Transcript

welcome to the cyber rants podcast
where we're all about sharing the forbidden secrets
and slightly embellish truths
about corporate cyber security programs
we're ranting
we're raving
and we're telling you the stuff that nobody talks about
on their fancy website and trade show giveaways
all to protect you from cybercriminals
and now here's your hosts
mike ratando
zack fuller and lauro chavez
hello and welcome to the cyber ants podcast
this is your co host
zack fuller
joined by mike ratando and lauro chavez
have a good episode today
a variety of topics
we're gonna just going to see where it goes
and there's some interesting stuff in the news as well
mike you want to kick us off
i started the news with a very critical story
ferrari apparently got hacked
ran somewhere
doesn't matter
i still can't afford one
now back to real news
the first seventy two hours of an instant response
critical to taming cyber attack chaos
cybersecurity professionals
tasked was responding to attacks experienced stress
burnout and mental health issues
that are exacerbated by a lack of breach preparedness
and sufficient instant response practice
in their organizations
a new ibm security sponsored survey
published this week
found that two thirds
of instant responders suffer stress and anxiety during
at least some of their engagements
while forty four percent
have sacrificed the well being of their relationships
and forty two percent have suffered burnout
according to the survey conducted by morning consult
in addition
sixty eight percent of instant responders
often have to work
on two or more incense at the same time
increasing their stress
according to the survey's results
companies that plan and practice
responding to a variety of incense
can lower the stress levels
other instant responders
employees and executive
sound sector recommends
ir tabletop exercises quarterly
also recommend that she quit whining about
doing your job bc attacks
most victims aren't using multi factor authentication
apply it now stay safe
business email compromised
scammers are gaining access to real accounts
that they're using to do victims
in descending payments
there's been a big rise in business
email compromise attacks
and most victims work on
organizations that weren't using multi factor
authentication to secure their accounts
bc attacks are
one of the most lucrative forms of cyber crime
according to the fbi
the combined total loss is
forty three billion
in counting for this year
tax reported
in at least a hundred and seventy seven countries
that's pretty much every place as a computer
and these attacks are relatively simple
for cybercriminals to carry out
all they need is access to an email account
and some patients
as they try to trick their victims into
making financial transfers
under false pretenses
is commonly involved
sending messages to employees
purportedly from their boss or a colleague
that suggests a payment
often very large
must be made quickly
in order to secure an important business deal
it's a known
commodity that scammers monitor
in boxes for a long period of time
only choosing to strike
when a real business transaction is about to be made
at which point
they cut in
and direct the payment to their account
there's a common theme about
among these victims
and that is that they don't have mfa in place
so i guess the point of that article is
get mfa in place
of course sending your subject
mfa fatigue
figure something out and they can think
we've seen lots of mfa bypasses
and office three sixty five as well
so yeah unfortunately it helps
but not the ideal
you need to be using a pin
rotating pin based app for your
yeah mfa an authenticator gap
like norton or google or one of those yeah
hundreds of microsoft sql servers
backdoored with new malware
big surprise
security researchers have found a new piece of malware
targeting microsoft sql servers
named maggie
the backdoor has already affected hundreds of machines
all over the world
maggie is controlled through sql queries
that instructed to run commands
interact with files
its capability extends
a brute forcing administrative logins
to other microsoft sql servers
and doubling as a bridgehead
into the server's network environment
fun trade data shows that maggie is more prevalent
in south korea
india vietnam
china russia
thailand germany
and the united states
microsoft updates mitigation for exchange
zero server zero days
about a week ago
there was a big zero day that happened
microsoft came out with remediation
now they're updating it
because they approve that
research approve
the remediation didn't work
researchers had discovered
that microsoft's original mitigation steps
for the so called proxy
not shell flaws
was easily bypassed
microsoft today updated its mitigation measures
for two recently disclosed
and actively exploited zero day vulnerabilities
and exchange server technology
after researchers found its initial guidance
could be easily bypassed
microsoft's original mitigation
for the two vulnerabilities
cbe twenty twenty two
four one o four o
and cve twenty twenty two
four one o eight two
was to apply a blocking rule to specific ur path
using url we wait module
on i asked server
they were asked you to add a string of content
i'm not going to read the article
it's very important to know if you've got an exchange
we've sent it out to all on prem exchange people
but it's an important thing to look at
basically what it came down to
is that the code they asked you to put in
was easily bypassed
fbi cyber attacks targeting election systems
unlikely affect results
you know it's election series
election times
so the fbi has come out with
