This webcast was originally published on September 24, 2018.
In this video, seasoned experts discuss effective strategies for starting and advancing a career in computer security. They emphasize the importance of understanding core principles over chasing buzzwords like ‘blockchain’ and ‘AI’ initially. The conversation also covers the shift in educational approaches, highlighting the increasing value of hands-on experience and practical knowledge in the cybersecurity field.
- Importance of hands-on experience in computer security education
- Transition from traditional to modern approaches in computer security careers
- Value of continuous learning and adapting in the field of computer security
Highlights
Full Video
Transcript
John Strand
So let’s get started. So this is the. Your five year plan. Next generation. If you notice, we’re not in studio, right? We’re not in studio because, we had the governor and a bunch of people here today.
We’re actually down at our intern headquarters in Rapid City, South Dakota. And behind me is our wonderful wall of fud and, just buzzword board. Buzzword board.
So if you’re trying to look through this, trying to find things like passwords or meaning and information security, have fun with that. It’s not going to get you anywhere. But I think it’s apt, Sierra, because this right here is a bunch of crap that if people are getting started in computer security, they would try to automatically jump into buzzwords like artificial intelligence and machine learning and blockchain and all of these different things.
And there’s value. But that’s not a good place to start your career, at all. So we wanted to cover good places and ways to start your career. And I thought I would bring in Randy Marcheni, who has a tremendous background in starting careers in computer security, and Ed Capizzi, who helped launch my career in computer security, to just drop in every once in a while.
So my background college was at University of Wyoming, initially went to accenture, Northrop Grumman, started working on classified projects, started teaching for Sans, and started black Hills information security.
I don’t want to spend too terribly, too much time on this as a whole, because there’s other things that I want to get to. And I talked a lot more about that in my previous session. But it’s interesting, because when we’re looking at computer security, especially for the old people that have been doing this for like, 1520 or Randy’s, case, 30 years, you don’t really have a straight path to getting into information security.
I, would say, randy, I’d love to get your opinion on this. Even ten years ago, we were always suspect of anybody that came out of college and wanted to go right into computer security. There was this huge focus on coming up through the school of hard knocks and getting into computer security, rather than just getting a degree.
But you’re working with degree program level students that are going right into computer security. Do you see that changing in the industry as a whole, that now you can actually make that progression from university, get a master’s degree or undergrad degree and get into computer security?
Or do you think that there’s still a lot of the school of hard knocks requirements involved?
Randy Marchany
there’s still a lot of school of hard knocks requirements. I think a lot of universities now have started to realize that hands on experience is something that’s really, really valuable.
it started off if you said computer security. My degrees are in electrical engineering and computer science. And if you said cyber security, back then, they would hand you a crypto book and say, here’s cryptography.
one thing that we’ve done here. So I’m the Cesa at Virginia Tech. So my team runs all the cyber defense for the university, but we have a lab that the analysts use, and we opened up that lab to research and projects by undergrads and graduate students.
So we basically, converted it into a teaching hospital where I’m short staffed. I need some bodies to do some stuff. Students need some practical experience and real world, real world applications.
And so that’s what the purpose of the lab is. And so, the kids that come out, and I say kids, but graduate students or the undergrads that come out, they’ve actually had hands on experience using snort, using bro, using Netflow, Argus, all these types of netflow tools, and working on real life attacks, because we see those every day.
So hands on experience is really, really valuable. and with the CTF competitions, net wars, and those things that, like, in the stuff that you guys do, your hacking thing coming up, that is a huge thing that students like to go the cons of, the shmoocons and those type of things.
John Strand
I think the important thing is, if you’re a student at a university that doesn’t have the resources or the kind of the vision of something like, like Virginia tech or MIT has a pretty good program.
Stanford does as well. Those, those different capture the flag events, those things that we’re doing at wildlife are available, and they’re freely available for people that are coming up through the university system. You don’t have to stay just in the university system for your learning.
You can branch out as well.
Randy Marchany
Absolutely correct. I mean, a lot of these, they’re open to the general public. there’s a big push to get k through twelve, kids, involved. One, of the projects that we’re working on here is the Virginia cyber range, which, it’s more of a.
It’s not a true range like everybody thinks it might be from the sound, but we’re collecting course materials that teachers can use at the high school level.
it’s basically out in the cloud. You set up your learning environments that way.
John Strand
What’s the URL for that, Randy?
Randy Marchany
The URL is. It’s, all one word, virginiacyberrange.org dot. The last thing I’ll say about it is this solved a big problem that high schools had with cybersecurity education, because another program that the feds have started, a program called Gen Cyber, where you teach high school teachers about fundamentals of computer security.
They get jazzed up and they go back to their high schools and they’re ready to teach a class, and they want to get that lab hooked up to the Internet. And their it guys say, no way in hell are you going to hook up a lab of hacking machines into my school network.
John Strand
all right, cool. So I’m going to come back to you here in just a second, Randy. so I’ll jump over to Ed. When I met Ed, I was a university student at, Denver University. He was a professor there.
And I was caught up in the middle of the indian trust settlement computer, security case. And a lot of this information is actually publicly available online. You can go and you can pull down all kinds of information about it.
And, actually, if you go to the Indian Trust settlement website, there’s a lot of documents, historical documents from the early two thousands. And Ed was someone that was kind of a surprise to me because Ed, I think at the time you were working at, was it coal fire that you were working at?
Whenever you’re a professor, I know that you did transition in there as well.
Ed Capizzi
Yeah, yeah, I was starting. I was at coal fire getting ready to move to Chapa. yep.
John Strand
And the idea of computer security as a profession outside of, like, working in the government, as it was, with accenture, you were kind of on the ground floor of doing security consulting, back in the early two thousands.
Have you seen anything kind of change since then? coming up to today, whenever you’re looking at computer security consulting, because you’ve been a consultant, you’ve actually been working with companies, you’ve been on both sides of the fence for quite some time.
