Skills and Knowledge for InfoSec

As a consultant for an incident response firm, the engagements we get are typically fairly fleshed out in terms of being a security or operational incident. Every once in a while, we have calls come in that seem very security focused when described by the customer contact but after arriving onsite they work out to be an operational incident. It can take a lot of experience to really take the problem down to its roots to even make an approach at root cause.

There have been a lot of discussions flying around about various skill levels required for InfoSec jobs. Along with that, many have expressed concerns about the job postings and the requirements that get listed, and I joined in a little while back. Others have made bold statements that InfoSec jobs shouldn’t be entry level jobs since the skills needed are gained through other roles. I am in the middle on that feeling. I have met some very smart people that seem to just ‘get it’ and do well in InfoSec without other prior experience, and I have also met people that have spent 20 years in IT that don’t understand some of the basic concepts. It really goes both ways.

Although I do not hold the opinion that InfoSec is not an entry level job, I do think there is a lot to learn that can be extremely beneficial to a role in InfoSec. I recently went out on an engagement that required an incredibly deep understanding of routing and switching concepts. I am not talking about having the magical skill of being able to calculate subnets in your head (although I was able to do that at one point in my past). I was facing one of those security vs operational incidents I mentioned above.

I spent a lot of time in a network admin role. I took over management of a medium sized business nationwide network. The network had previously been built (incorrectly) by a supposed networking expert. I spent a lot of time understanding what the problems were and addressed each of them as components to an overall problem. The result was a lot of positive comments from end users about the improved speed and reliability of the network. I ended up rebuilding about 90% of that network at another point later during a move from Frame Relay to MPLS. I spent time studying proper network design and function to make sure I was doing things correctly.

I mention this because the recent engagement I went out on involved a few components that at a glance could easily appear like very serious security issues. A proper understanding of networking principals, and along with that the OSI model, was absolutely essential. There were a ton of components that when viewed as a whole would lead down a ton of rabbit holes.

In Incident Response especially, we need to have the ability to view the problem as a whole, but also be able to break the problem down into the various smaller components. That is what an investigative / analytical mind does. Those components often times are not all contributing to the problem. They are often times a symptom or result of another problem. If you don’t have the knowledge to separate those components from the overall problem, then your incident is going to be much more difficult to resolve.

To those of you that are considered entry level:

  1. You can learn on the job, but you need to make sure that you take on a job that will give you that opportunity. Make sure that your role will be involved in technology across the board to get the exposure.
  2. Find a mentor that seems to be the right personality for you. That mentor can guide you to various topics that would be very beneficial to your career in InfoSec.
  3. Understand that there will be jobs that are requiring skills that you don’t posses. The postings don’t always reflect the true picture of what that company is willing to hire.
  4. Ask your mentor for help in applying. Ideally, that mentor will be well connected in the industry and would have already started to expose you to various people around the industry. If that hasn’t happened yet, there might be a reason for it (maybe you aren’t ready), or your mentor might not be supporting you as well as needed.
  5. Show your efforts in learning. Make sure that people understand the time you are putting into improving yourself. This doesn’t mean that you constantly brag about your self, but you can demonstrate your learning in many different ways.

InfoSec can be a tough place to work since we have to know a little about a lot. Embrace your curiosity.

James Habben
@JamesHabben

Infosec Jobs

I unintentionally started a small storm on #infosec twitter the other day. In that storm I received responses in extremes that I didn’t even know existed. I wanted to give a bit more depth to that thread than what 140 characters can convey.

Let me clear the air a bit first. That was not an attempt to broadcast me searching for a job. I am not ‘on the market’ and no I didn’t apply to any of those jobs that I tweeted about. That was also not an attempt to phish for compliments, ego inflation, or many other interesting things I was accused of in private messages and subtweets.

The Backstory

Here is what happened. As a Senior Consultant for an Incident Response firm, I periodically take a look at other jobs that show up on the market for situational awareness. I have found that the industry titles seem to vary quite a bit as the responsibilities of my Senior title seem to be equivalent to other firms’ Principle, Lead, Manager, or even Director titles. There are Managers that don’t manage, and there are Leads who do. It is pretty spread out.

