Heck yeah! A new decade. There will certainly be a new meta for 2020 within security, with dozens of new events, job types and incidents that will occur.
If you check my last post (excluding all those in the 'draft' section) it was 2017. Ouch. Quite literally, there was a huge phase of my life where all my creativity was dedicated to getting married, the Privasec RED team and DroneSec. Going from a consultant, to managing a team, to then an executive leadership position has really carved out a lot of my time for anything additional to work other than SecTalks. I'm not at all upset about it, but I did enjoy regularly blogging and sharing my thoughts before that. What better way to kick off the first day of business for 2020.
It wasn't just my blog that suffered from a lack of effort - I stopped replying on almost all social media; from Quora, to Reddit, various forums and barely even touched Twitter. It's been nice; sometimes the toxicity and drama of these platforms makes me happy I invest my time and effort into proprietary stuff. At the end of the day though, there was a large amount of time in my life where I was searching for answers in InfoSec, and appreciated help and blogs as much as the next guy/girl. For that reason, I'm picking this back up - plus, for all the years 2017 and below I had something to reflect on. For 2018-2019, it's almost all business output! Ouch.
First off - I'm going to start consolidating some of my other posts/comments/discussion from other sites to here. Let's kick off with two recent Reddit Q&As on some of my favorite topics, InfoSec and Gamification:
Q: Trying to get workers inspired about their eLearning System via Gamification:
A: "Really interesting take. Maybe you should look at the incentives - what might motivate some might be different for others. Gamification can be the method of delivering incentives such as: 10 challenges in a row = premium parking spot at the workplace for a month. Or, a dinner with the CEO after 100 challenges completed. Others might be motivated by public profiles showing their score vs others, and getting that respect having achieved 100/100 for all sections.
You’ll need to get upper management support in this, to make sure the incentives match the underpinning gamification (is it dev built or a plugin or?). If supported and announced by upperman you’ll have what you need for people to get involved - at the moment people really don’t have a reason to enjoy the platform and probably don’t understand the concept of gamification either.
You have a great opportunity here. Happy to discuss more if you can provide a few more details about what you're trying to achieve and how often they're meant to use the platform etc. (e.g. HR or skills in general?)"
Q: Trying to get into InfoSec/Pentesting as someone with a military background:
A: "Look at eventually achieving your OSCP ( https://www.offensive-security.com/pwk-oscp/ ). Record and document your methodology as you get involved in Capture-The-Flag (CTF) competitions, as they simulate breaking into networks, websites, etc. You can do comps such as CSAW CTF or always-on 24/7 ones like picoCTF. These are proofing and allow you to think outside the box - speaking of box, check out HackTheBox and PentesterLab. I can guarantee you will not find a better training platform than PentesterLab. It is well worth the money. Given your background, you come in with some great strengths. Focus on Open-Source Intelligence (e.g. automating OSINT with Python course) and how that can aid your reconnaissance and enumeration skills. Finally, join a local hacking community, whether it be BSides conferences, OWASP or SecTalks meetups. You get awesome quality talks/lectures/CTFs/teammates for free while getting a radar ping for jobs out there. Record everything and blog about it if you can, to help keep you accountable.
Finally, don't be scared to go for pentesting interviews. You learn what's required/needed and they can help point you in the right direction. Buy NoStarchPress books on computer security/hacking and read them whenever you can. Good luck and hopefully see you at DEFCON or any other hacker con one day!"
That's it for today - next up, I'll cover my Black Friday InfoSec deals collection, what happened over the past two years, and publish any lingering 'drafts' never released.
Have an EPIC 2020 and Happy New Year!