Human Aspects, Security Education, Security Management

The best of times and worst of times in security education

Posted on October 14, 2015August 30, 2021 by Ron Woerner

[Note: This article was originally posted on the ‘Educating Next-Gen Cybersecurity Leaders‘ blog on CSOOnline.com.]

“It was the best of times. It was the worst of times.” No, I’m not talking about Dickens’ A Tale of Two Cities. I’m talking about the Internet Age where we have powers beyond our ancestor’s imagination literally at our fingertips. We can work, play, and communicate from almost anywhere and anytime. The flip side is the dangers where people, systems, and data are breached on an all-too-frequent basis. Since you’re reading this, none of it is new to you. What may be new is how Education Technology is rapidly evolving to meet the needs of both students and industry, which epitomizes the best of times and the worst of times.

As a security professional, you may not be aware of all that’s happening in the world of Education Technology (#EdTech) and how it affects the security community. Teachers are using a wide variety of tech tools from smartphones and tablets to Internet applications like Google Docs, Twitter, Edmodo, Udemy, etc. Classrooms are being flipped to be student-focused rather than the traditional ‘sage on the stage’ lecture. The cloud has reached the classroom to where students learn from almost anywhere, anytime from any computing platform. Academic institutions at all levels (K-12, colleges, and universities) are scrambling to keep up with the rapid pace of technology.

Study after study shows we’re lacking combatants on the cyber battlefield to take up both offensive and defensive roles. Steve Morgan’s Cybersecurity Business Report validates this need in the posts Cybersecurity job market to suffer severe workforce shortage and Worldwide cybersecurity market continues its upward trend. He offers some solutions such as, “parents sending their kids to cybersecurity school,” and “getting a Master’s Degree in Cybersecurity.” However, there are underlying issues preventing these from being complete solutions.

One is the disconnection between what’s required by the security industry and what’s currently provided in academia. The body of knowledge for cybersecurity professionals requires such a wide berth that covering all of those areas at any depth is nearly impossible in the traditional classroom. Educators are forced to focus on some areas, while dropping others. They usually pick what’s easiest to teach in the classroom or their interest area or specialty, rather than what’s most needed in the ‘real-world.’

Then there’s the issue of developing essential professional skills such as hands-on technical know-how, real-world problem solving, and fundamental collaboration / communications abilities. Standardized, multiple choice (guess) tests only go so far. Creating and then grading assignments to meet these needs is much easier said than done. Educators at all levels need to be connected with industry professionals to understand and meet the burgeoning needs of not only what’s being taught, but also how.

There are many great activities promoting the next generation of security leaders. Conferences are getting kids involved in safe arenas to learn cybersecurity and practice their skills. Examples include the RSA Conference’s Cyber Safety Village, R00tz held in conjunction with BlackHat/DefCon, and the Hak4kidz conferences.

Cyber competitions promoting both offensive and defensive skills are also available to students from elementary school up through graduate studies. Examples of this area include US CyberPatriot, the ISC²/MITRE Cyber Challenge 2015, and National Collegiate Cyber Defense Competition (CCDC). Dr. Dan Manson from California State Polytechnic University, Pomona, is consolidating information on the Cybersecurity Competition Federation website.

If you have a cybersecurity competition or kids’ event you’d like promoted in this blog, please let me know. More information on all of these resources will be coming in future posts.

We have many opportunities to work together to solve this problem of developing more and better students with cyber savvy skills. We need you to join us in educating, training, and preparing the next generation of security leaders.

Careers, Security Education, Security Management

Hacker High at the 2015 RSA Conference

Posted on April 14, 2015July 25, 2018 by Ron Woerner

On Tuesday, April 21, I am leading a Peer-to-Peer (P2P) session at the RSA Conference in San Francisco. The title is “Hacking High: Teaching Our Kids Vital Cyber Skills.” The premise is that we need more kids with cyber smart skills, but they aren’t educated enough on the underlying technologies. This discussion explains those issues and brainstorms ideas for solving them. As the US CyberPatriot mentor of the year, Ron Woerner will talk about his experiences and show you how you can get involved in your community. See more at: https://www.rsaconference.com/events/us15/agenda/sessions/1879/hacking-high-teaching-our-kids-vital-cyber-skills#sthash.NxeQRUQm.dpuf

I was interviewed by Fahmida Y. Rashid, the Editor-in-Chief of the RSA Conference about the session. Her questions along with my answers are below.

