Getting Into Infosec

DEFCON 2023

Ayman Elsawah — Thu, 03 Aug 2023 07:32:00 -0400

Hey folks, I'll be at DEF CON in Vegas this year! Would love to see you all there!

Jack's Parties: https://twitter.com/JackRhysider/status/1686785376327987200
Checkout Miscreants at the Vendor Area: https://www.miscreants.com/

yFDrTl54ZSu3KAmLWbmi

Mentioned in this episode:

Stay In Touch

Rana Khalil - From Cryptography to Pentester!

Ayman Elsawah — Fri, 11 Mar 2022 10:50:00 -0400

Journey into Cybersecurity and OSCP Certification with Rana Khalil

This episode features Rana Khalil, a Senior Cybersecurity Assessment Analyst with a rich background in pen-testing, especially in the financial sector. Rana shares her non-traditional entry into technology, starting with a dislike for her first laptop and phone, transitioning from biochemistry to a math degree, and eventually finding a passion in computer science, leading her to cryptography and cybersecurity. Her academic journey includes significant work in cryptography, under the tutelage of Carlisle Adams, and a master’s project on web application vulnerability scanners. Rana discusses her motivation and relentless pursuit of the OSCP certification, highlighting the importance of hands-on experience, teaching, and documenting the learning process through write-ups. She also conveys the value of previous experience in related fields, the significance of specializing and pacing in learning, and shares insights into her career progression, including valuable advice for people aspiring to enter the cybersecurity field.

00:00 Introduction and Guest Background

01:47 Rana's Journey into Cybersecurity

02:45 Rana's Early Interest in Mathematics and Cryptography

05:47 Transition into Computer Science and Web Security

10:52 Master's Research on Web Application Vulnerability Scanners

13:02 First Security Job and the Impact of Public Speaking

15:11 Journey to the OSCP Certification

17:36 The Value of Self-Study and Accountability

18:53 Reflections on the OSCP Experience

20:59 Understanding the OCP Exam

21:13 The Importance of Lab Time

22:18 The Value of Documenting Your Journey

22:49 Introduction to the OSWE Certification

25:07 The Role of Experience in Security

25:16 The Life of a Security Professional

25:25 The Importance of Specialization in Security

26:24 The Value of Previous Experience in Security

29:55 The Challenges and Rewards of Pen Testing

30:43 The Balance of Work and Personal Time in Security

34:58 The Importance of Focusing on One Area in Security

37:07 The Importance of Understanding Source Code

38:11 Final Thoughts and Advice

Thank you for listening!

Mentioned in this episode:

Stay In Touch

Norman Weekes— From Contractor To Security Ops Analyst

Ayman Elsawah — Thu, 24 Feb 2022 22:00:00 -0400

Norman Weekes is on the Security Operations Team at Salesforce. He is in charge of scanning their infrastructure and ensuring that everything is set up and operating properly.

Norman already spent almost a year in the information security world. This is also his first official full-time security job. After going through different job contracts, he believes that if everything's shut down early, there's no reason not to just get in a good routine and go after whatever certification or whatever job you want. This episode will undoubtedly inspire and assist job contractors who are considering a career in the information security world.

LINKS

Linkedin: https://www.linkedin.com/in/normanjr/

Security and Privacy Framework: iapp.org

Full Show Notes: https://www.gettingintoinfosec.com/

Mentioned in this episode:

Stay In Touch

Niru Ragupathy - From Almost Biotech to QA to Google Security Lead

Ayman Elsawah — Thu, 05 Aug 2021 06:39:00 -0400

Niru Ragupathy is a Security Engineer at Google and works as the Offensive Security Lead and manages part of the Offensive Security Team. She is currently the Tech Lead Manager. Niru sees managing as a challenging, interesting ride yet undervalued skill. She also considers it rewarding although it demands the investment of both time and effort.

She believes that it is important to start leading and take things slowly but not take the decision lightly. Having planned on taking Biotech in College but being persuaded by her parents, she was thrust to take on Computer Sciences since it has greater demands in society. In the face of her struggles, Niru has found her sense of belongingness in security management. This episode will surely encourage and benefit Engineers who struggle in transitioning on management.

LINKS

Linkedin: linkedin.com/in/niru-ragupathy-99078233

Mentioned in this episode:

Stay In Touch

John Gates - From Car Mechanic to Lead IT Security Analyst

Ayman Elsawah (@coffeewithayman) — Wed, 16 Jun 2021 02:24:00 -0400

John Gates is a Lead IT Security Operations Analyst for a global food brand. John has always liked to know how do things work - and that has proven to be a beneficial trait - from his first job as a car mechanic to IT consultancy and education to his current role. He’s also an advisor and former board member at OpsecEdu, an organization educating technologists in state, local, and education agencies on security best practices.

LINKS

Linkedin: https://www.linkedin.com/in/johngates/

OpsecEdu: https://www.opsecedu.com/

Intro Music: https://trash80.com/#/content/133/weeklybeats-2012-week5

Full Show Notes: https://www.gettingintoinfosec.com/john-gates-from-car-mechanic-to-lead-security-analyst/

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Samantha Cowan - From National Parks Service To Head Of Compliance

Ayman Elsawah (@coffeewithayman) — Mon, 31 May 2021 23:00:00 -0400

Samantha Cowan is the Head of Compliance at HackerOne. She's the former Director of Compliance at OneLogin and former Security Engineer at CoverHound, Cyber Policy, and Zenefits. Sam initially perceived Infosec as an "unhappy job", but later found herself taking her MBA and paving her way into the security industry. Despite having her master's degree, she was not an exemption to facing rejections when applying for cybersecurity. Her episode is mind-blowing as she shares how you can break into boundaries by being confident in yourself and by not compromising to being seen as a token hire.

LINKS

Linkedin: https://www.linkedin.com/in/samanthacowan/
Intro Music: https://trash80.com/#/content/133/weeklybeats-2012-week5
Security and Privacy Framework: iapp.org

----------------------------------------------

Follow @coffeewithayman on Twitter for more

For more information check out: gettingintoinfosec.com

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Betsy Bevilacqua - From Almost Lawyer to CISO and Security Leader

Ayman Elsawah (@coffeewithayman) — Sun, 28 Feb 2021 22:00:00 -0400

Betsy Bevilacqua is the current VP of Information Security at Chainalysis. Initially, she had her mind set on law school until she did a self-audit and realized that she enjoyed computers and tech much more. Her journey into infosec led her to move from Kenya to the US to obtain a degree in Security and explore various companies involved in academia, food and facilities, healthcare, telephone communications, and finance to more traditional tech. Her interview is full of advice for those looking to break in and those already in infosec.Computer

Links, Detailed Show Notes, and Transcript:

https://gettingintoinfosec.com/betsy

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Dr. Eric Cole - Accidental CIA Hacker To Fortune 500 Security Advisory To Entrepreneur

Ayman Elsawah (@coffeewithayman) — Mon, 11 Jan 2021 06:55:00 -0400

Dr. Eric Cole is an accomplished cybersecurity hacker and executive advisor. His career has been a mix of sixth-sense chance encounters and wisdom/foresight of the future. His uncanny ability to see the opportunity in cybersecurity combined with the wisdom to listen to those smarter than him is why he is where he is today. His interview is chock full of poignant advice and tips.

Dr. Eric Cole also has a creative side to him: he's a musician. He was a French horn player before and now, he's a drummer. He's known as the Tommy Lee of Cybersecurity.

Eric Cole's Quick List of Advice

Always be respectful, Don't be an A**Hole to other people… but don't give a crap what other people say or think because we're unique and different. If you're an entrepreneur in cybersecurity, they're not gonna get ya.
Listen to people that are smarter than you and have made the mistakes before you make them.
Life will force you to repeat lessons until you learn them.
The biggest gap is in the monitoring, detection, and analyst side.

Quotes

"It's all about looking at calculated risk, understanding [the] pros and cons, and taking chances."
"You've done the same thing six times in a row, and it doesn't work. What makes you think if you do it a seventh time [that] it's actually going to work?"
"Try different things."
"Have advisory board members for your life."
"If the best professionals in the world have coaches, why shouldn't we?"
"If people are not listening to your advice, 99% of the time, it's because you didn't answer the right question."
"Smart people know the right answer. Brilliant people ask the right question."
"Good cybersecurity people solve problems. Great cybersecurity people solve the right problems."
"Don't overlook the obvious."
"It's never a lack of resources, but a lack of resourcefulness."

Getting Into Infosec

Other episodes, transcripts, a career guide to Getting Into Infosec:
https://gettingintoinfosec.com/

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Lisa Jiggetts - From Navy Cook To Pentester To Non-Profit Founder!

Ayman Elsawah (@coffeewithayman) — Mon, 23 Nov 2020 20:00:00 -0400

Lisa Jiggetts knew from an early age that she was going to be in tech and cyber. A navy veteran who started off as a cook, she always found herself gravitating towards technology. She is also the Founder & Board of Director of the Women’s Society of Cyberjutsu, a non-profit that is dedicated to increasing the opportunities and advancement for women in cybersecurity. Check out her journey into the cybersecurity field.

Notes

Originally a cook in the military, then migrated to information security.
Looked for opportunities to transition into information security by talking to people in and outside her social network.
Networking can be hard, but it will turn in your favor.
Lisa is an introvert, but knows how to become an extrovert when needed.

Quotes

"When you're starting out, you don't necessarily get into the area you want to be in—you got to work your way up."
“That's the biggest thing you can do. I think is networking because somebody knows somebody."
"So I got all these certifications… I read a book and pass. What is it to me personally? That didn't tell me, you know, how to do anything. They get you in the door."
"[Networking is] hard, but just do it because, in the end, it's gonna turn out in your favor."

Links

Lisa on Twitter: https://twitter.com/lisajiggetts
Intro Music: https://trash80.com/#/content/133/weeklybeats-2012-week5
Women’s Society of Cyberjutsu: https://womenscyberjutsu.org/

Getting Into Infosec

Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Stay in touch and sign up for sneak peeks, updates, and commentary: https://gettingintoinfosec.com/subscribe
Ayman on Twitter: https://twitter.com/coffeewithayman
Follow Us on Twitter: https://twitter.com/getintoinfosec
Follow Us on Instagram: https://www.instagram.com/coffeewithayman/
Join our community: https://community.gettingintoinfosec.com/

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Eric Strom - From Lawyer to FBI Cyber Division Unit Chief

Ayman Elsawah (@coffeewithayman) — Sat, 24 Oct 2020 02:06:00 -0400

Eric Strom is the Unit Chief of the Mission Critical Engagement Unit, Cyber Division. In this role, Mr. Strom oversees the FBI Cyber Division’s private sector outreach efforts to the 16 critical infrastructure sectors, forging partnerships with companies in those sectors to develop and share threat intelligence related to activities by sophisticated criminal organizations as well as nation-state actors.

Notes

Eric has been with the FBI for 21 years, since June 1999
Originally a lawyer practicing criminal defense and civil defense, then went to non-profit
Early on in the FBI, they had to do a lot of workarounds. Cyber wasn't so straightforward
56 Field offices were all doing something different, then became consolidated centrally as a service organization

Quotes

"Now, it's funny. None of us really had a traditional cyber background. Tom started out his career as a geologist, and Keith actually started out selling, like, furniture. He was a salesman."
"But, I mean, from the legal standpoint, you've got third-party liability and other things. So we really had to walk a kind of a tight rope when it came to what types of malware we were infecting ourselves with. And then how far we'd let it go."
"And so as we're taking it over, it was really interesting to sit behind one of the malware analysts and watch a Wireshark and watch the instructions coming out. I crossed the wire. It was really cool. And when it really kind of sunk in, because to me, it was like a tangible thing. I can actually see it happening as it was going on."
"It's (cybersecurity) probably the most rewarding thing you'll ever do in your life."

Links

FBI: https://www.fbi.gov/
Intro Music: https://trash80.com/#/content/133/weeklybeats-2012-week5
Outro Music: https://freemusicarchive.org/music/KieLoKaz/Free_Ganymed/Alte_Herren_Kielokaz_ID_364

Getting Into Infosec

Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Stay in touch and sign up for sneak peeks, updates, and commentary: https://gettingintoinfosec.com/subscribe
Ayman on Twitter: https://twitter.com/coffeewithayman

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

ICS Gabe - Electrical Engineer to Accidental Cybersecurity ICS Expert

Ayman Elsawah (@coffeewithayman) — Sat, 10 Oct 2020 23:56:00 -0400

Gabriel Agboruche (@ICS_Gabe) is a senior ICS and OT cybersecurity consultant, helping organizations solve their most challenging industrial control security problems. And that was a mouthful, but that's what he does. His journey's unique one, and almost didn't happen.

Notes

Gabe was a math whiz in the Detroit Public school system
During college, he had some unique experiences as an African American, one of which was due to him being the top of his class
Gabe was an electrical engineer working at a nuclear facility, then #Stuxnet happened
The demand for cybersecurity skills combined with his experience and love for growth paved the way for where he is today.

Quotes

"All these systems are air-gapped by regulatory guidance."
"I'm here for my education. I'm going to get this education. And not even necessarily prove this person wrong, but I'm going to be here and do what I have to do in order to get where I desire to be."
"He's like, wow, you're the first black guy that I have ever seen in person."
"I almost rushed with him for one (a fra)."
" I saw that I would gain a greater exposure to a lot more technologies within my field. I get to see different plants. I get to touch different areas."

