Life as Security Researcher: Turning a Hobby Into a Career

Listen to this podcast on Spotify, Soundcloud or wherever you find your favorite audio content.
We’re excited to have launched the Beyond The Perimeter Podcast: the podcast where we discuss everything security. 

Each week, we will discuss the latest and biggest breaches to hit the news and talk to different security experts to learn about their experiences in the security industry. In this edition of the Beyond the Perimeter Podcast, we tackle the EasyJet Breach and learn from independent security researcher Ryan Nolette how he made a hobby into his career.  

Breach of The Month: EasyJet 

On May 19th, British low-cost airline group EasyJet announced that they had suffered a data breach. They declared that the highly sophisticated cyber-attack affected over nine million customers. Details from the breach included full names, email addresses and travel data such as departure, arrival and booking dates. While the breach itself occurred in January 2020, EasyJet notified the UK’s Information Commissioner’s Office at that time, but waited four months to notify its customers. EasyJet did not immediately give details on how the breach occurred, but said it had “closed off this unauthorized access”. It’s most probable that a phishing attack was the culprit of the breach.  Our advice for all EasyJet customers is to change their passwords and check for any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further personal information.

For more security tips and insights, I interviewed independent security researcher Ryan Nolette who explained his experience with information security at a young age and how it formed his career today. Ryan has held roles in the InfoSec field and consulted on threat research, incident response, and every level of security operations. He is an active speaker and writer on threat hunting, cloud security, and endpoint security.

Attracted To Information Security From an Early Age

If you ask security enthusiasts, many of them will tell you that their interest in security started at a young age. In Nolette’s case, movies and books about hackers, as well as early discussions with his school IT worker, sparked his interest in Information Security. “Infosec has always kind of been an interest to me. The movies that I was starting to watch, the Hackers trilogy and The Art of Deception by Kevin Mitnick came out and a colleague of my dad at the time told me to go check out that book and it was very interesting actually reading about the experience, the stuff that he went through and then how that related to the movies there.”

Initial introduction sparked into more of personal interest to Nolette. “From there it just kind of really – the interest grew and grew as I started researching the topic more and more. We started off with people doing pranks to each other in class and whatnot. You know, pop out the CD-ROM of your neighbor’s computer, things along those lines and it kind of escalated to well, you take those concepts and now we expand them out into these overarching, more in-depth topics that are enterprise-level and now instead of your adversary being your classmate, now your adversary is whoever the attacker is in the world and it’s just a change in scope and severity. I had a pretty interesting IT or a general worker for our school system that I went to had an open conversation about technology in general and we’ve learned an awful lot about my school’s network and the town network worked through that.”

Learning From Security Experts over the Years

In the late 1980s and early 1990s, the number of places to learn about networks and security was limited. Nolette described how he learned on the go and through experiences. “It was more of a silo for me. I didn’t know those forums existed at the time. How I learned things was from some of my schoolmates who were interested in computers and operating systems. It was definitely an interesting experience and unfortunately, at that time, it was very hard to get the information, to gather if you didn’t know where to go look.

The times have changed and now it’s much easier to learn security practices from experts around the world. “Now it’s significantly easier since I started in the industry and I’m really, really a big fan of that and that kind of leads into – if you want to get started in the industry, just go to a conference. There are free and cheap ones all over the world. I’m on the East Coast of the United States and there’s a BSides conference in pretty much every state and that’s a wonderful, affordable conference to go to and they handle a very large group of attendees, whether they’re the presenters or the attendees on their own. They really foster a collaborative environment. So you can go in and ask questions. You can attend one day of a conference and learn about 10 or 20 different vectors of security and that kind of lets you figure out what you’re actually interested in.”

Endless Amount of Security Content While Remote  

With the majority of the world working remotely, the face to face events have been canceled. Nolette highlights the different virtual opportunities for security minds like himself to learn remotely. “One of the best things that came about from this is I’m a big Reddit fan. So there’s a couple of different security subReddits and they have curated lists of virtual conferences, free online training and discounted tools and training. They’ve kept them pretty up-to-date and it’s just spreadsheets of these different resources that are available to you. So definitely check that out as a starting point and get a bunch of things online.”

With the current remote situation, the security community has gotten a bit creative to spread their knowledge. “While I know there are a few new conferences that even launched because of the work from home and the virtual conference idea. A new conference is basically going to put all the attendees on a Zoom call without any of the security restrictions on it and just kind of see what happens. So there should be some fun stuff like that.”

You can follow Ryan on Twitter and read his latest content on his Github page.  

If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.