Author: Ron Woerner

Careers, Security Education

CompTIA Security+: The Gateway to Security Certifications

Posted on by Ron Woerner

One of the greatest hindrances to mitigating cybercrime is the lack of qualified and skilled professionals trained in cybersecurity.

Cybersecurity is a rising career field with a need for more security professionals in all industries and types of organizations. One of the greatest hindrances to mitigating cybercrime is the lack of qualified and skilled professionals trained in cybersecurity. Companies are looking to fill these roles. And there are numerous people interested in entering the field. There are three categories of people interested in joining the fight:

  1. Young professionals starting their careers
  2. Experienced professionals moving from one career into cybersecurity
  3. Professionals at all levels wanting to learn more about it to better protect their personal and business lives.

All three begin with the question: where do I start my learning about cybersecurity?

Where to start a cybersecurity learning journey

If you’re wondering where to start in cybersecurity, start with CompTIA Security+. Out of the many security certs out there, it’s the easiest route to get certified and learn more about the technologies and business of cybersecurity.

The CompTIA Security+ SY0-501 exam is an internationally recognized validation of foundation-level security skills and knowledge and is used by organizations and security professionals around the globe. This certification proves an IT security professional’s competency in topics such as threats, vulnerabilities, and attacks, system security, network infrastructure, access control, cryptography, risk management, and organizational security.

Courses such as the Cybrary Cybrary Security+ video series covers these topics to prepare students for the CompTIA Security+ SY0-501 certification exam. The fundamentals taught in this class will help you get started in a career as a cybersecurity analyst and build your security knowledge base.

For those entering or even moving around the career, you should understand the many job roles available and find the one that best fits you. The Cyber Seek website (https://www.cyberseek.org/pathway.html) contains a list of careers. It provides an interactive career pathway of key jobs within cybersecurity, common transition opportunities between them, and detailed information about the salaries, credentials, and skillsets associated with each role.

The journey is more important than the destination

With CompTIA Security+ or any certification, note that the journey is more important than the destination. The goal is not simply gaining a certification and letters after your name, but understanding all aspects of a complex and wide career field. Studying for a certification is often the start of your learning about cybersecurity. It expands your mind and helps you see the entire playing field required of cybersecurity analysts. It also lets you know about your strengths and weaknesses, since it’s near impossible to know everything about all areas of cybersecurity. For example, if you enjoy the technical aspects, then you should look at being a security administrator, pen tester, or forensics analyst. If business is more your forte, you should focus on policy, governance, compliance and risk. The certification journey helps you determine your focus areas so you can have maximum effectiveness, no matter your career choice.

Benefits of certifications

Certifications establish your credibility in the industry and open doors for jobs.

Certifications establish your credibility in the industry and open doors for jobs. It’s often the first thing requested in job descriptions. Certifications show you have knowledge in a specific area or indicates that you have the subject matter expertise and that you’ve taken the effort to obtain and maintain it.

If you’re starting your cybersecurity journey, look to the CompTIA Security+ as the place to jumpstart your career and gain critical knowledge in protecting your personal life, your organization and ultimately everyone.

For more information about Cybersecurity careers, see my previous Peerlyst blogs:

I’d love to hear from you about your experiences with cybersecurity certifications as part of your career journey.

Careers, Concepts, Human Aspects, Security Education

Choosing your Cybersecurity Career Path

Posted on by Ron Woerner

  • Landing and keeping a job in cybersecurity
  • What’s best for your Cybersecurity career: certification or a degree?
  • Strategic (GRC) vs. Tactical (Technical) career paths

I’m often asked by folks entering the cybersecurity career field, “How do I land (or keep) a job in cybersecurity?” and “Should I get a degree in cybersecurity or focus on certifications?” The bottom line is that there is no one answer that fits everyone. As with most things in life, it depends. Where you are at in your career, life’s journey (i.e., age), financial resources and your own ambitions are all things to consider. In this post, I’ll cover options in hopes of helping you understand the benefits of each and how you can grow your career as a cybersecurity professional. This is part 2 of my series on Breaking into Cybersecurity.

