Getting Into Infosec

A Technology, Business and Careers podcast featuring
 1 person rated this podcast

Best Episodes of Getting Into Infosec

Mark All
Search Episodes...
Listen to the retail audio sample of my book: Breaking IN - A Practical Guide to Starting a Career In Information Security The book is narrated with a female voice, Kati Fredlund. She did an amazing job! You can read a sample or purchase the whole book here: Full Audiobook to be released soon!
Speaker Bio Rob Carson founder of Semper Sec. Rob knows how to simplify the problem and deliver solutions. His clients base includes: Fortune 200 Companies US Government Contractors State and Local Governments Fuel Retailers Software and hardware manufacturers His distinguished career includes service as a Marine Corps Infantry Officer, as well as leading roles in IT and Security. Before devoting his work fulltime to facilitating his client's success, He built highly successful information security programs for ISO 27001:2005/2013, PCI, HIPAA, NIST 800-171, GDPR. He also volunteers his time as the Chief Security Officer for BSIDES Las Vegas, a non-profit educational organization designed to advance the body of Information Security. Episode Highlights Matt reveals how much he made when he got out of the Marines Matt hilariously talks about the nuances he had to deal with when going to the private sector: Not saying "Sir" and "Madamn" Figuring out what to wear How being early is too early Quotes "I wasn't getting shot at... I was working in climate control, you know, so people be all stressed out and I was like 'Well no one's going to die'." "I like to call myself a lessons learned enthusiast." "The hardest job you'll ever get in infosec is that first step in." "A first sergeant told me your hobbies should reflect part of your career." "You can be outside the box, but you need to stay inside the room." Links Sempersec: Rob Carson's LinkedIN Profile:
Recast An Audiogram on Social MediaPage Glave was a tenured Associate Professor of Kinesiology with a focus in exercise science and was successful in her field. However she came to the realization that she can't see herself doing this for the rest of her life. This is her story. She offers lots of great advice on resume tips when switching, homelabs, certifications, and how she was able to break into the field.BIOI am an analyst, project manager, ethical hacker, and tech consultant with more than 10 years’ experience with research and project management. I spent awhile in higher education – long enough to get tenure and decide it was time to do something else. I have eJPT (eLearnSecurity Junior Penetration Tester), Security+ and Splunk User certifications. I love learning and tech, so digging into all of this stuff just makes me happy.Notes:5 Months in to her first security job!Being in a small environment, she gets to do everything from governance to pentesting.Previous to this she was a tenured associate professor in kinesiology with a focus on biomechanics and obesity.Quotes:"Pretty big adventure on a daily basis because no day is the same.""Really is an environment where security is everyone's job.""I think I'll always be in-house tech support for as long as I live." [7:08]"I kinda got bored… I didn't want to keep doing something that wasn't challenging." [7:28]"Do I really want to do this for the next 30 years?" [7:58]"…going through the headers, that should have been a clue that maybe tech would have been a good fit for me.""You'd be hard pressed to find anyone in Information Security who was just thrilled with their budgets.""Being able to translate that self-directed learning to something on my resume."Links:Page's Twitter: (Thank her via Twitter)Brakeing Down Security Podcast: Hacker's Conference: Bowne's Class: VM: (by Alan Orlikoski Palacios: Brager: Music: Music: Into Infosec:Follow Me on Twitter: To YouTube: My Book: Breaking IN: A Practical Guide to Starting a Career in Information SecuritySign up for updates and commentary: 
Christina Hanson is a security analyst working for Truvantis Cyber Security Consulting and one of my former boot camp students. She has extensive technical experience and a deep understanding of the collaborative nature of InfoSec, not to mention how women and other underrepresented groups in the community have a more difficult time navigating this industry due to institutional barriers. In our discussion, Christina touches on the wide variety of resources and events that helped her enter information security, why teamwork is just as important as technical work, and why InfoSec's responsibilities will continue to grow in the near future. Episode Highlights: How Christina's aptitude for IT led her down the path to InfoSec. The "elective" course Christina took that turned out to be career-changing. Why cooperation and group work are so important in InfoSec. The "soft skills" needed to work in security. Infosec was not her 1st or 2nd career! An overview of Christina's day at Truvantis and how she works with clients. Christina's experience at a SANS women's academy and the Day of Shecurity conference. Why the InfoSec industry needs contributions from people from all backgrounds and how it benefits from diversity in general. The increasing accessibility of conferences and other tech events for those who can't attend. InfoSec's important role as companies have more and more access to users' data. Quotes: "I found that just the general atmosphere of security and the overall focus of what you're trying to accomplish was really helpful." "Anything you're gonna do in security, you're gonna do as a team." "Being open to learning new things is really important with this particular field." "Even if I don't understand everything they're talking about, it gives me at least a start and a basic understanding that I can then research later." "Being a professional in this field, it's so important that we are able to make other people safe." Links: Christina's LinkedIn: Day of Shecurity: SANS Women's Academy: Merritt College: Dr. Johannes Ullrich: SANS Daily Podcast: The Cyberwire Podcasts: OWASP: Amanda Rousseau (@malwareunicorn): Dead Drop SF:
