Page 1

How To Make A Fortune in INFOSEC (or S/W Development)

October 22, 2010

Kurt R. Schmeckpeper, CISSP, GCIH

DISCLAIMER: Some of the views and opinions expressed in this presentation are the presenter’s alone, may or may not reflect or align with the organization’s policies, and certain sections of the material should not be viewed as an official enforcement by any organization or person. This presentation may be freely distributed.

Page 2

DISCLAIMER

• The thoughts, statements, and ideas presented here are not representative of or claimed by Motorola or any past employer, ASU and their faculty, or anyone else you might meet, and they are in no way responsible or liable for them.

Page 3

Brief Professional Resume

• BSEE, MEE – Okla. State University – 1975
• NASA, Houston, Texas – 1975 to 1996
  – Space Shuttle – SW Developer & Flight Controller
  – Space Station (US & Russian) – System Design
  – Tomahawk Cruise Missile – SW Tester (St. Louis)
  – Apache Helicopter – System Tester (Mesa, AZ)
• Engineer, Motorola INC. – 1996 to present
  – Chandler Arizona, Basingstoke UK, Copenhagen DK
  – Iridium – SW Tester then Test Manager
  – Authentication Centre – Test Manager
  – Information Assurance System Designer & Analyst

Page 4

Current Job Role

• Educator & System Designer
  – Bringing the gospel of Information Assurance and Computer/Network Security to the masses
  – Designing IA into our Private Radio Systems that we sell to Government agencies.
  – Consulting on IA with other Corporate Product Teams

Page 5

Brief Personal Resume

• Bay Area Comm. on Drugs & Alcohol Abuse – Crisis Help Line: 1977-1980
  – Volunteer, Trainer, Board of Directors
• Galveston Co. Fair & Rodeo: 1981-1996
  – Computer Geek, Secretary, Treasurer, Board of Directors
• Greater Corona Home Owners Assoc.: 2000-2004
  – Contracts Mgr., Secretary, Board of Directors

Page 6

How to Be Wealthy

• Have Rich Parents
• Marry a Rich Spouse
• Win the Lottery
• Become a Successful Black Hat
• Work as a White Hat (this presentation)

YOU WILL MAKE YOUR OWN CAREER! Others may help, but it’s ALL ON YOU!

Page 7

What is INFOSEC (from ISC2)?

1) Access Controls
2) Telecommunications and Network Security
3) Information Security and Risk Management
4) Application Security
5) Cryptography
6) Security Architecture and Design
7) Operations Security
8) Business Continuity and Disaster Recovery Planning
9) Legal, Regulations, Compliance and Investigations
10) Physical (Environmental) Security

Page 8

Technical Skills You Should Have

• LEARN the Operating System
• LEARN the Coding Language
• LEARN Assembler & Shell Coding
  – The Art of Assembly Language by Randall Hyde
  – www.ollydbg.de (an Excellent Disassembler)
  – www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html
• LEARN Metasploit www.metasploit.com
• Consider becoming Certified (CISSP or CEH)

Page 9

Occupations using these skills

• Penetration Tester
• Incident Handler
• Secure Software Development & Test
  – When you can Hack your own code, you know that you have to make it more secure
• Cyber Warrior (DoD needs 3000+)
• Auditor
  – Additional training in whatever standard you are auditing against is required

Page 10

What Else Should You Know?

• Learn English Grammar, Syntax, & Punctuation
  – Unless for a Foreign company, then substitute the “official” language for English
• Learn Social Engineering
  – How to Listen/Motivate/Evaluate People
• Pick a Technical Specialty or two
  – But then become a Generalist
• Be as Technology Agnostic as Possible
  – Don’t be a Fan boy or girl for any technology unless you are going into SALES as a Career
• Learn PowerPoint and Public Speaking
  – Join Toastmasters for the practice and the connections

Page 11

If you want a MGMT career

• Learn some FINANCE stuff
  – Start with an Engineering Economics textbook
  – You don’t need to be an MBA
    • Unless you aspire to be a CISO
• Learn some Project MGMT tools
  – Microsoft Project is a good one
• Learn how to play Golf
• Learn about Cultures other than yours

