a guest Jan 26th, 2019 559 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // by viss
  2. On infosec resumes
  3. I've noticed quite a lot of 'getting into infosec' and ‘infosec career advice’ and other sorta threads cropping up quite a lot lately. MOST of them are pretty good, and seem pretty helpful
  4. and informative. But this morning something dawned on me and I'm not sure I've seen anybody mention this at all. I think it's important to give the fresh folks this perspective because “its
  5. not exactly pleasant or comfortable", but if they LEGIT WANT JOBS in this space, this is the reality of things.
  6. I haven't seen a single book, or class, or tutorial or con preso cover this. I can't be the first person to mention this, there has got to be some material that I just haven't seen yet, or
  7. that slipped by me (I did not spend hours and hours researching before writing this, btw).
  8. A huge chunk of the things that make people 'senior' in the infosec space, whether it's on the red or the blue side of the house, or somewhere inbetween is "all the batshit crazy stuff you
  9. have to deal with on the job." There are some things that LITERALLY NO BOOK OR CLASS CAN TEACH YOU. You cannot become a "Senior" in this space without “having seen some shit".
  10. Every company that takes someone fresh out of college and labels them a senior (the big four are SUPER GUILTY OF THIS), or companies that give huge lofty titles to people so they feel better
  11. about their jobs are doing them a MASSIVE DISSERVICE.
  12. It is illegal to ask certain questions, as the interviewer, during an interview. Straight up illegal. It is not legally required for companies to give anything beyond "job title and length of
  13. employment" as info when a new employer calls the old one for infos. If you ever wondered how charlatans and people who just wreck shop everywhere they go SOMEHOW keep getting jobs, this is
  14. how. The law protects them.
  15. That being the case, If this person with 6 months experience is labeled a "senior" and goes somewhere to do "senior" work they will be faced with sitations they have never fielded before and
  16. they will crash and burn because they arent prepared to deal with them.
  17. I was considering drawing a fancypants venn diagram to describe this, but I figure I can use words instead.
  18. Imagine a circle. Now take various shape kids cookie cutters and slam ‘em into that circle a few times. See that cowprint mishmash that cant support it's own weight? That's as far as you can
  19. get in infosec without “experience in the field". Thats as far as classes, and home study, and conferences and hack the box, and DA's home lab book will get you.
  20. Now, thats pretty far. It's a non trivial amount of knowledge, and anybody that takes that available square footage and fills it with knowledge will be a FORMIDABLE candidate against anybody
  21. who doenst have that knowledge. But despite all that, there is still stuff you can only learn on the job. Here's an example of some of the things that no class or book or con preso can teach
  22. Welt
  23. - how to handle an active attacker in the building who is stealing laptops
  24. - what to do if your whole office gets ransomwared
  25. - what happens when a car plows into the telco cabinet on your works block and takes out all the copper
  26. - what happens when you discover china exfiltrating your main users auth database, and the files on the infected system are 4 months old
  27. - what do you do when its 3 am and youve broken into your customers office on a redteam gig AND THE COPS SHOW UP
  28. - what do you do when a customer is drunk or high, and beligerent and screaming profanity at you and threatening violence?
  29. - what do you do when a competitor does exactly the same thing?
  30. - what happens when your phishing campaign gets loose and lawyers get involved?
  31. - what do you do when you realize you just popped shell on "not your customer" because of a typo?
  32. - what happens when you take out the customers office because their firewall was misconfigured and it was your nmap that was the straw that broke the camels back?
  33. - what do you do when you discover child porn on someones laptop during a gig?
  34. - what do yo do when you discover an employee embezelling hundreds of thousands of dollars from your customer?
  35. It's not all rainbows and unicorn farts. At the end of the day, infosec is “measuring risk from a technical perspective and remediating that risk the best and most compatible way, custom, for
  36. every customer, every time". It's not always pretty, and some stuff doesnt make it into “someones flufffy curriculum". It is also in ABSOLUTELY ZERO security cert programs. Everyone saying
  37. that one cert or another is "a good basis" or "a good foundation" for this kind of work is either defending themselves (hello egocentrism) and secretly feels inadequate outside of having that
  38. cert, which they wear like a fucking badge, or they are being paid (in one way or another) by the org that maintains the cert program.
  39. Employers have to see this from the other angle. ZERO PEOPLE want ANY OF THAT SHIT TO HAPPEN. EVER. Occasionally it does, and it's a learning experience for everybody, and at the worst it can
  40. cost hundreds of thousands, or even millions of dollars. and people routinely get fired over this kind of stuff.
  41. Whether you're red, blue or somewhere in between, Here's your tl;dr:
  42. - there's mind blowing weirdness LOTS OF IT. it's usually fucking miserable to deal with, but it looks FANTASTIC on your resume
  43. - it means stories. and stories mean experience. Listen to stories. they are VERY TELLING.
  46. - Lying on your resume, or artifically inflating your title sets you up for failure, and acts as a force multiplier for when this mind blowing weirdness happens, slanted AGAINST YOU. Because
  47. its IMMEDIATELY OBVIOUS you lied and you cant handle yourself and you, and everyone around you is now fucked,|
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand