Cybersecurity Apprentice Program: A CyberStart JumpStart

My student employment/apprentice/intern program (or whatever you want to call it) needed a jumpstart and frankly, so does the cybersecurity workforce at large. I’m not entirely sure how to begin this post because there is just so much to say. So, let’s just start with some problem statements. If you just want to read more about what we are doing at Stony Brook to establish a cybersecurity apprentice program, skip this section altogether and head straight to the next subheading.


The Problem(s):

  1. We’ve all read the headlines. CYBERSECURITY WORKFORCE SHORTAGE BY THE MILLIONS. While this is not an exaggeration, it is worth expounding a bit. According to the 2018 (ISC)² workforce study, that shortage is close to 3 million globally, but over 2 million of those job vacancies are in the Asia-Pacific region. So, what is the situation closer to home? The same study tells us that ~500,000 of those vacancies are in the U.S. Ok, so we definitely have a problem as an industry. Can cybersecurity practitioners do anything to directly help the cybersecurity workforce shortage?
  2. Women are one of the groups significantly underrepresented within the cybersecurity profession. That is an understatement. You have no doubt heard the statistic that only 10-11% of cybersecurity positions are held by women. The aforementioned workforce study published one of the highest percentages I have seen to date…24%. Even if that number is accurate, it’s too low. Way too low. If our field represented the relative percentage of humanity it should be closer to 50/50 male/female. How can we attract underrepresented groups, such as women, to a career in cybersecurity?
  3. Hiring students to work within an information security department is not a new concept. Not by a long shot. Some of my esteemed colleagues have thriving and impressive cybersecurity internship programs already. For most higher ed CISOs and industry partners however, finding students with the right qualities and the fortitude to make a meaningful contribution to a real cybersecurity department can be challenging. Many students I’ve spoken to do not have the right expectation when they interview for a job with us. They imagine days filled with malware analysis, Wireshark and Metasploit. It’s not that we don’t do those things, but we do many other things too, like security awareness efforts and policy writing. While I would love to pay a student to play with Wireshark and ask us questions, my small team does not have time to stop their operational responsibilities for extended periods of time to educate their curious minds. How can we find students that have realistic expectations and the right qualities to be successful within an ‘all hands on deck’ cybersecurity department?
  4. There is no shortage of action on any given day, which is true throughout most of academia due to our diverse and unique computing requirements. Having a relatively small team means we are extremely busy all of the time. While this also makes it an ideal place for a student to get a wide range of hands-on cybersecurity experience, it introduces a unique barrier as well. It takes a significant work effort to begin and sustain a thriving internship/apprentice program within our department, and to do so with our existing staff level would cause very serious responsibilities to suffer, and the resultant increase in risk to our organization is not a tradeoff we can afford to accept. How can we start a meaningful, mutually beneficial program with only a reasonable amount of work effort?
  5. An alarmingly increasing number of CISOs tell me that they do not like to hire new graduates with cybersecurity degrees. Anecdotally speaking, they are having great success with new hires from a diversity of academic backgrounds, such as psychology and the humanities, for example. Sadly, many in the workforce today do not consider a cybersecurity career unless they have a so-called “relevant” degree or computer science background. I can’t tell you how many students I talk to that are shocked when I tell them my programming experience is limited to “VCR” and “ALARM CLOCK.” (Yes, I do know what a for loop is, but I have never used one to accomplish anything useful aside from printing “Hello World” an infinite number of times). How can we attract cybersecurity talent from groups with non-STEM academic backgrounds and work experience?
  6. When we have hired students, their knowledge of even the most basic information technology concepts was lacking. With little or no real-world IT experience, many did not truly understand how things like DNS and DHCP worked. Active Directory? Forget it. In my mind, an entry-level cybersecurity position is not an entry-level position. By the time we filled in all of those gaps for our student hires, it would be graduation time and we hadn’t even gotten to the security part. How could we onboard a student expediently, without sacrificing too much of our staff’s limited time?

The Solution(s)…maybe:

What if there was a fun, online game that we could offer to all current college students that increases security awareness for all who play? What if this same game required no prior technical knowledge, and it could help players prove that they have the essential qualities to be successful in a cybersecurity role? What if there was an associated online course that taught core information technology fundamentals, and then layered on associated security concepts?

Do I have your attention? As it turns out, that game does exist and so does the associated course, SANS CyberStart Essentials. In my opinion, CyberStart Essentials has the potential to onboard many thousands of future cybersecurity professionals, and fill in knowledge gaps for thousands of existing professionals. I just didn’t know about either until Alan Paller, the founder of SANS, reached out to me and agreed to partner with Stony Brook University as a proof of concept that the game could be used effectively within the higher education space. That was almost a year ago today, as he was on his way to RSA 2018 to do his annual keynote; I am writing this article sitting in an airport on my way home from RSA 2019. In between those two bookends in the stream of time, some other higher education CISOs helped us brainstorm a coherent approach in a one-day in-person workshop, and their collective wisdom and insight was priceless. Early on in this endeavor, Mandy Galante joined SANS full-time as the CyberStart Program Manager, and she has been working with us tirelessly to ensure the platform is conducive to our use case. While we are only about halfway through our proof of concept at SBU, here is what we are doing:

  1. As part of Cybersecurity Awareness Month in October 2018, we advertised this exciting new online game via our career center, social media posts, and online postings. We even had a pizza party, complete with dim lighting and techno music. It did not take much effort to generate interest in this program; students were fascinated by it. We stressed these key themes:
    1. No prior technical experience required.
    2. Play to find out if you are an extraordinary problem solver.
    3. If you do well, you could win access to additional online training and potentially a paid apprenticeship with our team.

      CyberStart Pizza Party

  2. Players first tried an abbreviated version of the game that was free and could be anonymously accessed on the Internet. In fact, it was this version they played during our October pizza party. If they didn’t like it, there was no need to continue. If they wanted access to the full version, they had to request access via a simple online form. We validated their request by asking them what their favorite challenge was and why. We received over 250 requests and issued those students registration codes for the full version of the game.
  3. The players played…and played…and played. In fact, it was easy to see from the scoring that while some players opened the game, played it once, and stopped, many others – more than 50 of our 250 players – kept playing and earned an invite to the next phase of the program.
  4. The high scorers were invited to a celebratory lunch and an exclusive online collaboration space (the start of a cybersecurity club perhaps?), and officially qualified to compete for a student apprentice position with our department in the coming months. We will be using this group as our exclusive candidate pool. These students also won scholarships to the associated online course, CyberStart Essentials.

    CyberStart Celebratory Lunch

  5. We will be reviewing the scores and the CyberStart Essentials completion percentages, and then invite a subset of the top 50 or so students to interview for up to three student apprentice positions within our Information Security team this coming May. The first thing our new hires will do is complete the CyberStart Essentials course. We then hope they will spend at least two years with us as student apprentices as they get hands-on, practical experience. We also hope they will choose to pursue a career in cybersecurity. Time will tell.

So, will this program address some or all of the challenges I listed at the outset of this article? I can’t be sure yet, but I can tell you this: it has already increased security awareness within our student body, and it has created a buzz around campus, catching the attention of non-STEM as well as STEM students. And I am excited about our future apprentice hires this Spring/Summer. Since my scope as CISO has recently expanded to include Stony Brook Medicine, we might be able to hire more apprentices than I initially thought. Most importantly, in addition to complementing our small team, this might be a way to make a real difference across the country if this model is copied at other campuses. It’s truly win-win for everyone involved.

So far, I have no doubt that CyberStart is going to be just the JumpStart we were looking for.

Thanks for reading and don’t forget to subscribe.

SANS SEC503 (GCIA) Review

Ouch. My head hurts.

I am tempted to end my review right there, but this class is just too awesome. I would not be doing it justice.

This past May I attended SEC503, Intrusion Detection In-depth, virtually. It was the v-live format, essentially a live stream of the course at SANS Houston. As far as the format is concerned, I liked it more than on-demand, but not as much as being there in the flesh. You don’t get to network as well and obviously you miss out on NetWars and SANS @ Night, but the core part of the experience is kept intact. I had the ability to interact with the class via chat, which was definitely useful. If I typed in a question, the moderator would inform the instructor, in this case Johannes Ullrich. He would then respond verbally, which was a great way to interact with the instructor remotely. This was important to me because one of the primary reasons I prefer SANS courses over many others is the caliber of their instructors. Dr. Ullrich is truly an expert in the field and for those who don’t already, I would highly recommend subscribing to his daily ISC Stormcast. If you don’t know, now you know (yes, that was a 90’s hip hop reference)! I digress.

The course lived up to the hype. It has a reputation for being one of the most challenging SANS courses, and I would have to say that of the courses I’ve taken, there is truth to that. I will qualify that by saying I do not have a strong background in this area. I had a high-level understanding of packet analysis solely from SEC401, but otherwise this was uncharted territory for me. I am comfortable with IDS concepts overall and oversee a managed implementation of such, but my hands-on experience is limited. This course filled in all the gaps. I was able to work with Snort quite a bit, and some other great solutions such as Bro, SiLK and Security Onion. I learned very quickly that aside from basic functionality, Bro requires basic programming capability to support, hence the limited adoption. I also learned more about IP, TCP, UDP, and IPv6 than I ever cared to know. But more importantly, I now have a crystal clear understanding of what is normal and what is not when looking at a series of packets. It also provided plenty of flight time with tcpdump and Wireshark.

Wireshark screenshot

I used the full 4 months to prepare for this exam after taking the course, partially due to external time contention (being appointed interim CISO shortly after I took the course) and partially because this material was outside of my comfort zone…not my cup of tea, as “they” say. I still managed to score a 95 on the exam. I’m not sharing that to brag. I wanted to reassure my blog readers that if you are inclined to take this course, you can be successful, even if you’re not already a packet ninja. If you want to be one, this is a good place to start. I would like to set your expectations, though. Even after taking this course, I would not consider myself a black belt. Brown belt at best!

Do I recommend this course…absolutely. Keep the Advil handy, though!

SANS SEC504 (GCIH) Review

There was one problem with this class…I didn’t want it to end. Six days of class and two months of supplemental studying only whetted my appetite for what SANS has to offer. SANS SEC504 (GCIH) was the perfect sequel to the SANS SEC401 (GSEC) course I took over a year ago. In similar fashion you cover one book per day, but the books are only “yay” thick (a welcome reduction compared to 401):

picture of book thickness compared to pencil

Let me give you 5 reasons why this course is a must-do for any security professional.

1) John Strand: He took over authorship for this class from Ed Skoudis (his virtual big brother) and to say John has done the class justice is an understatement. He shares many firsthand experiences and even some tools in this course that were built by his own company, Black Hills Information Security (BHIS). For instance, on day 5 you get to “infect” yourself with a command and control bot that calls home using a common HTTP parameter. It’s amazing to see things from the perspective of a “bot herder” and to leave the course with a way to test your NGFW, IDS and maybe even your MSSP. Plus, he throws in a bunch of little tidbits that are not part of the actual curriculum. Thanks, John.

2) MP3s of the course: John was not the in-person instructor when I took this course, Kevin Fiscus was. Fortunately, Kevin understood the material about as well as anyone in the world, aside from the actual authors. However, the beautiful thing about every SANS course is that a week after it concludes, you’re provided MP3 audio files of a previous class. In this case, it was a session that John Strand taught. A quick download allowed me to listen to the course during my daily commute. In other words…two instructors for the price of one!

3) Incident Response Phases: Day 1 was our foundational day which sets the table for the following 5 days of intense instruction. By the conclusion of the course, you will be uttering the 6 stages of Incident Response in your sleep…Preparation, Identification, zzzzzz, Containment, Eradication, Recovery, Lessons Learned…zzzzzzzzzzzzz. The ZZZ’s are not there because it’s boring, but because after each and every threat you review during the week you then commence to review how to identify such an attack, prepare for it, contain it and eradicate it. Over and over again that formula is followed. Really awesome approach and a great way to learn.

4) Netcat Relays, Buffer Overflows and Format String Attacks: Day 3 was the most technically intense day of all and filled in a lot of gaps for me, and created some new ones. You will go to bed this night with a headache and wake up with a newfound respect for the tools that make complex attacks trivial to carry out today.

5) Day 6 Capture The Flag (CTF): If you’ve never participated in a capture the flag competition, this is the perfect way to start. You break up into teams and use many of the skills you have acquired throughout the week. So not only do you spend most of the week thinking like a bad guy, you then get to BE a bad guy and break into actual systems in a lab environment. As Kevin Fiscus said, “Don’t overhack this, guys!” Throughout the week you are given many “hints” and even if you are used to CTF competitions, you will learn a lot and realize that sometimes the easiest way in is through the front door…no backdoors required. But you’ll know how to create those too if you so choose.

I don’t want to make days 2 and 4 feel bad, those are great too. The bottom line is that offense should inform the defense and this course helps you to take a close look at the offense. This is not a penetration testing course, but you do walk the line throughout it with the goal of identifying and defending against common practices used by hackers today. Yes, you also look at some tools that they use, but understanding why they use such tools and how they work is more important. The course has a defensive theme woven throughout.

A pass on the exam is very achievable. Like every SANS course, it is open book. The questions are mostly straightforward, but a few of them were kind of sneaky. Others make you interpret screenshots and identify the type of attack you are dealing with. There were quite a few on my exam about the actual IR process and what steps should be taken within each phase. If you prepare well, you don’t have to worry about passing or failing. It’s more a matter of how well you will do. If you’re not in the GIAC Advisory Board, make it a goal to get 90 or better on this exam so you can join the party. It is worth the effort. This was my second SANS course and my equation for success was the same: 1) Attend the course (online or in-person) and do all the labs while you’re there. 2) Listen to the MP3s in your car. 3) Read each book, highlight key phrases and create a detailed index.

For this course, my index was 18 pages long and 821 lines. It is essentially an Excel spreadsheet with 4 columns: Keyword/Subject, Book, Page, Summary/Info. I added several SANS cheat sheets to the back for reference and had the whole thing spiral bound at Staples for $5. Here’s a picture of mine, mostly blurred, so please don’t ask me to send you a copy:

GCIH Index Picture

One change I would suggest to SANS is to spend a little bit more time on identifying intrusion remnants on Linux computers. It is covered, but not to the extent I would have preferred. Don’t get me wrong, the 6 days were jam packed, so I’m sure the authors had to make some decisions along the way in terms of content. For instance, there was a lab on day one that walked you through looking for signs of intrusion on a Windows box. The equivalent steps were covered for Linux in the appendix, so I was able to go through that, but on my own time. Memory analysis is covered in two different labs, both of which focused on the memory dump from a Windows machine. This is clearly the most common scenario most students will face, but in my environment there are a large number of Linux computers to deal with too. Fortunately, the skills I learned can be extended to Linux with a couple of quick Google searches.

Major Takeaways: Defend your user accounts because when the bad guys have valid credentials on your network, YOU ARE IN TROUBLE. If you can’t detect an insider, you can’t detect stolen credentials. Stop trying to be a hacker. Be a security professional. Treat your internal network like it’s hostile…because it is.

Oh, one more thing…YOU’RE WELCOME.

Did you take this course or another SANS course? Tell us about it in the comments below.

Thanks for reading and don’t forget to subscribe.

Security Conference Round-Up

Just about once a year, I start to explore the various security conferences that are available, their approximate cost and when they are usually held.  There are a few summaries out there on the web, but most are exhaustive with way too much information or simply not enough. So, here’s a summary of conferences on my radar, based on 2015 data. Fortunately, the data does not change much from year to year so this will be a good point of reference in the future. This is far from an exhaustive list, though. There are smaller hacker conventions, like Derby Con and Hope X, which I did not thoroughly investigate, but are definitely worth a nod. The costs are estimated (assuming no discounts) and the descriptions are highly subjective, mostly based on hearsay. How is that for minimizing the usefulness of this post?!

http://en.wikipedia.org/wiki/File:DEF_CON_17_CTF_competition.jpg

Conference | Location | Approx. cost | Timing | Description
--- | --- | --- | --- | ---
Blackhat | Vegas | $5,500 | August | All the corporate heavies will be here; leans towards a hacker theme. Conference without any training is about $2,500.
Defcon | Vegas | $250 | August | Hacker convention. Cash only, starts right after Blackhat, lots of bad words. If you’re going to Blackhat, Defcon is a must do.
Educause Security Pro | Minnesota | $500 | May | Security within the higher ed vertical, heavy on peer presentations, REN-ISAC meetup.
Gartner Security Summit | Maryland | $3,000 | June | Calling all CISOs, managers and CISSPs! Strategic thinking and networking.
Interop | Vegas | $3,000 | April/May | General IT conference with a security track. Some tech, vendor heavy.
(ISC)2 Security Congress | Anaheim | $1,000 | Sept/Oct | Calling all CISOs, managers and CISSPs, with some technical mixed in.
RSA Conference | San Fran | $5,000 | April | All the big shots will be here. Corporate with broad security coverage. Conference without any training is about $2,500.
SANS | Various | $5,000 | Various | More training than conference, top-notch educational opportunity. Heavily technical with some strategy mixed in. SANS 2015 in Orlando is a main attraction.

You can check out my 2014 Interop NY review here, but there will not be a NY version this year. Vegas only, so my guess is that quite a few people agreed with my assessment.

I’m sure I missed some really good ones. Please add them to the comments below. Thanks for reading and don’t forget to subscribe!

SANS SEC401 Course Review

I recently completed the SANS SEC401 Security Essentials Bootcamp course via an online on-demand webcast.  If taken in person, this course runs 9 AM to 7 PM for six days…hence the “bootcamp” label.  With the on-demand format, you have the added privilege of viewing the lecture content at your own pace over a four month period.

If I can summarize the course in one word it would be, “AWESOME.”  The writer and instructor of the course is Dr. Eric Cole, a fellow of the SANS Institute.  His enthusiasm is contagious and he made approximately 50 hours of lecture content fly by in what felt like a mere 49 hours.  That is no simple feat considering the content.  Each day is dedicated to a particular topic:  Day 1:  Networking Concepts, Day 2:  Defense In-Depth, Day 3:  Internet Security Technologies, Day 4:  Secure Communications, Day 5:  Windows Security, Day 6:  Unix/Linux Security.  Oh, and there is a corresponding book for each day…

SANS GSEC401 Text Books

I read every word and went the extra measure of creating an index for all 6 volumes, which SANS intentionally neglects to include to encourage “Learning.”  I followed the advice posted by this fellow SANS trainee so I won’t bother going into detail.  My index looks eerily similar to his and I found his blog posting very useful.  In total it is 28 pages long.

What I especially loved about this course is that Dr. Cole added so much real world context to the material.  The course differs from the “textbook” model of teaching, and as far as I’m concerned, this should be a requirement for all security courses.  Textbook and real world are often misaligned.  The content addressed these challenges head on.  On the other hand, examples were provided of when textbook recommendations have been ignored and at what cost.  For example, he talked about a scenario where an adversary breached a very large network.  One of the well-meaning administrators sent a message over email in reference to cleaning up the breach.  Oops…they never had a chance because the adversary read the email and inflicted as much damage as possible by Monday.  This highlights the importance of out-of-band communication in the event of an incident.

There were also tons of hands-on labs and practical content.  I spent the time doing every lab and had the opportunity to play with tools like tcpdump and even messed around with steganography.  It was kind of fun hiding a secret message to my wife within a jpg picture of our kids.  Hands-on training is a simple, but powerful learning technique and SANS makes good use of this as part of their curriculum.

Compared to the CISSP content, which I consumed 6+ months ago by means of a self-study program, I found there to be some overlap.  More often than not, the SANS training looked at hands-on topics more granularly, but areas of theory were covered in more detail within the CISSP courseware.  For example, the Bell-LaPadula model was briefly mentioned in SEC401, but explained in further detail by the CISSP.  Overall, I am happy with the order in which I pursued these credentials, but they could have been tackled in reverse order just the same!

This class truly was a bootcamp and for that reason I did appreciate the ability to go through the material at my own pace.  In some regards, though, I think doing so is prolonging the pain, er, I mean, extending the fun.  There is something to be said for battening down the hatches and going off-grid for 6 long days versus trying to steal 6 long days from your normal schedule.  Some other courses, which are more lab intensive and collaborative, would not be as good if taken in this format.

SANS offers endless training opportunities and there is a case to be made for all IT employees to take some of their training.  For example, they have an entire course that focuses on Windows Security.  There’s another that focuses on Unix Security.  Secure Web Development?  They got that.  Let’s not forget Network Security…  The list goes on and on.  These courses are not just for security analysts.  They are for IT professionals who want to accomplish their job in a secure manner and I highly recommend them to all IT administrators.  Perhaps one person from each department could attend one SANS course per year?  Wishful thinking perhaps, but it would be a great investment and in line with our core values here at DoIT:

“We will actively hire great people, develop the growth of our staff, promote a diversity of voices, and support our staff.”

I will be taking the associated GIAC GSEC exam within the next week for the sake of putting a rubber stamp on this experience.  However, it’s really all about the journey, not the destination!

Some food for thought from the course:

1) Prevention is ideal.  Detection is a must.

2)  What is the risk?  Is it the highest priority risk?  Is it the most cost effective way to mitigate the risk?

3)  TCP/IP and TCPDUMP Cheat Sheet

4)  SANS Windows Tools and Scripts Download

5)  Baseline your systems while they are healthy by, at a minimum, documenting running processes, listening ports, existing users (especially admin and root level access UID 0) and admin group membership.
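One way to put item 5 into practice, as an added example that is not from the post or from SANS: a bash script that baselines the account side of a host (UID 0 accounts and sudo/wheel membership) and diffs a later snapshot against it. The functions take passwd/group-format files as paths, so the constructed sample below runs offline; pointing them at /etc/passwd and /etc/group gives the live baseline, and running processes and listening ports (the other items in the list) would be appended in the same tagged-line form.

```bash
#!/usr/bin/env bash
# Added example (not from the post): baseline the account-related part of
# a host (UID 0 accounts, admin-group membership) so a later snapshot can
# be diffed against it. Paths are parameters, so it runs on constructed
# passwd/group text as well as on a live /etc/passwd and /etc/group.
set -u

# Accounts with UID 0 in passwd-format input. Any name other than root
# here deserves an explanation.
uid0_accounts() {
  awk -F: '$3 == 0 { print $1 }' "$1" | sort
}

# Members of the admin groups (sudo, wheel) in group-format input:
# explicit members plus accounts whose primary GID is one of those groups.
admin_members() {
  local passwd="$1" group="$2"
  awk -F: -v P="$passwd" '
    BEGIN { while ((getline line < P) > 0) { split(line, f, ":"); gid_of[f[1]] = f[4] } }
    $1 == "sudo" || $1 == "wheel" {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
      for (u in gid_of) if (gid_of[u] == $3) print u
    }' "$group" | sort -u
}

# Write a sorted, tagged baseline so that comm(1) can diff it later.
write_baseline() {
  local passwd="$1" group="$2" out="$3"
  { uid0_accounts "$passwd" | sed 's/^/uid0:/'
    admin_members "$passwd" "$group" | sed 's/^/admin:/'; } | sort > "$out"
}

# Report lines added to or removed from the baseline; status 1 on any change.
compare_baseline() {
  local baseline="$1" current="$2" added removed
  added=$(comm -13 "$baseline" "$current")
  removed=$(comm -23 "$baseline" "$current")
  for a in $added;   do printf 'ADDED   %s\n' "$a"; done
  for r in $removed; do printf 'REMOVED %s\n' "$r"; done
  [ -z "$added$removed" ]
}

# Constructed sample data: a healthy host, then the same host after an
# extra UID 0 account and a new sudo member appeared.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/passwd.healthy" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
cat > "$SAMPLES/group.healthy" <<'EOF'
root:x:0:
sudo:x:27:alice
alice:x:1000:
bob:x:1001:
EOF
{ cat "$SAMPLES/passwd.healthy"; echo 'svc:x:0:0::/:/bin/sh'; } > "$SAMPLES/passwd.later"
sed 's/^sudo:x:27:alice$/sudo:x:27:alice,bob/' "$SAMPLES/group.healthy" > "$SAMPLES/group.later"

write_baseline "$SAMPLES/passwd.healthy" "$SAMPLES/group.healthy" "$SAMPLES/baseline.txt"
write_baseline "$SAMPLES/passwd.later"   "$SAMPLES/group.later"   "$SAMPLES/current.txt"

# Prints "ADDED   admin:bob" and "ADDED   uid0:svc"; CHANGED becomes 1.
if compare_baseline "$SAMPLES/baseline.txt" "$SAMPLES/current.txt"; then
  CHANGED=0
else
  CHANGED=1
fi
```

Store the healthy baseline somewhere the host cannot modify (a write-once share or your ticketing system) so a compromise cannot rewrite the reference it is compared against.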

Rating:  Excellent – I’d pay my own way … okay, not really, but that’s how much I liked it.

Thanks for reading and don’t forget to subscribe!