This webcast was originally published on August 14, 2017.
In this video, the speaker discusses their journey and insights into the field of computer security, emphasizing the importance of foundational knowledge and hands-on experience. They detail their career progression, from initial roles in technical support to specialized positions in security, highlighting key learning moments and decisions. Additionally, the speaker offers advice for aspiring security professionals on education, skill development, and the value of certifications in the industry.
- The speaker emphasizes the importance of foundational knowledge in computer security before moving on to advanced tools and exploits.
- The webinar highlights the value of practical experience and the opportunity to learn from mistakes in a secure environment.
- The importance of scripting and programming in security careers is underscored, with Python and Bash being recommended as essential skills.
Transcript
John
I’m sorry. I sound like a smoker. Everybody, as we were discussing earlier, I’m fighting a really bad cold, and technically, I shouldn’t be here, but I’m here to infect all of you with knowledge.
Okay, that sounds really, really cheesy. People think you’re creepy. You wonder why social engineering fails. So I want to give a little bit of my background, just so people know. Some people that have been through SANS classes know this; it’s just to kind of give you an idea.
So I went to the University of Wyoming for a degree in political science, specifically in political theory and international relations. And notice that has absolutely nothing whatsoever to do with computer security at all.
But I did work with Associated Student Technical Services, technical support or whatever, shortened to ASTEC. And we did sound engineering, and I also did some stuff with computers there, and that was kind of fun.
And then I switched over to Accenture, and I got started doing help desk, actually, at Accenture. And eventually they found out that I could do security stuff.
I moved into some basic security, and, wow, I’m really, like, glossing over this quickly. And then I moved to Northrop Grumman because I’d been doing security for a while. I’d gotten some SANS certifications, and I’ll talk about Accenture here in just a couple of moments and why that was so important.
But whenever I moved over to Northrop Grumman, that’s where a lot of things tended to, take off, because I started working on classified programs, which sounds a lot cooler than it actually was. It was just basically cube farms that were a bit dirtier.
And, a lot of the stuff that I worked on, I spent most of my time working on it, wondering, why is this classified again? but that was neat. It was a good experience working on really, really high pressure cases.
Then I became a SANS instructor. And then shortly after becoming a SANS instructor, I basically started, or as it says there, joined Black Hills Information Security. And that’s basically how I got to where I am now.
Everything I’m going to talk about here over the next, roughly hour or so is going to talk about if I could go back and do it all again, if I could just basically go back, start from scratch, do the entire thing all over, how exactly would I do it differently, to try to do better and be better at my craft.
And this webcast is specifically designed for students that are in college, for interns that are interested in computer security. This webcast originally started out as something for two interns. Black Hills Power and Light are the people that produce my power, and our power here in the Black Hills, see how that works out.
The thing is what it’s named, and they had some interns that kind of wanted to have a background in security. And we opened this up to the general community, and it turned out to be a very well attended and kind of set-up webcast.
So if you’re like, wow, this really seems like I’ve been doing this for four years and I already know all this stuff. Remember, this webcast wasn’t exactly set up for you in that situation. It’s just basically covering some of the fundamentals that we consider to be important, getting started in computer security as a whole.
So what absolutely kickstarted everything off for me was the world’s largest class action lawsuit. It was Cobell versus Department of Interior. And it all got kicked off because the United States government had a bunch of Native American lands that they were basically handling the mineral royalties for oil and gas and coal, and they were responsible for handling that appropriately, and they didn’t do a very good job of it.
And this wasn’t just like a year or two, like we’re talking 100 plus years. So Cobell, who was basically representing the tribes, filed a lawsuit, a class action lawsuit, and the judge initially in that case, Judge Lamberth, hired a penetration testing firm to break into the Department of Interior to see how unsecured the networks were for Indian funds.
And the answer to that question was not very secure at all. And Department of Interior scrambled, and they tried to stand up a security team very quickly. And I had some slight background in computer security.
And Ed Mundo, who I actually started working for initially, interviewed me, hired me onto his team, and I basically got a chance to work in a full domain environment, and not a small one, but a very, very large domain environment with lots of web applications, lots of, you had Exchange servers, Active Directory, you had it all set up and ready to rock and roll, and then all Internet activity got shut down.
And they also, basically shut down all of the apps. So effectively no work could be done for something like nine months to a year. And I was able to do whatever I wanted, to that network during that time.
so I was able to run scans, I was able to crash servers, I was able to try all the wonderful things that any person would ever want to do in a network with little to no fear at all of any type of blowback for two reasons.
One, the network wasn’t really being used because the judge had shut everything down. And number two, the administrators who were there to keep the thing running with Accenture, if I brought something down, it wasn’t like they were busy, so they could simply put these things back up.
So this network became whack-a-mole for me. So, like, Greg Carlson was my manager at Accenture. Brilliant. Mark Brunig, I learned a tremendous amount from him as well.
Steve, I had an amazing network of people that were extremely patient with me and they had a tremendous amount of time to teach me their art and their craft and operating systems and what they were doing and kind of clean up my mess.
I must have been like a toddler running around leaving poop on the floor. And these guys really, really handled it quite well, walking around, picking up my messes that I made. So when the network was put back on, I had a tremendous amount of experience in doing vulnerability assessments, exploitation, crashing systems.
