Context Security

This is content that I previously posted to the GIAC Alumni mailing list.  This was written in response to a request from someon who had recently earned the GCIH credential and was interested in information on how to score a infosec job…

****************************************************************
You’ve already gotten some great advice that I agree with wholeheartedly.

Also, with the GCIH, I think you have learned a very effective attack
methodology that is overtly applicable to job searching.

“If you know neither your future employer nor yourself, you will surely never get a jobby-job” – Sun Tzu  (or some variation upon that theme.

Joking aside, I very much think that the attack methodology is applicable…
For those that chose another GIAC cert or GCIHers that are rusty on the
Attack Methodology, the phases, and how they apply to job seekers, are:

Reconnaissance – This phase is the steady state for the job seeker until an
attack/search is successful (and if you are young then this seems to be your
steady state regardless).  Here you are looking for possible targets, which,
upon finding, you will perform more detailed recon.

Scanning – this is where you craft your packets (read:resume) based on the
recon above and fire them at the target organizations.  You also might try
to glean further information in a more active manner; port scan some target
individuals (employees of the target org) to determine possible weaknesses.
If offered an interview, the recon and scanning become more focused on
actionable intelligence with which to convince the org that you, in fact,
are the droid they are looking for.

Exploitation – This phase of the attack is where you leverage all of the
intelligence and weaknesses gathered in the recon and scanning phases and
try to successfully score the job.  The information warfare concept of
perception management (see gnothi sauton/nosce te ipsum/know thyself for
additional information) should be well understood to be successful in this
phase.  You know what they want/need because of the previous two phases, now you have to convince them of your being the only rational choice.

Keeping Access – Congratulations! Your attack was successful and you have landed a position.  Now you must determine a means to ensure you maintain said position.  In particular, you might look to perform a privilege
escalation attack.

Covering Tracks - I should like to think that this one isn’t as directly
applicable to job seeking behavior, but I suppose it depends upon the
lengths that you went to in order to score the position.

<shameless plug>I will be teaching these phases in detail at Community SANS Tucson in December.  See my sig for a 15% discount code on this and other Community SANS events</shameless plug>

gnothi sauton/nosce te ipsum/know thyself

In addition to the emphasis on the target organization, you also need to
think about yourself. We generally are pretty aware of our strengths, so I
recommend you think of yourself from the vantage point of someone who is
attempting to sabotage your attempts to land the job at the target
organization.  There very well might be someone within the organization that
is threatened by your presence and will do what they can to keep you from
being hired;I’ve seen it at work both consciously and otherwise too many
times.  Even if there isn’t an evil insider (we’ll call them, incident
handler to keep with the analogy) trying to thwart your successful
compromise of the target, you will have made yourself a better attacker
(candidate) for having thought of her (be she existent or a figment of your
own paranoid imagination

Although I think the mindset/framework above is the most important aspect of a successful job search, here are some detailed tips sans the analogy/reference model…

Security Recruiters
Although I have never used any of these organizations, you might want to
consider an Information Security focused recruiter like the following:
http://www.altaassociates.com/ (current public searches:

http://www.altaassociates.com/pb_html/pb12112007144032.php)

http://www.securityrecruiter.com/ (current public searches:
http://www.securityrecruiter.com/job_openings.php)
http://www.ljkushner.com/

SecurityFocus Jobs
Also, if you haven’t already, I would check out SecurityFocus Jobs
http://www.securityfocus.com/jobs (current postings:
http://www.securityfocus.com/jobs/opportunities).  I find the signal-to-noise ratio to be much higher here than in standard job sites.

LinkedIn Toolbar
(Caveat emptor: the LI toolbar previously had a well publicized remote code
execution exploit, http://www.securiteam.com/exploits5QP0L15M0Q.html, so, as with any software YMMV).

Regarding LinkedIn, which a previous response already mentioned, one
compelling/clever add-on component for the job seeker is the JobsInsider
portion of the LinkedIn toolbar.  The basic premise of the JobsInsider part of
the LI toolbar is that it can tell you how you are connected (via LI
connections) to a hiring company as you browse postings on major job sites
(monster, careerbuilder, dice, simplyhired, etc.).  If nothing else, it is
interesting to see how many licks it takes to get to the center of a given
company’s Tootsie Pop…  (For you Pen Testers out there, I think this is an
interesting adjuvant to the reconnaissance phase that can be later used for
social engineering pay dirt (depending on your rules of engagement, of
course)).  If you end up applying for the job this can help in myriad ways
(use your imagination and/or review the “Research Your Target” section of the
blog Rick W. posted earlier: http://it.toolbox.com/blogssecuritymonkey/get-hired-in-security-today-12526).

LI Toolbar JobsInsider info here:
http://www.linkedin.com/static?key=jobsinsider_download

Hope this helps.

Seth
———————————————-
15% discount – SANS Alumni can use the following code for a 15% discount on
these or any Community SANS Event: COINS-SM
10% discount – Anyone else can use the following code for a 10% discount on
these or any Community SANS Event: COINS-SM

Upcoming classes I will be teaching:
SEC542: Web App Pen Testing (Memphis 10/20-10/23) -
http://www.sans.org/training/description.php?tid=1722
SEC401: Security Essentials (@Home) -
http://www.sans.org/athome/details.php?nid=14379
SEC504: Hacker Techniques, Exploits & Incident Handling (Tucson 12/8-12/13) -
http://www.sans.org/training/description.php?tid=1442
———————————————-