An education in Infosec, or how I became Phishy the mascot for a day
I was wrapping up my first year at RIT, which as a transfer meant I was actually taking sophomore and junior level courses and I. WAS. STRESSED. Both my academic and co-op advisors had reached the conclusion that I needed to start considering where I wanted to complete my first term of co-operative education. If you're not familiar, co-operative education is similar to an internship; the differences are that it is paid experience, and that you needed to do more work than fetch coffee and shadow people. Was I really ready? I didn't feel half as smart as some of my classmates, I felt like knowing how to do basic subnetting and configure RIPv2 was not enough. I didn't know if I wanted to stay local or travel; I didn't know what IT role would be most beneficial. A few weeks later, the lead Information Security Engineer for the college appeared in one of my classes to talk about best practices and to advertise their need for student co-ops. I really didn't know anything about security, but I loved RIT as a campus and I was eager to learn something new so off my resume went.
Somehow, I landed the co-op. And in November of 2011 I started working on real live projects in a production environment. To paint a picture, at the time the ISO@RIT was three full-time employees. Ben was the policy and program manager, Jim was the digital forensics investigator, and Paul (my boss) was the Security Engineer. The department was also powered by students. Two full-time co-op students - one junior and one senior - ran a number of long-term projects and ongoing reporting. One to two part-time GCCIS* students worked on smaller engineering projects, and 1 - 2 communications students assisted with the ISO's social media and PR campaigns.
As a junior engineer, my load started relatively light and heavily supervised by the senior student and Paul. I learned how to do vulnerability reporting using Rapid7's Nexpose and Tenable's Nessus. Scans were run prior to the start of each term across the campus, and then smaller scan sets were done weekly/monthly. Once servers with vulnerabilities were found, it was also my job to reach out to the system admin who owned it and explain what the vulnerability was, and how to correct it. This was a big part of my first co-op term.
Research played an important part in the students' day-to-day duties also. The senior engineer and I made time every day to research recent and developing attacks and threats, and report them based on severity to the lead engineer. We also were allotted time to educate ourselves on available security tools on the market. This meant attending webinars, using community forums and even spinning up a virtual machine or two for testing purposes.
What quickly became my pet project throughout all terms of my co-op was the management and administration of our office's virtual environment (being a Networking & Systems Admin major paid off). It was a humble setup with two servers on ESXi 4.1 and 5.0, a handful of templates and < 30 VMs. It was, however, a perfect time for me to test and expand my knowledge of server management. I handled all patching and cleaned up office documentation. I performed snapshot management and rollbacks, and I even owned and performed the upgrade of both servers to ESXi 5.5. Flawlessly, I might add.
After my initial term, I became the senior co-op and fresh meat named Max was brought in as my junior. I had the honor of bringing Max up to speed on our policies, our practices, how to document, how to do vulnerability scanning. I loved every minute of being a mentor. Max was (still is) a very bright and talented guy and he probably didn't need as much help as I offered, but he was very gracious and humored me all the same.
On top of my newfound training duties, I became eligible to assist with more complex projects in the office. One of these projects included the discovery and removal/mitigation of personally identifiable information (PII) on all staff and faculty devices, and all servers across campus. This was a massive project that started before my time in the office, and likely continues today (seriously - PII never dies, it is basically a digital cockroach). I can't give out specific numbers on how many entries existed during my time working on it, but I can say this much: I am beyond proud of the progress I made leading the cleanup efforts with Ben.
These four primary projects taught me so much about information security. I learned how to implement tools and procedures to harden a truly enterprise-scale IT footprint. I learned about different attacks and threat vectors that can occur across all verticals of IT. I got smarter on proper documentation of infrastructure, and how to teach and share best practices among my peers. I gained a little industry knowledge on academia and on how very differently the IT machine operates there compared to the private sector. Most importantly, I gained great mentors and was encouraged to believe in my capabilities.
The crowning moment of glory for me was RIT's Move-in weekend 2013. I had the honor of being the moderator for the information security panel given to over 2000 incoming freshmen and allowed to don the ever-coveted mascot for the ISO, Phishy.
Yes, this is actually me! Phishy + RITchie, mascot pals for life. Photo credit: RIT Information Security Office
Yeah, you saw that right. During the move-in activities, I got to wander the field house with a handler so we could educate freshmen on phishing and other social attacks. I'm basically qualified to be the next Philly Phanatic... right?
Moderating and wearing my finest RIT orange, with moral support from Max as Phishy and Ben on the panel. I am truly happy, proud, and nervous-sweaty in this moment.
Just keep swimming,