Episode 17 - Starting a Cybersecurity Career plus Insight for Employers

The guys talk with Haidon Storro, who brings a different point of view to corporate cyber education. Haidon is an exceptionally motivated cybersecurity professional who recently graduated college and started her career. She shares her journey from finding a passion in technology, to getting educated and finding her first full-time role in the industry. It's a highly competitive market for recruiting cybersecurity professionals and Haidon’s insights are critical for employers to understand when trying to recruit junior team members.

episode today we have special guest Haidon Storro joining us, and we'll talk to her and hear about her progress in the cyber security industry, and we'll dive into a little bit about how we got to know Haidon and, and such here shortly. But Mike, before we do that, will you kick us off with the news?

Good day and welcome to the headline. "There's nothing we can do about this" file: Yandex suffers data breach after sysadmin sold access to user emails. Yeah, that's kind of your worst nightmare. Nothing we can do. No, it's just like, yeah. Okay, I just chose this one out because, hey, Valentine's Day was last week, but: pre-Valentine's Day malware attack mimics flower and lingerie stores. So be careful with what you bought. Ransom attackers set their sights on SaaS. SaaS is becoming a bigger and bigger attack platform, they're hitting it harder, so be careful, um, or ransomware. Security researchers discover help desk software vulnerability. Uh, this is in Deskpro, which is another, you know, remote access software solution for help desk, so if you're using it, make sure it's patched. It's a cross-site scripting issue. Apple patches severe macOS Big Sur data loss bug, so if you're on a Mac, make sure you're up to 11.3. Interesting article on this, I really recommend that you check out the link on our podcast, called "How one man silently infiltrated dozens of high-tech networks." Apparently there's some source code that's been published by a few vendors you might have heard of, Apple, Microsoft, Tesla, Uber, Yelp and others, um, that is customized internally and can be easily hacked, so be careful with that and check out that link. From the "really, isn't that you're bad enough already": more bosses are using software to monitor remote workers, and not everyone is happy about it. Um, not surprised. We've come a long way since mouse jiggle, um, but this is getting a little more sophisticated. RDP: the ransomware problem that won't go away. Yes, RDP is becoming more and more of an issue, attacks are becoming more and more of an issue. MassLogger swipes Microsoft Outlook group Google Chrome credentials. Hackers are now leveraging Microsoft Windows help files as an attack vector. Um, definitely an interesting attack story, definitely recommend you look at that. From Threatpost: details tied to Safari browser-based ScamClub campaign revealed. This is back on Big Sur 11.01, it affected Google and Safari, um, so recommend you upgrade if you can. Micros, Microsoft pulls Windows KB 4601 1392 for blocking security updates, and then had to pull another for blocking security updates, so that was KB5001079. So, um, good job, Microsoft. And finally, first malware designed for Apple M1 chip is now discovered in the wild. Apple's venturing into making their own chips and we've already got malware for it, so world is exciting. Hey Lauro, any, uh, anything you want to add?

Not as exciting as the new M1 chip malware. That's pretty cool.

Well, what can you say, it's evolution, right?

On the exploit front, not a lot to talk about, other than, you know, there's been some, some recent, you know, I guess zero-day bugs with IPv4, IPv6 and things like that. I haven't seen any exploits come across any of the main lines you don't have to, like, pay for to try and see if they work, so Exploit Database not reporting anything of that use, which is good.
And still patch those vulnerabilities, but there's no exploit capability that we're seeing today that's within at least the free range, right, unless you're developing yourself, which is a whole different topic. However, what is interesting is there's quite a few PHP-based web applications that have had exploits written for them in, in this last week, all of them geared towards online learning, which I thought was kind of interesting. So some of them are the Teachers Record Management System, it's got a SQL injection, uh, that someone wrote, again available from medically pro. There was a school of an attendance monitoring system, again, uh, cross-site scripting on that, and a stored cross-site scripting piece, so that you can, you know, consistently reflect. Um, School File Management System, um, another cross-site scripting on that. You know, interesting tasks for the teachers, uh, Teachers Task Management, and to sum it up, another one is, um, Online School Management System, uh, version one, and that's SQL injection too. So, um, it looks like, you know, there's like this online education platforms that, you know, companies are trying to write to help support this, so we're more remote learning capability that we, we need now we're in the pandemic, and obviously the hackers are taking advantage of that. So please, please, in, in, in the light of our kids, don't, don't speed to market this stuff. You know, make sure that you're doing your SDLC and checking for lost stuff, because SQL injection just shouldn't come up anymore. I mean, it's just, it's just really, it's just really negligent to build an online application that still has something like that. That's it for exploitation.
Zach, I'll turn it back over to you.