I learned a lot of lessons about networking systems administrators because I was able to bring things down and try to bring these things back up again. And I also know that a lot of people don’t get that type of opportunity.
I talked to a lot of people that accelerated their career and there’s always some place where they were able to work with somebody and they were able to work in an environment that really allowed them to grow and make mistakes and they didn’t beat them up.
And having that lack of a culture of fear is what made me excel a lot faster. So that’s kind of what kick-started it all for me. So if I was going to say year one, and granted I’m going to talk about this at the end, some people will be like, well, I think this should be on year two, or maybe that should be year three, I don’t care.
It’s just this is how I would have done it if I could have done it all over again. Your core concepts should be Windows, Linux, networking and Python. That is how you should start out.
Don’t jump into Metasploit, don’t jump into exploits. And I know that you’re going to do that anyway. You’re still going to follow security on Twitter, you’re still going to try the new hot tool.
But your main goal should be trying to understand Windows at a very deep level. Your main goal should be trying to install everything that you can on Linux.
Your main goal should be understanding, switching and routing and how packets actually work. And you should be working constantly with Python to try to become proficient at least in one coding language.
And Python is without question the absolute best starting coding language there is out there. And I know there’s people that are going to say Ruby or Perl and those people are wrong and old respectively.
Python is a very easy language to work with. It’s a very structured language. There’s lots of people that know how to use it. It tends to make sense for people that are getting started, and it’s also wicked powerful, and you can also use it to create malware later on in your career, but we’ll talk about that more a little bit later.
I also recommend that you start looking at security standards, the Center for Internet Security, the NIST 800 documents. Most of this is absolutely worthless, just so you know. I used to follow the Center for Internet Security and I used to follow what NIST was doing very, very, very closely.
And NIST has gotten a little bit better lately. But by and large, a lot of the documents and standards and the hardening guides, really have little to no impact whatsoever in actually stopping real attacks.
But what it’s going to do is it is going to at least get you exposed to some of the underpinnings of what is in an operating system. It’s going to get you exposed to some of the major concepts like two factor authentication in computer security, and it’s going to get you a better understanding as far as what’s under the hood.
So a lot of what I learned about Microsoft Windows, or what I learned about Linux, I actually started with the Center for Internet Security scoring guides, and we were scoring operating systems and we were going through and trying to create scripts to try to lock down those operating systems.
Now, as I said, a lot of this is worthless from the perspective of actually trying to stop an attacker, but it was invaluable for me to have a better understanding as far as how the core underpinnings of the operating systems worked and some of the key security features. Well, it will be worthless for you to stop an attacker.
It’s going to be invaluable for you to learn. So start using these guides and this guidance as a way to understand what the core concepts are and what it is you kind of need to know.
Also, people are going to ask questions, it’s weird, but you are not going to be very effective at your job if you don’t understand these documents. And once again, that’s not because these documents are really useful if we’re trying to stop attackers.
But whenever you’re talking certification and accreditation, you’re talking about compliance. You’ve got to be able to talk that talk to be effective at your job. You just can’t be a straight propeller head all times and breaking things constantly.
You need to understand these compliance documents in order to communicate effectively, especially with compliance people. So yes, this is part of that core understanding of what you need in your security career.
So you will need to understand these things, but don’t expect them to give you some type of gold understanding of how to attack systems or defend systems. It’s kind of like a Lego in and of itself is kind of worthless.
It isn’t until that Lego is stacked with other things that it actually provides value and has meaning and it actually is something that you can understand. So these are Legos to start out. They’re not end goals in and of themselves.
So how do we get started? Well, with Windows it’s pretty easy. A lot of people are afraid to get started in Windows because they have this fear that Microsoft Windows is so expensive.
How are you ever going to set up a lab? And the fact of the matter is Microsoft has made it very, very, very easy for people to get started with a variety of Microsoft technologies.
You can go to the TechNet Evaluation Center, you can download a variety of different versions of their operating systems from Windows 10 all the way up to server implementations. And you can start installing software like Exchange.
You can start installing software like Active Directory. Now there’s definitely a time limit associated with it, but that’s okay. The worst case is you’re going to build the entire thing and then when your time limit’s up you have to blow it all away and start over.
And that’s not bad. That’s not a bad thing at all. This is going to be painful. Some things are very easy to install in Microsoft, like Active Directory. Some things are very, very difficult, like SCCM for configuration management on Windows computer systems.
But they’re going to be important lessons for you to learn how these things actually do in fact work. So you’re going to build what I would recommend as a core of Active Directory, build a domain controller, build Exchange, build a bunch of Windows workstations that can actually tie into this Active Directory infrastructure, possibly stand up SharePoint and maybe move into creating an Outlook Web Access portal as well.
These are the things that you’re going to constantly be defending, and these are also going to be the things that you’re constantly going to be attacking as a security professional. As I said, Microsoft is great because it actually makes it very easy for you and cheap to learn these things.
There are amazing people in the Microsoft community that are willing to share their amazing knowledge with people that are getting started in IT security. So start watching those forums, ask these people questions.
But I’m going to warn you, while these people are brilliant at what they do, once again, they don’t understand security. They understand how these different tools work, how these different services work. And to be fair, that is a huge amount of computer security understanding.
