What we can learn from unusual journeys into infosec - Part 2

In this expeditious edition of the Exploring Information Security podcast, Stuart Peck Director of Cyber Security Strategy at ZeroDayLab (@ZeroDayLab) joins me to discuss unusual journeys into infosec.

Stu (@cybersecstu) is a Co-Founder of The Many Hats Club, which is a massive Discord community and podcast. Earlier this year, Stu started sharing Unusual Journeys. I love this series because it highlights that there is no true path into infosec. He’s had 18 series so far and each story is fascinating.

In this episode we discuss:

  • Why failure is good

  • What sticks out from theses stories

  • What are some of the backgrounds people come from

What we can learn from unusual journeys into infosec - Part 1

In this expeditious edition of the Exploring Information Security podcast, Stuart Peck Director of Cyber Security Strategy at ZeroDayLab (@ZeroDayLab) joins me to discuss unusual journeys into infosec.

Stu (@cybersecstu) is a Co-Founder of The Many Hats Club, which is a massive Discord community and podcast. Earlier this year, Stu started sharing Unusual Journeys. I love this series because it highlights that there is no true path into infosec. He’s had 18 series so far and each story is fascinating.

In this episode we discuss:

  • What started Unusual Journeys

  • How Stu got into infosec

  • What we can learn from these stories

How to prepare for an infosec interview

It's another solo episode! Next weekend I will be at BSides Nashville. Among the many other things I am slated to do, I am helping out with resume/interview workshop. As preparation for the workshop I put together a list of interview questions I intend to use.

I put out a tweet asking for interview questions from the Twitter community. I got back some really good questions. As I was putting the list together I decided this would make a great podcast. Preparing for an interview is very important. I increased my offer rate significantly once I started preparing for interviews. Prior to that I always tried to wing them. I spent 15 months looking for a job at one point. I would get interviews, but failed to get offers.

Interviews are a nerve-racking process. Preparation provides more confidence and the ability to anticipate curve balls in an interview. Being prepared allows you to have more brain power when there is a question you didn't anticipate. When you're prepared, it shows. People tend to like candidates who are prepared. They can tell by how direct and decisive answers are to questions. There is one caveat to this. If your interview with someone as part of a network, there is more leniency in the interview.

Preparation

There are multiple ways to prepare for an interview. Figure out what works best for you. What I have below and in the podcast are what I've used to be successful in interviews.

Look at the job posting

Review the companies job posting and your resume before going into an interview. If you're doing resumes write you should have a different one for each job you apply to. Remembering which resume you submitted is important. Tie your experience to the job posting. This will help with answering the question in a way that shows you're a fit for the role.

Look for key words in the job posting that you might be asked about in the interview. If you're going for a role in a security operations center (SOC), be prepared to answer networking questions. If you're doing application security be prepared to answer development questions. If you're going for a penetration tester role be prepared to talk about attack techniques and your methodology. You get the idea.

Write out questions and answers on 3x5 index cards

I use the list of 31 common interview questions from the muse. I pick the ones that apply and write them down on 3x5 index cards. I then flip them over and write down my answers in one word or short sentence. This allows me to practice my answers to questions such as, "What's your greatest strength/weakness" or more technical questions like, "How does DNS work?"

Practice, practice, practice

Go over the questions you've collected. Read out loud the question and say out loud your answer. Flip over to see that you've hit on your main point. Do this over and over again. Do this again in the waiting room or in the car (if you've arrived early, which I recommend) on the day of the interview. That's the benefit of writing questions and answers on 3x5 index cards, they fit nicely in a coat pocket.

You will practice questions that don't get asked. There is no way for you to anticipate all the questions you'll be asked. Getting the common ones and the ones you think will be asked will make the interview go much smoother. The less brain power you have to spend on a question the more you have for the questions you didn't anticipate.

Physical preparation

  Go get a haircut and make sure you still fit into your interview clothes. If you've out grown a pair of slacks you'll need to go buy a new pair. Prior to the interview you can ask what is the dress expectation. A suit is standard and something I often go with. I also have a pair of khakis and a sports coat in case they want me to dress down. Have at least two sets of interview clothes for multiple interviews. Dressing in the same thing twice is not a good look.

