Semrau Security

"Investigator" - The Origin Story

October 01, 2021 Brian Semrau Season 1 Episode 2
Semrau Security
"Investigator" - The Origin Story
Show Notes Transcript Chapter Markers

Ever wondered what it is like to navigate your way through an information security career?  In this episode, I go through what my story looked like as I entered the industry and give my top 3 tips for those who are considering a career in information security.

Infosec Chicago
Infosec Chicago helps organizations stay secure, no matter how scary the internet is.

Hey there!  I’m a full-time digital forensics investigator where my practice focuses on a variety of privacy and security research.  I also run a small information security consulting company called Infosec Chicago.  It’s been a while since I posted an episode, and that’s because I believe it is important to be focusing on unique content, and especially given my busy schedule, finding and cultivating unique content takes time; so, I don’t expect that this will be a weekly podcast or anything like that (but I do hope to start posting a bit more frequently going forward).

 

Today marks the start of National Cyber Security Awareness Month, and in honor of that, I wanted to talk a bit about how I got started in the industry and give some tips for those who are considering the information security industry themselves.  My interest in digital forensics goes back to when I was in middle school.  I had always had an interest and knack for working with electronics and I had already been the average audiovisual geek for a few years, so I knew I likely wanted to do something in technology.  At one point during middle school, a digital forensics investigator at the FBI gave a presentation at a summer activity I was attending that had a “spy theme” to it.  I was absolutely entranced with some of the showy things he was demonstrating like removing passwords from computers and documents, recovering deleted data, etc.

Of course, all of this is stuff I can do in my sleep now; but to 12-year-old me, that was the ultimate test of skill.  I began diving more and more into the “hacker” lifestyle, just putzing around with the old computer that my parents let me type up schoolwork on and I got to use the built-in pinball game on; but other than that, it wasn’t connected to the internet and didn’t really have any games on it (nor did my parents let me play console video games).  Part of the reason for the no-games rule is that several years earlier, on my parents had installed a Carmen Sandiego game on the family computer for me; only to get a malware infection a month or two later and blame it on that game and be paranoid of anything I wanted to install for years to come.  Yeah… that well-known commercial game that got installed from a read-only CD-ROM which was still sealed in the packaging from the store we bought it from is totally what caused that malware infection.  Never mind the fact that the family computer was connected to the internet and my dad constantly installed new games and programs with a tendency to click anything and everything without actually reading it.  <heavy_sarcasm>That tendency couldn’t have had anything to do with that infection.</heavy_sarcasm>

 

So, by the time it made sense for me to be using a computer for school, they got that old desktop that a friend was getting rid of, and that became my toy to play space pinball and minesweeper on; and of course mess with every setting, command, and registry key I could find.  I broke that poor thing so many times.  Of course, that just meant that I kept learning how to fix what I broke.  By the time high school came around, the typical rebellious phase didn’t turn to drugs and alcohol, instead I was figuring out how to hack my way around the internet filters that my parents had installed to let me use the internet for schoolwork but not for things like YouTube, Facebook, Stack Overflow, ya know… the typical teenager stuff.  Of course, I was stupid and didn’t think to cover my tracks after getting around those filters, so my parents would see that and try to make things harder to get around (which of course only encouraged me more since the harder it was, the more the “hacker high” became once I eventually figured out how to get around it).  #pwned.

 