But they’re missing huge chunks of understanding the attack methodologies and the underpinnings of what the attacks actually look like and what they actually go after as well. So learn from them.
But at no point should you absolutely trust anybody, and that includes me too. I have a very slanted view of computer security, and jaded. And it definitely gives me a particular color to my worldview.
And it doesn’t mean that you should listen to me. Understand anybody is going to be approaching you with their specific colored worldview, and you need to take it for what it’s worth. It doesn’t mean that you disregard anything anybody says.
But honestly, you have to listen to what people say, keep what makes sense, and discard what doesn’t make sense, because this changes fast enough. You don’t want to get into any type of religious adherence to anything at all, because it’s just, it.
Networking is huge. I really can’t stress enough how many university students come out of college with little to no networking understanding at all.
They may understand an operating system, how to install it a little bit. They may understand how to do some coding and actually writing an application. But the fact of the matter is, they don’t understand how packets get from point A to point B.
And there’s a lot of people out there that will say, you honestly don’t need to know how networking works. Those people are not your friends. Those people are wrong. You have to understand how networking works, because in the world of computer security, this ecosystem of switches and routers, these things are also vulnerable, and these things can be attacked.
And there are amazing, beautiful, elegant attacks out there. If you understand the core of networking and how things like ARP work, how things like link-local multicast network requests, LLMNR, work. Understanding things like WPAD will make no sense to you if you do not understand networking, and DNS and packets and things like that.
So there are some things available to you. There are some networking simulators. Now, this link, this Brian Linkletter website, is fantastic. You all need to go there right now. By the way, find Brian Linkletter on Twitter and tell him thank you.
Sierra
Oh, the BHIS hug of death.
John
We’re on our way. Yeah, it’s the BHIS squirrely hug of death. As his server goes down, so many people accessing it. Now, if you guys let me know if we do bring his website down just by visiting it, let me know. But go on Twitter and say thank you for the work that he’s done here.
And you have amazing simulators that are all free. So use those and kind of understand the networking and how these things come across. But there is a difference between how a simulated network actually functions and how a real network functions.
I can’t describe exactly what problems you’re going to run into, but simulators are very well controlled environments. And once you get real gear, that is pretty fundamentally different.
There’s a bunch of old Cisco gear on eBay. I would say, as a rule, if you could find any Cisco gear for like $10, buy it, the old 2500s and 2600 series.
And I know that that seems goofy, but these things are awesome. And just simply firing them up and getting them to do what they’re supposed to do and wiping the config out, resetting the passwords. You’re going to learn so much, and it’s such a beautiful experience.
I used to hate this whenever I would work with some old decrepit gear and it wouldn’t work. But years later, I realized that that’s what actually made me good at some things, was the amount of fighting that I did trying to get this gear up and running effectively.
Getting the configuration, like not knowing what the password is. How do I actually bypass the screen with the host system with a terminal connection, a serial port connection, to get access to it so I can reset the password?
These are simple things that are actually really hard things to do. And some of this gear is cheap, and Cisco is one of the big ones. Juniper, you see a lot too. And yes, I understand that Cisco IOS is changing.
Yes, I understand that there are GUIs and things, but by going through the command line and learning how to do it from the command line, you’re going to learn a lot. And then MikroTiks are stupid, stupid cheap, and they’re incredibly powerful.
Let me show you real quick. I’m going to actually blow up the slide a little bit here. So we’re going to take this image, we’re going to do this and make it bigger and we’re going to pull it to the front, because that guy’s some kind of ninja with PowerPoint.
It’s like he spent two. All right, so I love MikroTik. RouterOS is awesome. I think they call it Winbox too.
But it has the ability for doing bridging, PPP. You can set up mesh networks, deal with IP configurations all the way down to setting subnet masks however you want them to be.
Routing system information. You can actually open up and do full packet capture off the device, get terminal access to the router itself. It’s just awesome. I have not seen anything for the price point of like $60, $70.
Now granted, just so you know, it may not be the most stable piece of equipment you have ever seen. But it has everything and it all works. It is really, really, really cool.
I actually got a couple of these running at my house, for doing kind of quality of service management because I don’t want my kids to watch movies and it completely destroys my ability to actually work and do things that matter.
So check them out, they’re dirt cheap. But start with the free simulators and then move forward with real hardware. Also install everything from scratch on Linux.
There are tons of websites out there. And you just simply Google learn. I said learn. Learn Linux online, and you’re going to come up with about 15 sites immediately.
They’re going to give you step by step instructions on how to learn Linux and how the operating system itself actually works.
Sierra
John sounds like the Emperor from Star Wars.
John
Yes.
Sierra
Yes he does.
John
Good.
Sierra
We had to, somebody asked me, why didn’t you post on this? We had to do it today. And I’m sorry I’m such a slave driver.
John
She is. Send help.
Sierra
But yeah, you’re doing great.
John
Thanks. And by the way, if people are worried about me for this, I’ve actually taught six days like this. So an hour or two, nothing, nothing. So to be a bit more specific, the big thing that I’d like you guys to get into is Bash scripting.
There are other shells. You’ve got zsh, you’ve got ash, you’ve got ksh, the Korn shell, you’ve got Bourne. Of course, Bash is the Bourne-again shell. That’s the joke. Bourne, Korn and Bourne again.
