Recruiting Cybersecurity Professionals - Corporate Cyber Education

February 22, 2021

The Cyber Rants Podcast

Episode 17 - Starting a Cybersecurity Career plus Insight for Employers

The guys talk with Haidon Storro, who brings a different point of view to corporate cyber education. Haidon is an exceptionally motivated cybersecurity professional who recently graduated college and started her career. She shares her journey from finding a passion in technology, to getting educated and finding her first full time role in the industry. It's a highly competitive market for recruiting cybersecurity professionals and Haidon’s insights are critical for employers to understand when trying to recruit junior team members.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber criminals and now here's your hosts mike rotondo

zach fuller and lauro chavez hello and welcome to the cyber ants podcast this is your co-host

zach fuller joined by mike rotondo and lauro chavez we have a different a little bit different

episode today we have special guest hayden starrow joining us and we'll talk to her and her about her

progress in the cyber security industry and we'll dive into a little bit about how we got to know

hayden and and such here shortly but mike before we do that will you kick us off with the news

good day and welcome to the headline there's nothing we can do about this file yandex suffers

data breach after sysadmin sold access to user emails yeah that's kind of your worst nightmare

nothing we can do no it's just like yeah okay i just chose this one out because hey valentine's

day was last week but pre-valentine's day malware attack mimics flower and lingerie stores

so be careful with what you bought ransom attackers set their sights on saas saas is

becoming a bigger and bigger attack platform they're hitting it harder so be careful

um or ran somewhere security researchers discover help desk software vulnerability

uh this is in desk pro which is another you know remote access software solution for help desk so

if you're using it make sure it's patched it's a cross-site scripting issue

apple patches severe mac os big sur data loss bug so if you're on a mac make sure you're up to 11.3

interesting article on this i really recommend that you check out the link

on our podcast called how one man soundly infiltrated dozens of high-tech networks

apparently there's some source code that's been published by a few vendors you might have heard of

apple microsoft tesla uber yelp and others um that is customized internally and can be easily hacked

so be careful with that and check out that link from the really isn't that you're bad enough

already more bosses are using software to monitor remote workers and not everyone is happy about it

um not surprised we've come a long way since mouse jiggle um but this is getting a little

more sophisticated rdp the ransomware problem that won't go away yes rdp is becoming more and

more of an issue attacks are becoming more and more of an issue masslogger swipes microsoft

outlook group google chrome credentials hackers are now leveraging microsoft windows help files

as an attack vector um definitely an interesting attack story definitely recommend you look at

that from threat post details tied to safari browser-based scam club campaign revealed

this is back on big sur 11.01 it affected google and safari um so recommend you upgrade

if you can micros microsoft pulls windows kb 4601 1392 for blocking security updates

and then had to pull another for blocking security updates so that was kb5001079 so

um good job microsoft and finally first malware design for apple m1 chip is now discovered in the

wild apple's venturing into making their own chips and we've already got malware for it so

world is exciting hey laurel any uh anything you want to add not as exciting as the new m1

chip malware that's pretty cool well what can you say it's evolution right on the

exploit front not a lot to talk about other than you know there's been some some recent

you know i guess zero day bugs with ipv4 ipv6 and things like that i haven't seen any exploits come

across any of the main lines you don't have to like pay for to try and see if they work

so exploit database not reporting anything of that use which is good

and still patch those vulnerabilities but there's no exploit capability that we're

seeing today that's within at least the free range right unless you're developing yourself

which is a whole different topic however what is interesting is it there's quite a few php based

web applications that have had exploits written for them in in this last week all of them geared

towards online learning which i thought was kind of interesting so some of them are

the teachers record management system it's got a sequel injection uh that someone wrote again

available from medically pro there was a school of an attendance monitoring system again uh crosstalk

scripting on that and a stored cross-site scripting piece so that you can you know

consistently reflect um school file management system um another cross-site scripting on that

you know interesting tasks for the teachers uh teachers task management and to sum it up

another one is um online school management system uh version one and that's sql injection too

so um it looks like you know there's like this online education platforms that you know

companies are trying to write to help support this so we're more remote learning capability

that we we need now we're in the pandemic and obviously the hackers are taking advantage of

that so please please in in in the light of our kids don't don't speed to market this stuff you

know make sure that you're doing your sdlc and checking for lost stuff because sql injection

just shouldn't come up anymore i mean it's just it's just really it's just really negligent to

build an online application that still has something like that that's it for exploitation

zach i'll turn it back over to you all right thank you well negligence is a is a big problem

and leads to a lot of breaches so certainly out there we've been talking in the cyber ants podcast

quite a bit about building the team finding team members good people um this is something

our security services firm science sector really prides itself on quality over quantity and just

working with some outstanding individuals in that we also do some work with grand canyon university

