Information security is a journey not a destination

June 2, 2019

It’s actually two journeys or two parts.

Part one: Getting into Infosec

This is where the journey begins. Usually with a desire (or need) to get into the information security. Sometimes you didn’t even know you were on the path. Which was my case. I joined IT because it seemed interesting and did a pretty good job of paying the bills.

I’ve been thinking about this more, because I’m going through the hiring process for a junior level position. I’ve noticed a variety of backgrounds of people trying to get in. Some people are coming from the military, others college, and yet others from working in IT. The junior positions don’t require security experience, it does however require some kind of college or IT experience.

Another observation I have is that, the candidates that are sticking out are involved in the infosec community and taking advantage of the many free resources. There are conferences, forums, slack channels, podcasts, blog posts, capture the flag events, videos, VulnHub, Hack the Box, bug bounty programs, and much more. Being involved in those things is very important because once you get in…

Part two: Being in Infosec

You have to utilize all those resources to keep up with the field. It’s been called a cat and mouse game between attackers and defenders. Technology is in a constant state of advancement and enhancements and with it comes new security challenges. A few weeks ago four vulnerabilities got dropped over a four day period that required me to understand the vulnerability. I had to understand how it is exploited and how we can mitigate it. I used blog posts, podcasts, Twitter, Google, and reached out to some people.

That last one is particularly important. The others are found on Google. Getting to know people requires putting yourself out there. Overcoming nervousness and anxiety to meet some new people. The benefit is two fold: you can ping ideas off people and you’ll increase your chances of finding opportunities within infosec. The perfect first job in infosec is rare. By perfect I mean a place to grow and advance. Even if you find a good organization there may not be a chance to advance or move up.

Below are a some links to help look for conference and other events in the area. I like BSides events because they have a low bar to entry. Usually $10-30 bucks for a day of talks, networking opportunities, and food. If that’s too much volunteer. It’s a great way to help out the community (reflects well on a resume) and be in a position that requires interaction. I only interacted with a few people at my first event as an attendee. As I continued to go to events my interactions with different people and the same people increased. How quickly this happens depends on how many events are attended.

These events also don’t require you to be in the field. You can start building your knowledge and opportunities before you get into the field.

Resources

Meetup.com - Good place to find local user groups in your area

Infose-conferences.com - Pick your state and any adjacent state you’re willing to travel to

This blog post first appear on Exploring Information Security

Some thoughts on infosec and social media

January 30, 2019

The more I dig into #infosec the more I find that the really good people aren't people you've heard about on Twitter.
— Timothy De Block (@TimothyDeBlock) January 29, 2019

I posted the thought above on Twitter a couple nights ago.

Rereading it, I feel I need to expand upon my idea, because there are a couple motivators for the tweet. First, the tweet was not worded very well. It comes off as saying that people on Twitter are not as good as those not on Twitter. This wasn’t my intention. I think there are really good people both on and off Twitter. The idea is more about myself and evaluating whether or not I’d be a better infosec person if I were to stay off Twitter.

A majority of the people I work with on the security team are not on Twitter. All of them are really good at what they do. I know there are more of those types of people, because I’ve worked with others who are really good at what they do. Twitter is a very small subset of the people within the infosec field. I think it’s important that what is said and done on Twitter doesn’t necessarily reflect on the entire industry. I was also watching a YouTube video at the time of a buddy of mine who has a Twitter account, but doesn’t tweet a lot. He’s really smart and is doing some pretty amazing things in the field. I’ve wondered if I need to be spending more time being productive and less time on Twitter.

Twitter being just a small part of Twitter is also why I was a bit disappointed to hear that this year is DerbyCon’s last. I like to go to DerbyCon. I have a good time and I catch up with friends and make new ones. There’s a lot of positives to the conference. Unfortunately, there is also some drama, which gets amplified by Twitter. It’s draining on the conference organizers. I get it and I don’t have any ill feelings towards their decision. It’s their conference.

What I think it highlights to me is that sometimes we need to step out of our own little bubble and look around. Twitter, and social media, is our own little world. We create it and curate it to our beliefs and preferences. It can certainly be a useful tool for information, but it can also create our own bubble that consumes and drowns us.

Things that get our attention the most are on social media are controversial. It’s frustrating and depressing. I take solace in the fact that there’s a larger world with the those things but also a lot more good.

This blog post first appear on Exploring Information Security

BSides Nashville 2014. One of the first pictures I took for the security community.

How to increase your chances of breaking into infosec

December 19, 2018

Get involved with the infosec community. That’s it. I’ll elaborate.

The best way to get hired for a security role is to know someone. The key part of that sentence is the, “know someone” part. That requires getting out there and doing things within the community. That can be a variety of things:

Contributing to open source projects.
Become an active member of a niche community in the field (OMG the slack channels out there). Writing a blog post.
Producing a podcast.
Attend a conference.
Shooting pictures at a conference.
Volunteer at a conference.
Speak at a conference.

These are all the things I’ve done. I also see people doing things like:

Twitch streaming.
Writing a book.
YouTube channels.
Singing.

Find something you’re really passionate about (not infosec) and bring it to the field. For me it started with photography. I’ve always liked taking photography. I have a media arts degree and took some photography courses (so I kind of not what I’m doing). I reached out to a BSides organizer to see if they’d be okay with me coming and shooting some pictures at the conference. That one contribution, eventually led me to my current place of employment (and I absolutely love what I’m doing).

It was BSides Nashville. One of the organizers works at the place I’m currently employed. They were looking for an AppSec guy, so told her AppSec guys. I luckily knew one of those AppSec guys and as a matter of fact had just started an OWASP Chapter with that AppSec guy. You never freaking know when things will connect for an opportunity*.

* I met my wife, because we saw someone we knew on the highway at 80 MPH. A story for another time.

Prior to that I would look for a job via online postings. At one point it took me 15 months to find a new job. I got into security via a job posting, so there is a path that way. It’s just not the most efficient. I got my next security role, because I had helped start a monthly local user group meetup. The CISO was looking for a few good security people. That local user group has gotten several other opportunities. Mostly because of who you know; partly because it looks really good on a resume. It looks like you’re engaged.

Everyone has a different path. What increases the chances is getting out there. Contributing without expecting anything in return. Showing that you can provide value to someone else. What are your strengths and passions? Now bring that to the infosec field.

This blog post first appear on Exploring Information Security

Application Security resources for beginners

October 29, 2018

This is a continuation of my resource series of posts. Application security is the field I found a lot of interest in. This despite coming from the operations side of IT not development. Using the resources below I was able to get a job in application security.

Websites:

I first realized I had an interest in appsec after reading a Troy Hunt post. Not only were things explained well, but I was also paying attention to every word in his blog posts. He has since branched out to more breach related content as the creator and maintainer of Have I Been Pwned. Still he has a lot of good appsec content. He has several courses on Pluralsight for beginners plus. He also does a weekly podcast that’s worth checking out.