All right, thank you. Well, negligence is a, is a big problem and leads to a lot of breaches, so certainly out there. We've been talking in the Cyber Rants podcast quite a bit about building the team, finding team members, good people. Um, this is something our security services firm Silent Sector really prides itself on, quality over quantity, and just working with some outstanding individuals. In that, we also do some work with Grand Canyon University and help them as far as our security programmers, we were in touch with faculty, students, um, the cyber range that they have there, and it's really been, really been great to see that organization grow their security program. Um, and in doing so we met Haidon Storro, who's with us today, and, uh, met her as a, as a student, when she was a student there at GCU, and she really stood out from the crowd. You know, there are a lot of people that just go into cyber security because there are jobs available and there's demand for it, but she really, uh, truly has a passion and it showed, and so we, um, started working together, and Haidon helped tremendously. If you've read our book, you're, you'll see a mention of her in, in the first few pages of the book. Um, helped tremendously, uh, with research, she's done a lot of writing on blog posts and things for us, and really just true, uh, has a true passion for technology and cyber security. So we thought we'd bring Haidon on today and have her talk a little bit, for those people that are looking to get into the industry especially, and also for those people that are looking to employ cyber security professionals that are, that are newer to the field. Thought it'd be great to get Haidon's perspective on what all this looks like out there, you know, and because she comes at it from a different lens than we do. So thank you, Haidon, for joining us today. We really appreciate having you, and, um, as always, it's, it's just a pleasure to, uh, to work with you.

Thanks, Zach and Lauro and Mike, for having me. Um, certainly the honor is all mine. Like, I'm super stoked to, to speak and share a little bit of my perspective, and I guess we'll go with math to how I got to security.

Great, yeah, thank you. And speaking of which, do you mind sharing a bit about what made you decide to pursue cyber security as a career and how you got started in it?

Sure. So I kind of never, so I never, like, knew that I wanted to do cyber security. Um, I kind of got lucky where, like, senior year of high school was touring colleges, and GCU offered to buy people from my area, just like, like a thousand miles from Arizona, for free to the college, and that was kind of when I first heard of cyber security. Like, I was just kind of the typical, I guess, like, high school student, didn't really know, but knew that I needed to get a, get a degree, you know, get a job and whatever. But then when I was touring GCU they had, like, a, like a session on some of the degrees they offer, and I've always been good at technology, but, like, you know, just typical, like fixing a printer or helping my parents restart their, you know, Fire TV, like nothing actually super advanced. But anyways, touring it and hearing, like, how much, like, I guess opportunity but need there is for defenders, and I guess red team as well, and that kind of, like, sparked interest in me, and seeing that it was such a, like, like quick, fast-paced, you know, agile environment compared to, like, what I was thinking of. I was heading towards, like, pharmaceutical type stuff, and then I was like, like, screw that, like, that's boring, if I could do something that's, you know, like, really requires some critical thinking and it's always changing. And so that kind of, and then on top of that also the whole, um, doing something that's, like, meaningful. So, like, yeah, being an accountant, yeah, you're helping people, whatever, but, like, cyber security, you're really, like, there, you know, especially with IoT going out and 5G and all these, you know, buzzwords going, like, it's a real opportunity to, I guess, help humanity. So that's, that's kind of how. And then I guess I also had, so then after, okay, so I got back from the tour, came home, and I was like, told my parents, like, I know what I want to do now. And so then from there I just kind of, I got lucky when there was, um, an internship in my town. So it's like a smaller, it's not like tiny, but it's not really like a tech city, and that security internship was what really, like, solidified, like, okay, I want to do this for forever.
So that's kind of, that's how I got started.