From a career or professional perspective, information security (aka cybersecurity or information assurance) is now a stable and growing profession. Information security jobs are expected to increase by 28 percent through 2026, according to the Bureau of Labor Statistics (BLS). With all the opportunity, landing a cybersecurity job can still be tricky trying to meet the laundry list of requirements that are often looking for the optimal candidate who walks on water.

Below are some steps for you to determine certs or degree and help you build your cyber career:

  1. Pick a path. There are two main categories of cybersecurity careers: Strategic and Tactical.
    1. Strategic includes Governance, Risk, and Compliance (GRC), Policy, IT Audit, security frameworks and management.
    2. Tactical includes everything technical: security systems administration, networking, application security, security operations, incident response, vulnerability management, and penetration testing.

Pick the one where you have the most strengths. If you love playing with technology, go tactical. If you’re more prone to management and process, consider strategic. A word of caution: don’t try to do both and be a jack of all cybersecurity trades. Folks in this position (like me) are often seen as a master of none and are disqualified from many jobs. I’ve been told dozens of times that I’m too technical for strategic jobs and not technical enough for tactical. By the way, picking one over the other does not mean you won’t need to know how the other side works. Strategic needs to understand technology and tactical needs to get business risk. The Cyber Seek website (https://www.cyberseek.org/pathway.html) contains a list of careers for each path.

  1. Determine your education path. This is how you will reach the goal of getting the cybersecurity job of your choice. Cybersecurity degrees and certifications each have benefits and costs. Both can be used to open doors on cybersecurity careers.
    1. Degree – Expand or gain knowledge over time. With a degree you learn how to learn. This is crucial in the ever-changing cyber world. You’ll also gain additional professional skills like communications, leadership and management. Another positive for education is that a degree is forever and does not require any upkeep. It will get you in the HR screening process door if an IT degree is a particular job requirement. It indicates that you have the work ethic to complete something. Of course, it comes at a cost; both time and money. An inexpensive education option in the United States are 2-year schools (aka community colleges). The National Security Agency (NSA) designates 2 and 4-year schools as Centers of Academic Excellence in Cyber Defense. See https://www.nsa.gov/resources/students-educators/centers-academic-excellence/.
    2. Certification – Establish your credibility. Certifications show you have knowledge in a specific area or indicates that you have the subject matter expertise. If you’re just starting in cybersecurity, the CompTIA Security+ (http://bit.ly/2Ei6Xtw) is the perfect place to start. It covers the basics, without requiring you have extensive knowledge or experience. Certifications based on a point in time and require continuing certification. The benefit is that you can often take a 1-week boot camp or watch a video series like Cybrary and complete the certification exam shortly after. This can be a low-cost option for many.
  1. Practical Experience / Practice. Getting certifications or a degree does not guarantee a job. You must continually practice what you’ve learned and build on that knowledge. This should come from both practical experience and personal practice.
    1. Experience. For many cybersecurity jobs, this matters more than degrees or certifications. For those who are new to the cybersecurity career field, start in a help/service desk or security operations center (SOC). These are great ways to gain positive professional experience learning how cybersecurity operates within an organization. You can also gain experience by volunteering to fix or security computers for a community group (e.g., senior center, religious organization, etc.). In return, ask for a reference. By the way, you don’t have to start in cybersecurity. All careers can teach about professionalism and how organizational operations. These can provide much-needed perspective outside of technology.
    2. Practice & Do Your Homework. Cybersecurity is a career where you must keep learning and relearning to stay relevant and keep your skills sharp. I often tell my students, “Homework begins after you graduate” and “The real test is in the real world (not in the classroom).” You flunk a test in school, you can still graduate. You flunk a test irl (in real life), you won’t get the job or get to keep your job. This means you need to keep learning. Take advantage of sites like Cybrary that provide free videos on many aspects of security.
      1. For the strategic / GRC track, you need to read a lot about cybersecurity. Study the latest frameworks (NIST, CSC), laws and regulations (PCI, HIPAA, GDPR, State Laws, etc.). Read security news like krebsonsecurity.com.
      2. For the tactical / technical track, practice your skills. You should have a home lab environment with physical equipment, virtual machines or both. You can do much of this for very little cost. Learn Linux by getting a Raspberry Pi or load VMWare or VirtualBox. Learn how to hack and protect yourself.

