Breaking into cybersecurity with CompTIA

Chris Sienko: As you probably know, October is National Cyber Security Awareness month and to celebrate, InfoSec is giving away a free month of its InfoSec skills platform. This is a subscription-based skills training platform for cyber security experts. If you'd like to learn more, please go to infosecinstitute.com/podcast and don't forget to claim your free offer before October 31st.

Welcome to another episode of the Cyber Work with Infosec podcast. The weekly podcast in which I talk with a variety of industry thought leaders to discuss the latest cyber security trends, how those trends are affecting the work of InfoSec professionals, as well as tips for those trying to break in or move up the ladder in the cyber security industry. Today's episode comes from a recent YouTube live session which was streamed live on September 24th. In it, Infosec's Product Marketing Manager, Jeff Peters, and CompTIA's Chief Technology Evangelist, James Stanger, talk in depth about how to break into the cyber security field. It's been well documented that a critical shortage of cyber security professionals, means that there are more cyber security job openings than there are qualified professionals. Nearly three million more. Organizations would love to fill these positions and you might even want to fill one of these positions yourself, but you could be asking yourself now, "How do you even start learning cyber security?"

During the course of this livestream, Jeff and James will discuss using the CompTIA career path to build your skills and land your first security job, why Security+ has become the go to entry level cyber security certification, the different types of entry level cyber jobs available, and how you can train to earn your next CompTIA certification. To help you accelerate your cyber security studies, InfoSec is giving away a free month of the InfoSec skills platform as part of National Cyber Security Awareness month in October. Just go to infosecinstitute.com/podcast and use the Start Learning link to sign up for your free month of skills training and be sure to sign up before October 31st. Now let's listen to James Stanger of CompTIA and InfoSec's Jeff Peters and their livestream entitled, "Breaking Into Cyber Security With CompTIA."

Jeff Peters: All right, hello everyone out there and welcome to InfoSec's first ever YouTube livestream, very excited to have you guys all with us. Today we're gonna be talking about breaking into cyber security. Basically everything entry level involving training, certifications, careers, skills you need, all that stuff. Just a little background on why we're doing this livestream in the first place. October is National Cyber Security Awareness month and that month is really all about training and awareness and getting education out there and that's really what we're all about here at InfoSec. First, let's kick it over to James for your introduction. I'm Jeff Peters, I'm the product marketing manager for InfoSec's training, but the person you really wanna hear from today is James Stanger. Maybe give a little bit of background about yourself.

James Stanger: Sure man, hi, I'm James. I'm the chief technology evangelist. I always forget that title 'cause it's such a fancy one, here at CompTIA. And my job is to talk to IT pros such as yourself, also beginning students, everybody else in between. And I go and I travel around the world talking to hiring managers about the skills that they need. This year I've been in India for example talking to people who do a lot of help desk. I've been in London talking to cyber security professionals. I was at RSA San Francisco talking to hiring managers who are cyber security folks. And so I talk with people about the essential skills and then I go back and I talk to our exam development folks, I talk to our content development folks to make sure things stay relevant. And then I also do a lot of webinars and things like that. I've got, golly, 20 or so years or more, in things such as penetration testing. Also helping folks with help desk. A lot about open source and Linux. Done a lot of work in that over the years. So I'm very pleased to be here Jeff, thank you very much and thank you InfoSec for having CompTIA here.

Jeff: Yeah, and like you mentioned, you do a lot of stuff just wondering if there's a favorite aspect or a favorite skill that you get to use since we're gonna be talking a lot about cyber security skills today. Is there anything in particular you enjoy doing the most?

James: You know a lot of the things I really enjoy doing the most are doing analytics for security. It's really fun not only to conduct attacks, and when I say conduct attacks, I don't mean attacking unwitting people. I'm talking about pen testing. Pen testing is a lot of fun. It's a lot of fun to listen in on what the pen testers or the attackers are doing to do analytics. So I find that fun and then I'm a big Linux geek. I like Linux stuff and the cloud. There you go.

So let's start by talking a little bit about some entry level cyber security career landscape overall. So we have some numbers on the screen here. I guess the two that really stand out to me is one, you have 3 1/2 million, that's the number of projected unfilled cyber security positions by 2021. And then another interesting stat is from the Bureau of Labor Statistics, they expect a 32% growth in cyber security jobs over the next decade from 2018 to 2028. So obviously tons of demand out there already, but it looks like over the next decade we're gonna even see more growth and everyone always talks about the cyber security skills gap, and how hard it is for organizations to fill positions, so just wanted your thoughts overall on the career landscape as it is today and particularly how it relates to entry level.

