In Part 1, I discussed several important elements of landing a hands-on security gig, including passion and having the skills to pay the bills. Now I will continue with other essentials that can shape your career.
Tools vs. Knowledge
A good security analyst understands how various tools work, not merely how to run them. Far too often, I run into someone who lists a common security tool such as aircrack-ng on his or her resume without being able to explain how it works.
If you list such a tool, be prepared to answer the following questions:
“What does this tool do?”
“Why is this tool important?”
“How does this tool work?”
See that last question? That question is critical. When interviewing, be prepared to feel as though you are sitting in front of an inquisitive four-year-old. If you have never been around children at this age, just know that they often respond to answers with the follow-up questions, “Why?” and “How?”
Let us review a successful line of questioning:
Interviewer: “How does aircrack-ng work?”
Interviewee: “It lets you crack into wireless networks.”
Interviewee: “That depends on the type of wireless network.”
Interviewer: “OK. An 802.11g network protected using a Wired Equivalent Privacy (WEP) shared key. How does aircrack help you crack into this type of network?”
Interviewee: “WEP is insecure, so aircrack takes advantage of the insecurity and lets you crack the pre-shared key.”
Interviewee: “WEP uses the RC4 encryption algorithm, which happens to use 24-bit initialization vectors (IVs). This leads to the algorithm re-using some IVs with the same pre-shared key. Through collecting enough IVs, aircrack can crack the pre-shared key.”
Interviewer: “Cool. How do you do it?”
Interviewee: “You can do it many different ways. Any specific one?”
Interviewer: “Nope. Go!”
Interviewee: “You can start by running airmon to put your wireless card into monitor mode. Then you run airodump to find nearby networks. When you find a WEP network…”
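The weakness the interviewee describes, a 24-bit IV prepended to the shared key so that RC4 keystreams repeat, can be shown concretely. The following Python script is an added illustration and is not code from this article or from aircrack-ng; the PSK, IV and frame bodies are made up for the demo, and the CRC-32 integrity value that real WEP appends is omitted because it does not affect the argument.

```python
"""Why WEP's 24-bit IV is fatal: keystream reuse in RC4.

Added illustration, not code from the article or from aircrack-ng. WEP derives
each frame's RC4 key as IV || pre-shared key and transmits the IV in the clear,
so any two frames that repeat an IV are XORed with the same keystream.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key-scheduling algorithm, then the PRGA output stream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(psk: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body encryption: plaintext XOR RC4(IV || PSK).

    The CRC-32 integrity value real WEP appends is left out here; it does not
    change the keystream-reuse argument."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + psk, len(plaintext)))


def expected_frames_until_iv_collision(iv_bits: int = 24) -> float:
    """Birthday bound: with randomly chosen IVs the first repeat is expected
    after about sqrt(pi/2 * 2**iv_bits) frames, roughly 5,100 for 24 bits.
    Drivers that use a sequential counter wrap after 2**24 frames regardless."""
    return math.sqrt(math.pi / 2 * (1 << iv_bits))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext XOR ciphertext gives the keystream for those positions.
    Every WEP-protected IPv4 frame begins with the LLC/SNAP header
    AA AA 03 00 00 00 08 00: six fixed bytes plus a guessable EtherType, so
    the first keystream bytes of every IV are effectively public."""
    return xor_bytes(ciphertext, known_plaintext)


# Constructed sample data: the PSK, IV and frame bodies are made up.
PSK = bytes.fromhex("0badc0ffee")                 # 40-bit key ("WEP-40")
IV = bytes.fromhex("a1b2c3")
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")   # known plaintext prefix
FRAME_A = LLC_SNAP_IP + b"GET /admin HTTP/1.1\r\n"
FRAME_B = LLC_SNAP_IP + b"password=hunter2\r\n"


def demo() -> dict:
    """Two frames under the same IV: what the attacker learns without the PSK."""
    c_a = wep_encrypt(PSK, IV, FRAME_A)
    c_b = wep_encrypt(PSK, IV, FRAME_B)        # same IV => same keystream
    # 1. The keystream cancels: c_a XOR c_b == FRAME_A XOR FRAME_B.
    plaintext_xor = xor_bytes(c_a, c_b)
    # 2. The predictable header alone yields the first 8 keystream bytes for this IV.
    ks_prefix = recover_keystream(c_a, LLC_SNAP_IP)
    # 3. If frame A's full content is known (the attacker injected it, or it was
    #    a short, guessable ARP), the whole keystream falls out and frame B decrypts.
    ks_full = recover_keystream(c_a, FRAME_A)
    return {
        "plaintext_xor_matches": plaintext_xor == xor_bytes(FRAME_A, FRAME_B),
        "keystream_prefix": ks_prefix,
        "recovered_frame_b": xor_bytes(c_b, ks_full),
        "frames_until_collision": expected_frames_until_iv_collision(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

This stops at keystream recovery, which already decrypts traffic without ever learning the PSK. aircrack-ng's actual key-recovery attacks (FMS, KoreK and PTW) are statistical attacks on RC4's key schedule that start from the same two facts shown here: the IV is sent in the clear, and the first keystream bytes of each frame are predictable from the LLC/SNAP header.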
The idea here is that the interviewee not only answers WHY the vulnerability exists but also provides the steps required to exploit it. You need to embody this type of knowledge in this field. If you cannot explain how the Open Systems Interconnection (OSI) model works and how it relates to security, I am not impressed that you can drive tools like tcpdump or Wireshark. When it comes down to the nitty-gritty, you are not showing me that you understand what is happening behind the scenes.
“I love Wireshark.”
“It lets me see what is happening on the network.”
…and so on. If you cannot describe how Wireshark dissects a frame, decoding each encapsulated protocol header from the link layer up through the application layer of the OSI model, I would think twice about putting Wireshark in a normal “Skills” section of your resume.
Above all else, a security professional needs to be able to think critically. If you have never seen a particular type of traffic but you find yourself face-to-face with this seemingly unknown beast, you need to be able to analyze the content, form hypotheses, follow up on them, and derive answers. Even in an interview, you might find yourself sitting in front of a log file that you have never seen in your life.
“What type of log file is this, and what do you see?”
“I don’t know. I’ve never seen this before.” ← WRONG attitude
“I am not sure just yet, as I am unfamiliar with this particular log format. Let me analyze this sucker and see what I find…” ← RIGHT attitude
The panel will want you to walk through things with which you have no previous experience, because they want to know how you think. Remember to apply critical thinking when reviewing something new. Do not be afraid to state that you are unfamiliar with something.
Meanwhile, remain flexible when reviewing new content. I love hearing things like “Well, X reminds me of this thing I have seen before, Y, so I would think this might indicate that blah blah.” Make guesses. Do not be afraid to venture out of your comfort zone. Most importantly, let the panel know why you make each jump in logic.
I by no means intend to put on a resume-writing clinic. However, I must comment on a few things regarding resumes. Harking back to my comment about false hope, there is something everyone submitting a resume for a technical, hands-on position must know:
DO NOT list something in your “skills” section if you do not fully understand the topic.
If you are going to include something on your resume, be prepared to answer low-level technical questions about that very thing. For example, if I see “Python” listed under your skills section, you will be asked very direct questions about the Python programming language. If you are not comfortable with going up to a whiteboard and writing a program in Python, do not put the darn thing… you get it.
This does not mean that you cannot list a newly acquired (or recently forgotten) skill on your resume. Rather, I recommend that you list skills by level of familiarity. Think about having separate “Skills” and “Familiar With” sections. Let us pretend that you have “object-oriented programming” along with a particular language in your skills section, and that you list “Python” in your “familiar with” section. In this situation, I am not going to go into the interview expecting you to be able to explain the difference between the urllib2 and Requests Python libraries. Thus, we avoid the issue of false hope. I will, however, expect you to be able to read some Python code and explain what is happening.
Boiling it down: If you put Wireshark on your resume, be prepared to walk me through a particular procedure using the tool. Do not be surprised if I turn my laptop toward you with a PCAP open in Wireshark and ask you to navigate through the capture, explain what you see, and analyze the data. Is that something with which you would be comfortable?
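The two Wireshark exercises in this article, explaining how the tool pulls a frame apart layer by layer and stepping through a PCAP to say what each frame is, can both be done by hand. The following Python script is an added example, not Wireshark's code or the author's; it builds a three-frame capture in memory (constructed data: the MAC and IP addresses, ports and HTTP request are made up), reads the classic libpcap container, and dissects each frame from Ethernet up through IPv4 and TCP to the payload, printing one line per frame in the spirit of Wireshark's Info column.

```python
"""Walk a PCAP frame by frame and dissect each frame layer by layer.

Added example, not Wireshark's code: the same peeling Wireshark performs
(link layer -> network -> transport -> payload), done by hand with struct.
The capture is constructed in memory, so nothing here touches the network.
"""
import struct
from typing import Iterator

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def read_pcap(data: bytes) -> Iterator[tuple[float, bytes]]:
    """Yield (timestamp, frame) from a classic libpcap file held in memory.
    The magic number reveals the writer's byte order; pcapng is not handled."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _vmaj, _vmin, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != 1:                       # LINKTYPE_ETHERNET
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def dissect(frame: bytes) -> dict:
    """Peel the frame from the bottom of the stack up: Ethernet II (L2),
    IPv4 (L3), TCP (L4), then whatever application data remains."""
    layers: dict = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["eth"] = {"dst": mac_str(dst), "src": mac_str(src), "type": f"0x{ethertype:04x}"}
    if ethertype != ETH_P_IP:               # ARP, IPv6, ...: no dissector here
        layers["undissected"] = frame[14:]
        return layers
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes, options included
    layers["ip"] = {"version": ver_ihl >> 4, "src": ip_str(s), "dst": ip_str(d), "ttl": ttl, "proto": proto}
    segment = ip[ihl:total_len]             # total_len strips any Ethernet padding
    if proto != IPPROTO_TCP:
        layers["undissected"] = segment
        return layers
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4        # TCP header length, options included
    flags = [name for bit, name in sorted(TCP_FLAGS.items()) if off_flags & bit]
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "window": win}
    payload = segment[data_off:]
    if payload:
        layers["payload"] = payload
    return layers


def summarize(layers: dict) -> str:
    """One line per frame, roughly what Wireshark's Info column shows for TCP."""
    if "tcp" not in layers:
        e = layers["eth"]
        return f"{e['src']} -> {e['dst']} ethertype {e['type']}"
    ip, tcp = layers["ip"], layers["tcp"]
    return (f"{ip['src']}:{tcp['sport']} -> {ip['dst']}:{tcp['dport']} "
            f"[{','.join(tcp['flags'])}] len={len(layers.get('payload', b''))}")


def walk(data: bytes) -> list[dict]:
    """Dissect every frame in a capture, keeping its timestamp."""
    return [dict(ts=ts, **dissect(frame)) for ts, frame in read_pcap(data)]


# Constructed sample capture: a SYN, a SYN/ACK and one HTTP request. Checksums are
# zeroed (fine for parsing; Wireshark would flag them as bad).
def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), ETH_P_IP)
    return eth + ip + tcp


def build_pcap(frames: list[bytes]) -> bytes:
    """Little-endian classic pcap global header plus one record per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return bytes(out)


SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, 0x02),             # SYN
    build_tcp_frame("10.0.0.80", "10.0.0.5", 80, 40000, 0x12),             # SYN/ACK
    build_tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, 0x18,              # PSH/ACK + data
                    b"GET /admin HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    for frame in walk(SAMPLE_PCAP):
        print(f"{frame['ts']:.6f}  {summarize(frame)}")
```

Each dispatch point (EtherType, IP protocol number, data offset) is where a real dissector hands off to the next layer's parser; Wireshark does the same with a table of hundreds of dissectors keyed on those fields and on port numbers, and adds what is elided here: checksum validation, IP fragment and TCP stream reassembly, and heuristics for traffic on non-standard ports.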
The key thing to remember is that you will be tested. Be prepared to think outside the box and walk through your thought process. Embody passion. Show that you care and that you will always be ready and willing to learn new things. Show your skillset; do not let it hide in the shadows. When editing your resume, be sure to include what you truly know, and do not be afraid to list a concept as one you are merely familiar with. Explain how things work; do not just talk around the fact that they work. Overall, push your limits and show that you care.
About the Author: Ryan J. Chapman (@rj_chap) works as an Incident Response analyst for Bechtel Corporation. Ryan enjoys the challenge of handling incidents, reversing malware, and automating tasks for the Security Operations Center. He also loves public speaking and has presented at BSidesSF, CactusCon, Splunk Live!, and at the University of Advancing Technology’s Tech Forum. Ryan has an MS in Information Assurance and a BS in Computer Networking. He also holds the GREM, GCIH, LPIC1, Security+, and other certifications. Ryan has a fondness for retro gaming and enjoys “nerding it up” with his friends.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.