The Open Web Application Security Project (OWASP) is the go to resource for AppSec. It’s a massive non-profit organization that has tons of projects, knowledge bases, cheat sheets, and more. There might even be a local OWASP chapter. There’s annual conferences to attend (I’ve never been). It’s the resource I recommend for people starting out.

Podcasts:

DevelopSec
Application Security Podcast

James Jardine puts on the DevelopSec podcast. The podcast is targeted at developers. It’s also consumable by security people. This podcast doesn’t release on a regular schedule. The Application Security podcast is also targeted at developers. It releases in seasons.

Training:

The first bit of AppSec training I got was the SANS SEC542 Web Application Penetration Testing and Ethical Hacking. It’s a lot of AppSec information, concluding with a Capture The Flag (CTF) exercise. I’d try to get your organization to pay for this as it’s several thousand dollars.

The Practical Web Application Penetration Testing course is a Tim Tomes course. He’s a former SANS instructor who puts on this training several times throughout the year in public and for organizations. It’s a great affordable course that Tim tries to keep up to date with relevant information.

The blog post first appear on Exploring Information Security

Information Security resources for beginners

October 16, 2018

I wrote a recommended resources post back in early 2017. I’d like to update that, as the resources I recommend have changed. I try not to think of my podcast as something for new people to the infosec field. However, the people reaching out to me the most are people who are new to the field. So, I’ve given in and I want to start creating a series of posts directed at new people or those trying to get into the industry. These posts are meant as a gateway, not an exhaustive list.

These are the resources I find the most useful. With out further ado.

Websites:

Krebs is considered the public Intrusion Detection System (IDS) for companies. If you’re getting a call from him, it’s probably not good. He covers various topic primarily around breaches, skimmers, and unmasking malicious actors. I’m friends with Steve. He reports on a variety of infosec related topics. When something breaks on Twitter he’s one of the first people I check to get accurate information.

Podcasts:

Risky Business is the best security podcast out there. It’s the podcast with the best content and quality. The podcast allows me to stay up with the latest infosec news. He’s got sponsored (gotta pay dem bills) podcasts that are just as useful. Security Weekly was the first podcast I listened to. It’s great for getting information and gaining an understanding of the hacker culture. After a while, for me, it turned into a bit of a boys club where they go off on tangents and genital jokes. Episodes are usually two hours long which sucks up a lot of podcast listening times. Finally, there’s the Peerlyst list of podcasts. It has an exhaustive list of infosec related podcasts.

Conferences and local user groups:

Conferences and local user groups are a great place to learn, while also meeting people in the field. The security community is inclusive and welcoming if you put yourself out there. That means doing that awkward social thing. There is very likely a BSides near you. Most local user groups can be found on meetup.

Training:

Information security is an ever changing field. To stay relevant in the field requires curiosity and a willingness to learn new things. Before getting to that point, we need to learn the basics. Irongeek and Pluralsight help with the basics and staying up-to-date. SANS SEC401 is a general course that will provide a good foundation for any security professional. I thought I was above the course, as I was taking it three years into my infosec career (and several more in IT). I was so wrong. The course helped fill in a lot of gaps for me from a security and IT perspective. I highly recommend the course for beginners and those already in the field.

This blog post first appear on Exploring Information Security

ShowMeCon wrap-up and what's ahead

June 21, 2018

I know. I know. It's been two weeks since ShowMeCon. I've been busy! Within hours the neighbors wanted to hang out (I brought the St. Louis beer). The next day, I had a big case of the don't give a shits. I didn't get a podcast ready for that night's release.

I went to work Monday expecting to head home and work on some stuff (like get a podcast out). Instead I was informed the development team I work with was heading to Nashville Sounds game, because some people were in from out of town and I was invited. I went. Tuesday, I played soccer for two and half hours, because I like pain (I didn't regain full functionality of my legs until Saturday). Wednesday was a social night, because those same people were in town (yay!). I got home and got the podcast out, three days late. Thursday, I wrote about suicide. Friday, I wrote about password policy. Both very serious topics.

Things sort of got normal after that. I took the weekend to kind of dink around on stuff I wanted to do. Monday I got two of the four podcasts edited I needed to. I was invited over the neighbors Tuesday for beer and baseball. Finally, last night I got four podcasts scheduled. I'm heading to Asheville tomorrow for BSides Asheville (still looking for a ticket). Much beer (and maybe a podcast) will be involved. Tonight is the night for me to write something and hopefully get a little Overwatch in. Damn I've been busy. Didn't really realize that until writing it down.

Back to ShowMeCon. This was my third year and fantastic as always. It's the ideal security conference. The hackers think it's too businessy. The business people think it's two hackery. There are more women at this conference than any other security conference, I've been to combined. I love it!

I did my first ever podcast panel, which went really well for being the first time. They had a personal trainer there to talk about health and fitness. There were a lot of questions at the end. This might be something I need to write about. I do work at a wellness company after all!

During the conference I managed to get two interviews for the podcast recorded. I really like the idea of recording interviews at conferences. It's a much better vibe when the two people are in person. It flows better. There's the low rumble of the crowd. The low thud of doors smacking closed. It's fantastic. Those will be releasing over the next two weeks.

Now that ShowMeCon is over, I've been re-evaluating my desire and need for submitting to conferences. I've been speaking since 2015. It's a great challenge and a good career booster. Now that I'm at a company that I adore and in a role that continues to expand, I'm starting to wonder the value I'm getting out of submitting to conferences. I love sharing ideas and challenging myself to become a better speaker. The downside to speaking is that it takes time away from my family.

I have two kids still in the single digits. I'd like to spend more time with them. At one point I was slated to be at 12 conferences this year. With other obligations, conflicts, and one conference not happening this year, I'm down to eight. That's still quite a bit. I've presented at all five I've gone to this year. It's not just going to the conference that takes time. It's also the preparation leading up to the conference. I spend several hours putting the talk together. Then I spend the week leading up to the conference practicing the talk. This is on top of the weekly podcast I produce.

I spend a lot of time in the field. Because of my expanding role I'm spending more time at work now too. I'm trying to find that balance. I'd like to spend more time with my kids. I think that will be at the cost of the conferences I attend. If I do submit a talk, it'll be for a podcast panel. The preparation for that is much easier than a full blown talk. I'd like to say I'm cutting back on conferences, but I don't think it'll take much for me to go to a conference (someone asks). We'll see.

This blog post first appear on Exploring Information Security

Yet another 2017 December link post

December 29, 2017

What I'm reading

Would people (who actual read this blog) rather have me do link posts or spend this time putting together blog posts?

New Pluralsight Play by Play: What You Need to Know About HTTPS Today. Another Pluralsight course by Troy Hunt.

