firewalls, the whole works. Employers want to hear that; they want to hear that you're actually keeping up to date with stuff, that you're getting your hands dirty.

Attend classes as well. For me, I went back to school, but that's not to say that you actually have to go back to school or have to go for a degree; there's stuff that's out there. I think the government puts on, I think it's by Homeland Security, little classes for information security and stuff like that, just general knowledge. And if you have a CISSP, I believe you can get the credit points that you need to keep that up to date. Make sure, again, too, that you're documenting everything that you do. So if you set up a home lab and you're using Metasploit, make sure you're taking screenshots of those and you're putting that out on your blog or somewhere for an employer to be able to see, whether it's your own website, whatever it is. Make sure that they're out there so that they can see that, yes, you're working with this type of technology, and he used whatever latest exploit there is and he was successful at it. And also, again, go for certifications and any training programs that you can. Sometimes if you're in certain groups on LinkedIn they'll give you free training; I know they've got the stuff for the domains for the CISSP, Certified Ethical Hacker; sometimes they appear on there where they give you free stuff. Certifications, if your employer will pay for them, that's even better yet, because they are costly, so better have them pay for it than out of your own pocket. But if not, I still suggest going for them, because it shows that you know the knowledge, shows that you took the time to learn that knowledge, and that you're able to apply

it.

So, finding a job. Watch for job posts on Twitter. I use TweetDeck, and I think every day I see a job for either web app security, database, something; they're out there. I know Veracode is hiring right now; I believe WhiteHat is hiring right now. I think Matt Jay is supposed to be here tomorrow; I know he had put a tweet out earlier that said, hey, I'm hiring, if you can find me, give me your resume. So if you guys have copies of your resume, make sure you try and find them and give it to them. Great guy, I've talked to him before; he's down in, I believe, Texas right now, but I know WhiteHat is all over, so he might have something there or elsewhere. Also, SecTwits For Hire is another great one on Twitter to follow, because that's where places can go and post jobs, and you can also go on there with that hashtag and say, hey, I'm a Linux guru, I need a job; somebody might be able to find you on there. And usually when somebody does post something on there, they retweet it, so you know that it's going to go out to whoever else's networks are on there. Network jobs on LinkedIn: again, they're out there; there's a lot out there for security, you just got to dig. Research security companies, check out the positions, and follow them on Twitter. I found this to be very helpful, not only because you can see what they are looking for in, say, a pen tester, what skills they are looking for that you have that would match, that would make you want to apply for it, but at the same time, well, maybe I don't have that skill, and now I know that I need to get that skill so that I can apply for that job. Most of the time they'll follow you back. Mandiant was a company, they're based out of New York, I think they're also in LA too. I had applied for a position with them for a security analyst, and they followed me back, and with that I was able to talk to them a little bit more about the position rather than just kind of wonder what they were really looking for. I didn't get the job through them, but I was still able to talk to them and say, hey, I know y'all looked at my resume and you said I didn't have what you were looking for, but what were you really looking for, and what can I improve on so that I am looked at a little more by you guys?

Also, get locally involved. A lot of places have meetups. When I lived in Milwaukee we had MILC, which is a group of security professionals, and basically we just got together at a bar, drank, and talked, kind of like what you do here, although you don't have to travel as far. There are other local events that are all over the place; they're all on the internet. Google it, find it, get involved. Get involved with BSides, get involved with another conference that's going on; it's a great way to get yourself out there and network. You're covering all your bases, and who knows, somebody out there might actually have a job for you. So again, good luck, and thanks for attending my talk, and we'll go with questions. Do you have a question? Sure.

[Audience question, inaudible]

Thank you. No, I didn't. I still had a family to take care of, so I couldn't. I just tried to use what I was doing with that company and tried to gain whatever security I could. I knew one of the guys, the main security guy that was there, and I tried to shadow him if I could. Otherwise I just tried to look at it and go, okay, well, I'm working with this technology, I'm working with JavaScript; what are the security vulnerabilities for that, what should I be looking for when I have to put it into a web page, things like that. Did that answer your question? Okay. Do you have another one? Yeah.

[Audience question, inaudible]

Well, it is very challenging. I had set a goal that I was going to put out one every two weeks; I still haven't met that. I think the last one was announcing that I was speaking here. Now I kind of try and shoot for once a month. Now my blog posts usually consist of the analysis that I'm doing for my company; I rip out Providence or whatever and kind of change it around so that it meets not so much the corporate world but more of everybody's world. Yeah, it is very hard; it is time-consuming. A lot of you go out there and figure out how many posts should be out there; people are going to tell you that you should be out there five times a day. Not all of us are going to have that time, unless you're doing marketing and that's your job; then, yeah, I could see that you would have that. But I think if you were able to get out there once a month and get a good blog post out there, I think your traffic would be great. I think that's a goal that you should shoot for: if you're going to go with a blog, at least try once a month.