You know there is a major need out there. There's no question. And I think a lot of people kind of say to themselves, well, you know if we need cyber security professionals, what about jobs getting offshored? In other words, the jobs used to be available in whatever country you happen to be in. Let's say the United States and then they get shipped to somewhere else. I think a lot of other people kinda worry about artificial intelligence. Things like automation and orchestration. This various forms of automation. I think they worry about that taking away jobs. Here's the thing, if you know your fundamentals, if you take the time to learn your fundamentals, then you can become a cyber security person eventually. And it doesn't take that much time, but it takes a real long time if you don't learn those fundamentals.

So Jeff, talking about people who are just starting out, I would say one of the first things you've gotta learn about are the different kinda end points that are happening today. And by end points I'm talking about all the different types of things that need to be secured, if you know what I'm trying to say.

Jeff: Yeah, and that's an interesting point maybe we could talk about a little bit.

James: Sure.

Jeff: I think traditionally, I'm in my 30s so growing up I think people had a different definition of an endpoint. Now we have the cloud and all these other technologies. I guess that from an entry level standpoint, is that much more challenging now that you have all these different devices and potential end points instead of just having one physical thing you have to lock down?

James: That's a good question. I think it is, I don't know if it's more challenging, it's just the diversity is there. And the diversity is kinda cool. But here's the deal. If you're in your 30s then you probably are used to your notebook computer. You're used to a desktop computer and a mobile phone. Fair enough?

Jeff: Mm-hmm, yeah.

James: Right, and in your 30s, let's say 10 years ago you were in your 20s so I mean a mobile phone was a fairly cool thing back when you were in your wild 20s. Is that the idea? Or was it earlier than that?

Jeff: Yeah I think I was 17 when I got my first flip phone.

James: Yeah, and that was what was available back then, right?

Jeff: Yeah, yeah.

James: And then the smartphone for you showed up when you were in your early 20s.

Jeff: Yeah.

James: Is that right?

Jeff: Yep, definitely.

James: Well, so those are kind of the free and form factors that are traditional ones. That and the tablet I guess I should talk about the tablet. But, nowadays there are so many more form factors, I'll call them form factors, so many more types of end points. So now you have IP-enabled watches. Friend of mine left his phone in the Uber, car that he was on his way to the airport. So he's at the airport and he had to run in and find some sort, there are no payphones anymore, right? So he ran in and got some airline's person to give him a phone or whatever so he could call the Uber and he eventually got the thing back. And I looked at his smartwatch and I said, "That smartwatch, does it have a telephone number on it?" And he goes, and he kinda hit hisself on the head like he could've just used his smartwatch to make the phone call. 'Cause not only does his smartwatch connect via wifi to his phone, right?

Jeff: Mm-hmm.

James: But, he actually had a phone number, dedicated phone number, that watch was also, you know, Dick Tracy time. It could actually make phone calls itself. I guess what I'm trying to say is that it takes awhile for us human beings to realize how IP-enabled our world is.

Jeff: Mm-hmm.

James: And so, there's our smartwatches. You know seriously, wearables, whether it be clothing or whatever is all becoming IP-enabled. But there's another type of diverse end point out there that IoT device. The webcam, the gaming device, Jeff do you do games? I don't, believe it or not my kids,

Jeff: Yeah I do a little Xbox every now and then.