Jocko Willink on the Power of Discipline by Cal Newport: "If you want freedom, then you need to have discipline"

On the Complicated Economics of Attention Capital by Cal Newport: "And yet, even though we’ve pushed connectivity to daring new levels — a technological miracle built on numerous ingenious innovations — we haven’t become more productive."

Mirai IoT Botnet Co-Authors Plead Guilty by Brian Krebs: "The Mirai malware is responsible for coordinating some of the largest and most disruptive online attacks the Internet has ever witnessed."

"I can' believe you wore a plunging neckline when you save mankind" by Frances Cole Jones. Some people will always find something negative to say.

Anti-Skimmer Detector for Skimmer Scanners by Brian Krebs. Of course, skimmers are getting more complicated and harder to detect.

The end of facebook's ubiquity by Cal Newport. "...once social media services are forced to make a sales pitch, as oppose to leveraging an inherited position of cultural ubiquity, they suddenly seem so much less vital."

New Package Moniker rules. I love npm's stance on security. They're doing a lot of great things (see link below). In this instance they're trying to battle the typosquatting issue in the npm registry.

Skyrocketing Bitcoin fess hit carders in the wallet by Brian Krebs. Interesting to see the downside (for the darkside) of the rising value of Bitcoin (that sentence sounds weird. Is it weird?).

4 Years after target, the little guys is the target by Brian Krebs (can you tell I like Brian Krebs?). If you like Jason's Deli (I don't really care for it) it may have had credit card information compromised.

npm private modules outage on December 12th. I love this! This is awesome and gives some insight into responding, troubleshooting, and fixing a production issue.

Buyers beware of tampered gift cards by Brian Krebs. I had something like this happen to me. I won a gift card at work. Went to use it and it had less the $3 on it.

What I'm watching

This is my favorite holiday video for this time of year.

An interesting take by John Sonmez on Net Neutrality. I like looking at contradictory views. I think losing net neutrality will cause a positive reaction.

Brockmire. I recently watched the first season of Brockmire. I gotta say it's a funny series. Crud, but funny.

This blog post first appear on Exploring Information Security.

My first developer focused talk on security at Nodevember

November 28, 2017

Enjoyed lots of great talks today @nodevember especially @TimothyDeBlock on security #js #node pic.twitter.com/h3NBNlnfXh
— Desmond Cain (@Desmond_Cain) November 27, 2017

On Monday, I had the opportunity to speak at Nodevember. The title of the talk is, "How to embed security into your process." I've wanted to get out and speak at a developer conference since the beginning of the year. Nodevember was the first conference to accept my talk (CodeMash next month is the second).

My talk

I believe developers have a lot of say in regards to the security of an application. I believe that we have a lot to say in regards to application security. I've been speaking on application security for the past couple years at security conferences and local meetups. That's great and it helps teach others in the field about application security. Where I can also make an impact (and potentially more so) is at developer conferences.

Developers have a lot of interest in security. There is proof of that from today. The talk before mine, "The State of Node Core" (good talk) had about a third of the seats filled. By the time my talk started just about all the seats were filled and a couple people were standing in the back. I was both happy and terrified.

My assessment of my talk was okay. I checked the schedule of the talks when I got to the conference. The 40 minutes I thought I had, was actually 30 minutes (my goof). I tried not to freak out. I'm usually quick on practice and I could cut out some things I needed to. By the end of it, I had discussed everything I felt was necessary and still had three minutes to spare.

I missed a couple elaboration points and a rant. I could have gotten those on my final thoughts slide, but my mind was blank. I was doing the talks with just slides and not presenter notes. This was due to me not wanting to waste time switching displays for the demos I was doing. Speaking of demos, I had one fail on me because I didn't practice my talk using my phone hot spot. My VM network settings was set to use Wifi.

Overall, it was okay. I got positive feedback from several people, plus some suggestions on what I could add to the talk (I asked for that specifically and was not disappointed). It was expressed to me that developers would love more security talks at developer conferences. There was some frustration around getting fellow developers to take security more seriously. Something I can sympathize with.

Here's some of the specific feedback and suggestions I got (thank you to those that gave feedback):

They really liked the OWASP ZAP demo
securityheaders.io (I did a content security policy demo before my talk)
Docker Hub Images - static analysis (I need to research this)
HTTPS - Cloudflare and Lets Encyrpt
Lateral movements

I don't think all the feedback is in the scope for this talk. It certainly gives me ideas for future talks.

Other talks at Nodevember

I also really like attending developer conferences, because I still have a lot to learn from the development community. I have the same feeling of wonder and inadequacy as I did when I first started going to security conferences. All three talks I attended were great and taught me something new.

Unlocking the Mysteries of Unfamiliar Codebase by Randy Cox touched on diving into an unfamiliar codebase. This is a big thing for application security professionals who need to do code analysis. My confidence was boosted by Randy, because I was already doing a lot of the things he recommends. He also gave me some new ideas for looking at unfamiliar code.

My notes:

Document
It's like an investigation
Make sure everything is in source control
Where is all the code?
Git blame
Document startup sequence and system architecture
Use "code analysis" instead of "documentation" if management wants you to only code.
Don't fix things - document and write bug tickets

Using npm scripts as your build tool by Elijah Manor. This talk was a little over my head. The scripts he covered were for automating some of the builds you can do in Node. Lot of cool scripts and ascii art.

The State of Node Core by Colin Ihrig. This talk gave an over view of the Long Term Support (LTS) schedule. Talked about some of the statistics on Node version use. Talked about new features and some other items I hadn't heard of before. Colin also talked about some of the security improvements on the way.

The closing keynote, Welcome to the new npm by Laurie Voss was very entertaining and enlightening. He covered the past of npm, as well as looked at the future of npm and Javascript development.

Final thoughts

More security people need to get out to non-security conferences to learn, gain an understanding, and contribute.

The blog post first appear on Exploring Information Security.

Post 2017 Thanksgiving links

November 27, 2017

I hope everyone had a good Thanksgiving. Onward to Christmas!

What I'm reading

Using an Attack-for-Hire could get you in trouble with the law. Now you can do it from your mobile device!

Facebook's mission: ‘How do we consume as much of your time and conscious attention as possible?'

Interesting idea for setting goals. Three days, three months, and three years (what happened to three weeks?). New Year's is coming up!

Finding sensitive information in URLs is one of the easiest things to find in application security. Adam Baldwin went down a rabbit hole with this question: “wonder if any npm dependencies are using urls that contain tokens or passwords.”

CouchDB and the npm registry.

Good article on Digital Forensics Incident Response (DFIR) resources.

Root9B shuts down at the end of the year. It's a Brian Krebs article if you're wondering, "who is Root9B?"

Another Brian Krebs article. Scammed via Western Union? There's a fund for you.