Links

Getting Into Infosec Info

Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Stay in touch and sign up for sneak peeks, updates, and commentary: https://gettingintoinfosec.com/subscribe
Ayman on Twitter: https://twitter.com/coffeewithayman

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

BONUS - Lisa Jiggetts - Salary Negotiations

Ayman Elsawah (@coffeewithayman) — Sat, 15 Aug 2020 21:01:00 -0400

Lisa Jiggetts is the founder of the Women's Society Of Cyberjutsu. After recording, we continued talking and the topic of salary negotiations came up. It was so good I started recording again. This topic is super important. I have seen both experienced and inexperienced people make these mistakes.

Getting Into Infosec

Ask A Question: https://gettingintoinfosec.com/ask
Website: https://gettingintoinfosec.com
Ayman on Twitter: https://twitter.com/coffeewithayman
Breaking IN Book: https://gettingintoinfosec.com/book
Join My Mailing List: https://gettingintoinfosec.com/list

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Switching Into Infosec Success Story And Lessons Learned

Ayman Elsawah (@coffeewithayman) — Thu, 16 Jul 2020 04:30:00 -0400

Today's episode features a story that was sent to me by a listener. He reached out to me on LinkedIn, telling me of his success story posted on Reddit. This is the audio version. I think you're going to be really interested in what he had to say. He talks about his struggles and what he went through in his journey to Information Security.

Original Reddit post:

https://www.reddit.com/r/ITCareerQuestions/comments/fw44sg/career_change_success_story_starting_my_first/

Getting Into Infosec Links:

Site: https://gettingintoinfosec.com/
Book: https://breakingintoinfosec.com/
Follow Me Twitter For More Resources To Help You On Your Journey: https://twitter.com/coffeewithayman

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Black Lives Matter

Ayman Elsawah (@coffeewithayman) — Mon, 01 Jun 2020 23:23:00 -0400

Transcript

Hey everyone…

So, as if this time was not hard enough as it was with Covid, the American Black community has been affected yet again.

It's difficult to post motivating content while so many are feeling a sense of outrage and so much going on. So I'm going to pause, slow down, or at least take into consideration the posting of new content during this period. Of course, people still need to work, so I can't stop completely, and I do have episodes coming down the pipe.

There's a personal story I want to share related to this.

A friend and I were driving once, but he realized he left his wallet at home, which had his driver's license. I said, "Not a big deal. They can just look you up if you get pulled over." He then looked at me, and I then figured it out: he's black.

It hit me then how privileged of a life I had. It then hit me how scary driving while back really is. I may not be white, Christian, and from the suburbs, but I'm not black and male.

I may not have the best things to say at this moment, but I realize staying silent isn't an option. I don't have a TV, and I'm not on Twitter often, but the little I did see made me realize silence or status quo is almost as bad.

Diversity and inclusion are an integral part of this podcast. I've never called it out as I just wanted my lineup to speak for itself. Many of my guests are black. For the longest time, it was rare to see a brown or black person at a security conference. It was quite lonely.

For listeners outside of the US, please try to empathize with whatever social divide you have in your country. It could be the religious minority in your country, the darker-skinned, those of a "lower" social caste, the poor, or whomever it may be. There are always those that are marginally suppressed or oppressed.

So….

I stand with the Black community against racism, violence, and hate. Now, more than ever, we must support one another as allies and speak up for justice and equality.

#BlackLivesMatter

******************************************

Website: https://gettingintoinfosec.com/

Twitter: https://twitter.com/coffeewithayman

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

BONUS - Announcing Getting Into Infosec BITES

Ayman Elsawah (@coffeewithayman) — Thu, 14 May 2020 00:47:00 -0400

Hello! Wanted to let you know I'm creating daily (almost) videos on YouTube called Getting Into Infosec BITES: https://www.youtube.com/c/gettingintoinfosec

Please like, subscribe, and spread the word.

The best thing you can do to support this media is to spread the word and let others know. Thanks!

Links:

Site: http://gettingintoinfosec.com/
Book: http://breakingintoinfosec.com/
Twitter: https://twitter.com/coffeewithayman

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Kavya Pearlman - From Hairstylist to CISO to XR Superhero

Ayman Elsawah (@coffeewithayman) — Sat, 18 Apr 2020 19:14:00 -0400

Kavya Pearlman is an award-winning cybersecurity professional with a deep interest in immersive and emerging technologies. Kavya is the founder of the non-profit XR Safety Initiative (XRSI). XRSI is the first global effort to promote privacy, security, ethics, and develop standards and guidelines for Virtual Reality, Augmented Reality, and Mixed Reality (VR/AR/MR), collectively known as XR.

Kavya is constantly exploring new technologies to solve current cybersecurity challenges.

Quotes:

"Money, money, money. How much money [are] you going to make? I was so put off. No, it's not about money. I really just want to learn."
"What would you become when you grow up? I would be a D.I.G. (Deputy Inspector General)."
"This country needs me. This world needs me."
"You owe it to yourself to explore this little itch, and figure out whether this is your passion or not."
"You will inevitably make (sometimes) bad decisions."
"Technical support IS security."
"I don't think anyone read that [report], but then it gave me some satisfaction that this is awesome. I can actually take what I'm learning and apply it to the job."
"Believe in yourself. Not just for information security."

Links:

Kavya Pearlman - https://twitter.com/KavyaPearlman
XRSI - https://www.xrsi.org/
Caroline Wong - https://twitter.com/carolinewmwong
Steve Hunt [22:17] - https://twitter.com/Steve_Hunt

Getting Into Infosec:

Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Stay in touch and sign up for sneak peeks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

BONUS - Pandemic and The Coming Recession / Depression

Ayman Elsawah (@coffeewithayman) — Thu, 02 Apr 2020 23:35:00 -0400

We are in the middle of a worldwide pandemic (COVID-19), a recession is here, a depression might be coming, and everyone is remote! Everything has changed. What can you do? How can you find a job in these crazy times? What are the challenges? How can you make yourself valuable? What's going through the company or hiring manager's mind?

Please share or leave an awesome review if you found this helpful.

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Syntax - Arrested Teenager to Motorcycle Racer To Pentester

Ayman Elsawah (@coffeewithayman) — Tue, 10 Mar 2020 09:47:00 -0400

Syntax, an internal pentester for a large organization, had an interesting ride into infosec, filled with pitstops, detours, and countersteering along the way. At an early age, he was influenced by his father, got started hacking, and was wrongfully arrested for reporting a vulnerability in his High School. Hear his exciting journey into infosec, filled with life lessons.

Shownotes

Was arrested in High School for disclosing a vulnerability in the school IT system
Went to college for computer science, but dropped out
Inspired by the movie hackers
His first computer had a 1MB hard drive (yes, not a typo!)
Still went to Defcon even when he was not in IT or working in security
Was a professional motorcycle racer
Kept all his rejection letters as a way of motivation to keep going
Had some business and entrepreneurial experience in the past, which helped him get back into the field
Got back into security through… IT!

Quotes

"A lot of our time is spent arguing with the other departments and justifying our findings." [2:58]
"Is this cross-site scripting really a problem?"
"I get stuck a lot… it's kind of the nature of the beast." [5:17]
"I'm not going to work in tech again." [12:21]
"You're a motorcycle mechanic… why should we hire you?"[19:07]
"It's my hacker family. These are my people. Everyone in security, they make sense to me, cause they're all kinda like me." [19:41]
"I kept getting [these] projects coming my way and I constantly said, 'YES.'" [22:07]
"Have you done this before? … no, but I'll learn!" [25:06]"
"Because I had that mindset… I was seeing [from a] different [perspective] than other analysts." [26:00]

Links

Syntax on Twitter: https://twitter.com/syntax976
DCZIA: http://dczia.net/
Queercon: https://www.queercon.org/
Outro Music: "Pure Decking" by Patient Zero from the album "Screen Saviour" her link is http://patientzero.bandcamp.com and she is @DoctorKraft on the Twitter

Getting Into Infosec

Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Sign up for sneak peeks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Bonus - Cyber Security Job Search Frustrations (Ivan)

Ayman Elsawah (@coffeewithayman) — Sat, 07 Mar 2020 16:00:00 -0400

These are quick hallway conversations with recent graduates discussing the difficulties they've faced in their job search. I did not know any of these people before interviewing, and it's the first time I'm asking them these questions. This was recorded at RSA Conference 2020.

Getting Into Infosec:

Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Sign up for sneak peeks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Bonus - Cyber Security Job Search Frustrations (Zoe)

Ayman Elsawah (@coffeewithayman) — Fri, 06 Mar 2020 14:00:00 -0400

Getting Into Infosec:

Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Sign up for sneak peaks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Bonus - Cyber Security Job Search Frustrations (Jayesh)

Ayman Elsawah (@coffeewithayman) — Thu, 05 Mar 2020 20:00:00 -0400

Getting Into Infosec:

Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Sign up for sneak peeks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Bonus - David Zeichick - Cybersecurity College Professor

Ayman Elsawah (@coffeewithayman) — Wed, 04 Mar 2020 06:27:00 -0400

So as I was at RSAC, I was trying to keep an eye out for those looking to get into the field. RSA is not usually the place for that, but I saw the NetWars tournament and figured that might be a good place to start. On my way there, I met David Zeichick, who had "College Day" on his badge. Intrigued, I asked about "College Day," and he told me all about it.

I sat down with him for an impromptu interview on the topic.

Links

David on Twitter: https://twitter.com/dzeichick

Getting Into Infosec:

Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Sign up for sneak peeks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Tanya Janca - From Insecure Developer to Appsec, Diversity/Inclusion Advocate, and Mentor

Ayman Elsawah (@coffeewithayman) — Sun, 23 Feb 2020 18:05:00 -0400

BIO

Tanya Janca, also known as SheHacksPurple, is the author of ‘Alice and Bob Learn Application Security.’ She is also the founder of We Hack Purple, an online learning academy, community, and podcast that revolves around teaching everyone to create secure software. Tanya has been coding and working in IT for over twenty years, won numerous awards, and has been everywhere from startups to public service to tech giants (Microsoft, Adobe, & Nokia). She has worn many hats: startup founder, pentester, CISO, AppSec Engineer, and software developer. She is an award-winning public speaker, active blogger & streamer and has delivered hundreds of talks and trainings on 6 continents. She values diversity, inclusion, and kindness, which shines through in her countless initiatives.

Founder: We Hack Purple (Academy, Community, and Podcast), WoSEC International (Women of Security), OWASP DevSlop, OWASP Victoria, #CyberMentoringMonday

Notes

Part of security is teaching security
Started in software development, then starting meeting hackers, and decided to switch to security.
Tanya is extremely scholastically inclined
She comes from a family full of women computer scientists, technologists, and mathematicians!
- Her aunt was the FIRST to graduate in CS from Ontario.
- Her mother was a mathematician.
- She had four uncles in computer science.

Tanya's Quick List For Getting Into Infosec

Responsibility of a mentee: [30:29]
- Have energy and time
- Respect your mentor's time
- Need to have already looked for the answer online before you ever ask them for something
- They are not a free consultant; you shouldn't ask them to do your work
- You shouldn't stand them up for meetings
- Recognize and have gratitude for the fact that this person has a crap-ton of knowledge in their brain that they're sharing with you for free. They're taking the time out. You're not their daughter or son. You're not their friend. You're a person in their industry, and they're trying to pay it forward.
- You want to actually do the exercises that your mentor gives you
- Choose your mentor wisely
- Do not expect your mentor to find you a job

Quotes

"We're graduating people who don't know how to make secure software, but they do know how to make software! So that ends up being insecure software." [4:57]
"So if I [were] going to teach a software security course at a university, they would pay me as an adjunct professor, and they would pay me almost nothing. It would almost be equivalent to volunteer work." [5:35]
"I thought I really wanted to be a penetration tester until I discovered that there is this weird spot… in between red team and blue team." [10:17]
"A lot of penetration testers get a little depressed."[11:07]
"People just don't know how many super awesome cool things there are out there!" [15:11]
"The people I liked the best are the people in my computer science class." [22:24]
"Honestly, I just smoked a lot of weed and just showed up and would ace things." [22:12]
"You don't have to spend money at the beginning necessarily." [31:58]
"Which certification should I get so that I can be a good pentester?" [31:34]
"I don't know enough to be a mentor." [31:50]

Links

Tanya Online
- Personal Site: https://dev.to/shehackspurple
- Twitter: https://twitter.com/shehackspurple
- Pushing Left Series: https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95
NICE Framework: https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center
OWASP: https://owasp.org/
WoSec: https://wearetechwomen.com/wosec-women-of-security/
Franziska Bühler https://twitter.com/bufrasch

Getting Into Infosec

Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Sign up for sneak peeks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Nick Vissari - Engineering Dropout to Math Tutor to Security Architect/Engineer

Ayman Elsawah (@coffeewithayman) — Tue, 04 Feb 2020 00:03:00 -0400

Nick Vissari went from being an engineering dropout (he didn't like creative writing) to a tech consultant to a math tutor. His penchant for fixing things homed him back into tech, where he is now responsible for security in a large school district. He recently went back to school and received his cybersecurity degree as well.