Ed Capizzi
Well, the change has been huge, John. I mean, you hit the nail on the head earlier when initially, a lot of the consultants or anyone was working in security got there through a very securitous route.
Normally they had a technical background, and at some point somebody had said, we just bought this thing called the firewall. We want you to run it. Good luck. so that has changed all the way through, people.
Now coming up, programs like yours, sans the webcast that black hills do. They’re teaching people about these concepts way early.
And so it is not unusual to have someone come up and say, hey look, I was kind of studying to be a DBA in college. Ran into these different resources and this looks like a lot cooler way to get into it.
What do you think? Well, what am I going to say? Of course that and the fact that you no longer have to have a small fortune to have the hardware to build a lab in your own, to have a lab that you can be in full control of to start practicing some of these things.
John Strand
So let’s talk about, let’s talk about that lab and that practice. Right? So what I said in the previous webcast was year one, you’ve got to focus on core concepts. Ed has this quote, that everyone should steal and should print it out.
And it stuck with me for a long time. It says good computer security is nothing but an inspired application to the fundamentals. It’s not about being lead, it’s not about zero days. It’s not wizards trying to impress other wizards.
It’s just having a good understanding of the key fundamental concepts for Windows, for Linux, for networking. I recommend Python as a starting language. And I would also go so far as to say the benchmark standards.
It’s a great place for someone to learn an operating system by going through the say is benchmark standards. And we can have long arguments about whether or not those standards are relevant to modern attackers.
Whether it would actually stop, I honestly don’t care. But for me, learning coming up, Randy, you remember years ago, back in 2000, they were coming up with the standards for Windows 2000, the standards for red Hat at Sans.
And then that basically spun off into center for Internet Security. I can’t remember which one came first, but we’re looking at year one learning your core operating systems, learning some basic security fundamentals and way that you look at those operating systems, getting started with the language.
Is there anything that you all would recommend that we should add to somebody for like building up a lab for year one? All right, so we’ll start with Randy. Randy, is there anything that you would add or kind of, kind of bring to the table here about these core fundamentals?
Networking operating systems and getting started on coding?
Randy Marchany
you need a fundamental understanding of TCP, IP, and ICMP, at least, at least those three protocols. You definitely need a, good understanding of it.
You need a good understanding of, how to what I call the Sec 503 intrusion.
defense packet, all about packets, right? How to read a packet, it is all about packets. at that level, that’s the supplemental knowledge. In addition to, like what you said, being a good windows admin, being a good Linux admin.
I started off as a Unix at Sysadmin. And so, knowing how to rebuild systems, patch systems, understand what the network connections are, sockets, all that socket programming is another thing that you might want to, a skill that you might want to work on as well.
John Strand
Yeah, definitely.
Randy Marchany
Like you said, python.
John Strand
And it’s tough because a lot of people, when they think of Python, you go through the standard books on Python and like, we’re going to build a battleship game. but I would say specifically, if you’re looking at something like Python, learning how to do sockets and making TCP connections, UDP connections, doing things like that, maybe starting with the scapey framework or Scapi would, be a good way to go as well.
Ed, your take on this, is there anything that you’d like to bring to enlighten this particular slide in this particular section?
Ed Capizzi
Yeah, the one thing I would add is if you can find an old copy of the, four inch thick TCP IP book.
John Strand
Stevens.
Ed Capizzi
Yeah, get that book, read through it. it’s painful, but when you come out the other end, it’s awesome to have that kind of a background. And then the other thing that I would add to this is while people are focusing on these hard skills, start your education on the soft skills.
How are these machines used in business? What are people doing with them? Because, how they’re used in the business can be just as important when it comes down to tracing the wire and understanding the technology as the hardcore tech.
John Strand
Yeah. And if you can’t speak the business speak, this is another thing that you talked about years ago as a consultant coming into Denver University with that program. If you can’t speak the business speak, and Randy’s talked about the exact same thing for years.
If you can’t talk to business executives, to people that are making decisions about where money is going to go, you’re going to go nowhere. You can be as technical as anybody else out there, but if you can’t understand the application of what you’re trying to do, then you’re not going to get very far.
So do we have any questions we’d like to hit or doing?
Sierra
All right, Derek just wanted to make a point. he says, hello. I was at black hat this year. One of the best things I gained from that con was approaching John about an internship, and he replied, do programming?
Are you good with Python? It got me knowing. Even though most say it’s not a prerequisite in Infosec, I believe it is a need because it helps in the long run. I’m currently learning Python and it’s going to help in the field, so thank you.
John Strand
Fantastic. So, Randy, kick it over to you, because you work a lot with interns, not just like standard interns at Virginia Tech. You have some amazing interns. Is it possible to sit and work with you as an intern if I don’t know how to code?
Is that something that you would even consider, for an intern in your team?
Randy Marchany
Yeah, I mean, it depends on the background. The thing that we really look for is, an aptitude. I was really, really lucky. One of my professors, when I was an undergraduate, was actually one of the code breakers for the enigma in world War Two.
Sierra
What?
John Strand
You always want me to say that you’re not that old in the industry, but you literally had someone that worked with you that broke codes on the enigma.
Randy Marchany
I j. Good. Jack good was a statistics professor here at Virginia Tech, and I had asked him years later, after everything was declassified, I said, you guys were first order mathematicians.
What? But the rest of us, what did you look for? And he said, we look for a certain aptitude. They picked on crossword puzzles, champions, because it’s an ability to extract, information, from small clues.
a 13 letter word that starts with an a and ends with an n, and you go, oh, attenuation, and the rest of us.
John Strand
That would have been the first one.
Randy Marchany
I jumped to, you go, huh that and the ability to, just to be persistent and not give up. And so if I find a student that’s got those, those abilities, I can teach them the python stuff.