What about school, Haidon? What, what would you say, um, as far as, as far as your learning and your course to get prepared for a job? I mean, did you think you got most of your knowledge in school, did, or were you doing a lot of work on the side as a hobbyist? Uh, tell us, tell us about that and kind of where you picked up your skills that you have today.

Sure. So I guess for any job you need to have, like, foundation, and so I came from, I was somewhat techie, that I knew a little bit about, you know, jailbreaking an iPod, like small stuff like that, but not any sort of enterprise or anything like that. And so I, at the internship, one of the things they told me, like, you should do is get your A+, which is like a basic IT fundamentals, how computers work, how, you know, traffic goes across the network, things like that. And so I guess a combination of school and then certificates, I got a few, and then the internship, they were honestly all really valuable. I guess school gave me the more textbook stuff, you know, how a server works, and, um, soft skills as well. We've learned, like, business stuff and how to get budgeting for projects, and I wish we had more technical, honestly, because, like, our ethical hacking class and stuff like that was very, very, like, very basic, but, um, enough to, like, I guess get, get me started, especially with cyber security being so new. I mean, kind of the guinea pigs in general at the school, so I didn't, I wasn't, like, disappointed, but the internship is kind of really where I learned most of my, I guess, knowledge, and because that's just, like, that's real world, that's the stuff that's happening every day. Um, so that, that gave me a lot of knowledge, and then just for fun on the side I did, I did some, like, hacking competitions, I guess you could say, at ASU, and, um, obviously online there's so many resources with YouTube, Udemy, so I kind of did, like, a combination of, like, everything you could do. And then, uh, another thing I got to do, which was really, like, also somehow I got lucky, is I got to go to Black Hat, which is like a cyber security office that's like the world's largest, where red team, blue team, purple team, grey team, any team, everyone just goes there, it's like, um, so I got to go to that and learn a ton. That was super, super eye opening, of, like, how all of the car hacking and just all these really, like, I realized how, like, everyone's so, so smart in this industry, so always, always dream to learn, but I guess those were the basics.

And tell us about, um, so you, you went through the internship, your school, you followed that path, and tell us a little bit, at least what you can say, about what you're, what you're doing now and what types of roles you picked up or what types of activities you picked up when you got into a full-time role.

So I got hired on as, like, the job title security analyst for the security operations center, and it, it's a lot of ticketing type work. So we'll get an alert that something has happened and then I'll go investigate it, and because I work at, like, an industrial control system company, they're very tight-knit on internet access, so lots of just people trying to get access to, because we block uncommon TLDs and block executables for everyone, like, it's just very, so a lot of, like, analysis, like, okay, is this site safe, or, you know, why do you need access to this site that is in, you know, Ukraine, I don't know if you need this for a small town company in Spokane. And a lot of telling people no, which is, and you get used to it, but as I do that, and then also I get to do some more, I get to read antivirus reports and examine our phishing inbox that we have, and that's kind of, and then also I'm doing things like cleaning up our Active Directory, we have a bunch of old shared accounts, stuff like that. Um, and then a lot of, I don't know if you guys have heard of Splunk, which I'm sure you probably have Splunk, but lots of Splunk stuff. They've, because I took a Splunk class online, it was free, and anyways, Splunk is really, like, not to nerd out, but the power of the data, and so with that, when we're a little bit, I guess, slower with our tickets, um, working on creating queries to identify, like, data exploration, creating queries to identify, um, like, anything you can think of you can probably do Splunk. So I guess that's kind of, kind of what I do. And then obviously I'm, we have a call, like a line that people can call if they have urgent requests, because we block, like, USBs, we block so much stuff that's, it's, I mean, it's strong, it's like, it's good from a security standpoint, but from a user standpoint it can get tedious to keep submitting tickets. But anyways, um, I also monitored the call line, so to answer a call, and that kind of helped me a lot with slowing down on my talking, because I talk kind of fast, and then also people skills, because some people are just really frustrated or things like that.

I've never actually heard of a frustrating computer.

Yeah, that's, that's so strange, it must be unique to your company. Yeah, it must be your computing.

It's always security, it's literally always security's fault. Anytime it's like, oh, we didn't do that, like, oh, security. So it's like a running joke now.

That, that's, that's always been the joke, the security is the problem. Yeah, oh, you're gonna get that for the next 30 years or so. Oh yeah, by the way, is it true that reading Cyber Rants is the equivalent of a four-year college degree?

