We find ourselves in strange times. In response to the ongoing coronavirus epidemic, organizations have swiftly closed their offices and mandated that all employees begin working from home. This development has created security challenges with which many organizations are still grappling. That’s not the only impact COVID-19 has had on security. Social distancing orders have separated security professionals from peers, training materials and conferences—resources that play an integral part in up-levelling these individuals’ skills. The reality is that digital threats continue to emerge despite the quarantine measures, so security professionals need to find a way to continue to develop their skills while they’re isolated in their homes like everyone else if they hope to keep their organizations safe. But how do they do that, exactly? We asked several infosec experts to share their thoughts on the matter. Fortunately, their answers yielded an abundance of resources that can help infosec personnel get the training and skills development that they need. Here’s what these experts each had to say.
There are some great resources out there that can help people elevate their information security skills to every level. Pluralsight is an amazing platform, and it is free for the month of April. Cybrary is another excellent learning platform that’s focused on helping people who are interested in cyber security and IT by providing them with lots of great free content. Autopsy digital forensics training is freely available to anyone who signs up before May 15, 2020. Meanwhile, if you’re planning on using some of your time to learn more about the cloud, there is a fantastic course freely available on freeCodeCamp’s YouTube channel to help you become an AWS Certified Cloud Practitioner. FreeCodeCamp has lots of other free technical courses on YouTube, so check them out here. At Cygenta, one of our most popular blog posts is all about getting into the cyber security industry, so if you’re just starting out, take a look and subscribe to our YouTube channel for everything from cracking passwords to understanding social engineering. And if you have little ones that need entertaining or if you just want something fun to occupy your time, check out our free activity book with challenges that include coloring in, spotting the security flaws and solving a cipher puzzle.
Rita Nygren | Business System Administrator, BI & Project Management, Tripwire
Two resources in particular stand out for me. First, if you’re looking to improve your AppSec skills, I would definitely check out the OWASP Foundation’s Virtual AppSec Days. The virtual training conference will enable attendees to deepen their familiarity with defending Kubernetes environments, automating security in DevOps and a plethora of other topics. Second, you can definitely take advantage of the SANS Institute to take advantage of all the learning materials they have to offer. Organizations can use SANS’ work-from-home security awareness kit to build their employees’ awareness of evolving digital security risks, for instance. Additionally, security professionals who choose to purchase an OnDemand course through April 30 can get a free GIAC Certification attempt. You can learn more here.
Stuart Coulson | Manager, Business Engagement, Cyber Security Challenge
Working from home may be new for some, so the work environment will be different. The desk, the sounds and perhaps even the kit you are using may be different, so my first tip is to try and create a ‘work environment.’ Have a defined area to work in and have set hours you work there. Outside of them, close down your kit and put it away. Think clear desk policy! My second tip is sound. Try MyNoise.Net and use the Café Restaurant setting to give an ambience of a working environment. There are also YouTube videos of office sounds you could use. I do not recommend listening to a radio or music, as you end up singing along. Third tip: these are unprecedented times, so ensure you have at least one camera session call a day with team members to check in with. This will help you chat. It’s great for mental health, but it also keeps you in touch with the team. If there are any social nights, then definitely attend those too. Finally, get fit. Take this time to get yourself mentally and physically fit. Do some online courses to expand your knowledge and also consider 30 minutes per day of exercise. Good luck, everyone, and remember: you’re not the only one struggling. We are all struggling in some way, so be brave and talk to someone about how you are getting on.
Chloé Messdaghi | Vice President of Strategy, Point3 Security, Inc.
While dealing with COVID-19, we need to focus on the mental health of our colleagues, employees and ourselves. Separating personal life from work life has become a tricky situation. So too has dealing with the waves of emotions that this pandemic brings. We have people who were already dealing with depression, anxiety, and burnout prior to COVID-19... and now it's much worse. With COVID-19, we are dealing with severe emotional and physical burnout. I highly recommend that everyone within infosec share the resources below with everyone they know in and out of infosec because it can save someone's life.
- 24-hour Suicide Prevention Lifeline: 1-800-273-8255 or text 838255
- 24-hour Domestic Violence Hotline: 1-800-799-7233
- Disaster Distress Helpline: Call 1-800-985-5990 (TTY 800-846-8517) or text TalkWithUs to 66746 for 24/7 support
- Crisis Text Line: Text HOME to 741741 for 24/7 crisis support
Alethe Denis | VP, Dragonfly Security
Regarding upskilling or continued education opportunities during the quarantine, I wanted to share something that Marcus Carey started and that he’s decided to call “QuarantineSec.”
He’s offering free training to anyone who is prepared to put in the time and do the work towards the Sec+ or Network+ certifications. He’s teaching the classes twice a week in the evening. He has sponsors lined up to make sure students can not only get the knowledge they need to pass the certification exams, but also take the tests at no cost to them.