1. Who are the attendees who will most benefit from—and contribute to—this peer2peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

The Peer-to-Peer session, “Hacking High: Teaching Our Kids Vital Cyber Skills” is for anyone who sees the great need in our industry for developing skilled cybersecurity professionals. This could be hiring managers, security trainers and educators, or anyone with the passion for building the next generation. This session will explain the issues and brainstorm solutions for meeting that need. There are many great opportunities for existing security professionals to work with the new generation. This goal of this session is to show them easy ways to be part of the solution.

2. Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

We’re in a national crisis. There is a continued need for more skilled cybersecurity professionals, yet we don’t have a consolidated plan for building people with those skills. Additionally, many kids know how to point and click, but they don’t know how the underlying technology works or worse yet, basics on how to keep themselves and their information safe online. This leads to bad choices. To make it worse, most teachers lack resources and personal knowledge to teach technology to teenagers.

The articles below demonstrate the need:

• “Demand to fill cybersecurity jobs booming” – http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/
• Cybersecurity’s hiring crisis: A troubling trajectory –http://www.zdnet.com/cybersecuritys-hiring-crisis-a-troubling-trajectory-7000032923/
• Developing the Next Generation of Cyber Leaders – http://www.serco-na.com/docs/materials/2012-cisse-nextgencyber.pdf

There are solutions available, but we need to work together as an industry to implement them. My simple solution is to teach hacking in schools. Kids will do it anyway, so we might as well guide them to keep them out of trouble and develop those critical skills. Everyone I talk with agrees that we need to start teaching IT and cybersecurity skills earlier in schools, but we don’t have a plan to do it. One of the solutions I will discuss is the role of cybersecurity and hacking competitions for 7-12 grade students. As the 2013-2014 Air Force Association CyberPatriot Mentor of the Year, I will be sharing my experiences with participants to show how easy it is to get involved and the many rewards in doing so.

3. Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?

Two things I’d like attendees of my session to consider is:

1. How is your community or school system educating the younger generation to prepare them for the multitude of IT and Cybersecurity careers? Is a cybersecurity curriculum in place? If so, what does it contain?
2. What are solutions for filling that gap? How can we work together to implement those solutions for our school aged kids.

This allows attendees to understand the problems and then be able to generate and implement solutions for addressing the needs.

4. What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

We need more security professionals to lead the education of our next generation. We can’t just leave it to the teachers. Attendees of the “Hacking High” session will fully understand the issues and come away with actionable ideas to be part of the solution. They will hear from other industry experts who are doing successfully doing it in their community to everyone’s benefit. They will see the bright star of hope to meet the critical needs of our industry in a fun and safe way, by teaching hacking in high school.
For more information on these topics, please see my blog entries:

• Why Aim for the Ground? Teaching our kids the right computer skills
• Hacker High – Why we *need* to teach hacking in school
• Lock IT Down @ CYBER++

We all need to work together to solve this international issue. In doing so, we not only build up a new generation, but build ourselves as well.

Careers, Security Education, Security Management

Security Trial & Error

Posted on February 6, 2015July 25, 2018 by Ron Woerner

“Never give in, never give in, never; never; never; never – in nothing, great or small, large or petty – never give in except to convictions of honor and good sense” – Sir Winston Churchill, Speech, 1941, Harrow School

Perseverance is one of the better traits to have for security professionals and anybody. Rarely do things work out the first time tried. It often takes multiple attempts using multiple techniques to accomplish the goal. The key is to never give up (or give in as Sir Winston Churchill says in the quote above).

While I’m sure I had this trait beforehand, I really got this trait in College. This was back in the late ’80’s when all they had was Computer Science and they mostly taught C programming. Some people are born to program, but I’m not. Most assignments were a battle. I’d try one thing, test it, figure out what I did wrong, and then try again. It was totally trial and error. Although I don’t remember very much C, I do maintain the trait of perseverance.