No matter the path, you need to:

  1. Be aware of the other side. If you’re tactical / technical, you still need to understand strategic / business, and vice versa.
  2. Network (the human kind). Join security groups in your community like ISSA, ISACA, ISC2, OWASP, Infragard, etc. This is a great way to meet other passionate cybersecurity professionals. These groups may also provide mentors to help you chose your path and keep your skills sharp through continual learning.

This is just a short tutorial on building your cybersecurity career. Like in the Matrix, you need to pick a path (the red pill or the blue pill / strategic or tactical / education or certification) and move towards your goals.

If you chose not to decide, you still have made a choice. Don’t let the choice be made for you.

Careers, Concepts, Security Education

Breaking into Security Careers – 2018

Posted on by Ron Woerner
Cyber Careers

Cybersecurity continues to be a hot career field with many job opportunities. This means more and more folks want to break into it. A common question I’m asked is, “How do I get a job in information security / cybersecurity?” We continue seeing people who are interested, but don’t know the steps it takes to start or extend a cyber career. This blog post answers the question, “How do I break into (the) security (career field)?” It’s updated from my 2014 and 2015 blogs.

Career Triad

To get hired as a security professional, you need a mix of experience, education, and certifications. It takes all three to not only land the job, but also be successful in it.

1. Education: With education, you learn how to learn. Cybersecurity is a vast field and it’s nearly impossible to know everything. You need to be able to learn and adapt quickly to new technologies, situations, and processes. Education also builds the soft skills of critical thinking and communications. It’s readily available both online and in-person through local universities and training partners like CyberVista or Cybrary.it. It’s hard to study on your own. These resources provide you with expert instruction and guidance to not only pass the certification exams but also gain knowledge to succeed as a security professional. When looking at formal education, seek out 2 or 4 year schools that are designated Centers of Academic Excellence in Cyber Defense by the NSA and DHS.

2. Experience: You gain experience and a fine-tuning of your abilities through work, volunteering and building your own home cyber playground. Almost every job today has an aspect touching technology. Do your homework and learn all you can about it. Ask others if you don’t know. It’s also easy and inexpensive to build your own home lab or playground. Finding an old computer or getting a Raspberry Pi and learning Linux is a great technical experience builder. You can also gain experience by volunteering to help secure a local non-profit, your church, or other community organization.

3. Certifications: IT certifications get your foot in the door and help you move up in your career by showing employers you have the skills they’re looking for. CompTIA Security+ is and has been the optimal starting point for security certifications. It helps you prove basic competency in topics such as threats, vulnerabilities, and attacks, system security, network infrastructure, access control, cryptography, risk management, and organizational security. Don’t stop there. Keep your career moving by building on it with other ones like the CompTIA cybersecurity certifications (CySA+, CASP, or PenTest+). CompTIA CySA+ and CompTIA PenTest+ delve further into the cybersecurity specialty, validating the complementary skills of offensive and defensive cybersecurity teams. If you’ve been in cybersecurity for a while and want to remain in a hands-on enterprise security, incident response and architecture role rather than moving into management, CASP is for you. Once you’ve gained five years of cyber experience with those certifications, you’ll be ready for advanced cybersecurity certs like (ISC)2’s CISSP or ISACA’s CISM or CISA.