I thought this was extremely generous and kind-hearted, and wanted to highlight this effort for our community. Lots of businesses are offering free courses and opportunities to learn at a discounted rate. Marcus has gone above and beyond to facilitate free education and free certification. For the students who put the work in, they can earn the opportunity through his course to take the tests for free. We need new and up-skilled infosec professionals now more than ever before.
Marcus ( @marcusjcarey ) is a wonderful human, and he has made a huge time investment here, while most of us are hiding in our pantries binge-eating snacks and coffee just to function normally ;) Thanks for the opportunity to share my thoughts. Here’s more information about QuarantineSec.
Matthew Jerzewski | Software Engineer, Tripwire
I started off in infosec in college when a professor had us do some pentesting on an OWASP project called WebGoat. The project is a deliberately insecure web application that people can use to test common vulnerabilities found in Java-based applications. It teaches how to explain, perform and mitigate common vulnerabilities, which I have been able to take and apply in the real world. Another resource I learned about after college was a website called Hack The Box. This was a neat site because in order to gain access to resources, you first have to “hack” your way in to get the invite code. Once you gain access, they have different challenges available to you, and it’s tons of fun to just pick up when you’re bored or if you want to practice. When you want to give your brain a chance to cool down, I would recommend watching Mr. Robot. It has four seasons and has amazing writing and acting regarding the infosec world. While watching, notice the titles of the episodes for some laughs.
Lidia Giuliano | Information Security Professional
Information Security has so many fantastic resources available, with so many people offering their time to mentor others who are just starting out or wanting to extend. For me, when I started out, I did a lot of coding and system administration. I wanted to understand what was under the hood of many things. Try to do some coding a few hours a week if you have time; there are endless tutorials online. Especially if you plan to be a security consultant or engineer in a DevOps world, this will help you out a lot. If you want to get your kids started, check out https://www.codecampworld.com/ (their platform is currently open); for Python, see https://www.learnpython.org/; or follow your local coding groups (if female, @womenwhocode, @codelikeagirlau, @devopsgirls) or other coding Twitter handles for useful information on meetups and learning sessions. There are a ton of secure coding tutorials and blogs. To name just a few, Tanya Janca (@shehackspurple) has blogged and spoken a lot in this space, as has Jim Manico (@manicode); his videos are great. As a parent, there is always a lot going on, so staying up to date with the latest is really important. Whether I am walking, catching the train, or trying to reduce that long commute, I try to occupy myself watching webinars, listening to podcasts, recorded conference talks or even online training. Some of my go-to podcasts include Risky.biz (@riskybusiness), Paul’s Security Weekly (@securityweekly - there is an entire series), Humans of InfoSec (@humansofinfosec), Brakeing Security (@brakesec), and literally a ton of others. Check out Black Hills Information Security (@BHinfoSecurity); they have webinars for beginners (https://www.blackhillsinfosec.com/30-things-to-get-you-started/) to advanced techniques. SANS have free webinars, Black Hat have monthly webinars, and the number of recorded talks from your favourite conference will keep you awake for years.
For anyone wanting to learn cloud, many of the main providers have opened up their resources for free certification learning and online exams, which I am personally really excited about, with some offering free credits to use their platforms. This is a great initiative. A lot of information is available on Twitter; ignore the trash and start following some of your favourite infosec folks. There are good people mentoring, providing advice, and who just want to help.
Sarah Holt | Customer Experience Manager, Tripwire
As you know, COVID-19 is changing the way cybersecurity professionals reach their goals. Here at Tripwire, we are providing additional resources for our customers designed to help keep your cybersecurity program running effectively during this challenging time. Tripwire customers can take advantage of one of our many free and discounted training offerings for a limited time, including certification. We are also offering a 25% discount on all training throughout 2020. In addition to our customers, Tripwire channel partners can deepen their knowledge with free partner bootcamp training. Why not take this time to learn and grow? As many have seen, connecting in a digital world is more important than ever before; teams are connecting via remote happy hours, lunches, game hours, virtual walks and more. Let’s stay connected with other like-minded security professionals as well. A great place to stay connected is in our Customer Community, where you can share best practices and get additional assistance on your Tripwire instance. (You can read more about that here, Why It’s Important to Have a Customer Community in the World of Cybersecurity). I'm allocating my daily commute time to elevating my game, both personally and professionally, enjoying a daily sunrise or sunset walk, listening to a variety of podcasts from Brené Brown to Talking Cybersecurity. I encourage you to do something for yourself today: take that walk, geek out on those podcasts or blast your favorite genre and dance around in your living room!
Dr. Edward Amoroso | Founder and CEO of TAG Cyber and Research Professor at NYU
Expert skills development for information security professionals should be viewed as a lifelong pursuit, rather than a one-shot deal during a pandemic. In our work at the NYU Center for Cyber Security (CCS), we've begun to develop programs that support not only current students, but the alumni (and general public) on cybersecurity topics related to technology, policy, and even legal.
