Hey everyone! It’s Ell Marquez coming back with another part in our “It’s Okay to Be New” series. Now I’m not sure how many of you know this, but October is National Cybersecurity Awareness Month and it is in its 15th year as an annual initiative to help raise awareness about the importance of cybersecurity. As a part of this event, Linux Academy has been kind enough to allow me to take a break from the container world and go back to my roots in the cybersecurity world by helping organize this year’s Texas Cyber Summit. For those of you who have followed my blog posts, you will know that my career began at a local Bsides conference where the cybersecurity community took the time to invest in teaching a bright-eyed, bushy-tailed novice (Is that better than saying noob?) what they were talking about.
I am probably one of the only people who will admit to being a cybersecurity fangirl. Although I’ve been to lots of conferences and love the cybersecurity community, when it comes down to actually using the tools and putting the principles into action, I can tell you I’m just as new as anyone.
Today I’m proud to have the opportunity to interview Justin Mitchell, one of the course authors here at Linux Academy, and Fred Wilmot from Texas Cyber Summit.
I want to start off by saying thank you to both of you for making time in your busy schedule to educate us all a little bit more regarding cybersecurity.
Could you take a moment and introduce yourselves?
FW: Hi, my name is Fred Wilmot, I run Security Engineering at Devo, and a Principle at AMCyber. I build security technology and product security at Devo, and do security research at AMCyber to break and improve IT/OT software/hardware for the safety of people in transportation.
JM: I’m Justin Mitchell, Security Training Architect with LinuxAcademy. I’ve worked in IT for just over 12 years now, with the last 8 being in Security. I’ve held positions with several government agencies as well as in the healthcare field.
So as you know, this interview is part of our “It’s Okay to Be New” series. Can you tell us how you got your start in cybersecurity?
FW: I was building network infrastructure, network architectures, for a start-up (configuring routers, switches, firewalls, and circuits) when a couple guys suggested I come do security. Keep in mind, at this time, there were no classes, trainings, etc. Monitoring an MSSP network for various threats to IP, espionage, and sabotage were the daily workspace for me as an analyst. I loved it. It mattered. I learned to play with packets, and Host-IDS, Snort and Bro, Firewalls, network scanning, and ‘proactive investigation’. I was able to stand on the shoulders of giants who had done that work before me. I could also ask those people for help (after doing my homework.) These were all the education I needed. I had some great mentors as well, really invested in my success. It made all the difference.
JM: I think my experience is vastly different than most people’s ever will be. I got my start in Security completely by happenstance. I hadn’t considered security prior to the switch, and it was completely by dumb luck. So, when I was in the military, I was on the team that managed our data center at the time, and as part of that, I administered my organization’s software deployment as part of our vulnerability management program. The security guy who was responsible for vulnerability scanning and assessments was leaving our unit, and they weren’t backfilling his position, so they asked me to take those responsibilities over. I started playing around with all the different technologies and just became fascinated with it all. I spent more time working with the security guys than I did with my own team. Those people taught me so much. After about a year of having my hands in that, a position became open on the Security Engineering team, and they asked me to make the move. It’s important to understand how the military operates: I shouldn’t have been able to make that move because my career field was hard-coded I guess is a good way to put it, but I guess I had shown enough for them to apply for a waiver for me to fill that position. Since then, I’ve been engrained with Security and haven’t really looked back.
I am going to take a step back here because our Linux Academy family encompasses many different backgrounds. Could you explain what the term cybersecurity means and what it entails?
FW: It’s had many names over the years, but it’s a superset of many disciplines, of which, anyone can become proficient in their own rights. From a Linux perspective, do you understand systemd, how to start/stop services, firewalld, access controls, compiling kernels, etc. all with the purpose of making sure the system is secure? Now, apply that to all the controls that can do that. Network packets, host-based, SIEM-like things, Crypto, Application Security, etc. and the process of making sure those work in the lifecycle – so pentesting, red teaming, blue teaming, Incident Response and forensics, all the way to audit and compliance. It’s been called many things: IT Security, INFOSEC, Cybersecurity, along with any sub-discipline, like web application security.
JM: I agree with all of what Fred said, but I think it’s important to add: Cybersecurity is also what encompasses all of our business processes and procedures to keep them secure. These things (IR, SDLC, web security, personnel security, etc. etc. etc.) all have to be built around our company’s bottom line. It doesn’t make sense to have these policies and processes in place if we can’t demonstrate how they affect our organization. Obviously, security personnel are involved in securing the organization, but even the end user has their place. They need to understand when they see this weird behavior who to report it to, what to do if someone is trying to piggyback into the facility, or what’s the processes for account management, etc. We can put a million policies in place, but they do not help if end users don’t know them, or worse, know them and don’t follow them. The other part is security cannot be a hindrance to operations. I don’t know how many times I’ve seen security ventures have a negative impact on operations. The two have to almost be completely married at the hip. What good does it do to have security trying to stop outsiders from bringing down operations when we’re bringing them down ourselves?
Is the cybersecurity field something that’s already established and set in its ways, or is it more of a community inside an industry that is continuously changing and growing?
FW: I always think when something begins having standards, courseware, and degrees, the field is established. So, I would say, yes, the field is established. I am sure it will change names again at some point.