By the time I got to my last year of high school, I was still convinced that I wanted to do digital forensics for a living.  I had already started doing computer repair on the side a few years earlier (my business was what most in the computer repair industry would have called a “trunk slammer” business, but for a high school student, it was still better money than I was making teaching rock climbing at the local gym; and I enjoyed helping people).  Instead of studying for the SATs and ACTs, I took reading and writing competency tests at our local community college (COD) and started my first computer science class.  The professor was great and gave me fantastic career advice, but the class was too basic for me.  Quite literally… one of the projects towards the end of the class was quite literally writing hello world in visual basic.  By this point I had already been doing some advanced batch scripting and had done a bit of very rudimentary .NET and C++ development, so instead of focusing on programming classes, the next semester I took computer repair and networking classes instead.  This is where things really started to click, and I poured myself into networking, security, and eventually took the 2 digital forensics classes that they had and a few criminal justice classes.  The digital forensics classes only further intensified my desire to follow that career path, and by the time I finished the second one, I became the first student at COD to pass the AccessData Certified Examiner certification.  Of course at the same time that I was taking these networking, security, and forensics classes, my grayhat side of me was only intensifying.  I’m not going to go into a ton of details other than to say that by this time I had learned my lesson about covering my tracks and was pretty careful about leaving enough information to where someone could actually prove it was me… and that’s probably a really good thing for certain records.  Now that isn’t to say that I was being malicious… I was just having fun.  But, I still wish I had known about how CFAA was worded and some of the potential consequences much earlier.  These days while I do look back and laugh at some of the pranks I pulled through hacking around that time, I can only sigh knowing that I’ll never be able to top any of those, since I am extremely careful to follow CFAA and stay on the whitehat side of ethics these days.

 

After awhile it was time to start thinking about transferring to 4 year schools to finish my degree.  At COD I had made a really good friend who was going to be transferring to Illinois Tech a little before I would be transferring, and I also knew that one of my favorite professors at COD taught at Illinois Tech as well.  I looked into it a bit more and found that they had a fantastic cyber forensics masters program, and one of the faculty teaching that was one of the OGs of the industry – quite literally one of the people who had forgotten more than I will ever know.  I figured I would go there at least for the bachelors degree and see how things went after that.  It turns out that Illinois Tech was a really good compliment to the experience I had gained at COD.  While COD was extremely hands-on and trained students to go straight into a networking job or something of that nature, the program at IIT had a much heavier focus on the theoretical nature of the field.  That isn’t to say there weren’t hands-on experiences at IIT, but hands-on knowledge is only as good as the firmware version number.  As things change and progress in the industry, that knowledge will change and become outdated quickly.  Of course having hands-on experience is extremely important to have as a foundation. Theoretical knowledge helps you stay relevant even as things change.  I remember as I was looking for gen-ed classes I could skate by in, I noticed a humanities class called “Standards Based Web Development” – as I was clicking the register button as fast as I could, I was chuckling to myself “only at a tech school would a web development class count as a humanities class” I was thinking.  I figured it would be an easy “A”.  Boy was I wrong.  I still got my “A”, but I had to work for it (and the work was challenging rather than busywork, which only helped me enjoy it more).  As I and many others who took classes with this professor would often say (in a good way) after the class was over “Professor Stolley ruined the internet for me”.  I’ve had lots of professors that I’ve liked and learned a lot from over the years, but Professor Stolley is certainly one of the more influential on how I approach security… he used web design as a vehicle to teach human computer interaction, which I believe is absolutely fundamental for anyone in information security to have at least a cursory understanding of.  I don’t claim to be an expert in human computer interaction by any means, but a number of human computer interaction studies (along with my complete lack of faith in humanity that came from working in retail for a few years in early college) are fundamental to how I approach security today.

 