Page 12

Prior to & Post-Graduation

• If you know the job you want, go after it!
  – Otherwise, search until you see an appealing job
• If your job hunt is not immediately successful, consider volunteering at a Charity or Hacker Space while you keep looking
  – Or consider getting a Masters Degree
  – Or consider the Armed Forces
• Keep learning new skills & practicing old ones

Page 13

Your First Job

• Lower rungs of the tech or mgmt ladder
• Unpaid Overtime is Expected
• When offered company training – take it
• Expect to make Mistakes
  – Learn from them
• Be friendly to the Admin Asst (Boss’ Secretary)
• Do your Job well before you Volunteer to take on new jobs – unless your boss asks you to take it

Page 14

Your First Job (continued)

• Sign up for:
  – ALL the Health & Life Insurance they offer
    • It’s the cheapest you will ever buy
  – 401-K
    • at least to get the full company match
  – Savings Plans or Company Stock Plan
    • as much as you can afford

Page 15

Your First Job Attitudes

• Read the HR Policies & LIVE Them!!!!
  – Acceptable Computer Use Policy
  – Information Classification & Handling
  – Cultural Diversity Policy
  – Be Pro-Active in reporting violations of these policies (however, discuss it with the person first; they may have been ignorant)
• HR exists to protect the company first and you second.

Page 16

Your First Job Attitudes

• Identify your internal/external Customers
  – It’s all about Customer Service
    • Your Boss and co-workers
    • Companies/Groups you deliver to
  – “If I received this product, would I be Happy/Satisfied with it?”
• Don’t date co-workers, customers, or competitors
  – Not a hard & fast rule, but it makes your life go smoother.

Page 17

How to Present to MGMT

• It will probably be in PowerPoint
  – NO Animations
    • The only people that like animations are being trained or are in SALES
• Problem Statement
  – Clear, Concise, and Why
• Possible Solutions (no more than the 4 Best)
  – Again, Concise, with Pros and Cons, and Cost
• Your Recommendation (Optional)

Page 18

First Job After Work Activities

• Have Fun – with some caution
• Volunteer – Expands your network & Social Circle
• Learn a new Skill/Hobby
  – Doesn’t have to be a work-related skill
    • Woodworking, Plumbing, Computer Repair
    • Dancing, Golf, Bartending, Foreign Language
• LIVE WITHIN YOUR MEANS!!!!
  – Make a Budget and stick to it.
  – Save for Retirement

Page 19

A Word About Social Networking

• Social or Business Related (Personal)
  – Facebook – Limit what you post & your network
  – MySpace – see Facebook
  – Linked-In – Strictly for Business & Work-related stuff
  – Plaxo – Avoid – Check out their Privacy policy
  – Naymz – Avoid – Check out their Privacy policy
• Don’t “friend” any boss or co-workers on Facebook or MySpace (it’s just a bad idea); Linked-In is OK.
• Keep your Work Life and After-Work Life as far apart as possible.

Page 20

How To Get Promoted

1) Do Your Job Very Well (and know the promotion requirements)
  • Exceed your Boss’ Expectations!
2) Make Your Boss Look Good
  • When they get promoted, they will be looking for a replacement
3) Transfer to Another Job
  • Repeat 1) & 2) above
4) If your Boss won’t cooperate, go to his Boss
  • But make sure you are solid on 1) & 2) above, as you may have to do 3)
5) Live Long Enough
  • Sometimes it’s just a matter of being in the right place at the right time and knowing the right people

Page 21

First MGMT Job

• When you excel Technically, you will probably be promoted to Supervisor
  – This is not a BAD Thing, although it will take you a while to realize it.
  – Alternatively, if you are Totally Exceptional Technically, you may want to quit and hire yourself out as an Independent Contractor. This pays VERY, VERY well, but you will be paying the Full Cost of your Benefits Package, including both sides of Social Security. Remember to save money to pay your Taxes.
• 95% of the comic strip Dilbert by Scott Adams is REAL LIFE!
• With Luck, you will be doing 50% MGMT/50% TECH
  – But that rarely lasts two or three months, and then it’s 90% MGMT/10% TECH
  – Get over it, that’s the way LIFE is!!! Learn all you can.
• Your friendly & non-friendly co-workers may be reporting to you
  – You have to put some personal distance between you and them
  – You will have to evaluate/counsel/mentor/placate/motivate them

Page 22

Thoughts on Certifications

• Passing a Certification exam says that:
  – You have the minimum knowledge to be considered for certification (at the time of the test) OR
  – You are very good at taking tests.
• CISSP – www.isc2.org – “A mile wide and two inches deep”
• SANS – www.sans.org – MGMT & TECH – Hands On Tech
• CEH – various
  – See Resource presentation at the end

Page 23

Thank You For Your Time!