I’ll just give them a book and they’ll take off with it. So it’s that ability to look at something and really, in a way, Schneier wrote an essay called inside the twisted mind of a security professional, and in there he basically says that engineers are trained to build things that work.
Security engineers misuse those things to break them. And m. So it’s that attitude that we look for, and those are the guys that are at the top of the pyramid that will become the tool tool builders.
But one last thing. The ability to speak in public is a key thing, and for anybody do a talk at the cons, do a talk at your, at your events, do a talk anywhere and get practice on it, because that’s, that’s the thing that’s going to get your message across the business.
John Strand
And this year at Wild West Hack and Fest, we have our fireside talks, right?
Sierra
Campfire talks.
John Strand
Campfire talks. And our campfire talks, I’m not joking, are literally like, I hate to say it, there are auditions for next year. I’m going to sit there. We’re going to watch a whole bunch of people at Bhil.
Sierra
They’re not all new, so they’re all, they’re not all. No, no. We have, like, we have some new people doing that. The campfire talk was basically, we could cram more talks into our event. So they’re lightning talks.
They’re not all brand new people, but.
John Strand
It’S a great opportunity, right? You get to move fast. You get to see what works. You get to see what doesn’t work in a presentation. And the only way you get better at presenting is by presenting. So, for technet evaluations, you can download those from Microsoft.
On the networking side, you can set up an entire network lab at home. And you should be trying to set that up. there’s a whole bunch of simulators that gave you a link that you can pull down in the slides, or you can just find some old gear.
actually are buying all kinds of gear all the time. I have testers that will be like, hey, I found this voting machine that’s on sale on eBay for $20. John, can I buy it? I’m like, absolutely.
We want to take that apart. David Fletcher. David Fletcher has got Rick. David and Rick have got to have just garages filled with electronic crap, that they buy all the time.
And they constantly fiddle with it.
Sierra
They’re always like, can we, Sierra, can we buy this new piece of thing for wild west hacking festival?
John Strand
Yes. Approved. Make that happen. And Randy talked about the aptitude. If it’s not just coding, I think it’s that curiosity, right, Randy? I mean, we don’t have a lot of students that are coming up these days doing crossword puzzles, but it’s that curiosity of finding garbage and not just simply discarding it, but it’s that curiosity of finding these old equipment.
These old equipment and stuff. Just taking it apart and trying to figure out how it actually works is very much key to computer security because it isn’t just enough to build something. We want to take it apart and try to understand it.
And ultimately breaking it is going to be part of that process. So usually with my testers I say buy two or three, because you’re going to end up breaking a couple of them.
Randy Marchany
That’s true, that’s absolutely true. And in fact not just the device itself, but how the process of using the device. Again, in Schneider’s little essay thing, he talks about how you could probably walk up to the service department of a car dealership and after going out to where they park the cars after they’ve been serviced, copy down a VIN number or license plate number, go on in and pay for it, and they’ll hand you the keys to the car because they don’t ask you for any type.
it’s that type of looking at the process and seeing how things work.
John Strand
Yep. Also, I recommend Linux install everything from scratch. You’re going to be spending a tremendous amount of time building Linux tools, getting Linux tools configured, getting things working like your wireless card, fingerprint reader, everything.
But all of that struggle that you go through. I get a little sad whenever I talk to prospective interns and I ask about Linux and they’re like, well, I could install Linux, but it’s just crap and it doesn’t work.
And all my stuff didn’t work. So I just gave up and I went back to windows or a Mac. Don’t begrudge them. You can’t be mad about that because there’s some value in what they’re saying, but it doesn’t reflect the types of qualities that we’re looking for.
And we want someone to work for us. We really, really, really like people where, I started building the Linux kernel from scratch and trying to install all the software from scratch.
Not just using a distribution like Ubuntu, but trying to build all the stuff from the core level on some jump that is a massive like flag for us to say, hire this person because they’re not trying to make their life easy, they’re trying to make it exceptionally difficult for the purposes of trying to learn.
So a bit more specific, bash scripting. Randy may disagree with me on this one. There are other shells, but bash is the one that you’re going to end up using more than just about any place else.
So please, please, please start learning the basics of bash scripting. I think Sierra, we have another question.
Sierra
yeah, so just back up to your conversation about Linux a little bit. When you say learn Linux fundamentals, what do you mean? Do you mean understanding how it works, the basics of where everything is that you can run racist commands or that you should know how to do it blindfolded.
John Strand
I would say yes to all of it.
Sierra
Okay.
John Strand
The only way that you really get that good to where you can actually do it blindfolded is by struggling and trying to get things to work that generally shouldn’t work. it’s just basically dig in. I always tell people too, we had one person that wanted to be an intern.
Just uninstall windows. A couple of magical things are going to happen. Although it’s changed recently. If you uninstall windows, just install Linux as your core os, your world is going to get a little bit more difficult. It is, but you’re going to learn a tremendous amount in doing so.
The other thing is it’s going to close off a lot of paths for you. You’re not going to have the path open to you for playing video games, even though Steam now has a tremendous amount of functionality on Linux, which made me cry a little bit inside.
But you’re going to be focused on using that operating system rather than just simply playing video games on it. And I’ll talk more about video games later. So here’s a couple of books. Yeah, go ahead.
Ed Capizzi
I just want to reinforce what you’re talking about because, the ability to build it from the ground up, you’ve got to be able to connect those dots because troubleshooting, I know they say it can’t really be taught, but if you can do the basic troubleshooting of.
Okay, this isn’t working. Why? What came before it? Did it load?
John Strand
Did it work?
Ed Capizzi
is it getting power? When you start trying to go through and reverse engineer or functionally decompose a system, you’re going to have to understand what’s connected to what.
Connect those dots and follow it backwards.
John Strand
Mhm. And I kind of have a thing I talk about in sans classes. the basics of troubleshooting are ping port parse. If you have any tool or anything that’s not working, can you ping the system you’re trying to communicate with?