Once you’ve decided that cybersecurity for you, decide on your career track. Cybersecurity is both vast and wide and covers a myriad of jobs. Figure 1 shows the high-level cybersecurity careers. Don’t try to do or be everything for everyone. What cyber job excites you the most? In which one(s) do you have even a little knowledge and skill? Base your decision on your strengths, interests, experiences, and future goals.

Cybersecurity Career Paths

Once you’ve decided that cybersecurity for you, decide on your career track. Cybersecurity is both vast and wide and covers a myriad of jobs. Don’t try to do or be everything for everyone. What cyber job excites you the most? In which one(s) do you have even a little knowledge and skill? Base your decision on your strengths, interests, experiences, and future goals.

The NIST National Initiative for Cybersecurity Education (NICE) is a great resource for cybersecurity career information. The NICE Cybersecurity Workforce Framework, aka NIST Special Publication 800-181 is a national focused resource that categorizes and describes cybersecurity work. CyberSeek provides detailed data about supply and demand in the cybersecurity job market. Use it to see where and what the cyber jobs are through interactive maps and career pathways. NIST NICE provides numerous other resources invaluable to cybersecurity job seekers. The nice thing about these (pun intended) is that it’s all free.

Security Professional Traits

The following traits are common among successful cybersecurity professionals. Having each will differentiate you from others when you’re hunting for a job or looking for a promotion.

  • Curiosity – A wonder on how and why things work. All hackers are curious.
  • Critical Thinking – goes with #1. You need to go beyond the obvious and be able to analyze your environment to best fit business needs.
  • Communications skills – you can find the coolest things, but if you can’t effectively let others know, it’s like a tree falling in the forest. Build your ability to both write and speak. This is where education can help.
  • Technical Skills – You need to know your way around computers, networks, and applications. Understand what’s happening under the covers. You should build this both on-the-job and on your own.
  • Maturity – Stuff happens. You need to be able to keep your head when all h311 is breaking lose.

Each are discussed in more detail in Eric Steven Raymond epic paper from 2001, “How to Become a Hacker,” which should be required reading for all cyber professionals.

Join the Community

The last piece of advice is for you to join a local or national cybersecurity organization. ISSA, ISACA, (ISC)2, and OWASP have chapters throughout the World. They provide access to expert instruction on cybersecurity topics. There’s also tremendous power in networking (the human kind). Most jobs are found through someone you know. Plus, at their meetings, you’ll can meet other passionate cybersecurity and IT professionals to help you jumpstart or extend your cybersecurity career.

For more ideas on breaking into cybersecurity careers, I recommend Launch Your Cybersecurity Career in 8 Steps from CompTIA: https://goo.gl/3aV74t.

Cybersecurity jobs are aplenty and it’s a great career. It’s up to each worker to set her/his own path. Use the ideas above and share others.

Security Education, Security Management

Accelerating cybersecurity education to meet industry demands

Posted on by Ron Woerner

Seasoned information security professionals now have another flexible option to complete a Masters of Science in Cybersecurity, with the Bellevue University accelerated cohort format. The new online degree program enables students to complete their degree in about 14 months, alongside other professionals in their field. The cohort group will take all of the required courses together and finish at the same time, sharing experiences and expertise along the way.

There are twelve classes taken two classes at a time, each lasting nine weeks following a set agenda.  All of the classes are held online, which enables flexibility with student schedules. When students complete the program, they will have attributes, knowledge, and skills needed by industry as a master information security professional.

The faster pace of these classes requires students to enter the program with a set of knowledge, skills and abilities in information security. Students accepted into the accelerated cohort format must be seasoned professionals with a Bachelor’s Degree in Computer Science, Computer Information Systems, or Information Assurance/Cybersecurity, at least ten years of directly applicable information security experience, a major security certification (CISSP, CISA, CISM), and notable communications skills (published or spoken at conferences).  This allows a common frame of reference and skill level among all students.  In other words, students are learning with their peers and are able to share common problems and collaborate on solutions.