James: Xbox okay, so see that's an IP device. We see people carrying a lot of different IP-enabled devices. The other thing I wanna bring up is they call it operational technology. Just a fancy phrase for saying any physical device that normally wouldn't have an IP address stuck on it and it does now. And by physical device, I'm talking about the power grid. Mechanical devices, things that are on an assembly chain. Machines. For years we've been doing network connectivity to things like, what's it called? Pipelines. And power supply generators. Wind turbines and things like that. That more and more with operational technology, we're sticking IP addresses on everything. So as you get into eventually cyber security, but is you get into the IT world, you gotta start thinking about all these different end points. And I'm just listing a bunch of physical ones, smartwatches, pipelines, robots, when I say robots that are assembling cars in Detroit or Kentucky or Japan, wherever. The other thing that is interesting though is what I call logical end points, I guess I don't call them logical end points, that's just what they're called. In the cloud. Nowadays you can set up a cloud instance in Azure, Microsoft Azure, or in AWS or anywhere else of a logical desktop that you can set up and it'll travel with you wherever you wanna go and you can access it on your mobile phone, you can access it on your notebook or whatever and it goes with you no matter where. So even, "Oh gosh I left my computer," it doesn't matter anymore. If you can get up to the cloud via somebody else's device. So there are so many different types of end points that you have to support now as a tech support professional. And I would argue that's kind of the first step that you're probably gonna take getting into the IT world is this idea of being a tech support professional. And that's where you learn to support, not only the consumer end points, like Jeff you and I have been talking about, but also you'll start supporting servers, the things that we go up to whether it be a web server or a database server, ecommerce, you get the idea. As a tech support professional it's a very rich area. That's why, I don't know if you can see it, my shirt here, says A+, can you see that Jeff?

Jeff: Yeah, yep, dig deep.

James: There you go. The idea that with A+ you do dig deep, not only into end points, but eventually all the networking things that you need to learn in order to move on and become a security person.

Jeff: Yeah, so let's talk about the big three certifications.

James: Sure.

Jeff: I know recently Security+ passed half a million certification holders, so to my knowledge it's the most popular security certification in the world and I think that's the goal probably for people watching. You wanna go A+ and Network+ and then eventually get that Security+ certification.

James: That's right.

Jeff: So why don't we walk through the different certifications here.

James: Sure man, yeah.

Jeff: So obviously you wanna start with A+. Let's say someone really has no cyber security knowledge, maybe they're fresh outta high school, fresh outta college or maybe they're in another career. We see a lot of people transitioning into cybersecurity from all sorts of different roles. Someone wants to get started is the A+ kind of the first thing that they should pursue I would imagine?

James: A lot a times it is. If somebody is really making a transition and they've not been tech savvy, we see people who are what we call pioneers. They may not know their tech real well. But, they want to get into it for whatever reason. 'Cause first of all there are a lot of opportunities in it. So we can start them out with A+, that's a classic starting point. There's also something we call ITF+, technology fundamentals, ITF. And that really sits before A+ and that's something that people, if they really need to make sure they get their fingerprints on things like the beginnings of, I shouldn't say the beginnings, but it's not a history course. But to understand what ARP is, what a MAC address is, to understand how computers of various ilk, various types, work. Not just a PC, we're in the post PC days these days, but how those things work, how search works, how networking operates, how storage works. So ITF+ could be a really great way to start things out. But A+ is often where a lot of people start. Here's the thing I'd like to bring up, as people start their career down the, or up I guess we'll say the big three, I'll say down because I'm a real pathway based kinda person. I love to do a lot of hiking and things like that. So it's all about learning pathways for me. So, I'll say you go down the path and it's a good path. A+, Network+, and Security+, people were calling the big three because those are the ones that have done very well of many of our certs. But the reason why they've done well is you've got your end points in A+, right? And then with Network+, you've got how to stick those end points together. How to network them together. And then with Security+, you basically talk about how to secure the network devices and also the transmissions that go between end points. So another thing I like to bring up real quick, as you go down A+, Network+, and Security+, like I said, if you got a lousy degree like I did, I got a degree in English and then I made up for that by getting a masters degree in English and then I made up for that though by getting a PhD in unemployment, in English. And so what I did after awhile is I had 2 3/4 kids and I switched back to security, to networking. So I myself am a pioneer in a sense. I'm what I call a retread. And part of my retread going down the pathway was getting the big three. It majorly helped my career. So I got all those college degrees and I wanna point something out, if you don't have a college degree, you don't need to go get one in order to get A+ certified or to go down that pathway if you know what I mean Jeff.

Jeff: Mm-hmm, yeah, yeah.

James: More and more companies are not asking for a four year degree yet. If you go into management, maybe a four year degree would make sense, eventually. But why not get a job with A+, Network+, Security+ and then have the company pay for your college degree as you're working. I mean this is kind of the new pattern that's happening.

Jeff: Yeah, I wonder if you could talk a little bit more about A+ in particular. Recently our marketing team with InfoSec we went out to Vegas for Black Hat and you guys had your CompTIA partners on at some of the same times.