• Questions?

Page 24

Resources

• How to protect your privacy (11 slides)
• IA Certifications – should I get one?
  – Compare/Contrast CISSP & CEH
  – Used with permission of the author

Page 25

Should We Expect Privacy?

• http://www.theregister.co.uk/2008/10/07/symantec_thompson_privacy_bunk/

• “Consumers ought to accept that loss of privacy is the price they pay for using internet service, according to Symantec chief exec John Thompson.

• Echoing Scott McNealy's opinion that "you have no privacy, get over it," the Symantec boss expressed surprise that information such as IP addresses is regarded as sensitive.”

Page 26

So what do we do now? - 1

• Surf the web with a proxy server
  – www.anonymizer.com
  – www.torproject.org
  – www.the-cloak.com
  – www.megaproxy.com/freesurf/
• None of these have been evaluated by me except analytically

Page 27

So what do we do now? - 2

• Use encryption (your email & Hard Drive)
  – www.truecrypt.org
  – www.gnupg.org (Free PGP)
• Turn on/Install – scan and update weekly
  – Firewall (Windows, ZoneAlarm is better)
    • www.zonealarm.com
  – Anti-Virus (AVG)
    • free.avg.com/download-avg-anti-virus-free-edition
  – Anti-Spyware (SpyBot Search & Destroy)
    • www.safer-networking.org/en/download/

Page 28

So what do we do now? - 3

• Setup many email addresses
  – Don’t use AOL or Hotmail – GMAIL is OK, but it’s a target
  – Use them for different purposes
  – Use a private email address for your close contacts
• Web Browsers
  – Turn off scripting or use Firefox with NoScript

Page 29

So what do we do now? - 4

• Keep all your software up to date!
• Get Secunia’s Personal Software Inspector (PSI) – It’s Free
  – http://secunia.com/vulnerability_scanning/personal/
  – Use IT!
• Be Careful Using Bluetooth!
  – Google “Josh Wright Bluetooth Video”
  – or www.ihackforsushi.com

Page 30

Other Things To Be Careful About

• Internet Kiosks
• WiFi in Hotels, Airports, & Coffee Shops
  – Never check bank balance or shop online
• ATMs (especially if it keeps your card)
• Shopping online
  – Use One Credit Card with a low limit
  – Don’t use a Debit Card

Page 31

What Do I Do?

• All of the above plus:
  – Separate computers for work, play, & “risky”
  – One laptop is “disposable” and has a plug-in wireless card that is only used for “risky”
  – When installing Windows, I use a fake name and company
  – Otherwise I use Linux, which doesn’t need it
  – I also use LiveCDs and Virtual Machines

Page 32

What Else Can You Do?

• Educate yourself
  – Learn your Computer, Operating System, and programs
  – Read the latest hacking literature at (you might have to use Firefox instead of IE):
    • www.defcon.org
    • www.toorcon.org
    • www.shmoocon.org
• Google Yourself Weekly!

Page 33

“Risky” Work Defined

• WiFi in Hotels, Airports, & Coffee Shops
  – Unless it’s work-related, then I use my work laptop with two-factor authentication and a VPN encrypted tunnel
• Checking the security of a neighbor (with their permission, of course!)

Page 34

Closing Thoughts - 1

• In the 2006 Census, there were 225,633,342 people in the US whose age was 18 years or older.
  – You will have your PII exposed
  – With luck, you won’t lose any money
• A last quote from Symantec chief exec John Thompson:
  – "Businesses have a responsibility to protect sensitive data. The public should not expect the government to protect them."

Page 35

Closing Thoughts - 2

• The odds of anyone trying to track you down are low!
  – There are trillions of pieces of information stored in the ISPs and search engines of the world, so your stuff is not easy to find.
• Your non-online Credit Card History is probably more exciting than your web browsing
• However, if you run for political office, become a political agitator or become very wealthy, all bets are off!