But anybody that tries to put you down any of those other paths to start out with is not your friend. Bash is really the only one that matters. They’re doing a huge disservice. You don’t want to hang out with them at parties, you just want to stay away from them.
Start with Bash. Now, after you have mastered Bash, if you feel so inclined to go to zsh or ash or Korn, go for it, that’s fine, have at it.
But if you actually want to learn something that’s applicable and will be transferable to other people so that they understand what it is that you’re doing and it’s useful to other people, you’re going to have to learn Bash.
So Bash is without question my favorite shell scripting language. And these are three books that just happened to be in order on Amazon that I thought were really, really good. But shell programming and Bash scripting is probably the gentlest introduction to computer programming there is.
And more importantly, it’s actually directly applicable. So if you know how to do Bash scripting, if you know how to create little scripts, if you’re like doing the same thing every day and you write a script to automate that process, well, that’s just fantastic.
That is just fantastic for you, to improve your career. Because seriously, we’re getting into a future, and I don’t want to sound like one of those people that’s looking into a glass ball and says, hey, I’m a thought leader, because I hate that.
But if I’m looking forward into the future for my children, okay, if I look forward, there’s going to be people that know how to use computers. There’s going to be people that know how to manage computers, and then there’s going to be people that know how to make computers do their bidding.
The people that know how to make computers do their bidding are not going to starve. Okay, so I’ll talk about Python here in a little bit, my son. But yeah, learning the Bash command line and learning how to script in Bash is a great way to get started.
Learning Python online, Codecademy, really, the people behind this, they’ve earned all the beer, root beer and otherwise, in the entire universe.
We did this with our high school program, which we do need to start up at some point. They have amazing tools for learning a variety of different languages, but they have full Python available and it is without question the best kind of getting-started, training-wheels Python learning program I have ever seen. Now the best training class is Mark Baggett’s Python class at SANS. But I even recommend, if people are going to take that class, that they actually start with Codecademy first to get them started to the point where they can get the most out of something like 573 from Joff Thyer or Mark Baggett or Mike Murr. And also with my kids, you run into discipline things.
And I know disciplining kids is somewhat difficult. Trust me, I get that. I know where my children are right now. But I’m moving to kind of a discipline thing with phones.
The kids will lose their cell phones, which apparently in this day and age is a horrible thing to do to a child. And they’ll lose their streaks for whatever it is they’re doing, like Snapchat or whatever. And what you can do is say, I want you to pass two lessons on Python Codecademy for you to get your phone back.
So instead of grounding your children and saying, hey, you can’t use your phone for a week. So yeah, you can get your phone back, but I want you to earn it. And this is a great way to earn it. And that’s kind of what we’re doing.
And if you’re a college student, I mean, come on, you have to learn a language. Now, your professors are going to try to get you to learn COBOL or Fortran or some ancient language. For that I apologize, but this is going to be a language that you can use and you can carry forward in the future for the rest of your career.
And honestly, to become proficient as a developer, I think a lot of times people forget, to be truly proficient in the world of development, like a crack coder, you have to oftentimes know Python, you have to know C, you have to know something else, like Ruby. And it’s very common for developers to actually know like four or five languages. And Python is a great starting language to kick off with.
So moving on to year two, it’s time for you guys to start projects. Some of you may want to start a project right away in year one. That’s great. Do so. There’s absolutely nothing that is going to hold you back.
And you shouldn’t say, well, John Strand said I should wait until year two. If you have an idea, I want you to start it immediately. But you really should start something, even if you think it’s stupid.
Like, you’re basically like, well, I want to do a little project that, anytime I type into my computer Sasquatch, it replaces it with Wookiee.
That’s awesome. That’s a cool project, the Wookiee Sasquatch replacement project. Okay, that sounds stupid, but that’s beautiful, right?
Because the things that you’re going to learn in that stupid little project are going to be applicable to almost anything that you’re going to do moving forward, like regular expression pattern matching and doing string replacement.
And that may be a dumb project, but that is going to be a life skill that you’re going to take with you forever. So that’s awesome. I also recommend that you start a security group at this point, at work, at school. Start learning PowerShell.
I would recommend that. It’s going to take a while, but PowerShell is going to be key. The same thing as Bash scripting, but PowerShell scripting is the analogous Windows thing. Now, I had you start on Bash scripting.
The reason why I had you start on Bash scripting is it’s a lot more gentle introduction to learning scripting. When you couple Bash with PowerShell, excuse me, when we couple Bash with Python, learning syntax and classes and all of these different things is going to prepare you for PowerShell.
The point is, PowerShell is a little bit steeper of a learning curve than, like, Python or Bash. So by learning Bash and Python, it’s going to help get you set up for actually learning PowerShell.
Also, keep up on security news. I know that a lot of you, once again, if you’re at this webcast, when they come out with a new exploit or they talk about something on Twitter, you’re going to rush to play with it, and that’s great.
Don’t be afraid to play with those things all the way through. But in all honesty, you shouldn’t let that kind of consume your life. It should be merely a kind of passing fancy.