Great take on the baseball Hall of Fame by Astros County

Troy Hunt is testifying in Washington DC regarding data breaches.

What I'm watching

Linkin Park & Friends Celebrate Life in Honor of Chester Bennington

When You Haven't Played Destiny 2 in 3 Weeks...

Destiny 2 Lore - The Story of Osiris

Leviathan Raid Funny Moments

#EarnedHistory | Houston Astros

This blog post first appeared on Exploring Information Security.

My recommendations for getting started in security

August 28, 2017

I feel like I’ve been asked this question before. “What advice do you have for getting started in infosec?” I swear I’ve been asked this before. I don’t think I have though. At least that I can recall. Usually, the questions are more specific than that.

I believe there are multiple paths to getting into infosec. I’ve talked to a lot of professionals in the field and there are no two paths alike. Everyone’s path is different. First, I would ask you, “What do you want to do?” What are your aspirations in the field. I want context, because I’ll provide someone wanting to go into pen testing with different advice than those going into digital forensics. Both fields have their positives and negatives. Make sure you understand both. I would recommend strongly looking at the negatives more than the positives.

Pen testing is the area I see a lot of people wanting to get into. Did you know that 60% of your time will be writing reports. Yes, you have to have good communication skills to excel as a pentester. You also have to know what actionable advice you can give for an organization. The best pentesters can provide advice with context. “I know you still have to run XP for your business to operate. Have you thought about putting those machines on their own VLAN.” If your advice to a hospital is to upgrade their XP machines, you’ll be frustrated a year later when you find the same issues haven’t been addressed.

For me the “fun” is solving the challenge of securing those vulnerable applications running on a legacy OS. Understanding and responding to the chaos that is the new named vulnerability. One of my most eye opening experiences was discovering that our application running IIS was in fact vulnerable to Heartbleed, because our WAF was Linux based. Then having to report that to leadership and providing guidance on whether to keep the WAF in place and be vulnerable to Heartbleed or turn it off and be vulnerable to other types of attacks. Defense is the more intriguing and challenging side of security.

Don’t get me wrong, I love my hacker buddies and marvel and the things they can do. I just find it more satisfying to build something in security that is lasting and makes a positive impact on an organization. Occasionally I get to break into things and assess an application for security issues (not something to overlook if you want to red team). Most of my time is spent hardening systems and applications.

I recommend working your way up the IT ladder. It’s very important to understand how a help desk works. How a server works. How a network works. My belief is that security is an advanced niche within the IT field. You don’t get into security coming straight out of schooling unless you’ve already worked with computers for several years. Some people can make the jump into security and be successful (remember multiple paths). They usually have several years of experience working with computers on their own.

I think there are benefits to working in other departments before jumping into security. Most security controls are put in place by other departments. Having an understanding of their goals and challenges helps when working with them towards a security solution.

My experience is along those same lines (yes, I’m biased). I joined the NAVY for six years as an Electronics Technician coming out of high school. I got some computer experience along with some other general electronic experiences. The most beneficial thing I learned in the Navy was troubleshooting. I learned how to troubleshoot issues in a circuit boards. Figured out if it was a transistor or a chip that was causing the issue. What an open and closed circuit meant. A lot of those same techniques applied to troubleshooting a computer, server, network issue, and security problem.

I got to patch our machines on the SIPRNET (secret military net). Handled the creation and deactivation of user accounts. Being stationed in San Diego allowed me the opportunity to tag along for a ride to Las Vegas to attend DEFCON. I had no idea what I was doing (the casinos were fun). I did attend a few talks and found them fascinating. It didn’t exactly spark an interest in security at the time (maybe a seed, though). I had a great time serving in the Navy and I learned a lot. I was able to put a lot of my experiences on a resume.

After the Navy, I pulled cable and inventoried electronic equipment. I didn’t apply myself as much as I could have coming out of the Navy. Which is why I ended up working entry level IT jobs. I had the experience for positions higher on the IT ladder. After about six months of that I landed a system analyst II role (advanced help desk) at a manufacturing plant. I got some good computer experience, with a little server and networking experience.

I also got some security experience. Try keeping manufacturer workers from writing the password (in marker) on the floor computer monitor. The computers on the floor needed constant maintenance because they were getting malware on them. I worked with the network team after we were told our phone bill was through the roof. Someone was using our phone system to make long distance calls due to a vulnerability in the phone system (patch your shit).

From there I moved to a network/system administrator position with the state of South Carolina, at the department of Juvenile Justice (the kids knew all the good proxies). This is where I started to learn the ins and outs of network and system administration. The first appliance I got to play with was our SourceFire box (intrusion detection system). It had been setup and never touched (or monitored for that matter). I started getting familiar with it (why are we talking to China?!?) and setup my online SOC for identifying machines that needed to be cleaned or reimaged. I also got introduced to forensics and some other security concepts. My other responsibilities included webfilter, spam filter, load balancer, imaging, and backup administration (sucks!). All of those responsibilities have played into my roles as a security professional.

After that I jumped to my first security role with the Department of Employment and Workforce. Six months into that role our website was defaced. Mind you, this was two to three months after the Department of Revenue announced a breach (we made the local news). My previous experience allowed me to be useful during our response to the incident. At one point, I had two different vendors on the phone (in the wee hours of the morning) asking them to explain how the attack had gotten by our WAF and intrusion prevention system (IPS). My experience from previous roles both in the security field and outside it allowed me to remain calm and collected.

My recommendation for getting into security is to get some information technology experience. I promise you’ll be doing security related activities in those roles.

This blog post first appeared on Exploring Information Security.

How to join an online infosec community

July 17, 2017

I had an interesting follow up question to the most recent Exploring Information Security podcast, how to join the infosec community. Here’s the question:

Tyler Neeriemer:

Any advice for those of us in incredibly rural areas. Are there active online communities you can recommend?

This a great question, because I imagine there are a lot of people in a similar situation. My response was to join CitySec meetups remotely. Both MiSec and ColaSec stream and record the talks that they have. They would both love people to get involved online. Those are two groups that I know do this, there may be others (please hit me up if there are others).

I just started GamerSec, which is an infosec user group for those interested in video games. You can contact me directly to get added (my Twitter DMs are open or email, timothy.deblock[@]gmail[.]com). Again, there may be other online specific groups.

I also asked Micah for his input and he recommended checking meetup.com. If there’s nothing there you can get involved via listservs or slack channels. I am part of the OWASP, security metrics, ColaSec and GamerSec listservs. These are usually Google Groups that people with the same interest members can join to discuss an infosec topic. Slack is more of a chat channel (AKA IRC). I’m part of three slack channels: DevelopSec, MiSec, and ColaSec. I know there is also a channel for OSINT and Network Security and many others.

My final bit of advice is to start your own CitySec. You only need two people to start one. I've done a two-part podcast series on this topic. I would love to hear other suggestions.

