Monday, May 14, 2018

Cybersecurity Job Numbers from 3/11/2018 show 285,681 open cybersecurity positions nationwide (not the 1,000,000 that I hear quoted so often).  The eight states with the highest number are:

  • California - 31,731 and a workforce supply/demand ratio of 2.6 (2.6 workers available per opening)
  • Texas - 20,007 and a workforce supply/demand ratio of 3.2
  • Florida - 12,641 and a workforce supply/demand ratio of 2.9
  • Georgia - 10,526 and a workforce supply/demand ratio of 2.5
  • Virginia - 33,454 and a workforce supply/demand ratio of 2.1
  • Maryland - 14,353 and a workforce supply/demand ratio of 2.3
  • New York - 13,771 and a workforce supply/demand ratio of 3.5
The other two states I am interested in are Washington and Oregon because I live in one and work in the other:

  • Washington - 6,458 and a workforce supply/demand ratio of 2.6
  • Oregon - 3,098 and a workforce supply/demand ratio of 2.2
[Charts from the same source, not reproduced here: In Demand Skills; Jobs by Certification; Percent Change in Available Jobs by Certification]

Saturday, April 28, 2018

GPEN Certificate arrived

Doesn't actually mean much in the giant scheme of things, other than I worked for it and I guess that is what actually counts.  I know I said I was done with SANS and GIAC stuff for a while, but I have to admit I applied to facilitate at the SANS Las Vegas conference in September because I really want to take the new SEC530 Defensible Security Architecture class.  It looks awesome.  This class doesn't have a cert associated with it, so it does reduce cost a bit, but if I facilitate I would get the certification attempt free anyway.  Still, 5 days of geeking out about network stuff, which along with the ICS area is where my interests lie / lay (which is correct?).

Friday, April 20, 2018

So what's going on here

Not much. 

Started indexing my ICS456 books (Fundamentals of Critical Infrastructure Protection).  I am still on track to be one of the first 100 with all 3 ICS certs.  Also working on NetWars Continuous.  (Not super hard, I admit, but I am working on it.)  I have to take the GCIP exam by August 2, so that means that I will be done with this by the end of July.  Just in time for Defcon.

Wednesday, April 18, 2018

SF Cybertalks

On Monday (16 Apr 2018) a co-worker and I attended CyberScoop's “SF Cybertalks”, one of many events associated with the RSA conference week down in San Francisco.  I was attending to take my rightful place among the cybersecurity elite after passing my GPEN exam and to hobnob with the bigwigs.  I’m not sure why my co-worker was there; probably because it was free and they were giving us breakfast and lunch.

The talks began at 0830, after a delicious FREE breakfast of bacon and pineapple, with a keynote by Jeanette Manfra of DHS.  Her talk was called “How (Cyber)Defense Can Win Championships.”  The basic points of the talk were:

a) We need to increase baseline security by better understanding systemic risk, identifying national critical functions, and using that information to disrupt the ability of threat actors to operate and degrade their operations.  This will narrow the attack space that threats can operate in.
b) We need to start pushing vendors to more secure solutions through purchasing power and procurement practices.
c) Organizations need to stop chasing phantom threats.  For most organizations nation-state hackers are not a real concern; use data to identify what is.
d) Information sharing among peers needs to become a priority (i.e. ISACs).

Next, after a delicious cup of coffee (not the recycled pig water we get at work), Amit Yoran, CEO of Tenable, talked about “Making Cybersecurity Suck Less”.  The basic takeaway here was that IoT is going to force major changes on the enterprise, which security is not embracing.  This is causing security to be viewed as an impediment, not a partner.  The way to deal with this is not by standing in the way but by:

a) doing the basics well (CIS Top 5) (pay attention, this stuff comes up again),
b) PATCHING,
c) MFA (“if you aren’t doing MFA you aren’t doing security”) and
d) continuous monitoring / incident response.

At this point I think I insulted the venture capitalist I was sitting next to by saying that VCs needed to stop investing in new products, we have enough of those, and start investing in innovative workforce development.  He took it in pretty good humor though and invited my co-worker and me to a cocktail party later that evening.  We had to decline because of our flight back to Portland. 

