
Hacking outside the box






Presentation Transcript


  1. Hacking outside the box Mike Aiello

  2. Objectives
  • Describe jobs in “Infosec”
  • Discuss why communication is critically important to Infosec professionals
  • How to communicate well
  • What to know about working in large organizations
  • Interactive discussion: solving a complicated security problem
  • Advice for succeeding as an Infosec professional

  3. Background
  • Poly grad 2006, BS/MS
  • Worked with ISIS Lab students on various projects (CTF, research projects)
  • Own a business that sells RFID blocking wallets
  • Work at an investment bank as an “Application Risk Analyst”

  4. Assumptions & Context
  • Once you are done with the penetration testing course, you should be able to break into any computer system given enough time, money and energy
  • You can poke holes in encryption algorithms, design secure architectures and publish vulnerabilities in products built by multimillion dollar companies
  • You have published research reports in major books and journals
  • Now what?

  5. Mike’s “finger in the air” security professionals by industry

  6. Roles
  • Penetration Tester / QA
  • Network Security Engineer
  • Policy Writer
  • System Architect
  • Incident Response
  • Trainer
  • Researcher
  • Attacker (offensive)
  • Manager

  7. How I spend my time

  8. How I spend my time (Communication)

  9. Communicating Well
  • Practice
  • Professional email
  • Clear & concise writing in English
  • Policies, standards, guidelines
  • Organization
  • Don’t drop the ball. Get things done.
  • “Know your business”
  • Know how the organization works

  10. Architecting Exercise – The New Green
  • The New Green (Forbes 01/07/2008)
  • The U.S. Treasury makes money the old-fashioned way, by printing it.
  • The Treasury should let others get into the business of issuing money.
  • Why not print money at home on your laser printer rather than go to the ATM? Today, we can do this with stamps; the illustration shows postage produced by stamps.com.

  11. Architecting Exercise – The New Green
  • Context: you work for the Treasury, and you’ve been tasked with making this happen.
  • Who needs to be involved in making the decisions?
  • How much will it cost? (What needs to be done?)
  • Timeline?
  • Prove it will succeed; demonstrate situations where it could fail.

  12. Advice
  • Please take with a grain of salt

  13. Be in motion: commoditization is the goal
  • People are expensive; replace them with cheap computers
  • Web authoring
    • HTML “coders” replaced with FrontPage
  • Infosec
    • Testing/QA
      • Automated web application testing
      • Automated static code analysis
      • Automated network assessment
    • Policy (maybe)
      • Templates for policy, standards, guidelines, audit reports
    • Operations
      • Firewalls, VPNs, routers & other security products becoming trivial to manage

  14. Don’t be ignorable
  • Know your industry & tell people what is going on in it
    • Read: blogs, proceedings, news (Security Focus, Bruce Schneier, ha.ckers.org)
    • Go to: conferences, trade group meetings (OWASP, BlackHat)
  • Elevator pitch for “what you do”
  • Know the business as well as anyone else who works there
  • Network like a crazy person
    • “Be the Don”
    • Know who matters
  • Be the best at something
  • SHY & QUIET KILLS YOUR CAREER. Make sure people know “what you do”
  • Be especially nice to administrators; they know everything

  15. Do something scary every day
  • Know the risk/reward curve
  • Tell people they are wrong! Your boss doesn’t know everything; you were hired as an expert
  • Ask for critical feedback
  • Give critical feedback
  • Ask for help
  • Talk to someone you don’t know

  16. Know the company clock rate
  [Chart: hiring, budget and review cycles plotted across the calendar year, Jan through Dec]
