Stopping Hackers for a Living: Becoming an IT Security Specialist

Kai Axford, CISSP, MCSE, Sr. Security Strategist, Microsoft Corporation, [email protected], http://blogs.technet.com/kaiaxford
Kirk Munro, MVP, Sr. Software Developer, Quest Software, [email protected], http://poshoholic.com


Jan 28, 2016

Transcript
Page 1: Stopping Hackers for a Living: Becoming an IT Security Specialist Kai Axford, CISSP, MCSE Sr. Security Strategist Microsoft Corporation kaiax@microsoft.com.

Stopping Hackers for a Living: Becoming an IT Security Specialist

Kai Axford, CISSP, MCSE, Sr. Security Strategist, Microsoft Corporation, [email protected], http://blogs.technet.com/kaiaxford

Kirk Munro, MVP, Sr. Software Developer, Quest Software, [email protected], http://poshoholic.com

Page 2

Growth in Number of CISSPs

2001 – 6,000

2002 – 11,000

2007 – 50,000

Page 3

Remember….

1. You have competition.
2. For any job you want, someone else is probably qualified.
3. This is no longer easy.

Page 4

Security - A Different Industry?

• It’s important to understand what a career in security means…
– Security is different in some ways
– And it’s the same in a lot of ways
– Break the wrong rules at your peril.
• It’s the same in that...
– Careers usually still involve working for other people
– Involve knowing your field and advancing in your knowledge and skill
• The main difference is speed.

Page 5

It is 2008

5 years ago:
PCI was a slot in your computer.
SOX went on your feet.
AJAX was a product for cleaning your sink.
WEP was the only encryption for your WiFi network.
HIPAA swam in African lakes.
…and you had never heard of Data Leak Prevention.

Page 6

The Fastest Changing Industry

• Security changes quickly
– The challenge in security is almost always the newest emerging technology
– A security professional has to be current with the newest changes, not the oldest ones.
• This change makes the industry unstable
– We all know people who were at the top of the game 10 years ago who are obsolete today
• Living in interesting times
– Full of constant learning
– Constant opportunity for advancement
– And a sense that the ground beneath you is never stable
• One of the most rewarding careers
– Because of the challenge of growth

Page 7

Unfortunately…

You knew that was too easy…

Page 8

“You are not special. You are not a beautiful or unique snowflake.”

- Chuck Palahniuk

Page 9

Security is no longer special

• Back in the day...
– Security was a growth initiative
– IT layoffs usually didn’t hit the security department
– Budget cuts hit IT before security
– Security salary increases were significantly better than average IT salary increases
• Now...
– Some view security as a traditional cost center
– Security is no longer immune to layoffs
– Security budget gets hit alongside other IT initiatives
– HR salary bands are the same for security as for other functions
– Standard increases apply
• Job security is no longer guaranteed
– Rapid growth in security talent means cheaper talent always exists.
– Security operations can be handled by IT, security strategy by corporate compliance

Page 10

Bitter Irony

• Security has less job security
– Rapid growth in security talent means cheaper talent always exists.
– Security operations can be handled by IT
– Security strategy by corporate compliance/legal/audit
– Often, INFOSEC is an easily-outsourced function
• Hard times bring awareness
– More companies are starting to realize
– The CISO role is changing in scope and responsibility
– Corporate security is shifting
• Competition is ramping up
– You have to be better than ever before
– You have to stand out from the crowd to get the job you want.
– You need to be outstanding to keep the job you have.

Page 11

There is a way to make yourself stand out.
The outstanding are the ones that survive.

In fact, there are 3 simple rules...

Page 12

Recession-proofing

• The answer isn’t what you think it is
– Most say: “Be more business focused and downplay technical skills”
– This is usually wrong.
– Nobody ever got fired for having too many technical skills
– The key is awareness of what you need to know and how you need to be perceived.
• But “mad hacking skillz” won’t save you
– Skills are easy to replace.
– Besides, you likely already have the skills to do your job
– If you don’t have them, go read a book.
• 3 rules for being recession-proof
1. It’s all up to you.
2. Know yourself.
3. You’re nobody until somebody knows you.

Page 13

Rule #1 – It’s All Up To You

Page 14

Nobody’s going to do it for you

• This is obvious
– But, having seen enough people, we need to say it.
– Your career is going to take work.
– Work on your career as well as in your career.
• You need to take responsibility
– Nobody’s going to do it for you.
– Your boss is too busy managing his/her own career
– There are so many diverse careers that your way won’t be anybody else’s
• There’s much work to be done
– You need to know what you’re good at.
– You need to know what you want.
– You need to make that happen.
• You’re the only one who can do it.

Page 15

Rule #2 – Know Thyself

Page 16

You Need to Know You

• If it’s all about you, you have to know what it’s all about.
– Self-awareness is key
• Take stock of your own skills
– What are you good at?
– What are you not so good at?
• How do those skills match up...
– To what you do now?
– To what you wish you were doing now?
– To what you want to do in 10 years?
• That mapping will help you know what to work on.
– Do you enhance your strengths or eliminate your weaknesses?

