
Cheapskate! Free and Excellent Infosec Career Resources Nathan - PowerPoint PPT Presentation



  1. Cheapskate! Free and Excellent Infosec Career Resources
  Nathan Chan, CISSP C|EH
  2019 Oct 11 1 / 48

  2. Who Am I
  ● Three careers
    – Flight Simulation – both trainers and engineering
    – Software Tester
    – Security
  ● Worked in defense, commercial software, consulting, security
  ● Got CISSP in 2011 and C|EH in 2012

  3. Agenda
  ● How I see Cyber Security / Information Security
  ● Free info to get started and where to find it
  ● Local meetings to attend
  ● Security Certifications

  4. How I See Cybersecurity
  ● When I look around at the careers and positions in cybersecurity, and to keep things organized in my mind, I see three broad categories:
    – Management
    – Infrastructure
    – Engineering
  ● There is overlap in these three categories, and where something may fit depends on how you see the position.

  5. Management
  ● Management is the mostly non-technical support structure for organization security.
    – Policy
    – Procedures
    – Human Resources
    – Legal
    – Compliance
    – Training

  6. Infrastructure
  ● Infrastructure is anything needed to get the organization’s work done. The infrastructure needs to be kept secure.
    – Network
    – Third-Party Applications
    – Cloud
    – Wireless

  7. Engineering
  ● Engineering is anything the organization creates, sells or provides to customers. All these things need to be made in a secure manner so they will be difficult to hack.
    – Applications
    – Web Site
    – Services

  8. These Classifications are not Precise
  ● There can be overlap, or things can fit in multiple classifications.
  ● For example – how about Forensics?
    – Forensics is often a legal (managerial) requirement.
    – When actually executed, it is usually network or endpoint drives (infrastructure) that are imaged.

  9. These Classifications are not Precise - Overlap
  ● Another example – how about Pen Testing?
    – Pen Testing is often a compliance (managerial) requirement.
    – When actually executed, it depends on the subject of the pen test.
      ● A physical pen test (getting into the building, getting information) is managerial.
      ● If the pen test is against the network, it is infrastructure.
      ● If an application, web service or web site is being pen tested, it is engineering.

  10. Free Stuff - NIST Notes
  ● A great free source for a lot of information is the National Institute of Standards and Technology (NIST) Computer Security Resource Center.
  ● https://csrc.nist.gov/publications/
  ● NIST documents can be considered authoritative.
  ● However, NIST documents are extremely dry reading.

  11. Free Stuff - Introduction
  ● Introduction to Information Security
    – NIST SP 800-12 Rev 1: “An Introduction to Information Security”, 2017, https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final
    – NIST SP 800-100: “Information Security Handbook: A Guide for Managers”, 2007, https://csrc.nist.gov/publications/detail/sp/800-100/final

  12. Free Stuff - Introduction
  ● Introduction to Information Security (cont’d)
    – Cybersecurity is Everyone’s Job, NIST, 2018, https://www.nist.gov/news-events/news/2018/10/cybersecurity-everyones-job
    – The Infosec Handbook, Apress Open, 2014, https://link.springer.com/book/10.1007%2F978-1-4302-6383-8
    – Navigating the Digital Age 1st ed, Caxton Business and Legal, 2015, https://www.securityroundtable.org/wp-content/uploads/2015/09/Cybersecurity-9780996498203-no_marks.pdf

  13. Free Stuff - Introduction
  ● Introduction to Information Security (cont’d)
    – Navigating the Digital Age 2nd ed, Palo Alto Networks, 2018, (requires signup) https://www.securityroundtable.org/navigating-the-digital-age-2nd-edition/
    – A CISO’s Guide to Bolstering Cybersecurity Posture, Center for Internet Security, 2018, (requires signup) https://www.cisecurity.org/white-papers/ebook-a-cisos-guide-to-bolstering-cybersecurity-posture/
    – Defender’s Dilemma, RAND, 2015, https://www.rand.org/pubs/research_reports/RR1024.html

  14. Free Stuff - Management
  ● Compliance
    – Two lists of compliance requirements can be found at the Telos and TCDI sites: https://www.telos.com/cyber-risk-management/xacta/compliance-standards/ and https://www.tcdi.com/information-security-compliance-which-regulations/
    – PCI DSS (Payment Card Industry Data Security Standard) https://www.pcisecuritystandards.org/document_library
    – GDPR (General Data Protection Regulation, EU) https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