Towards the end of my bachelors program, I had spent a bit more time there than I would have liked because I was also working full time throughout most of my program.  I spotted one class that I was fairly sure I didn’t need – the class that was basically the undergrad program’s survey of information security.  After all, by this point I had already passed a number of security certifications and had gained quite a bit of experience in my internship and what had eventually turned into essentially a security engineer position with a flexible schedule (but was still called an internship to give me that flexibility).  I knew the professor had a good reputation, but I still begged with our department chair to give me credit for that class based on one of my certifications.  He declined stating that there were just a handful of things in the class that my certification didn’t cover.  Plus he pointed out that the adjunct professor worked in digital forensics, which our department chair knew would interest me.  I somewhat reluctantly forked over the significant amount of money that was my tuition, and took the class.  I figured I would make the best of it… even if I did already know quite a bit about most of the topics being discussed.  Maybe I could find new methods of doing something that I had already known one way of doing something, and maybe I could use the time to dig a bit deeper into some of the concepts outside of class.  Maybe the professor would be someone I could engage with and learn more about forensics from in a conversation or two outside of what was being focused on in the class.  It turns out that professor did make things very interesting and engaging.  The class material was mostly a review for me, but as I had planned, I learned different little tricks that you can always pick up when seeing how someone else approaches things; and on the few things that I didn’t have as much existing experience with, I dug a bit deeper outside of class.  One thing I had played around with in the class was Burpsuite.  I had used OWASP ZAP before, but had never really messed with Burpsuite thinking “why would I use a neutered version or pay money for something which there is an open source alternative for?”  Yet, using it in the class, I found that I really did like it.  A few weeks later I saw that Bose had made the news for spying on people through the quiet comfort headphones companion app.  The allegations that were made didn’t sit right with me.  The law firm that filed it (which sounded vaguely familiar, but I wasn’t in law school so it’s not like I was really paying much attention to law firms at the time) was essentially claiming that Bose was gathering information from another app running on the phone; and then sending that off to third parties.  That didn’t seem possible to me at first and they didn’t include any evidence in the complaint.  I happened to have a pair of the headphones they supposedly tested it with; so I figured this would be a good chance to test out Burpsuite a bit more and intercept the traffic from the Bose Connect app.

Sure enough, my tests confirmed the factual allegations of what data the app was sending to third parties.  I decided to write up my findings into a report, and on one of the social media posts where Bose was denying the allegations, I simply linked to the report and asked them how they explained it if that wasn’t true.  It was getting late by this time and I had to work the next morning, so I went to bed figuring I wasn’t going to get a response anyway.  The next morning I woke up, and saw a ton of failover notifications sitting in my email from my web server (it was a pretty small server, and the failover functionality was pretty much something I had built out for fun… it wasn’t a critical website in my mind).  I thought it was weird, but I was running a bit late so I ignored it and got to work figuring I would fix whatever was wrong with the failover mechanism the next day.  I walk in the door, and my coworker that was in the cube next to me says “oh hey – I just read your article!”  As it turns out, someone had seen that comment and posted a link to my report on the cybersecurity subreddit, and it had gone viral (with close to a million views overnight).

 

I happened to have my class that night, so I took off from work a little early to get dinner before class; and as I was waiting for my food, I decided to look into the law firm that filed the lawsuit a bit more… after all… the name “Edelson PC” had sounded a bit familiar before and I was curious if I knew any of their other cases.  I had heard of some of the other cases, but didn’t know a lot about them – certainly nothing where I would have recognized the law firm’s name from.  As I was finishing my meal I took a look at the staff profiles they had on their website… a few scrolls down, there was my professor’s picture with the title “Director of Digital Forensics” staring right back at me.  I just about choked on my food – after all, I had started the introduction to my writeup saying I didn’t believe the allegations.  That night professor Davis walked into the classroom, he exchanged the standard pleasantries, then asked if anyone had heard of the “Bose privacy lawsuit”, a handful of my classmates put their hands up, and I rather sheepishly put my hand up.  Professor Davis continued “well, I know Brian has… because I read his paper on it today!”  I laughed nervously as he started explaining what the lawsuit was about.  After class we had a good conversation about what I published in terms of suggestions he might have in the future about how to approach things and some of the legal strategy they were using.  The rest of the semester progressed and was fun… one of my friends taking the class and I had a friendly contest to see who could get the highest score in the class… with each test we were consistently within 1% of each other; and overall it was a really fun class.