and help them as far as our security programmers we were in touch with faculty students um the

cyber range that they have there and it's really been really been great to see that

organization grow their security program um and in doing so we met hayden storrows with us today

and uh met her as a as a student when she was a student there at gcu and she really stood out from

the crowd you know there are a lot of people that just go into cyber security because there are jobs

available and there's demand for it but she really uh truly has a passion and it showed and so we um

started working together and hayden helped tremendously if you've read our book you're

you'll see a mention of her in in the first few pages of the book i'm helped tremendously

uh with research he's done a lot of writing on blog posts and things for us and really just true

uh has a true passion for technology and cyber security so we thought we'd bring hayden on

today and have her talk a little bit for those people that are looking to get into the industry

especially and also for those people that are looking to employ cyber security professionals

that are that are newer to the field thought it'd be great to get hayden's perspective on what all

this looks like out there you know and because she comes at it from a different lens than we do

so thank you hayden for joining us today we really appreciate having you and um as always it's it's

just a pleasure to uh to work with you thanks zach and laurel and mike for having me um certainly

the honor is all mine like i'm super stoked to to speak and share a little bit of my perspective and

i guess we'll go with math to how i got to security great yeah thank you and speaking of

which do you mind sharing a bit about what made you decide to pursue cyber security as a career

and how you got started in it sure so i kind of never so i never like knew that i wanted to do

cyber security um i kind of got lucky where like senior year of high school was two in colleges

and gcu offered to buy people from my area just like like a thousand miles from arizona for free

to the college and that was kind of when i first heard of cyber security like i was just kind of

the typical i guess like high school student didn't really know but knew that i needed to

get a get a degree you know get a job and whatever but then when i was touring gcu they had like a

like a session on some of the degrees they offer and i've always been good at technology

but like you know just typical like fixing a printer or helping my parents restart their you

know fire tv like nothing actually super advanced but anyways turning it and hearing like how much

like i guess opportunity but need there is for defenders and i guess red team as well

and that kind of like sparked interest in me and seeing that it was such a like like quick

fast-paced you know agile environment compared to like what i was thinking of i was heading towards

like pharmaceutical type stuff and then i was like like screw that like that's boring if i could do

something that's you know like really requires some critical thinking and it's always changing

and so that kind of and then on top of that also the whole um doing something that's like

meaningful so like yeah being an accountant yeah you're helping people whatever but like

cyber security you're really like there you know especially with iot going out

and 5g and all these you know buzzwords going like it's a real opportunity to i guess help

humanity so that's that's kind of how and then i guess i also had so then after okay so i got

back from the tour came home and i was like told my parents like i know what i want to do now and

so then from there i just kind of i got lucky when there was um an internship in my town so

it's like a smaller it's not like tiny but it's not really like a tech city and that security

internship was what really like solidified like okay i want to do this for forever

so that's kind of that's how i got started what about school hayden what what would you say um

as far as as far as your learning and your course to get prepared for a job i mean did you think you

got most of your knowledge in school did or were you doing a lot of work on the side as a hobbyist

uh tell us tell us about that and kind of where you picked up your skills

that you have today sure so i guess for any job you need to have like foundation and so

i came from i was somewhat techie that i knew a little bit about you know joe breaking an ipod

like small stuff like that but not any sort of enterprise or anything like that and so i

at the internship one of the things they told me like you should do

is get your a plus which is like a basic i.t fundamentals how computers work how you know

traffic goes across the network things like that and so i guess a combination of school

and then certificates i got a few and then the internship they were honestly all really

valuable i guess school gave me the more textbook stuff you know how a server works and

um soft skills as well we've learned like business stuff and how to get budgeting for projects and i

wish we had more technical honestly because like our ethical hacking class and stuff like that was

very very like very basic but um enough to like i guess get get me started especially with cyber

security being so new i mean kind of the guinea pigs in general at the school so i didn't i wasn't

like disappointed but the internship is kind of really where i learned most of my i guess

knowledge and because that's just like that's real world that's the stuff that's happening every day

um so that that gave me a lot of knowledge and then just for fun on the side i did i did some

like hacking competitions i guess you could say it asu and um obviously online there's so

many resources with youtube udemy so i kind of did like a combination of like everything you could do

and then uh another thing i got to do which was really like also somehow i got lucky is i got to

go to black hat which is like a cyber security office that's like the world's largest where

red team blue team purple team grey team any team everyone just goes there it's like um so i got to

go to that and learn a ton that was super super eye opening of like how all of the car hacking

and just all these really like i realized how like everyone's so so smart in this industry so always

always dream to learn but i guess those were the basics and tell us about um so you you went

through the internship your school you followed that path and tell us a little bit at least

what you can say about what you're what you're doing now and what types of roles you picked up

