Walking The Walk

It’s great to see that the public CMD+CTRL Cyber Range events we deliver have such a positive effect. The feedback we have received has been great – people love learning how to hack in simulated, free-form environments. In some cases, the feedback we receive is so good that we need to share it with others.

As much as we love seeing the uptick in interest from these events, we continue to see untapped resources that the industry as a whole must continue to train up. One of the groups needing the most help is the hackers of tomorrow – young adults. Luckily we had a naturally curious and talented emerging hacker participate in our March Hackness Cyber Range event and provide great information on how she and her peers are helping advance the interest in a variety of STEAM-related activities.

BiaSciLab is a 12-year-old who enjoys a good challenge and recognizes the importance of educating middle school-age girls about computer security. To help answer the difficult questions about how to get started, BiaSciLab founded girlswhohack.com to share her passion for hacking with others. We hope BiaSciLab’s guidance helps grow hacking interest among the young adults in your life!

Why did you start girlswhohack.com?

BiaSciLab: I found a lot of girls want to get into computer security but don’t know where to start. The middle school age is important because that is where many girls decide whether or not to get into tech.

Have you participated in Capture the Flag (CTF) or Cyber Range events like March Hackness before?

BiaSciLab: CTFs are one of my favorite things! I have participated in Warl0ck gam3z and NeverLAN CTF at DEFCON. BSides Philadelphia has a great crypto CTF every year, and I frequently get a few flags with my local DEFCON group when they do online CTFs. HackTheBox.eu is a fantastic site with plenty of real-life challenges that are constantly updated so it never gets boring. This year I also built my own real-life small business network CTF for WOPR Summit. The challenge was for hackers to break into the network and exfiltrate the secret files.

How do you find out about the March Hackness and other events you participate in?

BiaSciLab: My local DEFCON group does a lot of CTFs, so I hear about them through them. I also keep an eye out for “kid-friendly” CTFs like the NeverLAN CTF.

Do you ever feel nervous or concerned about joining CTFs like March Hackness? What would you recommend to others who might feel nervous about a new experience like this?

BiaSciLab: When I first started doing CTFs I was a little nervous, but then I found out that they have similar structures and that made it easy. My goal is not to put any pressure on myself and to have fun. Just get at least one flag! For beginners, you can always ask for help or get a buddy to work through it with you.

What would you recommend to others who are interested in learning how to think like an attacker but don’t know where to start?

BiaSciLab: If you are just starting out in the hacker world, a great place to get your feet wet is with a local group like DEFCON or other security MeetUps. Conferences are an awesome place to learn as well because there are people who are willing to help you get started on your path and show you some of the ropes.

Outside of technology, what are the most interesting things you’ve learned in your STEAM adventures?

BiaSciLab: I enjoy biology and have found cells and all the tiny organisms to be really interesting. I am starting a project to discover new life forms in the river by my house. There are millions of life forms in a river, but only about 250,000 have been studied and cataloged.

What else would you like the world to know about learning through hacking?

BiaSciLab: Hacking is an important life skill because it teaches you to not only think outside the box but to smash it!

We hope BiaSciLab’s feedback will inspire other young adults…and adults alike who are interested in a variety of STEAM topics, including hacking and secure coding. If you’re interested in learning more about BiaSciLab or supporting Girls Who Hack, please visit BiaSciLab.com, GirlsWhoHack.com, @BiaSciLab, and @GirlsWhoHack.

Q: Tell us about yourself.

Joshua: Growing up in Ghana, there weren’t programs like this that were readily available. When the Covid-19 crisis happened, I became unemployed. I took the opportunity to start learning on a variety of subjects and found the Cyversity scholarship program. After speaking with my mentors, who I had met through social media platforms like LinkedIn, or in study groups, I decided to apply and see what happened! I say I was half-way through the “entry-level journey” when I found the scholarship program and took it by the horns. In the program, there were participants from 11 different countries represented and I was the only one from West Africa. In order to use the TV as my extended screen for my studies, I would wait until my family went to sleep at night. After the program, I landed a job as a Tier 1 SOC Analyst with Virtual InfoSec Africa. I have been accepted to Cybersecurity Master’s Degree program in the U.S. and will begin those studies soon.

Q: What led you to apply for the Google Red Team Scholarship?

Joshua: During the COVID-19 healthcare crisis, I took the opportunity to start self-directed learning. I registered for several ranges and began studying the field of cybersecurity. Shortly after, I came across Cyversity and their opportunity to learn from Google and Security Innovation in their Red Team program. My mentors encouraged me to go for it and it was one of the best decisions ever because I love my career!

Q: Where do you hope to be professionally in one year? Five years?

Joshua: Finished with my Master’s Degree, and working in a Blue Team role and helping people in my community who want a career in security. I plan to partner with Security Innovation to bring a program to my local community in Ghana, Africa which will raise security awareness and bring career development conversations to people who would otherwise never get that education and access. Many of my peers are struggling to get their first jobs in security, even through they have skills and training. I hope to see more opportunities for jobs for junior people. My long-term career goals involve finding a role that works on Threat Intel, Machine Learning, AI, and Threat Detection.