JM: Is it established? Yeah, I’d say so. However, I don’t think that it is set in its ways. We see an ever-increasing amount of change to technologies, so I think it has to continue to change and to grow. Take paying for something, for instance. 10 years ago, we had really 3 options: cash, check, or credit/debit cards. Today you have Paypal, NFC, 80-something apps on your phone, etc. So I think we have to continue to evolve, change, learn, and grow or we end up not knowing new technologies (and how to secure them) that affect us in our everyday life.
Week 2 of Cybersecurity awareness month, October 8-12, focuses on educating for a career in cybersecurity. I’ve read a statistic that 69% of business say they are under-resourced because they can’t find enough qualified IT staff to help fill their security departments. If someone is new and wanting to become involved in the cybersecurity field, how would you recommend they start?
FW: I have recruited folks from top universities with CS masters degrees, and I have hired folks who are self-taught and never finished high school. The number one thing you cannot teach in school is desire and work ethic. Intern anywhere you can, find mentors, go to security conferences and network, ask questions of people on-line, communicate on LinkedIn with people, show up at meetups and user group meetings, etc. Get involved. Everyone uses the statistic to justify the opportunity in the industry. It’s key to remember the adjacent industries don’t always know how experience or fit for skills matters. Get to understand those things by asking questions. The community is terrific, and we want you here with us. There are not enough of us to stop the bleeding.
JM: Oh yeah, that shortage definitely exists. I’d say probably the biggest thing to do is network, network, network. Go to conferences, local meetups, message folks on LinkedIn, just talk to folks. I grew up in a very blue-collar family, my father works in a factory and my mother is a bank teller for a local, very rural bank. When it came time for me to start job hunting after getting out of the military, I couldn’t turn to my family for advice. They just didn’t know. I had to get involved with the community, I asked questions, I picked brains, and I kept learning. The flipside of that is when someone tells you where to focus your efforts, heed that advice. If they say “go get certified in X,” you go get certified in that. Read up on new technologies and trends. And, most importantly, be willing to keep learning. At Linux Academy, we have several awesome courses coming up, due for release in November. For instance, our Security+ course would be great for someone just starting out or wanting to get into security! In it, we cover the six major domains that the Security+ certification entails to help prepare students for the exam. The Security+ certification is such a good place to start, as it shows that you can demonstrate your knowledge to understand risks and install and configure devices using secure practices. I have even configured a few labs to help students in this venture.
So let’s go to the other end of that; if someone’s been involved in the cyber security field for a while but they’re really wanting to sharpen their skills, what advice would you give them?
FW: This is a good one. I do this with my interns, or with folks getting started. I make a capability matrix of all the skills I think the cyber industry offers. Then look to check them off. Some people want to learn how to reverse engineer binaries, some people want to craft packets, and some people want to learn to write tools in java or ruby or python. Pick a project that piques your interest, and fail at it a bunch. I still do all the time, it’s a good exercise. Then share with people. Don’t be afraid to fail. You will learn more from that than any success. InfoSec Institute is great for formalized training. Visit OWASP, download VMs of tools, get Binary Ninja, and try to understand how this binary thing works and why. It’s all out there.
JM: It’s easy to get siloed in Security. There are at least 8 major domains, with who knows how many subdomains. And if you’re not careful, you can get sucked into a job or position and never escape. You become the “<one certain thing> guy.” I think we’ve all been there at one point in our career, but it’s important to maintain that willingness to learn new stuff. Honestly, for me, it’s job security, right? I worry about getting so stuck in a certain technology and then that technology is deprecated, where does that leave me? So it’s important to continue to learn, to stay up-to-date with current trends and new technologies. I think LinuxAcademy does that, and I’m excited to see how we continue to tie those lessons together with the new technology advances.
In a few weeks, myself and others from Linux Academy will be helping out at the Texas Cyber summit. For those individuals who are just starting out in the security field, going to a large security conference might seem a bit intimidating. What advice would you give them?
FW: When you start a new job, enter a new field, your first thought is to put yourself down a peg, and everyone else up a peg. Don’t do that. No one at the conferences you want to go to sees you that way. They see you as starting a journey and being proactive to learn, grow, build, break. Go to sessions. Ask questions. If you are nervous, ask after. Ask about content, and where you can learn more – find a person who can mentor you. You have to realize, a lot of the reasons we put these conferences on is to build the community. So, don’t be nervous. C’mon in, the water is fine.
JM: We’ve all been the new guy at some point. Don’t fret about not understanding something, and DEFINITELY ask questions about those things you don’t understand. Seek out those people who are experts in their fields. In 99% of cases, they want to share what they know. The only people who can tell you how to become an expert is an expert. I couldn’t tell you how to be an expert in underwater basket-weaving, but I know a thing or 2 about security that I’d be willing to share. All you have to do is ask. What happened to my invite, Ell? I’m holding you responsible for not getting me a ticket 🙂
Ell: Thank you both for your time and JM, we will make sure to have a ticket at the door for you.
That’s all for this week’s It’s Okay to Be New. If you all have any questions for Justin or Fred, make sure to leave them below. I would also like to invite you to share your “How I Got Started” story and help inspire others who are starting out in their journey.
The Texas Cyber Summit, October 12-14, is supposed to be great this year. If you can get to it, stop in and see us.
Until next time remember: its okay to be new.