I feel uncomfortable going to an interview in just a t-shirt or polo shirt, even if that's what was recommended. I know some interviewers in our industry care less about dress. I believe in over-dressing rather than under-dressing, though.

Extra preparation

I applied for a job once that described the role as I would my dream job. I did all my usual preparation above. I had two really good interviews and was slated for a third. The first two were phone interviews. The third was going to be in person. It was expected that I would interview with the CISO and a one or two other managers (it ended up being six).

I decided that I would put together a short slide presentation. I practiced going through the presentation as part of my answer. I also went to the print shop and had them print out three bound copies of the presentation. It cost me about $35. I took this to the interview. Two questions in when we started discussing my vision for the role, I handed out the bound copies of the presentation. I then walked through my vision for the role. I got an offer for that job and I'm happy to say I'm still in that role.

Wrap-up and resources

Preparation is so important for a job interview. I failed at it for a long time. Some people can wing an interview and get an offer. I am not one of those people. Once I took the time and made the investment into preparation, I increased my offer rate. I turned down other positions, because I had the confidence that a better offer was coming. 

Review the job posting. Tie it to your experience. Write down common questions and ones you think might be asked. Practice. Say your answers out loud. Do that over and over again until you can answer question confidently and concisely. Then practice some more. Make sure what you wear to the interview is ready before the day of the interview. Scrambling around for something presentable creates more anxiety and nervousness. Finally, consider putting a presentation together. $35 was a great investment.

Before I go here are some great resources around preparation:

Hope to see you at BSides Nashville!

What's happening in OSINT?

In this open edition of the Exploring Information Security podcast, I sit down with Micah Hoffman, Kerby Plessas, and Josh Huff to discuss Open Source INTelligence (OSINT).

Micah Hoffman (@WebBreacher) is a SANS instructor who will be teaching a brand new SANS course, SANS487: Open-Source Intelligence Gathering and Analysis.

Kirby Plessas (@kirbstr) runs her own training company Plessas Experts Network, Inc. There is an online training portal that you can use to learn more about OSINT.

Josh Huff (@baywolf88) is a Digital Forensics Private Investigator and OSINT addict. He runs the Learn All The Things website.

This is a new format for the podcast that I am trying out. It's a lot like the conference episodes I do: It's longer; I allow swearing; and there is no format or direction. I asked for OSINT questions on Twitter and got some pretty good ones back for people to answer. I can turn this into a live show that would allow for people watching to interact with the guests on the show. I need feedback on whether or not this of interest to people. Hit me up on Twitter (@TimothyDeBlock) or email (timothy[.]deblock[@]gmail[.]com)

In this episode we discuss:

  • Why it's important to automate OSINT
  • What tools are available for OSINT
  • Where does OSINT end and breaking the law begin?
  • Where can OSINT be used in an organization
  • How to get into OSINT
  • and much much more

More Resources:

What is Converge and BSides Detroit?

In this Motor City edition of the Exploring Information Security podcast, Ryan Harp, Kyle Andrus, and Kate Vajda join me to discuss the conferences Converge and BSides Detroit.

Ryan (@th3b00st), Kyle (@chaoticflaws), and Kate (@vajkat) help put on one of the best conferences. Last year was my first year at the conference. I was not disappointed. They had a workshop on application security; a room set aside to get resume feedback; Ham radio exams; and much more. They also had three days of wonderful talks with some really great speakers. At lunch there are multiple treks to go grab a coney dog.

The call for papers is currently open. They're looking for speakers and to add more workshops this year. Tickets are also available now. Make sure to grab yours and I'll see you at Converge and BSides Detroit May 10-12.

In this episode we discuss:

  • How the conference got started.
  • Where the conference is at and what's new this year for the layout.
  • What's unique about the conference.
  • Coney dogs.

Why we need to get outside the infosec echo chamber

In this bouncy edition of the Exploring Information Security podcast, I talk about getting outside of the information security echo chamber.