Q: What’s your favorite hacking accomplishment?

Joshua: I have been able to achieve Hall of Fame exploits with BugCrowd, ISC2, Ibotta, and Centrify. I also got my first role working in cybersecurity thanks in part to what I learned in this program, and so I consider that a big accomplishment.

Lindsey is an experienced Senior Quality Assurance Specialist at Imprivata with an interesting path to security.  She channeled her passion for sports into the classroom and then the business world to ensure the software that her company builds is reliable and secure.

Q: The technology field wasn’t on your radar early on, was it?

Lindsey:  No. For the first 14 years of my existence, honestly, I’d dreamed of playing professional baseball. Not only was I among the top pitchers in the league at the time, but I became the first female to hit an out-of-the-park home run (in the history of that field anyway.) But when in high school, coaches told me I’d have to start playing JV softball – as the catcher – I took my squelched spirit and started focusing my efforts inside the classroom.

Q: How did you get into technology and security?

Lindsey: My mom had been teaching high school math for decades and had recently taken on teaching a few programming classes. At first, I saw this as an opportunity to visit the computer lab for laid back study periods, but it quickly turned into piqued interest as I started to comprehend what the students were doing. One of them was even designing his own character sprites for an adventure game he’d been working on. I instantly knew that I had to learn more. In addition to signing up for the course on the spot, I spent more time with those classmates outside of school in an attempt to absorb all that I could – including how their scripts were being used in the wild… and by “the wild” I mean the machines on display in the local department stores’ computer sections. This was about when I first noticed that security was clearly necessary as well as severely overlooked.

So I took that intrigue, ran with it, and ended up studying Computer Science at WPI. Out of everything that I’d been taught, my main takeaway was that I didn’t want to be a developer. I wasn’t entirely sure what that meant I would end up doing, but for the time being, I started out in technical support for a functional testing and load testing tool suite. Soon after, the mountain of student loan debt made its way to me, which just resulted in taking on additional jobs – a few night shifts at a nearby Starbucks, along with weekends at a local gas station. I spent nearly every free moment I had working, and the rare waking moments that remained were spent playing World of Warcraft. I was living the dream, right?

The daily grind was unending and the toll it was taking on me was unsustainable, to the point where my real-life friends even took notice. That’s when we started talking about a trip to NYC for a hacker convention. The 5th HOPE took place in July of 2004, and while it was the first convention I’d ever attended, I knew the moment I arrived that it wouldn’t be the last. I came away from the long weekend feeling excited, but also a bit uneasy. I had just dived headfirst into this whole other world of information and danger that extended far beyond some school-aged kids running scripts on department store display PCs. When the opportunity arose to go back for The Last HOPE in 2008, I jumped on it, and came away feeling even more curious than before! The hackers I heard speak seemed to have such extensive collections of tools and skills in their various (and sometimes nefarious) tool belts, but I still had no idea where I came in or where I should start.

By then though, I’d made some professional headway as a manual quality engineer and was starting to become more family-focused in the off-hours. Between 2010 and 2016 I got married and had kids. This resulted in very little spare time (and very little energy) left to delve into personal interests, let alone professional development. It wasn’t until about a year ago that the stars aligned, and things started to change a bit.

Q: What got you interested in hands-on hacking? Were you intimidated?

Lindsey: I’d been working for Imprivata for a little over a year when a small group of us were invited to attend one of Security Innovation’s CMD+CTRL events downtown. I immediately volunteered as I presumed it would be a fun time, as well as a good learning experience. I performed adequately at best, but a tiny spark fired off in me anyway. Shortly after the event, I received an email stating that only 11% of the security workforce are women. My brain transported me back to high school baseball try-outs – I was already feeling inspired to pursue security, but for the sake of every girl who was told that the minor leagues were their ceiling, I felt it was my duty to bump this sad sorry percentage up some.

I made it my mission to attend more events like this. With Security Innovation’s and Imprivata’s powers combined, I got approval to attend Def Con 27 along with 14 other women. For 6 days in August, I immersed myself in as much security culture and healthcare-related content as was humanly possible. While hospitals and their data are often targets of attacks, I was pleased to learn that there’s a sort of “do no harm” code of conduct that most/some hackers adhere to. I came away from this convention with a renewed sense of purpose, along with a laundry list of terms to read up on and tools to learn. Since the convention, we’ve started taking proactive measures by assembling a security-focused team, which I’ve become a part of. Security Innovation opened its coursework to us to help in this endeavor, which has been incredibly helpful. Add to that, our QA group is partaking in a 10-week Python workshop, which I am sure will help me to absorb even more down the line.

Q: What is next for you in the security space?

