Pasted by a guest, Jan 26th, 2019
On infosec resumes
// by viss
I've noticed quite a lot of 'getting into infosec' and 'infosec career advice' and other sorta threads cropping up quite a lot lately. MOST of them are pretty good, and seem pretty helpful and informative. But this morning something dawned on me and I'm not sure I've seen anybody mention this at all. I think it's important to give the fresh folks this perspective because "it's not exactly pleasant or comfortable", but if they LEGIT WANT JOBS in this space, this is the reality of things.
I haven't seen a single book, or class, or tutorial or con preso cover this. I can't be the first person to mention this; there has got to be some material that I just haven't seen yet, or that slipped by me (I did not spend hours and hours researching before writing this, btw).
A huge chunk of the things that make people 'senior' in the infosec space, whether it's on the red or the blue side of the house, or somewhere in between, is "all the batshit crazy stuff you have to deal with on the job." There are some things that LITERALLY NO BOOK OR CLASS CAN TEACH YOU. You cannot become a "Senior" in this space without "having seen some shit".
Every company that takes someone fresh out of college and labels them a senior (the big four are SUPER GUILTY OF THIS), or companies that give huge lofty titles to people so they feel better about their jobs, are doing them a MASSIVE DISSERVICE.
It is illegal to ask certain questions, as the interviewer, during an interview. Straight up illegal. It is not legally required for companies to give anything beyond "job title and length of employment" as info when a new employer calls the old one for info. If you ever wondered how charlatans and people who just wreck shop everywhere they go SOMEHOW keep getting jobs, this is how. The law protects them.
That being the case, if this person with 6 months experience is labeled a "senior" and goes somewhere to do "senior" work, they will be faced with situations they have never fielded before and they will crash and burn because they aren't prepared to deal with them.
I was considering drawing a fancypants venn diagram to describe this, but I figure I can use words instead.
Imagine a circle. Now take various shape kids' cookie cutters and slam 'em into that circle a few times. See that cowprint mishmash that can't support its own weight? That's as far as you can get in infosec without "experience in the field". That's as far as classes, and home study, and conferences and Hack The Box, and DA's home lab book will get you.
Now, that's pretty far. It's a non-trivial amount of knowledge, and anybody that takes that available square footage and fills it with knowledge will be a FORMIDABLE candidate against anybody who doesn't have that knowledge. But despite all that, there is still stuff you can only learn on the job. Here's an example of some of the things that no class or book or con preso can teach:
- how to handle an active attacker in the building who is stealing laptops
- what to do if your whole office gets ransomwared
- what happens when a car plows into the telco cabinet on your work's block and takes out all the copper
- what happens when you discover China exfiltrating your main users' auth database, and the files on the infected system are 4 months old
- what do you do when it's 3 am and you've broken into your customer's office on a red team gig AND THE COPS SHOW UP
- what do you do when a customer is drunk or high, and belligerent and screaming profanity at you and threatening violence?
- what do you do when a competitor does exactly the same thing?
- what happens when your phishing campaign gets loose and lawyers get involved?
- what do you do when you realize you just popped shell on "not your customer" because of a typo?
- what happens when you take out the customer's office because their firewall was misconfigured and it was your nmap that was the straw that broke the camel's back?
- what do you do when you discover child porn on someone's laptop during a gig?
- what do you do when you discover an employee embezzling hundreds of thousands of dollars from your customer?
It's not all rainbows and unicorn farts. At the end of the day, infosec is "measuring risk from a technical perspective and remediating that risk the best and most compatible way, custom, for every customer, every time". It's not always pretty, and some stuff doesn't make it into "someone's fluffy curriculum". It is also in ABSOLUTELY ZERO security cert programs. Everyone saying that one cert or another is "a good basis" or "a good foundation" for this kind of work is either defending themselves (hello egocentrism) and secretly feeling inadequate outside of having that cert, which they wear like a fucking badge, or they are being paid (in one way or another) by the org that maintains the cert program.
Employers have to see this from the other angle. ZERO PEOPLE want ANY OF THAT SHIT TO HAPPEN. EVER. Occasionally it does, and it's a learning experience for everybody, and at the worst it can cost hundreds of thousands, or even millions of dollars, and people routinely get fired over this kind of stuff.
Whether you're red, blue or somewhere in between, here's your tl;dr:
- there's mind-blowing weirdness, LOTS OF IT. It's usually fucking miserable to deal with, but it looks FANTASTIC on your resume
- it means stories. And stories mean experience. Listen to stories. They are VERY TELLING.
- these experiences FUNDAMENTALLY CHANGE HOW YOU MAKE DECISIONS. -> THIS IS THE MOST IMPORTANT FUCKING PART HERE <-
- lying on your resume, or artificially inflating your title, sets you up for failure, and acts as a force multiplier for when this mind-blowing weirdness happens, slanted AGAINST YOU. Because it's IMMEDIATELY OBVIOUS you lied and you can't handle yourself, and you, and everyone around you, are now fucked.