I'm Kristin Judge, Cyber Security Education and Awareness Expert AMA!

Despite having "easy tips" for people to stay safe online, people still fall for phishing/scams every day (possibly at an increasing rate, as more people come online around the world). It's only going to get worse.

Do you feel that your current advice is getting the message across?

I work in IT, and despite numerous lectures from me, my parents still ended up getting scammed. I genuinely don't know how to help them!

My questions is similar: What are some tips you can share about educating users? I have almost 900 people that I try to educate with weekly emails about Cybersecurity.

I try to encourage champions in each department. Similar to how we have a fire captain on each floor that takes responsibility for sharing tips and bringing everyone together to talk about security at a lunch and learn each week. You do not have to make up your own content. Use some of ours on Staysafeonline.org or stopthinkconnect.org, and have others share their thoughts. If the message always comes from the IT security person, they will not hear it. Check out OUCH: https://www.consumer.ftc.gov/scam-alerts. Write to SANS Security the Human community to see if you can get in the group to talk to others who are doing awareness: [email protected]. Tell them NCSA sent you! Another tip, share with people that the information you give them to stay safe at work also works at home. They will buy in more.

Do you feel that your current advice is getting the message across?

So, no?

I do think we are making a difference! The SMB workshop we have done over the past year has had an effect on behavior. Awareness and education is only good if people actually change behavior. After taking our workshop, some people did add two factor, improve passwords and get encrypted email. Most people who attended the workshops (over 90%) took the materials back and shared them with people in their offices. 100% feel better about their ability to secure their data. We are making progress!

Well, my parents got scammed too...so no perfect answer. What I have found out is after there is a breach, we need to teach. I try to capitalize on when someone is a victim for the first time. They are more likely to listen then. Before then, I think most people are intimidated by the process. If you sit down and put 2FA on your parents' accounts, that may work. That's what I did.

Thanks for replying!

They got scammed due to some fake anti-virus, so sadly 2FA won't be of much help.

I will point them in the direction of your website - I might even make it their homepage ;-)

Good point..same can be said about putting real anti-virus on their computer and blocking their pop ups. I put all the security on my parents and family computers. I do sit in small groups with folks to teach in private. People are embarrassed that they don't understand. I remind everyone that this Internet thing is very new. The smart phone has really only been around for 10 years. You are not expected to be an expert in this yet! Be patient with yourself. That seems to help!

Sign them up and yourself for the FTC Scam Alert: https://www.consumer.ftc.gov/scam-alerts You will get a note once a week or so on the top scams hitting the country. I share them far and wide when I get them.

Hello Kristin, Im working as an IT help desk right now and want to explore the security side of my field. What are some things that you wish you knew when starting in your job field that you know now?

Just knowing how many jobs and opportunities there are in cybersecurity. Truly any company you talk to has needs that are unfilled. If you have time to get a certificate and specialize in something you enjoy, go for it. Don't wait! We need you! I encourage anyone I talk to that has an interest in cybersecurity to get connected.

what certificates do you recommend going after. Are there multiple ones you would recommend? Also I am in college now, and ive had this talk with a few people. Do you think you should do college still with getting certificates, or just certificates. Some people even say don't get your certificates and just do college. Whats your take on that?

edit: also thank you so much for replying!

That is the question we are struggling with nationally in many of the discussions I take part in. There is no one answer! My best advice would be to talk to a few companies you would want to work with and ask them what requirements they have. The educational institutions, HR departments and security department leaders are sometimes not talking the same language. We are working on that, but we are a bit behind. I will post some resources here for you to start looking around: Find out what you like by looking at some free training: http://www.tomsitpro.com/articles/free-infosec-training-for-it-pros,1-2707.html

You can take these free online courses and add them to your resume: https://ics-cert-training.inl.gov/lms/ Just make up a Company name when you register.

You should take the SANS CyberTalent Test here. Scroll down to find it. It will help you better understand what you need.  https://app.brazenconnect.com/events/sans-cybertalent-fair-may2016#!eventLanding;eventCode=sans-cybertalent-fair-may2016

This is a good site to check for student or internship opportunity. I put in network security and came up with this search: http://www.internships.com/search/posts?Keywords=network+security&Location=&Radius=Hundred&Company=&ListingType=EntryLevelJob&Sort=MostRecent&FilterBy=&Page=1

Cyber Career Research http://www.npower.org/Our-Programs/Symantec-Cyber-Career-Connection-NYC.aspx http://www.cyberdegrees.org/ http://www.cyberdegrees.org/resources/free-online-courses/

Thanks for doing this Kristin, is the NCSA going to change any of it's messaging with the recent public ransomware attacks IE: people locked in hotel rooms, the CCTV camera's taken out in WashingtonDC? And does the current executive administration bear any issue or pressure towards the NCSA and what your trying to do?

