$dayjob leader has some ideas about courses and seminars
Somewhat inspired by previous years’ plans. Feedback appreciate or just share what you are learning!
]]>Here are a bunch of things I think you should put on your to-do list if you want to learn about cycbersecurity and possibly work in the field. Don’t have a list? Might be a good time to start one :)
Requirements: a computer to study on, Wifi (or some kind of Internet access), and some time to study and hack. Headphones (or the like) if you don’t have a private study space are a good idea. I recommend a wired mouse with a wheel but some folks like trackpads.
For symbolic and technical reasons you should have a dedicated computer for your cybersecurity studies that no one is counting on for anything else. For most things an older laptop or a Chromebook are actually pretty good to get started and you may already have one or can get one. Once you get going you will want more and better gear, but for modern online courses and learning to find information online you just need something more comfortable to read, write, and study on than your phone.
Further, it doesn’t actually matter what system this machine is using (Windows, Linux, Mac, BSD), so long as you can get to websites and watch videos online. If you are into it you can learn all about your operating system, and how and why to change it … a bit later on :) Seriously, Chromebooks are worth a look here, but an old working laptop no one is using is what you need.
There are fantastic free, cheap, affordable and a few really expensive options available online and lots of material for beginners or folks new to cybersecurity, or just changing specialiations. Here are my current favourites and recommendations for practice and training, in opinionated order.
Understand what you are getting into and start looking for topics and areas that interest you
Learn about, start using, and advocate digital privacy and safety techniques like multi-factor authentication, password management, updates, backups, … some starter resources
Get some or all of:
Here are three people I recommend everyone read to start their collection. There are lots and lots of good people in infosec/cybersecurity I can also recommend and you can find, but please start with these three.
Here are some communities I can recommend, and there are plenty more great ones I don’t know about:
https://www.dianainitiative.org/ | https://blackgirlshack.org/ | https://womenscyberjutsu.org/? … |
This didn’t cover job hunting, hiring, interviews, college, remote work, regulations, wars, or any number of other worthy and important topics .. but it might help you get started. Feedback appreciated and questions welcome! Cheers, good hunting!
]]>Are there any benefits particularly for remote / tele-working staff ?
Is this a newly created role or a backfill / replacement ?
Please share your lists or the sources for these ideas and I will happily add links or send a PR. Cheers!
]]>programming experience helpful, but not required
An idea for presentation or two, feedback appreciated
python -c "print('{}'.format('A' * 1024))"
python3 -c "import pty;pty.spawn('/bin/whoami')"
$dayjob leader has some ideas about courses and seminars
arguably need to pick one or two of areas like:
Also, need to reserve time/brainpower for continued understanding of cloud ops/SRE and numerous project/technology specific trainings or familiarisation runs.
Probably not this year
awk(1)
Somewhat inspired by last year’s plan and the carry bits I’m trying to finish up now.
]]>I’ve been on computer networks socially and for work/school for essentially my whole life. Much data about who I was and am is on the Internet and I haven’t done much to try and change that (philosophically & professionally against it).
Several years ago now, as part of my studies around infosec and to get a particularly tough and prestigious certification (GSE ) I had to write a couple papers. Being the open source advocate that I am I put them on GitHub (MIT License) after publication. For the latter paper on using scientific notebook software in DFIR practice and education DFIR notes (which I though might have some reach) I even spent a few minutes (okay hours) with free clipart and Inkscape to make a logo.
When I started teaching besides the day job I started to take my online professional profile a bit more seriously. I had to write up a “bio blurb” for the first time and that was tough. As I taught a little more and changed dayjobs I put more effort into branding and I think that’s about when I read Ted D.’s book InfoSec Rockstar / saw him speak and reviewed some other advice about branding. I set up the professional blog and aligned all of my professional profiles and accounts around this brand (logo was really handy). Somewhere in there I started using an email signature block consistently and continue revising it as needed for changing qualifications and new headlines. There was even a headshot photo (not just a repurposed badge photo!).
So, separately from any personal accounts I may or may not still maintain (smirk) here we are: @dfirnotes the blog, twitter, and GitHub organisation (et alia). Technically there are more contributors than just me (especially to the GithUb rules), so for that and other reasons we’re they/them.
My investigation playbooks are all question based and here as well some questions can help guide anyone in generating ideas for professional branding, resume headlines, blurbs, and consulting marketing:
Answer these as best you can by yourself and then also ask peers, supervisors, mentors, friends, and family too. From there you should get some starter ideas and possibly some new role/career options to think about. You could certainly get ideas from career themed books such as the Parachute one.
As with resumes and job postings reading others’ profiles can be very informative. If there are individuals in your field or in fields you admire check out their profiles and branding approach. What platforms are they active on and are they getting responses or engagement ? This is one of very places that paying brief attention to “Internet points” might be useful. For some folks you might even need think about search engines and advertisements … screams and runs. A review of the profiles and activity of people and communities you respect and want to be like is the best answer you can get to questions about which platforms/apps you need to be on.
On the flip side, be aware of how much information you are sharing about you, your clients, and your technology and keep in mind that others also conduct OSINT and ‘use the Internet’. It might be a be a good time to review some online privacy guidance and adjust your personal threat models as you deliberately put part of yourself “out there” more. Violet Blue’s Smart Girl’s Guide to Privacy No Starch Press is great book, and infosec professionals specifically may need to know and do more as we are actively targeted. Sites like CitizenLab and Privacy Rights Clearinghouse have some good general guidance.
Once you have some ideas you’ll need to test them. While not everyone will put their professional blog / social media account through structured A/B testing or multiple intensive focus groups … you should find a way to gather some feedback. This will almost certainly include using your new persona on applications for jobs and programs.
Once you have some of your ideas worked out you could look into vanity domains, social media handles, and check the branding options for the services you use. Many SaaS services will stamp your brand on your documents, conferences, pictures, etc. if you pay for a higher tier or add-on the service. Decide if this makes sense for you and where you are going.
Now, newly branded you should contribute to communities, which will also help build your reputation. “Hack something, learn something, write it up” is the general advice there … Start a blog, mentor or be mentored (or both!), volunteer for a panel, put in to present at a virtual conference!
Tips: refresh the whole process and your branding regularly at a cadence that makes sense to you: whether that’s quarterly, annually or before applying for a new role or a promotion. Keep all of this material someplace you can easily get to, like GitHub or a text buffer (a document) you can always get to for the endless copying and pasting of your signature line, bio blurb, website address, logo graphics, usw. into forms and applications to save time and typing and try to keep everything synchronised and consistent.
We Hope This Helps (hth) folks at all stages of a career journey. Please ask questions of us or (even better) your support community. If you don’t have a support community yet (!!) you should make finding the right one for you the 0th item on your professional development to-do list. Tweet, email, direct message or otherwise unicast us if we can help with that :)
Nota bene: This is not a guide on starting a business, though similiar steps may help if you are, and will especially apply if you are setting up a consulting business. I am not a lawyer.
]]>Things I learned (TIL) and what I got out of the awesome two days SANS course on Red Team and Adversary Emulation I took online after Purple Team Summit 2021
Course page: https://www.sans.org/cyber-security-courses/red-team-exercises-adversary-emulation/
lots more about abstractions, weird machines, and how it really works: Prof. Mickens, PoC | GTFO, Phrack … |