While looking at one of those postings, I said to myself “Hmmf. I can’t qualify for this job with the same title at a different firm.” I then did a mental inventory of my professional network and started identifying people I have connected with in the past that I could reach out to if I were to go through the application process for that job. That took me to another statement to myself, “How does someone with less time in the industry (and likely less connections) make it past any of these requirements.” Naturally, this mostly applies to folks that are very new to the industry. Then off to twitter I went.

The Response

The responses that I received came in through all different avenues: text, LinkedIn, Twitter, Email, even one on Instagram. I would have probably seen a few on Facebook, however I do not currently possess any credentials to logon to that god-forsaken website.

The responses also varied in their messages. I got a few that definitely do not need repeating, and I’m not exactly sure where the motivation came from behind them. On the other extreme, I received a response from someone (or someones) in my network at every one of those companies that I mentioned in a tweet. Many have very graciously offered to put me in touch with someone to get me hired there, and this would bypass the HR and recruiters to ensure that I was considered. I am thankful for all of those responses since it shows how much of a community I have with those individuals. That wasn’t my intent though, and I hope this post makes that more clear.

The Bypass

What makes me so special? Why did so many people offer to take me around the filters?

I have been in the industry for a really long time
This doesn’t mean I know what I am doing. At the most basic level, it means I have been able to fool enough people for a long enough time to stay employed. While that is not an accurate representation of me as a whole, my length of time makes no other indication.

I work for BigName firm
Yup, I do. I also know a lot of people that are very new to the industry and still have a lot more to learn that also work for big name firms. This also does not show anything about me.

I have followers on Twitter
Ya, I have some. There are plenty of people that have tons more followers than I do. There are also folks that I know who are extremely knowledgable and very good at their jobs with a double digit follower count or no Twitter account at all. It is quite easy to look smart on the internet when I have time to plan and research what I decide to make public.

I have a blog to share my thoughts and research
Now we are getting somewhere. My posts on this blog are a far better representation of who I am than some of the things mentioned above this. Although, it is still quite easy to look smart here because of the time allowed for planning and research. What is more difficult to fake, however, is my communication skills. My writing here is a clear demonstration of my abilities to convey points to a widely varied audience, although the majority of readers here seem to be more technically focused. We are finally looking at something that employers could use in their evaluation of me as a potential candidate.

I have spoken at conferences
Another point that gets more into who I am. We are also getting into an area that is a bit harder to fake. Sure, there is still prep and research involved ahead of the point in which I am delivering my talk, and I certainly do plenty of that. What is nearly impossible to fake is my presence in the room and my authority on a topic. As a bonus, there have even been recorded sessions I have delivered that are available publicly on the internet, and this allows me to provide another demonstration of me to a potential employer.

I know lots of people
This seems to be the most significant point in this list. My time in this industry has put me in contact with a large amount of people. People I have made enough personal connection with to where they care about my wellbeing in terms of being employed. People that have calculated the risk involved, and are still willing to put their reputation and connections on the line to help me.

The Takeaway

Every job I have held has been through some connection. I have not received any jobs where I applied through some web portal. I have tried some of those in the past, and have many times not even received a courtesy rejection letter. My experience is often not categorized as ‘cybersecurity’ or ‘infosec’ depending on which recruiter I talk to.

If you are struggling with breaking into the industry, here are my pointers (which is really an echo of so many others’ great advice as well):

  1. Start a blog and post about stuff. it can be research, thoughts, infosec challenges, or a number of any other topics. If you would like some help getting started on this, please feel free to reach out to me. I enjoy helping motivated people. The information you put in public can give employers more data to consume when you are short on other requirements.
  2. Work on your soft skills. I have a few posts up here about how soft skills can be improved in various ways, and I intend to continue these posts. You need soft skills in this industry if you want to get into the better jobs. Interviews will make or break your job application in the end.
  3. Go out and meet people. This can be virtually or physically. There are quite a number of people who I would consider to be a step above acquaintance in terms of relationship who I have never met. Some I might not even know their real names! Connections will get you in the door.

Last point, I am in no way criticizing the companies that put up those job listings. They have reasons for asking for those requirements, probably because something has bit them in the past. I am not saying they should relax their requirements either. What you as an applicant has to recognize is that the requirements are not always requirements. You need to make meaningful connections to get access to the people that are making the hiring decisions.