If you can’t, your problem is the network or it’s not plugged in. then you have port is the port of the remote service I’m trying to talk to available? And you can check that with like an NMAP scan, just basically making sure the port is accessible.
There’s no firewalls, the service is actually running properly. And then parse is take all of the error messages that are being provided to you and actually read them and try to understand them go to Google or the logs that are being generated from that particular application, try to read them and understand them.
If you can kind of work through the idea of ping port parse, you’re going to have a, much better time trying to troubleshoot, but you’re going to have to learn. How does networking work? To understand pinging and port, you’re going to have to understand operating systems because you’re going to have to understand.
How do you query an operating system in Windows? Netstat minus NAOB or LSOF space minus lowercase I space minus capital p. You’re going to have to learn the operating system ways to communicate and actually work through ping Por parse properly.
But having that basic operating system knowledge, getting started in that operating system, struggling with that operating system, is going to give you the key fundamentals that you’re going to need to move forward with troubleshooting.
Because Ed said you can’t teach someone to troubleshoot, but people can learn and it’s something they have to do on their own. Is that kind of a good reflection of what you just said, Ed?
Ed Capizzi
You said it better than I did. Thank you.
John Strand
So where can we go to learn coding? I would like to open this up as well. We have some people as well that maybe they want to share some links too. But learning Python online and going to code academy, code academy is fantastic.
I use it for high school students whenever we do high school coding classes. I think it’s great for professionals at Black Hills information security if we have someone that wants to make a transition into, doing pen testing from systems administration or some type of development.
if they want to learn a language, we always throw them to code academy. And I want them to get all the way through a specific lesson plan before, they move on to different activities in the company, be it development, be it R and D and so on.
And their classes that they have are amazing. They have Python, they have standard web classes, they have Ruby, they have all these different languages that you can learn. And I think Python is the best place to start because it has got very strong syntax in it.
But other languages are important as well, like asp.net, comma, c, hash and so on. You’re going to be using a wide variety of different coding languages to actually do your job. So learn Python online is great.
There’s another one, code warrior, I think, where you learn how to code a video game online. And hopefully we have some people that have shared some other things that, have popped up. Pluralsight. I think is another good one. Anyone else come up with some good recommendations as well?
Sierra
They agreed with code academy and pluralsight. And someone, else mentioned codingbatch.com, python.
John Strand
Codingbat.com python.
Sierra
Cyber free code camp, safari books online. Cyprary hack this site. So, udemy yep.
John Strand
ucademy I think is how it is. So there’s a lot out there. So find something that works for you, because code academy may not be the best approach for you. You may need something else, go find that.
And this is a great place to start in high school. We originally did this for college students as well, but the response that we got from people that are it security professionals that were just looking for some place to get started was overwhelming at our conferences.
So that helped out quite a bit. year one, next generation, gentlemen. I’m throwing in the 20 critical controls. I think if you want a good overview of computer security, you can spend a lot of time in the CIS documentation for individual operating systems.
But the critical security controls, giving you a great overview of what technical controls need to be in place and how to implement those controls, is something I should have hit in the first time I ever did this webcast.
the 20 critical controls are important for a number of reasons. One of those reasons is, it gives you a clearly defined set of objectives, what those objectives look like, and then also mapping.
I’m going to throw it over to Ed first because I know he’s done some auditing on this. I’m going to stop sharing my screen, and I’m going to open up a couple of excel spreadsheets here in just a couple of minutes. So, Ed, what are your thoughts on this as well?
Randy Marchany
Good.
Ed Capizzi
It’s a good place to start. The other thing that I like about it, John, is it’s a structured way to start looking at the universe of, security that also, I keep coming back to the central tenet, brings in a little bit of what the business is looking for and what part you play in it, because to your point, you can be a tech God.
and if you don’t know why it’s important that you’re a tech God, it’s not going to help you out. So I do like the top 20, and I also have to say that, and this is going to go, I know not everyone’s going to hear this, but the aspect of auditors, there’s nothing wrong with documenting things, and it is good to be able to go through a system and understand if I’m expected to review a system for security.
What am I looking at, what am I looking for and why?
John Strand
Yeah, I think the why behind it is huge. so these are a couple of scripts, that are available from enclave security, audit scripts who’s since beefed up their web servers since the last time we did a webcast, the bhis hug of death.
Sierra
We actually haven’t done that in a while.
John Strand
We haven’t done that in a while. We haven’t brought any sites down in a long time. But it breaks down each of the critical controls, what it is you’re supposed to do. And there’s a lot of documentation online as to the why, why you need to do these different things.
And like basically inventory of software, inventory of hardware, continuous vulnerability management. Understand what this is. So it’s been interesting, my brother is just now starting to take his journey into information security.
He’s came on and he’s joined us and he’s helping us out with a lot of different things. And for me, watching him try to find that place to gravitate and latch onto, it was interesting how quickly he gravitated to the critical security controls and is just becoming a monster in information security very quickly because he’s going through each one of these controls, developing a better understanding of what these controls actually mean, the why behind it, and then also implementation strategies for each of the critical security controls.
I think that that was huge for him. And to actually see that from the eyes of somebody that is just getting started in computer security and the value it’s brought to him in particular is incredibly important.
Also, one of the people you’re going to run, groups of people. And Ed and I have talked about this quite a bit in computer security is sometimes you’ll be dealing with security pro, that’ll always bring up a certain obscure audit compliance standard.
Like they’ll basically be like, well, according to the canadian CSE top ten. And you’re like, I don’t even know what they’re talking about. And the critical security controls has a Rosetta stone where each one of the controls is specified and then it’s cross referenced to NIST 853, the NIST CSF.
And then you get all the way over here, you got ANSI standards, you’re going to have PCI DSS 3.03.1, HIPAA, so on. This is incredibly valuable because it means you’re not just learning one framework, but that framework that you’re learning is directly applicable and cross referencing over to a number of other frameworks and randy on your side, I know you were there.
