Over the past few years, I’ve had the pleasure of welcoming interns on our security research team. One of my goals was to pass on knowledge of security to these folks and pique their interest in (a career in) security. The goal of any teacher is to pass on their knowledge to the younger generation, in essence creating a miniature version of ourselves, which is hopefully somewhat better.

Let me take you back in time to 2015 when we had our first round of interns. I had the bright idea to go full-throttle. We loaded up Kali Linux, launched a Damn Vulnerable Web App instance, started scanning with OpenVAS and NMAP and then used Metasploit to attack everything we could. The problem with this was that these young interns had no experience in security. Their eyes were the size of saucers, and they walked around looking confused.

The next two years, I reeled it in a bit and started with essentially having them complete a book report on that year’s Verizon Data Breach Investigations Report. What I wanted them to understand was some of the key terms in security, how attackers work, what attackers are after and what defenses organizations are using to protect against these attacks.

Once this was complete, I kicked them out of the building. I had them run through a scenario of needing to gain access to an encrypted file on their computer back at their desk. Starting from the street corner, I had them provide a report of every security control they encountered on their way to the text in that encrypted file. These could be mitigating controls, such as door locks, security guards or passwords on the computer. They could also be deterring controls, such as video cameras. Nobody ever gets every (Read more...)