in conjunction with cissa
in a public service announcements
that says that cyber activity
attempted to compromise election infrastructure
is unlikely the cause of massive destruction
or prevent voting
the fbi and cissa assess the associated risks over time
and neither agency has seen evidence
of malicious interference having any miserable impact
as of the date of this report
the fbi insists that have no reporting to suggest
cybersecurity has ever prevented
a registered voter from casting a ballot
compromise the integrity of any ballots cast
or affected the accuracy of voter registration
no mixer dropper delivers a multi malware code bomb
this is actually really interesting
in one shot
there's a trojan called no mixer
installs a suite of downloaders
banking trojans
stealers and spyware on victims systems
it's only after a user clicks on malicious link
downloads the malware
and then launches it
that no mixer is deployed
but once the dropper infects the victim system
it deploys multiple strains of malware
from spyware to trojans
the multi hyphenated malware threat lurks among sites
promising license software workarounds
and fake security key generators
according to kaspersky
the malicious documents appear legitimate to users
because those sites have found their way up
to the first page of google search rankings
for keywords like crack software and keygen
using advanced co search engine optimization tools
he compared
kaspersky said
unfortunately
it's not just home users at risk
thanks to the work from home phenomenon
and people using personal devices for work purposes
the danger to companies
from these kinds of threats is clear and present
it's even more justification
this is a silent sector comment
to lockdown even byod devices
with some sort of endpoint controls
couple key headlines
rdp attacks decline eighty nine percent in eight months
which is a big surprise there
are a bunch of defense organization hacks going on
there's some healthcare hacks that happened
apis are back in the news
and again ferrari was hacked
but i still can't afford one
so it doesn't matter
laura yeah i was really hoping that
that ferrari hack would help us
you know be able to afford a ferrari
hey i mean you know
you just got to give up the forty dollar cigars
and a hundred and fifty dollar bottles of scotch
right gross
who drinks hundred fifty dollar bottles of scotch
that's disgusting
one of us on this feed
no i mean like
if it's not four or five hundred dollars a bottle like
oh yeah i see
yeah right right
that just a mere
mere peasantry
yeah the peasantry
my pilot my pilot is so sophisticated
it needs two hundred and fifty dollar whiskey
no i think the bottom shelf is now i don't
it's got to be better than the plastic bottles right
can't go that that far
but i can't put scotch in plastic
give me a yeah that would be
that would be horrific
a while ago they came out with can scotch oh
that might be okay
needless to say that didn't last long either
you know for the scotch
can't the scotch drinker that wants to throw something
into his cooler when he goes fishing
hey the glass bottles work just fine in a cooler too
that's why plastic is such a great idea
you get drunk you don't break anything
well back to cyber security
laura you have any
any news anything going on in the world
there's always stuff going on in the world of exploits
however interesting trend
i'm seeing a downtrend in the
creation of new exploit payload codes from
from the community
i don't know
i've kind of watched this sort of downturn happen
over the course of the summer
and now we're just not
seeing as many exploits pushed to the public space
so that could be a couple reasons
maybe a lot of them got conscripted in russia
maybe some of them are saving some of the more
serious attacks for the holiday season
and you know maybe they
they figured out that doing this for free
doesn't get you any closer
to the goals that you have in life
so there may be
some of these authors are moving to the marketplace
on the dark market
to get a little money or do bug bounties
versus putting these out for the public consumption
however there are still exploits to talk about
and i'm gonna do something that i don't normally do
i'm gonna talk about wordpress that
so i'm gonna have to wash my mouth out with
with some very cheap
very high grained
very plastic bottle scotch
after i talk about this
this topic here
however those of you who like to ride the danger zone
danger zone
wordpress danger zone
there have been over seventy five exploit successful
exploit payloads
written just this year
for your free
open source community
wear driven wordpress
so if you are still liking to live on the edge
and live dangerously
you know just use random needles on the street
or for your
for your purposes
be careful out there
because there are quite a few new wordpress
plug in vulnerability exploits this week
a lot of them with sql i
and remote code execution
so both very
very bad i guess
vulnerability
attack services
for you to have
sql i is going to allow
the attacker to pull data out of your database
or even inject it into that database
and remote code execution is going to allow that
code to execute remotely
as part of the weaknesses in your wordpress deployment
not anything to your fault
wordpress is just crap
it's you know
it's not anybody's fault
it is what it is
but i want to take the conversation
just a little further
and talk about
something that
i'm gonna say
i'm gonna give mike the congrats to this
for pushing this my way
because i don't like to talk about wordpress
i want to point out
that there is a very big news article out this week
