
DISCLAIMER: Some of the views and opinions expressed in this presentation are the presenter's alone, and may or may not reflect or align with organizations' policies, and certain sections of the material should not be viewed as an official enforcement by any organization or person. This presentation may be freely distributed.

How To Make A Fortune in INFOSEC (or S/W Development)
October 22, 2010
Kurt R. Schmeckpeper, CISSP, GCIH

DISCLAIMER
The thoughts, statements, and ideas
presented here are not representative of
or claimed by Motorola or any past
employer, ASU and their faculty, or anyone
else you might meet, and they are in no
way responsible or liable for them.

Brief Professional Resume
BSEE, MEE Okla. State University - 1975
NASA, Houston, Texas 1975 to 1996
  Space Shuttle SW Developer & Flight Controller
Space Station (US & Russian) System Design
Tomahawk Cruise Missile SW Tester (St. Louis)
Apache Helicopter System Tester (Mesa, AZ)
Engineer, Motorola INC. 1996 to present
  Chandler Arizona, Basingstoke UK, Copenhagen DK
  Iridium SW Tester then Test Manager
  Authentication Centre Test Manager
  Information Assurance System Designer & Analyst

Current Job Role
Educator & System Designer
  Bringing the gospel of Information Assurance and Computer/Network Security to the masses
  Designing IA into our Private Radio Systems that we sell to Government agencies.
  Consulting on IA with other Corporate Product Teams

Brief Personal Resume
Bay Area Comm. on Drugs & Alcohol Abuse Crisis Help Line: 1977-1980
  Volunteer, Trainer, Board of Directors
Galveston Co. Fair & Rodeo: 1981-1996
  Computer Geek, Secretary, Treasurer, Board of Directors
Greater Corona Home Owners Assoc.: 2000-2004
  Contracts Mgr., Secretary, Board of Directors

How to Be Wealthy
Have Rich Parents
Marry a Rich Spouse
Win the Lottery
Become a Successful Black Hat
Work as a White Hat (this presentation)
YOU WILL MAKE YOUR OWN CAREER!
Others may help, but it's ALL ON YOU!

What is INFOSEC (from ISC2)?
1) Access Controls
2) Telecommunications and Network Security
3) Information Security and Risk Management
4) Application Security
5) Cryptography
6) Security Architecture and Design
7) Operations Security
8) Business Continuity and Disaster Recovery Planning
9) Legal, Regulations, Compliance and Investigations
10) Physical (Environmental) Security

Technical Skills You Should Have
LEARN the Operating System
LEARN the Coding Language
LEARN Assembler & Shell Coding
  The Art of Assembly Language by Randall Hyde
  www.ollydbg.de (an Excellent Disassembler)
  www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html
LEARN Metasploit www.metasploit.com
Consider becoming Certified (CISSP or CEH)

Occupations using these skills
Penetration Tester
Incident Handler
Secure Software Development & Test
  When you can Hack your own code, you know that you have to make it more secure
Cyber Warrior (DoD needs 3000+)
Auditor
  Additional training in whatever standard you are auditing against is required

What Else Should You Know?
Learn English Grammar, Syntax, & Punctuation
  Unless for a Foreign company, then substitute the official language for English
Learn Social Engineering
  How to Listen/Motivate/Evaluate People
Pick a Technical Specialty or two
  But then become a Generalist
Be as Technology Agnostic as Possible
  Don't be a Fan boy or girl for any technology unless you are going into SALES as a Career
Learn PowerPoint and Public Speaking
  Join Toastmasters for the practice and the connections
If you want a MGMT career
  Learn some FINANCE stuff
    Start with an Engineering Economics textbook
    You don't need to be an MBA, unless you aspire to be a CISO
  Learn some Project MGMT tools
    Microsoft Project is a good one
  Learn how to play Golf
Learn about Cultures other than yours

Prior to & Post-Graduation
If you know the job you want, go after it!
  Otherwise, search until you see an appealing job
If your job hunt is not immediately successful,
  consider volunteering at a Charity or Hacker Space, while you keep looking
  Or consider getting a Masters Degree
  Or consider the Armed Forces
Keep learning new skills & practicing old ones