Notes

At 10-years-old, his Dad had problems putting the computer together, so he helped his dad
Family never stifled any inquisitiveness he had
Started as a math tutor at the school system
How he initially had the wrong attitude in security

Quotes:

"Once you get into a position somewhere, do whatever you can to make yourself invaluable. Find the things people don't want to do and do them. The hard problems are the ones most rewarding."
"If you're not automating right now, it's probably because you have more resources than you know what to do with."
"There are a lot of people that are security professionals, but they really don’t know about how a system works."
"Just got to have that passion for wanting to learn and you can definitely jump into security."
"My grandmother always said: 'Those who don't make mistakes, don't do much.' So get out there a make a bunch of mistakes."
"Don't be that guy that says 'No' to everything."

Links

Nick on Twitter: https://twitter.com/nickadam
sslstrip by Moxie: https://github.com/moxie0/sslstrip
Firesheep plugin: https://en.wikipedia.org/wiki/Firesheep

Getting Into Infosec

Checkout My Book: Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
Sign up for sneak peeks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Page Glave - Professor of Kinesiology to Cybersecurity Analyst!

Ayman Elsawah (@coffeewithayman) — Sat, 16 Nov 2019 07:53:00 -0400

Page Glave was a tenured Associate Professor of Kinesiology with a focus in exercise science and was successful in her field. However, she came to the realization that she can't see herself doing this for the rest of her life. She offers lots of great advice on resume tips when switching, homelabs, certifications, and how she was able to break into the field. This is her story.

BIO

I am an analyst, project manager, ethical hacker, and tech consultant with more than 10 years’ experience with research and project management. I spent a while in higher education – long enough to get tenure and decide it was time to do something else. I have eJPT (eLearnSecurity Junior Penetration Tester), Security+ and Splunk User certifications. I love learning and tech, so digging into all of this stuff just makes me happy.

Notes:

5-months into her first security job!
Being in a small environment, she gets to do everything from governance to pentesting
Previous to this, she was a tenured associate professor in kinesiology, focusing on biomechanics and obesity.

Quotes:

"Pretty big adventure on a daily basis because no day is the same."
"Really is an environment where security is everyone's job."
"I think I'll always be in-house tech support for as long as I live." [7:08]
"I kinda got bored… I didn't want to keep doing something that wasn't challenging." [7:28]
"Do I really want to do this for the next 30 years?" [7:58]
"…going through the headers, that should have been a clue that maybe tech would have been a good fit for me."
"You'd be hard-pressed to find anyone in Information Security who was just thrilled with their budgets."
"Being able to translate that self-directed learning to something on my resume."

Links:

Page's Twitter: https://twitter.com/pageinsec (Thank her via Twitter)
Breaking Down Security Podcast: https://www.brakeingsecurity.com/
Pacific Hacker's Conference: https://phack.org/
Sam Bowne's Class: https://samsclass.info/
Skadi VM: https://www.skadivm.com/ (by Alan Orlikoski https://twitter.com/AlanOrlikoski)
Marco Palacios: https://twitter.com/MPalacios_Cyber
Keirsten Brager: https://twitter.com/KeirstenBrager
Intro Music: https://trash80.com/#/content/133/weeklybeats-2012-week5
Outro Music: https://www.youtube.com/channel/UCNXDIltPLbdcAavUtL00i7g

Getting Into Infosec:

Follow Me on Twitter: https://twitter.com/coffeewithayman
Subscribe To YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Checkout My Book: Breaking IN: A Practical Guide to Starting a Career in Information Security
Sign up for updates and commentary: https://mailchi.mp/467573a314e5/gettingintoinfosec
Website: https://gettingintoinfosec.com

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Nick Jeswald - Confessions of a Cybersecurity Recruiter (Part 2)

Ayman Elsawah (@coffeewithayman) — Sat, 02 Nov 2019 01:18:00 -0400

Part 2 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.

Show Notes

SEE PREVIOUS EPISODE FOR COMPLETE NOTES & RECRUITING TIPS FROM NICK.

Getting Into Infosec:

Follow Me on Twitter: https://twitter.com/coffeewithayman
Subscribe To YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Checkout My Book: https://amzn.to/2HP2i25
Sign up for updates and commentary: https://mailchi.mp/467573a314e5/gettingintoinfosec
Website: https://gettingintoinfosec.com

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Nick Jeswald - Confessions of a Cybersecurity Recruiter (Part 1)

Ayman Elsawah (@coffeewithayman) — Fri, 25 Oct 2019 07:27:00 -0400

Part 1 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.

BIO:

I've been in infosec for 8 years, and in various IT roles since 1996 (Developer -> Sales Engineer -> BD Specialist -> Security BD -> Security Recruiting -> Dir. Corp Dev). However, I've also been one of the top recruiters for each company I worked at whatever role I've had.

Show Notes:

Internal recruiters != external recruiters
- Backgrounds are different
  - External recruiters come from varied backgrounds, virtually zero from infosec
    - Much like BD people
  - Internal recruiters are more likely to have a greater understanding of infosec or at least IT
  - A recruiter that doesn't understand security is more likely to make bad placements with higher turnover
- Motivations are far different
  - I want to choose people to spend a career with
  - They want to make a commission and meet SLAs
- Attention to detail is very different
  - A tiny detail that could betray a hidden skill set or flaw would likely be overlooked by a 3rd party
  - I have an interest in understating the person, not just the resume
    - What is their desired career/life trajectory?
    - How will our company enrich/hinder that life?
You are in competition with an army of low-skilled counterfeits
- You need to be able to demonstrate raw skills, not just list your certs
- Have a body of work available for review on GitHub, your own site, etc.
- Internships are a nice touch, but they cut both ways
  - You interned with unnamed-big-4-biz-consulting firm? Don't drag that culture in here. I fear for what you learned.
- Can't talk about where you interned because it was a non-DOD three-letter agency? Communicate that point to me in your way. If that is the truth, I'll trace you back and verify.
Always be client-facing
- I have seen many recruits passed over for poor hygiene, arrogant treatment of interviewers, disclosure of illegal activity, and just generally obnoxious behavior
  - You couldn't act like this on a client site and not get sent home; don't do it on the interview
  - Yes, you are talented...there's always someone cooler than you
Interview your interviewers
- You should have a standing list of questions for interviewers
  - Why do you stay with them?
  - What is the intended growth path? Organic? IPO? Channel?
  - Is there any merger/acquisition activity going on? Planned? Intended impact?
  - Is there any rebranding activity going on? Planned? Intended impact?
  - What conditions are driving this open role? Turnover? Internal restructuring? Organizational growth?
  - Will I be supported in my security research? How?
  - Does your company have a defined mentoring path? Why not?
  - How does the company support continuing infosec education?
Meet your team
- Watch the team interaction closely
- Can you see cohesion? Are they supportive or adversarial? Are they authentically happy with their jobs?
Understand the org chart you are stepping into
- To whom does security answer? CXX? IT Director? General Counsel?
  - Understanding this will help mitigate surprises later
Understand the company culture
- Big corp? Big corp problems.
- Boutique? Founder problems.
- Is there a "treehouse" mentality among the senior employees?
Never forget who you are
- I know you want a job, but don't take a job that is sure to kill you slowly from the inside
  - Like doing offensive security? Don't start in the SOC.
- Did you walk away from the interview(s) thinking that this company understands the care & feeding of hackers?
- If you can already see the point at which you will outgrow the company, is it the right place to start?
  - Maybe! If you have a goal of entrepreneurship, or of working for a specific team, this first step just needs to support that eventual goal. This may be detected by an astute interviewer, though.

Resume tips

One page.
- My dad started at the bottom, and worked up to EVP of a Fortune 50 corp. One page.
Focus on your work experiences and extracurricular infosec workrelevant
I'd rather read about 0days and CVEs than certs
I want to know about your community involvement
- 2600, local DCs, TOOOL, OWASP, etc.
- Presentations at cons matter to me, especially if I can watch you deliver information to an audience
  - Like a free audition, and believe me I watch every one people link in resumes
I don't care about your GPA, fraternity/sorority, who we know in common, what sports you enjoy, or what you look like. At all.
- Seriously, don't add a photo.

General tips

Code in several languages.
- Despite semantic differences, you should have a pretty good working knowledge of the most widespread VMs, coding languages, and compilers
Web apps are your paycheck
- Knowing the OWASP Top 10 is like knowing your middle name...not impressive in and of itself, but if you don't know them, there's something wrong.
- Many composite "red team" projects will involve some Web app hacking, and even the most specialized consultancies will agree to a Web app assessment for an established client
Think holistically, and make yourself more valuable
- If you can't write a report, of what value are your assessment activities?
- Seem always to have interpersonal conflict? Time to read up on Empathy and EQ. Be the go-to on your squad.
- Get comfortable with an audience. Toastmasters is there for you.
Learn the value of "the Halloween Mask" as Henry Rollins called it
- Sure, you're a young security professional. We all expect eccentricity from you. We're all also trying to make money and be taken seriously
  - Don't forget: in boardrooms of white-haired old men across the nation, we're still the same guys who lost them millions of dollars on ERPs and useless Y2K preparations
  - I'm not kidding about this.
- Don't wield your difference like a blunt object. A little bit goes a long way when you're also scaring the hell out of everyone with pen test reports.
- My life is far more complex and wacky than my coworkers know, and I talk a lot. I just know how much to let through the mask

Getting Into Infosec:

Follow Me on Twitter: https://twitter.com/coffeewithayman
Subscribe To YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Checkout My Book: https://amzn.to/2HP2i25
Sign up for updates and commentary: https://mailchi.mp/467573a314e5/gettingintoinfosec
Website: https://gettingintoinfosec.com

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

September 2019 Update

Ayman Elsawah (@coffeewithayman) — Mon, 23 Sep 2019 11:00:00 -0400

Summer was crazy. My day job was keeping me super busy, and I've been really mentally occupied lately dealing with kids, family, and school. I miss producing shows and will be getting back into it. Have some really good shows queued up! I've still active on Twitter when possible, so we can stay in touch there in between shows.

Oh, and by the way, it's been a year since I started podcasting! Pretty cool. So many things I want to do with the show, like animating my spoof ads and transcribing the shows.

Anyway, just wanted to update you and let you know I didn't forget about you. I can't wait to release some of these amazing shows.

As we depart, here is a draft of a spoof ad I put together real quick. It talks about my love of the word "cyber."

See you next time.

Getting Into Infosec:

Follow Me on Twitter: https://twitter.com/coffeewithayman
Sign up for updates and commentary: https://mailchi.mp/467573a314e5/gettingintoinfosec
Subscribe To YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Checkout My Book - Breaking IN: A Practical Guide To Starting A Career In Infosec - https://amzn.to/2HP2i25
Website: https://gettingintoinfosec.com

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Fareedah Shaheed - From Tech Curious to Information Security

Ayman Elsawah (@coffeewithayman) — Wed, 31 Jul 2019 06:52:00 -0400

Fareedah, a lifelong learner, was always interested in technology and grew up reading her father's Cisco books. His influence led her to the field of information security, where she stepped up and is always tackling new challenges.

BIO

Fareedah Shaheed was born in Maryland, but spent most of her childhood outside of the US. She returned to the States in 2013 and attended the Community College of Baltimore County (CCBC), where she majored in cybersecurity.

Her experiences with different cultures and the tech field led her to combine her interest in psychology with cybersecurity, and thus, her passion for security awareness was born.

In 2018, she founded Sekuva with the mission to educate and support small business owners and families with understanding how to secure their sensitive information.

She currently works as a Security Control Analyst at a financial firm in Maryland.

Notes:

Currently works with Security Awareness and Threat Intelligence
Must break down concepts for both executives and associates
Saw that there was a lack of cybersecurity awareness for "regular" people, especially with parents
Got thrown into leading "lunch & learn" events and experienced imposter syndrome due to her lack of her experience
Her lack of experience became a benefit to the audience as they were able to relate!
Father was in tech. Changed her major in college based on his advice
Wanted to teach, but didn't want to be a teacher
Has read 2000 books since childhood
Fareedah had really good role models growing up

Quotes:

"I vowed never to have anything to do with math whatsoever."
"I was a broker, I did an internship, I did teaching... and through all of that, I realized I didn't really want anything but tech."
"Whatever your parents' field is, that kind of is in the back of your head, whether it's a yes or no."
"Let me do it. Let me try this out."
"Cybersecurity is new. It's upcoming. I really believe that your skills would be good for cyber. There's not a lot of women there. Especially not a lot Muslim women there, who look like you."
"I remember just lying awake at night just thinking about how does WiFi work."
" Instead of guards, we have guides." [21:12]
"You have to do it afraid; you can't wait for the perfect moment." [25:35]

Links:

Fareedah on Twitter: https://twitter.com/cyberfareedah
Fareedah's Company- Sekuva: https://sekuva.mykajabi.com/
Year Up: https://www.yearup.org/

Getting Into Infosec:

Follow Me on Twitter: https://twitter.com/coffeewithayman
Subscribe To YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Checkout My Book: https://amzn.to/2HP2i25
Sign up for updates and commentary: https://mailchi.mp/467573a314e5/gettingintoinfosec
Website: https://gettingintoinfosec.com

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

BONUS - Updates, Defcon, More

Ayman Elsawah (@coffeewithayman) — Fri, 26 Jul 2019 05:30:00 -0400

Hey, everyone!

It's been a while, I know. Life has been busy. Lots of transitions, so schedule has taken time to get used to.