Lindsey: While these seem like great places to start, my biggest struggle is with how incredibly vast the world of security is. Even if I were to complete all the coursework and master Python, I worry that it won’t be clear “what’s next” or what to do with what I’ve learned so far. I am confident though, that as I continue to learn, my professional curiosity and personal ambitions to break barriers will answer that question. With my enthusiasm for security always increasing, and with Imprivata’s continued support, I’m sure the answer will lead me to future conventions where I can learn about new technologies, along with their vulnerabilities, in order to fuel my growing interests and learn how best to apply them.

For years, we have been profiling experienced security practitioners as well as those still getting started. Our reasoning is simple – there is no one surefire way to gain the experience and knowledge necessary to thrive in the world of cybersecurity. Nearly everyone has a different path – some are PhDs while others barely made it out of high school. Some had deeply technical backgrounds while others stumbled into security out of pure curiosity. Even with the lack of a defined path, we’re hoping that these profiles help individuals figure out the best path for them.

Luckily, as we profile more people we start to see more trends emerging. Online resources like this community site and Hack The Box have been discussed as great places to learn. Attending events that have introductory courses and Capture the Flag (CTF) competitions helps to build skill sets. But one point that is common to almost everyone is becoming part of a community. Whether it’s a local OWASP chapter, DEF CON group, or virtual CTF teams, everyone we work with has found that being part of a community has been an invaluable experience.

Our team was lucky enough to see the early stages of an OWASP group resurrection when we hosted a CMD+CTRL Cyber Range event for OWASP Nashville. After months of effort, Mark Geeslin, Joel Tomassini and Casey Rosini have rebuilt a solid group fueled by the red hot tech community in Nashville. Among the participants in the group is Kevin Bailey (aka Frostedmonotony) who despite a lack of security experience finished in the top 5 of all participants at our event. We asked Kevin to provide some background and recommendations for others that may be interested in building up their security skillset.

Q:  How did you get interested in hacking?

Frostedmonotony: I started by breaking into my parents’ Windows 98 machine to play games after they had gone to bed, and it evolved into a hobby after watching the movie ‘Hackers’ in high school. I became a Student Webmaster for my high school’s website and would leave notes on the IT team’s computers telling them how I got in again. It is now quickly becoming a passion of mine.

Q: How long have you been coding? What interested you in learning to become a developer?

Frostedmonotony: My interest in becoming a developer came from wanting a career change out of the Auto Industry. I’ve always wanted to work with computers in any way possible. I learned Linux in high school, playing with Backtrack and Ubuntu from my personal laptop. I recently started Vanderbilt’s Coding Bootcamp and have learned HTML, CSS, Javascript(Front-end, Node.js, React, Mongo), and SQL.

Q: Can you tell us a little bit about Vanderbilt’s Coding Bootcamp?

Frostedmonotony: Vanderbilt’s Bootcamp Program has shown me how to understand a lot of new material quickly and use that material to build an ever-growing skill set. When the dust settles and it is finished, I will be a certified Full-stack Software Developer. This will enable me to build front end websites and applications as well as the backend database and server operations required to run the sites. After I am finished with this class, I will be pursuing my OSCP certification and then continue to expand my certification library. It is impossible to know how to do it too much!

Q:  How did you learn about the Cyber Range event at OWASP Nashville?

Frostedmonotony: Through my instructor at my Bootcamp, Brandon Evans. His coworker is the OWASP chapter president and my class was invited to join.

Q:  Did you feel nervous or concerned about participating in OWASP events like the Cyber Range? What would you recommend to others who might feel nervous about a new experience like this?

Frostedmonotony: I was very nervous about the competition in the beginning since many classmates, Security Mavens, Senior Engineers, and Team Leads were my competitors. Initially, I chose to team-up with a classmate and hit the ground running, but halfway through I was on my own. By the end of the competition, I achieved 4th out of 30 competitors. The competition was very intense but very exciting!

Q; What would you recommend to others who are interested in learning how to think like an attacker but don’t know where to start?

Frostedmonotony: To start thinking like a hacker, consider that everything might be a hidden doorway. Somewhere there is a backdoor in, you just have to find it! You need to know what you are getting into before you try and break it. ALWAYS DO YOUR RECONNAISSANCE!

Q: What else would you like the world to know about learning through hacking?

Frostedmonotony: In a world where everything is becoming computerized, everything is also becoming more vulnerable. The more information someone can find, the more dangerous they can become. Hacking is beneficial in showing where holes are so you can go in and patch the holes up to prevent future data loss.

Q: How did you get into security?

Elizabeth: I like to think that Security happened to me because I have always been science inclined. I wanted to study Engineering at the university but I was offered a cybersecurity program instead. It took a lot of research and convincing because it was the first time I had heard of “cybersecurity” – but I took the offer and since then it has been an interesting journey.

Q: What do you find most interesting about security?

Elizabeth: in cybersecurity, the mode of operation is not the same every day. There is always something new to consider.

Q: What do you find most challenging about security? How do you overcome it?