James: Yeah, that was cool.

Jeff: So I was able to go over and sit in on your talk on the A+ and there was just some really interesting stuff you brought up about how the help desk role is maybe changing and evolving. So, yeah, wonder if you could talk a little bit about that so people who are going into that role, really know what to expect.

James: You bet. Over the years I've been lucky enough to go talk to various companies and they tell me how their help desk role is evolving. And one of the first things is that there's not a whole lot of repair that happens in corporate environments. And we could talk about how that's a good or a bad thing. And when I say not a lot of repair, I'm not saying none, but we are in the post break fix period. I remember 20 years ago when I first started getting A+ certified, you actually did. You got into the PC and you replaced a video card or you determined what the IRQ problem was or the hard disk, you get the idea. Nowadays what happens more and more is if there's a problem with your mobile phone or with your Windows surface, or with your MacBook or whatever, you throw that thing away, or that thing goes away and the information that's on that device then gets shifted to a new device. So what's happened is that with the death of the break fix era, I kind of was worried in a sense that well that means the death of A+. If you're doing that support and it's now gone, fixing physical devices, that's largely gone, I shouldn't say fully gone. Then we only need this many A+ people instead of this many.

Well, actually it's, we need more. There are more jobs posted for tech support than ever before. Then there were in 2003 when break fix was still a thing. And the reason is is because you've gone to logical forms of support. You're now basically saying okay I've got a phone here that is breaking. I don't know if you can see it here, but it has all sorts of cracks on the phone and things like that. I'm getting a new phone actually because this thing is too broken. So the question becomes, and you can say, "Well James, that's done automatically now." If you go to a new android, all that stuff will get shifted over automatically, or automagically. Not so fast. We need tech support people to understand how all of that works. We also need tech support people to do the account resets, to set up the multifactor authentication, all of those things because a lot of end users aren't interested in being power users. They're intended in using that technology and they need a tech support person to help them do that. And so that's one reason why there are more tech support jobs than ever before.

When I was in India, I was talking to, I was in Hyderabad and I was in also Bangalore, and between those two places, I can't remember was it 10,000 or 14,000 tech support workers? And Dell was having very serious discussions about what is the future of the help desk looking like? Will we even have a help desk? Do we even need one now that things are moving to the cloud and things like that? And they had a very honest discussion with themselves. They brought me in as a part of that. And the answer is, yeah, they need tech support, but those skills that the average tech support person needs are radically, fundamentally different than there were even five years ago or 10 years ago. The tech support world is much less script based and by script based, if any of you have ever been in a tech support job before, back in the old days it was somebody calls in and the possibilities of the devices that you would support would be three or four devices. And then you'd say, "Well okay, what's the device?" And "Okay, have you rebooted it?" And then the person describes what the problem is after you ask if they've rebooted it. And then you basically type in a couple of things and then a series of scripts will come up. And then you just read the scripts out to the customer. That's how the typical repetitive nature of customer support. That's how things have been for years.

But over the past five years especially, that script based support, where you just read something that comes up to you, that anybody can read. Two things have happened, one, artificial intelligence, machine learning, can read stuff too and probably better than you. And it can deliver that via a chat bot. It can deliver that via a self support page, much cheaper and much faster. But what's happening, the second thing that's happening though, is that the problems that end users are bringing up, are more complex, they require a thinking brain to evaluate the situation. And artificial intelligence is very good at taking known knowledge and then repeating it. Human beings actually aren't that good at it. We can repeat stuff but then we get really bored of it and we do a lousy job of it. Computers they never get bored really. But what computers are lousy at is if something unexpected comes up, if there's a trend that has a lot of outliers in it, computers don't get that sort of thing. So that's why we need somebody with really good people skills, it's one of the major things. Really good listening and analytic skills and also who can take knowledge that artificial intelligence gives them and then draw conclusions. 'Cause computers still aren't all that great at drawing conclusions. You'll read stuff in the media about how they're figuring it out. Yeah they are figuring it out, but for the next several years they ain't gonna figure it out yet.

Jeff: Yeah, yeah.

James: So those are some things Jeff.

Jeff: Okay, yeah, so let's spend just a few more minutes talking about the other certifications.

James: You bet.

Jeff: And then we'll open it up, let you do a demo, kinda show some stuff in action.