Links

Security Sandbox Podcast: https://podcasts.apple.com/us/podcast/hacker-culture-fm/id1453203447
Sean Sun: https://twitter.com/seanqsun
Hacker Culture FM: https://www.hackerculture.fm/
Defcon Sticker Swap: https://twitter.com/dcstickerswap
Outro Music: https://soundcloud.com/southlondonhifi

Getting Into Infosec:

Follow Me on Twitter: https://twitter.com/coffeewithayman
Subscribe To YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Checkout My Book: https://amzn.to/2HP2i25
Sign up for updates and commentary: https://mailchi.mp/467573a314e5/gettingintoinfosec
Website: https://gettingintoinfosec.com

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Keya Horiuchi - From Teacher, Filmmaker, and Website Design to Security Engineer!

Ayman Elsawah (@coffeewithayman) — Sat, 15 Jun 2019 02:12:00 -0400

Keya was a public school teacher who stood out from the crowd. She loves problem-solving and challenging environments. Keya was also a filmmaker and web designer. She's currently a detection security engineer who gets knee-deep in malware on a daily basis.

Notes:

Knew she didn't want to be a teacher her whole life
Was the only one in the rational thinking group at her school
Enjoys rational thinking and the problem-solving process
Prototyped a mock medical device with a Raspberry Pi and won a national competition!

Quotes:

"Easy to get into what you're comfortable with... and I didn't want to have a job like that."
"It was something that I enjoyed, but I definitely feel more at home with the cohort that I work with currently and with what I do."
"For me, it was an amazing process because I hadn't ever SSH’d into a device and I had to figure out how to get like ports scan."
"I read so much documentation on all the little things that we connected to it. I watched a bunch of YouTube videos. I looked at a lot of GitHub accounts trying to figure out like I've got to make this move." [14:24]
"It was incredibly challenging. A lot of times I was trying to figure [things] out... sometimes the information that you get from the client is essentially just a hint of what's going on in the network." [17:07]
" You just have to be creative and keep going at it until you can do what needs to be done." [18:08]
"Yeah, it's amazing. Especially coming from public school teaching, where I had seen almost physical fights altercations happen over, like, reams of paper because there's just not that much allocated towards schools to where snacks are brought in. Like, it's a very different environment…" [21:22]
"You did great on the test, but I want to watch you take the test." [23:06]

Links:

Edx: https://www.edx.org/
NSF Project: https://nsf2015.fosslounge.org/
Intro Music: Cascadia by Trash80 - https://trash80.com/#/content/133/weeklybeats-2012-week5 (Released under Creative Commons)
Outro: Cosmetic Cosmos by Verified Picasso https://www.youtube.com/channel/UCqDmyXPJdrZjwUdWLyhyQRA

Getting Into Infosec:

Website, Show Notes, Transcripts: https://gettingintoinfosec.com
Follow Me on Twitter: https://twitter.com/coffeewithayman
Subscribe To YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Checkout My Book: https://amzn.to/2HP2i25

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

BONUS - Audiobook Sample!

Ayman Elsawah (@coffeewithayman) — Tue, 04 Jun 2019 22:20:00 -0400

Listen to the retail audio sample of my book: Breaking IN - A Practical Guide to Starting a Career In Information Security.

Kati Fredlund narrates the book. She did an amazing job!

You can read a sample or purchase the whole book here: https://t.co/DDXxfVwpD7

Full Audiobook to be released soon!

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Hossam Mohamed - Young Hacker to "Not A Security Researcher"

Ayman Elsawah (@coffeewithayman) — Sun, 26 May 2019 16:00:00 -0400

A 19-year-old "not a security researcher" facing limitations because of his age and not having the right "prerequisites," Hossam has had to pave his own path. He also dreams in code and is one of the youngest OSCEs in the world!

BIO

Hossam Mohamed is one of the youngest OSCE in the world and currently working in the cybersecurity domain for a financial company in Istanbul. His area of interest includes exploit development, offensive security, secure web development, and malware analysis. He is a big Python lover.

Notes

On the organizing team of BSides Istanbul
His best friend is a computer
Just finished high school last year!
Was doing freelance web design and security projects for clients
Taught himself assembly
Developing offensive security labs
Hacked his way to getting a job :)

Quotes:

"Because I love [to] code."
"I wanted to understand how these games work." [5:56]
"I developed a project for my school. They liked it, but no one cared actually."
"No one in infosec doesn't play a little bit (hacking)." [8:04]
"Technical interview was great... didn't work because of my age and my education. I was only 18." [10:22]
"Do you ever dream in code?" "Actually... how did you know that?" [12:35]
"People think when it's about assembly and reverse engineering, omg it's untouchable... No, I'm telling you there is [a] much more lower level than that."
"I feel bad when I get sick because I don't go to work... I don't (get to) open my laptop and... code."
"When I'm far from my computer for two or three days... [I get] depressed."
"You can make it part of your day." [22:52]
"I wanted to send them the new domain controller password with the report. " [25:23]

Links

Hosasm on Twitter: https://twitter.com/wazehell
Hossam's Website: https://wazehell.io/
BSides Istanbul: https://bsidesistanbul.com/
Upcoming talk "Hunting For Windows Remote Zero-days": https://bsidesistanbul.com/hossam-mohamed/
Intro Music: Cascadia by Trash80 - https://trash80.com/#/content/133/weeklybeats-2012-week5 (Released under Creative Commons)
Outro: Weak Knight by Devon Church - https://www.youtube.com/watch?v=LEOYtxvlnAY

Getting Into Infosec:

Website, Show Notes, Transcripts: https://gettingintoinfosec.com
Follow Me on Twitter: https://twitter.com/coffeewithayman
Subscribe To YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Checkout My Book: https://www.amazon.com/Breaking-Step-Step-Starting-Information-ebook/dp/B07N15GTPC/

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

BONUS - Consuming VS Producing

Ayman Elsawah (@coffeewithayman) — Tue, 21 May 2019 14:37:00 -0400

My thoughts on consuming vs. production and how it relates to Getting Into Infosec. Sometimes, we get stuck learning, consuming security news, trends and etc, but we forget to produce something. Whether it be testing a new exploit we heard about, trying something new in our lab, or applying something we learned the day before, finding the right balance is important. If we're stuck, take little steps—better than no steps.

Links:

Getting Into Infosec:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Izzy - Random and Unplanned: From Annuities to ISO!

Ayman Elsawah (@coffeewithayman) — Sun, 12 May 2019 23:15:00 -0400

Ismaelle Vixsama (aka Izzy) has a knack for finding strategic flaws and speaking up about them. Doing so helped her get her first full-time job as well as have repercussions for defensive egos. Her whole career is a war story.

BIO:

Izzy is an ISMS manager with 7 years of experience. She has worked in FinTech, Government, and Security R&D. Her work has allowed her to work on several mainstream products and services with some of the most well-recognized brands.

Notes:

Creates a security program around a company's information systems
Played the CISO role initially, very CISO like role
First role in security was in Risk
Izzy comes from a very traditional Haitian back
Izzy came up with benefits at her job for an opportunity to learn something new and be in a non-toxic environment
First heard/learned about hacking at 15 from an AOL chat with a "hacker"
At 23, she decided to speak up in a meeting to provide feedback, which led to her being hired full-time

Quotes:

"[By] the time I was 22 years old, the pay wasn't that great but for me. It was amazing because I was doing something I hated. I had benefits at my previous job, but this company was giving me an opportunity to learn something new. To me, that was so exciting."
"He looked at my resume and he said, 'I realize you have no cybersecurity experience.' By starting the conversation like that, it took some pressure off of my shoulders." [10:00]
"I was so nervous that he was going to drill into me about all these topics I had no clue about."
"I didn't even [know] I had sisters."
"Everyone just kinda wrote me off." [16:20]
"Who is the audience, what do we want to say here?" [21:13]
Worst comment ever: "We have to really train you on your critical thinking skills." [22:45]
"A good idea is a good idea, regardless of who it came from."
"My whole career is a war story." [32:05]

Links

Izzy on Twitter: https://twitter.com/Is_Vix
Her story is on Twitter: https://twitter.com/Is_Vix/status/1079218656138149889
Izzy's Business, VixCyber: https://vixcyber.co/
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
Intro Music: Cascadia by Trash80 - https://trash80.com/#/content/133/weeklybeats-2012-week5 (Released under Creative Commons)
Outro Music: "Feather Duster" by Geographer: https://www.youtube.com/channel/UCcB_tnqYHwPzADwUdeppIIQ

Getting Into Infosec:

Twitter: https://twitter.com/coffeewithayman
YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Book: https://t.co/DDXxfVwpD7

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

David Scrobonia - Lifelong builder, Appsec Engineer, Creator of ZAP Heads Up Display

Ayman Elsawah (@coffeewithayman) — Fri, 03 May 2019 23:25:00 -0400

From Zero to One, David is a lifelong builder. Wherever he goes, he just builds things. From an electric car to Adhoc android apps to ZAP HUD to an awesome heads up display for ZAP Proxy, he's a game-changer, IMHO. We discuss the lack of UX in the security tooling community, how contributing to Open Source got him his job, and even about imposter syndrome.

BIO

David Scrobonia is part of the Security Engineering team at Segment, working to secure modern web apps and AWS infrastructure. He contributes to open source in his spare time and leads development for the OWASP ZAP Heads Up Display project.

Notes

Mostly interested in architecture and mechanical engineering when younger.
Built his own electric car with his dad, out of a Porsche 914!
David explains XSS and why certain languages are better than others, such as React
David gets lost in El Segundo. Yes.

Quotes

"It's just a program that listens to these silly protocols."
"I wanted to do more hands-on stuff, [and] quickly fell in love with the coding side as a lot of people do."
"I was like... what's GET? What's POST? What do you mean?"
"Before you know it, right? It seems so daunting."
"Still plenty of opportunities out there. [It] will be a long time before the world is perfect and secure."
"I've been working in the security industry, but I didn't really feel part of any security community."
"I have nothing but good things to say about the open-source community."
"They're (security tools) just not built with user experience first."
"I think people underestimate what they are able to contribute."

Links

David on Twitter: https://twitter.com/david_scrobonia
Rube Goldberg Machine: https://en.wikipedia.org/wiki/Rube_Goldberg_machine
Dan Boneh's Cryptography Course: https://crypto.stanford.edu/~dabo/courses/OnlineCrypto/
OWASP Appsensor Project: https://www.owasp.org/index.php/OWASP_AppSensor_Project
Zap Proxy Heads Up Display (HUD): https://github.com/zaproxy/zap-hud
Article by David on Zap HUD: https://segment.com/blog/hacking-with-a-heads-up-display/
Brakeman Pro: https://brakemanpro.com/
https://samsclass.info
My talk at Sam's class: https://www.youtube.com/watch?v=KJvPHZGtGdM
Intro: Cascadia by Trash80 (https://trash80.com) Licensed Under Creative Commons
Outro: Cancun by Topher Mohr and Alex Elena

Getting Into Infosec:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

BONUS - CliffsNotes To The First 20 Episodes!

Ayman Elsawah (@coffeewithayman) — Sat, 27 Apr 2019 06:38:00 -0400

Having completed 20 episodes, I decided to take a moment to go over each episode briefly.

Thanks to call my guests!

Ep01 - Dan Borges: https://twitter.com/1njection

Ep02 - 0daySimpson: https://twitter.com/0daySimpson

Ep03 - Christina Hanson

Ep04 - Matt Toth: https://twitter.com/willhackforfood

Ep05 - Rob Carson: https://twitter.com/robcarson05

Ep06 - Robin Stuart: https://twitter.com/rcstuart

Ep07 - Clay Wells: https://twitter.com/ttheveii0x

Ep08 - Elvis Chan: https://twitter.com/FBISanFrancisco

Ep09 - Virtual Kyle Kennedy: https://twitter.com/Kyle_F_Kennedy

Ep10 - InfoSteph: https://twitter.com/StephandSec

Ep11 - Yaron Levi: https://twitter.com/0xL3v1

Ep12 - Jack Rhysider: https://twitter.com/JackRhysider

Ep13 - Marcus Carey: https://twitter.com/marcusjcarey

Ep14 - Nipun Gupta: https://twitter.com/nipungupta

Ep15 - Adrian Kaylor: https://twitter.com/AdrianKaylor

Ep16 - InfosecSherpa: https://twitter.com/InfoSecSherpa

Ep17 - InfosecJon: https://twitter.com/InfoSecJon

Ep18 - Masha Sedova: https://twitter.com/modMasha

Ep19 - Jared Folkins: https://twitter.com/JF0LKINS

Ep20 - Leron Gray: https://twitter.com/mcohmi

Getting Into Infosec:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

BONUS - MCOHMI New Song, Trap Music, and Domain Song Background

Ayman Elsawah (@coffeewithayman) — Wed, 17 Apr 2019 13:01:00 -0400

MC OHM-I (Leron Gray) talks about his next project about tabs in the browser, trap music, and some background on his awesome song, "Domain."

Getting Into Infosec

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Leron Gray - From Navy E6 to Pentester, SANS Mentor and Nerdcore Rapper!

Ayman Elsawah (@coffeewithayman) — Fri, 12 Apr 2019 23:49:00 -0400

Leron Gray is a man of many talents. Although he didn't really get into infosec until much later in life, he always had a creative side. He now finds himself as a pentester working from home and a nerdcore rapper producing amazing beats!