or what types of activities you picked up when you got into a full-time role

so i got hired on as like the job title security analyst for the security operations center and it

it's a lot of ticketing type work so we'll get an alert that something has happened

and then i'll go investigate it and because i work at like an industrial control system

company they're very tight-knit on internet access so lots of just people trying to get

access to because we block uncommon tlds and block executables for everyone like it's just very so a

lot of like analysis like okay is this site safe or you know why do you need access to this site

that is in you know ukraine i don't know if you need this for a small town company in spokane

and a lot of telling people know which is and you get used to it but as i do that and then

also i get to do some more i get to read antivirus reports and examine our fishing inbox that we have

and that's kind of and then also i'm doing things like cleaning up our active directory we have a

bunch of old shared accounts stuff like that um and then a lot of i don't know if you guys have

heard of splunk which i'm sure you probably have splunk but lots of splunk stuff they've

because i took a splunk class online it was free and anyways splunk is really like not to nerd out

but the power of the data and so with that when we're a little bit i guess slower with our tickets

um working on creating queries to identify like data exploration creating queries to identify um

like anything you can think of you can probably do splunk so i guess that's kind of kind of

what i do and then obviously i'm we have a call like a line that people can call if they have

urgent requests because we block like usbs we block so much stuff that's it's i mean it's strong

it's like it's good from a security standpoint but from a user standpoint it can get tedious

to keep submitting tickets but anyways um i also monitored the call line so to answer a call and

that kind of helped me a lot with slowing down on my talking because i talk kind of fast and then

also people skills because some people are just really frustrated or things like that i've never

actually heard of a frustrating computer yeah that's that's so strange it must be unique to

your company yeah it must be your computing it's always security it's literally always security's

fault anytime it's like oh we didn't do that like oh security so it's like a running joke now that

that's that's always been the joke the security is the problem yeah oh you're gonna get that for

the next 30 years or so oh yeah by the way is it true that reading cyber rants is the equivalent of

a four-year college degree yes yes yes it is yes that is you know that's the quick way

shameless plug especially the part that you read that you wrote so you know there's a lot like

valuable information in cyber ants like i'm not even like biased i'm just saying like objectively

speaking it is a solid book did you did you give it to everybody you know for christmas i gave it

to my parents and yeah that was it but i still have all the copies so we'll see hey you gotta

you gotta make sure they're worthy right you can't just you can't just you know cyber rants

book giving out gun goes burr you know you gotta make sure you give them the right people right so

very cool so i so that's all that's awesome and and so let me ask you now that you've you've had

a kind of an opportunity to to you know be in an active team and and kind of see the daily things

what organizations big mature organizations right i don't mean in size i just mean in

activities right the measures they go through to maintain regulation and compliance and

you know the all the stuff that has to happen on the back end from the analysts looking at

logs to the splunk data you know aggregation and parsing and everything else that you want to do to

get the data you need where do you see yourself in in the next 10 years and in cyber security

do you still see yourself in cyber security in 10 years and then where do you think you you'd

see yourself being have you have you found a favorite spot yet that you got your eye on

yeah kind of going off the internship again um i got to work under you know a great team i still

work with them but at the time there was a threat hunter well we we he left for a different company

and they gave him more money but anyways he was a threat hunter and um like that really

the idea that you've already been compromised but trying to find like where's what's you know

what's hiding kind of like the needle in the haystack um so i would like to you know shift

more from analysts to the hunter with time um that's just that's like you know a three to five

year experience role at minimum just because it requires like a very uh wealth of knowledge

of enterprises and anywhere from network to like coding to so you have to know kind of everything

but i kind of i like that and when i am air quote hunting because sometimes my manager would be like

hey do we have any telnet traffic from blank and just like random things like that or sometimes

i have like hr investigations where they'll be like was so-and-so on facebook at this time and

things like that but that's not really hunting but the actual hunting that i do when i

can is it's very enjoyable and something that i would like to get more into and more advanced

with my knowledge if you want to stay in the cyber security industry i kind of have started kind of

in the beginning mentioned that if i don't have a job i have to find a new one but if the case that

i can't work remote with my current company i still want to work with either like some sort

of energy company or utilities or power so ics sticking with ics and you know not finance or

education or health care or whatever but that's like this is all like i want it's not like it

might not happen it might but i would really like to stick with ics for the rest of my life

or i guess working career why is that is it just that type of interview that you like or is it

the idea of like helping people like sure i'm not saving people's lives but you know the electricity

that the company i work for generates is doing that and then it's it's i guess a little bit more

i don't know i don't say sophisticated is the word but the idea that okay i'm not protecting

from script kitties or you know someone who's just trying to financially be motivated like

sure we have money and oops customer records whatever but it's like okay we're responsible