James: Sure man.

Jeff: And if anyone out there watching has any questions, feel free to drop them into the live chat and we'll answer those as well. So, yeah, sounds like A+ is really associated with the help desk role.

James: Very much.

Jeff: Going on to the Network+. What kinda jobs is that associated with and how does that really expand on A+?

James: You know with Network+ that's a really exciting one to be honest. The one that I like to geek out on the most is Network+. With A+ it will introduce networking. With Network+, you're really gonna learn more about exactly how not only local area networks operate so that you can set up your home office, things like that. Or help support other business offices. What you're really gonna get to do with Network+ is understand how exactly how the internet works today. So you're gonna learn about IPv4, the version of IP that most people know about. You're gonna learn about IPv6, which is the latest and greatest version. About routing, about how to set up VLANs, virtual LANs on switches. So the idea is that with Network+ you will be able to say, "Okay, I can for that company as they move to the cloud, "I can make sure that the network pipe, "the network bandwidth is good enough and big enough." And you'll learn about things like quality of service. Like Jeff, you and I have been talking, right? The reason why you and I are able to talk so well on this and also so that you can see my lovely little dungeon that I'm sitting in in my lovely little shirt here, is because quality of service has been established between your network and mine. You and I didn't do it. It was done by a networking professional. And to prioritize voice, 'cause if voice doesn't get properly prioritized, then it gets mixed in with all the other stuff. All your web traffic or your email traffic. And when that happens then weird things happen. Drops, the wonderful buffer, circle or whatever, or people's voices start going like that. You've heard all these things.

Jeff: Yeah.

James: You'll be doing that sort of thing as a network professional. But you won't understand things like quality of service or how to do it unless you first get some of those fundamentals about things like what a MAC address is? What RPF is. Understanding how IPv6 or IPv4 encapsulates packets and how those things work.

Jeff: Yeah, I'm always interested to ask people if there's anything that's particularly different for people to grasp. Like any common concepts in Network+ or in A+ that you find students who are new to IT or security

James: Oh that's a great question.

Jeff: have the most difficulty grasping. Or maybe if it changes person to person.

James: The first thing I'll say is that a lot of people think in order to get into an IT job, they need to be a math genius. Calculus expert, take all this math. Trust me, I call myself a math atheist. I'm not even sure it exists. It does. But I've only been recently, last 10 years, been able to do any sort of numbers in my head and I'm pretty good at using computers. So, you don't have to be a math genius. The other thing is you don't have to be a programmer to use a computer.

Jeff: Mm-hmm.

James: It helps, it does help. A good networker, a good tech support person, should be able to create little scripts that automate things and things like that. But anyway, your question was the tough things. I think one of the first things in Network+ is that idea of how computers communicate with binary and converting things between binary, hex, and whatever. I guess I'm getting into kinda computer scienceville, but I've found that understanding subnetting for example required a certain amount of math that I found difficult. But you should learn how to do subnetting. I realize there are subnetting calculators now and things that do that automagically, but as you go in and have to configure a VLAN, you will be asked for a CIDR notation for your network. You will be asked for well what's the subnet mask? You may not need to go into the zeroes and ones and the bits and all that stuff of calculation, but actually if you get that background and that foundation, you'll find yourself using that constantly. I found that kinda tough. I think another thing that is confusing are all the different environments that you need to learn. It's like some people just wanna stick with Windows. Some people just wanna stick with Linux. Or with MAC, or with whatever. I think juggling and making sure that you are equally skillful in all of these different environments is a very good idea. And I think that's kinda difficult for people too.

Jeff: Mm-hmm, yeah, so we touched on A+ and Network+, maybe just briefly touch on what is it you're gonna learn in Security+.

James: You bet.

Jeff: Is that just kind of a broad, just kinda touch on everything and get a good baseline analysis type of cert or how would you describe that?

James: You know we focus all of our certs on particular job roles so with Security+, you're gonna be doing basically something that a level one security person would be doing. It often will be called level one or a security professional. You could even say something like, I would say the job role, suddenly I'm blanking here, sorry. The job role that is important for Security+ would be something like a security administrator.

Jeff: Mm-hmm.