Your First Job
Lower rungs of the tech or mgmt ladder
  Unpaid Overtime is Expected
  When offered company training, take it
  Expect to make Mistakes
    Learn from them
Be friendly to the Admin Asst (Boss's Secretary)
Do your Job well before you Volunteer to take on new jobs, unless your boss asks you to take it

Your First Job (continued)
Sign up for:
  ALL the Health & Life Insurance they offer
    It's the cheapest you will ever buy
  401-K
    at least to get the full company match
  Savings Plans or Company Stock Plan
    as much as you can afford

Your First Job Attitudes
Read the HR Policies & LIVE Them!!!!
  Acceptable Computer Use Policy
  Information Classification & Handling
  Cultural Diversity Policy
  Be Pro-Active in reporting violations of these policies (however, discuss it with the person first, they may have been ignorant)
HR exists to protect the company first and you second.

Your First Job Attitudes
Identify your internal/external Customers
  It's all about Customer Service
  Your Boss and co-workers
  Companies/Groups you deliver to
  If I received this product, would I be Happy/Satisfied with it?
Don't date co-workers, customers, or competitors
  Not a hard & fast rule, but it makes your life go smoother.

How to Present to MGMT
It will probably be in PowerPoint
  NO Animations
    The only people that like animations are being trained, or they are in SALES
Problem Statement
  Clear, Concise, and Why
Possible Solutions (no more than the 4 Best)
  Again, Concise, with Pros and Cons, and Cost
Your Recommendation (Optional)

First Job After-Work Activities
Have Fun, with some caution
Volunteer: Expands your network & Social Circle
Learn a new Skill/Hobby
  Doesn't have to be a work-related skill
  Woodworking, Plumbing, Computer Repair, Dancing, Golf, Bartending, Foreign Language
LIVE WITHIN YOUR MEANS!!!!
  Make a Budget and stick to it.
  Save for Retirement

A Word About Social Networking
Social or Business Related (Personal)
  Facebook: Limit what you post & your network
  MySpace: see Facebook
  Linked-In: Strictly for Business & Work-related stuff
  Plaxo: Avoid. Check out their Privacy policy
  Naymz: Avoid. Check out their Privacy policy
Don't friend any boss or co-workers on Facebook or MySpace (it's just a bad idea); Linked-In is OK.
Keep your Work Life and After-Work Life as far apart as possible.

How To Get Promoted
1) Do Your Job Very Well (and know the promotion requirements)
2) Exceed your Boss's Expectations!
   Make Your Boss Look Good
   When they get promoted, they will be looking for a replacement
3) Transfer to Another Job
   Repeat 1) & 2) above
4) If your Boss won't cooperate, go to his Boss
   But make sure you are solid on 1) & 2) above, as you may have to do 3)
5) Live Long Enough
   Sometimes it's just a matter of being in the right place at the right time and knowing the right people

First MGMT Job
When you excel Technically, you will probably be promoted to Supervisor
  This is not a BAD Thing, although it will take you a while to realize it.
  With Luck, you will be doing 50% MGMT/50% TECH
  But that rarely lasts two or three months, and then it's 90% MGMT/10% TECH
  Get over it, that's the way LIFE is!!! Learn all you can.
Your friendly & non-friendly co-workers may be reporting to you
  You have to put some personal distance between you and them
  You will have to evaluate/counsel/mentor/placate/motivate them
Alternatively, if you are Totally Exceptional Technically, you may want to quit and hire yourself out as an Independent Contractor. This pays VERY, VERY well, but you will be paying the Full Cost of your Benefits Package, including both sides of Social Security; remember to save money to pay your Taxes.
95% of the comic strip Dilbert by Scott Adams is REAL LIFE!

Thoughts on Certifications
Passing a Certification exam says that:
  You have the minimum knowledge to be considered for certification (at the time of the test) OR
  You are very good at taking tests.
CISSP - www.isc2.org
  A mile wide and two inches deep
SANS - www.sans.org
  MGMT & TECH, Hands-On Tech
CEH - various
  See Resource presentation at the end

Thank You For Your Time!