I hesitated about initially sending those tweets, and again about writing this post. I am sure another round of hatemail will be heading my way soon. Also, it is not easy to publicly admit that I don’t qualify for so many positions in the industry I have been in for so long. I probably don’t even qualify for the requirements of my current position either. As someone facing the challenges of the hiring process, I hope this can give some comfort and help in your quest.

Good Luck!

James Habben
@JamesHabben

Soft Skills: Respect

I’m sorry that you interpreted our discussion in the way that you did

I was recently the recipient of this statement. In the best case, it is frustration to hear or read this. In the worst case, it can be depressing and completely demoralizing. Let me provide a few examples with a little elaboration:

As a teacher:
I’m sorry that you didn’t understand what I was saying. It is only my job to talk at you and you are responsible for listening and figuring out the message I was intending to deliver.

As a consultant:
I’m sorry that you didn’t get what I explained. I do this on a daily basis and know so much. I also don’t have time to explain these things to you.

As a friend:
I’m sorry you didn’t interpret that conversation correctly. I was trying to help you to be a better person, but you couldn’t get over yourself enough to hear what I was saying.

As a potential employer:
I’m sorry you understood my statement incorrectly. I hold all the power here and you should be bowing to me to show that you are worthy of a job here.

As a boss:
I’m sorry you misunderstood my instructions. You should have listened better. I know exactly what I was saying and it is your fault you don’t.

Own It

When you decide to take on the task of explaining something, it has become your responsibility to ensure that all of the recipients correctly understand the message. If they don’t, it is YOUR FAULT. This may come as a news flash to some people, but there is no such thing as a mind reader. If you do not explain things in a way that people can understand, you are setting someone (or someones) up for failure.

From Jessica Hyde:
The phrase “I’m sorry” is absolutely meaningless when the onus is then placed back on the party being apologized to in the qualifier. Apologies should be formatted ” I am sorry I…” not “I am sorry you…”. Argh. The second is just rude.

From Mitch Impey:
the basic rules are valid in every industry and respect is key 🙂

Treat everyone with respect. Someday it will bite you.

James Habben
@JamesHabben

Soft Skills: Be Present

On the heels of an industry conference, there are so many emotions running through me. Excitement – to apply new techniques and tools to my work. Frustration – that I didn’t get over my shyness to engage with others that also looked shy. Happiness – that I got to see friends from around the world that would otherwise be logistically difficult. Pride – that I didn’t screw up too badly while talking in my sessions. Exhaustion – that I didn’t get enough sleep because there are only 24 hours in a day. This time for me, it was Enfuse 2017.

In reflection, there was one trend that I noticed quite a lot during the conference. Many people were not being present in their conversations with others. I saw this in hallways between sessions, during mealtimes, and at the various parties. I wasn’t immune either, as I caught myself a couple times as well. There is always a lot going on at conferences, and that makes it especially hard to stay focused on the current engagement. This is one of the best times to either start building or further reinforce a connection with other like-minded folks in the industry. Some call it networking, although I prefer the word connecting because I feel that ‘networking’ doesn’t convey the right meaning.

Networking is when you go to an evening mixer party with a stack of business cards hoping that the numbers will work for you. The larger the number of people that have you card, the more likely you are to get contacted about something. That something might be a sales lead, a job opportunity, or even a free meal. This is not a bad thing.

Connecting is when you spend time to get to know a person. The key difference is how you engage. You focus on the one or few people in the circle and you pay attention to those people. You listen to the conversation and interact.

Some focus points to be present:

  1. Keep your phone in your pocket, purse or bag
  2. Turn your phone alerts off if you are too easily distracted
  3. Look at the person talking, not behind or beside
  4. Point your feet at the person (or group) to help keep your body engaged

Some points to help others be present:

  1. In a networking/connecting event, don’t latch onto one person and prevent them from being able to make other connections
  2. If you notice another person drifting away from you, politely bring it into conversation to either lock in attention or give the opportunity to disengage
  3. Pay attention to your own behavior to ensure you aren’t causing someone to drift
  4. Respect other people’s conversations – don’t barge in and take over

Any other tips you have to be present?