Yes, yes, yes, it is. Yes, that is, you know, that's the quick way.

Shameless plug. Especially the part that you read, that you wrote.

So, you know, there's a lot, like, valuable information in Cyber Rants. Like, I'm not even, like, biased, I'm just saying, like, objectively speaking, it is a solid book.

Did you, did you give it to everybody you know for Christmas?

I gave it to my parents, and yeah, that was it, but I still have all the copies, so we'll see.

Hey, you gotta, you gotta make sure they're worthy, right? You can't just, you can't just, you know, Cyber Rants book giving out gun goes burr, you know, you gotta make sure you give them the right people, right? So very cool. So I, so that's all, that's awesome. And, and so let me ask you, now that you've, you've had a kind of an opportunity to, to, you know, be in an active team and, and kind of see the daily things what organizations, big mature organizations, right, I don't mean in size, I just mean in activities, right, the measures they go through to maintain regulation and compliance and, you know, the, all the stuff that has to happen on the back end, from the analysts looking at logs to the Splunk data, you know, aggregation and parsing and everything else that you want to do to get the data you need, where do you see yourself in, in the next 10 years and in cyber security? Do you still see yourself in cyber security in 10 years, and then where do you think you, you'd see yourself being? Have you, have you found a favorite spot yet that you got your eye on?

Yeah, kind of going off the internship again, um, I got to work under, you know, a great team, I still work with them, but at the time there was a threat hunter. Well, we, we, he left for a different company and they gave him more money, but anyways, he was a threat hunter, and, um, like, that really, the idea that you've already been compromised but trying to find, like, where's, what's, you know, what's hiding, kind of like the needle in the haystack. Um, so I would like to, you know, shift more from analysts to the hunter with time. Um, that's just, that's like, you know, a three to five year experience role at minimum, just because it requires, like, a very, uh, wealth of knowledge of enterprises and anywhere from network to, like, coding to, so you have to know kind of everything, but I kind of, I like that. And when I am, air quote, hunting, because sometimes my manager would be like, hey, do we have any telnet traffic from blank, and just, like, random things like that, or sometimes I have, like, HR investigations where they'll be like, was so-and-so on Facebook at this time, and things like that, but that's not really hunting. But the actual hunting that I do when I can is, it's very enjoyable and something that I would like to get more into and more advanced with my knowledge. If you want to stay in the cyber security industry, I kind of have started, kind of in the beginning mentioned that if I don't have a job I have to find a new one, but if the case that I can't work remote with my current company, I still want to work with either, like, some sort of energy company or utilities or power, so ICS, sticking with ICS, and, you know, not finance or education or health care or whatever. But that's, like, this is all, like, I want, it's not like, it might not happen, it might, but I would really like to stick with ICS for the rest of my life, or I guess working career.

Why is that? Is it just that type of interview that you like, or is it, the idea of, like, helping people. Like, sure, I'm not saving people's lives, but, you know, the electricity that the company I work for generates is doing that, and then it's, it's, I guess, a little bit more, I don't know, I don't say sophisticated is the word, but the idea that, okay, I'm not protecting from script kiddies or, you know, someone who's just trying to financially be motivated. Like, sure, we have money and, oops, customer records, whatever, but it's like, okay, we're responsible for the power grid, like, this is, and then also it's just fun, because we get to tour a lot of dams and do our, you know, access point scanning, and so a little bit of outdoorsy too, I suppose. Because, you know, the power, people always need power, so if something happens to the economy or something, I feel like that's a little bit more than if I were for a startup, or, not, not like Silent Sector, I'm seeing like a general, like, startup, like, oh, I have, you know, grab hub or something before that blew up, but so that's actually, I'd work for it too.

I think we know people that might be able to get you an interview. Yeah, my boss is a pretty cool guy, and I mean, word on the street is that you've got what it takes to work here, so.

And, and Haidon, what advice for, uh, we, we speak a lot, as you know, of course, in the book and in the podcast we speak a lot to those, um, security and IT team leaders both, and, and organizational leadership. Tell them a bit about what you are looking for when you're out starting your career, looking for jobs. What attracts you to an organization, and, and what would turn you away?