Elizabeth: the constant evolvement of technology contributes to how complex and dynamic the cybersecurity industry becomes. To overcome this, I try to stay current with developments in emerging technology, security threats, and solutions. Engaging and following up with global conversations is also another way to stay informed.

Q: It can be difficult to build up security skills. How did you learn/self -teach)

Elizabeth: for me, it was more of an on-the-job approach. I had learned some basic skills as an undergraduate in school but most of my major skills are from what I have learned on the job and in my personal development effort. You have to be dedicated to self-improvement to be relevant in this industry. Also, you can help your learning by finding a tribe or small community committed to helping its members develop relevant skills. Also, formal training can be expensive so you can take advantage of online free courses and pay for formal courses when you can afford one.

Q: What do you like most about CMD + CTRL cyber range?

Elizabeth: cyber ranges, CTFs, and other hands-on platforms are a good place to practice your skills and learn. You might never know how to respond to an incident until you are faced with one.  It also reveals areas where you need to improve your skills.

Q: What recommendations would you have for others that are interested in learning more about security and hacking?

Elizabeth: you have to be dedicated to your personal growth. In this industry, there is a lot of value and opportunity that the community gives you; find a community, leverage on the opportunities and contribute your quota to the community.  It’s important to believe in yourself and remember that whatever you set your heart to do is achievable.  Lastly, never be afraid to ask questions – nobody knows everything and we are all a work in progress.

Q: Other than CTFs and cyber ranges like CMD+CTRL, what tools or resources would you recommend to others looking to extend their skillsets?

Elizabeth:  Twitter is great but you have to know how to leverage it beyond just a social media platform. It gives you access to people. The InfoSec community on Twitter is a good place to meet and learn from people.  Also, cybersecurity blogs and forums like Peerlyst are fantastic.

It’s easy to forget that the backbone of securing systems is the hundreds of thousands of people working every day behind the scenes. The headlines typically focus on data dumps, compromised systems, rumors of government backdoors and other issues, but it’s becoming increasingly important to highlight the people who help prevent even more of these headlines!

During our recent Hack Through the Holidays event, we saw several skilled security testers (aka hackers) that outperformed all others. To help demystify what an ethical security tester looks like, and to encourage others to start exploring security careers and training, we’ve put the spotlight on these “good guys who hack” to help us all. Please share these with colleagues, friends, and students in your life who may be thinking about a career in security, but aren’t quite sure where to start!

Today, we are highlighting Andre Gott, a former programmer, and current, release manager who enjoys finding web vulnerabilities and telling others how to fix them. Andre scored a whopping 9,745 points during the CMD+CTRL Cyber Range event and solved 45 of 48 challenges before being pulled away for a vacation in England. Great job Andre!

Q:  How did you get into security testing?

Andre: I taught basic attacks such as SQL injection, working for a dominant static analysis vendor and am now performing security assessments and secure SDLC consulting full time with the Denim Group.

Q: What is the most interesting exploit, vulnerability, or finding that you’ve discovered (and are willing to share)?

Andre: I’ve found that using SQLmap makes Blind SQLi much more exploitable and ‘fun’.

Q:  It can be difficult to build up the knowledge and skills needed to become a good hacker. How did you learn these skills?

Andre: I regularly participate in various Security Innovation CMD+CTRL Cyber Range events. I also leverage the knowledge of co-workers and the LinkedIn community.

Note: We promise we didn’t nudge Andre to say this, but we’re excited our CMD+CTRL Cyber Range events leave such a good impression on him!

Q:  What recommendations would you have for others that are interested in learning more about security and hacking?

Andre: “Just Do It,” as the slogan goes. There are numerous deliberately vulnerable websites you can download and install for free (preferably on a VM!) and so many tutorials and videos to be found online.

Q:  Other than Cyber Ranges like CMD+CTRL, what tools would you recommend to others looking to extend their skillsets?

Andre: Start your education with Burp, Zap, SQLmap, and Shodan, but don’t stop there.

Q:  What were the main factors that drove you to become a top scorer in the CMD+CTRL Cyber Range?

Andre: Approach assessments with a quality engineering mentality. For example, don’t just test one or two pages for SQL injection, but test EVERY route. That means spidering and status accounting, to ensure all routes are found and tested, are even more important than ‘cool new exploits’. Remember that it only takes one missing annotation or configuration setting to bring down a production site.

Q: What other guidance do you have for anyone interested in building their hacking skills?

Andre: Don’t overlook BrightTalk, YouTube, and security blogs as a source of anything you might care to know.

The excitement in learning is critical for quickly adopting new skills.  As impressive as our CMD+CTRL Cyber Ranges are for accomplishing this, a primary contributor to success is the ability for participants to quickly learn and “do something”.  From the proctors to cheat sheets, our team provides everything needed for a quick ramp-up. However, it’s the willingness of participants to share,  demonstrate and educate peers about their findings that provides such an immersive and indulgent learning environment.