This is also important in computer security where you often need to try multiple approaches to reach your goal. It can be seen in vulnerability or penetration tests, forensic investigations, or configuring an application. Fortunately with most systems, there are multiple ways to do things. So if one way doesn’t work, try another. When you begin to get frustrated, take a break. It’s okay to ask for help, but make sure you’ve done your homework and tried everything you can think of. You may even want to write down what you’ve done to track your progress. Don’t take the easy way out and quit trying. A good part of the learning is not in reaching your goal, but in the lessons you learn along the way.

I’ll finish with a quote from one of the best philosopher’s of our time, Yoda: “Do or do not… There is no try.”

Concepts, Security Assessments, Security Education, Security Management

What to do about Malware?

Posted on October 31, 2014August 30, 2021 by Ron Woerner

Viruses on our computers are about as prevalent as the common cold. It’s not a matter of if you’ll get infected (or a cold), but when. Cold remedies are a multi-billion dollar industry. Anti-Virus (A/V) and malicious software (aka malware) defense and clean-up is quickly catching up. There are a few good sources on A/V products that may help you decide the one that’s best for you (note: these are all for PC):

AV Comparatives Independent Test of Anti-Virus Software Provides a good comparison of top brands. It’s consistent with other, similar reports. See http://www.av-comparatives.org/dynamic-tests/
Techradar provides their list of “Best Free Antivirus Software, 2014” http://www.techradar.com/us/news/software/applications/best-free-antivirus-9-reviewed-and-rated-1057786

The things with colds is that they usually go away on their own given 3-10 days (taking zinc early on helps, btw). That’s often not true with computer viruses. Anti-virus solutions aren’t 100% effective against all types of malware.

What can you do if your PC gets infected and your A/V product isn’t taking care of it? Below is an email from a student who’s grandparent’s computer got infected along with my response. It’s not intended to single-out this student or his grandparents, but to use it as a case on how to respond when the inevitable infection hits.

From the student:

We shouldn’t get tunnel vision when protecting our homes and with all the emerging methods to breach security (e.g. bash bug), we have to stay diligent. Indeed the low hanging fruit is the one to get plucked. I talked with my fiance’s grandparents this week and they have unfortunately fallen victim to a classic social engineering scam. Someone called the grandmother claiming to be a technician from her anti-virus software company. He then asked for various sensitive information from her (i.e. passwords, credit card numbers, etc.) and she naively gave up the information trusting this gentleman, when he told her that something was wrong with her computer.

Now every time she connects to the internet, this d%&$ has remote control over her PC. He contacts her saying that he will not give up control of the PC unless she pays him more money. I’m planning on doing some serious overhaul on their laptop the next time I visit.

My response:

This is a classic case of ransomeware. Re-imaging the PC and starting with a clean slate is the only sure-fire way to get rid of the problem(s). Most companies now don’t even spend time trying to remove malware. They’ll just save any important files first and then re-image. This person should be able to boot to safe mode to grab any local files on the PC before they re-image it.

If the you have time and wants to experiment, she/he can use SysInternals Suite tools to try to manually remove it. Have her/him watch the video, “Malware Hunting with Mark Russinovich and the Sysinternals Tools.” It’s a great tool to learn how to effectively use the SysInternals Process Monitor, Process Explorer, and Autoruns, focusing on the features useful for malware analysis and removal. He makes it look easy.

Of course, there’s always Malwarebytes, Junkware Removal Tool, and Malicious Software Removal Tool. These may also remove the offending files.

(I’m assuming this is a Windows PC.)

What tools / techniques do you like to use for malware defense and removal? Please comment and share your ideas.

Careers, Concepts, Security Education, Security Management

Why Aim for the Ground? Teaching our kids the right computer skills

Posted on September 26, 2014July 25, 2018 by Ron Woerner

We’re in a national crisis. Many kids know how to point and click, but they don’t know how the underlying technology works or worse yet, basics on how to keep themselves and their information safe online. This leads to bad choices. To make it worse, most teachers lack resources to teach technology to teenagers. In a talk at DerbyCon 2014, Professor Phil Fitzpatrick explains why our kids need to learn fundamental computer skills in a fun and ethical way; through education and competitions like CyberPatriot. It’s a discussion of why high school students should learn more than just simple computer applications and what security professionals can do to help.