You look at it, you’re like, oh, EternalBlue. Okay, I’m moving on. But you shouldn’t dig too deep into it, because if you don’t understand the stuff, especially in year one and year two, a lot of those ideas are going to be lost upon you.
You won’t know exactly what the different exploits and everything work. So we got some questions.
Sierra
Are there any good resources for PowerShell, like Codecademy?
John
I don’t think Codecademy has a PowerShell module yet. But honestly, the book PowerShell Unleashed, by Tyson Kopczynski. No, I butchered his name.
There’s some good stuff there. Also, here, we’ll just take you guys to it.
Sierra
Also, we did give Brian Linkletter the BHIS hug of death.
John
You’re kidding. We did. Inside one of the link totes. Did we tweet him to say hey, thank you?
Sierra
No, but there’s two and I’m assuming it’s the one. Did you guys add him?
John
Yeah, if somebody could let us know what his Twitter is and follow him on Twitter as well, that would be awesome. And let me think here. I was going to show you guys the Command Line Kung Fu blog.
Can’t type.
Sierra
Can’t type.
John
Can’t type. Confun.
Sierra
It’s a rough day.
John
All right, so here we go. So this is a great website, and it looks like they haven’t done anything since 2014, but it’s actually very, very, very useful. So you should go through and do absolutely everything in here.
So what they do with the Command Line Kung Fu blog is they set up all these different requests. And then Hal Pomeranz did it in Bash, Ed Skoudis used to do it in the Windows command line and Tim Medin did it in PowerShell.
So what you can see is what does something look like in the command prompt on Windows and what does it look like in Bash and what does it look like in PowerShell? So this is blog.commandlinekungfu.com, and it is probably one of the best places to get started with kind of learning PowerShell.
Sierra
Also, a lot of you had good suggestions for other places you’ve learned PowerShell, and I’ve been trying to, like, reply to all. So make sure that you’re paying attention to the chat with everybody’s answers.
John
So there’s a bunch there. I predominantly learned from Tyson’s book and the Command Line Kung Fu blog as well. I’m unfortunately actually trying to make other people’s scripts work, but that’s another long story I don’t want to get into.
All right, let’s move on. Talk a little bit about Henry Rollins. I had mentioned starting your own security group, and I know that a lot of people are like, well, there’s no security groups in my area.
I live in Rapid City, South Dakota.
Sierra
We don’t have electricity.
John
We don’t have electricity, or Montana, or I don’t care where you live. Right? Don’t. Just don’t. Okay, so years and years and years ago I was going to the University of Wyoming, and I mentioned that I worked at ASTEC doing technical things, and part of that was sound engineering.
And the guy in the upper right hand corner, his name is Joe Gorzdecki, I think was his name. He had a coffee shop downtown called the Provisional Cafe.
He had actually moved to Wyoming specifically because he had wanted to write a western novel, and he wanted to get a feel for what the West actually felt like.
And Joe was one of those, is probably still one of those guys that’s very visceral. It’s not enough just to, like, read something. He had to be there. He had to be part of it.
And he was one of the people that helped run SST Records, which, if you know punk rock history, is kind of where Black Flag was under. So Joe and Henry Rollins were really good friends, and Joe had somehow worked out, I don’t know the details, to get Henry Rollins into the University of Wyoming as part of a spoken word tour.
Right. So he showed up, and it was awesome. It was a great night. It was a great experience. And I actually got to meet Henry Rollins briefly. And mind you, this is now approaching probably 18 to 20 years ago, right?
And, I talked to Henry Rollins, and he was very, very cool, kind of an intense dude. And, he was like, so, what do you do? And I’m like, well, I go to the university here. I do sound engineering, got my own band.
and he goes, how’s the band going? And I said, well, it sucks. Here at the university of Wyoming, there’s just no scene. And he kind of said, f you, man, you got to create your own scene. You just can’t expect people to create a scene for you.
And, that kind of resonated. Right? And I kind of carried forward in computer security, and whenever we get in trouble for it, like, we’re kind of in trouble for it today. Sierra and I, we’re constantly kind of creating our own little scene and trying to do that.
And there’s all these people that are creating their own scene in computer security, and they aren’t in massive areas. Like, look at all the people that are doing BSides conferences. I just did one in Cleveland. It was an awesome experience.
Go to Augusta, Georgia, which is not a huge metropolis by any stretch of the imagination, but Augusta is crushing it. They got great security talent out there. So all these places create their own scene.
And for you, somebody that’s just getting started, you get to year two. Don’t expect people to create a scene for you. No one. No one. It’s no one’s job to do that for you at all.
Sierra
Well, the other thing I was just gonna say is, like, people sometimes act like there’s like this pie of scene. And if someone has the scene, then there’s no more scene left to be gotten.
John
There’s another wrong, right, wrong.
Sierra
There’s like, just go shovel it up like it’s out there waiting for you. One portion of it that someone’s already gotten.
John
So I guess that kind of goes here a little bit too. People can always find excuses, right? There’s not a scene or somebody’s already created the scene, or this little group of people over here, they’re going to be mean and they’re going to pick on me.
Screw them. Most likely not. Most people in security are awesome and they’re going to want to come play, and you shouldn’t let anyone try to take your scene from you. So this was kind of one of those things that was very much heavy on me whenever I was in college, especially whenever I got started in computer security and started doing things at Northrop Grumman and Accenture, trying to do as much good as I can with computer security and getting that started up in my own little place.