Questions?

Resources
How to protect your privacy (11 slides)
IA Certifications: should I get one?
Compare/Contrast CISSP & CEH
Used with permission of the author

Should We Expect Privacy?
http://www.theregister.co.uk/2008/10/07/symantec_thompson_privacy_bunk/
Consumers ought to accept that loss of privacy is the price they pay for using internet service, according to Symantec chief exec John Thompson.
Echoing Scott McNealy's opinion that "you have no privacy, get over it," the Symantec boss expressed surprise that information such as IP addresses is regarded as sensitive.

So what do we do now? - 1
Surf the web with a proxy server
  www.anonymizer.com
  www.torproject.org
  www.the-cloak.com
  www.megaproxy.com/freesurf/
None of these have been evaluated by me, except analytically

So what do we do now? - 2
Use encryption (your email & Hard Drive)
  www.truecrypt.org
  www.gnupg.org (Free PGP)
Turn on/Install, scan and update weekly:
  Firewall (Windows; ZoneAlarm is better)
    www.zonealarm.com
  Anti-Virus (AVG)
    free.avg.com/download-avg-anti-virus-free-edition
  Anti-Spyware (SpyBot Search & Destroy)
    www.safer-networking.org/en/download/

So what do we do now? - 3
Set up many email addresses
  Don't use AOL or Hotmail
  GMAIL is OK, but it's a target
  Use them for different purposes
  Use a private email address for your close contacts
Web Browsers
  Turn off scripting, or use Firefox with NoScript

So what do we do now? - 4
Keep all your software up to date!
  Get Secunia's Personal Software Inspector (PSI). It's Free
  http://secunia.com/vulnerability_scanning/personal/
  Use IT!
Be Careful Using Bluetooth!
  Google "Josh Wright Bluetooth Video" or www.ihackforsushi.com

Other Things To Be Careful About
Internet Kiosks
WiFi in Hotels, Airports, & Coffee Shops
  Never check bank balance or shop online
ATMs (especially if it keeps your card)
Shopping online
  Use One Credit Card with a low limit
  Don't use a Debit Card

What Do I Do?
All of the above plus:
Separate computers for work, play, & risky
One laptop is disposable and has a plug-in
wireless card that is only used for risky
When installing Windows, I use a fake name
and company
Otherwise I use Linux, which doesn't need it
I also use LiveCDs and Virtual Machines

What Else Can You Do?
Educate yourself
  Learn your Computer, Operating System, and programs
  Read the latest hacking literature at (you might have to use Firefox instead of IE):
    www.defcon.org
    www.toorcon.org
    www.shmoocon.org
Google Yourself Weekly!

Risky Work Defined
WiFi in Hotels, Airports, & Coffee Shops
  Unless it's work-related, then I use my work laptop with two-factor authentication and a VPN encrypted tunnel
Checking the security of a neighbor (with their permission, of course!)

Closing Thoughts - 1
In the 2006 Census, there were 225,633,342 people in the US whose age was 18 years or older.
You will have your PII exposed
  With luck, you won't lose any money
A last quote from Symantec chief exec John Thompson:
  "Businesses have a responsibility to protect sensitive data. The public should not expect the government to protect them."

Closing Thoughts - 2
The odds of anyone trying to track you down are low!
  There are trillions of pieces of information stored in the ISPs and search engines of the world, so your stuff is not easy to find.
Your non-online Credit Card History is probably more exciting than your web browsing
However, if you run for political office, become a political agitator or become very wealthy, all bets are off!

DISCLAIMER: Some of the views and opinions expressed in this presentation are the presenter's alone, and may or may not reflect or align with organizations' policies, and certain sections of the material should not be viewed as an official enforcement by any organization or person. This presentation is used with the author's permission.