Below are are problems as we see it:

– The general public understands that most jobs out of high school, are based in knowing and having IT skills. Yet, most parents hand off their kids starting in 6th grade assuming all areas of education are covered, especially technology.
– High schools are trying to answer the call for more IT workers by adding technology classes to their curriculum. However, they don’t have a lot of room for a variety of courses because of school year length, teaching expertise and availability, and their nature of school environment.
– Kids only need to take one technology course to graduate and they look for the easy “A” rather then what will help them with their careers.
– Schools are challenged with keeping the curriculum and technology up to date to meet current needs.
– High schools are more concerned with getting students ready for college or working by teaching necessary life skills.

There are solutions available:

– Establish technology academies in schools that teach a variety of cyber skills, not just what’s on the computer science AP test.
– Provide courses in application develop, systems and network administration, database management, and cybersecurity.
– Encourage teachers to build their knowledge base on different computer skills needed by industry.
– Use grants to ensure technology is up to date.
– Promote competitions and clinic like US CyberPatriot (http://www.uscyberpatriot.org/).
– If you’re an IT or Cybersecurity Professional, become a mentor. These kids need someone with experience to help guide them in the journey. They’re not looking for an expert, just someone who cares. AND it’s very rewarding for the mentor.

Lastly, educate yourself. Here are some links to get you started:

– Cybersecurity’s hiring crisis: A troubling trajectory – http://www.zdnet.com/cybersecuritys-hiring-crisis-a-troubling-trajectory-7000032923/
– Developing the Next Generation of Cyber Leaders – http://www.serco-na.com/docs/materials/2012-cisse-nextgencyber.pdf
– DoE: Science, Technology, Engineering, and Math: Education for Global Leadership – http://www.ed.gov/stem
– Cyber-Security, IAS and the Cyber Warrior – http://www.cisse.info/archives/category/29-papers?download=297:p11-2012
– High School 12-Week Cybersecurity eLearning Pilot – http://www.cisse.info/archives/category/29-papers?download=295:p09-2012
– Secure Coding Education: Are We Making Progress? – http://nob.cs.ucdavis.edu/~bishop/papers/2012-cisse/seccode.pdf
– Where are the STEM Students? – http://www.stemconnector.org/sites/default/files/store/STEM-Students-STEM-Jobs-Executive-Summary.pdf
– ACM: Toward Curricular Guidelines for Cybersecurity – http://www.acm.org/education/TowardCurricularGuidelinesCybersec.pdf

Also see the previous post, “Hacker High – Why we *need* to teach hacking in school.”

Please help be part of the solution by promoting cyber education in your community.

Security Education

Before You Hit Your Head Against a Wall

Posted on June 22, 2014August 30, 2021 by Ron Woerner

As both an educator and a security professional, I often see people who get frustrated. It could be with a school or work assignment. To help reduce frustration, here are some words of advice:

DON’T PANIC. This is my first rule of incident response. Getting all worked up never solves the problem. Take a deep breath or a time-out if needed and then proceed.
Understand “Who Owns the Headache?” So often, we get frustrated with things outside of our realm of control. Basically, we try to fix things that we can’t because we don’t have control or “Own the Headache.” Acknowledge what you can control and what you can’t. Only focus on the things you can.
Research it. Ask yourself: Is this information available from an Internet source (iow, Google it)? One thing hammered into me when I was in ROTC was “use your resources.” You don’t need to know everything. You just need to know how to find the information and then use it intelligently.
Look at the problem from a different perspective. Is there another way to solve the problem? In computers, there’s usually at least 2, if not many more ways to solve any problem. That’s why I don’t usually have a set answer in mind. You may think of something I haven’t that works just as well.
Take a time out. Step away from the problem for a little while. Sometimes they resolve themselves, as in the case with bellevue.edu being down. Sometimes, it will give you a chance to think about it and think it through. This also gives your subconscious some time to process and develop a solution. (Have you ever had a “duh, I should’ve thought of that” moment?)
Ask someone. A person is also a resource (see use your resources above). First try a fellow classmate or colleague. I love it when students work together and help each other to solve problems. The student’s who collaborate get bonus points in my book. It’s truly a win-win for everyone. This is also part of my personal mantra, “By helping each other, we’re all smarter/stronger/better.”
Ask good questions. If no one else has the answer (about an assignment), then ask your professor or your boss. If something’s not clear, then ask for clarification. In today’s world, it’s not the answers you have, but the questions you ask. Come up with good questions, then be bold and ask them.

