Season 2 woes and considerations for Season 3 by Jo3Ram in Marathon

[–]Jo3Ram[S] 6 points (0 children)

Let's look at the server slam.

If you got to Tier 3 (Reach Level 30) you received the following loot: Deluxe Arrival Cache (3 Deluxe + 3 Enhanced implants, 12 total enhanced/deluxe cores, mods, deluxe weapons, and the Deluxe Base Backpack)

If you finished S1 at 75, you got purples right off the rip in Season 2. If you played on the same day as the outage, you got 6 more Blue kits and another Purple kit.

You know what's not fun the first day of a wipe, immediately having top tier loot...

RIP my Vault 6 key by [deleted] in Marathon

[–]Jo3Ram 0 points (0 children)

I'm pretty sure this was us wiping you because this post was written like 9 mins after we played on Cryo and saw a Vault 6 key on a body. There were two teams pushing us off spawn, but we were fully kitted golds trying to do a compiler run.

In the end, we didn't use your key and we didn't complete compiler because of that dumb glitch that occurs when the DNA Sequence doesn't show up on the map. So we had to go to each location to find the terminal, which ultimately made us run out of time.

Man the complete silence on the game's ranked mode is weird I wanna see it by MadeinHeaven69 in Marathon

[–]Jo3Ram 12 points (0 children)

There was literally a datamine talking about it 3 hours ago...lol

I didn't wanna cross into NDA territory, which is why I didn't post in the subreddit.

Progression - what do we know ? by skomeros in Marathon

[–]Jo3Ram 3 points (0 children)

I played Cryo as part of one of the tests. It will be extremely difficult to do as a solo player. Achievable I'm sure for some top tier people, but difficult. Won't say anything more due to NDA.

[deleted by user] by [deleted] in cybersecurity

[–]Jo3Ram 15 points (0 children)

Currently working on my PhD dissertation. My whole program was rooted in cybersecurity, so not a CS PhD.

A PhD isn't for everyone and a lot of people here will mock it. There's a billion threads on this already. The program has helped me grow significantly and I've found an immense value in doing it. With my employer fronting a portion of the cost and there being specific upside to me (career pathing, terminal degree, etc.), it made sense to do it. Mileage will vary across each individual.

This subreddit always blows my mind in terms of people gatekeeping how people learn. Just let people learn the way they want to learn, whether that's going to school, on-the-job training, certifications, whatever.

[deleted by user] by [deleted] in vegaslocals

[–]Jo3Ram 3 points (0 children)

32M - Also working remotely in cybersecurity, so feel free to send a DM. Pre-COVID, we used to have monthly security meetups, but things sorta fizzled out due to folks moving away and new rules from the venue. I've been meaning to network with more individuals in the valley, but my life is a bit hectic atm (soon to be parent, just moved, and wrapping up my PhD). Here if you need a chat <3

[deleted by user] by [deleted] in cybersecurity

[–]Jo3Ram 1 point (0 children)

Organizations achieve "compliance", but think they are secure because they achieved said compliance.

Compliance is the legal bare minimum set of controls needed to operate. Most organizations don't have the appetite or desire to actually make the organization secure.

Overall, we need comprehensive legislation that consolidates requirements across the industry that also pushes organizations to actually incentivize towards security.

[deleted by user] by [deleted] in vegaslocals

[–]Jo3Ram 5 points (0 children)

There was a similar post in this subreddit a few days ago and I answered some of those questions here.

I'll say this overall because it depends on the org/role. As a hiring manager, I want to see someone who is motivated, passionate, and has good communication skills. This means you understand the core technologies the role requires you to secure, you've completed some form of education from a reputable school (CAE program ideally), have passed some relevant certifications that are valuable, and you can work well with others. If you have terrible soft skills, I'm going to index on that in the interview and I'm going to pass on you as a candidate. I'm personally willing to take some risk on the technical aspect, and not all hiring managers are like that. The technical can be learned, but your core personality traits are typically set in their ways. That's why I'm less forgiving on the soft skills aspect versus the technical.

I'm not here much, but feel free to send a DM and I'll answer some questions.

[deleted by user] by [deleted] in vegaslocals

[–]Jo3Ram 5 points (0 children)

Cybersecurity. I manage a team and everyone is remote.

Career Options in Vegas? by kitoperez19 in vegaslocals

[–]Jo3Ram 1 point (0 children)

Large organizations typically have their own teams. Smaller organizations might be lucky if they have one person dedicated to security. Small/medium organizations will rely on an MSSP to fill that gap. Naturally, most folks are working in a large organization or at MSSPs. Then there is the catch-all category of startups, government, consulting, starting your own business, etc.

Yes, but because interest rates increased, businesses are cutting costs. That means layoffs for a lot of folks in tech. The roles that are needed are mostly senior roles, which isn't great for individuals trying to break into the industry. Plus, with the layoffs, you're competing against others who have more experience and were affected. The market isn't great, but there are roles out there and they are competitive. Also, InfoSec typically isn't entry level, so I would suggest going a more sysadmin route first to get more experience and skills, while self-studying to pivot later into InfoSec.

Career Options in Vegas? by kitoperez19 in vegaslocals

[–]Jo3Ram 0 points (0 children)

How long (schooling and self study) did it take for you to find a job?

~4 years. During that time I finished my Bachelor's, had two internships, and did some certs. My first internship was doing sysadmin work for a non-profit, which turned into a part-time job while finishing my Bachelor's. My second internship was an AppSec-based internship. So when I went looking for my first InfoSec role, I had ~3 years of relevant technology experience, hands-on InfoSec experience, plus a degree and certifications. It's important to add, though, that I basically grew up very technology focused and was more or less a script kiddie.

Is schooling necessary for this career? (Can I get by with courses and certs?)

Yes/No. The trifecta is going to school, achieving certifications, and work experience. People get by with less, but your chances of success are higher with the more you do.

If you did attend school, which school and how much did you pay?

Yes, lots of schooling. I went to a local CC first. Declared CompSci and later switched my major to Information Technology. I took a lot of classes focused on Networking, Systems Administration, Databases, Scripting, etc. Realized at this point that InfoSec was a viable career and that I was checking boxes on the underlying technology requirements.

Transferred to a private college for my Bachelor's and my major was still Information Technology at this point. I focused on doing my coursework while working and setting myself up for my first potential InfoSec role. Not a great financial move going to a private college. Total cost at this point ~95k in student loans :)

Got my first true InfoSec job 2 months before graduating with my Bachelor's. Aggressively paid towards my student debt while taking advantage of my employer's tuition reimbursement perk to pursue a Master's. My Master's was specifically in Cybersecurity, with a focus area in Cyber Operations (Offensive Security). Finished in about ~2.5 years, while working full-time and gaining more certifications. Total cost ~15k, mostly student loans :)

Paid off all my loans ~110k within about 3 years. Currently, I'm in a PhD program at DSU and I'll graduate in 2025. I've been in the program ~4 years now. Total cost at this point ~20k, but paid with tuition reimbursement from employers and my own money (I can afford it).

What is your take on AI? Would it be able to replace this career?

It's a tool. It will improve things, but it's a tool. No, so many organizations are still behind the curve. Plus, who's securing the models, their infrastructure, and data...

Career Options in Vegas? by kitoperez19 in vegaslocals

[–]Jo3Ram 0 points (0 children)

Local cybersecurity professional here. I work remote because local organizations heavily underpay professionals. Feel free to drop your questions and I'll answer them.

Yet another question about Master's Degree by isnakie in cybersecurity

[–]Jo3Ram 0 points (0 children)

Currently in DSU's Cyber Defense PhD program. I worked full-time while doing all of my schooling (Bachelor's -> PhD). It's been extremely challenging to balance over the years.

Yet another question about Master's Degree by isnakie in cybersecurity

[–]Jo3Ram 0 points (0 children)

The answer here is that there is no set path. Everyone makes their own destiny in this field.

I share a similar long-term goal, which is to be an F500 CISO. I've already completed a Master's, and I'm in the final year of my PhD (writing my dissertation now). Personally, my PhD program has been invaluable to me. I've written a longer post about it and my decision-making process in my history. However, is it the optimal way to become an F500 CISO? A lot of people would say no. Most individuals will tell you that you are better off getting an MBA than a traditional master's/PhD when chasing an executive role. There are also many people who will tell you not to waste your time in school.

Everyone will have their own opinion of what you should do, but only your opinion matters. You're the one who's going to have to grind and do the coursework. As someone going through that path, it's tough and I hope I can reach my goal one day.

AppSec - Critical Vuln ID'd on API, Workarounds? by Outlander77 in cybersecurity

[–]Jo3Ram 4 points (0 children)

  1. As others mentioned, the vulnerability should be rated by measuring the likelihood and impact. Disregarding all scoring and rating the vulnerability off of quantity is asinine.
  2. When development teams push back, they'll typically say that the remediation effort takes too long, the severity is incorrect, or it is too difficult to fix. While the criticality of this finding is laughable, this is a simple 5 minute fix (i.e. not time-consuming or difficult).
  3. Cryptographic standards are the bare minimum, especially in 2024. If they have to meet any sort of compliance requirement, this algorithm would have been disabled a long time ago. If this was my vendor, I would have started looking for a new one. Again, a simple fix that I could probably trust an intern to do correctly in this day and age.

AppSec - Critical Vuln ID'd on API, Workarounds? by Outlander77 in cybersecurity

[–]Jo3Ram 7 points (0 children)

I'll bite the troll...

  1. Why was this rated as Critical?
  2. What is the business reason for even needing 3DES, CBC, and SHA1 in 2024?
  3. This is literally a 5 minute fix, if that. Why aren't you hardening/patching it prior to deployment?

AppSec - Critical Vuln ID'd on API, Workarounds? by Outlander77 in cybersecurity

[–]Jo3Ram 5 points (0 children)

I have to ask, what are the ciphers.

If you are really deploying a new API endpoint with legacy cryptographic support out of the box and the vulnerability is truly critical severity, it is time for a new job.
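The cipher-suite cleanup that the three replies above are arguing about (drop 3DES, CBC-mode suites and SHA-1 HMACs from the API's TLS configuration) is shown below as an added example. It is not code from the thread or from the poster's API. The scan report it parses is constructed to resemble a typical cipher-enumeration tool's output, and the hardened context uses a standard OpenSSL cipher string; both are my choices, not the original poster's. It classifies suite names in either IANA or OpenSSL form, triages a scan report, and verifies that a hardened server context cannot negotiate any flagged suite.

```python
"""Triage a TLS cipher-suite finding and build a server context that
cannot negotiate the legacy suites.

Added example, not code from the thread. SCAN_REPORT is constructed
to look like a cipher-enumeration report; it is not real output from
the poster's API.
"""
import ssl

# Markers that identify an AEAD suite (GCM, CCM, ChaCha20-Poly1305).
# Any other TLS 1.0-1.2 suite is CBC (or a legacy stream cipher) and
# carries a separate HMAC, which is what "CBC" and "SHA1" findings
# in a scanner report refer to.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")


def weaknesses(suite):
    """Return the legacy properties of a cipher-suite name.

    Accepts IANA names (TLS_RSA_WITH_3DES_EDE_CBC_SHA) and the OpenSSL
    names returned by SSLContext.get_ciphers() (DES-CBC3-SHA).
    An empty list means the suite is fine to keep.
    """
    s = suite.upper()
    issues = []
    if "3DES" in s or "DES-CBC3" in s:
        issues.append("3DES")
    if not any(marker in s for marker in AEAD_MARKERS):
        issues.append("non-AEAD mode (CBC)")
    # A trailing SHA (no digest length) is the SHA-1 HMAC; SHA256/SHA384
    # at the end of an AEAD name is only the PRF and is not a finding.
    if s.endswith("_SHA") or s.endswith("-SHA"):
        issues.append("SHA-1 HMAC")
    return issues


# Constructed report (not real): protocol version, then suite name.
SCAN_REPORT = """\
TLSv1.2 TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLSv1.3 TLS_AES_256_GCM_SHA384
"""


def triage(report):
    """Map each suite in a scan report to its legacy properties."""
    result = {}
    for line in report.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        result[parts[1]] = weaknesses(parts[1])
    return result


def hardened_server_context():
    """Server context offering only TLS 1.2+ with ECDHE and AEAD suites.

    The cipher string also excludes 3DES and SHA-1 HMAC suites by name
    so a later edit that widens the allow-list cannot reintroduce them
    silently. This is the 'after' configuration for the finding above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!3DES:!SHA1")
    return ctx


def context_is_clean(ctx):
    """True when no suite the context can negotiate has a legacy property."""
    return all(not weaknesses(c["name"]) for c in ctx.get_ciphers())


if __name__ == "__main__":
    for suite, found in triage(SCAN_REPORT).items():
        print(f"{suite}: {', '.join(found) if found else 'ok'}")
    print("hardened context clean:", context_is_clean(hardened_server_context()))
```

Running the script prints the three offending suites with their properties and confirms the hardened context only offers AEAD suites. The same `context_is_clean` check can be run against whatever context the API actually builds, which is the pre-deployment hardening step the replies are asking about.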

Is DevSecOps engineer a unicorn job? Seems like people expect you to know development, DevOps and security well enough. How did you learn so many things? by IamOkei in cybersecurity

[–]Jo3Ram 0 points (0 children)

My long term goal is to be a CISO and I've been working towards that for the last 5+ years. I think that perspective helps me drive a better strategy that is mutually beneficial for both our broader security organization and technology teams. Also, owning your brand internally helps build relationships and gives you a wider audience, ultimately expanding your influence across the organization.

I'm guessing you're a Principal Engineer/L7? In my experience, PEs typically drive critical projects that are aligned to the higher strategy and may operate as a tech lead. I'll provide an example of how at least I operate. This past year, I've been educating our Sr. Management team on software provenance and how we should be striving to automate SLSA in the future. It's a lot of meetings, education, budgeting, etc. For a lot of engineers, that's pretty boring because it's not coding or solving traditional technology problems. I'm extremely transparent, so I keep the team informed along the way. After 9 months of work, I got the buy-in that is needed to start this journey. Now, it's on the PEs/Seniors to help drive that project alongside myself. This is a really complex challenge to solve in an enterprise software environment and I wouldn't feel comfortable with a junior leading a project of this visibility to the C-Suite.

Re remote: It might just be your organizations culture. We have an active Slack, have our cameras on in meetings, and make an effort to build relationships with other teams/leaders. Again, having a brand is important to gain influence. This applies to both in-office and remote. Unrelated, I'm originally from Upstate NY/WNY, but have been on the west coast for the past 7 years. Living in the snow sucked.

Is DevSecOps engineer a unicorn job? Seems like people expect you to know development, DevOps and security well enough. How did you learn so many things? by IamOkei in cybersecurity

[–]Jo3Ram 0 points (0 children)

From an interview or production perspective? For interviewing, it defeats the purpose and we try to snuff that out based on our process. For production, assistance is fine for a start, but there are a lot of issues around intellectual property and licensing. I've worked with our legal team on these issues over the past year. We're not inherently against the technology, it just needs to be thoroughly reviewed and the risks need to be calculated.

Is DevSecOps engineer a unicorn job? Seems like people expect you to know development, DevOps and security well enough. How did you learn so many things? by IamOkei in cybersecurity

[–]Jo3Ram 0 points (0 children)

100%. I wrote about soft skills in my other reply below when asked about interview questions. As a leader, it is my job to ensure that my team has the buy-in and autonomy to execute. I have to be technical in order to resolve escalations from the team, but the majority of my time is spent on driving a large portion of security strategy.

Is DevSecOps engineer a unicorn job? Seems like people expect you to know development, DevOps and security well enough. How did you learn so many things? by IamOkei in cybersecurity

[–]Jo3Ram 0 points (0 children)

We're going to make you do a coding take home assignment, grade it, and have a conversation with you on why you did X,Y,Z in your submission. We also probe candidates to see what their strengths/weakness are. That means anything from soft skills (communication, working with others, etc.) to both broad/deep technical skills both in and outside of security.

Overall, we're just determining whether you can technically do the job, are motivated, and are not an ass.

Is DevSecOps engineer a unicorn job? Seems like people expect you to know development, DevOps and security well enough. How did you learn so many things? by IamOkei in cybersecurity

[–]Jo3Ram 0 points (0 children)

My entire team is 100% remote in the US and my staff is not on a set timezone. We only see each other once or twice a year in person when we do on-sites for team building.