🎓 VulnU #008: The Top 5 Obstacles Newcomers Face in Infosec (And How to Overcome Them)
Unpacking the jargon: Insights from an infosec veteran on mastering the basics
Read Time: 7 minutes
Hello! We’ve all had to start somewhere, and I’d like to reflect on some common struggles for newbies breaking into the infosec industry. In this week's edition of Vulnerable U, we're exploring:
🌐 The Language Barrier: Why it's so hard to grasp the basics
📚 Learning the Lingo: Demystifying the jargon
🥣 Acronym Soup: A common obstacle for newcomers
❓ Don't Be Afraid to Ask: Speak up when you're puzzled
🧠 Pay Down Your Ignorance Debt: Pursue growth, not just being the smartest
Have feedback for us? Just hit reply — we'd love to hear from you!
Let's get vulnerable
Topic of the Week:
Embarking on my infosec journey over 15 years ago, I recall feeling utterly bewildered. 🤯 The jargon seemed like an alien language, and understanding conversations was a challenge, even when I mustered the courage to join in. 😓 Looking back, I've realized that many others have faced similar struggles, grappling to find a starting point for learning in this field. 🧗‍♀️
🌐 The Language Barrier
I tried to decrypt the SSL/TLS traffic from my WAF, but my SIEM kept alerting for DLP, so I had to run a SOC triage and BOLO for any APTs. Is this Klingon?
Starting out in infosec can be intimidating! With unfamiliar terms and concepts, it's easy to feel lost. But don't worry – we've all been there. At my first few infosec conferences I mustered the courage to join conversations, pretending I belonged.
Soon, I realized I knew next to nothing! I had no sysadmin experience, and my IT Help Desk background didn't cover Linux or security.
With hundreds of people seemingly understanding the speakers, I struggled to grasp basic concepts – it was quite intimidating!
🔑 Key Takeaway: We’ve all been at the “I don’t even know what question to ask to figure this out” phase.
📚 Learning the Lingo
📝 When watching a talk and feeling lost, take notes on confusing parts and look them up later. Smartphones are a huge advantage for learning on the go! 📱
🗣️ In a group conversation, don't hesitate to pause and ask for clarification. Remember, there's no shame in seeking explanations! Anyone worth talking to will be glad to help you follow along. 😊
🌐 If you come across a Twitter or Reddit thread discussing a topic you're interested in, jump in and request an ELI5 (Explain Like I'm 5) rundown. 🖐️
💡 Embrace your newcomer status! It's a powerful tool for asking questions and learning without any expectations. Make it work for you! 👍
🔑 Key Takeaway: Use your "newbie" status to ask questions and learn more.
🥣 Acronym Soup
Here's a two-part tip:
1️⃣ For acronym users: Always spell out acronyms the first time you use them in a thread or conversation. Just like what we did with ELI5 earlier! 📝
2️⃣ For those puzzled by acronyms: Don't pretend to understand to avoid embarrassment. Instead, look them up or ask for clarification. 🕵️‍♂️🗨️
🔑 Key Takeaway: There are only two bullets. Just read them.
❓ Don't Be Afraid to Ask!
Asking "dumb" questions is crucial for growth. 🌱
No matter who you are or what reputation you think you need to maintain, ask those "dumb" questions. A few outcomes may arise:
1️⃣ People will respond, apologize, and slow down to clarify. 🗨️
2️⃣ Some may struggle to answer basic questions, revealing their own lack of understanding. This happens often in infosec! 🧐
3️⃣ If they laugh, you've quickly spotted someone not worth your time. 🚫
🔑 Key Takeaway: Embrace curiosity and ask questions without fear.
🧠 Pay Down Your Ignorance Debt
While we've focused on clear communication and newbies speaking up, there's another crucial aspect. As a beginner, you're unaware of many things; you don’t know what you don't know. 🤔 Resist the urge to quickly become the smartest in the room; instead, aim to constantly surround yourself with more knowledgeable people. 🌱
To lower your ignorance debt, invest time in learning as much as possible early on, even if that means taking the slow road to a “better” job. 📚 Build a strong foundation to identify your knowledge gaps, discover your niche, and accelerate your learning journey. This approach will pay off in the long run! 🚀
🔑 Key Takeaway: Focus on growth and finding your niche in the infosec world.