Getting outside of the infosec echo chamber is something I've wanted to do for the past year. Spending time at infosec events is important for a career. It's great for networking and knowledge sharing. We need to do those same things at non-infosec events. For me that means getting out to developer events. I am speaking at Nodevember at the end of November 2017 and also at CodeMash in early January 2018. For better security I think it's a crucial activity.

In this episode I discuss:

  • What is the echo chamber?
  • Why it's important to get outside of it
  • Who should get outside the echo chamber
  • Where to get outside the echo chamber

Why getting into infosec is hard

In this Han Solo edition of the Exploring Information Security podcast, I discuss my experience on why getting into infosec is hard.

This is a solo episode where I share my thoughts on why it's hard to get into infosec. I've been on both sides of the interview process. In this episode I share my own personal experience (where I failed), as well as what I've seen on why people didn't get the role they wanted. This topic deals with the skills shortage topic often discussed on Twitter and other media. It's a very nuanced topic. I wanted to focus on what those applying could do better to apply and interview for an opportunity.

In this episode:

  • Why people don't apply?
  • Why requirements can limit job opportunities
  • Why your resume sucks
  • How are you preparing for the interview?
  • What are you doing to improve your chances of getting an offer?

How to prepare for the OSCP - Part 2

In this studious edition of the Exploring Information Security podcast, Offensive Security Certified Professional (OSCP) Chris Maddalena joins me to discuss how to prepare for the OSCP certification.

Chris (@cmaddalena) returns to talk about how he got his OSCP. He didn't get it on his first attempt. He did learn from his first attempt, though, and passed the exam on his second attempt. He was willing to come on the podcast to describe his experience and provide tips for others looking to acquire the certification. The exam is not easy. It's a 24-hour exam that includes writing a report as well as performing a penetration test. Preparation for the exam is very important.

In this episode we discuss:

  • How Chris' second attempt went
  • How to study for the OSCP
  • What the hardest part of the exam was for Chris
  • How the pointing system works

More resources (h/t @KrvRob):

How to prepare for the OSCP - Part 1

In this studious edition of the Exploring Information Security podcast, Offensive Security Certified Professional (OSCP) Chris Maddalena joins me to discuss how to prepare for the OSCP certification.

Chris (@cmaddalena) returns to talk about how he got his OSCP. He didn't get it on his first attempt. He did learn from his first attempt, though, and passed the exam on his second attempt. He was willing to come on the podcast to describe his experience and provide tips for others looking to acquire the certification. The exam is not easy. It's a 24-hour exam that includes writing a report as well as performing a penetration test. Preparation for the exam is very important.

In this episode we discuss:

  • What is the OSCP and OSCE
  • Why someone should pursue the OSCP
  • What is the test like
  • How Chris' first attempt went

More resources (h/t @KrvRob):

Why is passion an infosec requirement?

In this strong episode of the Exploring Information Security podcast, Chris Sanders CEO of Applied Network Defense and founder of the Rural Technology Fund joins me to question why passion is an infosec requirement.

Chris (@chrissanders88) recently put up a blog post titled, The Cult of Passion. In this post he discusses the concept of passion being a requirement in information security. This is something I've railed against in the path. Like Chris I think it sets the bar higher for those trying to get in. They feel like they have to spend 18 hours of their day doing infosec related things. That is in fact not the case and there are plenty of successful people in infosec that don't eat, sleep, and breath infosec.

In this episode we discuss:

  • What is passion?
  • What is some of the psychology around passion?
  • Why passion isn't a reliable measure for hiring managers.
  • What should people be focusing on instead of passion?

What is it like to work in a security operations center (SOC)?

In this operational edition of the Exploring Information Security podcast, Jeff Lang from Virginia Tech joins me to discuss his day-to-day in a SOC.

Jeff is a good friend of mine and one that I leaned on heavily when I was working in a SOC. He's been a IT Security Analyst for a while now and loves what he does. We've spent countless hours discuss SOC life. We've talked about nuances and some of the things he sees on a regular basis monitoring a college campus. I decided it would make for an interesting podcast episode.

In this episode we discuss:

  • What is a security operations center (SOC)?
  • What are some of the roles in a SOC?
  • What are some of the day-to-day things seen?
  • What are the skills needed to work in a SOC?