about the solar marker group
okay this is a
this is an advanced
persistent threat group called solar marker
they have been creating a watering hole
for all of the vulnerable wordpress sites out there
what that means
is that they go out
they find the fact that you're a clown
and you're running a wordpress
they're gonna find a vulnerable exploit
and they're gonna attach to that
so what a watering hole attack is
is everybody
that doesn't know
is the cyber attack group
solar markers going out
they're finding all the clowns
that have put up wordpress sites that are vulnerable
they're taking advantage of those vulnerabilities
and they're setting up
hidden traps
for visitors
that they're gonna lure
essentially
to the watering hole
think of the alligator
in the watering hole
and you're the antelope
and you're coming up
and you're innocent
you're just trying to get a drink of water
to start your day off
and automatically
the alligator chooses violence
that is how they wake up
and this is the exact same thing
you're gonna go to one of these wordpress sites
and in order for you to further view the wordpress site
the wordpress sites gonna say
hey you need a new chrome update
or you need to install this firefox update
or you need to install this edge update
and the moment you do that now you've
you've been
you have been
sabotaged my friends
so keep in mind
there is this water hole attack going on
if you are crazy enough to run wordpress
please check your plugins
please check your versioning
and make sure that you're not running
one of the highly vulnerable versions of wordpress core
and if you are
try to upgrade it to the next
slightly less
but still highly vulnerable
wordpress core
all right zach
that's probably enough about the wordpress
i said that
i got to tell people this
but if you haven't heard it before
hopefully you heard it this time
yep if this is your first
cyber rants episode
there have been a few others
previous to this
that also mentioned
a thing or two
about wordpress
just because of
the prevalence
of exploits
that being said
we're gonna take a quick commercial break
jump right back in
want even more
cyber rants
be sure to subscribe
to the cyber rants podcast
get your copy of our best selling book
cyber rants
on amazon today
this podcast
is brought to you by
silent sector
the firm dedicated to building world class
cyber security programs
for bin market
and immersion companies
across the us
silent sector
also provides industry
leading penetration tests
and cyber risk assessments
visit silent sector dot com
and contact us today
and we're back with the cyber rants
podcast today
i've been thinking about
a career in cybersecurity
i'm wondering
if i should get in
to the cyber security field and
it seems like there are a lot of people
asking the same question
so of course i'm being
i'm joking right
of course already in this business full time
but there are a lot of people i think
i don't know what it is
if it's a time of year
people are starting to think about their future
whatever the case may be
but especially young people
high school college
are reaching out to ask
how do i get into cyber security
i really like tech
i am interested in this stuff
what do i do
and i always
always time to talk with them
i'm always happy to jump on a quick call right
help people out
people have certainly helped me through
throughout my career
and i'd love to return the favor
but i thought it'd be good
we could just
in a podcast right
and we've talked about it in a couple previous episodes
but there's always new stuff happening and things go on
so first of all
question comes to mind how do
you think about getting into cyber security first by
do you really want to get into cyber security
what are some of the pros and cons
they should think about
when they're going into this field
well based on that article from ibm
that i read at the top of the news
can you handle stress
when there's an incident that happens
there is a structural occasion
can you think strategically
do you like puzzles
do you like challenges
do you like to solve problems
can you write
if the answer to any of those is no
then cyber security may not be for you
well yeah i mean
i'm not gonna say i disagree with you mike it's
i'll say this
i'll say that there's a steep
you know for and
and like you zach i
i tend to take on a couple interns a year
for those that don't know
is part of a philanthropy
if you will
to try to teach and guide the next generation of
cyber security practitioners
because we do have a shortage of that in this country
and if you go to any of the job sites
you'll notice very quickly that there's a
approaching eight hundred thousand
open positions in cyber security day
none of which can be really field
and so you you know
like you said zach
you have a lot of
of these you know new
new fresh minds
that are coming out of high school and college
they're seeing that
mike and i are working from home
we're working from pretty much wherever we want
and this is probably consistent
with other cyber security professionals too
some of you probably have an
office requirement part time
but a lot of this work can be done remote
you really have a nice flexibility of
work and personal life
but like like you said mike
there's a lot of puzzle
there's a lot of strategy required here
there's a lot of stress that's required
in this job field
there is a steep learning curve
and i want to harp on what mike said
writing your technical
your ability to write technical documents
is very important
because it doesn't matter if you're
putting in a trouble ticket
a lot of the documentation
that a cyber practitioner may be doing
would be entering