💪 Keep learning, asking questions, and growing! We're here to support you every step of the way. See you in the next issue! 💌
Elective Reading
Here are some things I’m reading right now and some cliff notes or thoughts:
New use of the word “jailbreak” we’ll have to get used to. Two people tricked the bot into sharing instructions on how to make napalm and meth.
Last year, Krebs wrote a series on the proliferation of fake executive accounts on LinkedIn.
This week, we learned some remarkable new details about the recent supply-chain attack on VoIP software provider 3CX.
North Korean hackers using legions of fake executive accounts on LinkedIn to lure people into opening malware disguised as a job offer
Malware targeting Mac and Linux users working at defense and cryptocurrency firms
Software supply-chain attacks nested within earlier supply chain attacks
“This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack,”
Last week I linked a news article about the majority of firms staying quiet on data breaches. I looked at it more from a “this isn’t good for the whole” lens. Troy from haveibeenpwned had a different, scarier, take:
If you try to cover up a data breach, you’re going to spend years wondering when that email from me is going to arrive…
— Troy Hunt (@troyhunt)
8:21 PM • Apr 14, 2023
Joseph Menn article super interesting this week.
“The attacks struck phones with iOS15 and early versions of iOS16 operating software. It’s the latest sign of NSO’s ongoing efforts to create spyware that penetrates iPhones without users taking any actions that allow it in.
Citizen Lab has detected multiple NSO hacking methods in past years while examining the phones of likely targets, including human rights workers and journalists.
While it is unsettling to civil rights groups that NSO was able to come up with multiple new means of attack, it did not surprise them. “It is their core business,” said Bill Marczak, a senior researcher at Citizen Lab.”
Ransomware at a cupholder factory shut down Toyota’s production line. Talk about a supply chain attack…
Huge fan of YubiKey - have a whole thread on twitter about them recently as well. Been meaning to make a cheatsheet PDF for my readers but then I found one here! (I still might make a quick and easy one for you guys)
I'm sure you've heard of it. But do you know why YubiKey and FIDO2 auth can make you virtually phishing proof?
— Matt Jay (@mattjay)
6:56 PM • Apr 2, 2023
Good summary of a post from Google’s Threat Intel group - https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/
Russia targeting the energy sector, telegram phishing campaigns, and more.
A startup I’m keeping a super close eye on (they’re not paying me to say this …yet) - put out some great content this week.
They’ve productized the “paved roads to production” concept the founders built at Netflix. Here are some common cloud misconfigs that often make their way through without guard rails in place.
Not every day you get an interview with a blackhat. Interesting look behind the curtain with the hacker responsible for the Western Digital breach. (Lorenzo Franceschi-Bicchierai is one of the best in the biz. Just another example of great infosec journalism.)
Community Spotlight:
I’m a huge fan of great investigative journalism. I think the disinfecting sunlight that journalists provide is a crucial part of our society and keeps us closer to a balance of power.
Because of that I’m also a huge fan of my friend Runa Sandvik’s work. She is a cybersecurity vet who’s taken on the charge of protecting journalists and other highly targeted and at-risk individuals.
She did a long form interview this week that is worth the read into that world:
She’s also been closely tracking the targeting of a journalist by nation states using the Pegasus malware:
This morning, @ArtemisSeaford told @EP_PegaInquiry about what it was like to be targeted by sophisticated spyware in an EU member state. “The combination of the power of the state with the technological capacity of spyware is truly terrifying.” multimedia.europarl.europa.eu/en/webstreamin…
— Runa Sandvik (@runasand)
11:01 AM • Apr 20, 2023
Not many people doing more important work in the entire industry than Runa. I’ll be cheering her on from here.
Extra Credit:
Help Us Grow! If you know someone who might be interested in joining the Vulnerable U community, please share this newsletter with them! As of now, spread will just be by word of mouth.
Parting Thoughts:
That's it for this week's issue! I hope you found the content valuable and enjoyed the read. If you have any feedback or suggestions for future topics, I'd love to hear from you.
As always, if you have any questions or concerns, please don't hesitate to contact us. I’m here to help, and I'm always happy to hear from my readers and assist in any way I can.
Stay safe, Matt Johansen
@mattjay