BIO

Leron is a penetration tester and a ten-year Navy veteran with four years of experience as a Cryptologic Technician (Networks), focusing primarily on offensive cyber operations. He holds a Bachelor's degree from Dakota State University in Cyber Operations. With a passion for Python, he loves automating tedious daily routine tasks for efficiency and considers himself to always be in a position to learn more and pass on knowledge. He always enjoys competing in as many Capture-the-Flag events as possible and also often performs as a nerdcore rapper.

Leron currently holds eCPPT, eWPT, GPYC, GPEN, GAWN, GCFE, and GICSP certifications. He also maintains a blog and maintains an active Twitter discussing music, information security, and wrestling.

Notes

Went to a high school that made you choose majors
Grew up poor, was not allowed to go out much
Technological learning came from school
Didn't really get into computers until he was 25
Has been in music since Jr. High School (Marching band, jazz band, and concert band... all the bands)
Networking is the biggest thing that Leron says would help
Leron offers his passionate opinion on "aptitude" (it's a pet peeve of his)

Quotes

"I learned a lot... I made sure not to waste any opportunity for learning."
"Job searching, in general, is a pain."
"I don't think I would be where I am right now if I hadn't gone out and made that effort."
"One of the big deals that people had were degrees. I wasn't really sure why; I have 10 years of IT/Cyber experience."
"It turned out the company no longer owned that server. Their DNS was still pointing to it though."
"I took Java in high school and was really bad at it and I found out everyone is bad at Java, so it doesn't really matter."
"It's so much easier to learn when you have a problem to fix."
"It's not even just information security that learning Python could help... it could be anything you do... often enough to warrant not to do it [manually]."
"Nobody does a CTF and expects not to learn something by the time they leave."
"Job searches shouldn't be like that: they should be based on your merit."
"Maybe the person can't get OSCP, but maybe they have the skills or knowledge."
"The idea of aptitude... raises too many borders."

Links

Leron on Twitter: https://twitter.com/mcohmi
Leron's Blog: https://daddycocoaman.dev/
Leron's GitHub: https://github.com/daddycocoaman
Class that Leron Is Mentoring: https://www.sans.org/mentor/class/sec573-seattle-19mar2019-leron-gray
Visual Studio Code: https://code.visualstudio.com/
PyCharm: https://www.jetbrains.com/pycharm/
IPython Notebook: https://ipython.org/notebook.html
San Antonio's Hackers Association: https://satxhackers.org/wp/
MC OHM-I: https://www.mcohmi.com
Intro Music: Cascadia by Trash80 - https://trash80.com/#/content/133/weeklybeats-2012-week5 (Released under Creative Commons)
Outro Music: https://soundcloud.com/mc-ohm-i/domain

Getting Into Infosec

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Jared Folkins - 18 YRO Manager To Education Security To Human Hero

Ayman Elsawah (@coffeewithayman) — Wed, 03 Apr 2019 05:49:00 -0400

Jared Folkins understands people, technology, and the world around him. He can smell a toxic environment from a mile away and has used that EIQ spider-sense for good. Jared shares with us some VERY personal stories (tear-jerker warning!) in integrity and life decisions as well a bunch of on-the-job war stories, including a famous one featured in the news! This is probably my most dramatic episode yet.

Notes:

At 18, he got promoted to manage a team of 50 because he wasn't lazy.
In hindsight, he was able to see indicators of the dot com crash but didn't realize that
Had a fork in the road where he had a major decision to make
Jared shares a VERY personal story with us and the life lesson from that which he applies in his professional life
Having a low tolerance for toxic relationships, Jared has been able to sense toxicity, and it's been a driving force for good for him

Quotes:

"I believe in the power of admitting when you're wrong."
"I carry my guilt between my shoulder blades."
"When I make that mistake; When you have a team that you can trust or a team that honors you, you have the freedom to say stuff like that."
"You can only control you."
"Constraints can be healthy."
"Stepping outside of your comfort zone... [can be] super healthy too."
"If someone tells me this person... is not a good person, I'll actually go meet that person. I want to assess it for myself."
"[When] you get rejected, don't get super emotional... just work with what you have and move on."

Links:

Jared's Blog: https://www.acloudtree.com
Jared's Twitter: https://twitter.com/jf0lkins
Jared's GitHub: https://github.com/jaredfolkins
Opsec Edu: https://www.opsecedu.com
KayPro Computer: http://oldcomputers.net/kayproii.html
Donkey Kong Clone: https://ostermiller.org/ladder/
Grand Mal Seizure: https://www.mayoclinic.org/diseases-conditions/grand-mal-seizure/symptoms-causes/syc-20363458
Project Dir Fu: https://www.dir-fu.com/
TorHound: https://github.com/jaredfolkins/torhound

Getting Into Infosec:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Masha Sedova - From Generations of CS to Behavioral Science and Entrepreneurship

Ayman Elsawah (@coffeewithayman) — Fri, 22 Mar 2019 19:15:00 -0400

Masha Sedova comes from a history of computer scientists! Her grandmother was in the first Computer Science graduating class in 1954 under Stalin in the Soviet Union! She loves challenges and is now utilizing what she thought was a waste of time in Liberal Arts to conquer challenges in Information Security using behavioral science, emotional intelligence, and other human factors.

BIO

Masha Sedova is an industry-recognized people-security expert, speaker, and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security, delivering the first people-centric security platform that leverages behavioral-science to transform employees into security superhumans. Before Elevate, Masha Sedova was a security executive at Salesforce where she built and led the security engagement team focused on improving the security mindset of employees, partners, and customers. In addition, Masha has been a member of the Board of Directors for the National Cyber Security Alliance, and a regular presenter at conferences such as Black Hat, RSA, ISSA, Enigma, and SANS.

Notes

Grandmother was in the first Computer Science graduating class in 1954 under Stalin in the Soviet Union!!
Her Grandma taught her dad and her dad taught her programming around the 6th grade.
Had access to a computer only through the local University.
Masha began her search into 3 disciplines
- Game Theory
- Positive Psychology
- Behavioral Science
Leaderboards are better for only a small subset

Quotes

"You can't patch a human being."
"We've taken a technology solution to a human problem, and I think that's totally wrong way of going about it."
"Without the human interaction we would not have been able to get that alert."
"Focus on failure as an eventual outcome."
"I like picking hard challenges and very tall mountains to climb and computer science seemed like a tall mountain."
"If you give people the correct amount of challenge, that is a state of happiness."
"I found that leaderboards are effective for a small subset of people."
"The reasons people don't do things is not because they don't know."

Links

6:1 Positive Feedback Ratio for Performance: https://medium.com/@Praiseworthy/harvard-research-finds-employees-need-a-6-1-positive-feedback-ratio-to-perform-their-best-8f14160a8fbd
Dr. Gottman: https://en.wikipedia.org/wiki/John_Gottman
Reality is Broken by Jane McGonigal: https://www.amazon.com/Reality-Broken-Games-Better-Change/dp/0143120611
Flow by Mihaly Csikszentmihalyi: https://www.amazon.com/Flow-Psychology-Experience-Perennial-Classics/dp/0061339202/
BJ Fogg: https://www.bjfogg.com/
Opower Report: https://www.povertyactionlab.org/evaluation/opower-evaluating-impact-home-energy-reports-energy-conservation-united-states
Predictably Irrational by Dan Ariely: https://www.amazon.com/Predictably-Irrational-Hidden-Forces-Decisions/dp/006135323X
Intro Music (Cascadia by Trash80): https://trash80.com/#/content/133/weeklybeats-2012-week5
Outro Music (Quincas Moreira - Entire): https://www.youtube.com/watch?v=DoKpuXyIyVs

Getting Into Infosec

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

BONUS - InfosecJon Learns Trust But Verify The HARD way

Ayman Elsawah (@coffeewithayman) — Wed, 20 Mar 2019 22:30:00 -0400

InfosecJon expands on some CRAZY follies he experienced during his times in the Navy. He learns through trial by fire, literally: trust but verify!

Notes

Jon almost gets crushed inside the engine of Naval ship
A boiler exploded and Jon, a jr. engineer, was left in charge of the situation and had to give orders
Jon got soaked with engine Oil on a running ship, resulting in the loss of pitch-control
Luckily, Jon was wearing a PEP suit
Tag-out manual: https://www.public.navy.mil/NAVSAFECEN/Documents/afloat/Surface/Rsrcs/References/TUM_REV_07.pdf

Getting Into Infosec

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

InfosecJon - From Rudderless Youth to Navy Engineer to Security Professional

Ayman Elsawah (@coffeewithayman) — Sat, 16 Mar 2019 00:24:00 -0400

InfosecJon runs a website cataloging his learning and dedicated to helping others get in the field. He shares his personal story from a directionless youth to enlisting in the Navy (and its follies) and his tribulations getting into the field. He also shares some interesting Navy stories. Look out for the bonus episode!

BIO

Jon is a father, husband, and a veteran. He went from an aimless youth to enlisting into a career path he never liked. After 7 years as an electrical engineer, he got the chance to pursue his dream of working in information security. Now, he runs a website devoted to helping others.

Notes

By almost getting crushed in a two-story engine, Jon learned to be adaptable to the situation
Got exposure to computers by working with dad at his computer store
Was an engineer at heart who fell in love with the inner workings of things and how they work
Became the go-to person for technology in his department
Always had a knack for helping others, even before the military

Quotes:

"[The] biggest skill I got was to be able to figure things out quickly and troubleshooting."
"You can't troubleshoot something until you know how it works."
"I just wanted to learn as much as I could."
"I want to work with technology; I want to help people."
"Going to a traditional school, being more mature, was [seen as] a negative."
"Everybody doesn't know everything. That's why most security teams are... teams!"
"I want to help people; I want to protect people."
"The networking knowledge, the [SysAdmin] knowledge, and then the drive to learn new stuff... is what they were attracted to."
"Nobody wanted to do it. I volunteered and stepped up."
"One thing that attracted me to the school 100% was the advertised hands-on labs."

Links

InfosecJon (Twitter): https://twitter.com/infosecjon
InfosecJon (Website): https://infosecjon.com/
Navy C-School: https://www.quora.com/Whats-a-Navy-C-school
Jon on the different types of hackers: https://infosecjon.com/types-of-hackers/
Intro: Cascadia by Trash80: https://trash80.com/#/content/133/weeklybeats-2012-week5
Outro: White Smoke by Endless - http://www.endlessslove.com/

Resources

SEED Labs by Syracuse University: http://www.cis.syr.edu/~wedu/seed/index.html
David's CTF Post: https://bsidessf.org/news/2019/03/running-the-bsides-sf-2019-ctf

Getting Into Infosec:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

InfosecSherpa - From Travel Agent to Law Librarian to Security Analyst!

Ayman Elsawah (@coffeewithayman) — Fri, 01 Mar 2019 08:05:00 -0400

Tracy Maleeff (@InfosecSherpa) was a professional law librarian and at the top of her game. Looking for change and meaning, she searched until she found the field of Information Security. This is her journey.

BIO

Tracy Z. Maleeff (/may-leaf/), @InfoSecSherpa, is an independent information professional providing research and social media consulting with a focus on information security. She is a frequent presenter on best practices of data mining from social media, professional networking, and introduction to information security topics. Tracy has 15 years of experience as a librarian in academia, corporate, and law firm industries and earned a Master of Library and Information Science from the University of Pittsburgh. She is the Principal of Sherpa Intelligence LLC–your guide up a mountain of information.

Notes

There is a condition called the "Librarian Face"
Librarians who have a Master's Degree in Library Science are taught to be approachable
Was never a public librarian; she worked in "special" libraries. This made her really good at finding and accessing data
Tracy shares some social engineering tricks she did earlier in her life
Didn't grow up with computers around her
Advice: "Know yourself"

Quotes

"If you are out in public… people are likely [going] to come ask you questions because you look like you know things."
"I did fail, but I did not fail as badly as I thought I would!"
"I don't regret the path that I took."
"For someone like me who does come from a technical background... having the certifications is what people want to see."
"They need to see some receipt!"
"Even if it turned out to be nothing, don't be afraid to speak up."
"I don't think I realized it was social engineering; I just knew it was something that I wanted."
"Managed to talk my way not only on the plane, but also into business first."
"They had me at port scanning."

Links

Infosecsherpa: https://twitter.com/infosecsherpa
Women’s Society of Cyberjutsu (WSC): https://womenscyberjutsu.org/
Intro Music: Cascadia by Trash80 - https://trash80.com/#/content/133/weeklybeats-2012-week5
Outro Music: JR Tundra - Natty Roadster

Resources

Art of Improvement: https://www.youtube.com/channel/UCtYzVCmNxrshH4_bPO_-Y-A

Getting Into Infosec

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Adrian Kaylor - From Network Admin to Trainer to Sales Engineer for Life

Ayman Elsawah (@coffeewithayman) — Fri, 22 Feb 2019 04:50:00 -0400

Adrian is a Sr. Sales Engineer at Splunk who focuses on security. He has worked for various security startups in the Bay Area for the past 15 years from vulnerability management to endpoint investigation to ML-based threat hunting.