Information Assurance Forum
How and Why to be a CISSP and CEH
May 20th, 2010
Gedi Jomantas, CISSP, CEH, CCNA, CCNP, CCSA, CCSE -> CBSA, AECDM, MCDMMM

Outline
Nothing matters but your resume
Certifications and different schools of thought
Not all certifications were created equal
Certified Information Systems Security Professional - (CISSP)
Certified Ethical Hacker - (CEH)
Certification value to you and your company
Where do you go from here?

Nothing matters but your resume
...well, not exactly
...but when your career hits a brick wall,
or
...when the job winds change, the question is...
...what will your sail look like?

Search CISSP Results: Dice.com - 1050; Monster.com - 1000
Search CEH Results: Dice.com - 40; Monster.com - 40
Courtesy: Johnklund.com, 123rf.com

Certifications and Different Schools of Thought
Experience
  20 years of government experience in secure systems engineering, certification and architecture
  BS Business Admin/Mgt; BSEE; MS CS with a focus on Secure Systems Engineering
  10 security related patents
  NSA accreditations
vs. Certification?
  CISSP, CEH, CISA, etc.
Complementary, not a replacement!
  Your buddy knows what you can do, but the HR rep may not know you
So you have the piece of paper and hung it on the wall... now what?
Certification vs. Professional Lifestyle
  Don't get it for the sake of getting it.
  Conscientious choice to support your career's direction
  Industry Participation
    Security professional community
  Continuous Education
    Knowledge can get stale

Not all certifications were created equal.
Orientation
  Management vs. Individual Contributor
  Policy Oriented vs. Technical
  - CISM, CISA, CISSP, CEH, QSA, etc.
Concentration
  Security Domain
  Domain Segment
  Technology Area
  Industry Specific
  Vendor Specific
    Cisco, Microsoft, Nortel, RedHat, Solaris, etc.
  Provider specific
    ISC2, EC-Council, SANS, etc.
    GIAC, CEH, CISSP, etc.
Method
  Boot camp vs. Self study
  Classroom vs. CBT
  On-site, instructor led

Certified Information Systems Security Professional - CISSP
Marketing Alert!
The Certification That Inspires Utmost Confidence
If you plan to build a career in information security, one of today's most visible professions, and if you have at least five full years of experience in information security, then the CISSP credential should be your next career goal.
The CISSP was the first credential in the field of information security, accredited by the ANSI (American National Standards Institute) to ISO (International Organization for Standardization) Standard 17024:2003.
CISSP certification is not only an objective measure of excellence, but a globally recognized standard of achievement.

Certified Information Systems Security Professional - CISSP
The CISSP Domains Include:
  Access Controls
  Telecommunications and Network Security
  Information Security and Risk Management
  Application Security
  Cryptography
  Security Architecture and Design
  Operations Security
  Business Continuity and Disaster Recovery Planning
  Legal, Regulations, Compliance and Investigations
  Physical (Environmental) Security
http://www.isc2.org
CISSP certification pre-requisites:
  Professional experience in two or more of the CISSP domains
  Minimum 5 years of experience in information security
  Complete the Candidate Agreement, attesting to the truth of his or her assertions regarding professional experience, and legally commit to adhere to the (ISC)2 Code of Ethics
  Successfully answer four questions regarding criminal history and related background

Certified Information Systems Security Professional - CISSP
Additional CISSP Concentrations
Information Systems Security Architecture Professional (CISSP-ISSAP)
  The six domains of the CISSP-ISSAP CBK are:
    Access Control Systems and Methodology
    Communications & Network Security
    Cryptography
    Security Architecture Analysis
    Technology Related Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
    Physical Security Considerations
Information Systems Security Engineering Professional (CISSP-ISSEP)
  The four domains of the CISSP-ISSEP CBK are:
    Systems Security Engineering
    Certification and Accreditation (C&A)
    Technical Management
    U.S. Government Information Assurance (IA) Governance (e.g., laws, regulations, policies, guidelines, standards)
Information Systems Security Management Professional (CISSP-ISSMP)
  The five domains of the CISSP-ISSMP CBK are:
    Security Management Practices
    Systems Development Security
    Security Compliance Management
    Understand Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP)
    Law, Investigation, Forensics and Ethics

Certified Information Systems Security Professional - CISSP
Getting a CISSP
Author: Kerry Thompson
think of it as a journey ...