Sara has spent years expanding local High School software education with initiatives that have increased female enrollment rates, expanded extracurricular activities and developed new computer science curriculums. We spent some time with Sara who shared her story and recommendations on how others can educate themselves and others in computer science and cybersecurity.

Q: Tell us about yourself and how you got involved in educating others about Computer Science and Cybersecurity?

Sara: I started out as a Computer Science major when I was 17 as a college freshman, but changed my major after taking an uninspiring beginner’s course that was filled with flowcharts and very little excitement. I lacked resources and resiliency, which is why I think it is so important to serve as a mentor to youths from under-represented backgrounds.

For the past four years, I’ve been a High School Computer Science teacher leveraging the programming skills I honed while working towards a Master’s degree in Computational Linguistics. Teaching CS to high schoolers made me realize I wanted to go back and learn about software engineering, so I took academic leave to do just that. While on leave, I periodically return to the high school to tutor students in AP Computer Science or to lead fun programming/Arduino workshops after school.

Q: How have you built up your Cybersecurity skills over the years?

Sara: Being on academic leave has allowed me the time to explore internships in the industry. This past summer, I completed an internship with Qualcomm in San Diego, CA. During the internship, I was able to participate in my first Security Innovation competition using the Gold Standard Cyber Range with senior engineers and managers!

Perhaps the most helpful skill I had going in was my knowledge of SQL, which allowed me to uncover SQL Injection vulnerabilities. Beyond that, I’ve always been quite good at social engineering since I started using the Internet as a curious teen in the 90s. In fact, I met one of my best friends in high school because he got blamed for one of my hacks — whoops!

Q:  What resources would you recommend to others interested in growing their security skills?

Sara: The best way to pick up new skills is to learn from others who know things that you don’t! I learned a lot at my first SI Cyber Range competition at Qualcomm, which I was then able to apply in Hack Through the Holidays with InstaFriends. And of course, check out OWASP for a variety of tools, education, events, and meetups!

Q:  There are a ton of places to learn from others – what do you attend or recommend?

Sara: I enjoy the inclusivity of the ACM Richard Tapia Celebration of Diversity in Computing Conference and hope to one day attend Grace Hopper and DEFCON. Groups I currently participate in include Women in Computing (WIC), NCWIT, and Women Who Code.

Q: What advice would you give to other professionals who want to help others build their skills?

Sara: Volunteer as a mentor at hackathons or, if participating in an event, group up with people with mixed skill levels so you can serve as a mentor to beginners. Make sure to understand that being a mentor doesn’t necessarily mean being the leader or boss.

I also volunteer to lead a workshop at a local high school, especially in areas with students from backgrounds that are typically underrepresented in tech. There are also organizations such as Microsoft Philanthropies’ TEALS, through which industry professionals can mentor high school computers, science students. Many of these events and organizations can be easily followed on Meetup and LinkedIn.

Our team and many others encourage people to follow Sara’s path and help expand computer science education to larger and younger groups of people.

One of the biggest challenges facing the security industry today is the lack of skilled people. No matter how many firewalls are stood up, scans are run, or courses attended, almost all security efforts require highly trained practitioners. Whether it’s penetration testers, developers, hiring managers or release engineers, there are thousands of unfilled roles waiting for the right hires.

Unfortunately, not enough of those people exist. The need for talent has far outgrown the supply, leading to the natural emergence of new training mechanisms. We strongly believe that there is a huge community of smart, curious and driven talent that just hasn’t had a chance to learn! That’s why we run free public CMD+CTRL Cyber Range events to help those with an interest in hacking build a skill set for it.

Today’s profile is especially exciting because it highlights how an engineer with minimal security background can quickly unlock their hidden talent. Brandon Evans is a Senior Software Engineer at Asurion who attended our Capture The Flag event at AppSec California. To everyone’s surprise, including Brandon, he ended up winning the Gold Standard challenge, quickly mastering the skills needed to exploit a variety of vulnerabilities including XSS, SQL Injection and CSRF, while also being particularly adept at crafting phishing attacks. Brandon is the type of emerging security champion we like to see!

Q: What is your day job?

Brandon: I am a Senior Software Engineer at Asurion. I work on our Tech Expert service, which offers personalized help, guidance, and tips across all of the customer’s connected devices. Currently, I lead the team that powers the payment system for the Anywhere Expert platform.

Q:  Had you ever participated in CTF or Cyber Range events before?

Brandon: I didn’t even know what a CTF was! I knew that it had something to do with hacking, but beyond causing some mischief as a teenager, I didn’t have any practical experience in the field.

Q: Did you feel nervous or concerned about joining the CTF? If so, what would you recommend to others who may feel the same way?

Brandon: Absolutely! When I talked about it with my team, I learned that Asurion holds an internal Capture the Flag event annually. Apparently, one of my coworkers managed to win the last one despite never participating in such an event. This inspired me to give it a shot. To other CTF newbies, I say you should just go for it! Penetration testing is all about experimentation. You’ll try doing something that no normal user would think of, find a way to take advantage of the result, use that exploit to get further into the system, and repeat. Unlike in a production system, you won’t get caught and booted off the network, so never be afraid to try anything.