Permalink and Transcript: In this first episode, I chat with Dan Borges, a professional red teamer, blogger, and security tool developer. Dan discusses his early experiences using and exploiting computer systems, how InfoSec experts work with companies, and a new tools he and other created and released this year! Episode Highlights: Dan explains how he became involved in information security, including his introduction to programming through a Lego robotics program. His early experiences as a pen-tester—i.e. a penetration tester, who looks for system security weaknesses—and why it’s difficult to get hands-on experience in that field. The benefits of becoming an Offensive Security Certified Professional (OSCP). What does a red team do in an organization, and how is it different from pen-testing? Dan describes the day-to-day life of a pen-tester and the kind of conflicts they can run into. A few war stories from the trenches of InfoSec, as well as some of the tools pen-testers use. How being grounded led to Dan’s earliest hacking experiences, and the ways his parents fostered his interests and mentality. What conferences should InfoSec beginners check out? Fun and beneficial ways you can “hack” reading. Dan’s tips for those starting off or looking to transition into Infosec. An in-depth look at one of the newer tools Dan uses for his work. The rules and intricacies of InfoSec competitions. Quotes: “It’s such a catch-22 to get practical, hands-on experience to go to these jobs because, y’know, hacking’s illegal, right?” “We don’t just go in and blow the brakes off people, we’re trying to measurably improve security.” “It was a constant escalation war, cat-and-mouse like that. They’d take something away and I’d figure out how to use the computer with that limitation.” Links: Dan Borges’ personal blog: Dan’s LinkedIn: Dan on Twitter: Dan and Alex's DEFCON Talk on Gscript: Gscript: Genesis Scripting Engine: NationalCPTC (Collegiate Penetration Testing Competition): Outro Music: Missing You by Trash80: Getting Into Infosec: Twitter: YouTube: Book:
Nipun graduated during the recession, but found a job as a consultant which helped him gain experience quickly. He was in fact discouraged to pursue a career in information security due to his immigrant status. Nipun is now a Cyber Security Executive focused on innovation. BIO: Nipun Gupta is a Cyber Security Executive at a large global financial institution focusing on innovation. Armed with many years of experience helping Fortune 500 companies solve cyber risk challenges, Nipun is tasked to help his employer discover, asses & adopt new cybersecurity solutions protecting against emerging threats. In the past two years, Nipun co-founded and ran the global Cyber Innovation Ecosystem strategy at global consulting company, with a specific focus on US and Israeli startups. He offers a strong network of security executives, startup founders, and the Venture Capital community in the West Coast and abroad. Technically proficient in network and application security, Nipun is a trusted advisor for many financial service institutions, technology, and telecom companies contributing, to solutions worth tens of millions of dollars. Nipun completed his Masters of Information Technology and Information Security from Carnegie Mellon University, and has been collecting industry certifications like CISSP and SABSA ever since. Notes: Was discouraged to go into cyber security due to his immigrant status Graduated in a tough time during the 2008 recession Discusses burnout and having to work odd hours for 6 months of the year The show "24" was an influence in sparking the interest in information security Shares an interesting war story where he accessed tons of files Discusses the personality traits needed to be a consultant Quotes: "The biggest problem security professionals will continue to face is how to bridge that gap between technical conversation and business conversation." "You have to be technical to understand the depth of the issue, but at the same time you need to be able to express it in business language so non-technical people can make those decisions." "I think you have to talk in terms of risk. Every business professional [in a] large or small company understands risk, because risk can put them out of business." "While I'm an introvert when it comes to working, I'm an extrovert when it comes to expressing my work related conversations or expressing my work related issues." Links: Nipun on Twitter: Nipun on LinkedIN: SecurityTube: Hak5: Nullcon: BayThreat: Intro Music - "Cascadia" by Trash80: Outro Music - "Put This Rap Together " by Bobby Cole:
Leron Gray is a man of many talents. Not getting really into computers until much later in life, but always having a creative side, he now finds himself as a pentester working from home and nerdcore rapper producing amazing beats! BIO Leron is currently a penetration tester and a ten year Navy veteran with four years experience as a Cryptologic Technician (Networks), focusing primarily in offensive cyber operations. He holds a Bachelor's degree from Dakota State University in Cyber Operations. With a passion for Python, he loves automating tedious daily routine tasks for efficiency and considers himself to always be in a position to learn more and pass on knowledge. He always enjoys competing in as many Capture-the-Flag events as possible and also often performs as a nerdcore rapper. Leron currently holds eCPPT, eWPT, GPYC, GPEN, GAWN, GCFE, and GICSP certifications. He also maintains a blog and maintains an active Twitter discussing music, information security and wrestling. Notes Went to a high school that made you choose majors. Grew up poor, was not allowed to go out much. Technological learning came from school. Didn't really get into computers until he was 25. Has been in music sister Jr. High School. Marching band, jazz band, and concert band... all