The idea is to prevent frustration, which inhibits learning and growth.

Coach Ron
“Every man…should periodically be compelled to listen to opinions which are infuriating to him. To hear nothing but what is pleasing to one is to make a pillow of the mind.” St. John Ervine

Security Education, Security Management

Hacker High – Why we need to teach hacking in school

Posted on June 8, 2014July 25, 2018 by Ron Woerner

This rant is in response to Quinn Norton’s opinion piece from May 20, 2014, “Everything is Broken.” (Link: https://medium.com/message/81e5f33a24e1)

<rant>

I have a simple solution that’s hard to implement: TEACH HACKING IN HIGH SCHOOL*! Yes, you heard it right. We need to teach our kids all about technology. Including how to break it and how to fix it. It’s incredible how little they really know. To them it’s PFM (Pure Frickin’ Magic). We won’t solve this problem with our adults. That’s why we need to get the kids involved. The problem is that they think they understand technology, but it’s only how to use it. Many (most) are clueless about systems & network administration as well as security. “Dad, the computer’s broken again…” I don’t think this is just my teenage kids.

The curriculum development is easy; adoption is hard. This is for three reason:

1. Cyber isn’t included in the common core curriculum, so they don’t have time to teach it as a primary subject. They try to teach it on the side with limited affect. The problem is also with our government officials who don’t see cyber as important. A fun study would be to see how many government leaders are proficient in technology. My hypotheses is that it’s less than 10%.

2. We don’t have teachers qualified to cover it and the good computer folks don’t want to take the huge pay cut. [At my daughter’s middle school, cybersecurity is taught by history and English teachers… I’ve volunteered many times to come into their classrooms and hear crickets…] It’s often that the teachers don’t know what they don’t know and are afraid to look ignorant if they ask for help. [NOTE: There are some fantastic teachers out there doing great work. This doesn’t apply to them. The problem is that they are the minority. They are also limited by what they can do and what they can teach.]

3. There’s no standard curriculum for Information Technology or cybersecurity. It’s up to the teacher to develop his/her own, which is therefore based on his/her knowledge. (See #2.) Local school boards are responsible for deciding what’s included in their schools curriculum, but they don’t seem to understand cyber. Another fun study would be to see how many school board members are proficient in technology. My hypotheses is that it’s less than 20%. We need a standard cyber curriculum for the teachers to work from. It should be broad enough to allow flexibility for the teachers, yet cover primary topics of how the technology works.

We need to find a way to teach IT and cybersecurity to our kids starting in elementary school and then throughout middle and high school. The problem is that we’re blocked by adults who don’t understand the necessity. The solution is out there people. For example, see staysafeoneline.org and stopthinkconnect.org. We just need to use it.

Help spread the word that we need to TEACH HACKING IN SCHOOLS. Talk to your local school board and elected officials.

*NOTE: I use the broad definition of hacking, meaning developing a curiosity on how things work. It’s not the malicious kind. When teaching hacking, ethics must be included. The intent is to keep the kids out of the orange jumpsuits (even if it’s the new black).

</rant>

[This rant reflects my opinion and not necessarily the views of my employer. ]

Concepts, Security Education, Security Management

My Security Bookshelf

Posted on March 24, 2014August 30, 2021 by Ron Woerner

I recently was asked, “What books, article, websites, blogs, or videos do you recommend for those just beginning in Cybersecurity?”
It’s a great question with many answers. Too bad you can’t just come to my office and look on my bookshelf…

There are many reading and viewing options for cybersecurity. The challenge isn’t the lack of material, but the overabundance (which is a good topic for another blog post).
The following resources are great for all levels of cybersecurity professionals.

