I've gotten a lot of good feedback from the most recent episode of the Exploring Information Security podcast, "How I got into information security." People seem to like the solo podcast. More importantly, a lot of people identify with my story. Some had a similar story. Others appreciated the story because they were in the process of getting into information security.
One such person is Josh Huff, whom I've gotten to know personally over the last several months. He's a regular at our ColaSec meetings and recently found his own way into infosec. He shared his story with me.
"I was raised on technology. I was computing on a Commodore 64 at the age of 5 and playing Atari 2600 video games. So growing up I saw, used and played with most forms of technology as it developed into what it is today. (Does anybody miss Palm Pilots?) I wasn’t sure what I wanted to study in college. Since I was comfortable with technology and I liked math and science, mechanical engineering was my choice.
Although I learned some awesome things about the business and manufacturing world, being an engineer was NOT my calling. I changed my major to business. I changed colleges a couple of times. Then at some point in my part-time college job, I took a promotion into full-time retail management. Now my comfort level with technology was used to teach and sell technology to customers and train my sales staff. Retail management wasn’t perfect as a career by any means, but it was a good fit for my skill set and I was good at my job. I was good at it for about 13 years, in fact.
As my son grew older and family time became a much higher priority I had to make a career choice that would get me off the retail work schedule. So in May of 2015 I started studying everything InfoSec related I could find. At this point I also quit my job and enrolled in technical college. I realized all my old college credits weren’t far off from an Associate’s degree. In just under 2 semesters I got my degree and started looking into how I could land a job in information security.
Podcasts, blogs, an InfoSec twitter feed and security books were my source of guidance. The biggest challenge with learning this way was “drinking from the fire hose,” which means taking in way too much to learn anything. I was reading about pen testing, malware, lock picking, network sniffing and cryptography. I researched coding, firewalls, forensics, open source intelligence, networking, vulnerabilities and social engineering. Everything I read was interesting, but I didn’t know how to proceed to this magical job in security. I needed to network with real people that were working in security and find out what they do and how they got there.
I looked online for local meetups. There were some community groups like a Linux user group, open hack Columbia and something called ColaSec. ColaSec had a meetup 3 days later. Plus they said it was an open invitation group, so I just decided to show up to the September meeting.
I wouldn't call myself shy, but getting out of your comfort zone and just going out to meet new people can be tough. If you are looking to get into security, find your local city ‘Sec’ meetup and go! If the people you meet are half of what I found at ColaSec it will be worth your time.
I walked in, introduced myself as a tech and security enthusiast. People said hi and gave me pizza and beer. They were hanging out talking about random security news then a speaker gave a talk about building a security framework. There was a table in the back with practice locks and lock picks and people were drinking an adult beverage or two. I HAD FOUND MY PEOPLE!
Once the meeting was over everybody was kind of hanging out, so I introduced myself to a few of them. I met a few people that worked in a Security Operations Center. There were several help desk managers and a technology course instructor present. There were also people on the job search like me. A conversation about security conferences led to an invitation to one in Kentucky called Derbycon. Tickets sold out, but I managed to snag one last minute and headed out of town to my first security conference.
On the way to Derbycon I checked the speaker list. I found that a few authors of my security books plus people from my twitter feed were going to be at this conference. I decided to meet as many of them as I could. Derbycon itself is worthy of its own write up, but in short it was awesome. I got to keep meeting and talking with real security professionals. They were open to answering questions and connecting on twitter and I continue to stay in touch with many of them today. I learned a lot of other people’s career paths that led to information security.
When I got back from Derbycon I felt like I had direction. I started applying to some help desk and technology jobs to try and get my foot in the door. I revised my resume and evaluated how my past skills could help me in a security related position. This started a roller coaster process. As applications and interviews started to pile up, frustration started to set in. Repeat… wait… apply… repeat. I had one interview that I thought went well and a few pings on my resume that had placed me into consideration. I felt things were looking up again. The promising job lead fell through. Then the 'under consideration' jobs decided not to fill the position.
This is the point in the story where desperation may have kicked in. I took a hard look at what I wanted from a security job and it wasn’t a help desk spot that I could work my way up from. Open source intelligence (OSINT) was my favorite subject so I decided to find people I could talk to again. It seemed that military or law enforcement background was a prerequisite for a job in OSINT. I thought about who I could talk to about this and I looked up private investigation firms in Columbia, SC. Through the ‘contact us’ part of the PI websites I shot a quick introduction email. I gave a brief description of who I was. I described what I was studying and asked if they were hiring. I also said if they weren't hiring I would be happy to just talk OSINT and find out how they used it as investigators. I got a phone call from a private investigator 1 day later.
I chatted with the investigator for a few minutes and he asked for my resume. It turns out the background in law enforcement or military wasn’t an issue. So a few hours later I was called for an interview. The position wasn’t exactly OSINT, but they had need of a digital forensic analyst. My technical background led me through the interview with ease. 1st interview led to a 2nd interview which led to a tryout in their computer forensics lab. The tryout went well and I am now over 3 months into my role as a digital forensics analyst. I get to work in a forensic lab doing cool stuff with all types of technology and in between cases I talk OSINT with the other investigators.
I’ve listened to a lot of stories about how people got their InfoSec job. There doesn’t seem to be a defined path or perfect guide out there, but this is my path. I hope by sharing my path that somebody finds some facet of my story that they can apply to their own career path. If I could re-iterate just one point of my story, it is to go out and talk to people. Information security is about the people that drive the technology. If you don’t know how to apply information security in real world scenarios, go talk to the people that do. It will likely be a fun journey."
I see a lot of self-study and going to college advice for those looking to get into information security. I would like to recommend another option. Join the military. People joining the military get training, real world experience, and money for continued education.
Now, the military isn’t for everyone. Yes, there is a chain of command filled with people who give out orders. And yes, those orders need to be complied with. The thing about that is that most people know what they’re doing in the military. It's usually not an issue. And that's because the quality of people in the military is top notch.
Joining the military is no small decision and it shows in the people that serve. I had several really good mentors in the military that helped shape who I am as a person. Not only did I enjoy the benefits below, but I learned a lot from those mentors. I gained a strong work ethic. Learned communication and leadership skills. And I had a lot of fun doing it.
The lifestyle is a lot different. The first couple of years involved moving around quite a bit. Moving from a barracks to a dorm to another dorm to a different base. Then off-base to an apartment. I spent a year in the midwest, three years on the west coast. Then two years on the east coast. If you like traveling there’s plenty to be had in the military.
Then there's the uniform. Sure, I couldn't pick my clothes, but that made things easier. Each day I woke up and knew what I had to wear. I also saved quite a bit of money on doing laundry, because I could wear the same uniform for a few days. Usually, I was just changing my undergarments.
My first military contract had me set to be a paralegal in the Army. That fell through and I ended up joining the Navy as an electronics technician. That contract came with a $7,000 signing bonus. I had two months of basic training. Two months of basic electronics training. Four months of communication electronics training. Three weeks of miniature/microminiature board repair training (2M). All that in my first year. I was also sent to radio, aircraft load out, instructor, Humvee driver and forklift operator training. When it comes to training the military is one of the best.
I joined in early 2001 and IT (let alone infosec) positions weren't as well defined. Now that the digital age has matured, there's a much stronger focus on information security. That means the programs are much more prominent in today's military.
Real world experience
During my time in the Navy I did a little bit of everything. I pulled cable. Moved phone lines. Set up computers. Troubleshot computer issues. Set up communications for field exercises. Inventoried and maintained radio equipment. Set up switches. Created user accounts. And that was all at my first command.
My second command involved a lot more IT work. I learned how to rebuild a server after it crashed and no backups were available. I trained personnel on email usage. Took part in my first workstation refresh, swapping out old computers with new ones. Patched systems. Updated anti-virus. Troubleshot more computer issues. I leaned on a lot of that experience when I got out and started looking for a job.
I also got the opportunity to do a lot of fun stuff. Train with Navy SEALs. Face off against the Canadian Army in a multi-nation exercise. Jump waves on the Pacific Ocean in a Zodiac Hurricane. Just to name a few.
Money for continuing education
The GI Bill is one of the best benefits received from joining the military. I paid for school and a Network+ certification with it. Last year I graduated from the University of South Carolina with a degree in media arts. All paid for by the GI Bill. I knew coming out of high school that if I went to college I would be wasting my time and my parents money. I wanted to get some real experience and get college paid for when I was ready to go.
The GI Bill is even better now than when I first started going to school. A year or two after I started taking classes, the GI Bill changed. Not only was school paid for, but I was making a little money on the side. As long as I was taking more than half a load of classes I got basic allowance for housing (BAH), which is a significant amount of money. This really helped when we started expanding our family.
The military is a great option for people looking to start a career. The military does a great job of training and giving its members real world experience. A lot of that training and experience translates to the real world. For those looking to get into information security, the military has some good programs. When I joined, I had no idea of the career I wanted to be in. That was okay, because when I knew what I wanted to do I could lean on a lot of my experience.
Serving the military is a massive commitment. Again, it’s not for everyone. It is a viable option though and one that I recommend exploring.
WordPress lets individuals and organizations get a website stood up quickly. With easy customization, WordPress is a flexible and powerful platform for websites. Unfortunately, because a site is so easy to set up, security often gets overlooked. Outdated and unused plugins are a common route to a compromised website. That compromise typically takes the form of injected redirects to malicious sites that try to install malware on visitors' machines, and most of the time the owner is unaware the site has been compromised until visitors or a search engine flag it.
All hope is not lost. There is a way to securely run a WordPress site.
These three practices will help maximize security on a WordPress site:
- Run only the programs needed
- Run a security plugin like iThemes
- Keep all plugins up-to-date.
The theme here is plugins. WordPress itself is a well built platform, and security issues in the core are comparatively rare and get patched quickly. What makes WordPress sites vulnerable are plugins. Anyone can publish a plugin, so the code quality, security review and ongoing maintenance of plugins vary widely, and every plugin you install is third-party code running with the same privileges as WordPress itself.
Only run the plugins needed
I get it. We see a plugin we like and install it on the site to try it out. We forget about it or we deactivate it to try another plugin. That plugin sits there and sits there. And sits there. And sits there. If a plugin has been sitting there for a while, remove it. Deactivating a plugin only stops WordPress from loading it; its files stay on the server, and a vulnerable plugin file that can be requested directly by URL can still be exploited, while a deactivated plugin is rarely updated. If it’s deactivated, remove it. It's just as easy to reinstall later.
If this is for an organization, the same IT principles apply. Deactivate any active plugins that seem unnecessary or unused. Wait for a period of time to ensure there are no adverse effects, then remove them. A plugin installed on the site, even if it is deactivated, is still a target for a malicious actor.
Run a security plugin
There are plenty of good security plugins available for WordPress. A security plugin adds features and settings that help make a site more secure, such as login protection, file change monitoring and hardening options. Here is a list of seven courtesy of Infosec Institute. I’ve only used iThemes, so I can’t speak to the quality of the others. Try out a few and see which one works the best, but remember the section above: pick one, and remove the ones you tried and rejected.
Keep WordPress and plugins up-to-date
Most vulnerabilities in WordPress-based sites aren’t in WordPress itself. They are usually in the plugins installed on the site. The core is pretty solid; the plugins are usually what make the site vulnerable. Before installing a plugin, check that it is actively maintained and has been updated recently. Then update it as soon as a new version is available, because published plugin updates often fix vulnerabilities that attackers start scanning for once the fix is public.
The update process is quick and painless. Make sure to have good backups before updating, since a bad update is far easier to recover from with one; some hosting providers offer backups as a feature. Log in to the site weekly to check for updates to WordPress core and to every plugin. A weekly reminder works wonders.
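The three practices above (remove what is not needed, keep what is left up to date, check on a schedule) can be turned into a weekly audit script. The following is an added example, not code from the original post, and it assumes the site is managed with WP-CLI, whose `wp plugin list --fields=name,status,update --format=csv` output is the inventory being parsed; the inventory embedded in the script is a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress plugin
# inventory against the three practices described in the post.
# The inventory format is the CSV that WP-CLI prints for
#   wp plugin list --fields=name,status,update --format=csv
# The one below is a constructed sample so the script runs offline.
SAMPLE_INVENTORY='name,status,update
akismet,active,none
contact-form-7,active,available
old-gallery,inactive,available
hello,inactive,none'

# Names of plugins that are installed but deactivated. They are still on
# disk, so still a target; they are candidates for `wp plugin delete`.
# (Plugin slugs contain no commas or quotes, so plain awk -F, is safe.)
inactive_plugins() {
  awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Names of plugins for which a newer version has been published.
plugins_needing_update() {
  awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Print one line per finding with the WP-CLI command that fixes it.
# Returns 0 when the inventory is clean and 1 when anything needs
# attention, so it can gate a weekly cron job or a CI step.
audit_inventory() {
  inventory="$1"
  rc=0
  for p in $(printf '%s\n' "$inventory" | inactive_plugins); do
    echo "REMOVE  $p  -> wp plugin delete $p"
    rc=1
  done
  for p in $(printf '%s\n' "$inventory" | plugins_needing_update); do
    echo "UPDATE  $p  -> wp plugin update $p   (take a backup first)"
    rc=1
  done
  return $rc
}

# Stand-alone run against the constructed sample. On a live site use:
#   audit_inventory "$(wp plugin list --fields=name,status,update --format=csv)"
audit_inventory "$SAMPLE_INVENTORY" || echo "Inventory needs attention."
```

Run it from a weekly cron job or from the same reminder you already set; a nonzero exit from `audit_inventory` is the signal to log in, take a backup, and act on the printed commands. Core updates are not in the plugin inventory, so pair it with `wp core check-update`.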
Only run the plugins the website needs, which means removing all unused plugins. Install a plugin for security; there are several available, and I’m most familiar with iThemes, which is why I recommend that plugin. Try out a few and find one that fits the website the best. Keep WordPress and all plugins up-to-date, even if the website isn’t logged into on a regular basis: set a reminder and log in once a week to check for updates.
WordPress sites are among the most attacked platforms out there, largely because so many people use it. A lot of people use it because it is an easy platform to set up and maintain, and that ease applies to securing the platform as well. Follow the three pieces of advice above and help make the internet a safer place.
I made a mistake with the latest episode of the EIS podcast. Instead of uploading part one of my conversation with Johnny Xmas, on how to start a successful CitySec meetup, I uploaded part two. I apologize for this. The feed should be fixed now.