Next there was a fireside chat regarding North Korea’s Hack Mindset.  The gist: North Korea isn’t crazy, despite what we may think.  Their cyber-operations and nuclear programs are designed to level the playing field against the greater powers and to serve as revenue generators / sanction evasion tools, as well as to keep the Kim regime in power.

Adam Hickey of DOJ talked about “Privacy and National Security” next; basically a rehash of the 2016 election interference issues.

Galina Antova of Claroty, Lesley Carhart of Dragos, and Edgard Capdevielle of Nozomi talked about “The Growing Need to Protect the Grid”.  This was another recap: yes, we are under attack, but active monitoring / active defense can help mitigate.  This was the talk I was most interested in, so I was hoping for a little bit more.  (Don’t get me wrong, it was a good talk and I enjoyed it; I was just hoping for a little more new information / perspective.)

Another fireside chat, this time with Marianne Bailey of NSA and Essye Miller, CISO / SISO for DoD.  This centered around DoD’s growing bug bounty programs and efforts to get more women into cybersecurity.

Networking break: I spent 15 minutes talking to the Chief Marketing Officer for Nozomi Networks, mainly about the general direction of cybersecurity and about the demo of Nozomi products I had seen while at the SANS ICS Summit.

Cyber View from the White House was canceled by Rob Joyce’s sudden decision to resign as Homeland Security Adviser and return to the NSA.

Election Security panel: honestly I kind of tuned out and was talking to one of the journalists next to me.  (I should have mentioned my co-worker and I got there early and grabbed seats at what I think was a VIP table.)

GDPR panel: this was more a discussion of how GDPR would affect Google and Facebook than an actual discussion of the regulation.  Lisa Hawke, the lawyer on the panel, kicked butt.  If I ever need representation I am calling her.  “‘Too big to comply’ is not acceptable to regulators.”

Donna Dodson of NIST and Stina Ehrensvard of Yubico discussed the difficulties in driving MFA acceptance in a panel called “10 percent is too little: Time to pay attention to two-factor authentication”.  The consensus seemed to be that a lack of open standards, a lack of incentives, and a lack of ease of use are hindering adoption.  I would add poor vendor support and always having to have my phone with me.

Last talk of the day: Scott Smith, Asst. Director of the FBI Cyber Division, on the Cyber Threat Landscape, the FBI’s perspective:

a) 80% of breaches can be prevented by regular, verified PATCHING
b) MFA is critical
c) Do the Top 5 of the CIS Top 20 Controls (told you this stuff would make a reappearance)
d) Develop a top-down security culture

A “Cyber 9/11” is ongoing, with an increase in the frequency and sophistication of attacks.

Sunday, April 15, 2018

Passed the GPEN, to celebrate I am now re-reading Industrial Network Security and working on the OSCP and the GCIP

I had forgotten how much stuff was jammed into Industrial Network Security.  I was mainly going for the re-read to help pass the GCIP exam, but damn, there's a lot.  I may have to read and study at the same time (I know, "want some cheese with that whine").

Oh, and I am headed to San Francisco.  Attending the CyberScoop CyberTalks there, then headed back tomorrow afternoon.

Saturday, March 31, 2018

Ready Player One (FILM) Review

So, I just got back from Ready Player One and all I can say is don't see it. 

To begin, I am a fan of the book.  It's not my all-time favorite, but it was a good read and had a reasonably coherent story line, although there were some plot holes.  So what the hell, let's just throw all that out and wing it.  Literally nothing is the same except for some names.  The entire basis of the story is changed, as well as the tone.  It really comes off as a comedy rather than a coming-of-age story.

As I told the person I went to see it with, it's like Cline said "Hey, Mr. Spielberg, I know this book made me rich and famous but let's just bend it over the trash can and butt-fuck it to death."

Look, I know the story couldn't be 100% faithful to the book, but they even changed the hero (at least in my opinion) and even the basic concept of the OASIS.  They did the story no justice here.