We are working on an IoT campaign that helps people understand the security for their online devices like cameras, baby monitors etc. The technology is changing fast, so it will be a constant effort to get best practices out. I tell people to bring IoT devices in their homes if they are willing to read the privacy statement, set the security settings and update the software when needed. That will take some work!

We have not worked with the new administration yet, but we did work with the former President's office on the joint initiative called www.lockdownyourlogin.com. Teaching people to put stronger authentication on their accounts. Do you have two factor on your email? We all should!

Yes, I have 2FA on every account that accepts it. Unfortunately, my parents on the other hand.. cannot understand it so they don't and I just helped them create passphrases.

Passphrases are a fantastic step for them. Now just teach them to not click unless they know it is secure! Only so much we can do!

Hey Kristin! Thanks for taking time out of your day! Do have any advice for upcoming cyber security enthusiats getting into the field?

Thanks for asking! We need you! You may have heard about the amount of jobs for cybersecurity professionals on the technical level. Check out http://cyberseek.org/ to see where the jobs are and start finding a mentor.

The NIST Cybersecurity Framework lists all the potential jobs and what it takes to get there: https://www.nist.gov/cyberframework

Hi Kristin! Thanks for doing an AMA! Three questions:
Are you familiar with the "CyberPatriot" competition created by AFA?

Do you prefer using GUI's or using a CLI when securing a computer?

What is your preferred Anti-Virus/Scanner?

Thanks again!

Q1: CyberPatriot is a fantastic program for 3rd grade thru high school. I was honored to be a coach for a team in my community last year.

Q2: Don't know that one!

Q3: I suggest people put "best anti-virus of 2016" and see what the top industry magazines suggest. They usually put the options in a list by price and help you figure out what is best for your situation. I was able to get one that I could put on 3 devices for around $50/year. That was best for me.

Isn't non-technical "educators" spewing corporate-written dogmatic paradigms one of the main things that are most delegitimizing the field in general?

Turning cyber into a battlefield of vendor management while attackers are free to stroll on through unscathed?

Thanks for bringing up this point. Not sure exactly where you are trying to go, but I have found that the audiences I speak to (elected officials, small businesses, consumers) appreciate learning from non-technical folks. It is like an algebra teacher trying to teach addition to 2nd graders sometimes when technologists teach online safety. Our advice is not "corporate written" either. NCSA tests messaging in focus groups and researches the best way to get the messages to consumers. I am more than happy to keep discussing the second point, "Turning cyber into a battlefield of vendor management while attackers are free to stroll on through unscathed?" Not sure what you are trying to get across. Thanks for the conversation!

Why has the usage of All-Source Analysts or Fusion Analysts been perceived as witchcraft/Voodoo Magic by the tech community?

The US government backs Firelie, however the concept of a whole solution, (not end point protection) is unheard of in the tech community with the exception of Norse. (They have a box like Firelie but they use sensor traffic to see what's coming out of the network, not just defending against what's coming in.)

My strengths are on the education and awareness side. You went a bit too technical for me on that one. Hopefully someone else will chime in.

Hello Kristin, thanks for doing this. What are some good volunteer opportunities to strengthen my skill set in information security? I have taken quite a few information security classes, but lack hands on experience.

Maybe getting involved in cyber competitions or an internship would be a good place for you:

Here are some non-military internship ideas. Staring in a Federal government agency would open many many doors:
 https://niccs.us-cert.gov/education/internship-opportunities http://www.cyberaces.org/courses/ https://tutorials.cyberaces.org/tutorials https://www.cybrary.it/ 
 Competitions: No need for experience in college : National Cyber League https://www.cybercompex.org/ https://www.cybercompex.org/pages/nice

National Cyber Security Student Organization http://www.cyberdegrees.org/about-this-site/ https://www.cybercompex.org/ 
 Also, University of Arizona (my old rival) has a new cyber range that you can participate in for free from anywhere. Incredible resource! http://azcwr.org/

Good luck and don't give up! We need you!