And there are small things, but they are things. And you learn a lot just having a group of people working together. So year three, I’d like to say this is the year of the web apps. After you’ve gotten some basis in Python, you’ve got some basis in PowerShell, and you’ve got some bash scripting underneath your belt, it’s time to start up with some languages like PHP and ASP.NET.
Now, a lot of people come back and say, well, I think it should be Rust or Ruby on Rails or, I don’t know, whatever. I honestly just do not care. But for most of our pen tests, we come across ASP.NET and we also come across PHP.
I hate that. I turn 40 and I feel like this. I all of a sudden feel like I’m like a 90 year old man. Thanks. So start with these languages and just don’t get distracted with other crap.
Just try to focus in. I’m learning some basics with these languages, like, how do you make a database call? How do you sanitize your input? Stop SQL injection. How do you create a website with ASP.NET and PHP so that it has SQL injection?
What are all the mistakes that have to be made? Start creating something and start looking at the mistakes that people made and make those mistakes. And that’s awesome. You’re going to suck. If you ever are at a point in your coding career where you’re like, I am awesome at this.
You probably aren’t that great. I’m sorry. There’s always somebody out there that’s going to be much better. There’s always going to be that lady or that dude that’s going to be like, oh, I saw that you did this in 23 lines.
Did you know that you could do this in a one-liner with this one command? It’s like, oh, man, I just got done talking with Don and Mark, two subcontractors with BHIS, they’re instructors with the SANS Institute, brilliant people once again out of Augusta.
And Don is constantly being challenged by his students in the SANS Python class, always where a student will write this Python script that solves a challenge, and then they’ll go to Don and they’ll say, can you do this in a Python one-liner?
And Don will do it because he’s just that good. And that’s awesome. And he’s constantly humbling people. But even if you talk to him, he’s like, oh, there’s this guy over there that’s way better at Python than I am.
So don’t get hung up and don’t get frustrated. If someone’s better at something than you are, that’s fine. Just get enough to where you can be functional and make things work. Also, feel free to branch out into network apps for iOS and also Android.
All right, so year four, it’s time to start hacking stuff. Now, notice I didn’t talk about much of any of this stuff at all until this point. So if you’re in college, right, when you finally get to be a senior, or, if you’re going for your master’s degree senior year, it’s time to start breaking things.
Learn IDA Pro, learn Immunity Debugger. Pick a protocol, I don’t care what it is. ICMP. And learn how that protocol works inside out, backwards.
Find the RFCs that describe that protocol. Find tools that implement that protocol. Find Python packages that implement that protocol. Use Scapy to attack that protocol and use that protocol.
Just basically learn what it takes to dig into something deep. You don’t have to dig in to try to find a vulnerability. You don’t have to find an exploit, but just go for the curiosity of it and try to dig in.
And it really should be just about anything. My protocol was SMB. I loved SMB, and the reason why I got addicted to SMB is that was one of the first sections that Ed Skoudis had me teach in preparation for SANS 504. You had to go through a number of prep classes to become a SANS instructor that we used to call murder board.
But now we don’t call them that because apparently we’re pansies. Snowflakes. Yeah, we’re all precious snowflakes. What was that you said about snowflakes and the heat? You said, well, I don’t know, you had that quote. It was something like snowflakes and people that are treated like snowflakes neither last very long in the heat.
Sierra
I say a lot of things. Most of them are quote worthy.
John
Most of them are words strung together in the form of sentences that pull together coherent thoughts in the forms of paragraphs. Truth, nevertheless, and bound together in books. Yes, yes.
We will sing songs in the future. Songs that you will write. Oh, God, I don’t know. I’m so. I really should be on some cold medication. I probably act less stoned.
Sierra
I asked him.
John
I know you did. I know it just lasts long, but you dig into a protocol and you tear it apart and that’s the goal. Right? And I also know that you’ve already been playing with Metasploit the whole time, and that’s fine, but at this point, you’re probably now at the point where you’ll have a better understanding of what it is an exploit actually is doing and how that exploit actually does work.
It’s also time to start working with ZAP, the Zed Attack Proxy from OWASP, to start learning how to attack web applications. And the sad thing for me is that I know that a lot of you want to jump right to the slide.
You want to do these things, you want to do IDA Pro, you want to basically use OWASP to start attacking websites. But unless you have an understanding of what’s actually happening under the hood with things that you’re attacking, you’re not going to do very well.
So develop that firm basis and understanding. I’ll give you an example. I’m going to pick on Brian Fehrman at BHIS. Brian has two master’s degrees.
He’s a genius. Tremendous respect, an amazing amount of background development experience and operating systems experience and web application experience whenever he was working at Raven Technologies before we stole him from Raven.
And just really, really good. When we finally got him to the point where he was playing with actual hacking tools like Metasploit, OWASP ZAP, IDA Pro and Immunity Debugger, he took to it immediately.
The learning curve for him was almost like a speed bump. He just, boom, he was in it because he understood the base concepts of what these things were actually talking about and what they were doing, so he was able to hit the ground running.
