The Wonderful World of Information Security

The Wonderful World of Information Security. Who is this guy? John Simpson aka Thracky - @ThrackySpackoid on the twooter Recent grad of the program Currently.

Jan 01, 2016

Page 1: The Wonderful World of Information Security. Who is this guy? John Simpson aka Thracky - @ThrackySpackoid on the twooter Recent grad of the program Currently.

The Wonderful World of Information Security

Page 2

Who is this guy?

• John Simpson aka Thracky – @ThrackySpackoid on the twooter
• Recent grad of the program
• Currently working for THE MAN – big consulting company
• Previously did lots of general IT, and a tiny bit of development work
• Infosec work has focused mostly on defensive/SOC type stuff
• Obsessed with pretty much every aspect of the industry
• Also I like cats.

Page 3

What are you/we doing here?

• The information security industry is huge.

• I only really knew about “ethical hacking” as a possible career option when I started in BAISc
• Even though that’s what I’m actually doing (soon), it’s important to know what else is out there
• We’re going to go through as much industry info as possible: potential employers, job roles, and learning/info resources. (Yes, I’ll make the slides available)

Page 4

The many faces of InfoSec

• There are a TON of different career options out there
• First let’s start with WHO you can work for:
  • Consulting firms – client focused work
    • Clients can be pretty demanding
    • Could be a lot of travel depending on the firm/position
    • Get to experience a lot of different environments
  • Vendors
    • Work on/with a specific product or set of products
    • Harder if you don’t truly believe in the product (in my opinion)
    • Lots of sales related roles in this space if you’re into that sort of thing

Page 5

Ok but what if I want to keep my soul?

• In-house security teams
  • Security related stuff for one company
  • Usually strict hours, minimal overtime requirements (but stuff still happens)
  • Other people who work at the company might hate you
• Government (soul requirements job dependent)
  • Government is pretty desperate for infosec people
  • CSIS and CSE are both constantly hiring
  • Pay is actually pretty good
    • Not sure how well it keeps up at higher levels though…

Page 6

So… what can I do?

• There are a lot of sub-fields and I can’t possibly cover them all

• So let’s cover the major areas and I’ll let you all do a bit of research on some of the details

• DISCLAIMER: I HAVE NEVER WORKED IN MOST OF THESE ROLES BEFORE SO TAKE WHAT I SAY WITH A GRAIN (OR 5000) OF SALT

Page 7

Attacking!

• Ok well it’s not all “attacking”
• Penetration testing (aka Pentesting) – what a lot of people THINK they want to do.
  • Testing the security of various stuff for clients (or even internally)
  • Pentests are often specialized: Network Pentests, Application Pentests, Physical Pentests
  • A lot of report writing
  • You will probably have to travel a fair bit – I’ve seen some firms say 50%+ travel.
  • You don’t get to just go in and hack stuff – scope is clearly defined and often pretty narrow
  • All around technical knowledge is key – Networking, programming, sysadmin, etc. etc.

Page 8

Defending!

• Work as an analyst in a Security Operations Center (SOC)
  • In house or Managed Security Services Provider (MSSP)
  • Monitor events, perform investigations, cry, drink (DEFENDING IS HARD!)
  • More experienced analysts get to do things like malware analysis and contribute towards improvements
  • Smart organizations are starting to have their SOC teams do proactive “threat hunting”
• Every company that has a SOC is hiring. All of them.

Page 9

Building defenses

• This is a super broad field
• Design & implement specific security controls, systems, policies
• Room for technical and non-technical people here
• “Security Architects” have to understand how everything fits together
• Can do this as a consultant, vendor, in-house, probably government too.

Page 10

We may have gotten owned

• Incident response – how did we get hacked, how bad is it, who did it? (Hint: China, sometimes North Korea)
• There’s only 2 kinds of companies:
  • Those who got hacked
  • Those who don’t yet know they got hacked
• Forensics galore! But also maybe some malware analysis

Page 11

For people who LOVE code

• Application Security aka AppSec is in ridiculous demand and will only grow
• Software powers everything – my TV, car, phone, lightbulbs, fridge, toaster, blender, hair dryer, toothbrush, etc.
• A lot of programmers are terrible at security
• Industry needs programmers that can help create more secure software, not just write secure code.
• Web dev on its own is probably massive enough to take up all your time – pick a niche

Page 12

The importance of community!