Notes:

Had an interest in security early on, starting with opening binaries on Sierra King's quest games and looking for hints.
Took any opportunity he got to get exposed to security
His job as an instructor was very useful during support and later as a sales engineer
Keeps a Trello board for his lab!
Adrian expenses (deducts) what he spends on his lab from his taxes (consult a tax attorney)
He mentions an awesome hack for installing Kali on a Chromebook (~22 mins)

Quotes:

"I remember the first time I found Phrack, my mind exploded a little bit."
"Experience is experience: everything that you use (skills) will get used later on."
"Figure out what pieces they're missing, so you can fill them in."
"Go through the CIS top 20 critical controls."
"Be less focused on the whizbang fun stuff, and more focused to get you the most return."

Links:

Please thank my guests for sharing their time with us and let them know if this episode helped you.

Adrian Kaylor on Twitter: https://twitter.com/AdrianKaylor
Adrian Kaylor on LinkedIn: https://www.linkedin.com/in/adriankaylor/
Phrack Magazine: http://www.phrack.org/
Lack Rack: https://www.google.com/search?q=ikea+lack+rack&source=lnms
ISS: https://www-03.ibm.com/press/us/en/pressrelease/20468.wss
Splunk Dev License: http://dev.splunk.com/
CIS 20 Controls: https://en.wikipedia.org/wiki/The_CIS_Critical_Security_Controls_for_Effective_Cyber_Defense
JA3: https://github.com/salesforce/ja3
Irongeek: http://www.irongeek.com/
Netsec Reddit: https://reddit.com/r/netsec
SANS Holiday Hack Challenge: https://www.holidayhackchallenge.com/2018/
Garage Door Hack by Samy Kamkar: http://samy.pl/opensesame/
Sam Bowne's Class: https://samsclass.info
Adrian's Presentation on YouTube: https://www.youtube.com/watch?v=8LF96Oq_pgo (Picture of lab at 24:05)
Intro Music by Trash80
Outro Music (Liberation Theology - Exploitation is Sin):
https://open.spotify.com/album/0oc93ZsbMluxL8H994U9MW

Learning Resource Mentioned:

https://www.youtube.com/watch?v=6MYF6Zo6i6A (based on https://www.coursera.org/learn/it-security)

Getting Into Infosec:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Nipun Gupta - From Security Consultant to Security Innovator

Ayman Elsawah (@coffeewithayman) — Sat, 09 Feb 2019 22:54:00 -0400

Nipun graduated during the recession, but found a job as a consultant which helped him gain experience quickly. He was in fact discouraged to pursue a career in information security due to his immigrant status. Nipun is now a Cyber Security Executive focused on innovation.

BIO:

Nipun Gupta is a Cyber Security Executive at a large global financial institution focusing on innovation. Armed with many years of experience helping Fortune 500 companies solve cyber risk challenges, Nipun is tasked to help his employer discover, adopt, access new cybersecurity solutions protecting against emerging threats.

In the past two years, Nipun co-founded and ran the global Cyber Innovation Ecosystem strategy at a global consulting company with a specific focus on US and Israeli startups. He offers a strong network of security executives, startup founders, and the Venture Capital community in the West Coast and abroad. Technically proficient in network and application security, Nipun is a trusted advisor for many financial service institutions, technology, and telecom companies contributing to solutions worth tens of millions of dollars. Nipun completed his Masters of Information Technology and Information Security at Carnegie Mellon University, and has been collecting industry certifications like CISSP and SABSA ever since.

Notes:

Was discouraged to go into cybersecurity due to his immigrant status
Graduated in a tough time during the 2008 recession
Discusses burnout and having to work odd hours for 6 months of the year
The show "24" was an influence in sparking the interest in information security
Shares an interesting war story where he accessed tons of files
Discusses the personality traits needed to be a consultant

Quotes

"The biggest problem security professionals will continue to face is how to bridge that gap between technical conversation and business conversation."
"You have to be technical to understand the depth of the issue, but at the same time, you need to be able to express it in business language so non-technical people can make those decisions."
"I think you have to talk in terms of risk. Every business professional [in a] large or small company understands risk because risk can put them out of business."
"While I'm an introvert when it comes to working, I'm an extrovert when it comes to expressing my work-related conversations or expressing my work-related issues."

Links:

Nipun on Twitter: https://twitter.com/nipungupta
Nipun on LinkedIN: https://www.linkedin.com/in/guptanipun/
SecurityTube: https://www.youtube.com/channel/UCBRNlyf9lURksAEnM-pyQdA
Hak5: https://hak5.org
Nullcon: https://nullcon.net
BayThreat: http://baythreat.org/
Intro Music - "Cascadia" by Trash80: https://trash80.com/#/content/133/weeklybeats-2012-week5
Outro Music - "Put This Rap Together
" by Bobby Cole: https://www.audioblocks.com/stock-audio/put-this-rap-together%C2%A0-98857.html

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

BONUS - My Book is OUT: Breaking IN: A Step-by-Step Guide to Starting a Career in Information Security

Ayman Elsawah (@coffeewithayman) — Fri, 25 Jan 2019 19:41:00 -0400

My book is out!

Breaking IN: A Step-by-Step Guide to Starting a Career in Information Security

https://www.amazon.com/gp/product/B07N15GTPC

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Marcus Carey - Childhood Builder/Breaker to Navy Cryptologist to Founder and Mentor

Ayman Elsawah (@coffeewithayman) — Fri, 11 Jan 2019 08:10:00 -0400

Marcus Carey has been hacking since he was five. A true MacGuyver, he had to make do with the little resources available to him. He later enrolled in the Navy, worked for 3- letter agencies including the NSA, and now has his own security startup. Marcus shares a TON with us in this episode.

BIO

Marcus is renowned in the cybersecurity industry and has spent his more than 20-year career working in penetration testing, incident response, and digital forensics with federal agencies such as NSA, DC3, DIA, and DARPA. He started his career in cryptography in the U.S. Navy, and holds a Master’s degree in Network Security from Capitol College. Marcus regularly speaks at security conferences across the country. He is passionate about giving back to the community through mentorship, hackathons, and speaking engagements, and is a voracious reader in his spare time.

Notes:

Marcus had an opportunity to play college basketball, but couldn't since it was only a partial scholarship
After taking the ASVAB test, he had the choice of nuclear engineering or cryptography. He chose cryptography
Marcus made an Olympic-sized track pit up to spec as a child.
Marcus, like many other security professionals, had a strong artistic side. He achieved first chair in just a few weeks in Jr. High.
Marcus teaches us "How to Learn"
Marcus achieved over 115 college credits on his own, without attending college!
Open source tools Marcus created ended up being used be used to save people's lives in other parts of the world

Quotes:

"[I] told them all I wanted to do was work with computers."
"I've always been a tinkerer. I built stuff, I was a science fair geek... the whole nine."
"I was the poorest person growing up... so anything I did was a hack. I made my own hacky sack. I used to make my own toys."
"You can't learn how Marcus learns because everyone is different.... Nobody can tell you how to learn as good as yourself."
"So now, I'm like a finely tuned weapon when it comes to learning... cause I know exactly how to learn."
"Never be surprised how your work turns out to be used for good... it actually blew my mind that my stuff was being used to do that [saving people's lives]. "
"Show externally that you've mastered those concepts in some way."
"Sometimes your employees are going to go rogue, and hopefully, you can detect when they do."
"If you're focusing on a specific set of skills that are evergreen, and if you work that long enough, it doesn't matter your aptitude: you can become an expert at that."
"There are people out here that are celebrities, and they act like they know everything. Don't be one of those people."
"Aptitude allows people to learn stuff faster. I think the military requires you to learn stuff fast."

Links:

Marcus Carey Twitter (@marcusjcarey)
Marcus's Company: Threatcare
ASVAB Test
MacGuyver
Python The Hard Way
Sub-Vocalization
Book: "How to Measure Anything in Cybersecurity Risk"
Clep Test
DSST
Excelsior College Examinations
Book: "Never split the difference on negotiating"
Threat Agent and Honeydocs
Intro Music: Cascadia by @Trash80
Outro Music: Coupe by @yungkartz

Resources Mentioned:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Jack Rhysider - From Odd-jobs to Network Analyst to SOC Architect to... Darknet Diaries!

Ayman Elsawah (@coffeewithayman) — Tue, 01 Jan 2019 20:45:00 -0400

With an engineering background, Jack found himself doing odd jobs at first. Looking to get back into tech, he certed up and got a job in the NOC (Network Operation Center) and eventually became a SOC architect building a SOC from scratch. Looking to do something different, he started Dark Net Diaries, and it's been an adventure since! This is Jack Rhysider's origin story.

BIO

Jack Rhysider started his professional career in a NOC. He then became a network security engineer doing a lot of work to harden the network and detect threats in the network. He became a security architect and successfully built a SOC for a MSSP. He's currently the host of the podcast Darknet Diaries, where he interviews hackers or those who've suffered a major attack. The podcast has experienced phenomenal growth, so Jack now works on it full time.

Notes

A glimpse into the life of a security analyst and a Managed SOC
Takes about 3-6 months for an analyst to baseline and come up to speed
His first hack was hacking the Sim City savegame file. Dad was thrilled!
Several years of blogging his journey in Infosec helped Jack with his communication skills and explaining difficult concepts to people.

Quotes:

"As a security engineer, I need to know a little bit about everything."
"I would do things like remove (rm -f /) the whole root directory just to see how many files I could delete before the whole operating system would crash!"
"Be fearless, grandma!"
"I think there is a lot of shaming that goes on if people... do security wrong... that kind of makes things stressful."
"I think what [we], as security people, lack sometimes is good communication."
"Taking on tasks when nobody asked them to take it on... is amazing!"
"I would keep corrupting files over and over, but eventually, I figured out which byte in the file was for the amount of money, and I was able to give myself a billion dollars!"

Links:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Yaron Levi - Entrepreneur to Security Architect to CISO and Security Champion

Ayman Elsawah (@coffeewithayman) — Tue, 25 Dec 2018 09:07:00 -0400

Yaron Levi is the CISO for Blue Cross and Blue Shield of Kansas City. We talk about what he looks for in people when hiring in Infosec and a time when he took a chance on someone (against the opinion of his peers), and his chance was a big success. We also discuss a breach he had to deal with only 3 months into his job!

BIO

Yaron Levi is the CISO for Blue Cross and Blue Shield of Kansas City (Blue KC). In this role, he manages a team responsible for information risk management, cyber defense, regulatory and compliance, architecture and engineering, and identity and access management for an organization that provides health insurance for about 1 million members and has over $2B in annual revenue.

Prior to joining Blue KC, Yaron was a Director of Information Security for Cerner Corporation, an Information Security Business Partner for Intuit, an Information Security Architect and Product Manager for eBay, and a Director of Cloud Security for ANX.

Yaron is a Research Fellow for the Cloud Security Alliance (CSA). The Research Fellow designation is the highest honor and distinction given to a CSA research volunteer who has demonstrated significant contributions to CSA research. Yaron is a co-chair and lead architect of the Cloud Enterprise Architecture. Contributor to the Consensus Assessments Initiative Questionnaire (CAIQ), Cloud Controls Matrix and promoted the CSA as best practice in various cloud projects with various Fortune 500 companies.

Yaron is the co-founder of the Kansas City CISO forum, B-Sides Kansas City, and is a frequent speaker on Cyber Security Architecture, DevSecOps, and Cyber Defense.

Yaron holds a B.A. in Social Sciences and Management and is a graduate from the FBI CISO Academy.

Notes:

Created his own IT company to pay his way through college
A SOX Compliance project was his first exp
His first computer was a Sinclair ZX81
Had to save up to buy his own Commodore 64!
Yaron's discussion with youth whether a laptop is more dangerous than a gun? What about the 2nd Amendment?
3-months into his job, he experienced a breach!

Quotes:

"Security is one of those areas that you can be part of something that is bigger than yourself."
"Having a real calling for something... that can make a difference."
"It's one of those communities [where] people really want to help each other."
"I think, for many people, there isn't a prescription, if you will, of how and where to start."
"Are you the type of person who likes to crack codes and puzzles and bang your head against the wall for 16 hours...that may lead you to a dead-end or nothing? Oh no, I like to talk to people."
"First and foremost, we are educators."
"Sometimes, when we look for people, we tend to look for people based on a very specific mold or template [unfortunately]"
"Usually, I hire for character first, then skill."
"At the end of that record is a person... a human being."
"I think people need to realize that it can be a very thankless job, not just hoodies and hackers all day long. If you google a "Hacker" today... it's kind of depressing to everyone with hoodies like that... that's not the reality."
"It's all about defense... protection... enablement of the business securely. When everything goes well, nobody really thinks of you, nobody thanks you for that. But when something bad happens, everybody looks for a head to chop."
"It's, in my opinion, one of the more rewarding careers one could have and being part of something bigger than just themselves."

Links:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

InfoSteph - From Journalism to IT Support to Security Analyst

Ayman Elsawah (@coffeewithayman) — Tue, 18 Dec 2018 18:57:00 -0400

Steph is brand new to the infosec field! We go over her interesting and eventful path into Information Security, reflections on her role today, and some fascinating war stories!