Just like a bunch of us at sans. James Turala really took off with this. And Kelly Tarala, who we both know and love, we’ve worked with him for a long, long, long time. I got to be honest, whenever Alan sat down with you, like he did with Ed SCOTUS and Eric Cole and me and Rob Lee, and he said that his solution to trying to solve the problem of audit and compliance was to develop another auditing framework.
Were you a little bit skeptical at the beginning of that entire process as well?
Randy Marchany
Yep, sure was. And the actual, it’s kind of funny because the critical controls actually evolved from a sans project called top ten Internet threats.
And this was back in the early two thousands where a consensus group. I was part of that group. we analyzed the causes of attacks back then and it came down to about ten basic attacks.
were responsible for 80% of the successful intrusions at that time. So yeah, this whole framework is really, really important.
And at Virginia Tech we are implementing the 20 critical controls. it’s a bridge between the policy and rubber meets the road type stuff.
At the high level you got a policy says we’re going to follow NiST 853. In the middle you got the critical controls, which tells you what to do. The CIS benchmarks then actually have the rubber meets the road commands.
What are the actual commands that you’re going to do in Linux or windows or whatever to accomplish what a, critical control requires and that backtracks to the standard.
So that’s kind of the bridge that we use the controls. Sec 566, which is the sans course on the critical controls, and 440, I’ve been, I’ve been teaching those with sans that, that course is, as you said, taking off.
Yeah, I’ve been teaching that one pretty much constantly for the last two and a half years, all over the place now.
John Strand
And we’ve talked about this too. And Ed, jump in as well. You’re going to have conversations if you’re getting started down your critical, down your, your security path. Right. As you get started on information security, you’re gonna have people that say, well I disagree with the 20 critical security controls because they don’t have enough emphasis on threat hunting or they’ll talk about some specific technology that’s not in there and it’s old and it’s out of date.
Don’t listen to those people. It’s not that they’re wrong. They may have a technically valid argument for what they’re doing. But in computer security, you’re gonna come across professionals that’ll look at something, be it 853, be it, ISO standards, be it the critical security controls, and they’ll have a couple of gripes with it, and they think they need to throw away the entire framework.
When you get started in computer security, you can’t go down the path of absolutely throwing out something in total because there’s something wrong with it. I’d use antivirus as an example. From a technical control.
Antivirus can absolutely be bypassed. Does it mean it’s worthless? No, it just means that it has a specific goal, objective and limitations and a lot of learning. Computer security is understanding those limitations and not necessarily throwing things away because they’re imperfect, but building your architecture out of imperfect components that’ll reinforce and support each other.
So you’re going to have this happen, right? You’re going to have people that say, well, that’s stupid, for the following reasons. Don’t listen to the haters. Haters going to hate. That’s what they’re going to do.
But even if they’re technically correct, you need to be able to move past that and understand that with a lot of things, it’s going to be about 90 95% correct. You need to focus on that.
Don’t worry about maybe the 5% that is somewhat confrontational.
Randy Marchany
If you were interviewing for a job with us, and you’ve brought that up in your resume, that, the 20 critical controls, that would be a big plus because that would tell me a, that you’re looking at it from a strategic standpoint.
And then, and then what, what needs to be done from a high level. And then I can ask you more detailed questions about, well, how would you do this? And drill down into the other, more specific commands to test your technical knowledge on that.
John Strand
So now we’re moving on to year two. and gentlemen, year two. I think what I tried to do with year one to year two transition, because I was very high on Nyquil when I did this whole thing.
I wanted people to move from m being consumers to being creators. You’re a consumer of knowledge, you’re a consumer of books, you’re consumer of webcasts or consumer of podcasts. At some point, you have to start that process of starting git projects.
You’ve got to start that process of creating your own podcast, your own webcast. You got to start that process of starting to create videos. No matter how basic you’ve got to start that process. Maybe learning a new coding language like Powershell.
And I don’t care where, you’re at in your career path, if you’re just getting started in your career path and you’re just getting started in Powershell and you learn something kind of cool, don’t hesitate to write a blog post about it.
Is that me?
Sierra
You hit it.
John Strand
I didn’t.
Sierra
It’s like a bell.
John Strand
Jeez. I didn’t. Oh, it just started moving on its own. it’s a great opportunity for you to start creating, start sharing, and even if it’s very, very basic little scripts and things that you’re creating, believe it or not, there’s people that are dying to try to get that information.
Somebody may be doing exactly what you’re trying to do, and if you can show them the way, that is amazing. So you have to start becoming a creator relatively early in your career path.
You may not like some of your projects when you get five, six years down the road, but you can get rid of them or you can update them. We had an intern who spent the better part of his summer redoing all of his old projects that he did to polish them up, to make sure that they were ready for job interviews.
They were ready, but he had projects that he was working on in high school that he hadn’t touched. And he’s like, this code is embarrassing. I’m going back to fix it. I’m not saying do that level of obsessive compulsiveness, but it shows that type of dedication, and that’s someone that we absolutely want working with our company, by the way, who you are.
The door is always open to say you want a job, and we’ll be happy to hire you. So, Ed, about creators, you coming up with the education system with me, there weren’t a lot of people that were creating anything at all as part of their path in education.
Ed Capizzi
No, and you’re absolutely right. No matter how lame you feel when you’re doing it, there’s going to be someone out there who goes, oh, thank you for doing that. This has been, this is a godsend.
And you look at them and you go, I don’t know whether to be really happy now or to be really sad because you thought that was good, but, I mean, and it’s something that you can’t get better at if you don’t do.
John Strand
Absolutely.
Ed Capizzi
If you look back at any of your first podcasts, any first papers that you released, you kind of laugh and you go and people watch that. Oh my God.
John Strand
I think Sierra coming in. When we start up the podcast, it’s like, all right, well, we got a webcast. She’s like, what are you doing? Well, we got a folding table and we’re just going to do that. She’s like, are we just using the microphone in your computer?