UPDATE: Reading Material

How To Win Friends & Influence People by Dale Carnegie
Part Two, Section 6 – How to Make People Like You Instantly

Key point: Make the other person feel important – and do it sincerely.

This book was originally written in 1936 and is still considered one of the best on this subject. It is referenced by almost every book that presents thoughts and ideas. You will serve yourself well by reading this book, and not just once.

This chapter gives many examples of situations on both sides of this recommendation – making yourself the most import and showing others that they are important. It is a great read with a lot of perspective.

There is nothing more frustrating to a person than to feel like the other person doesn’t value the discussion. Although some people do love to talk for hours regardless of anyone actually listening, I will hold off that discussion for another time. If you don’t want to be there, respectfully disengage. If you want to be there, be there.

James Habben
@JamesHabben

Real Self Improvement

This Digital Forensics and Incident Response (DFIR) industry attracts a lot of hard working individuals. The curious nature of people is what has stood out to me the most in all the people that I have talked to. We have an internal drive to find out how things work, and that is not satisfied until we know every part. This is a big part of what makes us stick to a job that can sometimes seem like a battle that could never be won.

The Ongoing Battle

The battle we face is a constant discovery of new artifacts and techniques. These come from both the offense side and the defense side. We don’t all have time to research these on our own, and the community is fortunately very supportive in that there a blogs to detail these findings. The offense finds a new hole and shares with their like minded folks. Then often times the defense finds a way to detect or monitor, and there is more sharing with the like minded community. You only need to see the list of links for a one week period on thisweekin4n6.com to understand the volume and community we have.

Constant Improvement

Because of the community, there are tons of resources to explain all the technical loveliness that we all enjoy. Improving our technical skills is a very achievable task. Reality is that some of the skills I learned to examine Win2k systems are (thankfully) starting to fade. Our tech changes with rapid speed.

What about our non-technical skills? Do you make any effort to improve how you interact with other people? These are often referred to as ‘soft skills’ and you will find them listed, in some form or another, on every job opening.

  • Strong communication skills
  • Ability to convey technical concepts to others
  • Be a team player
  • Comfortable speaking to a crowd

In fact, you might have been a witness to a peer getting a promotion instead of yourself while you have proven multiple times that you are far more technically capable than this peer. Your technical skills were likely not even part of the consideration for that promotion, as the soft skills matter much more when moving up.

Steps

The first step is always to realize. I won’t call this a problem because I don’t see it as such. It is a deficiency, and one that can easily be corrected if you will first make that realization.

Next, make a commitment to improve. I mean a real commitment. You won’t make much progress if you don’t take it seriously. Improving soft skills is a whole lot harder than improving your technical skills. You cannot do it alone.

Find someone to help you be accountable. This can be a sibling, friend, classmate, coworker, workout partner, or even someone you just met at a local association meet up. The important thing to find in this person is the ability to be called on the carpet if you are not following through. You know yourself best and what type of person you would be most receptive to.

Find a mentor (or two). This mentor doesn’t have to be someone in the DFIR industry since soft skills are pretty universal. In fact, you might find some extra insight from someone outside your circles. Don’t be afraid to aim high either. For the most part, I have found that people are very willing to give advice all the way up through the C-suite. If there is someone who you admire for a certain trait, go talk to them and find out about the struggle they had to gain that trait. There is an interesting program called infosecmentors.com that might be a good start.

Lastly, don’t waste time. This is one of the only things in this world that we can’t just make more of. We can make more money. We can learn more things. We can drink more whiskey. We can’t take back the hour that we sat listening to that one guy who just wanted to blabber on and on about the things only he thought were important. Be respectful of your time and anyone else you ask for time from. These people will want to see improvements made, or they will start to see time spend with you as a waste. Set an expectation of time with a person and don’t waste it.

More to Come

I have seen and heard a lot of discussion about soft skills in more recent times. I initially wanted to put together another ‘must read book list’, but I decided that I would take a little more time and talk about some various soft skills that we can work on improving together. I will be writing about these in future posts and I will provide information about some of the books that I continue to use in my path of improvement. This can be an intimidating set of skills to improve, and I want to help you do it.

James Habben
@JamesHabben