An introduction to the INFOSEC world for high school career center and college students by a graduate working the the field.

1. Intro to INFOSEC
Sean Whalen
sean@seanpwhalen.com
https://seanpwhalen.com
@SeanTheGeek

2. To view this slide deck with links
https://j.mp/infosecintro

3. Disclaimer
The views and opinions expressed
here are my own, and may not
represent those of my past,
current, and post-apocalyptic
employers.

4. Who is this guy
• I’m an Information Security Engineer
• Specializations: Intelligence, malware analysis, and network defense
• Human log parser
• Fairfield CC/Reynoldsburg HS ’09 – Ohio Dominican University ‘13
• Work(ed) for
• DISA/DoD (Columbus, OH)
• CBTS/GE Aviation (Cincinnati, OH)
• Cardinal Health (Dublin, OH)

5. Topics
• What INFOSEC is and isn’t
• The importance of INFOSEC at it relates to business
• How attacks work, and how they can be prevented
• The challenge and fun of security
• The state of the industry and job market
• The benefits and limits of a college education
• Thoughts on career

6. What is INFOSEC
Information Security (INFOSEC) is the
practice of applying reasonable controls that
mitigate threats to the integrity,
confidentiality, and availability of
information.
It includes layers of non-technical controls,
such as policies, training, and locks.
The goal is to make attacks impractical,
while respecting business needs.
The tricky part is finding balance.
Wikipedia/John Manuel

7. What INFOSEC is not
NCIS:The BoneYard

8. Unless you are SONY Pictures

9. Mythbusting
With less explosions…sorry

10. Encryption solves everything.
Why didn’t they just encrypt it? Idiots!

11. How encryption is used
• To protect data at rest (e.g. on a portable hard drive)
• To protect data in transit (e.g. login submission)
• A system that uses encrypted data must be able to decrypt it
• A vulnerable application can leak keys and/or plaintext data

12. Windows is inherently insecure.
Macs don’t get viruses.
Of course it’s secure, it’s open source!

13. Operating system
security
Any operating system can and should be
hardened: Installing patches, disabling
unused features, limiting users, etc.
Malware can be written for any OS.
The security of an OS is largely dependent
on the vigilance of its admin, and the
trustworthiness of its users.
Windows security has steadily improved
since XP SP2.
Apple still adjusting to being a larger target
as its market share grows.
Decades-old flaws have been discovered in
extremely common open source software.

14. Why would anyone hack me?
I don’t have anything of value.

15. The value of a hacked computer
Brian Krebs

16. It’s easy to hide on the internet.
Catch me if you can!TOR andVPNs FTW!

17. OPSEC
Operational Security –Securing the details of
what people do.
Only sharing
• Who?
• What?
• When?
• Why?
• How?
On a “need-to-know” basis
Changing behavior, passwords, and keys
Securing communications
It goes against human nature. People like to
brag/help.

18. Meet Ross Ulbricht
Convicted of charges related to operating
the “hidden” online illegal drug marketplace,
Silk Road.
While an IRS Special Agent was looking for
directions on how to access the hidden site,
he found early forum posts from a user
named altoid, promoting the site on the
normal internet.
Looking at the altoid’s earlier posts, he
found the user posted his email as
rossulbricht@gmail.com.
He was sentenced to life in prison without
the possibility of parole, as required by the
“Super Kingpin” section of the CCE statute.
His lawyers are appealing.
The incredibly simple story of how the gov’t Googled Ross Ulbricht

19. Can you spot the OPSEC fail?
CrowdStrike

20. Industrial Espionage
It’s real.
A group of PLA officers/employees were
indicted by grand jury in the US.
Evidence shows that they were actively
engaged in industrial espionage, something
China denies.
Although it is extremely unlikely that the
group will be extradited, such attribution
shows that even state actors can be sloppy
with OPSEC, and the state can be called out
on its actions, if desired.
An attacker’s sloppy OPSEC can be used for
defense, even if the attackers cannot be
directly identified and/or arrested.
United States of America v.Wang Dong, et al. (Crim. No. 14-118 W.D.Pa.)

21. The Cyber Kill Chain
A concept for modeling attacks, developed
by Lockheed Martin.
Allows defenders to build intelligence from
both failed and successful attacks.
By building intelligence-driven defenses for
each stage of an attack, you are more likely
to catch future attacks.
Force the attacker to change tactics across
all attack stages, providing more intel.
The more they try, the more you learn.
Can be used to group attacks/attackers.
Intel can be shared among groups for herd
immunity. Intelligence-Driven Computer Network Defense
Informed by Analysis of Adversary Campaigns and
Intrusion KillChains

22. Sharing is hard
What do you collect?
What do you share?
Can you share it?
How do you share it?
Who do you share it with?
Who can you trust?
What can you do with shared information?
Declassified SASC Inquiry Into Cyber
Intrusions ofTRANSCOM Contractors