• The vast majority of important people in InfoSec are awesome, approachable people
• Make connections + learn by being on Twitter and meeting people at conferences (combine for greater effectiveness!)
• Where to start?
  • Get on Twitter now! And keep up on it, even a few minutes/day!
  • Here’s a bunch of people to follow for starters:

Page 13

Just to start… (Check out who I follow for more)

• @mikko – Chief Research @ F-Secure

• @kevinmitnick – The famed ex-black hat

• @gattaca – Security @ Akamai, writer, blogger, speaker

• @briankrebs – Best damn infosec investigative reporter (IMO)

• @owasp – Open Web Application Security Project

• @chriseng – VP Research @ Veracode

• @myrcurial – popular Canadian InfoSec guy & writer/podcaster

• @e_kaspersky – CEO of Kaspersky

• @jeremiahg – Founder WhiteHat Security

• @jack_daniel – BSides Co-founder

• @JimmyVo – Rapid7 Global Services

• @hacks4pancakes – Great DFIR person

• @rootkovska – Creator of QubesOS & a ton of other stuff

• @threatbutt – Poking fun at the “threat intelligence” community

• @iiamit – VP @ ZeroFOX

• @da_667 – great malware analyst/network security monitoring guy

• @hypatiadotca – Security @ Slack

• @__apf__ – Google Chrome security team

• @KimZetter – Writer for WIRED – focuses on InfoSec a lot

• @daveaitel – CEO Immunity Inc.

• @runasand – Privacy and Security researcher

• @matthew_d_green – Crypto prof at Johns Hopkins

• @thegrugq – king of OPSEC

• @MalwareJake – SANS Instructor and course creator

• @peterkruse – eCrime specialist

• @k8em0 – Chief Policy Officer HackerOne

• @travisgoodspeed – Creator of PoC||GTFO

• @attrc – Volatility core developer

• @botherder – Privacy advocate & fellow @ CitizenLab

• @MalwareMustDie – badass malware hunter & exterminator

• @sambowne – Ethical hacking professor @ City College San Fran

• @nickm_tor – TOR developer

• @taviso – Hacks antivirus

• @alexcpsec – InfoSec data scientist

• @granick – Cyber Law @ Stanford

• @jessysaurusrex – Works for Agilebits (1Password)

• @Sidragon1 – dude who allegedly made a plane fly sideways


Page 14

BLARGS!

• There’s a lot of security blogs out there
• Some are run by companies and can potentially have an agenda
• Here’s a few great ones to start with:
  • WIRED Security: http://www.wired.com/category/security
  • Krebs On Security: http://krebsonsecurity.com
  • Schneier On Security: https://www.schneier.com/
  • Naked Security: https://nakedsecurity.sophos.com/
  • The Hacker News: http://thehackernews.com/
  • Packet Storm Security: https://packetstormsecurity.com/
  • The Register Security: http://www.theregister.co.uk/security/
  • Graham Cluley’s Blog: https://grahamcluley.com/

Page 15

Conferences!

• A lot of conferences are VERY expensive – intended for industry people who are being paid to attend
• Some provide student pricing or are generally inexpensive
• Cons are critical for meeting people and you always learn something
• Local(ish) Conferences:
  • SecTor – Oct 20 & 21 – Expensive, but Sheridan often sends a limited # of students
  • BSidesTO – Nov 7th – Inexpensive, small, great place to meet people
  • HackFest (Quebec City) – Nov 6 & 7 – Like DEFCON for Canada, a bunch of students and alumni go every year!
  • RECon – Every June in Montreal – Reverse engineering focused conference
  • CounterMeasure (Ottawa) – Nov 19-20 – Corporate type event, expensive!
  • NorthSec (Montreal) – May-ish – Small conference but huge CTF!

Page 16

Other major conferences

• DEFCON (Vegas) – Biggest hacking convention in the world – Every August
  • You need to go to this at least once
• BlackHat (Vegas) – Corporate DEFCON, same week as DEFCON in Vegas
  • BSidesLV is also held during this time, great alternative to BH!
• ShmooCon (Washington DC) – Awesome con in January
• DerbyCon (Louisville, KY) – Another popular con, GOING ON THIS WEEKEND!
• But seriously, there’s a ton of conferences, an average of 1/week worldwide.

Page 17

Learning resources

• All those conferences we just talked about: most of the talks become freely available online or are even streamed live
  • Check out DerbyCon’s live stream if you have time this weekend
• Online CTFs
  • http://ringzer0team.com & http://www.overthewire.org are great places to start (New people try Bandit on overthewire)
  • Also check out ctftime.org for info on time limited CTF competitions, and get together with some friends and play as a team!
• In person CTFs
  • HackFest!!!!!
  • Sheridan CTF (Every July)
  • NorthSec – Remote location available in Toronto this past year

Page 18

More learning!

• Opensecuritytraining.info – Great super technical videos
• Cybrary.it – Free infosec training
• Books!
  • There’s a fantastic book for almost any topic you could imagine
  • I think everyone should read “Beyond Fear” by Bruce Schneier
  • His new book Data & Goliath is pretty awesome so far also
  • If you’re looking for a book on a particular topic just ask

Page 19

And now we go drink

• Thanks everyone!
• Please reach out to me on IRC/Twitter for any questions, guidance, etc. etc.