Page 36

Information Assurance Forum

How and Why to be a CISSP and CEH

May 20th, 2010

Gedi Jomantas, CISSP, CEH, CCNA, CCNP, CCSA, CCSE -> CBSA, AECDM, MCDMMM…

Outline

– Nothing matters but your resume
– Certifications and different schools of thought
– Not all certifications were created equal
– Certified Information Systems Security Professional - (CISSP®)
– Certified Ethical Hacker - (CEH)
– Certification value to you and your company
– Where do you go from here?

DISCLAIMER: Some of the views and opinions expressed in this presentation are the presenter’s alone, may or may not reflect or align with the organization’s policies, and certain sections of the material should not be viewed as an official enforcement by any organization or person. This presentation used with the author’s permission.

Page 37

Nothing matters but your resume…

…well, not exactly…

…or…

…but when your career hits a brick wall….

Page 38

Nothing matters but your resume…

….when the job winds change… the question is….

Courtesy: Johnklund.com, 123rf.com

Search “CISSP” Results:

Dice.com - 1050

Monster.com - 1000

Search “CEH” Results:

Dice.com - 40

Monster.com - 40

.... what will your sail look like?

Page 39

Certifications and Different Schools of thought…

• Experience
  – 20 years of government experience in secure systems engineering, certification and architecture
  – BS Business Admin/Mgt; BSEE; MS CS with a focus on Secure Systems Engineering
  – 10 security related patents
  – NSA accreditations
• Complementary, not a replacement!
  – Your buddy does, but the HR rep may not know you…
• So you have the piece of paper, hung it on the wall…
• Certification vs. Professional Lifestyle
  – Don’t get it for the sake of getting it….
  – Conscientious choice to support your career’s direction
• Industry Participation
  – Security professional community
  – “Security professional” community
• Continuous Education
  – Knowledge can get stale…

vs. Certification?

• CISSP, CEH, CISA, etc.

now what?

Page 40

Not all certifications were created equal….

Concentration
• Security Domain
• Domain Segment
• Technology Area
• Industry Specific
• Vendor Specific
  – Cisco, Microsoft, Nortel, RedHat, Solaris, etc.
• Provider specific
  • ISC2, EC-Council, SANS, etc.
    – GIAC, CEH, CISSP, etc.

Orientation
• Management vs. Individual Contributor
• Policy Oriented vs. Technical
  - CISM, CISA, CISSP, CEH, QSA, etc.

Method
• Boot camp vs. Self study
• Classroom vs. CBT
• On-site, instructor led

Page 41

The Certification That Inspires Utmost Confidence

• If you plan to build a career in information security – one of today’s most visible professions – and if you have at least five full years of experience in information security, then the CISSP® credential should be your next career goal. 

• The CISSP was the first credential in the field of information security, accredited by the ANSI (American National Standards Institute) to ISO (International Organization for Standardization) Standard 17024:2003.

• CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement.

Certified Information Systems Security Professional - CISSP®

Marketing Alert!

Page 42

• The CISSP® Domains Include:
  • Access Controls
  • Telecommunications and Network Security
  • Information Security and Risk Management
  • Application Security
  • Cryptography
  • Security Architecture and Design
  • Operations Security
  • Business Continuity and Disaster Recovery Planning
  • Legal, Regulations, Compliance and Investigations
  • Physical (Environmental) Security

• CISSP certification pre-requisites:
  • Professional experience in two or more of the CISSP domains
  • Minimum 5 years of experience in information security
  • Complete the Candidate Agreement, attesting to the truth of his or her assertions regarding professional experience, and legally commit to adhere to the (ISC)2 Code of Ethics
  • Successfully answer four questions regarding criminal history and related background