the bands. Networking is the biggest thing that Leron says would help. Leron offers his passionate opinion on "aptitude". It's a pet peeve of his. Quotes "I learned a lot... I made sure not to waste any opportunity for learning..." "Job searching in general is a pain." "I don't think I would be where I am right now if I hadn't gone out and made that effort." "One of the big deals that people had were degrees, I wasn't really sure why; I have 10 years of IT/Cyber experience." "It turned out the company no longer owned that server. Their DNS was still pointing to it though." "I took Java in high school and was really bad at it and I found out everyone is bad at Java so it doesn't really matter." "It's so much easier to learn when you have a problem to fix." "It's not even just information security that learning pyt hon could help... it could be anything you do.. .often enough to warrant not to do it manual." "Nobody does a CTF and expects not to learn something by the time they leave ." "Job searches shouldn't be like that. They should be based on you merit. But..." "Maybe the person can't get OSCP, but maybe they have the skills or knowledge..." "The idea of aptitude... raises too many borders." Links Leron on Twitter: Leron's Blog: Leron's GitHub: Class that Leron Is Mentoring: Visual Studio Code: PyCharm: IPython Notebook: San Antonio's Hackers Association: MC OHM-I: Intro Music: Cascadia by Trash80 - (Released under Creative Commons) Outro Music: Getting Into Infosec: Twitter: YouTube: Book:
Fareedah, a lifelong learner, was always interested in technology and grew up reading her father's Cisco books. His influence led her to the field of information security where she stepped up and is always tackling new challenges.BIOFareedah Shaheed was born in Maryland but spent most of her childhood outside of the US. She returned to the States in 2013 and attended the Community College of Baltimore County (CCBC), where she majored in Cybersecurity.Her experiences with different cultures and the tech field led her to combine her interest in psychology with cybersecurity and thus, her passion for security awareness was born.In 2018, she founded Sekuva with the mission to educate and support small business owners and families with understanding how to secure their sensitive information.She currently works as a Security Control Analyst at a financial firm in Maryland.Notes:Currently works with Security Awareness and Threat Intelligence.Must break down concepts for both executives and associates.Saw that there was a lack of cyber-security awareness for "regular" people, especially with parents.Got thrown into leading "lunch & learn" events and experienced imposter syndrome due to her lack of her experience.Her lack of experience became a benefit to the audience as they were able to relate!Father was in tech. Changed her major in college based on his advice.Wanted to teach but didn't want to be a teacher.Read 2000 books since childhood.Fareedah had really good role models growing up.Quotes:"I vowed never to have anything to do with math whatsoever.""I was a broker, I did an internship, I did teaching... and through all of that I realized I didn't really want anything but tech.""Whatever your parents' field is that kind of is in the back of your head, whether it's a yes or no.""Let me do it. Let me try this out.""Cybersecurity is new, it's upcoming. I really believe that your skills would be good for cyber. There's not a lot of women there. Especially not a lot Muslim women there, who look like you.""I remember just lying awake at night just thinking about how does WiFi work."" Instead of guards we have guides." [21:12]"You have to do it afraid, you can't wait for the perfect moment." [25:35]Links:Fareedah on Twitter:'s Company- Sekuva: Up: Into Infosec:Follow Me on Twitter: To YouTube: My Book: up for updates and commentary:
Today's episode is a reading of an amazing written by Kyle Kennedy, president of The reading is performed by Allison, an IBM Watson personality. I also go through some recent resources discovered to help you on your journey to a Career in Infosec. BIO: Kyle F. Kennedy is a social cybersecurity expert and president of His organization provides foundational soft-skills training for a small fee (supported by corporation donations) and plans to launch soft-skill Masterclasses in 2019.They helped organize an event called Day of Shecurity, for women of diverse backgrounds to have one day of learning: tech/ hard skills, soft skills. They had opportunities for mentorship and guidance. Day of Shecurity was FREE to attendees! Links: Article: Stories, not resumes: Breaking educational and other barriers in cybersecurity Google Image Search for "cybersecurity" Associate of (ISC)² Adrian Kaylor's talk "Sales Engineering and getting into infosec" Flaws2 City College of SF Cybersecurity Program CCSF Information Security (Cybersecurity) Analyst Apprenticeship Sam Bowne's Classes Article in IBM Watson's Expressive SSML used on the show Intro/Outro Music: Cascadia by Trash80 Full Text of Article: When you search for images under the key word “cybersecurity,” a familiar shot always turns up: a guy wearing a hoodie, operating in a dark room, fingers on a keyboard. I’d like to replace that image with…anything. To be a cybersecurity professional, you can be anything. And anyone. We’ve heard the statistics. There is currently a human capital crisis, with 1.5 million cybersecurity jobs available and no takers. The number is projected to balloon to 3.2 million by 2021. But who exactly are these cybersecurity professionals we are looking for? For so long, we have had our own definition of who can fit that talent. A good cybersecurity professional has to have a computer science degree. They must have solid professional background. They have to be male. This pattern of defining success has led us to the shortage we are experiencing today. It’s kind of like insanity, really: Doing the same thing over and over and expecting different results. What really makes up a good