Let's see, what have I got right now? I did an analysis on FTP that actually got a pretty high following; I was surprised. I had put it as, I think, "is it alive or dead?" Some places, believe it or not, still use it. Yeah, and that's what I found, and stuff like that; it's kind of like the best you can do is just help them along and say, we don't recommend it, try and use this. But that post actually did well; some feed actually grabbed it and put it on Microsoft's site, so I was really surprised and humbled by that. And then the Network podcast also featured it; they were talking about it for a brief second too, so that was humbling and nice. Another one that I did was an interview with Jack Daniel. I didn't know him; I found him on Twitter, sent him an email, and said, hey, would you mind doing an interview for my blog? He said sure, and that gets a pretty high following as well. Any other questions?

[Audience question, inaudible]

Well, my current field is healthcare. There's security in that; obviously we have HIPAA and everything else, but that's not necessarily like a bank or anything like that. Even in the travel industry we were dealing with PCI and credit card numbers. So, yeah, I tried to have a good mix as best as I could, and kind of tried to figure out and look at, okay, well, what industries are really going to have security and are going to need it, and that's kind of the direction that I went. Sometimes you win; sometimes you get them, sometimes you don't. But yeah, that's a very good idea, to look elsewhere too. You got a question?

[Audience question, inaudible]

You know, I went on there, I filled out a bunch of stuff, and I never got anything back. And a recruiter once told me that 80% of your jobs are not going to be found on Monster, they're not going to be found on CareerBuilder, and I really thought he was full of crap; I was like, whatever, dude. And he's like, no, it's going to be who you know, it's going to be on social media. And he's right. Well, yeah, you know, say you paid for that. No, I'm not going to discourage you from going out there and looking on there, because it is a good source, and yes, there are some jobs out there, but I really think going on Twitter, going on LinkedIn, that's where your jobs are going to be. That's where the people are; that's, I think, where it's going to be the most updated. Those jobs that are out there on Monster, they've been out there for months; either HR hasn't taken them down yet, or maybe they haven't filled them, but they're also looking at 30 applications or more, so it's just going to stay up there until they fill it, or decide that the money runs out and pull the ad. Twitter is real time, so I suggest going on there.

[Audience question, inaudible]

Well, yeah, exactly, I would. But I mean, everybody here probably has a smartphone, iPhone, whatever; use that. I wouldn't use work's network to do that. You might want to use a different handle; I wouldn't use your name, maybe; come up with something different. But I guess what they don't know can't hurt them. My job was the same way; they regulated that too. They didn't want us on Facebook or any of that, and I used to sit there in my little cube with my phone, checking Facebook, and then finally they kind of opened up the doors, and I'm like, all right, I'll put TweetDeck on my computer, which was a mistake, because productivity went down to zero. Anything else?

[Audience question and discussion, inaudible]

Oh, what? That's [Laughter] ridiculous. Yeah. Yep, yep. Nope, I agree with that, because now, being in it, I totally can see; oh yeah, I know what they were talking about with certain questions and stuff like that. Yeah, definitely.

[Audience question, inaudible]

Yeah, for me as an analyst, the analysis that I do goes straight to either our CEO or the head of our risk management department, and you have to be very careful. You really got to know who your audience is when writing something like that. You've got to be careful not to use too many technical terms that they're not going to understand. What a CEO wants to know is the bottom line: what's my risk, what's this going to mean to me and my company, how much is it going to cost me, and what can we do to fix this problem that's not going to cost me an arm and a leg to fix? Can we just absorb the risk, or what needs to be done?

[Audience question and discussion, inaudible]

Right, exactly. Talking with my boss the other day, I had asked him, I said, why did you hire me? I mean, I don't have any experience in security; all I have is what has come out of classroom work. And he said, it's your social. It's the fact that you went out on Twitter, that you talk to people, that you blog; we can see it's a passion for you, and that's what we want. If you enjoy your job that much, you're going to be good at it.

[Audience comment, inaudible]

Yep, yes. Oh yeah, and I mean, HR departments are starting to come around; they're starting to see that Twitter and the social networks are a good medium to recruit people, because that's where people are.

[Audience discussion, inaudible]

Yeah, very good. Anything else? Another question? Well, thank you all.