Q: What did you enjoy most about the CMD+CTRL Cyber Range?

Brandon: I loved how interactive the system was. When you find an exploit, you immediately get a pop-up that tells you how many points you’ve earned. It feels a lot like a video game. Very addicting.

Q: What would you recommend to others who are interested in thinking like an attacker but don’t know where to start?

Brandon: At Asurion, our customers and partners have entrusted us with protecting their data, and we take this very seriously. As such, the engineers play the role of defenders, creating new features and products while employing best practices to minimize our associated risks. To think like an attacker, I simply need to imagine myself being on the other side of the battlefield. What mistakes would the engineer most likely make? Which parts of the system would have received the most care and attention for its design? What user activity would tip off the engineer that I’ve penetrated the system? Learning how to think like a defender will inform you how to think like an attacker and vice-versa.

Q. Was the technology/security field on your radar early on?
At a young age, I always wondered if there was someone (perhaps a tiny alien) inside computers that made them so smart and quick. Now, I look back and laugh at my imagination as a young child. That enthusiasm let me pursue a degree in Software Information Technology.

Q. How did you get into it?
I began my IT career as an IT Support and Network Analyst, and eventually as a Network Security Analyst which became the start to my career in Security. I was introduced to Security in 2013 by my mentor from ISACA under their Young Professionals program. My mentor introduced the basic concepts of Security and inspired me to explore it as a profession. I was encouraged to read security blogs like Krebsonsecurity, which would get me familiar with Security trends, incidence as well as possible career prospects.

Q. What do you find most interesting about it?
The fact that is always something new to learn and discover every day. And my curiosity is piqued when it comes time to delve deeper into security issues.

Q. What do you find most challenging about security? How do you overcome it?
The constant pursuit to keep up with the changes in the Cyber Security industry can be a challenge. Sometimes, you learn something new today and might never get the chance to use it as you may have to move onto learning an entirely new concept or tool. To overcome this, I stay in touch with industry trends through webinars, newsletters, and conferences.

Q. It can be difficult to build up security skills and confidence. How did you learn/self-teach?
Having my background in IT has certainly helped me in building my Security skills, nonetheless, there are some concepts that are still new and require extra effort on my part. My desire to learn and develop has helped me over the years. When I come across a new concept, I research more about it, and depending on how intense it may be, I take up courses online or attend workshops. Also, my home lab is where I get to break and fix things, this way I build my knowledge.

Q. What do you like most about CTFs or CMD+CTRL cyber range (if applicable)?
The CMD+CTRL cyber range was eye-opening into the world of CTFs, I was able to have fun while learning. I liked that it was interactive and educative, there was at least one Security concept to test for every challenge. For the CMD+CTRL cyber range, the preparatory session, support from the team, and being able to ask for help on the Slack group was a plus. Generally, CTFs are great for testing knowledge and revealing areas where you need to improve, which is great.

Q. What recommendations would you have for others that are interested in learning more about security?
Professional networking, self-development, and volunteering. Joining security groups and organizations will keep you informed about events, training and workshops, and technologies. Research on topics that interest you, reach out to others in the field for advice, seek out mentors, join local groups, and learn from online resources. Being informed will also aid in finding your niche as you grow in Security. It is also important to explore and try things out on your own. Self-learning does payout in this field. And always believe in your self, we can do whatever we set our minds out to accomplish.

Entering the world of cybersecurity can be a process that has many more questions than answers, particularly if you don’t have a community to help you along the way. Finding the resources, guidance, and time to jump into a challenging field can intimidate many and often discourages talented minds from fully exploring their capabilities.

While many new cybersecurity learners know they’ll be challenged by technologies, tools, and ways of thinking, they often don’t realize the amount of perseverance required to be successful. Put another way, if you want to become a hacker, get ready to bang your head against many proverbial walls before finding that one little hint, clue or error that will lead you to an ever so satisfying exploit.

Much like learning a trade, learning to hack is best done with an open mind, positive attitude, approach, and acknowledgment that the challenges presented can be overcome. This approach to learning is why our team was so excited to discover a blog post written by Drew Wade. Drew is a former Academic Anthropologist making a mid-life career change to cybersecurity. In his blog Drew shared his methodologies in exploring Security Innovation’s Shadow Bank and Instafriends Cyber Ranges, tools he used, lessons he learned, successes, failures and final results – not bad for a post of under 1,000 words!

Drew was kind enough to answer more questions for our team in hopes of helping others interested in a cybersecurity career. Take some time to read Drew’s suggestions then sign up for our Attack in Autumn competition.

Q: What names and handles do you normally go by?

Drew: My name is Drew Wade. I usually participate in CTFs as Whiskey++.

