Today’s interview is with aspiring penetration tester Mark Shrout. Practically a life-long metro-DC resident, Mark has served in various DoD network analysts positions and is is currently the primary engineering for several clients. In his free time he’s studying pen testing and contemplating some good relevant certs to tackle.
As usually we would like to give a big shout-out to Andrew “@andrewsmhay” Hay, who started this whole Information Security D-List Interview idea. Similar to how we created the NovaInfosec Twits concept based on the popular Security Twits lists, we decided to bring this interview format to our blog but just focused on people that live, work, or play in NoVA, DC, and MD. The whole idea is to help the local infosec community get to know one another a little bit better. Finally, if you’d like to nominate someone for a NovaInfosec D-List Interview, please Contact Us and let us know why they should be featured.
And without further ado, here’s the interview…
Q1: How did you get started in infosec and end up in the metro-DC area?
A: Perhaps I’ve always been a bit of a “hacker,” taking things apart when I was younger to figure out how they work, and putting them back together again (not always successfully). I worked for several years at various companies doing desktop support, but then a good friend of mine told me about the web series Hak.5, and I was hooked. I watched every episode and began following guys like Darren Kitchen (@hak5darren) and Rob Fuller (@mubix) on twitter, which led me to discover the entire network of security professionals that use twitter.
From there I began finding local group meetings like NoVAHackers and CapSecDC, and even attended my first security conference by flying to Vegas for Defcon with a few friends (yeah, Defcon was my first). While working in a network analyst position as a DoD contractor I did self-study and passed the Security+ certification to give me a better baseline of security knowledge.
My current position is still not a completely “security” position, but being the primary engineer for most of the clients I support, I have the opportunity to put my security knowledge to good use and help them better protect their environments.
As for being in the DC Metro area… Well, I lived most of my life in north-eastern Maryland, since I was 5 years old. During the course of my collegiate “career,” I moved around a bit and eventually landed myself in Montgomery County, largely due to the expansive job market provided by DC/NoVA area, but a pretty girl had something to do with that too. These days I live in Germantown, though most of my client work is in downtown DC. Not a fun commute, but not the worst I’ve ever had.
Q2: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?
A: As for formal college education, I have a Bachelors of Science in Information Technology. Unfortunately for me, all these infosec/cybersec focused degree programs were only just beginning to crop up as I was finishing my degree. The degree helped me get started in IT which has since led me to the security path.
Also, as I stated in the previous answer, I took the Security+ certification using only self-study materials, to gain a good baseline of knowledge. I found it to be very easy certification. Beyond that, I regularly attend local group meetings and study what I can in my free time. I recently took on the task of learning penetration testing skills, setting up my own VM lab on my slightly dated ASUS laptop. I had a very nice kick-start to Metasploit, by way of a brief tutoring session with Georgia Weidman.
All this has added value to my career, because it’s allowed me to use this knowledge to better assist my clients and to expand my duties within my current position.
Q3: What advice would you give to people who want to start an infosec career in the local area?
A: Reach out to the local community, there are so many groups/spaces around here you have no excuse for not being able to find something that fits for you. There are the groups that have talks such as NoVAHackers or OWASP (DC or NOVA chapters) or groups like CapSecDC which is an informal bar meetup. I have to admit I haven’t visited all the spaces, but look into them. To name a few, there’s HacDC, ReverseSpace, Unallocated Space and there’s probably more that I’m not remembering or don’t even know about.
Get study material for the Security+ exam and use that as I did to gain a good baseline of information. It’s not a cert that’s going to get you a new position tomorrow, but it’s a good starting point if your just beginning to learn security.
Find something that really grabs your interest and spend your free time researching more about it. Put that knowledge into a presentation and come out to NoVAHackers and present to the group what you’re working on. We have a great community here in DC/NOVA, most everyone I’ve met is willing to answer questions and pass along their knowledge.
Q4: What was your favorite local infosec assignment (and why)?
A: I don’t know if I have a real good answer to this question, but the most fun thing I’ve done recently was participating on the Red Team at the MidAtlantic CCDC. It was a great amount of fun getting to work with and watch the other, much more skilled team members in action. I definitely would like to do this again, but found out quickly during the event, that I still have A LOT more to learn.
Q5: There are a lot of metro-DC infosec meetups and conferences. Which ones do you recommend attending (and why)?
A: I highly recommend the NoVAHackers group. Their format for talks and requirement/encouragement to present to the group creates a great environment for friendly, open exchange of information and new ideas. The OWASP chapters NoVA and DC also have regular meetings with good speakers on a variety of topics. There is also the bar meetup group CapSecDC, a once a month informal gathering of professionals for having a drink or two and some good conversation. Ultimately the best site to find what’s going on is right on NovaInfosecPortal’s calendar which is regularly updated with new events in the area.
I also have to mention Shmoocon as a great local conference in DC. However, because of the very limited available tickets, you have to be ready for a battle on ticket sale days; though it’s usually only a matter of seconds before their sold out each round.
Q6: What are your favorite locally based infosec resources (e.g., blogs, podcasts, email lists, IRC channels, forums, and social network lists/groups/fan pages) (and why)?
A: Well, most of the blogs and podcasts I read and listen to are not particularly from this area. I haven’t been as diligent lately about keeping up with the resources I used to, but a couple of the podcasts that I’ve regularly listened to include Security Justice, Exotic Liability, and Social-Engineering.org podcast.
I can’t seem to stop mentioning NoVAHackers in almost every answer, but “if the shoe fits…” right? So yeah, their mailing list is an excellent resource for a wide variety of information. Ask questions, share new information on projects you’re working on, or read about what others are working on.
Q7: If you had advice to give to the federal government and their contractors to improve “cybersecurity,” what would it be (and why)?
- The newest, shiny appliance/software will not fix all your security problems.
- Think above and beyond basic compliance and standards.
- Don’t make user education so boring, find ways to make it interesting and engaging, such as an interactive meeting with a guest speaker from the security community.
Q8: What projects (if any) are you working on right now?
A: I’m not actually working on any particular projects at the moment. Most of what little free time I have is spent working on expanding my penetration testing skills and trying to decide what, if any, certifications to work towards. I’ve heard a lot of good things about OSCP, so have very much been considering taking that training and certification, and of course there’s also the CISSP. Granted I don’t really expect to learn a whole lot from the CISSP, but it is certainly known to open doors, especially if I wanted to work in the government sector.
Q9: Is there anything else you would like to let your fellow infosec pros know?
A: The only thing I’d say to infosec pros out there is: Keep passing on what you know, and give a helping hand to those getting started in the industry. We all have to start somewhere and the better mentoring the newcomers get the better we can improve the industry as a whole.
Q10: How can people get a hold of you (e.g. blog, twitter, etc.)?
Again, if you’d like to nominate someone for a NovaInfosec D-List Interview, please Contact Us and let us know why they should be featured. See ya!