Yeah, yeah, that’s fine. It’s fine. Fine. I had like pizza stains on my shirt. Still do, probably.
Sierra
You’re always growing. We’re always growing.
John Strand
But that growing is cool, right? It’s cool sometimes to look back on it and say, that’s where we came from and where we are today and how much better.
Sierra
Well, it’s like with the blog that we have, like the testers are always feeling a little bit impostery because we realize like the giants that are in this industry.
So it’s like. But I don’t want to say something that someone’s already said better. No, because it’s. That’s not true. Like, you are, like, you’re saying something in a way that’s going to reach somebody.
Ed Capizzi
Yeah. It’s the same thing when anytime you’re teaching,
Randy Marchany
Mhm.
Ed Capizzi
The information may not be new, but, when you have someone, I, used to encourage people. It’s like, look, if the person sitting next to you can explain it in a way that makes you get it better than I can.
Knock yourself out. The point is you get the information. And the other thing that I think is critical, John, is that when you start being a creator, for good or bad, you become rapidly exposed to this thing called the public opinion.
and I think that we all have to go through that because at some point you have to be able to separate what was really good, meaningful input that might have stung.
Randy Marchany
Mhm.
Ed Capizzi
And what was just someone trying to be rock throwing.
John Strand
Yeah, trying to throw rocks.
Ed Capizzi
Thank you.
John Strand
So, Randy, I want to throw it over to you because you don’t just have students that have projects, you have team projects that a lot of people are working together.
Do you think that that creates a place for people that maybe don’t have any creative, super awesome ideas or they’re a little bit shy, they’re a little bit timid. They can kind of hook into a cool project that’s working at their university, like a Virginia tech or school of mines and Technology here in South Dakota.
It gives them a safe space to kind of get into it a, little bit gentler. What’s your take? Is that different, do you think it’s just as cool for a student to say, I worked on this project. Like our interns, I worked on the reader project.
do you look at that as kind of equal to each other or is that different? What’s your take on larger projects that involve teams?
Randy Marchany
So if you’re going to go take a job in any real world company you’re going to be put in a team. And so it’s rare that you’re going to be here, do this on your own with no other resources.
So you have to learn how to work in a team environment. and you have to understand that the skill set, of your team is going to depend, is going to be all over the place, part of it too.
When like for the classes that I teach here at Virginia Tech, I’ve got 85 students. I split them up into teams of four or, or three or four, whatever the number comes out to be.
But some, someone might be a Linux expert, someone might be a network expert, someone might be a windows expert. And you need that type of expertise, but you need somebody, somebody’s got to become a team member.
Somebody’s got to become the person who’s the team leader, and can take whatever the goals are and translate it into action.
the lone wolf person. you don’t find, a lot of those in industry anymore. they have to work as a team. The other thing I do is recommend, especially and it’s open to community college level as well as four year institutions.
We all have cyber security clubs and they’re not all restricted to students only like our cybersecurity club. We take people from outside the university that can come in and do stuff.
in fact, they meet twice a week and one day of that, Tuesdays, for instance, it’s a learning session. someone from the cybersecurity club will be teaching people how to use wireshark or how to use scapey or how to use hping three or any of these things.
John Strand
And that’s awesome because you talk about that and that’s exactly what I talked about on this slide a year ago. so for those of you that don’t know, I graduated from the University of Wyoming, talked about at the beginning of the session and Henry Rollins came out on a spoken word tour.
Brandy, I know I’ve told you the story. I think I told it to you when I was in, we were in Singapore together and I was in a band at the time and we were in Laramie, Wyoming.
And the gentleman up in the upper right hand corner, his name is Georgia Decky, and he was the manager of SST Records, which was, Henry Rollins’s record company. And God, only knows why he was in Laramie, Wyoming.
He was writing a book, western. And Henry Rollins got a chance to talk with him, and he was talking about the music scene in Laramie. And I’m like. He’s like, so how’s the music scene in Laramie?
And, I said, it’s horrible. the scene here is horrible. It’s just an awful scene. And his response was basically, with explicitives built in. He was like, make your own effing scene.
And you talk about this, and if.
Sierra
There’S no scene, there’s space for scene.
John Strand
Space for scene, right? And, his whole thing of, get on the bus, get out there, do it, get out there, fail. Have people throw beer bottles at you. Suck horribly, but just keep doing it.
it goes back to Randy. You talk about that brown bag session where you’re going to have someone that gets up and talks about wireshark.
Randy Marchany
Yeah.
John Strand
It may not seem like you’re making a scene, but it is. You are making a scene. You’re becoming that touchstone you’re presenting, and you just got to get out and you got to do it. If you’re waiting for someone to come and hand you stuff, like, there’s a whole group of people on Twitter.
They’re like, I’m a genius, and no one’s hiring me, and I’m so brilliant. Nah, you suck in some way. Go fix it and, go make your own scene.
Randy Marchany
Dare to suck.
John Strand
Yeah, dare to suck and embrace the suck, right?
Randy Marchany
That’s what I said. I mean, every class I’ve ever taught, whether it’s sans or a tech, I’ve never taught a class where I didn’t come back with a page and a half full of notes about how somebody did something different.
John Strand
And that’s cool. That’s what we. That’s why we do it, because it makes us better. I think you told me. I think I was. It was like the second year I was teaching with sans. I was with you, and you’re like, you were so blunt, but you said right now you suck at teaching.
And I felt like I was on the beat. I had good scores and eval scores, and I’m like this guy, that sans instructor number two, right? It’s just blunt. And he’s like, you suck and I’m like, I think I just do it.
I got defensive, and I think I’ve been doing pretty good. He goes, you’re going to move forward. Ten years from now, you’re going to look back at how you were teaching and what you did, and you’re going to realize just how horribly prepared you were in that long run.