SI: Tell us about yourself and how you became interested in cybersecurity.

Drew: I began my career in Academic Anthropology where I would CT scan mummies and develop forensic identification techniques. I’ve always had a technical inclination so I enrolled at Mohawk College’s Network Engineering and Security Analysis program where I have also helped start Mohawk – the Mohawk Cybersecurity Club.

During a career panel at last year’s SecTor conference, the presenters explained that participating in CTFs was beneficial for a few reasons – it demonstrates involvement in the security community, built offensive security skills, and showed employers you were truly interested in cybersecurity. It doesn’t hurt that they’re a lot of fun too! Since then we’ve started bringing CTFs and wargame challenges to the club on a regular basis. I also started attending security community events like TASK and OWASP Toronto, which is how I found out about Security Innovation’s Cyber Range events.

Q: How have Cyber Ranges and CTFs played a role in your cybersecurity education?

Drew: Despite the time required at Mohawk and my associated co-op I have managed to participate in over a dozen CTFs and hackathons. I do my best to blog about my experiences to help others learn – you can find my CTF and hackathon writeups here. Many of the CTFs I participate in are found through CTF Time, but others like March Hackness are found during OWASP events.

This summer I also had the great pleasure of volunteering with the Canadian Collegiate Cybersecurity Exercise where a mix of student blue teams, industry red teams, and business white teams train together in a well organized and realistic way. I look forward to Mohawk participating next year!

Q: Your blog does a great job describing your methodology, successes and dead ends. What helps you dig deeper for issues even if you’re not sure you’re on the right track?

Drew: I’m really curious and there to learn as much as possible. I keep asking “What if?” and looking for resources, hints, tips or indicators that give me a new lead to chase. My go-to resource is Google for all variety of searching and learning, but I generally stay away from other people’s write-ups so I can get the full learning experience.

I’ll stick with a line of inquiry as long as I’m still finding resources or signs that might lead to a solution. There are times I give up on a line of inquiry because it’s beyond my understanding or is frustrating, but I always try to go back to those unexplored avenues. Occasionally I’ll even go back to a particularly interesting challenge after a CTF is over just to see if I can solve it.

Q: What are your goals when participating in Cyber Range events or CTFs?

Drew: I don’t go into the events expecting to win, I go into them expecting to learn and have fun. The worst-case scenario is that I only learn one thing while trying to understand the site. Even if that one thing is identifying a new area where I need to learn more then it makes my effort worthwhile.

As it was, March Hackness allowed me to learn quite a bit. I got the chance to practice some skills I learned previously and also explore the site architecture. I also got a glimpse of things I didn’t know, and still don’t know how to exploit, but those just give me an idea of where I need to learn and explore in the future.

Q: What would you recommend to others new to cybersecurity and figuring out where to start?

Drew: CTFs and Cyber Ranges are a great entry point, but there is a wide range of difficulty levels. Start at one that’s aimed at education and training rather than competition, even if they’re aimed at middle or high school students and require you to ditch your ego!

I also like wargame sites like CTFLearn, CyberTalents, and OverTheWire. They have a variety of difficulty levels that allow you to build your skills and gain experience. If you decide you want to learn more about a particular type of challenge then there are topic-specific sites focused on reverse engineering (crackmes.one), mobile security (MOBISEC) and network attacks (Hack The Box).

Q: What else would you like the world to know about learning through hacking?

Drew: Learning through hacking is how most day-to-day problems are tackled and how most professionals learn on an ongoing basis. Whether through malice or ignorance, people are constantly breaking, misusing and poking holes in the systems we work hard to secure. A hands-on approach to learning allows security professionals to better understand and fix those issues now while also designing better solutions in the future. Remember, these are not issues that people or businesses plan out in advance – they are problems and solutions that pop up along the way and require immediate solutions.

Also remember that individual CTF challenges aren’t always necessarily realistic or common, but do provide you with interesting technical problems that can be overcome by understanding the underlying issue and attempting possible solutions – the same creative process as solving those day-to-day problems. Luckily Cyber Ranges and CTFs provide the opportunity to learn and apply your skills while allowing you to risk nothing during the learning process.

Q: Tell us about yourself.

Thelma: From my humble beginnings in the dusty streets of Glen View, Harare, Zimbabwe, I have always strived to learn something new and share my experiences with other people. Following the untimely death of my father, I appreciate the challenges faced by the African girl child and I hope to inspire young African girls and boys through my accomplishments. I love traveling and I was privileged enough to be able to visit England, Botswana, and Wales, as well as live in South Africa for four years. While here in the US, I have managed to travel to over 30 states and loved the opportunity of learning different routines, traditions, and culture as well as interacting with experts in information technology and business which enabled me to grow as an individual. Residing in a different culture benefited my perspective on looking at the world with different lenses from a place of understanding with less misconceptions because of our uniqueness.

Q: What led you to apply for the Google Red Team Scholarship?