the results from one of these incidents
that mike was just asking
if you can handle stress
some that's the reason you're there
think of yourself as the paramedic
or the first responder
you're the first responder for the it team
you're also the first blamed
so if anything goes wrong in it
you're gonna have to defend your honor
and let them know that you weren't doing any scanning
or pin testing while things went down
but the stress for the job sometimes can be very high
i hate to say it
but there are some organizations that still don't
see the true benefit in cyber security
and the practitioners they hired
and you can
you can have lots of great ideas and be met with
with resistance at the leadership level
but the one ingredient that i will say
that is necessary
for you to be successful in this field is passion
and i don't care what mike said and what i said
if you're passionate about this field
you're gonna be successful
one thing i will say is that
the self study and the continued education
for yourself as a practitioner is very high
the demand is very high
yeah absolutely
it's well said
and i think that's true in any field
there are different schools of thought of
do you pursue passion
versus strictly looking at problems to solve
regardless of the level of passion
i think in this business
i mean there are people that are
the probably the most successful people
are the ones that just would do this without
getting paid right
they love this stuff
one thing i would add is
there are so many facets of cybersecurity right
it's not just pen testing
as a lot of courses would teach you right
that's a component of it
but there are all kinds of different requirements
and one of the things i've been
i've been telling people as i
as i talk to
people that are getting started in this career
young people or people changing careers
is think about what you really like to do do
you like to really
just get into the weeds of the technology
do you want to be interacting with the machines all day
every day or do you like to get out more
socialized a little bit
do you like that side of it
what do you like to get deep into
reading or things like rules and regulations
something that you absorb naturally
and think about who you are as a person right
because there's so many aspects of cybersecurity
chances are there's a niche that you can fit into
that will suit your personality
don't try to put a square peg in a round hole and say
well you know
i really hate dealing with people
i want to just be in the technical pieces
all day every day
as much as i can
don't go out and be a sales rep
outside sales rep for an organization right
those two are not going to fit
they're not going to be grown
so think through that
and what your natural tendencies are
i think that'll take you a long way into
determine your path
so what's been happening lately is that i've gotten
i've done some mock interviews
from high school students
that want to get into cyber security
and i've been talking to some people that are
that are graduating with cis degrees lately
and there's very big
miss nomar out there that you have to have a cis
degree to be in cyber security
and that's one of the things that really
it bothered me
i have a degree in history
so i don't have a degree
i'm a college dropout
just for everybody out there that listens
yeah so um you know
the cis degree
that's nice
it teaches you theory
you're about two to three years behind
you're about
you're better off taking the cont t asserts
and taking an internship and an entry level job
and by the time you would have finished your cis degree
you got four years of actual evidence
actual work under your belt
actual experience
and i think that's far more valuable
i think you really only need the degree
if you want to get into management
and who likes management
yeah you want to be not a
want to be a see so
or director or something like that
but if you know
if you want to do cyber security and stay in the weeds
and stay doing exploits
and stay doing princess
and stay doing real world cyber security
instead of going into management
you don't necessarily need a cis degree
again i'm not saying you know
anything bad about college
if you want to go to college
go to college
if you want the education
get the education
but don't go
spend two hundred thousand dollars on a degree
when you can very easily spend five thousand dollars
on multiple certification
start a job making forty
fifty thousand dollars a year right away
and that's my thinking on the subject
you know that's good thinking
and i don't want to cause like a
like an atomic shell to drop here
but you don't need a cyber security degree
undergrad degree
to get working in cyber security
now the colleges may not like that
but that's the absolute truth
i think mike hit it right on the head
if you want to get a degree
get a degree
but to get into this field
it's more practical use of talent
so if you've got certifications
that prove that you have a practical use
that's going to go a lot further than a degree
i need individuals that can come in
from our perspective
and mike you can feed in here
i don't care if you have a degree
i need to know
can you do the job
your degree is completely as irrelevant to me as
what color shoes you like to wear
exactly you know
my question is
can you walk from point a to point b
not i don't care about your shoes
none of that matters
can you do the work
so from our perspective
it's very you know
demonstrate it
demonstrate your talents
not do you look good on paper
and to kind of go off of what zach was saying
i think we can kind of divide cyber security into
maybe two pieces for everybody