This blog post first appeared on Exploring Information Security.

Petya/NotPetya ransomware outbreak thoughts and links

June 28, 2017

While I wait for Nashville traffic to clear (picture above), I decided to take this as an opportunity to write up some thoughts and provide links for the current “ransomware” outbreak. I became aware of this on Tuesday and started monitoring the situation via Twitter. I thought it a good idea to create a list and add people who are providing the most useful information about the current outbreak. I figured it would be useful for future security related events.

There are already some good blog posts out there with what we currently know. SANS Internet Storm Center and Symantec Security Response have really good information. What I’d like to focus on is the idea that this is outbreak is a cover up for a nation-state attack. As I watched Twitter it seemed like a very particular set of organizations were getting hit by this ransomware. There were reports in several different countries and different types of organizations, but something didn’t feel right. I didn’t know anyone experiencing this event or see reports of local government or schools getting hit with this stuff. If there is truly an outbreak I would expect to hear about outbreaks in those areas. They run IT (let alone security) on a shoestring budget. All the reports seem to focus on those areas in Ukraine.

On my ride into work this morning the Risky Business podcast floated the idea that this was a targeted attack by a nation-state (Russia) at Ukraine (don’t call it “The Ukraine). Based on what I’ve seen it makes sense. Furthering the idea is Matt Suiche who wrote up an article on Petya as a wiper not ransomware he dug into the code for the malware and found that some of it had changed. This makes things much more difficult to recover from. If this is a cyber attack on another nation then the goal is certainly destruction. Crafting malware to look like ransomware but make things irrecoverable is a good way to accomplish that goal. It also helps with creating disinformation (something Russia does).

Then there’s the article from the grugq. He tracks down the MeDoc connection, which is considered the starting point for the infection. MeDoc is an accounting software package. The malware was sent through it’s update service. Now, if I’m a criminal trying to make money of this thing I use phishing emails to send this thing out to as many places as possible. Targeting a software vendor to deliver ransomware seems like way too much work for not a lot of payout. In fact the email address for payments has already been shutdown. Even if you wanted your files back you’re not getting them, because communication with the attackers is gone. Last check of the bitcoin wallet is $10,296.2 USD, according to @petya_payments on Twitter.

The problem with news like this is that there’s a lot of information flying out there. Not all of it good. It’ll take a few days to sort through everything, even then we won’t have a clear picture. In several weeks US intelligence will have their say. Like they recently did with WannaCry (it was North Korea). I think this is a targeted attack involving countries. There will be collateral damage, but it’s unlikely to affect a majority of us. In fact it looks like the initial attack has long since passed. Again, it’s early and some of this information is likely misguided or incorrect or new information will come out. There are some researchers saying that it’s not a wiper. The link in the post is another good resource for information and a good example of the community working through early information. He does agree that the malware's purpose is destruction, he's just not sure it's a wiper. I'm not versed enough in malware analysis to make a distinction either way. Wiper or ransomware are minor details, both will cause a lot of destruction. We should have a clearer picture in the next few days.

Suggestions for defending yourself are in the SANS and Symantec articles. Simple answer is to patch your shit and evaluate SMBv1 needs. I also took this event as an opportunity to email some internal folks and ask questions about our systems and see how they responded. When people talk about war gaming a security incident, these are good opportunities, even if you’re not impacted.

Resources:

I think traffic got worse.

This blog post first appeared on Exploring Information Security.

HipChat's Security Win

April 25, 2017

I was disappointed not to find any of the HipChat coverage in my Feedly reader this morning from the infosec news sites. It hit plenty of main stream sites like engadget. I'm sure there is coverage on some infosec sites. It's just not as wide spread as I see for other breaches. Why is this?

Well it might have to do with HipChat having a good response to their incident. Most of the detail for the breach comes from their own blog. Over the weekend the detected a security incident affecting their servers. The incident was the result of a vulnerability in a popular third-party library. The attacker may have accessed user account information for everyone using the service. Because of that they invalidated everyone's password and asked them to setup a new one via the forgot password link.

They were reaching out to 0.05% of their users who were more seriously impacted by the breach. For those users messages and room content may have been accessed. For everyone else it was just (potentially) account information.

While this is an unfortunate incident to occur, this is a security win for HipChat.

They detected the incident and within days made an announcement. This led to a very small percent of users being impacted. They went ahead and invalidated everyone's password. I logged out and tried to get back in with my old password and it wouldn't work. I had to use forgot password. This meant that password didn't need to be changed immediately if people were still work or hadn't heard of the breach yet. Unfortunately, I don't think they accounted for the demand on their forgot password page. The page was essentially denial of serviced causing some frustration among users. I'm sure there will be plenty of lessons learned this week.

I wanted to write this post because I think we should highlight more security wins in our industry. The sites I use to keep up on infosec are focused on NSA backdoor detection, BrickerBot, among other nasty things. All still relevant and scary. However, we are seeing some positive things in security. HipChat is a good example of that and I applaud them.

This post first appeared on Exploring Information Security.

Recommended resources for information security

February 20, 2017

“What are some good materials you would recommend on InfoSec?” -Kenneth Reavis

This is such a great question and one I thought worth a post. My short answer is podcasts, blogs, and videos. These are what I use to help improve and stay relevant in the information security field. I listen to podcasts on my ride into work. I read Feedly to stay up with news events and people in the industry. I watch YouTube and Pluralsight when I need to pick up a complicated concept or technical topic.

Podcasts

I love podcasts. I love them so much that I produce my own. Security Weekly is the first podcast I started to listen to when I got in the field. Each episode contains a news, interview, and demo segment. I found the interview segment to be the most useful. This is a good first podcast to start with. The show has been around for years. It has a lot of good content and it’s a good crash course to the hacker culture of the field.

Risky Business is the best podcast in the infosec field. The production quality and content are top notch. The show starts with a news segment. That leads into two interview segments. The first usually deals with a current topic being discussed in the field. The other is a sponsor interview, which is usually just as useful as the other interview. The show is usually 50-65 minutes long.

Peerlyst has a long list of podcasts. Look for a few that are of interest. Give the podcast about three episodes before making a decision. Podcasters do sometimes have “off” shows. Here are some of the other podcasts with good content.

Down the Security Rabbit Hole - Leadership and business

Defensive Security podcast - Blue team focused

Data Driven Security - Data scientist focused

DevelopSec - Application security focused

On my ride home I listen to hobby and interest focused podcasts. I found that when I listened to infosec podcasts both ways I started to get burned out on podcasts. I now listen to infosec or business related podcast on my drive in. This helps me get focused. On the ride home I listen to hobby podcasts. This helps me transition from work to home much easier.

My last recommendation is to pick up podcasts that don’t have an infosec lean but focus on improving the self. I listen to both Manager and Career Tools for business etiquette guidance. I also listen to the Art of Charm for relationship building and self-improvement guidance. Both have helped tremendously in my day-to-day interactions at work.