BIO:

Steph is a Security Analyst for a retail company makes up the team of one. She has a background in journalism and web hosting. She is the creator and editor of StephAndSec.com, a blog focused on technology, inclusion, and lifetime learning. Stephanie's life work is to encourage and fight for more diversity and inclusion in tech spaces for more innovative and original collaboration. She spends her time mentoring high school students, hosting virtual labs via Women In Tech-a-thons, and learning as much as she can about anything and everything. Stephanie believes that giving back to the community at every stage is very important. In addition to technology, Stephanie has a secondary passion for Psychology, so don't be frightened if you hear her discuss cognitive distortions or attachment styles. She hopes to develop research that explores the dichotomy between human beings and technology. She is currently on a mission to speak at three events in 2019 and has already been booked for one event.

Notes:

Dreams of Creative Writing, but chose Journalism for practicality
Encouraged to Computer Science by her mom
Had her eye on Security, through IT or Web Hosting... eventually.
A story of being so close, yet so far
Was very close to giving up on the whole industry due to the difficulty and lack of encouragement... but was NOT comfortable with quitting.

Quotes:

"You have to talk to strangers about their story... you want me to walk up to a complete stranger as an introvert? Uh.. what?"
"The type of person I am, I can't fully commit to something without getting my hands dirty."
"The way that I learn is situational."
"We had a vulnerability scan tool and so I just tried to work with that."
"It's kind of like what doctors have to do before they [can] become a doctor."
"So many people are trying to get into the industry and facing the same issue. I've done all these things people have told me to and it hasn't gotten me anywhere."
"Just do a bunch of stuff until it sticks!"
"Twitter was one of the best... decision I made."
"Get a champion that is more senior than you."
"Don't count yourself out, before someone else has counted you out."
"The lessons that are best learned are the ones that resulted in catastrophic failure."
"When you want to be a lawyer, you go to law school, you sit for the bar. There ya go! There's a plan."

Links:

Steph's Website: https://stephandsec.com/
Speaking engagement next year: https://2019.tabgeeks.com/speakers#steph
Steph's Tech a Thon's: https://mailchi.mp/70c8010c3320/tech-a-thon-comeback
WISP - Women in Security and Privacy: https://www.wisporg.com/
Intro - Cascadia by Trash 80: https://trash80.com/#/content/133/weeklybeats-2012-week5
Outro - That Night In Your Car - Spazz Cardigan: https://www.youtube.com/watch?v=1yzuoAOd238

Resources:

HackEDU: https://hackedu.io/
Open Bug Bounty.org: https://www.openbugbounty.org/

Getting Into Infosec:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Virtual Kyle Kennedy - Stories, not resumes: Breaking educational and other barriers in cybersecurity

Ayman Elsawah (@coffeewithayman) — Tue, 11 Dec 2018 08:05:00 -0400

Today's episode is a reading of an amazing written by Kyle Kennedy, president of brainbabe.org. The reading is performed by Allison, an IBM Watson personality. I also go through some recent resources discovered to help you on your journey to a Career in Infosec.

BIO:

Kyle F. Kennedy is a social cybersecurity expert and president of brainbabe.org. His organization provides foundational soft-skills training for a small fee (supported by corporation donations) and plans to launch soft-skill Masterclasses in 2019. They helped organize an event called Day of Shecurity for women of diverse backgrounds to have one day of learning: tech/ hard skills, soft skills. They had opportunities for mentorship and guidance. Day of Shecurity was FREE to attendees!

Links:

Full Text of Article:

When you search for images under the key word “cybersecurity,” a familiar shot always turns up: a guy wearing a hoodie, operating in a dark room, fingers on a keyboard.

I’d like to replace that image with…anything. To be a cybersecurity professional, you can be anything. And anyone.

We’ve heard the statistics. There is currently a human capital crisis, with 1.5 million cybersecurity jobs available and no takers. The number is projected to balloon to 3.2 million by 2021.

But who exactly are these cybersecurity professionals we are looking for?

For so long, we have had our own definition of who can fit that talent. A good cybersecurity professional has to have a computer science degree. They must have solid professional background. They have to be male. This pattern of defining success has led us to the shortage we are experiencing today. It’s kind of like insanity, really: Doing the same thing over and over and expecting different results.

What really makes up a good professional? Every human being brings a different experience. You need critical thinking and creative thinking, both. A variety of educational, ethnic, geographical, backgrounds.

For example, cybersecurity is not the obvious career path for someone with a biology degree; however, a biology major might help throw a new perspective on cybersecurity given that advancements of technology will eventually interface with the human body organically creating a scary threat landscape.

Often too we talk about cybersecurity in the context of oil and gas, or transport, or finance. Cybersecurity today and going forward, is a horizontal across every industry, as opposed to just being by itself.

Every industry needs cybersecurity professionals. People from other disciplines could provide their own perspectives and add value to how the job is done. For example, some of the best cybersecurity communicators otherwise known as “Social Engineers”, I know are drama majors, communication majors and liberal arts majors.

Why are soft skills critical? The risks here are complex. If these risks are not articulated in a business language, such that executives are not able to grasp their importance, then what you will have as a result are cyber policies, created from the ivory tower, which everyone must follow, and which would inhibit the business instead of enabling it.

If cybersecurity becomes more inclusive instead of exclusive, then we will be all the more superior to the attackers. As it is, it’s the enemy who are inclusive. They don’t have any requirement that hackers should have this or that degree or should have attended an Ivy League school. Most hackers are self-taught, and when something sparks their interest, they go online. They read. Nobody tells them they could not do it because they are not a good fit.

Initial strides

Foremost, before anything can be done, there must be an acknowledgment of the current situation and the need to be more welcoming. Business leaders and decision-makers must recognize the unconscious bias that they have. They have to understand that creating positive disruption and changing patterns are a business differentiator.

My organization is active in our advocacy for inclusion in cybersecurity, specifically for women. We have been speaking to organizations on positive disruption. A good way to create action is through regional events and grassroots involvement. We bring the community together, and it is these communities that conduct classes and organize meet-ups and training courses.

We did this in reaction to the more established cybersecurity conferences that present numerous barriers to entry, and which are more for senior professionals. Women may not have the luxury of being able to spring for the travel, or leave their homes for days at a time, and perhaps find childcare for the time they are away.

ISC2 also now has an associate certification, where an individual can take the certification examination without the work experience; providing an opportunity for employers to recognize & support candidates entering or transitioning to the cybersecurity industry.

Personal reasons

My passion for diversity in cybersecurity is driven by several things.

First, given my degree in sociology, I must have had a hundred interviews before landing on a job in technology, even though I knew a lot about it – it had been a hobby for years — and it was clear I was keenly interested and willing to learn. They said I was not the right fit because I did not have a technology degree; specifically, a computer science degree. Didn’t matter that I could code in Assembler, BASIC, C, Cobol, Comal, Forth, Fortran, Logo, Pascal, PL/1 or Algol.

And I thought, if this could happen to me, a white male, think of all the others who could not break the barriers!

I ended up leading the engineering department of the first company that hired me.

And then I met my wife, who herself had to break barriers in IT because she was a woman. For example, during meetings, she was seen as more of an assistant rather than a peer, even though she was very technical.

My male colleagues initially said I was just on the bandwagon with my advocacy for women in cybersecurity. I said no. Men have to recognize that we have to be part of the solution, since many of the positions of senior leadership are occupied by men.

‘This is not my coffee’

I have a good analogy for all this. Suppose you went to a Starbucks, and when your coffee is given to you, you see that it was not what you asked for.

For a moment you might think you might as well take it, because the barista probably knows what is good for you, more than you do.

But no – you renegotiate. The barista does not know any better. You then look for the manager to explain the mistake and to get the drink you want.

Empathy is what can truly enable us to understand that we need to change the status quo. Yes, I am male, I am white, but I know that my background is a lot different from that of my peers. Because of this, I am very empathetic in that I know there are institutionalized barriers. I should know – I have spent the past 25 years in security.

What should really matter is that there are many talented individuals capable of both critical and creative thinking. They may not come in the shape and size we have traditionally expected them to be, but they are interested. They are intelligent.

In the end, only three questions should matter to organizations when they decide on investing in somebody for a cybersecurity role: Do you have the brain? Are you passionate? Can you learn?

Kyle F. Kennedy is a social cybersecurity expert and president of brainbabe.org. His organization provides foundational soft-skills training for a small fee (supported by corporation donations) and plans to launch soft-skill Masterclasses in 2019.They helped organize an event called Day of Shecurity, for women of diverse backgrounds to have one day of learning: tech/ hard skills, soft skills. They had opportunities for mentorship and guidance. Day of Shecurity was FREE to attendees!

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Elvis Chan - From Making Computer Chips to FBI Supervisory Special Agent!

Ayman Elsawah (@coffeewithayman) — Tue, 04 Dec 2018 20:00:00 -0400

Elvis Chan is a Supervisory Special Agent Elvis Chan, who works cybersecurity matters for the FBI San Francisco Division. We discuss how we got into the FBI, Life in the FBI Cybersecurity Division, and how to get involved.

The FBI is always looking for qualified applications for Special Agent and professional staff positions. Please see https://www.fbijobs.gov/ for more details.

Notes:

There are three main roles in CyberSecurity at the FBI:
- Special Agent (Gun Carrying Badge)
- Intelligence Analyst
- Computer Scientist
It may be quiet on the outside, but you can bet the FBI is hard at work on the inside.
Protection of the recent elections was discussed. The sheer number of people involved in protecting the elections from foreign actors couldn't be enumerated. Both the public sector and private sector are involved.
In an incident response, there is often coordination with FBI headquarters and sometimes other 3 letter agencies.
FBI San Francisco was the squad of record for investigating the 2014 Yahoo hack.
Elvis goes into detail explaining more about Russian Hacking and how the FSB culture works.
Placement in the FBI is based on a ranking system.

Quotes:

"There are a LOT of things behind the scenes I can't talk about."
"If you see in the news that there is a hack, you can be sure that there is at least one, maybe two, maybe several, office mobilized to figure out what the heck happened."
"On a regular day, I would love to just go through my email and have the scheduled meetings I'm gonna have."
"Why are the Russians coming after us..."
"Whatever happens to you... 'The Need of the Bureau'"
"My current job, despite all the paperwork and meeting I don't want to go to is a 10 out of 10!"
"People would not believe some of the stuff that we've seen or that we've gone through. They would make the worst movie plot because they would be so unbelievable!"

Links:

FBI Jobs: https://www.fbijobs.gov
2014 Yahoo Hack: https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions
FSB: https://en.wikipedia.org/wiki/Federal_Security_Service
InfraGard: https://www.infragard.org/
FBI Field Offices: https://www.fbi.gov/contact-us/field-offices

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Clay Wells - From SysAdmin to Security Architect to Con Organizer!

Ayman Elsawah (@coffeewithayman) — Tue, 27 Nov 2018 09:05:00 -0400

Clay Wells has been living in kernel/userland since Red Hat 4.0 Colgate. Worklife has primarily been in academia and has included programming, system administration, and information security. He's a point of contact for the DC215 group and one of the Blue Team Village coordinators at DEF CON. He also created unofficial CTF challenges for local hacker cons and organizers for the first annual WOPR Summit this March 2019 in Atlantic City.

Clay, a security architect, musician, Defcon Blue Team Village Co-Organizer, and organizer of the first annual WOPR Summit, shares some really insightful tips on making it Information Security, as well as a fascinating recent war story.

WOPR Summit is March 1st, 2019, in Atlantic City!

Quotes:

"My heart was racing... that was a huge rush, and that's when I was like yea... blue side F*** rocks!!"
"Take a holistic approach to InfoSec, dive into the culture, different cons, music, people...volunteer, get out, get involved."
"Learn a little about everything, then find what really interests you... and go for it!"
"It's great to apt-get stuff... but try compiling a custom Linux kernel."
"I'm a strong believer in embracing that creative side."
"[Blue Team] certainly hasn't been the sexiest infosec job to have... yes, defense is what people want... there's a lot of defense work out there."

Links:

Clay Wells on Twitter: https://twitter.com/ttheveii0x
Clay Wells on LinkedIn: https://www.linkedin.com/in/clayball/
Clay Wells Blog: http://www.cwells.org/
WOPR Summit 2019: https://www.woprsummit.org/
WOPR Summit Sponsorhip Prospectus: https://static1.squarespace.com/static/5b81b8f745776e48dcfb884d/t/5ba666dbf4e1fc68321a7a27/1537631964367/wopr-summit-2019-sponsor-prospectus.pdf
DEF CON Blue Team Village: https://blueteamvillage.org/
Opensoc by Recon Infosec: https://opensoc.io/
Recon Infosec: https://reconinfosec.com/
BsidesDC: http://bsidesdc.org/
Graylog: https://www.graylog.org/
Kibana: https://www.elastic.co/products/kibana
H.O.P.E Conference: https://hope.net/
No Starch Press: https://nostarch.com/
Outro Music by Clay: https://soundcloud.com/clayball/0x41-2-version-b

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

BONUS: Robin Stuart - Road to Becoming a Cyber Crime Author

Ayman Elsawah (@coffeewithayman) — Sun, 18 Nov 2018 05:08:00 -0400

Robin Stuart is a debut author in cybercrime fiction with a short story called "SegFault" in the Sisters in Crime NorCal anthology Fault Lines, which is due in early 2019!!!

Notes

Wrote her first full-length mystery in the mid-'90s!
Pitching is basically a job interview
Honing your pitch
You only get one shot at that first impression
She has a backlog of stories to tell... Stay Tuned!!! (So Excited!)

