Skip to main content

The People Problem - Part 1

Every new year begins with the best of intentions, and I am going to try to blog at least once a month in 2016. There was an absolutely fabulous post by Scott Roberts in January called Introduction to DFIR ( that I highly recommend reading. That along with my steadfast belief that being good at infosec is primarily dependent on people and not technology, has inspired my first blog post of the year.

More than anything, infosec is a problem caused by people that can only be effectively addressed by people. Whether it is coders introducing bugs, business leaders taking excessive cyber risks to accomplish near term business goals, or oblivious users clicking on links and attachments in phishing emails, it a people problem. To drive home this point, lets make an example. Based on the following organizational descriptions, which ones do you think are most secure and alternately which one would you want to work for.

Stark Industries
• CISO - Doug Steelman
• Director, IR & Forensics - Brian Carrier
• Director, Red Team - Dave Aitel
• Director, Threat Intelligence - Patton Adams

Massive Dynamic
• SEIM - ArcSight
• Forensics - Encase Enterprise
• IDS - SourceFire
• CTI - Norse

• SEIM - Splunk
• Forensics - F-Response, SIFT
• NSM - Custom Bro/Surricata sensors
• CTI -  ThreatConnect

I am not sure how other people would chose and what criteria they would apply. However for myself, it is clear that choosing to work for great people has the least amount of risk and the greatest amount of "top cover". My choice in order would be Stark Industries followed by Hooli. I wouldn't work for Massive Dynamic based on their choices. The key take away is that people matter more than anything when choosing either employment or how competent you expect that company to be in securing their information.

Most companies at least pay lip service to the idea that people are vital to success. However, there are some serious challenges in this space. Anyone can throw big money and big promises at a "cyber rockstar" and lure them in. Where corporations often fall flat on their face is retaining talent. Capable and motivated people will not sit around while you figure out what you want to be when you grow up. For instance, I once personally waited 18 months for network taps at a company and never got them. This was despite multiple meetings with network design and buy in from senior leadership. To add to the insult, there was already a tap aggregator in place! My time is worth more than that, so I decided to move on and it had nothing to do with money and everything to do with being in an environment where I could deliver tremendous results and succeed.

While the vast majority companies are self sabotaging when it comes to IT security talent retention, the ones who understand this will profit immensely. This brings me to the other big component of the people problem. There just aren't enough qualified candidates. Instead of whining about this at your elegant CISO roundtable dinners with a 24yr old single malt in your hand, take ownership of the problem. Talent has to be developed plain and simple. Every single person starts out knowing nothing. That is what I want to address starting in this post and a follow up one.

I think we need to develop infosec talent at an even lower level. Scott's great post is spot on for training up DFIR personnel, but I believe there are some fundamental IT skills that need to be in place first. The reason I believe this is that, there are quite a few people coming out of college "security" programs without critical foundational skills. And I'm not picking on edu, this is the case for the majority of entry level candidates regardless of background. Knowing something on paper is only the beginning of where you need to be at from a functional perspective.

IT Fundamentals for InfoSec

Operating Systems
1. Windows
2. Linux

4. Routing/Switching
5. Firewall/VPN

6. Web
7. Database
8. Programming Constructs

9. Collect & Analyze

10. Common Body of Knowledge
11. Malware
12. NSM
13. Live Response
14. Offensive Concepts
15. Defensive Concepts

Above would be my requirements for someone looking to get into a career in information security. I would expect them to have functional skills in items 1 through 9, followed by a basic understanding of items 10 through 15. Having this foundation ensures that a candidate is positioned to succeed in a junior IT security role. While there are always exceptions to the rule, I would strongly recommend anyone work 2-3 years in a general IT role before moving into security. It gives the person much more context and understanding of why things are they way they are and potentially insight on how to improve things. In part two of this blog post, I will detail out each of the 15 IT fundamentals, which in turn I hope will assist people looking to break into information security with a degree of competence.


Popular posts from this blog

FIRST Conference 2018 - Review (Kuala Lumpur Edition)

As apart of my new job, my employer is seeking to gain FIRST membership later this year. To support that goal, I was asked to attend the 30th FIRST Conference in Kuala Lumpur. For the travel weary, this is not a trip to take lightly. For me it was 3 flights and 28 hours total of travel just to arrive. I do have to say, the conference venue, the Shangri-La hotel is absolutely fabulous. Very nice, clean, and ultra courteous staff. The swag bag I was given at registration was also very nice, including 3 shirts, challenge coin, notebook, mini first aid kit, and a pretty decent backpack. I also have to say the lunch options for the conference are vastly superior to anything I have ever experienced. SANS and Blackhat could learn a few things. For a 5 day conference, you get a much greater value here.

If you are interested in jumping straight the slides you can visit here.
OpeningThe conference was kicked off on Day 1 by Thomas Schreck (@shrekts) who gave out some interesting attendance statis…

European DFIR Summit 2018 Review

On Monday October 1st, I attended the European edition of the SANS DFIR Summit in Prague. Normally I try to attend this in Austin, however this year I couldn't make it so attended this one later in the year instead. I took a couple days PTO just to spend some time seeing the sights and it was cool getting to take time visiting the historical sights, instead of my typical shut in routine. If you have time, I would highly recommend this and definitely book a night time river cruise. Also worth noting, the new Spiderman movie was filming last week which was kinda cool.

A few other recommendations I would make, would be to stay closer to the city center and take the subway daily. This has the added benefit of staying at a nicer, more western hotel (eg Marriott, Hilton), but also being near the old town square. I'm staying at the Angelo Hotel, but the training is actually split between two hotels and I don't get the benefit of being able to quickly jet up the elevator to my ro…

Hacking Exposed Notes

Hacking Exposed Notes

Footprinting – profiling an organization Internet, Intranet, Remote Access, and Extranet presence to determine security posture and netblocks

Website Pilfering – grabbing source code to analyze offline

Unix – Wget

Win – Teleport Pro

Search Engines – tools for searching multiple engines, IRC, email, etc at once

Win – FerretPRO($)

Web – DogPile

Registered Networks – internet whois searches

Current Registrars

Unix – Whois, Xwhois

Unix - $ whois “acme.” (list possible domains)

Unix - $ whois “HANDLE JS1234” (list POC info)

Unix - $ whois “” (list email info)

Web – US

Web – International

Web – US Military

Web – US Gov

DNS Interogati…