for the power grid like this is and then also it's just fun because we get a tour a lot of dams and

do our you know access point scanning and so a little bit of outdoorsy too i suppose because

you know the power people always need power so if something happens

to the economy or something i feel like that's a little bit more than if i were for a startup or

not not like silent sector i'm seeing like a general like startup like oh i have

you know grab hub or something before that blew up but so that's actually i'd work for it too i

think we know people that might be able to get you an interview yeah my boss is a pretty cool

guy and i mean word on the street is that you've got what it takes to work here so

and and hayden what advice for uh we we speak a lot as you know of course in the book and

in the podcast we speak a lot to those um security and i.t team leaders both

and and organizational leadership tell them a bit about what you are looking for when you're out

starting your career looking for jobs what attracts you to an organization and and what

would turn you away i think for me uh personally speaking the biggest thing that i really look

for i guess is culture so i was willing to the beginning when i was looking for a job so i had

a couple of offers and the culture i work at is like i really do enjoy it but it's not as

much in common with my co-workers than at this other company that i was actually like they

offered me the job so i was like okay i would take a substantial pay cut but i would maybe more enjoy

lunch breaks and you know i'd actually have something in common with my co-workers versus

the ones right now i have like they're great a little older but it's just kind of there's not

a lot you have in common so it's like lunch is always awkward and things like that but i guess

the culture and then number two i would say is like continued education like they support you and

that they have a budget for training especially with cyber security like obviously every industry

you need to train and continually train if you're not staying up to date on trends if you're not

allocating enough time to you know read up on things learn new tactics um or not tactics but

learn what you know ttps are being utilized by the adversary or if you're reading news from

three years ago or like that's so irrelevant to what's gonna happen tomorrow and being you

gotta stay like up to date so i guess for me is excuse me culture and then if they had a budget

um so the company workout they don't really they don't really budget at

all for training so if you want to take a sans class which you know eight grand

that's a no but they will sponsor you and like pay but they'll reimburse you if you pass an exam

that means you're still putting away the time aside buying the resources paying for the exam

all the stuff and then the other company interviewed at they're like oh yeah we have a

hour per day or hour per week or something like that where no you know if there's

a study or not just study but they can read stuff or

look at new threat feeds or anything like that so i guess those are probably the two

well what would you what would you say so looking back and switching gears slightly looking back

on your path and getting started now that you're you're established and such and moving forward

in your career what advice would you give to other people that are really aspiring to

make a career out of cyber security i would say because i was i feel like when i started i was

a little bit more like timid and kind of like everyone i think everyone in this industry is

so smart so i just get very intimidated i'm like i don't want to ask something that's stupid or

you know but it's just like you have to just ask like you know and if if you're not even sure if

cyber security is right for you like they're just lean in if you even have you know one percent

interest in it because there's so many avenues you don't have to be a hacker you don't even have to

know anything about computers like i literally knew nothing about computers i mean now i know a

decent amount but it you know there's so much that you can do with it so i guess be curious and don't

like don't be nervous so don't don't second-guess yourself because if you have the question like

i mean it shows curiosity it shows critical thinking if you ask it but i guess i'd probably

be my advice don't be scared to put yourself out there and ask questions thank you mike and

lauro any final questions for hayden no i think you know not knowing about computers makes you

you know a prime candidate for it management

i'm sorry it's a little harsh

yeah i was going to say that that'd be perfect that's a perfect one especially the the cso rule

sorry to a lot of the fans up there we're just kidding with you it's okay

yes yes we we are here to poke fun so forgive us that's that's the only reason i'm here is for the

clown show so i yeah i didn't realize you didn't know that sorry i'm here for the sound effects i

didn't mention stupid questions and i asked stupid questions all the time so um i think i think you

never stop asking them you know but uh well thank you so much hayden i appreciate you joining us

today and it's just always always great to to work together on different projects and such and so

and uh thank you thank you to all the listeners if you have any questions for hayden or for us

um please send them our way and uh please uh please rate the podcast on your

favorite podcast platform and uh let us know your comments you know we want to hear from you we want

to continue to make these better and uh invite more guests and and and help collaborate with

more people in order to share this knowledge the world because it's really really is needed we're

all in even though we have different niches in the industry that we take care of different aspects

we're all in this together really against the fight against cyber crime so we have a lot more

to do and um i'm i think we're we're headed in the right direction but um a continuous battle to

uh subdue cyber criminals over time so thank you everybody and have a great rest of your day thanks

pick up your copy of the cyber ants book on amazon today and if you're looking to

take your cyber security program to the next level visit us online at www.silentsector.com

join us next time for another edition of the cyber rants podcast

Episode 17 - Starting a Cybersecurity Career plus Insight for Employers

Send Us Your Questions & Rants!

Categories

Archives

Transcript