Blogs

I use Feedly to collect RSS feeds from the sites and blogs I have an interest in. I follow ars-technica for news. Their articles are both informative and usually a quick read. I also follow Steve Ragan at CSO for news.

I work in the application security field. Troy Hunt is one of the bigger names in the field that produces content regularly. He also runs Have I Been Pwned which is a very useful tool for incidents involving a breach.

Brian Krebs is the man when it comes to reporting on breaches and criminal activities involving digital technology and ATMs.

Bruce Schneier is one of the top names in the cryptography and encryption field. He also tends to focus on the bigger picture and ramifications of security in society.

I add and prune my feed pretty regularly. If I get too far behind on my feed I’ll look to simplify it and get rid of the blogs. I look for blogs that aren’t providing as much value or report on stories I see from other feeds.

Get an RSS reader setup (it doesn’t have to be Feedly). Start adding to it and adjust if necessary. Feeds are also good for keeping up with alerts and vulnerability databases.

Video

I am a visual learner. The two resources I use extensively are YouTube and Pluralsight. I add a lot of conference talks to my Watch Later list. That list has 48 videos as of this writing. I don’t get on YouTube as much as I would like, but it’s still a useful tool for research. And every once and a while I'll create a playlist. It’s a valuable resource for better understanding a technology or infosec technique. Pluralsight requires a subscription. The content is top notch and provides a more indepth look at technology or security topics. It's $300 a year. I've had my place of employment pay for the last few years. It's usually an easy sell.

Conclusion

Those are the resources I use on a daily basis to learn and keep up with information security. There are a lot of other great resources out there. I just haven't found them or don't get as much value out of it. There are a lot of great digital forensics and incident response resources. I just don't work in that field. Find what gives the most value. If it's giving very little, ditch it.

Blogs allow me to keep up with daily news and read interesting new content. I have several hobby feeds setup in there so I get a nice mix throughout the day (I sometimes need a break from infosec). I listen to podcasts almost daily. There are general podcasts and more focused podcasts. Some have varying degrees of quality, but most have really good content. Finally, videos provide a visual opportunity to learn and research topics. I don’t use these on a daily basis. Instead I use them when I need to dig deeper into a topic.

There are a lot of great resources out there. Ask around. Find what type of medium you prefer and fits best into your lifestyle. Try something. If it provides value, great! If not, get rid of it. I just realized I didn't even touch on boxes. I may save that for another post.

This post first appeared on Exploring Information Security.

How to find your niche in information security

November 28, 2016

How to find your niche

Relax. It can take time to figure out what really engages you. Appreciate some of the skills you learn along the way. Ignore the advice to follow your passion. You may find work in security that you enjoy doing but aren't exactly passionate about. That is okay. You can be passionate about other things and still be happy in the work you do.

Explore. Try all the things. If your role allows it, take on security projects or initiatives in different areas. Research different areas. Go to security conferences and checkout various talks. Some of the best ones for exploring are single track conferences like BSides. Find a local security meetup. Follow a bunch of people on social media in the infosec field. Listen to security podcasts. There are a ton of them.

Play. Build a home lab. One of the great things about our industry is that there are a ton of free tools that do some amazing things. Some of my favorites are:

Redline a memory forensics tool
Zed Attack Proxy a dynamic analyzer for applications
EMET a windows hardening tool
PDQ Deploy third-party patch management and software deployment tool

Ask questions. Talk to people in various fields. Do this at work and at conferences and local meetups. Social media is also a great place to ask questions.

Evaluate your strengths. If you love math or a good puzzle, cryptography might be your thing. Do you love solving mysteries like a detective? Then maybe incident response or forensics might be your thing. Liking a little bit of everything may lead down a generalist path and into a management or CISO role. Whatever the strength try to match it to a different field in information security.

My story

I didn't really have a plan for what I wanted to do coming out of high school. The one thing I was sure of was that I was heading into the military. I didn't want to head to college not knowing what I wanted to do and put myself in debt. The military would give me an opportunity to figure that out and earn money for college when I did.

Prior to graduating I had looked at a number opportunities in the Army. Helicopter mechanic was one I remember. The other one I remember is paralegal, because that's what I ended up signing to do. That plan ended up falling through and I ended up working at Blockbuster for six months. I eventually signed on with the Navy and tested into the electronics technician role.

As an electronics technician I dealt with anything that had a circuit. Computers, phone lines, printers, communication equipment, and so on. I learned a lot about troubleshooting. I honorably discharged from the Navy after six years still without an idea of what I wanted to do. This lead to contract jobs pulling cable on and off for six months. Eventually, I landed an IT role as a tier two technician. The IT field was alright. I was good at it, but it wasn't exactly inspiring me.

At this point I started going to college part-time as a media arts undergraduate. Why media arts? I enjoyed movies and video games. I had an interest in possibly building websites. The biggest factor, however, was that the offered night classes. The computer science department did not. Plus, I had worked as an electronics technician for the past several years. I would only be gaining a little benefit in going back to school for that.

A year into my tier two technician role I got hired as a network/system administrator for a small state agency. This is where my interest in security really started to manifest. The first appliance I touched was the Sourcefire intrusion prevention system (IPS). I started tuning it and setup a process where I reported computers that needed to be grabbed because they were talking to places like China. This was a juvenile detention facility, there is no reason to talk to China. Despite starting to gain an interest in security, I had aspirations to move into the media arts field for a few years. I was blogging and podcasting about baseball and enjoying that opportunity. I even started making a little money from it. I didn't know what I wanted to do, but I started looking at opportunities in the field.

The problem with the media arts field is that it doesn't pay well and it's highly competitive. The money I started making wasn't anywhere close to feeding myself, wife, and child. I was also putting in a lot of hours after work just to maintain that extra source of income. After a few years of exploring the possibility of a career in media arts, I nixed it for practical reasons. This is when I started to gain clarity on the information security field.

After gaining some network and system, as well as security, administration experience, I was hired into my first security role. This role had me wearing several different hats in the security field. I managed AV, the webfilter, email spam filter, incident response, web application firewall, and much more. All these different areas intrigued me more than network or server administration had ever.

I thought I was good. Security was my niche. Done.

Then I found out I was supposed to find a niche within my niche. I had to pick a field in security. Really? I was enjoying doing it all in security. Can't I be a generalist. Well depending on who you talk to you can or you can not be a generalist. I think you can be a generalist and I was heading down that path as my niche. I had a wide range of experience in not only security but IT in general. I could walk into a network or server discussion and talk basics.