Certified Information Systems Security Professional - CISSP®

http://www.isc2.org

Page 43

• Additional CISSP Concentrations
  – Information Systems Security Architecture Professional (CISSP-ISSAP)
    • The six domains of the CISSP-ISSAP CBK are:
      • Access Control Systems and Methodology
      • Communications & Network Security
      • Cryptography
      • Security Architecture Analysis
      • Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
      • Physical Security Considerations
  – Information Systems Security Engineering Professional (CISSP-ISSEP)
    • The four domains of the CISSP-ISSEP CBK® are:
      • Systems Security Engineering
      • Certification and Accreditation (C&A)
      • Technical Management
      • U.S. Government Information Assurance (IA) Governance (e.g., laws, regulations, policies, guidelines, standards)
  – Information Systems Security Management Professional (CISSP-ISSMP)
    • The five domains of the CISSP-ISSMP CBK are:
      • Security Management Practices
      • Systems Development Security
      • Security Compliance Management
      • Understand Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
      • Law, Investigation, Forensics and Ethics

Certified Information Systems Security Professional - CISSP®

Page 44

Myth #1: A CISSP certification is easy
Well, some people may think that it is easy. Most people find it hard work: you need to have at least 3 years in IT security before you even apply for the exam. You need to cover an extremely broad landscape of IT security - many areas, such as physical security, few people will have any experience in. And you'll need to do a fair bit of reading and studying to get through that exam: 250 questions to answer in 6 hours isn't much fun.

Myth #2: Once you get it, just sit back and relax
No. Once you pass the exam you need to earn CPE credits in order to keep your certification. If you don't then you'll need to resit the exam after 3 years to keep the certification. Getting CPEs is fairly straightforward: if you publish papers, attend seminars, do some presentations, and basically remain active in the IT security arena then you should have no problem here. But it takes a little work: this isn't a get-it and forget-it sort of certification.

Myth #3: You'll get more money/better job/more recognition
In actual fact, you probably won't. I've found (at least here in New Zealand) that many employers and even employment agencies have no idea what a CISSP is. They tend to think in terms of the product-certifications; you know, the Cisco CCNA and Checkpoint CCSE sort of thing. They have no idea that you need 3 years of experience to get a CISSP, and they have no idea that it is an ongoing professional-level certification like a CPA (Chartered Accountant). Ergo, you probably won't get a better job or more money from waving your CISSP certificate around.

So, why would you want a CISSP? It's not easy to get, it takes maintenance, and may not gain you much. Why would you want to go through all that hassle? Here are some good reasons:

• To expand your knowledge in security concepts and practices.
• To show a dedication to the security discipline.
• To meet a growing demand for security professionals, and to work in a thriving field.
• To join a professional organization and to link up with like-minded individuals

Certified Information Systems Security Professional - CISSP®

Getting a CISSP – think of it as a journey ...