i think there's the technical side of it
and then there's
what i consider to be the business side of it
which is where your compliance and governance
and things come in at
because there are certainly non technical jobs
in the cyber security field
governance compliance is one of those areas that
you know like mike said it
your exact said
if you like to
if you like to write
and you like to read
and you like to do
i mean really
what it is is is
it's reading comprehension
it's reading comprehension
and applying that to a technical state
and so you can work with your technical people
as a compliance
governments practitioner and cybersecurity
to make the organization reduce risk
without ever having to actually touch a windows
or a wordpress site in your whole life
yeah you know if you can do that
if you can you know
definitely right on
there is a lot of non technical work in cyber security
especially on the compliance
from being you know sock to hipaa pci
that sort of thing
but if you can bridge that gap
or you can write and be technical
and you can comprehend compliance
then you're pretty well set up
so if you can do all of those
definitely definitely
one of those things that i just want to share
in an adult from my past
in two thousand eight
that was a year
like thirteen years ago
for those of you who are too young to remember that
we're in high school at the time
anyway we had a big economic downturn
and the reason
all my friends that were managers and directors and it
lost their jobs
a lot of them
i kept working
because i didn't
never went into management
i never was a director
i never did
i never why
they did eventually
but um i was technical
i was an operator
i kept my job
kept working
never had an economic downturn
so just one thing to keep in mind
there's a wise part in our book
the cyber rants book
page sixty six
ancient infosect proverb
and it goes like this
when one is eager to learn
no obstacle or task
is to mundane or challenging to overcome
even pci compliance
so if you're looking for some tips
the book is full of words of wisdom
and to dovetail on what you said mike
i've been telling a lot of people
hey if you want to get a leg up on other
people that you're around
your peers also
trying to get into the cyber security market
i was about to say break in
but it's almost not like that
i've seen people with little to no experience
just get scooped up
it's like hey
you're interested you're on
we'll train you on the job
so it's not
first of all
know that there's opportunity out there for you
second of all
if you really want to
have your pick of the job
start to figure out also what industries interest you
maybe it's healthcare
maybe it's finance
maybe it's defense work
whatever that is and learn
the compliance requirements of that specific industry
now when you go into a job
you're not just saying hey yeah
i took this network plus course
and this security plus course
or i'm really interested in this part of cyber security
you could say yeah
i really am focused on this component of cyber security
as it relates to your compliance requirements
you might be interested
and i'm really interested
in organizations in the healthcare industry
i've studied hippa compliance
right i understand it
and i really want to find a role that's a good fit
and and use of
use of my understanding of both the technical side and
the compliant side
so that can will
will help you get into places a little bit easier
i think because you're speaking their language now
and we see it as cyber security services providers
right even though we are fairly industry agnostic
i mean there are industries that we work with
more regularly than others
but the principles apply across the board
the fact of the matter is though
those people in those specific industries
that's what they relate to
they want to make sure you're speaking their language
you understand the nuances of their business
and how it operates and how their customers think
start to learn that as well
and that's easy to do
that's free
go online start to look at the requirements
read the pdfs
download the files
it's all there for you
and one other thing that i'll point out
that's online is nist
put together a
a guide for you
and it's all free
it's called the national institute
for cybersecurity education or nice
so you could just look up nist nice
and it has courses
and different job descriptions and all kinds of things
you can go look through and find out what's of interest
maybe list your top five
and then boil it down from there
and then go out and use your local community right
use linkedin
get on linkedin
start a linkedin profile if you don't have one
and connect with tech leaders right
most successful people in the tech world
well really
in any profession
i believe most of them
had help along the way
well they probably all had help along the way
but most of them are willing to help you as well
connect on linkedin with a cio
with an it director
or with a security director
whoever it is
and say hey this is me
really fascinated in your business and what you do
would you have fifteen minutes to chat
and then that establishes the introduction
from there you can start to feel it out
well hey maybe they even have opportunities
don't just go asking for an internship
just ask for a connection
ask for their advice
and you'd be surprised
how things might just materialize out of that
and all of a sudden maybe
roles or opportunities that weren't available before
suddenly become available
that's my way i think
i think the internship is a big deal
and i'm surprised
in talking to some of the college kids i've talked to