professional? Every human being brings a different experience. You need critical thinking and creative thinking, both. A variety of educational, ethnic, geographical, backgrounds. For example, cybersecurity is not the obvious career path for someone with a biology degree; however, a biology major might help throw a new perspective on cybersecurity given that advancements of technology will eventually interface with the human body organically creating a scary threat landscape. Often too we talk about cybersecurity in the context of oil and gas, or transport, or finance. Cybersecurity today and going forward, is a horizontal across every industry, as opposed to just being by itself. Every industry needs cybersecurity professionals. People from other disciplines could provide their own perspectives and add value to how the job is done. For example, some of the best cybersecurity communicators otherwise known as “Social Engineers”, I know are drama majors, communication majors and liberal arts majors. Why are soft skills critical? The risks here are complex. If these risks are not articulated in a business language, such that executives are not able to grasp their importance, then what you will have as a result are cyber policies, created from the ivory tower, which everyone must follow, and which would inhibit the business instead of enabling it. If cybersecurity becomes more inclusive instead of exclusive, then we will be all the more superior to the attackers. As it is, it’s the enemy who are inclusive. They don’t have any requirement that hackers should have this or that degree or should have attended an Ivy League school. Most hackers are self-taught, and when something sparks their interest, they go online. They read. Nobody tells them they could not do it because they are not a good fit. Initial strides Foremost, before anything can be done, there must be an acknowledgment of the current situation and the need to be more welcoming. Business leaders and decision-makers must recognize the unconscious bias that they have. They have to understand that creating positive disruption and changing patterns are a business differentiator. My organization is active in our advocacy for inclusion in cybersecurity, specifically for women. We have been speaking to organizations on positive disruption. A good way to create action is through regional events and grassroots involvement. We bring the community together, and it is these communities that conduct classes and organize meet-ups and training courses. We did this in reaction to the more established cybersecurity conferences that present numerous barriers to entry, and which are more for senior professionals. Women may not have the luxury of being able to spring for the travel, or leave their homes for days at a time, and perhaps find childcare for the time they are away. ISC2 also now has an associate certification, where an individual can take the certification examination without the work experience; providing an opportunity for employers to recognize & support candidates entering or transitioning to the cybersecurity industry. Personal reasons My passion for diversity in cybersecurity is driven by several things. First, given my degree in sociology, I must have had a hundred interviews before landing on a job in technology, even though I knew a lot about it – it had been a hobby for years — and it was clear I was keenly interested and willing to learn. They said I was not the right fit because I did not have a technology degree; specifically, a computer science degree. Didn’t matter that I could code in Assembler, BASIC, C, Cobol, Comal, Forth, Fortran, Logo, Pascal, PL/1 or Algol. And I thought, if this could happen to me, a white male, think of all the others who could not break the barriers! I ended up leading the engineering department of the first company that hired me. And then I met my wife, who herself had to break barriers in IT because she was a woman. For example, during meetings, she was seen as more of an assistant rather than a peer, even though she was very technical. My male colleagues initially said I was just on the bandwagon with my advocacy for women in cybersecurity. I said no. Men have to recognize that we have to be part of the solution, since many of the positions of senior leadership are occupied by men. ‘This is not my coffee’ I have a good analogy for all this. Suppose you went to a Starbucks, and when your coffee is given to you, you see that it was not what you asked for. For a moment you might think you might as well take it, because the barista probably knows what is good for you, more than you do. But no – you renegotiate. The barista does not know any better. You then look for the manager to explain the mistake and to get the drink you want. Empathy is what can truly enable us to understand that we need to change the status quo. Yes, I am male, I am white, but I know that my background is a lot different from that of my peers. Because of this, I am very empathetic in that I know there are institutionalized barriers. I should know – I have spent the past 25 years in security. What should really matter is that there are many talented individuals capable of both critical and creative thinking. They may not come in the shape and size we have traditionally expected them to be, but they are interested. They are intelligent. In the end, only three questions should matter to organizations when they decide on investing in somebody for a cybersecurity role: Do you have the brain? Are you passionate? Can you learn? Kyle F. Kennedy is a social cybersecurity expert and president of His organization provides foundational soft-skills training for a small fee (supported by corporation donations) and plans to launch soft-skill Masterclasses in 2019.They helped organize an event called Day of Shecurity, for women of diverse backgrounds to have one day of learning: tech/ hard skills, soft skills. They had opportunities for mentorship and guidance. Day of Shecurity was FREE to attendees!