Links

The New York Pitch Fest: http://newyorkpitchconference.com/
Mystery Writers: https://mysterywriters.org/
Sister in Crime Northern California Chapter: http://www.sincnorcal.org/
Paula Munier, Robin's Literary Agent: http://talcottnotch.net/index.php/agents/paula-munier
Robin Stuart Full Interview: https://gettingintoinfosec/robin-stuart-from-paralegal-to-malware-researcher-and-cyber-crime-author

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Robin Stuart - From Paralegal to Malware Researcher (and Cyber Crime Author!)

Ayman Elsawah (@coffeewithayman) — Tue, 13 Nov 2018 22:02:00 -0400

Robin Stuart started off as a paralegal until she was challenged one day to get her boss's password (hint: do not challenge Robin). Fast forward, she switched careers to technology but kept a lookout for a career in security.

Bio

Veteran cybercrime investigator and contributing author to the Handbook for Information Security by Wiley, Robin is a debut author in cybercrime fiction with a short story in the Sisters in Crime NorCal anthology Fault Lines, which is due out in early 2019.

She consults on all things cybersecurity for Fortune 100 companies, television shows, and media outlets, including BBC and NowThis News.

She was a significant contributor to the Tech Museum of Innovation's acclaimed Cyber Detectives interactive installation, one of the museum's most popular permanent exhibits, which earned praise from the Obama Administration.

Notes

Combination of Enthusiasm and Perseverance
Creativity matters a lot!
Setting up a home lab to train
Robin's First "Hack"! EPIC!
There isn't a linear path into information security, no need for a degree necessarily

Quotes

"[After] years of being a paralegal, I think like a lawyer and that's helped me very well"
"My Google works a little better than other people's Google."
Someone once asked Robin, "I've got an hour... can you teach me everything you know?"
"Taught myself Assembly by writing a program all in assembly, just to prove to myself that I understood it."

Links

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Rob Carson - From USMC Infantry Officer to Information Security Officer

Ayman Elsawah (@coffeewithayman) — Tue, 06 Nov 2018 18:03:00 -0400

Speaker Bio

Rob Carson, the founder of Semper Sec, knows how to simplify the problem and deliver solutions.

His clients base includes:

Fortune 200 Companies
US Government Contractors
State and Local Governments
Fuel Retailers
Software and hardware manufacturers

His distinguished career includes service as a Marine Corps Infantry Officer, as well as leading roles in IT and Security. Before devoting his work full-time to facilitating his client's success, he built highly successful information security programs for ISO 27001:2005/2013, PCI, HIPAA, NIST 800-171, GDPR. He also volunteers his time as the Chief Security Officer for BSIDES Las Vegas, a non-profit educational organization designed to advance the body of Information Security.

Episode Highlights

Matt reveals how much he made when he got out of the Marines
Matt hilariously talks about the nuances he had to deal with when going to the private sector:
Not saying "Sir" and "Madame"
Figuring out what to wear
How being early is too early

Quotes

"I wasn't getting shot at... I was working in climate control, you know, so people be all stressed out, and I was like, 'Well, no one's going to die.'"
"I like to call myself a 'lessons learned enthusiast.'"
"The hardest job you'll ever get in infosec is that first step in."
"A first sergeant told me your hobbies should reflect part of your career."
"You can be outside the box, but you need to stay inside the room."

Links

Sempersec: https://sempersec.com/
Rob Carson's LinkedIN Profile: https://www.linkedin.com/in/robcarson1/

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Matt Toth - From Slinky Network Support Engineer to Security Sales Engineer

Ayman Elsawah (@coffeewithayman) — Tue, 30 Oct 2018 07:15:00 -0400

Matt Toth is a Senior Security and Veteran Sales Engineer. Having collaborated with the Department of Defense on War Games and advised senior leaders on possible cyber threats, Matt has two decades of IT experience with a focus on cybersecurity. With a passion for security, Matt is deeply engaged with the community to educate and prepare the next generation of cyber professionals.

On top of that, he’s a good friend of mine in the industry with solid advice for those looking for a career in Information Security.

In our chat, Matt breaks down a Sales Engineer’s role, explains his love of conference badges, and gets philosophical on issues related to those trying to make it in the field.

Episode Highlights:

The jack-of-all-trades nature of Sales Engineer work
Matt describes one company’s dishonest approach to “AI”
How a luxury car and stylish threads can make the wrong impression on your client
Con culture and breaking through the shyness barrier
Matt delves into #BadgeLife
The surprising accuracy of Hackers and Mr. Robot
How Matt’s art school’s aspirations shifted to IT
InfoSec wargames and the “Russian nesting doll” scenario Matt encountered working with a client
Why some companies prefer to live with a security problem rather than attempt to fix it
Lastly: Have you been keeping an ear out for my Easter eggs? Listen closely

Quotes:

“I’m here, the customer trusts me to be here, and I’m gonna make sure that when they’re done, they’re happy with the situation so that they never come back and say, ‘Hey dude, you screwed me over.’”
“You have to understand that you’re responsible for your own success. You can’t hide because you do have a quota.”
“If you really don’t like the technology you’re dealing with, you’re not going to sell it well.”
“It’s awesome... [and iconic,] that soundtrack is still incredible! On the way out to BlackHat this year, I watched Hackers on the airplane, and it was freaking me out… all of the attacks… are real world attacks we’re dealing with today still!”
“When you’re meeting with your audience, understand who they are and understand what they expect.”
“‘Hi, I’m Matt, and I’m an InfoSec addict!’ ‘Hi Matt!’”
“If you’re just getting into the industry, recognize that all of us have our skill gaps. There is no one who knows everything.”
“My thoughts on certs are, 'do you like to get paid?'”
“Most insider threats aren't malicious: they're just people trying to do their job and oftentimes working around the system to try to be more efficient.”

Links:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Christina Hanson - From HOA Manager to Headfirst Into InfoSec!

Ayman Elsawah (@coffeewithayman) — Mon, 22 Oct 2018 07:15:00 -0400

Christina Hanson is a security analyst working for Truvantis Cyber Security Consulting and one of my former boot camp students. She has extensive technical experience and a deep understanding of the collaborative nature of InfoSec, not to mention how women and other underrepresented groups in the community have a more difficult time navigating this industry due to institutional barriers.

In our discussion, Christina touches on the wide variety of resources and events that helped her enter information security, why teamwork is just as important as technical work, and why InfoSec's responsibilities will continue to grow in the near future.

Episode Highlights

How Christina's aptitude for IT led her down the path to InfoSec
The "elective" course Christina took that turned out to be career-changing
Why cooperation and group work are so important in InfoSec
The "soft skills" needed to work in security
Infosec was not her 1st or 2nd career!
An overview of Christina's day at Truvantis and how she works with clients
Christina's experience at a SANS women's academy and the Day of Shecurity conference
Why the InfoSec industry needs contributions from people from all backgrounds and how it benefits from diversity in general
The increasing accessibility of conferences and other tech events for those who can't attend
InfoSec's important role as companies have more and more access to users' data

Quotes

"I found that just the general atmosphere of security and the overall focus of what you're trying to accomplish was really helpful."
"Anything you're gonna do in security, you're gonna do as a team."
"Being open to learning new things is really important with this particular field."
"Even if I don't understand everything they're talking about, it gives me at least a start and a basic understanding that I can then research later."
"Being a professional in this field, it's so important that we are able to make other people safe."

Links:

Christina's LinkedIn: https://www.linkedin.com/in/christinahanson461/
Day of Shecurity: https://www.dayofshecurity.com/
SANS Women's Academy: https://www.sans.org/cyb
Merritt College: http://www.merritt.edu/
Dr. Johannes Ullrich: https://twitter.com/johullrich
SANS Daily Podcast: https://isc.sans.edu/podcast.html
The Cyberwire Podcasts: https://isc.sans.edu/podcast.html
OWASP: https://www.owasp.org
Amanda Rousseau (@malwareunicorn): https://twitter.com/malwareunicorn
Dead Drop SF: https://www.meetup.com/Dead-Drop-SF/

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

0day - From "Geek Squad" tech to DevSecOps

Ayman Elsawah (@coffeewithayman) — Mon, 15 Oct 2018 07:00:00 -0400

0day (“Zero Day”) is a security researcher who specializes in distributed systems security.

Throughout his career journey through a "Geek Squad"-like service at Circuit City ("Firedog") to trading floors and corporate information security, he’s amassed significant experience in the industry. He is an example of how security consciousness is important even before you're an official security "pro."

In our conversation, 0day discusses getting into computers as an inner-city kid, acknowledging how our hangups can affect the growth of InfoSec, the benefits of older technology, and much more.

Episode Highlights

0day defines distributed systems and how he and his team ensure they remain secure
How his first hacking experience arose out of necessity
The inner-city program that fostered 0day’s early interest in computer systems
How the Modem Age's less-advanced technology gave him a clearer understanding of how computers and the Internet worked
How Circuit City allowed o take his first step into the professional tech world
His first taste of information security dealing with his company’s most dissatisfied clients
Tracking down a security vulnerability through a coworker’s NSFW browsing habits
Thoughts on the modern security industry and how it could be improved
The importance of getting over prejudices and mentoring those coming into InfoSec
Book and conference recommendations for those starting out or interested in the industry.
Average routine at his current job
Why computer science alone isn’t a solid enough background to get into InfoSec
Advice for overcoming shyness at your first security conference

Quotes

“The malware I came across in those days, I still don’t see anything as unique.”
“We should really reach out to a wider swath of society to give them an interest in information security.”
“We, as a community, need to be less exclusionary by default and be willing to look at some of these candidates who we are ignoring just for the sake of our feelings toward a particular certification or particular path.”
“We, as people who are more seasoned in the industry, now have the responsibility to also make ourselves available to those who are coming into the industry.”
“When you take away some of the complexity, it makes it more difficult for someone to understand the underlying constructs, but at the same time, it makes it easier for them to access so there has to be a balance.”
“As you start to get really familiar with anything, you can see both the dark side and the light side of it.”
“We, as professionals, have some responsibility to disseminate correct, accurate knowledge.”

Links

0day’s Twitter account: https://twitter.com/0daysimpson
Youtube talk about Twitter: https://www.youtube.com/watch?v=vRYOQeJng50
Outro: "Cyber Sunset"

Getting Into Infosec:

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Dan Borges - From Infosec ITAdmin to Red Teamer to CTF Organizer

Ayman Elsawah (@coffeewithayman) — Mon, 08 Oct 2018 08:00:00 -0400

Permalink and Transcript: http://gettingintoinfosec.com/dan

In this first episode, I chat with Dan Borges, a professional red teamer, blogger, and security tool developer.

Dan Borges discusses his early experiences using and exploiting computer systems, how InfoSec experts work with companies, and the new tools he and others created and released this year!

Episode Highlights:

Dan explains how he became involved in information security,
including his introduction to programming through a Lego robotics
program.
His early experiences as a pen-tester—i.e. a penetration tester, who
looks for system security weaknesses—and why it’s difficult to get
hands-on experience in that field.
The benefits of becoming an Offensive Security Certified Professional
(OSCP).
What does a red team do in an organization, and how is it different
from pen-testing?
Dan describes the day-to-day life of a pen-tester and the kind of
conflicts they can run into.
A few war stories from the trenches of InfoSec, as well as some of
the tools pen-testers use.
How being grounded led to Dan’s earliest hacking experiences, and the
ways his parents fostered his interests and mentality.
What conferences should InfoSec beginners check out?
Fun and beneficial ways you can “hack” reading.
Dan’s tips for those starting off or looking to transition into
Infosec.
An in-depth look at one of the newer tools Dan uses for his work.
The rules and intricacies of InfoSec competitions.

Quotes:

“It’s such a catch-22 to get practical, hands-on experience to go to these jobs because, y’know, hacking’s illegal, right?”
“We don’t just go in and blow the brakes off people, we’re trying to measurably improve security.”
“It was a constant escalation war, cat-and-mouse like that. They’d take something away and I’d figure out how to use the computer with that limitation.”

Links:

Dan Borges’ personal blog: http://lockboxx.blogspot.com/
Dan’s LinkedIn: https://www.linkedin.com/in/borges1337/
Dan on Twitter: https://twitter.com/1njection
Dan and Alex's DEFCON Talk on Gscript: https://www.youtube.com/watch?v=8yjMlMf8NpQ
Gscript: Genesis Scripting Engine: https://github.com/gen0cide/gscript
NationalCPTC (Collegiate Penetration Testing Competition): https://nationalcptc.org/
Outro Music: Missing You by Trash80: https://trash80.bandcamp.com/track/missing-you

Getting Into Infosec:

Twitter: https://twitter.com/coffeewithayman
YouTube: https://www.youtube.com/channel/UCg6gV_gdfc188HZdN8LUx4A
Book: https://www.amazon.com/Breaking-Step-Step-Starting-Information-ebook/dp/B07N15GTPC/

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch

Trailer

Ayman Elsawah (@coffeewithayman) — Wed, 05 Sep 2018 17:58:00 -0400

Hi there! I am Ayman Elsawah, the host of a new podcast focused on helping you learn more about the information security field and how to be successful in it. We will walk through the shoes of seasoned information security experts as well as those new to the field, learn from their experiences, and find out how they got started. Join me on this wonderful journey!

Music: "Modem" by @Skilldrick

See omnystudio.com/listener for privacy information.

Mentioned in this episode:

Stay In Touch