the colleges are not helping place those kids
in their senior year into an internship
like you know
law schools place law students into law firms
i would think that the colleges
would want to reach out and say
hey you know
company xyz
do you want to take a couple of our interns
for college credit
you know and then you can train them
i mean i would think that'd be a very viable option
and i think that's something that we
and we've talked about here at sound sector
working out with a couple of colleges
to do some interns
and maybe that more of that will come out in twenty
twenty three but
yeah i mean the internships key
one of the things you have to relax
a realistic expectation
of the hours you're going to work in cyber security
with one of the high school kids i was interviewing
i said expect to work more like fifty
sixty hours a week
and his eyes turned into saucers and didn't realize
that there's more than forty hours in a work week
so just have that realistic expectation
especially you're gonna go to like
an amazon or something like that
they're gonna work you hard
and and you just got to expect that
but yeah and expect not being really
yeah you know
you're probably not gonna be the one person on the team
you're not gonna be the security person
you're gonna be a part of a greater team
doing a very specific
a very specific task
within your realm of responsibility
i got a good personal story to share
met a guy his name was ken he's got a son named keith
keith is try going to college
keith is twenty years old okay keith's twenty
he tried to go to college a couple times dropped out
didn't really know what he wanted to do
you know you can throw the adhd asperger
whatever term you want
in there right
that makes it applicable
it doesn't matter
this is a person that is challenged by crowds
challenged by public speaking
anyways was trying to find their way in life
and so i met the father
and through a short conversation he was like
hey is there any way that you can talk to my son
about what you do
and about maybe some goals for him
and some places to point him
well keith had already taken his
i'm sorry his a course
so for those of you practitioners out there
probably know what a plus is but comp
tia puts together a two part fundamental course
all right there's a plus
it's in two parts
there's the hardware part of the a plus course
and then there's the software part of the a plus course
right that goes over operating system management
and that sort of thing
well keith had finished his hardware
he had failed the software the the
the pre test
and was frustrated
and so i you know
spent about
not long about forty five minutes talking to keith
and keith i told him
i was like you know
go back and take the software part of this it's a
the a plus is a very good fundamental course
it lets everybody know that you understand
fundamental computing on classic computers today
take the course
there's nothing wrong with it
it's not the most expensive course
and it's not the most prestigious
but it is certainly a good
a good baseline
and i said when you're done with that
take security plus
is like you'll be right in line
we're taking security plus
another comp tia course
so for those of you
listening to this conversation out there
i want to get into this
due to this work
a plus security plus from comp ta
or two great places to start that are not hard
okay so keith
fast forward
i just got the text from keith yesterday
okay this is
so this is breaking news
he texts me
well so about
about three weeks ago
he texts me
maybe a month
and he's like
hey i finished
i got my certification for a plus
on hardware and software
and i was like awesome
that's great
he's got more for my security plus
so then about
you know about a week ago he text me
i got my security plus
and i was like dude
that's fantastic
and so today
or yesterday rather
he texts me
and he's like
i just got a job at my local telco
he lives in oregon
and so you know
they have a local
that's not at amp t or verizon right
they have a local telco
that hired him on as a security analyst and
and in this guy's
you know again
keith's no experience
twenty years old
got two certs
three certs under his belt
and a love for the job
and now he's working
as a tech slash
it's a dual world
cyber security analyst for the local telco
reviewing logs from firewalls
making trouble tickets
things like that
as part of those incidents that they see
and just super excited to reach out to me last night
and was like
thank you so much
for the advice
and i didn't really do anything
but just say
you go that way
that's the way to town
just follow the road
but it's really
it's really nice to see that these individuals
with just a little determination right
just a little bit of drive
can go out and
not have any college degrees
and take a couple certs
and now they're have it
they have a good job
they have a future
at this telco
you know it might not be
a hundred and fifty dollars an hour
that you're looking for
but you're not gonna get that immediately
unless you can just write exploit code on the fly
to begin with
right and so
to start out at twenty
or twenty five
or thirty dollars an hour
that's fantastic
especially when all of your peers
are working in retail
or something of the likes right
or that was your other options
so stay positive
if this is the field that you like
stay interested
and look at
you know like zach said
look at the nist nice
and check out comp tia
for some of their
study stuff
and a lot of their things
are free as well
yeah there's soccer
i was gonna say
there's so many free resources out there online
just with what you can get out of youtube
it's amazing