I think for me, uh, personally speaking, the biggest thing that I really look for, I guess, is culture. So I was willing to, the beginning when I was looking for a job, so I had a couple of offers, and the culture I work at is, like, I really do enjoy it, but it's not as much in common with my co-workers than at this other company that I was actually, like, they offered me the job, so I was like, okay, I would take a substantial pay cut but I would maybe more enjoy lunch breaks and, you know, I'd actually have something in common with my co-workers, versus the ones right now I have, like, they're great, a little older, but it's just kind of, there's not a lot you have in common, so it's like lunch is always awkward and things like that. But I guess the culture, and then number two I would say is, like, continued education, like, they support you and that they have a budget for training, especially with cyber security. Like, obviously every industry you need to train and continually train. If you're not staying up to date on trends, if you're not allocating enough time to, you know, read up on things, learn new tactics, um, or not tactics, but learn what, you know, TTPs are being utilized by the adversary, or if you're reading news from three years ago or, like, that's so irrelevant to what's gonna happen tomorrow, and being, you gotta stay, like, up to date. So I guess for me is, excuse me, culture, and then if they had a budget. Um, so the company I work at, they don't really, they don't really budget at all for training, so if you want to take a SANS class, which, you know, eight grand, that's a no, but they will sponsor you and, like, pay, but they'll reimburse you if you pass an exam. That means you're still putting away the time aside, buying the resources, paying for the exam, all the stuff. And then the other company interviewed at, they're like, oh yeah, we have a, hour per day or hour per week or something like that where, no, you know, if there's a study, or not just study, but they can read stuff or look at new threat feeds or anything like that. So I guess those are probably the two.

Well, what would you, what would you say, so looking back, and switching gears slightly, looking back on your path and getting started, now that you're, you're established and such and moving forward in your career, what advice would you give to other people that are really aspiring to make a career out of cyber security?

I would say, because I was, I feel like when I started I was a little bit more, like, timid, and kind of like, everyone, I think everyone in this industry is so smart, so I just get very intimidated. I'm like, I don't want to ask something that's stupid or, you know, but it's just like, you have to just ask, like, you know, and if, if you're not even sure if cyber security is right for you, like, they're just lean in, if you even have, you know, one percent interest in it, because there's so many avenues. You don't have to be a hacker, you don't even have to know anything about computers. Like, I literally knew nothing about computers, I mean, now I know a decent amount, but it, you know, there's so much that you can do with it. So I guess be curious and don't, like, don't be nervous, so don't, don't second-guess yourself, because if you have the question, like, I mean, it shows curiosity, it shows critical thinking if you ask it. But I guess that'd probably be my advice: don't be scared to put yourself out there and ask questions.

Thank you. Mike and Lauro, any final questions for Haidon?

No, I think, you know, not knowing about computers makes you, you know, a prime candidate for IT management.

I'm sorry, it's a little harsh.

Yeah, I was going to say that, that'd be perfect, that's a perfect one, especially the, the CSO role.

Sorry to a lot of the fans up there, we're just kidding with you. It's okay.

Yes, yes, we, we are here to poke fun, so forgive us. That's, that's the only reason I'm here, is for the clown show. So I, yeah, I didn't realize you didn't know that, sorry. I'm here for the sound effects. I didn't mention stupid questions, and I asked stupid questions all the time, so, um, I think, I think you never stop asking them, you know. But, uh, well, thank you so much, Haidon, I appreciate you joining us today, and it's just always, always great to, to work together on different projects and such. And so, and, uh, thank you, thank you to all the listeners. If you have any questions for Haidon or for us, um, please send them our way, and, uh, please, uh, please rate the podcast on your favorite podcast platform and, uh, let us know your comments. You know, we want to hear from you, we want to continue to make these better and, uh, invite more guests and, and, and help collaborate with more people in order to share this knowledge the world, because it's really, really is needed. We're all in, even though we have different niches in the industry that we take care of, different aspects, we're all in this together, really, against the fight against cyber crime. So we have a lot more to do, and, um, I'm, I think we're, we're headed in the right direction, but, um, a continuous battle to, uh, subdue cyber criminals over time. So thank you, everybody, and have a great rest of your day. Thanks.