Black Lives MatterTranscript:Hey everyone… So as if this time was not hard enough as it was with Covid… the American Black community has been affected yet again.It's difficult to post motivating content while so many are feeling a sense of outrage and so much going on. So I'm going to pause, slow down, or at least take into consideration the posting of new content during this period. Of course people still need to work, so I can't stop completely and I do have episodes coming down the pipe.There's a personal story I want to share related to this…A friend and I were driving once, but he realized he left his wallet at home, which had his driver's license. I said, not a big deal, they can just look you up if you get pulled over. He then looked at me, and I then figured it out… he's black. It hit me then how privileged of a life I had. It then hit me how scary driving while back really is.I may not be white, Christian, and from the suburbs, but I'm not black and male.I may not have the best things to say at this moment, but I realize staying silent isn't an option. I don't have a TV and I'm not on Twitter often, but the little I did see made me realize silence or status quo is almost as bad.Diversity and inclusion are integral part of this podcast. I've never called it out, as I just wanted my lineup to speak for itself. Many of my guests are black. For the longest time it was rare to see brown or black person at a security conference… it was quite lonely.For listeners outside of the US, please try to empathize with whatever social divide you have in your country. It could be the religious minority in your country, the darker skinned, those of a "lower" social caste, the poor, or whomever it may be… there are always those that marginally suppressed or oppressed.So….I stand with the Black community against racism, violence, and hate. Now more than ever we must support one another as allies and speak up for justice and equality.#BlackLivesMatter******************************************Website:
Having completed 20 episodes, I decided to take a moment to go over each episode briefly. Thanks to call my guests! Ep01 - Dan Borges: Ep02 - 0daySimpson: Ep03 - Christina Hanson Ep04 - Matt Toth: Ep05 - Rob Carson: Ep06 - Robin Stuart: Ep07 - Clay Wells: Ep08 - Elvis Chan: Ep09 - Virtual Kyle Kennedy: Ep10 - InfoSteph: Ep11 - Yaron Levi: Ep12 - Jack Rhysider: Ep13 - Marcus Carey: Ep14 - Nipun Gupta: Ep15 - Adrian Kaylor: Ep16 - InfosecSherpa: Ep17 - InfosecJon: Ep18 - Masha Sedova: Ep19 - Jared Folkins: Ep20 - Leron Gray: Getting Into Infosec: Twitter: YouTube: Book:
RECAST any part of this episode: 2 of 2 - Nick Jeswald has been an external and internal recruiter in security. He shares with us what he looks for in a candidate, common mistakes made by candidates, and the nuances of hackers he's learned over the years.BIO:Show Notes:SEE PREVIOUS EPISODE FOR COMPLETE NOTES & RECRUITING TIPS FROM NICK.Getting Into Infosec:Follow Me on Twitter: To YouTube: My Book: up for updates and commentary:
Tracy Maleeff (@InfosecSherpa) was a professional law Librarian and at the top of her game. Looking for change and meaning, she searched until she found the field of Information Security. This is her journey. BIO: Tracy Z. Maleeff (/may-leaf/), @InfoSecSherpa, is an independent information professional providing research and social media consulting, with a focus on information security. She is a frequent presenter about best practices of data mining from social media, professional networking, and introduction to information security topics. Tracy has 15 years of experience as a librarian in academia, corporate, and law firm industries and earned a Master of Library and Information Science from the University of Pittsburgh. She is the Principal of Sherpa Intelligence LLC – your guide up a mountain of information. Notes: There is a condition called "Librarian Face" Librarians, who Master's Degree in Library Science, are taught to be approachable Was never a public librarian, worked in "special" libraries. This made her really good at finding and accessing data. Tracy shares some social engineering tricks she did earlier in her life. Didn't grow up with computers around her. Advice: "Know yourself" Quotes: "If you are out in public… people are likely to come ask you questions because you look like you know things." "I did fail, but I did not fail as badly as I thought I would!" "I don't regret the path that I took." "For someone like me who does come from a technical background... having the certifications is what people want to see." "They need to see some receipt!" "Even if it turned out to be nothing, don't be afraid to speak up." "I don't think I realized it was social engineering, I just knew it was something that I wanted." "Managed to talk my way not only on the plane, but also into business first." "They had me at port scanning." Links: Infosecsherpa: Women’s Society of Cyberjutsu (WSC): Intro Music: Cascadia by Trash80 - Outro Music: JR Tundra - Natty Roadster Resources: Art of Improvement: Getting Into Infosec: Twitter: YouTube: Book:
Ismaelle Vixsama (aka Izzy) has a knack for finding strategic flaws and speaking up about them. Doing so helped her get her first full-time job as well as have repercussions for defensive egos. Her whole career is a war story.BIO:Izzy is an ISMS manager with 7 years of experience. She has worked in FinTech, Government, and Security R&D. Her work has allowed her to work on several mainstream products and services with some of the most well recognized brands.Notes:ISMS - Information Systems Security ManagerCreates a security program around a company's information systems.Played the CISO role initially, very CISO like roleFirst role in security was in RiskIzzy comes from a very traditional Haitian backIzzy came up benefits at her job for an opportunity to learn something new and be in a non-toxic environment.First heard/learned about hacking at 15 from an AOL chat with a "hacker".At 23 decided to speak up in a meeting a provide feedback, which led to her being hired Full-Time.Quotes:"At the time I was 22 years old, the pay wasn't that great but for me it was amazing because I was doing something I hated, I had benefits at my previous job but this company was giving me an opportunity to learn something new. To me that was so exciting.""He looked at my resume and he said 'I realize you have no cybersecurity experience.' By starting the conversation like that it took some pressure off of my shoulders." 10:00"I was so nervous that he was going to drill into me about all these topics I had no clue about.""I didn't even [know] I had sisters.""Everyone just kinda wrote me off." 16:20"Who is the audience, what do we want to say here?" 21:13Worst comment ever... "We have to really train you on your critical thinking skills." 22:45"A good idea is a good idea, regardless of who it came from.""My whole career is a war story." 32:05Links:Izzy on Twitter: story: - Her story is on Twitter:'s BUsiness, VixCyber: Cybersecurity Framework: Music: Cascadia by Trash80 - (Released under Creative Commons)Outro Music: "Feather Duster" by Geographer: Into Infosec:Twitter:
Recast Link for sharing your favorite snippet: Janca, also known as ‘SheHacksPurple’, is the founder, security trainer and coach of, specializing in software and cloud security. Her obsession with securing software runs deep, from starting her company, to running her own OWASP chapter for 4 years in Ottawa, founding a new OWASP chapter in Victoria, and founding the OWASP DevSlop open-source and education project. With her countless blog articles, workshops and talks, her focus is clear. Tanya is also an advocate for diversity and inclusion, co-founding the international women’s organization WoSEC, starting the online #MentoringMonday initiative, and personally mentoring, advocating for and enabling countless other women in her field. As a professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.Notes:Part of security is teaching securityStarted in software development then starting meeting hackers, and decided to switch into security.Tanya is extremely scholastically inclinedShe comes from a family full of Woman Computer Scientists, Technologists, and Mathematicians!Her aunt was the FIRST to graduate in CS from Ontario.Her mother was a mathematician.She had four uncles in Computer Science.Tanya's Quick List For Getting Into Infosec:Responsibility of a mentee: [30:29]Have energy and timeRespect your mentor's timeNeed to have already looked for the answer online before you ever ask them for somethingThey are not a free consultant, you shouldn't ask them to do your workYou shouldn't stand them up for meetingsRecognize and have gratitude for the fact that this person has a crap-ton of knowledge in their brain that they're sharing with you for free. They're taking the time out. You're not their daughter or son. You're not their friend. You're a person in their industry and they're trying to pay it forward.You want to actually do the exercises that your mentor gives youChoose your mentor wiselyDo not expect your mentor to find you a jobQuotes:"We're graduating people who don't know how to make secure software, but they do know how to make software!  So that ends up being insecure software." [4:57]"So if I was going to teach a software security course at a university, they would pay me as an adjunct professor and they would pay me almost nothing. It would almost be equivalent to volunteer work." [5:35]"I thought I really wanted to be a penetration tester until I discovered that there is this weird spot… in between red team and blue team." [10:17]"A lot of penetration testers get a little depressed."[11:07]"People just don't know how many super awesome cool things there are out there!" [15:11]"The people I liked the best are the people in my computer science class." [22:24]"Honestly, I just smoked a lot of weed and just showed up and would ace things." [22:12]"You don't have to spend money at the beginning necessarily." [31:58]"Which certification should I get so that I can be a good pentester?" [31:34]"I don't know enough to be a mentor." [31:50]Links:Tanya OnlinePersonal Site: Left Series: Framework: Bühler Into Infosec:Breaking IN: A Practical Guide to Starting a Career in Information Security:, Mugs, and more: up for sneak peaks, updates, and commentary:
Was arrested in High School for disclosing a vulnerability in the school IT systemSyntax is an internal pentester for a large organizationWent to college for Computer Science, but dropped outInspired by the Movie HackersFirst computer had a 1MB hard drive (Yes, not a typo!)Still went to Defcon even when he was not in IT or working in securityWas a professional motorcycle racerKept all his rejection letters as a way of motivation to keep goingHad some business and entrepreneurial experience in the past, which helped him get back into the fieldGot back into security through… IT!Quotes:"A lot of our time is spent arguing with the other departments and justifying our findings." [2:58]"Is this cross-site scripting really a problem.""I get stuck a lot… it's kind of the nature of the beast." [5:17]"I'm not going to work in tech again." [12:21]"You're a motorcycle mechanic… why should we hire you?"[19:07]"It's my hacker family. These are my people. Everyone in security, they make sense to me, cause they're all kinda like me." [19:41]"I kept getting this projects coming my way and I constantly said YES." [22:07]"Have you done this before… no, but I'll learn!" [25:06]""No, this is website scraping… because I had that mindset… I was seeing it different than other analysts." [26:00]Links:Syntax on Twitter: Music: "Pure Decking" by Patient Zero from the album "Screen Saviour" her link is and she is @DoctorKraft on the twitterGetting Into Infosec:Breaking IN: A Practical Guide to Starting a Career in Information Security:, Mugs, and more: up for sneak peaks, updates, and commentary:
These are quick hallway conversations with recent graduates discussing the difficulties they've faced in their job search. I did not know any of these people before interviewing, and it's the first time I'm asking them these questions. This was recorded at RSA Conference 2020.Getting Into Infosec:Breaking IN: A Practical Guide to Starting a Career in Information Security:, Mugs, and more: up for sneak peaks, updates, and commentary:
Adrian is a Sr Sales Engineer with Splunk who focuses on security. He has worked for various security startups in the bay area for the past 15 years from vulnerability management, to endpoint investigation, to ML based threat hunting. Notes: Had an interest in security early on, starting with opening binaries on Sierra's King's Quest games and looking for hints. Took any opportunity he got to get exposed to security His job as an instructor was very useful during support and later as a sales engineer Keeps a Trello board for his lab!! Adrian expenses (deducts) what he spends on his lab from his taxes. (Consult a tax attorney) He mentions an awesome hack for installing Kali on a chromebook (~22 mins) Quotes: "I remember the first time I found Phrack, my mind exploded a little bit." "Experience is experience, everything that you use [skills] will get used later on." "...figure out what pieces their missing, so you can fill them in." "Go through the CIS top 20 critical controls" "Be less focused on the whizbang fun stuff, and more focused to get you the most return." Links: Please thank my guests for sharing their time with us and let them know if this episode helped you. Adrian Kaylor on Twitter: Adrian Kaylor on LinkedIN: Phrack Magazine: Lack Rack: ISS: Splunk Dev License: CIS 20 Controls: JA3: Irongeek: Netsec Reddit: SANS Holiday Hack Challenge: Garage Door Hack by Samy Kamkar: Sam Bowne's Class: Adrian's Presentation on YouTube: (Picture of lab at 24:05) Intro Music by Trash80: Outro Music (Liberation Theology - Exploitation is Sin): Learning Resource Mentioned: based on: Getting Into Infosec: Twitter: YouTube: Book:
0day (“Zero Day”) is a security researcher who specializes in distributed systems security. In his career journey through a "Geek Squad" like service at Circuit City ("Firedog") to trading floors and corporate information security, he’s amassed significant experience in the industry and is an example of how security consciousness is important even before you're an official security "pro". In our conversation, 0day discusses getting into computers as an inner city kid, acknowledging how our hangups can affect the growth of InfoSec, the benefits of older technology, and much more. Episode Highlights: 0day defines distributed systems and how he and his team ensure they remain secure. How his first hacking experience arose out of necessity. The inner-city program that fostered 0day’s early interest in computer systems. How the less-advanced technology of the Modem Age gave him a clearer understanding of how computers and the Internet worked. How did Circuit City allow 0day to take his first step into the professional tech world? His first taste of information security dealing with his company’s most dissatisfied clients. 0day tracking down a security vulnerability through a coworker’s NSFW browsing habits. What are 0day’s thoughts on the modern security industry and how it could be improved? The importance of getting over our own prejudices and mentoring those coming into InfoSec. 0day recommends books and conferences for those starting out or interested in the industry. What’s 0day’s average routine at his current job? Why computer science alone isn’t a solid enough background to get into InfoSec. His advice for overcoming shyness at your first security conference. Quotes: “The malware I came across in those days, I still don’t see anything as unique.” “We should really reach out to a wider swath of society to give them an interest in information security.” “We as a community need to be less exclusionary by default, and be willing to look at some of these candidates who we are ignoring just for the sake of our feelings toward a particular certification or particular path.” “We as people who are more seasoned in the industry now have the responsibility to also make ourselves available to those who are coming into the industry.” “When you take away some of the complexity it makes it more difficult for someone to understand the underlying constructs, but at the same time it makes it easier for them to access, so there has to be a balance.” “As you start to get really familiar with anything, you can see both the dark side and the light side of it.” “We as professionals have some responsibility to disseminate correct, accurate knowledge.” Links: 0day’s Twitter account: Youtube talk about Twitter: Outro: "Cyber Sunset" Getting Into Infosec: Twitter: YouTube: Book:
Summer was crazy, my day job is keeping me super busy, and I've been really mentally occupied lately dealing with kids, family, and school. I miss producing shows, and will be getting back into it, have some really good shows queued up. I've still active on Twitter when possible, so we can stay in touch there in between shows.Oh and by the way, it's been a year since I started podcasting! Pretty cool. So many things I want to do with the show like animating my spoof ads and transcribing the shows.Anyway, just wanted to update you and let you know I didn't forget about you. I can't wait to release some of these amazing shows.As we depart, here is a preview of draft a spoof ad I put together real quick. It talk about my love of the word "cyber". See you next time. Getting Into Infosec:Follow Me on Twitter: up for updates and commentary: To YouTube: My Book - Breaking IN: A Practical Guide To Starting A Career In Infosec -
MC OHM-I (Leron Gray) talks about his next project about tabs in the browser, trap music, and some background on his awesome song Domain. Getting Into Infosec: Twitter: YouTube: Book:
My thoughts on consuming vs production and how it relates to Getting Into Infosec. Sometimes we get stuck learning, consuming security news, trends and etc... but we forget to produce something. Whether it be testing a new exploit we heard about, trying something new in our lab, or applying something we learned the day before. Finding the write balance is important. If we're stuck, take little steps - better than no steps. Links: Getting Into Infosec: Twitter: YouTube: Book:
So as I was at RSAC, I was trying to keep an eye out for those looking to get into the field. RSA is not usually the place for that, but I saw the NetWars tournament and figured that might be a good place to start. On my way there, I met David Zeichick who had "College Day" on his badge. Intrigued, I asked about "College Day" and he told me all about it.I sat down with him for an impromptu interview on the topic.David on Twitter: Into Infosec:Breaking IN: A Practical Guide to Starting a Career in Information Security:, Mugs, and more: up for sneak peaks, updates, and commentary:
Elvis Chan is a Supervisory Special Agent Elvis Chan, who works cyber security matters for the FBI San Francisco Division. We discuss how we got into the FBI, Life in the FBI CyberSecurity Division, and how to get involved. The FBI is always looking for qualified applications for Special Agent and professional staff positions. Please see for more details. Notes: There are three main roles in CyberSecurity at the FBI: Special Agent (Gun Carrying Badge) Intelligence Analyst Computer Scientist It may be quiet on the outside, but you can bet the FBI is hard at work on the inside. Protection of the recent elections was discussed. The sheer number of people involved in protecting the elections from foreign actors couldn't be enumerated. Both the public sector and private sector involved. In an incident response, there is often coordination with FBI headquarters and sometimes other 3 letter agencies. FBI San Francisco was the squad of record for investigating the 2014 Yahoo hack. Elvis goes into detail explaining more about Russian Hacking and how the FSB culture works. Placement in the FBI is based on a ranking system. Quotes: "There are a LOT of things behind the scenes I can't talk about." "If you see in the news that there is a hack, you can be sure that there is at least one maybe two, maybe several, office mobilized to figure out what the heck happened." "On a regular day, I would love to just go through my email and have the scheduled meetings I'm gonna have." "Why are the Russains coming after us..." "Whatever happens to you... 'The Need of the Bureau'" "My current job, despite all the paperwork and meeting I don't want to go to is a 10 out of 10!" "People would not believe some of the stuff that we've seen or that we've gone through. They would make the worst movie plot because they would be so unbelievable!" Links: FBI Jobs 2014 Yahoo Hack FSB InfraGard FBI Field Offices
My book is out! Breaking IN: A Step-by-Step Guide to Starting a Career in Information Security
Rate Podcast
Get episode alerts
Subscribe to receive notifications by email whenever this podcast releases new episodes.

Subscribe to receive notifications by email whenever this podcast releases new episodes.

Recommend This Podcast

Recommendation sent



Join Podchaser to...

  • Rate podcasts and episodes
  • Follow podcasts and creators
  • Create podcast and episode lists
  • & much more

Podcast Details

Sep 5th, 2018
Latest Episode
Jul 16th, 2020
Release Period
No. of Episodes
Avg. Episode Length
29 minutes

Podcast Tags

Do you host or manage this podcast?
Claim and edit this page to your liking.
Are we missing an episode or update?
Use this to check the RSS feed immediately.