And that’s one of the key things that I say a lot of times is it’s easier for me to take a developer or systems administrator and turn them into a penetration tester than it is to teach a penetration tester systems administration.
Sierra
We can keep stealing our sysadmins for pen testing.
John
Yeah, yeah, well, I do that, right? We get sysadmins like Jordan and Kent, who have done like three webcasts with us, and they’re awesome at systems administration, and they’re helping me write classes and doing slides, and then all of a sudden they’re like, hey, could we use them on a pen test?
Sure. I got to find more systems administrators then. So that’s a problem, right?
Sierra
It’s a good problem to have.
John
Good problems to have. Good problems to have. I’d also like to show you the SANS Ultimate Pen Test Poster. The big thing is the back of the SANS Ultimate Pen Test Poster.
On all of them, all versions, it may not look exactly like this one, but all versions have the same thing. Right here is this vulnerable, let’s see, this side of it, which I could have easily just said the right side, but I wanted to play with my pen.
Here we go. It has this vulnerable apps and systems matrix, and there’s online challenges, and there’s online virtual machines. There’s online operating systems that you can learn how to hack.
Now it’s time to start hitting these things. Now it’s time to start attacking these things and learning how they actually can be attacked and start using the tools. This is awesome. This is one of the coolest mind map resources that I think SANS has ever produced.
So get in on it and start using it. It’s a great place to get started. Also, year five, it’s time to present. It’s time to start taking what it is that you have done, the things that you have learned, and it’s time to start presenting or submitting to DerbyCon, ShmooCon, Wild West Hackin’ Fest, which just so happens to be in Deadwood, South Dakota, from October 27 to 28th this year.
BSides. I’m highlighting BSides Puerto Rico, not because of that awful song, but because I love the guys at Puerto Rico. You haven’t heard that, Despacito?
Sierra
No.
John
It’s a Justin Bieber song. It’s like the number one song I.
Sierra
Try to not listen to Justin Bieber.
John
It’s hard to miss. This is how we do it down in Puerto Rico. Kids are constantly doing it.
But BSides Puerto Rico, who I was going to throw a shout-out to because Jose and Carlos are down there and I love those guys. DEF CON. Also, you’re going to get rejected.
There’s no question you’re going to apply for these different conferences and you are going to get rejected.
Sierra
Okay. But the other thing I want to say, because from a marketing standpoint, I try to encourage all of our new pen testers. Once John takes them away from sysadmin, then I try to encourage them to speak and they’re like, but, but I don’t have anything to say.
And it’s all been said before and, no, it’s not true. And you will get rejected, but then you won’t get rejected and you’ll be scared.
And everybody feels like they’re new.
John
Everyone feels that way. Even the people. I’m not going to say who I was talking to, but it’s somebody that’s presented at multiple cons over the years and talking to him about it and how he feels about presenting at cons.
And he says he still feels like an imposter. Like at any minute, everyone at the con is going to turn around, point at him and say he should not be here. And I feel that way a lot, too, although I present way, way more than the average bird.
But the thing is, you’re going to get rejected, and that’s okay. I’m going to pick on Timothy for a little bit. Tim Medin is a great person to pick on for a variety of reasons.
One, he’s a living cartoon character. Two, he came up with a Kerberos attack, basically using Kerberos to get password hashes for service accounts and all kinds of other things.
With Kerberos, he got rejected a bunch of times before he got picked up by Dave Kennedy at DerbyCon. And what he came up with was actually earth shattering. So simply because a con rejected your talk doesn’t mean that it doesn’t have value.
It probably just means that it needs to be tweaked or the wording needs to be done.
Sierra
Or maybe you’re just ahead of the curve.
John
Just ahead of the curve. Yeah. Send it to someone beforehand. Tim sent it to me and a couple of other people, and we looked at it and was like, okay, this is pretty earth shattering. And it was funny because Dave Kennedy, whenever he heard it, kind of like, what there.
He’s like, excuse me, what? How does that work? And he went with it, but you’re going to get rejected. But a lot of times when you get rejected and you have a serious submission to DerbyCon or ShmooCon, you’ll get a free ticket.
And sometimes those free tickets are worth. I was going to say their weight in gold, but they’re on the Internet. The Internet doesn’t weigh anything.
Sierra
Well, I mean, maybe then you need to have a YouTube channel.
John
YouTube channels are great, too. Yeah. And you shouldn’t get to year five and be like, well, I don’t have anything I should present on. In the four years that you’ve been working on this, you should have come across something that’s cool, and just run with it.
So here’s a couple things. Feel free to do the following indulgent distractions. The distractions. There’s no straight lines to a path in computer security and a career in it, and there sure aren’t any. Once you get here, don’t.
You can stick to my plan. You can ignore my plan. Develop your own plan. Get good at just one thing. Get a degree. Don’t get a degree. Get certified. Don’t get certified. Don’t care. But I don’t want you to stand still.
I don’t want you to sink into video games. Waste your time going after epic Pokemon, binge watching shows on Netflix. Use Bing for anything. Just barely learn Metasploit to impress men and women.
Spend lots more time on the look of a hacker. Actually, I have to look today. I’ve got a dark t shirt wearing jeans. I don’t know about the hat. Oh, wait. Give me some scissors.
Sierra
Oh, my gosh.