23. Standards
IT INFOSEC is still a very new field.
Organizations want to be secure.
Most are trying to figure out how to do that.
How do we hire? What tools do we need?
There are many “standards” for sharing
security information –none are compatible
with each other.
xkcd

24. Getting the right job

25. Motivation matters!
• More than anything, good employers look for these things in a candidate:
• Basic understanding of the concepts
• Ability to communicate and work with peers and management
• Willingness/eagerness to learn
• Passion for the work you do
• Don’t chase a job just for the big bucks
• Find your niche in CS/engineering/networking/programing
• Do what you enjoy doing, you’ll be great at it, and the big bucks will follow
• It’s pretty easy to change roles in an IT career; stick around for a couple
years at least and build reputation unless you absolutely hate it

26. Tips for career building
• Create a GitHub account, create little projects for things that interest you
• Doesn’t have to be anything fancy
• Could be something to make your life/school a little easer
• Could be something fun and wacky, so long as it’s SFW
• Shows employers that you know how to code be creative
• Buy your own domain after your name (they’re cheap)
• Create a simple, one-page web version of your resume
• Add a professional photo, and links to projects
• Maybe add a journal blog to track what you are learning
• Showcase all of these things on your paper resume to show employers you
are motivated!

27. INFOSEC job market
• Columbus is (IMO), the best job market for IT in Ohio, and among the
top in the country
• INFOSEC specialists are in demand at mid-to-large size businesses
• However, most businesses require some experience before they will
hire someone for INFOSEC, even at entry level
• It’s common for someone to start as a sysadmin or developer, and
gain INFOSEC-related experience as they work
• Security+ could give your resume a little boost

28. Columbus Collaboratory

29. Common INFOSEC roles
• Incident Responder – Responds to alerts generated by security tools
• Information Assurance Manager (IAM) – DoD role that checks
systems to ensure compliance with policy
• Vulnerability Manager – Responsible for running vulnerability scans
on systems and applications
• Risk manager – Helps to define IT policy, and ensure compliance with
that policy

30. Specialized roles
• These roles are usually only found within large organizations, or
security firms:
• Intelligence Analyst – Responsible for collecting, managing, and
sharing threat intel
• Reverse Engineer – Responsible for reverse engineering malware,
and determining Indicators of compromise
• Pentester – Responsible for conducting penetration tests against the
organization

31. News sources
• Please don’t get your INFOSEC news from gadget blogs.They have
no idea what they are talking about.
• Come Good sources
• ArsTechnica
• Krebs on Security
• https://twitter.com/SeanTheGeek/lists/infosec
• /r/netsec (great aggregation!)
• The Full Disclosure mailing list

32. Education
• Most employers require a bachelors degree
• Your degree can be general CS, but there is one NSA certified program in
Ohio
• UC’s cybersecurity program (Dr. Franco)
• To make the most out of your college education, start looking at
internships. Ask questions in class. Make tuition worth it.
• Find topics that interest you, and start learning.There are lots of
great free, online resources.

33. Learning resources
• How to be an INFOSEC Geek
• Iron Geek –Videos of almost every conference talk, podcasts, and
more!
• Reverse engineering – Practical Malware Analysis
• Pentesting – HackYourself First
• Web app security – OWASP –Web Security Dojo
• Attack detection – Security Onion
• Automate the Boring Stuff with Python – Awesome, free online book
• The InfoSec Speakeasy –Tutorials and news

34. The fun stuff
Lets talk malware and phishing

35. Actual APT code
Dropped by UltraSurf.exe
6dc7cc33a3cdcfee6c4edb6c085b869d
FireEye:Operation Saffron Rose

38. Image credit: FireEye

40. They also stole creds in a more direct way
Image credit: FireEye

41. Think users wouldn’t fall for this? Think again.

42. Security tips
• Always install up-to-date patches for your OS, browsers, browser plugins, and office suites
• If you useWindows
• Upgrade toWindows 10 (its free), and be sure to configure the privacy settings to your liking
• You should turn off Wi-Fi Sense
• Install Microsoft EMET
• Avoid free third partyAV like Avast and AVG.Windows 10 comes with free AV that is quite good, assuming
you follow safe computing habits like these
• Remember: Malware is increasing for Mac, Linux, and, mobile devices too
• Don’t download or install freeware, shareware, pirated software, cracks, keygens, or warez
• Use separate passwords for key accounts (e.g. OS,Wi-Fi. Email, banking, social media)
• Limit third party app access to your accounts
• Never loan or borrow devices, storage media, or credentials

43. Interested in technology, the law, and your rights?
Check out https://eff.org/

44. Questions?
@SeanTheGeek
Sean@SeanPWhalen.com PGP Key ID: 2DD0EA48