The semester following that was my last one for my undergraduate program, and upon graduation, I was expecting a full-time salaried position at the company I had been interning at.  It had been pretty set in stone for awhile that they wanted me; but a month or two prior there was a change in leadership and everyone was watching their budget, so the timing wasn’t the greatest.  I began looking at other options while they him-hawed.  During this time I reached out to Professor Davis and asked if I could use him as a reference as I was looking and/or if he knew of any positions (which I’ll now admit was a thinly veiled way of asking if he had any openings at his firm – especially since by this time I knew he had hired at least one other student from Illinois Tech that I was friends with).  He did agree to be a reference and put some feelers out for me at one of his previous companies; but he didn’t have any openings at his firm at the time.  A few weeks later I did receive a full time security engineer offer from the company I interned at, and ended up accepting it; and happily helped them transform their security operations even more since I was the first employee they had hired specifically for security.

 

Eventually I got a call from professor Davis asking if I was still looking for a position as he had one open up at his firm.  Even though I wasn’t particularly looking at the time, I knew that the work that they were doing at Edelson was right up my alley by combining digital forensics with privacy and security.  After a phone interview, I went to what was without a doubt the longest interview schedule I’ve ever had, the rest is history - I’m now a full time investigator at Edelson PC.  It has been interesting seeing the differences between the legal community and the IT community, as well as the similarities.  Both are very intense industries, but often in different ways.  I recently finished my masters in Cyber Forensics and Security, and am beginning to settle down and start looking at helping future generations of IT and information security personnel meet their goals through mentorship and hopefully in the near future starting as adjunct faculty.

 

So, here are some of the recommendations I have for anyone looking to get started in information security.  First of all, figure out what your passion is within the industry.  It’s ok if it takes a little longer to figure that out… I was lucky in that I knew what I wanted to do from the beginning, but not everyone does, and that’s ok.  But, by finding your passion and moving towards that specifically, you will overcome a lot of the hurdles that can come at you… you will be more motivated to put in the extra effort and show those around you what sets you apart.  In my experience, when you least expect it, that little bit of extra work will make all the difference.  Second, by finding your passion, you will be set to figure out your motivation.  I can tell you right now that if your motivation is simply the salary, there are easier ways to make money.  Most people who I see who aren’t motivated by the work and their passions that go into infosec for the money end up working basic helpdesk or level 1 SOC analyst jobs the rest of their career… and those can be very tedious.  On the other hand, if you are passionate about the work, the money will naturally come in short order.  The other money part to consider is that once you know what your passion is and what motivates you, your path will be much more directed meaning that you aren’t going to be wasting money pursuing classes and certifications that don’t interest you as much.

 

The next piece of advice I have is to always be networking.  From my experience, a good part of getting your foot in the door for the industry comes from chance and who you know… that was the case both when I got my internship as well as from the story that I just told that led up to me getting my current job.  You never know when the random person you meet in your social life, in a class, or even at the bus stop might be your next valuable contact.  COVID has obviously thrown a wrench in being able to network to the same extent that we used to be able to, but events are starting to open back up again, so if you feel comfortable meeting in person, now is the time.  On the other hand, COVID has also opened some doors.  If you think you might be interested in relocating (or even working remotely since a lot of remote opportunities have opened up recently), then attending online events means that you can expand outside of your local area.

The final piece of advice that I have is that when you are looking at taking classes and getting degrees and certifications, value your time along with the program cost.  All too often I see people only considering what the tuition or fees are and not putting a dollar amount on your time.  Especially as you progress in the industry, your time will become more valuable, so it’s important to factor that into your equation.   Depending on what you want to do in the industry, a degree may not be necessary… always do a cost benefit analysis.  Now, that’s not to discourage anyone who does want to do a degree program… obviously I believe in higher education since I’ve spent so much time and money in it and I’m looking to work in it… I do think there is value especially at the community college level.  But, I’ve also seen so many of my peers spend over $40k a year on tuition only to go work in a completely different field that they really enjoy but has nothing to do with what they studied.

Housekeeping
"Investigator" - The Early Years
"Investigator" - Undergraduate
"Investigator" - Finding The Spy
"Investigator" - The Security Engineer
"Investigator" - The Call
Recommendations For Future Infosec