This program will be led by Ron Woerner, who has extensive academic and industry experience.  [See his bio here at http://academic2.bellevue.edu/rwoerner/.]  Ron is looking to work with students as professionals rather than the traditional teacher-student relationship.  Participants are encouraged to leverage their experiences and knowledge in completing the course work.  “I love joining people in their educational journey and learn alongside them.  I see my job as coaching them to that next level of their career rather than professing what I know down to them,” says Ron.

Students lacking the certifications and experience are encouraged to enter the traditional Masters of Cybersecurity program. This format allows students to take 1 or 2 classes per quarter term.  Twelve courses are required for graduation, however the traditional program allows students to pick their class schedule and concentration classes based on their preference.  This is more suited for people transitioning into the cybersecurity career field or looking for a more flexible program.

For more information on the Bellevue University Masters of Science in Cybersecurity programs, go to http://www.bellevue.edu/degrees/master/cybersecurity-ms/.

RWoerner-Class

Human Aspects, Security Education, Security Management

Breaking into Security – 2015

Posted on by Ron Woerner

One of the common questions I am asked is, “How do I get a job in information security?”  Infosec continues to be a hot career field with many job opportunities.  Therefore, we continue seeing people who are interested, but don’t know the steps it takes to gain employment in information security.  This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question of how I got started in security.  It all started as a computer science major at Michigan State University. I was also in Air Force ROTC.  This combination allowed me to start developing my security mindset.  As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator where I learned how to apply technical controls to protect the systems and its data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s not generally an entry level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity.  Traits to be successful in cybersecurity include:

  • Curiosity – A wonder on how and why things work
  • Critical Thinking – goes with #1. You need to go beyond the obvious
  • Communications skills – you can find the coolest things, but if you can’t effectively let others know, it’s like a tree falling in the forest
  • Technical Skills – You need to know your way around a computer
  • Maturity – Stuff happens. You need to be able to keep your head when all h311 is breaking lose.

The security community has a vast number of articles on breaking into the security career field.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago. Things really haven’t changed over the years.  The career path still requires education, training, experience, and persistence.

As an extra, added bonus, here’s a 3 ½ minute Ted talk from Richard St. John: 8 secrets of success http://www.ted.com/talks/richard_st_john_s_8_secrets_of_success.html (Watch for his explanation of CRAP).  It’s great, general information on how to succeed in any career.

1
Human Aspects, Security Education, Security Management

The best of times and worst of times in security education

Posted on by Ron Woerner

[Note: This article was originally posted on the ‘Educating Next-Gen Cybersecurity Leaders‘ blog on CSOOnline.com.]

“It was the best of times. It was the worst of times.” No, I’m not talking about Dickens’ A Tale of Two Cities. I’m talking about the Internet Age where we have powers beyond our ancestor’s imagination literally at our fingertips. We can work, play, and communicate from almost anywhere and anytime. The flip side is the dangers where people, systems, and data are breached on an all-too-frequent basis. Since you’re reading this, none of it is new to you. What may be new is how Education Technology is rapidly evolving to meet the needs of both students and industry, which epitomizes the best of times and the worst of times.

As a security professional, you may not be aware of all that’s happening in the world of Education Technology (#EdTech) and how it affects the security community. Teachers are using a wide variety of tech tools from smartphones and tablets to Internet applications like Google Docs, Twitter, Edmodo, Udemy, etc. Classrooms are being flipped to be student-focused rather than the traditional ‘sage on the stage’ lecture. The cloud has reached the classroom to where students learn from almost anywhere, anytime from any computing platform. Academic institutions at all levels (K-12, colleges, and universities) are scrambling to keep up with the rapid pace of technology.

Study after study shows we’re lacking combatants on the cyber battlefield to take up both offensive and defensive roles. Steve Morgan’s Cybersecurity Business Report validates this need in the posts Cybersecurity job market to suffer severe workforce shortage and Worldwide cybersecurity market continues its upward trend. He offers some solutions such as, “parents sending their kids to cybersecurity school,” and “getting a Master’s Degree in Cybersecurity.” However, there are underlying issues preventing these from being complete solutions.