And that long view is something, I think, that was important. and I just continued to suck for a long time until I finally got better at it. another story year. two next generation, slide that I added in.
The other thing I didn’t talk about in the last webcast was part of the reason there was a huge inflection point for me. Even before I started teaching for sans, I was, watching american, idol, and my daughter was there, and, she was trying to get my attention.
She was very, very, very small and trying to get my attention as my daughter does. And I, was watching, I don’t know, Justin Guarini or someone dance and saying, and I’m watching tv.
And I noticed that my daughter made it, like, all the way across the room and she had walked. And I just got the opportunity to see Lauren fall at the end of the room. And I realized I missed my daughter’s first steps because I was watching television.
And I realized I was failing as a father, I was failing as a husband, I was failing as a human being because I was replacing things that are real with this crap on television.
And it fundamentally changed me. And that’s whenever I started sinking in. I got Sansa Cissp and started learning and breaking active directory and started this whole path of doing pen testing back in 2001, 2002 timeframe.
It was a fundamental change and a shift for me to start switching away from those things and that failure and realizing that I was failing was huge. Now, I took the television, I’m not joking.
We actually had a television on a card. We could wheel the television around, bring it out of the closet, set it up, and I took the television and I threw it away in the front of our house, in front of our driveway.
And Erica, my wife, came home and she’s like, why is the tv out, in the driveway? I’m like, I threw it away. Just, like, poltergeist just threw it out. And I was done with it. And that point, for the next six months, I was able to sink into computer security, and it became everything to me.
it was what I was reading in my spare time. I was working on things constantly. I was building virtual machines and real Linux systems and breaking stuff. And it was annoying. But I created a void in my life and I filled it with something else and that was huge.
Now I don’t want to be that ass that’s always like, so I don’t have a tv and it frees me from the shackles of consumerist capitalist society. And it makes me an infinitely better person than you because I got to be honest, Game of Thrones is awesome.
what’s the other show? Westworld is great. I just got done watching, Iron Fist season two, which is infinitely better than Iron Fist season one. But one of the things I recommend to people, I used to just say, shut it off.
Shut off video games, shut off absolutely everything. But now I kind of move to go through phases. Go through a month where you disconnect and you just focus in on something and then come out.
And then the next month, go ahead and watch things, right? Create those spaces, but create long stretches. Don’t ever be like, well, today, between the hours of seven and nine, I’m going to study security. Then from nine to ten, I’m going to watch.
Don’t do that. create a month. So if you notice, I haven’t been doing a whole lot on Twitter lately. I, have been really sinking into right here.
I’ve been sinking into blockchain. I’ve been sinking into cryptocurrencies and blockchain at the behest and kind, recommendations of Bo Bullock, daft hack on Twitter.
And you, stay ready. Mike, felch on Twitter, they’ve been doing a lot with this and they kind of turned me around. I was like, blockchain is crap. It’s a whole. It’s a buzzword.
It’s on our buzzword board, but basically like, no, there’s something there. And I’ve decided to sink into it because if somebody like Bo or Mike comes up to you and says, no, there’s something there, you’re not like, well, they’re idiots, right?
M so I’m sinking myself into it. And if you watch my Twitter stats, it’s like, whoop, bam. And it just kind of dropped off. So I’m setting up these times where I can just do something technical and then I can come out of it, and then I can do something technical and I can come out of it.
But that may be different. So, Ed, what do you do to try to keep up with things in security? Is it just like slow and steady? Or do you set like these de punctuate articulum points where you just kind of grow your career as fast as you can.
How is it working for you?
Ed Capizzi
mostly fits and starts. You end up having these incredible periods where you realize, oh my God, I’m lame, I can’t do this anymore.
And you dig in real hard and you get yourself back up to a level where your work is good. You feel connected to the rest of, the infosec community. I can actually listen to a John Strand podcast and understand most of the words.
and then you get distracted by making a living. You get distracted by earning a living, spending time with your family. Yep. And then sleeping.
Yeah. You wake up, fill in the blank months or years later and realize, oh my God, it’s that time again. And so I tend to go, kind of in the business cycles, there’s a trough.
You bust ass to get back up to the top and get at the top of your game. And then you get busy playing the game only to realize it’s time to start getting back at the top of the game.
John Strand
Yeah. I wanted to move on to year three. We’re kind of running a little bit behind year, three. It’s the year of web apps. Learn a web development language. And, Randy, I’d like to get your take.
I think that learning Python, learning Ruby, learning c, c sharp, I think that is all fundamental, but the way the world is today is it’s all interconnected. Web technologies, APIs, Android apps, iOS apps.
If you’re going to be a viable candidate for a job in the next 1015 years, you’re going to have to know some web development, just to be able to talk the talk. And information security.
If you’re an auditor, you’ve got to be able to talk asp.net to be able to talk about what problems were found and how the solutions actually work. Communicating effectively from like OwasP and their recommendations.
I think you have to learn a web language. Do you guys agree or not? This just seems like it’s really important.
Randy Marchany
These days for an auditor. I don’t think you have to, I don’t think you have to learn it at that detail, but from a blue team type person, most definitely you want to have somebody who’s got some sort of web app skills, to do any of that type of stuff.
Same thing with database. I mean, you need somebody who knows, Oracle, mysql or whatever. you want to have those type of specialists, involved.
cyber defense is, I mean, your industry, where you guys are with black hills, you’re in a very niche, specialized, skill area in terms of what the overall corporate world looks for.
I need people with your skills, from, from that. Everybody at Black Hills has, but I’m not going to use them to attack other sites or do pen tests, even on myself.
I’m going to hire you to defend my organization. And so, learning how to take, I mean, you have to learn offensive skills before you can become a defensive specialist.
And I think that’s what you’re saying here, is you have to learn some of these languages, you have to learn some of these tools, you have to learn how to break into something. And then I’m going to flip it on you as if you come work for us.