Blogs & websites:

– Bruce Schneier on Security: https://www.schneier.com/
– Dark Reading: http://www.darkreading.com/
– CSO Online: http://www.csoonline.com/
– Threatpost: http://threatpost.com/

Videos:

– RSA Conference 2014 On-Demand Sessions: http://www.rsaconference.com/events/us14/downloads-and-media/video-index
– TED Talks Playlist, Who are the hackers? – http://www.ted.com/playlists/10/who_are_the_hackers.html
– TED Talk, Bruce Schneier: The security mirage: http://www.ted.com/talks/bruce_schneier.html
– Cambridge Ideas, Professor Risk (Dr. David Spiegelhalter): http://www.youtube.com/watch?v=a1PtQ67urG4

Books:

– “The Cuckoo’s Egg,” Clifford Stoll,
– “Secrets & Lies,” Bruce Schneier
– “The Art of Deception,” Kevin Mitnick
– “Spies Among Us,” Ira Winkler

Book Reviews & Commentary:

– At the 2014 RSA Conference, Rick Howard of Palo Alto Networks gave a talk titled, “The Cybersecurity Canon: Must-Reads.” You can also find the list of his favorite cyber/security books on his Terebrate blog at http://terebrate.blogspot.com/2014/02/books-you-should-have-read-by-now.html.

– Ben Rothke, a well-known security guru / speaker / writer, provides numerous book reviews for RSA including The Best New Books from RSA Conference 2014. You can see all of his RSA blog posts at www.rsaconference.com/blogs?keywords=rothke.

The time you spend on these resources will be well spent in developing yourself as a cybersecurity professional. If you have one you think is missing, please provide a reply or email me.

Human Aspects, Online Safety Tips, Security Education, Security Management, Threat Modeling

My Tweets from the 2014 RSA Conference

Posted on March 12, 2014August 30, 2021 by Ron Woerner

The RSA 2014 Conference took place in San Francisco February 24-28. It’s the top gathering of information security and risk professionals in the world with over 25,000 attendees. I had the privilege to attend (and lead a CISO panel). While I was there, I used twitter (@ronw123) to record my thoughts of the sessions and events. Below is a snapshot with commentary:

Security Awareness and education was a common theme throughout the conference. The industry is finally realizing it’s about the humans and people will always be the weakest security link

“@ddkirsch: Heard at #RSAC — Even my Mom knows that #HTTPS isn’t a plural of HTTP. #ITsecurity” < too bad
so many moms, dads, & kids don’t

Chris Hadnagy (@humanhacker & Social-Engineer.org) talked about, “Social Engineering: When the Phone is More Dangerous than Malware.”

Wow! Even @humanhacker got caught w/ phishing. It can happen to you. There are no stupid users, just uneducated
ones. @SocEngineerInc

@humanhacker @SocEngineerInc showing stats from http://hackmageddon.com. Scary. But there’s hope. 🙂

Jack Jones (@JonesFAIRiq) had a great presentation titled, “Ending Risk Management Groundhog Day.” He didn’t even realize that there was a running panel from 2008-2010 that I was on with the name “Security Groundhog Day” (2008, 2009, 2010). Jack is the father of FAIR and provides great ideas for proactively using risk management practices to manage security.

Get off the “Hamster Wheel of Pain.” Stop repeating past errors. @JonesFAIRiq @alexhutton [Note: I’ve learned
that this comes from “The Phoenix Project”]

@JonesFAIRiq “Policies need to be clear, concise, and useful… & written to a 9th grade level.”

@JonesFAIRiq “We’re really good at fixing symptoms, but not root causes.” #1problem is asking the right questions about risk.

Info Risk Mgmt Groundhog Day. Dude… Really… Again. It’s déjà Vu all over again.

Presentations on risks and threats are now commonplace at the RSA Conference. Here are thoughts on talks by Adam Shostack (@adamshostack), Pete Lindstrom (@SpireSec), and Andy Ellis (@csoandy).