James: And so this is somebody who would be able to go in and take a look at the log files of a Linux system, log files of a Windows system or a MAC and say, "Hm, something odd is going on here. "A user has been added," or "There's an open session that has been opened "that shouldn't be." So this is somebody who can understand, for example, we'll go with an older technology, firewalls. Firewalls used to be the greatest thing 20 years ago or more, 25 years ago. They're now table stakes but you still need to understand how they operate. Security+ teaches how to block or how to allow certain forms of traffic. But see you wouldn't understand how to do that unless you understand your ports. You know there are 65,000 and change, over 65,000 individual ports for any one IP address.

Well, so, how do you understand how each of those ports work? You don't have to understand 65,530 ports, but you do need to understand the privileged ports. You know from zero to 1,024. You do need to understand how sockets are opened up. Security+ is gonna teach you how an application, for example, such as a web browser opens up a network connection. You'll understand how to harden an operating system. So to shut down certain services and how to start certain other services. You'll understand how viruses work so that you can really, truly understand why updating virus definitions is important. If there's been an attack, what does a SYN flood look like, S-Y-N. What does that look like? But you're not gonna understand what a SYN flood is unless you understand how TCP, I'm getting back into Network+, how TCP makes a connection. It's basically a little conversation, it's called a three-way handshake that each time a TCP connection is made, it starts out with a certain handshake. But that can be manipulated, that handshake. So in Security+ you learn about how that handshake is manipulated and it can manipulated to turn it into attack that denies services, that ends services that can actually crash systems or flood network pipes, fill up the bandwidth. You can also manipulate a TCP connection to make it look as if you and I are talking, but a bad guy comes along and knocks you out of the equation. You're now not in that network connection and the bad guy can take over that connection. So I think Jeff I'm talking to you or I'm sending you an email, but in fact I'm sending it to a bad guy. So those are redirection attacks.

Jeff: Yeah, yeah. Yeah so let's just talk real briefly about some entry level careers.

James: Sure man.

Jeff: You know I know you've kinda been talking about how each certifications applies to these different job roles. One of the things that we do with Infosec Skills, the training platform that you can get free for 30 days if you go to that URL there, we've mapped all of our training to the CyberSeek roles so there's I know CompTIA, Burning Glass, and NICE, they partnered for CyberSeek data Oregon.

James: Yeah.

Jeff: I think you, did you have some involvement in that?

James: No personally, well a little bit, a little bit. Most of that was done by our research team, a guy named Tim Herbert who led that and it was an NSA grant and he worked with a lot of different security providers as well, other security certifications. With Cyberseek you can go up there and you can identify through Burning Glass and through CompTIA, what the job roles are and what the open jobs, and then through the NISTs through the NICE initiative, we mapped it to a lot of open job recs in the Department of Defense for example. And then throughout each of the United States anyway. We went in there and were able to identify not only the jobs that are available, but the types of people who are certified and how many more certified people we need. Pretty cool thing.

Jeff: Yeah, we actually did a video podcast with Tim Herbert. So if anyone out there watching is interested to learn more about Cyberseek, you could check that out on a YouTube channel. Also I should bring up in the YouTube description, we have a four page flier on breaking into cyber security and on page three of that flier we have all 10 of the roles listed and you can actually click on any of the roles and it'll take you to our website and all of the training, all of the CompTIA training and all the other training that we offer is actually mapped to those roles. So for example here, we have four entry level roles from Cyberseek, cyber security specialist, cyber crime analyst, incident analyst, an IT auditor, so if you wanna see what specific trainings are associated with either of those roles, you can download that flier, go to our website, and see all the trainings there.

James: It's really cool.

Jeff: Yeah, so just overall, someone works their way up, they get to Security+, what kind of jobs and tasks can they be expected to do? Like it mentions we have the specialist, the cyber crime analyst, incident analyst, some of the roles here in Cyberseek. If we would just talk about a couple of different job options out there?