One is the disconnection between what’s required by the security industry and what’s currently provided in academia. The body of knowledge for cybersecurity professionals requires such a wide berth that covering all of those areas at any depth is nearly impossible in the traditional classroom. Educators are forced to focus on some areas, while dropping others. They usually pick what’s easiest to teach in the classroom or their interest area or specialty, rather than what’s most needed in the ‘real-world.’

Then there’s the issue of developing essential professional skills such as hands-on technical know-how, real-world problem solving, and fundamental collaboration / communications abilities. Standardized, multiple choice (guess) tests only go so far. Creating and then grading assignments to meet these needs is much easier said than done. Educators at all levels need to be connected with industry professionals to understand and meet the burgeoning needs of not only what’s being taught, but also how.

There are many great activities promoting the next generation of security leaders. Conferences are getting kids involved in safe arenas to learn cybersecurity and practice their skills. Examples include the RSA Conference’s Cyber Safety Village, R00tz held in conjunction with BlackHat/DefCon, and the Hak4kidz conferences.

Cyber competitions promoting both offensive and defensive skills are also available to students from elementary school up through graduate studies. Examples of this area include US CyberPatriot, the ISC2/MITRE Cyber Challenge 2015, and National Collegiate Cyber Defense Competition (CCDC).  Dr. Dan Manson from California State Polytechnic University, Pomona, is consolidating information on the Cybersecurity Competition Federation website.

If you have a cybersecurity competition or kids’ event you’d like promoted in this blog, please let me know.  More information on all of these resources will be coming in future posts.

We have many opportunities to work together to solve this problem of developing more and better students with cyber savvy skills. We need you to join us in educating, training, and preparing the next generation of security leaders.

Careers, Security Education, Security Management

Hacker High at the 2015 RSA Conference

Posted on by Ron Woerner

On Tuesday, April 21, I am leading a Peer-to-Peer (P2P) session at the RSA Conference in San Francisco. The title is “Hacking High: Teaching Our Kids Vital Cyber Skills.” The premise is that we need more kids with cyber smart skills, but they aren’t educated enough on the underlying technologies. This discussion explains those issues and brainstorms ideas for solving them. As the US CyberPatriot mentor of the year, Ron Woerner will talk about his experiences and show you how you can get involved in your community. See more at: https://www.rsaconference.com/events/us15/agenda/sessions/1879/hacking-high-teaching-our-kids-vital-cyber-skills#sthash.NxeQRUQm.dpuf

I was interviewed by Fahmida Y. Rashid, the Editor-in-Chief of the RSA Conference about the session. Her questions along with my answers are below.

1. Who are the attendees who will most benefit from—and contribute to—this peer2peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

The Peer-to-Peer session, “Hacking High: Teaching Our Kids Vital Cyber Skills” is for anyone who sees the great need in our industry for developing skilled cybersecurity professionals. This could be hiring managers, security trainers and educators, or anyone with the passion for building the next generation. This session will explain the issues and brainstorm solutions for meeting that need. There are many great opportunities for existing security professionals to work with the new generation. This goal of this session is to show them easy ways to be part of the solution.

2. Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

We’re in a national crisis. There is a continued need for more skilled cybersecurity professionals, yet we don’t have a consolidated plan for building people with those skills. Additionally, many kids know how to point and click, but they don’t know how the underlying technology works or worse yet, basics on how to keep themselves and their information safe online. This leads to bad choices. To make it worse, most teachers lack resources and personal knowledge to teach technology to teenagers.