More resources:

How to be a good mentee

In this studious edition of the Exploring Information Security podcast, Amanda Berlin and Wolfgang Goerlich join me to discuss how to be a good mentee.

After recording the How to find a mentor episode, Wolf (@jwgoerlich) suggested that I do a podcast on how to be a good mentee and to invite Amanda (@infoSystir) on to discuss. I thought this was a great idea. I've heard Amanda rant before about people who ask for advice but don't do anything with it. And that's the sad truth. She's given out advice and taken the time to write up a how to on networking and networking forensics (try it out and let her know), but has yet had a mentee follow through. This episode is meant to guide those looking for their start infosec, asking for advice, how to interact with a mentor.

Be sure to check out Amanda's new book Defensive Security Handbook. Also Converge and BSides Detroit, which Wolf helps run.

In this episode we discuss:

  • Who is a mentee
  • What makes someone a good mentee
  • Experience of being a mentee and mentoring someone
  • Examples of good mentees

How to find a mentor

In this advised edition of the Exploring Information Security podcast, I have three guests join me to discuss how to find a mentor.

First up is Wolfgang Goelrich (@jwgoerlich). Wolf provided me with a video he recently did on how to find a mentor for his stuck in traffic series on YouTube. His focus is on what to look for in a mentor and that where we focused in the interview. He's also written about finding and using a mentor on his website.

Next we have Javvad Malik (@J4vv4d). You may no him from his YouTube channel and the wonderful infosec video he posts there. He also recently started doing the weekly infosec update with Alien Vault, titled Alien Eye In The Sky. In our interview we focus on where to look for a mentor.

Finally we have Johnny Xmas (J0hnnyXm4x). Who gave me some feedback that I didn't expect, don't look for a mentor. He thinks mentors can be placed on pedestals. The result of that can mean overlooking the people you already look at as mentors. 

How to find your niche in information security

In this stag episode of the Exploring Information Security podcast, I provide tips on how to find your niche and share my story of getting into information security.

This topic is one that I've submitted to a couple different conferences, but didn't get excepted. I still think it's an interesting topic and useful for those just getting into infosec. Find your niche is advice you will see other professionals give to new people in the field. I think it's good advice, but it can be frustrating figuring out how to do it. Some will find their niche quickly, while for others it may take a while. It took me a long time to figure out that I even wanted to be in infosec. I was then shocked when I got in and had to find a niche within a niche. 

In this episode I discuss:

  • Tips for finding your niche
  • Share my story of getting into infosec
  • Then getting into application security

More Resources:

How to write an infosec resume

In this advice driven episode of the Exploring Information Security podcast, I talk about my experiences writing a resume.

I received some positive feedback from people on the, "How I got into information security" episode. I've decided to try another episode where I talk about writing a resume for an information security position. Writing a resume for infosec is not unlike writing a resume for any other field. Two resources I've leaned heavily on to improve my resume are the Career Tools podcast and What Color Is Your Parachute by Richard N. Bolles. I recommend both for those looking to improve their resume.

In this episode I discuss:

What is another home lab use case?

In this alternate episode of the Exploring Information Security podcast, Brian Hearn joins me to discuss another home lab use case.

Brian (@drambuie_B) after listening to the How to build a home lab episode, gave me some feedback on the episode. he also shared his home lab setup. He uses an application called GNS3 which allows him to setup a more elaborate networking lab. I was intrigued and decided to have him on to discuss his lab further.

In this episode we discuss:

  • Brian's home lab setup
  • How he uses the lab
  • What he gains from this lab setup
  • GNS3

How I got into information security

In this journey episode of the Exploring Information Security podcast, I discuss how I got into information security.

I am in a bit of a transition right now. Getting guests for the show hasn't been as much of a priority for me the last month. This is something I've been wanting to try and so naturally now is a good time to experiment. In this episode I talk about my path to information security. Which includes military service and roles as system analyst, network and system administrator.

I would appreciate feedback on this episode. I may do more of these where I'm just solo talking about my personal experiences or covering certain topics. Email me at timothy[dot]deblock[at]gmail[dot]com or hit me up on Twitter @TimothyDeBlock.