@adamshostack talking New Foundations of Threat Modeling. Asking & answering 4 questions about threat modeling and the right ways to find good threats. [Note: He has a new book out on Threat Modeling.]

@SpireSec just mentioned the Hand Rule (see http://en.wikipedia.org/wiki/Calculus_of_negligence …).
So few security / risk professionals know anything about it.

@SpireSec – Being a contrarian in security makes you normal. Meaning we seek the truth even if it may hurt.

“@csoandy: The true problem of a Prisoner’s Dilemma Scenario is that it disregards the Game Manager.” < tying Game Theory to security

NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014. Of course, this generated a few comments:

The NIST Cybersecurity Framework, Here we are *again* writes @georgevhulme, Engage http://bit.ly/1ffzuMY
#infosec

News from #RSAC – DHS working with MS-ISAC on offering managed security services to state/local gov’t who adopt Cybersecurity framework.

The National Cyber Security Alliance (NCSA) held a twitter session where they asked pointed questions on encouraging kids to StaySafeOnline.

@StaySafeOnline & others are great! The material is there. It’s getting it out to people who need it the most. #securitychat #ChatSTC

Should there be a license to drive on the Information Superhighway? IOW: Required Education? #securitychat #ChatSTC

We need to challenge more Cybersecurity professionals to get out and educate. Make it required for certifications? #SecurityChat #ChatSTC

@STOPTHNKCONNECT #securitychat #ChatSTC A7: Reach the kids at their level. Don’t talk down to them. Challenge them to teach their parents.

Of course, one of the hot topics was NSA Surveillance:

“Understanding NSA Surveillance: The Washington View #RSAC” < what’s legal may not be wise – said by both Hayden & Clarke

We need a real debate at #RSAC on the NSA, not pontificating and opinions. High School Debate did it last Nov. see http://bit.ly/MZJVrQ.

Last, but hardly least is my frustration in the opening keynote of attendees spending their time on their devices and not meeting others.

Listen #RSAC peeps! Stop playing with your phones and start meeting someone new. The greatest minds in Cybersecurity are
here.

These are my quick, but not complete thoughts. No doubt they will lead to many blogs in the future.

Careers, Concepts, Security Education, Security Management

Breaking into Security

Posted on January 27, 2014October 29, 2015 by Ron Woerner

One of the common questions I am asked is, “How do I get a job in information security?” Infosec continues to be a hot career field with many job opportunities. Therefore, we continue seeing people who are interested, but don’t know the steps it takes to gain employment in information security. This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question of how I got started in security. It all started as a computer science major at Michigan State University. I was also in Air Force ROTC. This combination allowed me to start developing my security mindset. As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator where I learned how to apply technical controls to protect the systems and its data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s not generally an entry level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity. The security community has a vast number of articles on breaking into the security career field.

This article from the great security blog site Securosis contains recommendations for starting in security and potential career tracks: “Who to Recruit for Security, How to Get Started, and Career Tracks”.
“I Am InfoSec, and So Can You:” is an article by Ben Tomhave now a Gartner analyst. In particular see his second paragraph explaining what we really need in security. He also has a number of tips for those who are still crazy enough to enter the field.
George Hulme wrote in March 2015, “Six entry-level cybersecurity job seeker failings,” http://www.csoonline.com/article/2894193/infosec-staffing/six-entry-level-cybersecurity-job-seeker-failings.html
Jenifer Noss (A Bellevue University MS Cybersecurity graduate) has a nice piece on “Finding work as an IT Security Specialist.” She is not only a student, but also a seasoned cybersecurity professional. Check out the links in her blog for where to go tshe provides for increasing your cybersecurity potential.
The National Initiative for Cybersecurity Careers and Studies has a website focused on Promoting Education, Engaging Students, and Fostering Communities.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago. Things really haven’t changed over the years. The career path still requires education, training, experience, and persistence.

As an extra, added bonus, here’s a 3 ½ minute Ted talk from Richard St. John: 8 secrets of success – http://www.ted.com/talks/richard_st_john_s_8_secrets_of_success.html (Watch for his explanation of CRAP). It’s great, general information on how to succeed in any career.

Center for Cybersecurity Education