Getting Involved in Network Security

Jeff McJunkinCCNA, GSEC, GCED, GCFA, GPEN, GCIH

Web Application / Network Penetration TesterAppSec Consulting, Inc.

Obligatory Disclaimer

• I speak for myself, not for my company.

• My views may or may not bear any relation whatsoever to the views of my employer

– Or anyone else for that matter.

Outline

•Gain skills

•Use those skills

• Talk to people

About me

This talk is especially relevant for me recently

• I graduated SOU in 2011– Computer Security / Information Assurance, emphasis

in digital forensics

• City of Central Point from 2008-2013– Systems / Network Administrator

• Now working for AppSec Consulting– This is my first week!– I’m telecommuting, too

About me

• I’ve won a few security challenges– SANS Network Security 2011 NetWars

– US Cyber Challenge Northern California, 2012

– 3rd place, NetWars Tournament of Champions, 2012

• I’ve been involved in the Collegiate Cyber Defense Competition– Red Team is the fun team, believe me

• I gave a Tech Segment on PaulDotCom Security Weekly last year, as well

My Coworkers

• Bill Sempf (Black Hat Speaker, OWASP author)

• Josh Brashars (Black Hat Speaker, Author)

• Travis LeeCISSP OSCP

OSCE GPEN

eCPPT GREM

GCIA GCIH

GCFA GSNA

MCSA

Goals of today’s talk

• Meta-advice

– Not about specific skills, but how to gain those skills

• Follow this advice, and hopefully you’ll be talking to the right folk

• Follow this advice, and hopefully you’ll be interesting to the right folk

Outline

•Gain skills

•Use those skills

• Talk to people

So, what do I do?

• Build a home lab

– www.reddit.com/r/homelab

– BackTrack, Metasploitable, and Windows XP go a *long* way

– Keep notes! You’ll need these later

An aside on money

• Don’t be afraid to spend some money on this

– You’re all in college, which is already costing you how much?

– Purpose of a liberal arts education

– Consider VMware Workstation, Microsoft TechNet (or MSDN:AA)

An aside on SOU…

• SOU can provide the foundation

– *If* you apply yourself

• Job-specific skills are for *you* to obtain

– Most won’t be taught in the classroom

Don’t expect to float through and then get a job!

So, what do I do?

• Blog about your work

– Seriously, no research is too small

– WordPress.com is free, grab your name and go

• By the way, you should all own “yourfullname.com”

• Hang out on IRC channels

– You’ll see what folk are actually up to, including some big names

– #pauldotcom, #metasploit, #backtrack-linux, for starters

So, what do I do?

• Learn a solid foundation first– Systems experience (Windows and Linux at a minimum)

• Administration• Forensics• Defense• Attack

– Networking experience (Priscilla Oppenheimer will be here next week!)• Network forensics

– Programming• Pick one of {Perl, Python, Ruby}• Pick one of {Bash, PowerShell}• Optionally, pick one of {C, C++, Assembly}• Learning Windows Command Prompt (cmd.exe) is helpful as well!

So, what do I do?

• Specializations are complicated. Learn the foundation first.• Examples:

– Attack or Defense• Wireless

– 802.11{a,b,g,n}– Bluetooth

• Web– Microsoft stack (ASP, ASP.NET, etc.)– Linux stack (LAMP, jQuery, etc.)

• Application– .NET– Java

• Systems– Windows– Linux– Mac

So, what do I do?

• Listen to security-oriented podcasts

– PaulDotCom

– Exotic Liability (NSFW language, great content)

So, what do I do?

• Read blog posts from smart folk– I’d recommend Google Reader, but Google recently said

they’re going to take it offline– Feedly is quite popular recently

• To start you off… (Google these to find the sites)– IronGeek’s Security Site– Krebs on Security– Metasploit Blog– PaulDotCom– TaoSecurity

• Email me for more if you’re interested– apparently I now have 305 RSS feeds

Outline

•Gain skills

•Use those skills

• Talk to people

Use those skills

• Consider security challenges– In-person:

• Collegiate Cyber Defense Competition (talk with Daniel and Lynn, then sign up as a school for next year)

• United States Cyber Challenge

• NetWars (paid)

– Online:• DC3

• pen-testing.sans.org (search for Holiday Challenge)

• forensicscontest.com (Network Forensics)

Use those skills

• Blogging helps here, too!– Play with a new tool, then write a quick blog post about it

– 500 words and an hour of documenting

– Post it to reddit.com/r/netsec and ask for feedback• Be prepared to get it

• Find a problem with another person’s research?– Write up a nice blog post, post it, email the person

• Find a problem with another person’s tool?– This is where coding helps!

• Sign up for GitHub, pull their code down, fix it, send a pull request

• Those of you in Daniel’s classes will know Git, right?

Building the habit

• Building the habit is more important than the actual work at first

– Spend 10 minutes every morning reading a few blogs and try one command in BackTrack

– After a month or so, consider putting a bit more time in

Outline

•Gain skills

•Use those skills

• Talk to people

Talking to the right folk

• Half the challenge is just showing up

• Just ask!

1. Find folk in the valley doing interesting stuff

2. Ask to help them for free

3. …Profit? Learn!

• Carl, Jesse, and Lana are great examples!

Talking to the right folk

• Southern Oregon Geek Group (sog.gy)

– Attend a monthly dinner (first Thursday of the month, 6:30pm at Four Daughters in Medford)

• Standing Stone Thursdays

– But shhh, it’s a secret

– 5ish to 6:30ish

• Ask your professors about industry contacts and internships!

Conclusion

• Looking to get into network security?

– Good news, everyone!

– Unemployment in this field is hovering around 0%

• Don’t get into it for the money

– Be prepared to work hard

– Keep up-to-date

• Latest threats, attacks, defenses

Questions?

• Email me at jeff.mcjunkin@gmail.com

– Want a lesson plan? I just made one for a few of your fellow students…

• Care to chat later? Let me know, I’m always up for coffee!