but look at cyber area as well
they're just a
just an immense number of opportunities out there
and then also look around through your local community
if you're in any sizable city of any kind
they're going to have different cybersecurity groups
kind of clubs organizations
you have things like issa
you have different
localized security conferences and forums
try to go to those things and meet people
and you'd be amazed at the doors that will open for you
i'm just going to say that
isaka also has a set of classes that you can take
they also have a hack lab
and a training lab for cyber security
so you might check out asaka as well
it's is aca
and look into that
so i mean there's a lot of opportunities out there
and i think part of the problem is
why we have a shortage
of it security people is that there is this belief
that you need this cis degree
that you need this whatever
there's multiple ways in the cyber security industry
going back to what zach said at the top of this
i'm self taught
everything i had
i took classes at my own page
i paid for myself
no nobody paid for my
my certifications but me
so starting way back when
when i got my mcnc for n t four dot o
and i'm sure some of you will have to look up
what that actually is so
but yeah that
that will drive you and make you more successful
just a passion for the job
so yeah absolutely
and i don't want to kai bosh on the colleges
right now because if
if you want to be in the technical aspect of this world
you know try hack me
and there's a lot of online communities
that will help you get your skills
at using metasploit framework
and other types of things
like cobalt strike
to deliver payloads
and do technical assessments for clients
if you're gonna look into a college program
check out their lab
and make sure that the lab is not
and the classes don't involve techniques um
that are more than ten or twelve years old okay
because that's not gonna help you
when you get into the real world
yeah it's gonna get you excited
it's gonna give you a lot of cool stuff
to play with in a lab
but when you come out into the real world
you're gonna look at the attack surface
and it's gonna be completely different
from what you're used to
because you were playing on stuff
from ten or twelve years ago
that was extremely vulnerable
with some of the new attacks
so they kind of
i don't want to say they rig it
but they kind of
rig it to get you involved
because you're using a modern style attack
on a deprecated operating system that's ten years old
of course it's gonna break in
of course it's gonna look funny
you're gonna be like wow
this is so easy
and then when you get into the real world
of technical assessment pen testing
you're gonna find out it is not a cakewalk
there's nothing about it that's easy
and there is nothing about it that is a plug in
and it works
so there's very very
very small chance for that to happen
we don't come across sql injection
sql injection vulnerabilities that are viable
injection vulnerabilities
very often at all
i think i've come across one
good one in the last five years
right so these things that they'll teach you
or sometimes that you are taught in these institutions
aren't relevant to the real world
always compensate your school
education with things like
try hack me
try to do some of the capture the flag activities
that are out there
in part of the community
get on our hacking
if you're a retitard
okay get out there and do our hacking
get in our cybersecurity
start following these communities and
they'll kind of help you find these places where
you can practice your skills and hone those things
and sharpen your tool
but certainly be very scrutinizing
of educational institutions and their laboratories
where they're going to try to teach you these things
go have a press site right
yeah don't do that
if their lab is made out of windows
two thousand three servers and windows xp boxes
then you probably don't have anything to do with them
i know gcu grand canyon university had some good stuff
well have state university
of course is very excellent for multiple things
including the fact
they're going to beat michigan state this weekend
so i would highly look at recommending them as well
yeah i'll just say that an osu degree will like
get you a job anywhere anywhere
it doesn't matter
if you went to the fisher college of business or not
anything from osu
i'm just kidding
i'm just saying
well you know
just going back to griza
i mean it just kind of running down this week
we have a project manager that has an agra
business degree
okay he knows how to castrate sheep
but he's also technical
we have another project manager
that has an accounting degree
i mean and they're both very technical people
and they're technical project managers
but the degree really doesn't matter
it's the ability
to understand and comprehend technology
and that's what matters
it really does
they're they're really good at what they do
because they really like what they do
our project managers
and for me like my
my degree was in management of information systems
i was going to ix and acis
so i tried to go at ohio state
coincidentally
at the fisher college of business
tried to go for management information systems
and personally
i just realized that at the time
you guys think this is in the early two thousands
cause i'm old
that they didn't really have any relevant classes
for me like
i'd come out of the army
i was already doing this stuff
and so i was thinking
like many of you
i gotta have a degree to get a job
and so i started to go down this track
and just realized that
a lot of classes i was given for my track
were just completely bogus