Thanks for the answer! I have actually used the cyber range before (I actually graduated from UofA; hopefully you are not ASU), but I will check out the other resources.

I am a Sun Devil, but we can all get along :-)

forgive me if this seems like a snarky question, but is your expertise education/awareness/evangelism or cyber security? b/c i'm not seeing many actual infosec questions being answered, more lightweight things.

No forgiveness necessary! I consider my expertise being similar to an interpreter. We have people who understand cybersecurity on the infosec level and those who are using connected devices every day without understanding the way to be secure. I help take information that the infosec community believes is best practices and teach non-technical people how to best use the knowledge of technologists. When I teach online safety at public events, I encourage the technologists to share their insight with the group and have the utmost respect for my infosec friends and partners. There is plenty of work for both of us! Hope that answers your question!

how did you guys hear or get started with vcs?

I was asked to be a guest on their AMA after one of their staff saw me present in Ann Arbor on SMB cybersecurity.

As a cyber professional what was your reaction to Trumps outright denial of Russian involvement in the US election.

What more past PCAPs should the tech community provide as "proof"?

You say "as a cyber professional" but ask a political question...This is not really the best forum for me to give my opinion on that while representing NCSA. The conversation will continue for many years though...

Is it TOR still secure for browsing sensitive content?

I will have to defer to the technologists VCSolutions on that!

What are the coolest aspects of the future cyber environment that excite you the most?

The coolest and scariest aspects of the future are the same for me. The fact that cyber is a part of everything we do now gives us unlimited possibilities and unlimited vulnerabilities at the same time. I try to focus on the positive and feel good when I have the opportunity to educate someone on how to stay safer online.

Do you believe our election was "hacked" or influenced by any sort of cyber attack?

Most likely only those with top secret clearance could have any knowledge at this point. That is NOT me. What I do know is that we need to be vigilant as a government, private sector and personally to understand our vulnerabilities and do what we can do secure our accounts.

[deleted]

I use one too...my advice is to put "best password manager in 2017/2016" into a search engine and find the one that works best for you. Having a passphrase instead of a password and adding 2FA are critical. Two factor authentication could have stopped so many of the big breaches we have seen in the past few years. Read the articles on the breaches, and it usually spells it out.

Kristin! How does one best get into the security field? I've read comments from owners of some popular security firms that certification like CCISP are a bit useless, and, actually a bit frowned upon in some instances. I'm a developer with 10+ years of web development and plan on reading through this list of books recommended by Thomas Ptacek: https://goo.gl/8XJ3fC. Any advice is welcome, and thank you for this AMA!!

Scroll through some of the other Q and A here for some resources I shared that may be helpful. The best advice would be to meet with a company you are interested in working for and find out what they are looking for. Sometimes the HR folks do not speak the same language as the ones running the departments who need the talent. Start by doing SOMETHING. Maybe taking a SANS course. Networking at those courses can be useful too. Reading is good, but by the time the books are printed, the landscape can change. I suggest getting out and getting connected!

What first steps would you recommend for someone wanting to get into the network security / infosec field?

Much of my best advice is in the earlier threads, but one thing I did not mention was to go to MeetUps or Tech Talks in your area. I try to go to Duo Tech Talks in Ann Arbor when I can to meet people in the field. https://www.meetup.com/Duo-Tech-Talks/messages/boards/ Networking will get you connected to opportunities. If you live by a school that is part of the Scholarship for Service, you may consider getting a degree and then working in government for 2 years after. Start talking to people in the field. Best first step I can offer!

Whats your password?

Good try...I use a passphrase with capital letters, lower case letters, numbers and special characters. Long and strong!

Hello Kristin thanks for doing this. I'm in my early thirties and considering a career change to cyber security and software coding. What am I looking at in terms of basic education needed to enter the field at the bottom?

At a minimum you will need some certifications depending on what you want to do. I have put a lot of advice/resources about this topic in the Q&A above, but one thing I did not mention was to go to a confrence like Thotcon, Black Hat or RSA. There you can network and meet technologists and companies. Also, https://www.secureworldexpo.com/ and http://www.billingtoncybersecurity.com/ bring in some of the top talent in a atmosphere where you can do some great networking!