Author: Kerry Thompson

http://windowsecurity.com/whitepapers/Getting-a-CISSP.html

Page 45

| Country | # | Country | # | Country | # | Country | # |
|---|---|---|---|---|---|---|---|
| (Other) | 5 | Czech Republic | 56 | Korea, Republic of | 2,479 | Saudi Arabia | 172 |
| Albania | 2 | Denmark | 271 | Kuwait | 38 | Senegal | 2 |
| Andorra | 2 | Dominican Republic | 4 | Latvia | 11 | Serbia | 7 |
| Angola | 1 | Ecuador | 5 | Lebanon | 15 | Singapore | 971 |
| Antigua and Barbuda | 1 | Egypt | 70 | Liechtenstein | 1 | Slovakia | 22 |
| Argentina | 89 | El Salvador | 3 | Lithuania | 9 | Slovenia | 16 |
| Aruba | 1 | Estonia | 7 | Luxembourg | 38 | South Africa | 293 |
| Australia | 1,145 | Faroe Islands | 1 | Macau | 16 | Spain | 390 |
| Austria | 95 | Finland | 298 | Macedonia | 8 | Sri Lanka | 57 |
| Azerbaijan | 1 | France | 508 | Malaysia | 221 | Sudan | 1 |
| Bahamas | 5 | France, Metropolitan | 7 | Malta | 9 | Suriname | 1 |
| Bahrain | 28 | French Polynesia | 1 | Mauritius | 13 | Sweden | 319 |
| Bangladesh | 1 | Germany | 799 | Mexico | 263 | Switzerland | 471 |
| Barbados | 24 | Ghana | 10 | Morocco | 2 | Taiwan | 215 |
| Belarus | 1 | Gibraltar | 2 | Namibia | 1 | Tanzania | 2 |
| Belgium | 305 | Greece | 78 | Nepal | 1 | Thailand | 114 |
| Belize | 1 | Guam | 4 | Netherlands | 1,058 | Trinidad and Tobago | 27 |
| Bermuda | 16 | Guatemala | 15 | Netherlands Antilles | 4 | Tunisia | 12 |
| Bolivia | 2 | Haiti | 1 | New Zealand | 147 | Turkey | 88 |
| Bosnia and Herzegowina | 2 | Honduras | 2 | Nigeria | 115 | Uganda | 3 |
| Botswana | 2 | Hong Kong | 1,286 | Norway | 121 | Ukraine | 17 |
| Brazil | 269 | Hungary | 71 | Oman | 10 | United Arab Emirates | 284 |
| Brunei Darussalam | 1 | Iceland | 3 | Pakistan | 94 | United Kingdom | 3,423 |
| Bulgaria | 18 | India | 1,171 | Panama | 12 | United States | 42,195 |
| Cambodia | 1 | Indonesia | 74 | Paraguay | 1 | Uruguay | 23 |
| Cameroon | 1 | Iran | 4 | Peru | 12 | Venezuela | 11 |
| Canada | 3,552 | Iraq | 2 | Philippines | 59 | Viet Nam | 12 |
| Cayman Islands | 13 | Ireland | 254 | Poland | 175 | Virgin Islands (British) | 1 |
| Chile | 73 | Israel | 178 | Portugal | 44 | Virgin Islands (U.S.) | 1 |
| China | 457 | Italy | 245 | Puerto Rico | 23 | Yemen | 1 |
| Colombia | 457 | Jamaica | 14 | Qatar | 47 | Zambia | 1 |
| Costa Rica | 7 | Japan | 1,215 | Romania | 55 | Zimbabwe | 4 |
| Croatia (Hrvatska) | 40 | Jordan | 22 | Russian Federation | 149 | | |
| Cuba | 1 | Kazakhstan | 6 | Saint Kitts and Nevis | 1 | | |
| Cyprus | 12 | Kenya | 16 | Saint Lucia | 2 | | |

Certified Information Systems Security Professional - CISSP®

Page 46

Certified Ethical Hacker - CEH

Page 47

Page 48

Certified Ethical Hacker - CEH

Page 49

CEH Certification

• The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself, all the while staying within legal limits.

• Catch a thief, by thinking like a thief
  Certified instructors will take you through practice exams and real world case studies that prepare you to become the Security Professional your organization can depend on.

• What is an "Ethical Hacker"? The Ethical Hacker is an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker.

• Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an Ethical Hacker and an organization, it is legal.

• The most important point is that an Ethical Hacker has authorization to probe the target

• The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective
  – Skills span across multiple domains: social engineering, in-depth technical expertise, vulnerability assessment, penetration testing, principles of forensic analysis, etc.

• The CEH certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure.

• A CEH is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

Certified Ethical Hacker - CEH

Page 50

Other CEH related certifications

• Advanced Ethical Hacker
• Certified Penetration Tester (CPT)
• Certified Expert Penetration Tester (CEPT)
• Certified Application Security Specialist (CASS)
• Certified SCADA Security Architect (CSSA)
• Certified Data Recovery Professional (CDRP)
• Certified Reverse Engineering Analyst (CREA)
• Certified Computer Forensics Examiner (CCFE)
• Etc…..

Certified Ethical Hacker - CEH

Page 51

Certification value to you and your company

You:
• Opportunity
• Continuous Professional growth

Company:
• Market specific training requirements
• Mandatory certifications

Page 52

Page 53

• DOD 8570 provides guidance and procedures for the training, certification, and management of all government employees who conduct Information Assurance functions in assigned duty positions

• DOD 8570 requires that anyone who has access to an Information Technology system must be certified with one of the external certifications listed. This includes contractors and vendors by 2010

Page 54

Where do you go from here?

– Assess your career objectives
  » Remember, “nothing matters but your resume”… ;)
– Talk to a CISSP or CEH and decide if it is the right certification for you
– Discuss with your manager whether a security certification is the right fit for you in your current or future roles
– Understand how security certification aligns with your organization’s business goals

Page 55

Keep in mind…

In conclusion...

sometimes, certification is nothing more than a

Page 56