The articles below demonstrate the need:

•  “Demand to fill cybersecurity jobs booming” – http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/
•  Cybersecurity’s hiring crisis: A troubling trajectory –http://www.zdnet.com/cybersecuritys-hiring-crisis-a-troubling-trajectory-7000032923/
•  Developing the Next Generation of Cyber Leaders – http://www.serco-na.com/docs/materials/2012-cisse-nextgencyber.pdf

There are solutions available, but we need to work together as an industry to implement them. My simple solution is to teach hacking in schools. Kids will do it anyway, so we might as well guide them to keep them out of trouble and develop those critical skills. Everyone I talk with agrees that we need to start teaching IT and cybersecurity skills earlier in schools, but we don’t have a plan to do it. One of the solutions I will discuss is the role of cybersecurity and hacking competitions for 7-12 grade students. As the 2013-2014 Air Force Association CyberPatriot Mentor of the Year, I will be sharing my experiences with participants to show how easy it is to get involved and the many rewards in doing so.

3. Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?

Two things I’d like attendees of my session to consider is:

1.  How is your community or school system educating the younger generation to prepare them for the multitude of IT and Cybersecurity careers? Is a cybersecurity curriculum in place? If so, what does it contain?
2.  What are solutions for filling that gap? How can we work together to implement those solutions for our school aged kids.

This allows attendees to understand the problems and then be able to generate and implement solutions for addressing the needs.

4. What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

We need more security professionals to lead the education of our next generation. We can’t just leave it to the teachers. Attendees of the “Hacking High” session will fully understand the issues and come away with actionable ideas to be part of the solution. They will hear from other industry experts who are doing successfully doing it in their community to everyone’s benefit. They will see the bright star of hope to meet the critical needs of our industry in a fun and safe way, by teaching hacking in high school.
For more information on these topics, please see my blog entries:

• Why Aim for the Ground? Teaching our kids the right computer skills
• Hacker High – Why we *need* to teach hacking in school
• Lock IT Down @ CYBER++

We all need to work together to solve this international issue. In doing so, we not only build up a new generation, but build ourselves as well.

Concepts, Online Safety Tips, Security Management

Loose Lips Might Sink Ships

Posted on by Ron Woerner

Are you watching what you are telling your neighbors?  Do you guard information in your care to make sure only those people with a need to know can see it? Hopefully, you’re not accidentally letting any secrets slip.  It could be disastrous if confidential information got out to your competitors.  It could hurt your sales, your stock price and your reputation.

It happens in a variety of ways: accidental disclosure, carelessness in storage and protection, and corporate espionage.  Many times, it happens because people are not always conscious about how they handle sensitive information.  Employees are often the greatest threat in the compromise of sensitive information.

Following the simple steps below will help assure your ship is not sunk by loose lips:

1. Know your information.  Is the information you handle sensitive or confidential?  What would be the damage if it gets out to the public or one of our competitors?

2. Label sensitive, proprietary or confidential information.  You may know that the information is sensitive, but do your co-workers?  This is solved by labeling the document or data source as confidential.

3.Stop and think before doing anything with the information.  You should be conscious on how you use the information and where you store it. Don’t share it with someone who doesn’t need to know.

4. Protect sensitive, proprietary or confidential information.  This is a separate article by itself. In general here are some things you can do:

  • Place it in a secure location (not the public folder or even your laptop hard drive).
  • Better yet, don’t store a copy outside of a protected area.  Your PCs hard drives are neither secure nor protected.  If you don’t need a copy of a document, then don’t keep it on your computer.
  • Don’t send it to an outside email address unless absolutely necessary.
  • Encrypt it (using a tool like Microsoft Bitlocker)
  • Remove any extra copies of sensitive documents.  Maintain originals in a secure location and get rid of all other copies.

5. Ask for help.  Work with your security department.  If you are the security department, ask for help from others.

6. Be on the lookout.  Inform security if you find sensitive information that you shouldn’t be able to see.  It’s not to get someone else in trouble, but to protect your company.  Security should collaborate with the originator to ensure its proper protection.

These may seem like simple ideas, but they are still overlooked. A little time in security now can save many headaches later.