Myth #1: A CISSP certification is easy
Well, some people may think that it is easy. Most people find it hard work: you need to have at least 3 years in IT security before you even apply for the exam. You need to cover an extremely broad landscape of IT security - many areas, such as physical security, few people will have any experience in. And you'll need to do a fair bit of reading and studying to get through that exam: 250 questions to answer in 6 hours isn't much fun.

Myth #2: Once you get it, just sit back and relax
No. Once you pass the exam you need to earn CPE credits in order to keep your certification. If you don't then you'll need to resit the exam after 3 years to keep the certification. Getting CPEs is fairly straightforward: if you publish papers, attend seminars, do some presentations, and basically remain active in the IT security arena then you should have no problem here. But it takes a little work: this isn't a get-it and forget-it sort of certification.

Myth #3: You'll get more money/better job/more recognition
In actual fact, you probably won't. I've found (at least here in New Zealand) that many employers and even employment agencies have no idea what a CISSP is. They tend to think in terms of the product-certifications; you know, the Cisco CCNA and Checkpoint CCSE sort of thing. They have no idea that you need 3 years of experience to get a CISSP, and they have no idea that it is an ongoing professional-level certification like a CPA (Chartered Accountant). Ergo, you probably won't get a better job or more money from waving your CISSP certificate around.

So, why would you want a CISSP?
It's not easy to get, it takes maintenance, and may not gain you much. Why would you want to go through all that hassle? Here's some good reasons:
  To expand your knowledge in security concepts and practices.
  To show a dedication to the security discipline.
  To meet a growing demand for security professionals, and to work in a thriving field.
  To join a professional organization and to link up with like-minded individuals

http://windowsecurity.com/whitepapers/Getting-a-CISSP.html

Certified Ethical Hacker - CEH


CEH Certification
The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks
by attacking the system himself; all the while staying within legal limits.
Catch a thief, by thinking like a thief Certified instructors will take you through practice exams and real world
case studies that prepare you to become the Security Professional your organization can depend on.
What is an "Ethical Hacker"? The Ethical Hacker is an individual who is usually employed with the
organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems
using the same methods as a Hacker.
Hacking is a felony in the United States and most other countries. When it is done by request and under a
contract between an Ethical Hacker and an organization, it is legal.
The most important point is that an Ethical Hacker has authorization to probe the target
The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a
vendor-neutral perspective
Skills span across multiple domains: social engineering, in-depth technical expertise, vulnerability assessment, penetration testing, principles of forensic analysis, etc.

The CEH certification will fortify the application knowledge of security officers, auditors, security professionals,
site administrators, and anyone who is concerned about the integrity of the network infrastructure.
A CEH is a skilled professional who understands and knows how to look for the weaknesses and
vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker.

Certified Ethical Hacker - CEH
Other CEH related certifications
  Advanced Ethical Hacker
  Certified Penetration Tester (CPT)
  Certified Expert Penetration Tester (CEPT)
  Certified Application Security Specialist (CASS)
  Certified SCADA Security Architect (CSSA)
  Certified Data Recovery Professional (CDRP)
  Certified Reverse Engineering Analyst (CREA)
  Certified Computer Forensics Examiner (CCFE)
  Etc.

Certification value to you and your company
You:
  Opportunity
  Continuous Professional growth
Company:
  Market specific training requirements
  Mandatory certifications

DOD 8570 provides guidance and procedures for the training, certification, and management of all government employees who conduct Information Assurance functions in assigned duty positions.

DOD 8570 requires that anyone who has access to an Information Technology system must be certified with one of the external certifications listed. This includes contractors and vendors, by 2010.

Where do you go from here?
Assess your career objectives
  Remember, nothing matters but your resume ;)
Talk to a CISSP or CEH and decide if it is the right certification for you
  Discuss with your manager if a security certification is the right fit for you in your current or future roles
  Understand how security certification aligns with your organization's business goals

In conclusion...
Keep in mind

sometimes, certification is nothing more than a
