Career In Information Security

A presentation at c0c0n 2023 in October 2023 in Kochi, Kerala, India by Anant Shrivastava

Slide 1

Career in Information Security
Anant Shrivastava, Founder – Cyfinoid Research

Slide 2

Anant Shrivastava
• Chief researcher @ Cyfinoid Research
• 15+ yrs of corporate exposure
• Speaker / Trainer: BlackHat, c0c0n, nullcon, RootConf, RuxCon
• Open Projects:
  ○ Code Vigilant
  ○ Hacking Archives of India
  ○ TamerPlatform
https://anantshri.info (@anantshri on social platforms)
(c) Anant Shrivastava

Slide 3

We are talking about your career
• Career choices are hard.
• Think about them, but don’t fixate too much.
• Especially early in your career you can switch around easily (2-5 yrs).
Ultimately, remember:
1. It’s life; no one comes out alive.
2. Make decisions; if you don’t enjoy something, feel free to move away.

Slide 4

Infosec != Hacking
• Information Security is a job that deals with providing services to secure enterprises / businesses.
• Hacking is about exploring systems and finding the unknown.
DON’T MIX THE TWO

Slide 5

Information Security
Information Security is a field where we focus on securing information. The protection could be from malicious attackers or simply from unintended tampering with, or access to, data.
In short:
• keep the bad out
• let the trusted in
• give the trusted access to
  • what they are authorized to access
  • when they need the access

Slide 6

Domains of Information Security
• Security and Risk Management
• Asset Security
• Security Architecture and Engineering
• Communication and Network Security
• Identity and Access Management (IAM)
• Security Assessment and Testing
• Security Operations
• Software Development Security

Slide 7

https://joapen.com/blog/wp-content/uploads/2017/02/cybersecurity-map-1.0.png

Slide 8

Role Types

Offensive: find flaws and show impact
• Penetration Tester
• Red Teamer
• Exploit Developer
• Malware Analyst
• Vulnerability Assessment Analyst
• …

Defensive: fix, or help in fixing, issues
• Secure Developer
• Product Security Engineer
• Blue / Purple Teamer
• Incident Response Team
• Server Administrator
• DevOps / DevSecOps professionals
• Forensic Investigator
• Auditor
• Technical Writer
• …

Slide 9

How to Gain Knowledge
• Upskill yourself: refer to the resources section
• Read what others are doing
• Follow people who share knowledge
• Participate in communities / events
• Practice

Slide 10

Practice
• Set up your own lab environment
• Write about what you learned
• Talk about what you learned
• Present about what you learned

Slide 11

Communities / Events in India
Communities
• Null Community @ https://Null.community
• OWASP
Conferences (paid)
• c0c0n
• Nullcon
Regional Events (may be paid)
• BSides
• DEF CON groups

Slide 12

Upskilling
• The IT world is moving towards “as code”
• Programming is a necessary evil (from VM macros to Ansible to Python)
• The earlier you accept it, the better
• Understand the basics and practice
• Some areas to keep in mind:
  • Automation: Ansible / Terraform
  • Programming: Go / Rust
  • Scripting: Python / Bash scripting

Slide 13

Higher Studies vs Experience
Academia must:
1. Get the basics right for people (Bachelor’s and Master’s degrees)
2. Think far ahead into the future, before the commercial world does (PhDs)
Align with your own liking:
• Academia: if you want to explore the future and not worry about implementing it
• Commercial world: if you want implementation exposure

Slide 14

Certifications?
• A certification means you were able to solve a specific set of problems at that specific point in time.
• Consider it a checkbox.
• If you give humans a challenge, they will find the shortest possible way through it.
• Do a certification for:
  • Clearing HR screening
  • Accelerated learning, if the company sponsors training [+ certification]

Slide 15

Resume tips (General guidelines)
• Simple words
• Concise (1 page: 0-2 yrs, 2 pages: 2-10 yrs, 3+ pages only for executives)
• Reduce past experiences to 1-2 liners
• Talk about your impact, not job activities
• Items to keep:
  • Items that you want to talk about
  • Items that show your capabilities in a specific field
The interviewer is taking the interview, but your resume drives it.

Slide 16

Resume tips (Personal Preferences)
• Academics matter only until the 2-4 yrs experience range
• Hobbies only if you want focus on them
• Things that don’t help:
  • Club memberships or designations in college
  • Attendance/participation entries (speaker is fine)
  • Photograph or certificate logos
  • Shiny and fancy artwork graphics
  • Your Ikebana prize might be a proud moment, but do you want to talk about it?

Slide 17

Online Presence
Curate your online presence, or FB/Insta/WA/X/LinkedIn will do it for you.
Associate your identity with your own domain, not gmail or outlook.
At the minimum:
• Build your own website
• Host your own blog (write about whatever you learn)
• Host your resume on it

Slide 18

Startup vs Corporate
Startups: PoC builders for the corporate world

Startup                    | Corporate
---------------------------|-------------
Chaos                      | Processes
Unorganized setup          | Organized
Fast moving                | Brand value
More power to individuals  |

https://blog.anantshri.info/startups-vs-corporates-unblurring-the-lines-for-job-seekers/

Slide 19

Remember about Startups
• Startups are uncertain about the future:
  • Closure
  • Buy out
  • Acquisition
• They offset the risk by paying hugely.
• Unless you want to jump around startups, don’t assume that as your market value. It’s the golden handcuffs given to you.
Nothing is good or bad; they are logical choices. Decide after knowing the differences.

Slide 20

Entrepreneur or Job
• Remember, being an entrepreneur is:
  • 5-10% tech, and the remaining:
    • Finance
    • HR
    • Marketing
    • Sales
    • Customer interaction
    • … (including, if required, janitor and sweeper)
• If someone is trying to tell you that you don’t need to do all of these, they are lying.
• Even if it’s not your responsibility, you will have to know these areas.

Slide 21

Job or Entrepreneur
• A job gives you a fixed, target-based environment (if not, then switch)
• A job gives you someone else to blame if things don’t work
• A job gives you the assurance of someone else worrying about your paycheck

Slide 22

Finances
• IT Security is one of the highest paying jobs in India
• Don’t assume you will keep drawing this high salary
• Prepare a finance plan for yourself
• Know your expenses
• Understand what runway money and financial independence mean
• Recommended reads:
  • Let’s Talk Money: Monika Halan
  • The Psychology of Money: Morgan Housel

Slide 23

Resources: Practicing the craft
Free + paid resources, in random order:
• https://www.vulnhub.com/
• https://pwnedlabs.io/
• https://www.hackthebox.com/
• https://tryhackme.com/
• http://www.hacker.org/
• https://sadservers.com/ (defensive)
• https://summerofcode.withgoogle.com/ (long-term paid projects)

Slide 24

Free Resources for everyone
• GitHub Student Pack: https://education.github.com/pack
• 1 free ebook every day: https://www.packtpub.com/free-learning
• Resources free for developers: https://free-for.dev/

Slide 25

Credit where credit is due
The following people have provided inputs for the talk:
• Dhruv Shah – https://shahdhruv.info/
• Dr. Angelina Gokhale – https://in.linkedin.com/in/angelinagokhale-9a588214
• https://danielmiessler.com/blog/buildsuccessful-infosec-career/

Slide 26

Anant Shrivastava
Website: https://anantshri.info
Email / Fediverse / Mastodon: anant@anantshri.info