This idea that learning and skills development should be a continuous process is certainly consistent with the on-going innovation we see in our industry. Imagine if your learning stopped twenty years ago: You'd have trouble making sense of virtually everything we take for granted today in technology and information security.
My advice is to view learning as a gift you give to yourself. Find great materials on-line. Read amazing eBooks. Watch on-line classes on interesting topics. And yes - perhaps consider enrolling in a university curriculum to develop a deep understanding of the foundational issues. Regardless of the specific path, make sure you treat skills development as a must-do for the rest of your life!
Speaking of eBooks, during this time my colleague Rich Powell and I have actually created a new eBook called "Working from Home: A Guide to Navigating the New Normal". If you are in need of some pandemic entertainment and world-class comic relief, then this book is for you! This step-by-step guide, starring a fictitious social media cartoon sensation (and sometimes cybersecurity expert) named Charlie Ciso, will teach you to build a fake Zoom backdrop that will get you promoted to senior VP in ten days or less, fill your stay-at-home cupboard with more junk food than any of those weird Googleplex facilities, plan your return to the physical office with an airtight NASA-designed glass helmet, and much more! You can learn more about the book here: https://lnkd.in/dnHRFkK.
Angus Macrae | Head of Cyber Security
The reality for many security professionals, including myself, is that they have actually found themselves busier than usual during the pandemic. They’re dealing with a myriad of new challenges. But while we're all having to lock down and 'social distance,' we still need to find time and ways to continue developing our skills and knowledge. To stay sharp and keep up with those CPEs, I will be tapping into the wealth of online, on-demand learning opportunities that (ISC)² is offering free to its members and associates. Many other security training providers and vendors are also offering free or heavily discounted rates at this time, so it’s worth checking into. If you have unfortunately found yourself with more time on your hands than usual as a result of the crisis and need some focus to distract you from the dark times we're going through right now, how about pursuing a whole new security qualification or certification through online training? It could eventually change your career path for the better whilst also helping the security industry bridge those skills gaps we've been discussing here on the State of Security. Professional certifications are challenging and demanding, of course, so if that sounds a little too much right now, maybe there's still an opportunity to dig out those security or other IT/programming books you bought with the intention of reading but just ended up gathering dust on a bookshelf (virtual or otherwise.) We've all done that! I'll miss the quality conferences and seminars I was planning to either attend as a delegate or as speaker this spring. Whilst many of these will also move online, it remains to be seen how well they will work, as they will certainly lack the face-to-face networking that always plays a key part of the experience along with the additional (if unofficial) learning these events offer.
Bob Covello | Cybersecurity Writer
All of the other folks on this post have offered exceptional advice about some of the technical skills we can improve while we find ourselves in this strange environment. The world of information security is so expansive that there are nearly infinite areas to explore. Imagine if you just wanted to explore the nuances of every Linux distro out there. It is mind-numbing! I have always been a strong supporter of the value of personal growth along with technical knowledge. In a way, this period of forced isolation can allow us to reinvent ourselves, to come back to work with renewed skills as well as spirits. My recommendations for this renaissance are the following podcasts, which are fantastic for personal growth and general knowledge:
- The Jordan Harbinger Show – Jordan is an expert interviewer, and he speaks with some of the most successful and fascinating folks around. This is not your ordinary interview podcast. Jordan asks insightful, well-researched questions, always delving into the dynamics of the human condition. https://www.jordanharbinger.com/
- Stuff You Should Know – Chuck Bryant and Josh Clark explore everything from the humorous to the extremely serious on this informative and educational show.
- This American Life – This podcast from National Public Radio features stories in multiple parts that allow us to step outside of our own existence to see challenges and triumphs of others.
Here’s wishing you the best outcome once this trying time has passed.
Tanya Janca | CEO and Co-Founder, Security Sidekick
For people wanting to learn more about how to secure software, DevSecOps and cloud security, I shamelessly suggest they subscribe for premium content on my site, SheHacksPurple.dev. For those only wanting free content, I have created a post on how to start learning application security. You can view it here.
Chris Hudson | Lead Professional Services Consultant, Tripwire
Recent training highlights for me are the AWS and Azure training courses. They are great ways to get up to speed with the nuances of some of the more complicated cloud concepts out there, and they are helped in no small part by having great lab setups to test out your learning. (It reminds me how great the free tiers of these platforms are for doing your own testing.) I’d also suggest reaching out to colleagues. There could be a great opportunity to shadow or find peers who are working on interesting side projects that might benefit from an additional pair of eyes whilst also granting you an opportunity to get involved and maybe even give back to the community (via an open source project, for example). Finally, I’d also recommend doing a bit of personal tracking. I find training sticks with me much better if I’ve got a log of what I learnt. In some cases, those notes might end up being something I will tidy up to share with colleagues later on, and even a few lines of a script learnt during training can quickly build up to an impressive repository that will make you appreciate the value of training, all while helping you to remember it that little bit easier when you next need it!
Do you have an infosec training resource not shared above that you think would help people in this time of quarantine? If so, please let us know on Twitter.