James: You bet. One of the first jobs as a security administrator is somebody who for example, I was just talking last night to a gentleman who's Security+ certified and his job as, I'll use the term entry level, it's always tough to say entry level security, it's kind of an oxymoron, right? But, he is a security person who is at the beginning of his career in the cyber security world. And so his job, he works for a healthcare company, and his job is to listen for SYN floods, for floods of network traffic that are not legitimate. His job is also to help listen in for botnet attacks and also ransomware attacks. And then he basically runs a few applications to determine the true IP address origin, where those attacks are coming from and then he basically creates a report and sends that in as a support ticket to network professionals and to more advanced security professionals so that they can reconfigure things such as firewalls, intrusion detection devices, and end point security tools to deny those floods and to make it so that the systems are less prone or vulnerable to attacks. So this person isn't actually reconfiguring the firewall himself, but he takes a look at the log files and he takes a look at, he uses an application, a particular SIM called ARCNET, A-R-C-N-E-T. There are many of these types of things out there. There's AlienVault that's another one like ARCNET. There's Splunk. So an entry level beginning security person doesn't configure those things like ARCNET. Doesn't go in and mess with those things, but they do read the results of and the readouts and the, how should I put it, the visualization that comes out of there. And then they basically help send alerts along the way.

That's what one entry level person does. I know another person who basically goes around and helps harden servers. Hardening meaning improve the patch level of the server. So if there's a vulnerability out there, that person makes sure that the patches get applied. He's responsible for working with thousands of different, well probably, yeah, thousands of different servers, and end points and switches to make sure that they are less vulnerable to attack, that's what he does all day long. And it doesn't sound like a hard job or whatever, but here's the thing, it's easy to say, "Well it's easy to apply a patch, "you can do that automatically, you don't need that." Well that's actually not the case. A lot of times the servers that we use have a lot of custom code on them, applications and things, that if you do a patch, an update, on the operating system, you may break that code, you may break the programming that is on that server or on that system. So you have to be pretty savvy when you apply a patch on a network system because you could end up breaking functionality that a business needs.

Jeff: Mm-hmm, yeah.

James: So, those are things that a security professional does. A more advanced one would be a pen test, you wanna talk about more advanced stuff, or do have other stuff you'd like?

Jeff: Well first we have a question from someone in India and they are wondering if there is any security job roles specific to that country. So, I think what kind of a bigger question is, geographically are they different flavors or is it pretty much the same country to country?

James: No, I find that there are certain flavors and things. For example, some countries, because they do more support for programming, they might have, when I say support for programming in India there's a tremendous amount of coding work that is done for the rest of the world. India does that. They also do a lot of help desk and support. So anybody who does cyber security work, it may end up in those particular regions, in those particular sectors I should say, in help desk or in programming. What I also find though is that it really is very similar from region to region. There are local flavors. But think of it this way. I know a gentleman, he doesn't live in India, he lives in Romania and his job is to secure, I'm oversimplifying, but his job is to secure oil derricks in the North Sea. His job is to, you know what an oil derrick is? The things that suck oil out of the ocean, right? His job is to make sure that all of the Windows and Linux systems that control all of that oil pumping facility are secure. He also helps secure banks.

I talked to a group of people in India, I would say there were about 35 people in the audience. A lot of them were pen testers, a lot of them were, they go in and they break into with authorization they break into things to test security. A lot of them were also people who were becoming security analysts. They're the ones that listen for attacks. The reason I'm bringing this up is those guys worked for, some of them worked for the local bank that I was presenting to, very large bank in India. So there's a lot of financial services that you could help support in India. But I also noticed half of the audience, they were people who worked for a company that provided security services worldwide and those people wanted to learn more about pen testing because as good as they were, they needed to learn more. And so, you're gonna find that in India yes, you could join a company that does penetration testing services for the world or security analytics services, meaning that they listen for attacks. So that's something that I've seen a lot of Indian companies, a lot of Indian employees prepare for.

Jeff: Mm-hmm, yeah I see we have just about 20 minutes left. So maybe if you want to do your demos next and kind of give us some hands-on.

James: Sure, we'll give it a shot here. So what we'll do here folks is we can start at the more A+ kind of level here and talk about the different types of end points that you support. And so let me see if I can share my screen here. Let's see if you can actually see it.