Thelma: The continuous cyberattacks and shortage of cybersecurity experts in mitigating the associated risks led me to apply. Moreover, I came to understand the importance of carefully studying the business aspect of the cybersecurity market. I wanted to ensure successful implementations of cybersecurity awareness, products, and services proposed to the management level.

Q: Where do you hope to be professionally in one year? Five years?

Thelma: In five years, I plan to be back in my home country of Zimbabwe and a pioneer in cybersecurity. My vision is to up- skill the cybersecurity educational system there. The uptake of mobile technologies and electronic business transactions present immense opportunities for cybersecurity because of the inherent risks of these technologies. Towards this, my one year goal is starting a blog and other related social media accounts with the mission to bridge the gap between people and cybersecurity, especially, young African children, by demystifying cybersecurity through my foundation, CyPeeps.

Q: What’s your favorite hacking accomplishment?

Thelma: My best friend and I were the 2020 Capture the Flag Hacking Competition Winners at Blacks in Cybersecurity Winter Conference. This was our first attempt and to my amazement we won the competition!

It’s no surprise there is a massive cybersecurity skills gap that has left technical teams searching for any experienced talent they can find. Unfortunately, many curious minds trying to break into the field are often surprised by the shortage of training programs and junior level opportunities that could help close the skills gap in the long term. For example, a recent survey identified that 81% of ethical hackers are self-taught – a staggering number that shows the relative lack of formal educational opportunities available to future talent.

This reliance on self-taught talent also highlights the difficulties faced by educating the cybersecurity workforce as a whole. Without clear guidance, freely available resources, and solid communities, the cybersecurity field loses swaths of potential team members well before they even explore their abilities. While the highly motivated top-minds still make the cut, those that could thrive with just a bit of guidance fall through the cracks at an alarming rate.

Communities like OWASP and ISSA have done an outstanding job of grassroots education however, they can still only solve a fraction of the problem. There is still a significant need for groups that will help train and encourage the next generation of cybersecurity minds.

Naturally, the Security Innovation team is always thrilled to discover organizations that are driving cybersecurity education forward. One such group is The Undercroft in Tampa, Florida, which has resurrected the structure of Medieval guilds to foster the growth of talent. We have been so impressed by their first year’s progress that we sat down with Creative Director Chris Machowski and asked for his guidance for others trying to address this skills gap.

Q: Can you tell us a little bit about the Undercroft, why it was launched, and who it aims to serve?

Chris: The Undercroft is a cybersecurity guild, development center, and incubator for growing InfoSec companies in both Tampa Bay and nationally. We launched in late 2018 as a place where individuals could work, collaborate and grow as security practitioners. In just over a year our guild has become known as a spot that serves all aspects of our industry – from the student looking for practical experience to SMEs giving back to the community by guiding and mentoring the next generation of cyber talent. We also help traditionally underserved communities including encouraging children to consider cybersecurity as a viable career path and guiding small business owners on how to keep their business and information safe.

Q: How did you find out about Security Innovation’s Cyber Ranges?

Chris: Two of our Guild Masters head up the Tampa chapter of OWASP. They were looking for a space to host a Security Innovation meetup to help train their community using the Shadow Bank Cyber Range. Naturally, we were happy to open our space to them and the event was a huge success. Our members could not stop talking about it and asking when the next one was going to happen. Cyber Ranges are an excellent way to bring people together, develop skills, and build teamwork. We were so impressed by the event that we even created a recap video!

Q: How has your community received live events like the Cyber Range at The Undercroft?

Chris: Live events have been one of our biggest draws. Whether it’s an hour training session or a 72 hour CTF it’s not a problem – our open team areas and individual workspaces meet all of our community needs. And since we have full control of the space there is no fear of tech issues or being kicked out mid-event. The Tampa Cybersecurity community is thirsty for more live events and we want to be the ones who can deliver them.

Q: What would you recommend to those who are interested in learning how to think like an attacker but don’t know where to start?

Chris: The best way to start is to immerse yourself in the community where success can help breed more success. If you interact with people who have deep knowledge and experience you are going to absorb more information and learn much faster. Organizations and guilds like The Undercroft are the perfect places – the Cybersecurity community has a reputation for being intimidating, but our dynamic and diverse membership helps to avoid that dynamic and embrace new members.

Q: How do you help ease the nervousness or uncertainty that may come with being a first-timer at a cybersecurity event?

Chris: First, remember that you are exactly what the industry needs right now – fresh ideas, new perspectives, and more diversity. The best thing you can do is take the risk of putting yourself out there. If you make it known that this is your first event, you will be pleasantly surprised at the warm welcome and guidance that you receive.

Also, the outside perception of the cybersecurity community can be a cold one, and it can be very uncomfortable being the new person. If you can remember the common theme we all have is to make the future as secure as possible, then you’ll find the community quite welcoming.

We hope the guidance provided by The Undercroft team helps others organize groups, host events and build guilds to grow their local cybersecurity talent base.