  15. Free Stuff - Management
  ● Privacy
    – CCPA (California Consumer Privacy Act) https://www.oag.ca.gov/privacy/ccpa
    – CCPA Amendments (still in flux) https://www.infolawgroup.com/blog/2019/9/20/ccpa-act-ii-amendments-pass-california-legislature-head-to-governors-desk
    – IAPP (International Association of Privacy Professionals) – some material is free, paid membership required for full access. https://iapp.org/resources/research/

  16. Free Stuff - Management
  ● Risk
    – DHS Cyber Risk Management Primer for CEOs https://www.dhs.gov/sites/default/files/publications/C3%20Voluntary%20Program%20-%20Cyber%20Risk%20Management%20Primer%20for%20CEOs%20_5.pdf
    – NIST Cybersecurity Framework https://www.nist.gov/cyberframework
    – CMU SEI Blog on Risk Management, 2018 https://insights.sei.cmu.edu/insider-threat/2018/02/7-considerations-for-cyber-risk-management.html

  17. Free Stuff - Management
  ● Training and Awareness
    – Cybersecurity and Information Systems Information Analysis Center (CSIAC) https://www.csiac.org/series/cyber-awareness-videos/
    – Australian Defense Cybersense https://www.youtube.com/playlist?list=PLAA359AC9EEA14569
    – EDUCAUSE Security Awareness https://library.educause.edu/topics/cybersecurity/security-awareness
    – DHS Stop. Think. Connect. Toolkit https://www.dhs.gov/stopthinkconnect-toolkit

  18. Free Stuff - Management
  ● Checklists
    – NIST Manufacturing Extension Partnership (MEP) Cybersecurity Self-Assessment Handbook, 2017 https://nvlpubs.nist.gov/nistpubs/hb/2017/nist.hb.162.pdf
    – US Cyber Consequences Unit Cybersecurity Matrix Checklist, 2016 http://usccu.us/documents/US-CCU%20Cyber-Security%20Matrix%20(Draft%20Version%202).pdf

  19. Free Stuff - Infrastructure
  ● Center for Internet Security (CIS) 20 Controls V7.1 (requires signup for download) https://www.cisecurity.org/controls/cis-controls-list/
  ● SANS Posters of CIS Controls https://www.sans.org/critical-security-controls/
  ● Mozilla Server Side TLS https://wiki.mozilla.org/Security/Server_Side_TLS
  ● OWASP TLS Cheat Sheet https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html

  20. Free Stuff - Infrastructure
  ● Better Crypto, https://bettercrypto.org/
  ● IIS Crypto Free Tool by Nartac Software https://www.nartac.com/Products/IISCrypto
  ● Mozilla OpenSSH Recommendations https://infosec.mozilla.org/guidelines/openssh
  ● Cloud Security Alliance (CSA) Security Guidance V4 https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/security-guidance-v4-FINAL.pdf

  21. Free Stuff - Infrastructure
  ● CSA Cloud Control Matrix V3.0.1, 2016 https://downloads.cloudsecurityalliance.org/assets/research/cloud-controls-matrix/CSA_CCM_v.3.0.1-10-06-2016.xlsx
  ● Cyber Kill Chain
    – Lockheed Martin https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
    – Mitre ATT&CK https://attack.mitre.org/
  ● Pen Testing Execution Standard http://www.pentest-standard.org/index.php/Main_Page

  22. Free Stuff - Infrastructure
  ● Incident Response
    – CMU SEI Resources for Creating a Computer Security Incident Response Team (CSIRT) https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=485643
    – CMU SEI Handbook for CSIRTs, 2003 https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=6305

  23. Free Stuff - Infrastructure
  ● Incident Response
    – Centre for Research and Evidence on Security Threats (CREST, UK) Cyber Security Response Guide V1, 2014 https://www.crest-approved.org/wp-content/uploads/2014/11/CSIR-Procurement-Guide.pdf
    – US Dept of Justice Best Practices for Victim Response and Reporting of Cyber Incidents, 2015 https://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents2.pdf

  24. Free Stuff - Engineering
  ● Software / Secure Development Lifecycle (SDLC)
    – OWASP Software Assurance Maturity Model (OpenSAMM) V1.5 https://www.owasp.org/index.php/OWASP_SAMM_Project
    – Building Security In Maturity Model (BSIMM) V10 – (download requires signup) https://www.bsimm.com/framework.html
    – BSIMM V9 download https://www.bsimm.com/content/dam/bsimm/reports/bsimm9.pdf