One day my manager came to me and said, "We need to setup an application security program." Off I went to figure out what I need to do. What I discovered in my research was that I had a strong interest in application security. Reading about the field was keeping my interest more than the other fields. Some of my strengths started to show themselves. I've also had an interest in web design. I know HTML and XML pretty well. Plus, I was wrapping up a degree in media arts that gave me more experience with websites. I also started to discover that I had a knack for working with other departments. Which came in handy when setting up security programs that involved other departments. I had found my niche.

Nearly, three years later I am working as senior software security engineer. I work with the development team to get security in the software development life cycle and I am loving absolutely every minute of it. I know I wouldn't be happy as a security operations center (SOC) analyst, because I was in that role for eight months and disliked it a lot. I think I would be happy working as a generalist in information security. For a time I thought I would have to be generalist. The "requirement" to get into application security is to have a programming and development background, which I don't have. That didn't stop me from perusing those types of roles and should probably be left to another blog post.

I shared this story, because I want to show people that it can take time to figure out what you want to do. I didn't know I wanted to be in security until my late 20s. I didn't get into security until after my 30th birthday. It was another two years from that point that I figured out what I wanted to do. Relax, explore, play, ask questions, and evaluate your strengths. Then you'll find your niche.

This post first appeared on Exploring Information Security.

Leveraging the security mindset of others

November 21, 2016

I am over six months into my new role as a senior software security engineer. My role has me embedded with the development team. I go to meetings and interact with the team on a day-to-day basis. My desk is in there area. I go to lunch and conferences with them. As I’ve gotten more familiar with the environment and team, my task list has started to grow.

One of my co-workers noticed this and while leaving a meeting the other day asked if security had plans to hire another security person. I responded that I thought they might in the future, but that I wasn’t counting on it. It took two years to fill my role. With the current “talent shortage” it may take another two years to fill a similar role.

My strategy for getting security into the software development life cycle is to leverage the skills and knowledge of the developers. They are really smart people, so I put a focus on improving the security mindset of the developers. In meetings, I let them to talk through security issues and find their own solution. Just me being there the developers know that security needs to be taken seriously. For the most part they choose the right path.

I also recognize when security issues are identified and addressed by the development team without my involvement. The development team is already doing a lot of good things from a security perspective. By recognizing that in a meeting or one-on-one I am amplifying and encouraging that type of behavior. Using that strategy, I’ve started to see improvements in the development team in regards to security. The other person I was discussing this with agreed. They were seeing more focus being made on security.

Do we need more people in security? I don't know. What I do know is that the security industry is having a tough time finding the right people. Maybe we need a different strategy. I think that strategy should include leveraging the security mindset of others. I've had some encouraging results so far. It will be interesting evaluate the strategy a year from now.

This post first appeared on Exploring Information Security.

Rethinking the security team

November 5, 2016

What if security teams placed their people into each department, instead of their own?

This is the position I currently find myself in. Four out of five days I sit with the development team with the goal of improving security in the software development life cycle (SDLC). It is going really well. It's going so well in fact that I've started to wonder why we don't do this more?

There would still be a security operations center and some other roles, like pentesters, working in a security space, but why not place a person in network or the server team?

Being in the room with the developers I'm able to build strong relationships within the team. I'm a security resource for them to bounce ideas off of and gain clarification on various security ideas and concepts. This makes things tremendously easier when I look to establish security processes and practices for the dev team. They see me daily and know that security is a priority. They also know that I see their successes and their struggles and that my goal is to help them be successful.

I believe this can apply to other departments. If security is involved the day-to-day operations of a team we are seen more as a resource instead of someone holding them accountable. We are still holding them accountable. The difference is that they can ask us questions. Why are we doing it this way and not this way? I'm finding people are much more amenable to security initiatives when we can explain why it's important and it benefits them.

This post first appeared on Exploring Information Security.

How to build a home lab links

June 17, 2016

This past week I presented on getting started building a home lab at CircleCityCon and ShowMeCon. Below are the resources and content Chris Maddalena and I created around the topic.

Google slides - ShowMeCon

Google slides - CircleCityCon

YouTube - BSides Detroit Talk

YouTube - ShowMeCon talk

YouTube - CircleCityCon training - part 1

YouTube - CircleCityCon training - part 2

How to build a home lab - Exploring Information Security podcast

How to make time for a home lab - Exploring Information Security podcast

What is another home lab use case? - Exploring Information Security podcast

This post first appeared on Exploring Information Security.

Josh Huff presenting at ColaSec - March 2016

How Josh Huff got into information security

May 29, 2016

I've gotten a lot of good feedback form the most recent episode of the Exploring Information Security podcast, "How I got into information security." People seem to like the solo podcast. More importantly a lot of people identify with my story. Some had a similar story. Others appreciated the story as they were in the process of getting into information security.

One such person is Josh Huff. Whom I've gotten to know the several months personally. He's a regular at our ColaSec meetings and recently found his own way into infosec. He shared his story with me.

"I was raised on technology. I was computing on Commodore 64 at the age of 5 and playing Atari 2600 video games. So growing up I saw, used and played with most forms of technology as it developed into what it is today. (Does anybody miss Palm Pilots?) I wasn’t sure what I wanted to study in college. Since I was comfortable with technology and I liked math and science mechanical engineering was my choice.

Although I learned some awesome things about the business and manufacturing world being an engineer was NOT my calling. I changed my major to business. I changed colleges a couple of times. Then at some point in my part time college job, I took a promotion into full time retail management. Now my comfort level with technology was used to teach and sell technology to customers and train my sales staff. Retail management wasn’t perfect as a career by any means, but it was a good fit for my skill set and I was good at my job. I was good at it for about 13 years in fact.

As my son grew older and family time became a much higher priority I had to make a career choice that would get me off the retail work schedule. So in May of 2015 I started studying everything InfoSec related I could find. At this point I also quit my job and enrolled in technical college. I realized all my old college credits weren’t far off from an Associate’s degree. In just under 2 semesters I got my degree and started looking into how I could land a job in information security.

Podcasts, blogs, an InfoSec twitter feed and security books were my source of guidance. The biggest challenge with learning this way was “drinking from the fire hose” which means taking in way too much to learn anything. I was reading about pen testing, malware, lock picking, network sniffing and cryptography. I researched coding, firewalls, forensics, open source intelligence, networking, vulnerabilities and social engineering. Everything I read was interesting, but I didn’t know how I proceed to this magical job in security. I needed to network with real people that were working in security and find out what they do and how they got there.

I looked online for local meetups. There were some community groups like a Linux user group, open hack Columbia and something called ColaSec. ColaSec had a meetup 3 days later. Plus they said it was an open invitation group, so I just decided to show up to the September meeting.

I wouldn't call myself shy, but getting out of your comfort zone and just going out to meet new people can be tough. If you are looking to get into security find your local city ‘Sec’ meetup and go! If the people you meet are half of what I found at ColaSec it will be worth your time.