Page 17

Examining Your Skills

• We spend far too much time on technical skill
– Most jobs are about far more than just whether you can code
• How are your skills in each area? Are you more of a Dev or an IT Pro?
– Dev: Programming languages, dev tools, platforms written for, security implementations
– IT Pro: Products and technologies, security concepts, hardware experience
– Do I possess any “soft skills” (i.e. public speaking, excellent writing ability, etc.)?
• What skills in each area does your job require?
• Would I hire me based on my existing skills?

Page 18

Strengths and Weaknesses

• There are 3 types of skills
– Strengths
– Weaknesses (that matter)
– Weaknesses (that don’t matter)
• Your time should be divided:
– 80% on your strengths
– 20% on your weaknesses (that matter).
• Focus on your strengths
– It’s more rewarding in the long run
– People don’t really change that much in most ways
– It’s most fun.
• A strategy
– Figure out your 3 best strengths
– Devise a plan to improve each of them by 10% in the next year.
– Work that plan.

Page 19

Gap Analysis

• What do I need to do in order to get where I want to be?
– Are you more of a Dev or an IT Pro?
– What skills do I have, or am I working to develop?
• What are some resources I can use to fill in the gaps?
– Lack of experience?
  • IT volunteer at non-profits, home LAN, classes
– Lack of skills?
  • Practice!!! Set up a home LAN and beat it up!
– Lack of knowledge?
  • Stay informed! Stay current! What is the “buzz” now and what looks hot coming up?
– Lack of people?
  • Join local user groups and professional organizations (ISSA, ISACA, ASIS, etc.)

Page 20

Know the steps….

MCTS – Windows Server 2008
One exam is required to earn each of the MCTS certifications.

MCITP – Server Administrator
Three exams are required to earn the MCITP – Server Administrator certification.

Page 21

Rule #3 – You’re Nobody ‘til Somebody Knows You

Page 22

Personal Branding

• “Personal Branding” always sounds so cheesy
– But it’s the most important career exercise that you can do.
– If you do nothing else, establishing your brand and getting it out there will take you farther than anything else.
• “Brand” is just another way of saying
– “What people think of when they hear your name.”
• What do you think of when you see each of these names?
– Paul Henderson
– Barry Bonds
– Osama Bin Laden
– Bill Gates
– Don Cherry
– Kevin Mitnick
• The most common denominator of what you just thought is their personal brand.

Page 23

The Key to Branding/Networking

• Be yourself.
– Yes, it’s that simple.
– But do it in front of a lot of people.
• Put your best foot forward
– This does not mean to post your drunken party pictures on your Facebook
– Understand the message you’re sending, but be you
– Be the best you that you can be.
• Most important - do what you’re good at
– If you write good, write.
– If you speak well, speak.
– And if you make friends easily, go make a lot of them.
• The fastest way to branding failure:
– Try being something that you aren’t.

Page 24

BONUS: Kai’s Hire/No-Hire Notes…

Page 25

Kai’s Hire/No-Hire Notes

• Some jobs may require a degree in CS or MIS
– If you have some really 31337 skills, we may overlook it....but it will never hurt you to have it.
– I know plenty of people with degrees in Bio-Chemical Engineering or English who are security professionals.
• Most jobs want prior experience
– At least tell me you’ve actually seen a firewall…
• Expect the interview to be unlike any practice one you’ve had at your Career Center
• I don’t care about “What kind of tree you would be”. You better be able to explain PKI and authentication mechanisms to me in detail.

Page 26

Kai’s Hire/No-Hire Notes

• Expect a background check or a credit report review
– These are “security careers”, not Desktop Support
– I have to trust my security folks 100%
• Have a strong technical background in network security, a specific O/S, or other security technology
– You pick. I don’t care what.
• Some jobs may require business skills in order to understand the financial impact to the company.
– “Darn! So you’re sayin’ that my accounting class was important?!!”
– If you can talk the talk of the Big Bosses, then you’re in good shape.

Page 27

The Interview

Demo

Page 28

• Special thanks to
– Mike Murray, Neohapsis
  • http://www.forgettheparachute.com
– Lee Kushner, LJ Kushner & Associates
  • http://www.ljkushner.com/
– Much of this slide deck was taken from their excellent presentation at RSA 2008.

Page 29

Resources

• Get the slides! (Available June 2008)– http://www.microsoft.ca/bootcamp

• Kai’s Blog– http://blogs.technet.com/kaiaxford

• Kirk’s Blog– http://poshoholic.com

• Get ready for the exams!– http://www.microsoft.com/learning/mcp/default.mspx

• Work at Microsoft?– http://www.viewmyworld.com/

Page 30

Questions?

Kai Axford, CISSP, MCSE, Sr. Security Strategist, Trustworthy Computing Group, Microsoft Corporation, [email protected], http://blogs.technet.com/kaiaxford