and had nothing to do
with my technical aptitude of any kind
and so i got poached by a headhunter for lots of money
right out of the army
for making no money
so i was like school
who needs school
i think you know
it was like
i felt like old
what was his name in that movie
show me the money
with tom cruise and
oh jerry my boy
terry maguire
yeah it's exactly
that's what i
that's all they needed to do
is flash those dollar bills in front of me
and i was like
what college
ohio state well
i think you can look at it two ways
you can say
is that a brute force attack
or do you want fries with that
yeah exactly well
well you know and
and so you know
i guess i can bring this up right
so you know um
i don't know if i should bring this up
okay so my son has been practicing with me for
probably the last six or seven years
like i've always had him in the office
going over these types of attacks
so now he's finally got a job in cyber security
and i'm very proud of him
and he's done just a really good job
well before
you know he's seen
you know dad go to the office
he's seen dad work from home
he didn't really know what he wanted to do
so he got a couple retail jobs
and he was making friends
and now he's quit his retail jobs and is
dedicated fully to cyber security
and his peer group now is looking at his
really obvious change in living standards and really
really abrupt change in work life balance
and they're saying wow
how do i get into that
so he's kind of come to me
he's like hey dad
i've got a couple friends that they want to talk to me
and maybe talk to you
about how they get into cyber security too
because it's an attractive field
when you see the practitioners that are working in it
and how much they love their jobs
and don't get me wrong
it has its tough times
it's stressful
and when you're a security services organization
like silent sector we have
we're not just dealing with one company right
we have lots of
lots of things going on right
so it's a little more stressful for the aspect
and even if you're just a practitioner
and one organization
it can still be stressful
but everybody loves this job that's doing it i think
and because if you don't like it
you're not gonna do it
you're gonna go
you're gonna go back to retail
or go some other part of the business
marketing sales whatever
but everybody who's doing it really enjoys it
and there i think
they're really seeing the benefits
that the work life balance give them
and you know
to participate on the pen tests and
or technical assessments
and find things
make you feel like you're
you know you're getting someplace in the world with
with your skills
so it's just interesting to see
you know from my own perspective
my son go from
i don't know if i really want to do this
it's kind of
it's kind of
i don't know
i think i'm gonna go work with my buddies
to like yeah
i'm never doing that again
i'm gonna stick right here
with the technical aspect
and now see you know
the peer group is starting to come in and say wow
how do we get into this too
so i think it's a very attractive
field these days
i think with eight hundred thousand
open positions across the united states
it's very easy to get a job with a certificate
and no degree
hence keith's proof on that
and so again
if there's anything that we
can do to help you
and i don't exactly mention that
but you reach out to us
if you're listening to this song
or this song
if you're listening to this track
and you're singing along
sorry what are we doing again
this is a podcast
yeah but if you're hearing this
and you have a son
or a peer or a friend
or that's interested in this
reach out to us
we're always happy to talk
at our convenience
we are busy
but we will reach out to you
yeah one thing i want to bring up to
is that there's multiple burnout points
key burnout points
in cyber security
and the first ones at eighteen months
the second ones at three years
and then it's seven years
and if you make it past seven years
you're unfit to do anything else
so that's where you're at
you can no longer integrate back into normal society
no cyber security
you are cooked
you're done
you are now
can only communicate with cybersecurity professionals
exactly right there with you
so well outstanding
and just know this is not
this is not in any way a hit on college education
they're tremendous benefits
and different
not at all well yeah
so i mean it
don't think of it that way
what our point is that
don't let not having that hold you back
don't let not having anything hold you back in fact
i love this industry
because people can come from backgrounds of nothing
they can come from other countries and have had
you know nothing to their name
and actually get in to this industry
find a good job
make a great living
the american dream really does exist
in the cybersecurity industry today
not only that
but also building a business like we have right
and stepping out of that corporate world
stepping out of that organization
where there's politics and all that stuff going on
and build your own thing right
so there's tremendous opportunities here
it's a great business to be in
and i didn't even know we would
spend this much time on this topic today
but i'm glad we did
i hope this helps you
please if you like this podcast
share it with your friends
rate it subscribe comment
send us a note at cyberands podcast com
or on linkedin or wherever
and we'll see on the next episode
pick up your copy
of the cyber ants book on amazon today
and if you're looking to take your cyber security
program to the next level
visit us online at
silentsector com
join us next time
for another edition of the cyber rants podcast