Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Infosec

BSidesLondon: How not to get hired for a security job

How not to get hired for a security job

Stephen Bonner

Why people fail in the hiring process… by doing stupid things!

Some of the things I tell you NOT to do might be exactly what your future employer wants… it’s not easy to define.

The process of hiring is about finding somebody that will fit in and add value to the team. It’s not all about the skill set.

The most important thing is to hire people for attitude. People don’t often get fired for their lack of skills; most get fired because they don’t fit in!

The first step when you start looking for a job is usually to get involved with an agent… these agents don’t have your best interests in mind! Consider that. They aren’t aligned to your values. They’re in it for the $$$

Sending emails and CVs out of the blue to most companies is also a bad idea. There are some clearly defined processes, and trying to avoid them usually ends badly. Going through an agent is sometimes the best way.

The first thing an agent will do to your CV is rip it apart to remove contact info… and therefore screw it up. It’s also worth asking for a copy, as some less reputable agents ADD skills!

Please check your CV for spelling and punctuation… oh, and if you list reading on your CV as a hobby (which I’d expect from a 5-year-old), please actually read something… and know what you read last.

Listing certificates on your CV doesn’t say you’re smart, it just says you worked at a company that had a training budget! Many HR departments put the same weight on a CISSP as on an MSc!

Photos in CVs… are just creepy!

It is extremely likely that an employer will Google you… look through your Twitter, Facebook, LinkedIn, etc… Even if it’s not legal/right. If you have a profile, make it a good one. If not, deny it’s you 😀

The Telephone Interview

Cut out the background noise… oh, and chances are the other end is on mute, reading their emails!

If you talk for 20 minutes and the other end says nothing, they might have gone! Get feedback. Challenge and answer.

The interview

Being nervous and mumbling… not good. The employer doesn’t care!

Don’t be late, and if you are, have a great excuse (e.g. you brought a man back to life on the Tube).

Nobody wants to hire somebody who you wouldn’t want to spend a night stranded in an airport with. Maybe look like a blanket?

Key questions

What is your password?… 30% of people answer, and they don’t get the job.

If you can’t stand the social engineering pressure of being asked, maybe this isn’t for you.

Nobody replies, “I don’t just have 1 password!”

Best answer was “I can’t tell you”… “because I don’t know what it is”. “Because it’s a pattern on the keyboard”. He then drew out the pattern on a fake keyboard. It was a crap password as well!

Have you ever hacked illegally?

The answer to this is always NO. If you can’t understand the context and lie accordingly, you’re probably not going to get the job.

The NO-WIN situation

Just like Star Trek… put them in a situation they can never get right. See how people who always succeed deal with failure. Covering it up and denying it happened isn’t a good plan. Deal with the failure.

Team work

How you deal with communications and then follow simple instructions. It’s all about the communication and figuring out issues before they happen.

Have you got any questions?

Do ask… and no, “holidays” isn’t a valid question.

Check you’re applying for the right job. Oh, and the right interview.

Don’t lie about your experience and job. It can be checked.

Don’t slag off your employer. The prospective employer knows you’re going to talk crap about them in the future too!

What happens when you get the answer (NO)

Don’t argue, but get feedback

Arguing doesn’t help. They’re not going to change their mind after all.


Infosec Europe Round-up

After 3 days on my feet, Infosec Europe has closed its doors for another year. I’ve got mixed opinions on this year’s event. I skipped last year’s show, but remember the 2007 show with (somewhat) fond memories. At the time I was job hunting (sort of) and spoke to a lot of vendors as somebody looking at security from the outside. Companies like SecureTest gave me some hints on what they looked for when hiring a penetration tester, and that was something that really helped me focus on what direction to head in. Saying that, other vendors (I’m looking at you Norman) thought that spending more than a few seconds talking to people who didn’t want to buy the product was a waste of time. Still, that’s all in the past. This year I was visiting with a number of specific goals in mind. I had a number of vendors to seek out and question on products, the future and how they do things. I also wanted to help out the SANS Institute on their stand, as I really believe in the training they offer. Although I didn’t manage to look around as much as I’d have liked, I did manage to get in touch with the right people and talk about the right things.

Core Security Technologies were nice enough to invite me to one of the customer evenings. It was great to get to speak to Alex and Mike and get some information on where Core’s product lines are headed in the short and long term. It also gave us a good chance to give feedback on where we use the product and want it to move to help us more in our testing. Core Impact isn’t cheap, but after going through testing on Saint, CANVAS and Impact, we’re still a happy Core customer.

I managed to say hi to Dan Kaminsky while at the event. The Hall of Fame entry didn’t go so smoothly, but sometimes things happen. The panel that followed later that afternoon was good. Even just to see all the corporate suits in the room trying to understand some of the more technical points Dan made. As is typical with me, I turned up late for evening drinks at the Marriott and the evening get-together was already done. Still, there’s always Hacking At Random in the Netherlands.

The one thing I saw at the event that actually made me sit up and pay attention was at the Infoguard AG stand (a Swiss company). What they were selling (end-to-end layer 2 fiber encryption) was mildly interesting. However, the demo they had off to one side was enough to make me stop and double take. Using a small device bought from eBay, the Infoguard guys were demonstrating how simple it was to sniff one side of a VoIP call running over fiber. I’ve always thought that fiber was harder to sniff than copper lines, and for some reason always thought that it involved splicing into the fiber and therefore disrupting the service for a few seconds. The device Infoguard was using simply introduces a small bend into the fiber and uses the light that leaks out to capture the data. The device is about 800 pounds on eBay. A little much for day-to-day demos, but cheap enough to make this kind of attack a reality. So, make sure you’re encrypting your data before it hits the fiber. Nothing is safe nowadays.

Even Infosec Europe isn’t immune to a little bit of hacker fun. Although it’s not a Defcon logo, and is more than likely just a configuration issue, the cash machine at the event didn’t seem to be so happy. Personally, I made the walk to a cash machine down the road, but each to their own I guess.

Overall, Infosec this year was much the same as Infosec back in 2007. Same products, same vendors, same old same old. Still, the networking opportunities made the trip well worth it. I’d like to thank everybody that I talked to at the SANS stand, as well as Core Security Technologies (thanks Alex/Mike), and @dakami (I’ll buy you a Club-Mate at HAR2009). Next year, maybe I’ll stay home and just re-read the material from this year. I’m sure it’ll all be the same anyway 😉

Infosec Europe

Sorry for the lull in posts. I’m flying around a lot (back from Blackhat and almost straight to London for Infosec).

I’m flying out this afternoon to London and will be at Infosec next week. If you’re at Infosec, give me a shout. You might be able to catch me at the SANS Institute stand, as I’m helping out there where required.

Hopefully I’ll get a chance to meet up with a few people while at the event. Alex Horan from Core Security is there giving a talk, and Dan Kaminsky is talking in the Hall of Fame (maybe he has time for a beer or 3 after the event). Other than that, lots to see and do.