2
Careers, Security Education, Security Management

Security Trial & Error

Posted on by Ron Woerner

Never give in, never give in, never; never; never; never – in nothing, great or small, large or petty – never give in except to convictions of honor and good sense” – Sir Winston Churchill, Speech, 1941, Harrow School

Perseverance is one of the better traits to have for security professionals and anybody. Rarely do things work out the first time tried. It often takes multiple attempts using multiple techniques to accomplish the goal. The key is to never give up (or give in as Sir Winston Churchill says in the quote above).

While I’m sure I had this trait beforehand, I really got this trait in College. This was back in the late ’80’s when all they had was Computer Science and they mostly taught C programming. Some people are born to program, but I’m not. Most assignments were a battle.  I’d try one thing, test it, figure out what I did wrong, and then try again. It was totally trial and error. Although I don’t remember very much C, I do maintain the trait of perseverance.

This is also important in computer security where you often need to try multiple approaches to reach your goal. It can be seen in vulnerability or penetration tests, forensic investigations, or configuring an application. Fortunately with most systems, there are multiple ways to do things.  So if one way doesn’t work, try another. When you begin to get frustrated, take a break. It’s okay to ask for help, but make sure you’ve done your homework and tried everything you can think of. You may even want to write down what you’ve done to track your progress. Don’t take the easy way out and quit trying. A good part of the learning is not in reaching your goal, but in the lessons you learn along the way.

I’ll finish with a quote from one of the best philosopher’s of our time, Yoda: “Do or do not… There is no try.”

Concepts, Security Assessments, Security Education, Security Management

What to do about Malware?

Posted on by Ron Woerner

Viruses on our computers are about as prevalent as the common cold.  It’s not a matter of if you’ll get infected (or a cold), but when.  Cold remedies are a multi-billion dollar industry.  Anti-Virus (A/V) and malicious software (aka malware) defense and clean-up is quickly catching up.  There are a few good sources on A/V products that may help you decide the one that’s best for you (note: these are all for PC):

The things with colds is that they usually go away on their own given 3-10 days (taking zinc early on helps, btw).  That’s often not true with computer viruses.  Anti-virus solutions aren’t 100% effective against all types of malware.

What can you do if your PC gets infected and your A/V product isn’t taking care of it?  Below is an email from a student who’s grandparent’s computer got infected along with my response.  It’s not intended to single-out this student or his grandparents, but to use it as a case on how to respond when the inevitable infection hits.

From the student:

We shouldn’t get tunnel vision when protecting our homes and with all the emerging methods to breach security (e.g. bash bug), we have to stay diligent. Indeed the low hanging fruit is the one to get plucked. I talked with my fiance’s grandparents this week and they have unfortunately fallen victim to a classic social engineering scam. Someone called the grandmother claiming to be a technician from her anti-virus software company. He then asked for various sensitive information from her (i.e. passwords, credit card numbers, etc.) and she naively gave up the information trusting this gentleman, when he told her that something was wrong with her computer.

Now every time she connects to the internet, this d%&$ has remote control over her PC. He contacts her saying that he will not give up control of the PC unless she pays him more money. I’m planning on doing some serious overhaul on their laptop the next time I visit.

My response:

This is a classic case of ransomeware.   Re-imaging the PC and starting with a clean slate is the only sure-fire way to get rid of the problem(s).  Most companies now don’t even spend time trying to remove malware.  They’ll just save any important files first and then re-image.  This person should be able to boot to safe mode to grab any local files on the PC before they re-image it.

If the you have time and wants to experiment, she/he can use SysInternals Suite tools to try to manually remove it.  Have her/him watch the video, “Malware Hunting with Mark Russinovich and the Sysinternals Tools.”   It’s a great tool to learn how to effectively use the SysInternals Process Monitor, Process Explorer, and Autoruns, focusing on the features useful for malware analysis and removal. He makes it look easy.

Of course, there’s always Malwarebytes, Junkware Removal Tool, and Malicious Software Removal Tool. These may also remove the offending files.

(I’m assuming this is a Windows PC.)

What tools / techniques do you like to use for malware defense and removal?  Please comment and share your ideas.

2