And I say, okay, you have to defend a, network that’s wide open, doesn’t have a border firewall, has 55,000 host based firewalls, and has to. And the business model is we have to be able to go anywhere on the net, start.
John Strand
And you don’t want to hit that, like, deer in the headlights moment where you’re basically like, I have no idea what Randy just said. I wrote down a bunch of words, I need to go look those words up. you want to be able to hit the ground running.
And that’s why, year four, you started talking about the slide, too. year four, start trying to hack stuff. And there’s people that disagree with me. Like, they’re like, start right away. Whatever, however you want to approach it is fine.
It doesn’t bother me. But I think that at some point in your career, develop the technical skills where you can start taking things apart and learn. Ida, learn immunity, debugger, pick a protocol, any protocol, read the rfcs for that protocol, dissect that protocol and wireshark.
Understand how that thing works from tip to tail. Not necessarily, because that protocol is going to be key to your entire career, but, dang, just getting started to learn how to approach a protocol and to take it apart and have those skills, to do that again for another protocol is going to be huge.
And there’s lots of online challenges and stuff. And if you notice, I haven’t talked about metasploit much. I think metasploit is always there. Right? I don’t think metasploit is something that you spend the first two years learning.
I think that by this point in your five year plan, those metasploit modules make sense, like, how the exploit works, how do you set up different, memory locations for different language packs?
What are those memory locations for? Bypassing or at least checking data execution prevention. What do those actually mean? Where are they? I think that you’re going to be at a point where you can start approaching that type of hacking framework with a much better understanding and respect than you would be if you’re just running the exact same exploits again and again and again.
Randy Marchany
And also, one of the things that you, I would encourage everybody to read is, Aleph one’s paper on buffer overflow.
that exploits that came out in 96, that was a seminal paper for basically all the buffer overflow attacks that have happened since then.
And so it’s a great, great paper to read.
John Strand
And I had a student, Randy, that said, well, that paper’s old. Buffer overflows are dead. Heap overflows are where it’s at. Okay? But the concept of overflowing a buffer, the concept that are covered in that paper on how memory management works and how things are moved around with different functions and, string copy functions and, null terminator strings and things like that, those things are still there.
The core of your operating system is still the same. And the core problem of a buffer or a variable in memory that accepts more data than it should is a fundamental problem that’s not just associated with buffers, but can also transcend into the heap as well.
I agree. I think that that’s a great place to start, right? I mean, you’re going to say, well, we’re going to find lots of buffer overflows. Yes, buffer overflows absolutely still happen. We still see developers using get sick in c.
That still happens as a thing. Now, they may have goatees and really, really amazing mustaches, but they’re still making the same mistakes that were done back in the eighties. So I agree.
Randy Marchany
Yeah. Every single attack that we’ve seen in the last ten years, the DDoS attacks. Oh, ddos. Look at mixters. Paper from the early nineties, any type of buffer overflow.
Oh, you got sequel, injection. Look at those papers from the early two thousands.
John Strand
Learn that history.
Randy Marchany
Learn that history because those attacks are still being used. Why are they still being used? Because we still haven’t fixed them well.
John Strand
And they show up again and again, like, you remember iis, directory traversal, where you could basically do your directory traversal attack, and then you switched it to Unicode and it worked again.
That exact same technique was used by Ed SCOTUS and Tom Liston for the virtual machine escapes. They basically encoded their commands in a way that the hypervisor couldn’t understand and it allowed it through because it didn’t recognize it.
Granted, that’s an old school attack, but knowing how that attack works will give you that idea of how things break. You’re going to find those limitations.
also you’re for next generation. Start digging into the mitre, ATT and Ck techniques matrix. Dig deep. Every single one of the techniques up here. If you click on it, it gives you detailed information on how that attack actually looks and the different commands that you can do to exercise that.
Now you’re going to start working with these different attacks and you’re going to come up with ways to automate, you’re going to come up with ways to obfuscate. Now you’re starting to look at the attacker methodology. And this is all from the perspective of exercising and making blue team better.
And then finally, the sans pentest poster. A great place to start for cyber ranges on the right hand side. And where it’s orange, these are all websites and virtual machines that you can play with.
And then year five, short and easy. Want to get this thing done on time, present anywhere and everywhere. Randy had mentioned earlier, get out for brown bag sessions where people are just talking computer security topics, present on something that you just learned.
tcp dump filters, wireshark filters, it doesn’t matter. Get out there. And all of these cons, like if you’re talking Derbycon, Wild West Hack and Fest, we have our fireside, chats, we have all of these different things for new speakers.
And Shmoocon and Defcon have those as well. So take advantage of those and get out there. And in closing, I’ve got kind of a breakdown of things that you should do and you should not do, and you can ignore everything on this list.
We’re really, really running low on time. I think we have time for a couple of questions here, or do we want to shut it down?
Sierra
you guys had so many questions, so many things. I guess one question that I kind of saw a few times was, is this just for students? And I want to reiterate that this is not like a, this is not just how to go from high school to being a pen tester.
It’s also how to maybe switch career tracks. Maybe you want to go from being a blue team to the red team or you just want to get into this industry a little bit more and understand that.
Is that right?
John Strand
Absolutely. I think that that was our mistake, the way we set it up. Our first webcast, it was couched towards high schoolers and college students.
Sierra
Interns.
John Strand
Interns. Right. And then all of a sudden, we had all these people that were in the industry, and they’re like, look, I’ve been in security for five years, and I feel like I’m treading water and I’m sinking, and I don’t know how to make my career progress.
We realized this was applicable for professionals as well.
Sierra
Yeah.
John Strand
So I want to say thank you to Ed and Randy for coming onto the webcast, and people that had an amazing impact on my career and my trajectory. I hope they helped you as well. Thank you so much, and we’ll see you at the next webcast.
Sierra
You said something breathtaking. They wanted you to say it again as a quote.
John Strand
Good security is nothing more than an inspired application of the fundamentals.