Jeff: Yeah sure, and while you're setting that up and getting it ready, just really briefly I wanna take 60 seconds and tell everyone a little bit about Infosec Skills. So if you go to that URL there, infosecinstitute.com/ncsam2019, there's a form you fill out just put in your name, email address, some contact information and you'll get 30 days of free training to Infosec Skills. There's kind of a little demo here playing on the screen, but the whole idea with Infosec Skills is you have all these on-demand trainings. So there's all the different learning paths like we're talking about now, A+, Network+, Security+, plus more advanced ones like PenTest+ for example, CASP+, and then other non CompTIA certifications. And each of those learning paths is made up of courses and we also have hands-on cyber ranges. So if you look here on the screen it's a brief demo of how those cyber ranges work. So for example we have some questions about ethical hacking coming in. If you are interested in learning ethical hacking you can actually go into our ethical hacking cyber range and play around in these actual virtual machines and learn that way or you can take a learning path such as PenTest+ for example and watch the videos and get the courseware and stuff for that. I just wanted to obviously you can actually play around with this yourself for free so I'd recommend if you want to know more about that, just go to the URL and get your Infosec Skills account and see what's in there. But yeah now I will,

James: Hey Jeff, the fact that you bring that up is really cool that you do hands-on training 'cause the main way that you're gonna do anything useful in the IT space is I call it learn by playing. You gotta play with the technology and so it's really neat that you have a cyber range and you have hands-on ways to do it. And so for example if you wanna become a pen tester, go the pen test route. So you're going down that pathway, A+, Network+, Security+, then PenTest+ is a great way to go. But the only way you're gonna be able to do that is to learn by doing. And so one of the things I wanna point out, sorry I forgot to mute my phone. Wanna point out is for example, you may think to yourself "Well gosh James, "I don't have a whole lotta money. "It's hard for me to do this stuff, "to learn this stuff." To learn the cloud which you learn in A+ first thing, and then Networking, you learn how to network to the cloud, and Security+ you learn how to secure the cloud.

Jeff:  Yeah, so, what was your first labor security job?

James: You know some of my first jobs that I ever did was doing basically from a security perspective, I was doing a lot of cyber security work. When I say cyber security work, I was doing pentesting.

Jeff: Oh okay.

James: That's what I was asked to do. When I first started doing it, I was asked to write up the results of pen tests 'cause I was a pretty good writer even though I got a PhD in English, I still could write. And so they knew that I knew my computing really well, my security really well, and they hated to write or they didn't really write very well and so they said, "James, you go ahead and do that." So that was one of my first jobs. And then after awhile they said, "Well James, we need you to go out "and break into systems."

Jeff: All right, I think we're about outta time if you wanna wrap up here. Is there any final advice or anything that you have for people looking to get started in cyber security in terms of a key takeaway you want them to have going forward?

James: Well, one of the things that I would do is get yourself a good mentor. Somebody who's honest. A good mentor to get you into cyber security and trust me, whoever she is, whoever he is, is gonna basically say, "Well there are some fundamental things you need to learn." And you're only gonna learn those fundamentals by getting for example, let me show you what I do. If you haven't already done it, get a virtualization solution. In this case, I'm using Oracle VirtualBox manager. Or if you have the money, you can go up and create something on the cloud. Let's see, this is a workspace manager, you can do that. But in other words, if you have a PC, and you have the bandwidth, notice what I've done here. I've got how many systems there? I'm not gonna count them, over 10 virtualized systems. Get them up and running and learn how to play with them. I have an Ubuntu system here running, Ubuntu is a version of Linux. Get these systems going here. Learn how they work. Learn how you can network with them. Notice what I'm doing here, I'm pinging cnn.com via IPv4 and I'm pinging it via IPv6. Notice those two things look different. Why do those look different? What are those commands that worked? The only way you're gonna really learn how to do things is by playing around with them and so you can download versions of Windows 10 and tons of versions of Linux. Get them going and play with them. There's my main advice. Get a mentor and then play around.

Jeff: Awesome. Well, thanks for joining us today James, we appreciate it.

James: Anytime man.

Jeff: Yeah, and everyone watching out there, if you made it this far to the end, remember to go to that URL there infosecinstitute.com/ncsam2019 and get your free 30 days of training.

James:Jeff thank you so much man, I really appreciate it.

Chris Sienko: I hope you enjoyed today's episode. Just as a reminder, many of our podcasts also contain video components which can be found at our YouTube page. Just go to YouTube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and other webinars and as ever, search Cyber Work with Infosec in your podcast app of choice for more episodes. As a reminder, in honor of National Cyber Security Awareness month, Infosec is giving away a free trial month of Infosec Skills, a subscription based skills learning platform. If you'd like to learn more about this offer, please visit infosecinstitute.com/podcast and use the Start Learning link to claim your free month and again, do it before October 31st. Thank you once again to James Stanger and Jeff Peters and thank you all for listening. We'll speak to you next week.