I walked in, introduced myself as a tech and security enthusiast. People said hi and gave me pizza and beer. They were hanging out talking about random security news then a speaker gave a talk about building a security framework. There was a table in the back with practice locks and lock picks and people were drinking an adult beverage or two. I HAD FOUND MY PEOPLE!

Once the meeting was over everybody was kind of hanging out so I introduced myself to a few of them. I met a few people that worked in a Security Operations Center. There was several help desk managers and a technology course instructor present. There were also people on the job search like me. A conversation about security conferences led to an invitation to one in Kentucky called Derbycon. Tickets sold out, but I managed to snag one last minute and headed out of town to my first security conference.

On the way to Derbycon I checked the speaker list. I found that a few authors of my security books plus people from my twitter feed were going to be at this conference. I decided to meet as many of them as I could. Derbycon itself is worthy of its own write up, but in short it was awesome. I got to keep meeting and talking with real security professionals. They were open to answering questions and connecting on twitter and I continue to stay in touch with many of them today. I learned a lot of other people’s career paths that led to information security.

When I got back from Derbycon I felt like I had direction. I started applying to some help desk and technology jobs to try and get my foot in the door. I revised my resume and evaluated my past skills into how they could help me in a security related position. This started a roller coaster process. As applications and interviews started to pile up frustration started to settle in. Repeat… wait… apply… repeat. I had one interview that I thought went well and a few pings on my resume that had placed me into consideration. I felt things were looking up again. The promising job lead fell through. Then the 'under consideration' jobs decided not to fill the position.

This is the point in the story where desperation may have kicked in. I took a hard look at what I wanted from a security job and it wasn’t a help desk spot that I could work my way up from. Open source intelligence (OSINT) was my favorite subject so I decided to find people I could talk to again. It seemed that military or law enforcement background was a prerequisite for a job in OSINT. I thought about who I could talk to about this and I looked up private investigation firms in Columbia, SC. Through the ‘contact us’ part of the PI websites I shot a quick introduction email. I gave a brief description of who I was. I described what I was studying and asked if they were hiring. I also said if they weren't hiring I would be happy to just talk OSINT and find out how they used it as investigators. I got a phone call from a private investigator 1 day later.

I chatted with the investigator for a few minutes and he asked for my resume. It turns out the background in law enforcement or military wasn’t an issue. So a few hours later I was called for an interview. The position wasn’t exactly OSINT, but they had need of a digital forensic analyst. My technical background led me through the interview with ease. 1st interview led to a 2nd interview which led to a tryout in their computer forensics lab. The tryout went well and I am now over 3 months into my role as a digital forensics analyst. I get to work in a forensic lab doing cool stuff with all types of technology and in between cases I talk OSINT with the other investigators.

I’ve listened to a lot of stories about how people got their InfoSec job. There doesn’t seem to be a defined path or perfect guide out there, but this is my path. I hope by sharing my path that somebody finds some facet of my story that they can apply to their own career path. If I could re-iterate just once point of my story it is to go out and talk to people. Information security is about the people that drive the technology. If you don’t know how to apply information security it in real world scenarios go talk to the people that do. It will likely be a fun journey."

This post first appeared on Exploring Information Security.

Getting into information security via military service

May 21, 2016

I see a lot of self-study and going to college advice for those looking to get into information security. I would like to recommend another option. Join the military. People joining the military get training, real world experience, and money for continued education.

Now, the military isn’t for everyone. Yes, there is a chain of command filled with people who give out orders. And yes, those orders need to be complied with. The thing about that is that most people know what they’re doing in the military. It's usually not an issue. And that's because the quality of people in the military is top notch.

Joining the military is no small decision and it shows in the people that serve. I had several really good mentors in the military that helped shape who I am as a person. Not only did I enjoy the benefits below, but I learned a lot from those mentors. I gained a strong work ethic. Learned communication and leadership skills. And I had a lot of fun doing it.

The lifestyle is a lot different. The first couple of years involved moving around quite a bit. Moving from a barracks to a dorm to another dorm to a different base. Then off-base to an apartment. I spent a year in the midwest, three years one the west coast. Then two years on the east coast. If you like traveling there’s plenty to be had in the military.

Then there's the uniform. Sure, I couldn't pick my close, but that made things easier. Each day I woke up and new what I had to wear. I also saved quite a bit of money on doing laundry, because I could wear the same uniform for a few days. Usually, I was just changing my undergarments.

Training

My first military contract had me set to be a paralegal in the Army. That fell through and I ended up joining the Navy as an electronics technician. That contract came with a $7,000 signing bonus. I had two months of basic training. Two months of basic electronics training. Four months of communication electronics training. Three weeks of miniature/microminiature board repair training (2M). All that in my first year. I was also sent to radio, aircraft load out, instructor, Humvee driver and forklift operator training. When it comes to training the military is one of the best.

I joined in early 2001 and IT (let alone infosec) positions weren't as well defined. Now that the digital age has matured, there's a much stronger focus on information security. That means the programs are much more prominent in today's military.

Real world experience

During my time in the Navy I did a little bit of everything. I pulled cable. Moved phone lines. Setup computers. Troubleshooted computer issues. Setup communications for field exercises. Inventoried and maintained radio equipment. Setup switches. Created user accounts. And that was all at my first command.

My second command involved a lot more IT work. I learned how to rebuild a server after it crashed and no backups were available. I trained personnel on email usage. Took part in my first workstation refresh, swapping out old computers with new ones. Patched systems. Updated anti-virus. Troubleshooted more computer issues. I leaned on a lot of that experience when I got out and started looking for a job.

I also got the opportunity to do a lot of fun stuff. Train with Navy SEALS. Face-off against the Canadian Army in multi-nation exercise. Jump waves on the Pacific Ocean in a Zodiac Hurricane. Just to name a few.

Money for continuing education

The GI Bill is one of the best benefits received from joining the military. I paid for school and a Network+ certification with it. Last year I graduated from the University of South Carolina with a degree in media arts. All paid for by the GI Bill. I knew coming out of high school that if I went to college I would be wasting my time and my parents money. I wanted to get some real experience and get college paid for when I was ready to go.

The GI-Bill is even better now then when I first started going to school. A year or two after I started taking classes, the GI-Bill changed. Not only was school paid for, but I was making a little money on the side. As long as I was taking more than half a load of classes I got basic allowance for housing (BAH). Which is a significant amount of money. This really helped when we started expanding our family.

Final thoughts

The military is a great option for people looking to start a career. The military does a great job of training and giving it’s members real world experience. A lot of that training and experience translates to the real world. For those looking to get into information security, the military has some good programs. When I joined, I had no idea of the career I wanted to be in. That was okay, because when I knew what I wanted to do I could lean on a lot of my experience.

Serving the military is a massive commitment. Again, it’s not for everyone. It is a viable option though and one that I recommend exploring.

This post first appeared on Exploring Information Security.