John
We’re gonna fix this. Oh, my gosh. And get angry. If at any point in your career you find yourself getting angry, you’re failing. Don’t do that.
And also, don’t blame others. If you ever get to the point in your career where, like, I didn’t succeed because of this person.
Sierra
Oh, my God, you fail.
John
And that’s not what we want. So we had some questions. People were asking about certifications.
Sierra
So cyber security degrees and certifications. Talk about that.
John
I tried not to talk about certifications much until the end. I’m extremely biased for SANS, especially SANS 504. But I also understand, as a junior intern, it’s really hard to get to the SANS Institute, right? It’s kind of hard because it’s really expensive, and I get that.
And we spend a tremendous amount of time doing webcasts like this to try and make it so anybody that attends our classes continues to get value out of the class long after we’re done. So they’re great certifications.
OSCP is also a great certification. So is CISSP. I’m not going to rip on CISSP. I spent too much of my lifetime ripping on CISSP.
I have, and now CISSP and the people that are getting involved are doing better. With SANS, though, you can actually volunteer for work study at the SANS Institute, and if you volunteer for work study at the SANS Institute, you can get the class a lot cheaper.
Okay. So look into that as an option. Okay. That’s something else. CEH. CEH is garbage.
Sierra
Which is, I mean, volunteering is another option. If you can’t afford to go to a conference, you can volunteer to go help them.
John
Yeah, you can volunteer to go help them as well. And the certifications, I many times tell people, and SANS doesn’t let me do the certification talk anymore, but I say that I think that certifications are pretty much worthless, and that’s hard, right?
Because I work in an organization that gives out certifications. Right, SANS. But if you want to work in this career, you’re going to have to have a certification to get past HR, plain and simple.
You can walk around, stamp your feet, you can complain all day long about certifications and existing, but honestly, you really, really, really need to have certifications to get through the, you have to get through that HR window.
The other thing is, if you have a GCIH, I have a pretty good idea of what the common framework and knowledge is that you should have at least coming into the interview.
If you say you have GCIH, I’m going to ask you questions on the GCIH exam. CISSP is great for a common, fundamental framework of terminology and language, and that is great.
So while I say that certifications are generally worthless, and what I mean by that is I can’t look at somebody that has a certification and say they’re going to be good or they’re going to be bad, but it is a filter that all of us will need to pass through at some point.
So from that perspective to actually making a living and getting a job, certifications are some of the most important things that you could possibly get. OSCP, some people, like three or four people have asked me about it.
It’s a good cert. I know I should be saying SANS. Only SANS. SANS all the time. It’s a good cert. I see people that get that cert, and also people at BHIS get that cert, too. It’s the only cert I know of where people hug each other and cry.
Actually, that’s not true. The other cert that people hug each other and cry when they make it through is the GSE from SANS, the GIAC Security Expert. One, CEH.
That’s a much longer conversation. It’s just like, my opinion, man. But it’s just a very low regarded certification, and it’s not something that you would ever want to put on a business card and have anybody take you seriously about, ever.
Sierra
So, we have another question from, actually, a couple people. What year would you put in that people should start honing their presentation skills?
John
Year five. All the years you’re gonna be present.
Sierra
All the years you should be, like, talking to people because explaining what you’re doing is part of pen testing, blue teaming.
John
Well, and I would say the, I would say the best key to being a good presenter is actually know what it means to be to understand the topic.
Like, anytime you get up and you try to present, if you truly don’t know, a thank you, Adam just nailed it right out of the park. If you do not know it, you’re going to suck. No matter what.
I’ve seen presentations with people, especially in this field, we tend to be very forgiving if the technical content is solid, we tend to be very forgiving to people that don’t have those, they don’t have that skillset.
Right. So, yeah, that’s something to kind of look into. So join Toastmasters to improve presenting skills. Yeah, sure. Present anywhere and everywhere.
Right. Cloud technologies. You’re going to learn a lot about cloud technologies once you start learning web technologies. Not all of them, but, how.
Sierra
Far should you go at getting good at one thing before you move on to something new?
John
Well, right about the point you get bored. That’d be about it. Jason just said, hey, don’t binge watch. Does that apply to Rick and Morty? No, it does not apply to Rick and Morty.
I’m Pickle Rick. All right. There’s people that are like, what? And other people are like, oh, so get out there. And I tried intentionally to stay away from certifications, and I kind of came back.
So you’re going to need to get certified in this career field at some point, and there are people in this field that don’t have any certifications, trust me. But they’re more rare unicorns and they’re very, very special people.
But by and large, if you want to get into this career, you’re going to need to get certified and your job should be paying for that. And yeah, reach out to the SANS Institute. Like I said, we’re expensive, there’s no question.
But I know of no organization that’s better to people for volunteer work study, giving them a huge price discount. And the only thing that we ever ask at SANS is that you help out.
Sierra
Well, we had tons of comments. I’m sorry that I didn’t. I tried to answer a lot of you, but this was a nutty, nutty busy webcast, so I think it’s awesome.
Obviously a lot of you are interested in this topic. John did great. We got a lot of good feedback. John, everybody said good job. Happy birthday. They said, hope you feel better because you sound horrible.
John
Oh, thanks, everybody. Get out of here. I’ll talk to you guys all later.