I have had (and continue to have) the pleasure of helping my two children learn and grow into the amazing, wonderful young adults that they are today. Every year their schools have “Career Days” where people in the community take some time away from their work and share with students what it is like to work in their careers. Each presenter usually has about 25-30 minutes to convey important aspects of their profession such as:
- What is a typical day like for you?
- How much money can people make in your field?
- What are things that students in [insert grade here] should do to become a/an [insert profession here]?
- Are there certain college majors that would be good for people to choose to become a/an [insert profession here]?
I’m sure that you get the idea. Every year I create my presentation and try to…
Connect with the Audience
When creating my talks, I try to think about topics in my profession that the audience, be they elementary, middle or high school students, are affected by and can relate to. Discussing how I reused an Apache Tomcat default username and password to upload and deploy a customized WAR file to an application server, compromised the system, and then had the WAR file send a reverse TCP/IP shell back to the pentester host in my cloud instance…this would not go over well with any crowd that was not infosec savvy.
I try to think of an example that each person can understand. Some examples I’ve used:
- Elementary Schoolers – “Find the vulnerable system” – I bought 100 #2 pencils and broke 2 of them in half so that their eraser end was still in place. I then picked them up and made it so all the erasers lined up; the 2 shorter pencils were hidden among the normal ones. I had the students grab a pencil and see if their “system” was the shorter, vulnerable one. Then I told them about how many times I have hundreds of systems to assess, and my first job is to find the systems that are more vulnerable to attack…just like finding a broken pencil in our pile.
- Middle Schoolers – “What is a ‘good’ password?” – By the time my kids were in middle school (grades 6-8), they had a lot of experience with passwords. So when I presented to their classes I showed examples of a variety of passwords in my preso and asked them to rate whether each was good (strong) or bad (weak). To make this more interesting I threw in passwords built from keyboard walks, such as !QAZ2wsx#EDC4rfv, which looks strong (long, mixed case, digits and symbols) but is easily guessed using techniques from https://github.com/Rich5/Keyboard-Walk-Generators. Describing how an attacker can exploit a weak password, “crack” passwords using huge password lists, and gain unauthorized access to systems makes for easy discussion points here. Passwords lead into other things that hackers do, so this was a natural method of “reaching” my audience.
- High Schoolers – “Peeking Behind the WiFi Curtain” – I’ve written up a longer blog post at https://webbreacher.com/2014/04/16/all-is-not-what-it-appears-to-be-a-high-school-demo/ describing how I used the FakeAP software to create some WiFi access points that the students could see on their phones/devices. This allowed me to address how being an attacker is partially about tricking our victims. They shouldn’t trust everything they see on the internet. This naturally leads into discussions about fake social media profiles, stalkers, and more.
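The middle-school password item above is the one place in this post where a bit of code helps make the point concrete: a password like !QAZ2wsx#EDC4rfv satisfies the usual “length plus character classes” rule while being nothing but four short keyboard walks. The following is an added example, not code from this post or from the Keyboard-Walk-Generators project it links; it assumes a US QWERTY layout, and the column alignment (the 1, q, a and z keys sharing one column) is a deliberate simplification of the physical key stagger. It shows a small policy check that flags passwords mostly made of adjacent-key runs, so a defender can reject them even though the naive rule accepts them.

```python
"""Keyboard-walk check for a password policy (added example, US QWERTY
layout assumed; not the post's or the linked project's own code)."""
from typing import Dict, List, Tuple

# Rows of a US QWERTY keyboard, unshifted and shifted, top to bottom.
# The backtick/tilde key is left out so that 1, q, a and z share column 0,
# which makes vertical walks such as "1qaz" line up (an approximation).
_UNSHIFTED = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]


def _build_key_map() -> Dict[str, Tuple[int, int]]:
    """Map every printable key, shifted or not, to its (row, column)."""
    key_map: Dict[str, Tuple[int, int]] = {}
    for row, (plain, shifted) in enumerate(zip(_UNSHIFTED, _SHIFTED)):
        assert len(plain) == len(shifted)
        for col, (p, s) in enumerate(zip(plain, shifted)):
            key_map[p] = (row, col)
            key_map[s] = (row, col)  # shift does not move the key
    return key_map


KEY_POS = _build_key_map()


def _adjacent(a: str, b: str) -> bool:
    """True when a and b are distinct, physically neighbouring keys."""
    if a not in KEY_POS or b not in KEY_POS:
        return False  # spaces, non-ASCII, etc. break a walk
    (ra, ca), (rb, cb) = KEY_POS[a], KEY_POS[b]
    return (ra, ca) != (rb, cb) and abs(ra - rb) <= 1 and abs(ca - cb) <= 1


def walk_segments(password: str, min_len: int = 3) -> List[Tuple[int, int]]:
    """Return (start, length) for every maximal run of adjacent keystrokes
    that is at least min_len characters long."""
    segments: List[Tuple[int, int]] = []
    start = 0
    for i in range(1, len(password) + 1):
        # A run ends at the string end or where two keys are not neighbours.
        if i == len(password) or not _adjacent(password[i - 1], password[i]):
            if i - start >= min_len:
                segments.append((start, i - start))
            start = i
    return segments


def walk_coverage(password: str, min_len: int = 3) -> float:
    """Fraction of the password that lies inside keyboard-walk segments."""
    if not password:
        return 0.0
    covered = sum(length for _, length in walk_segments(password, min_len))
    return covered / len(password)


def passes_naive_policy(password: str) -> bool:
    """The classic 'at least 12 characters and 3 of 4 character classes'
    rule, which a keyboard walk satisfies without being hard to guess."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 12 and sum(classes) >= 3


def evaluate(password: str, max_walk_fraction: float = 0.5) -> dict:
    """Combine both checks: reject when the naive policy fails or when
    half or more of the password is made of keyboard walks."""
    coverage = walk_coverage(password)
    naive_ok = passes_naive_policy(password)
    return {
        "naive_policy": naive_ok,
        "walk_coverage": round(coverage, 2),
        "accepted": naive_ok and coverage < max_walk_fraction,
    }


if __name__ == "__main__":
    # Constructed sample passwords for the demo (not real credentials).
    for pw in ["!QAZ2wsx#EDC4rfv", "1qaz2wsx", "Fj7#mountain-Brick"]:
        print(f"{pw!r:24} {evaluate(pw)}")
```

Running it shows the point from the talk: !QAZ2wsx#EDC4rfv passes the naive policy but has a walk coverage of 1.0 (four runs of four adjacent keys), so it is rejected, while a password with no adjacent-key runs passes both checks. The 0.5 threshold and the US-layout assumption are choices to tune for a real deployment; other layouts need their own row tables.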
Break it Down
Some of you know that I’ve had a few other “careers” besides infosec/computers. In my early 20s, I applied to medical schools to become a surgeon. I remember at one of the medical school interviews, an interviewer said to me:
I only have one question for you. Let’s say you are in a truck crossing a desert in a foreign country. I [the interviewer] am a native of that country, am riding on my horse and speak English. I stop you, point at your vehicle and ask how it works. Tell me what you’d say.
So I described at a high level how my vehicle needs energy (gas) to move much like his animal needs food to get its energy.
Tell me more…
was all he said. You can probably see where this is going. He had one question with 1,000 follow-ups to get me to go deeper into the explanation. At the end, I was explaining the molecular interactions between atoms and many physics topics that I’ve long since forgotten.
At some point, he stopped with the “Tell me more…” responses and explained that in the medical field they have to explain some very technical and complicated issues to people of a variety of educations, experience, and knowledge. I’ve found this to be very true within the infosec world. Talking to an executive versus a developer, I use different language and concepts to describe weaknesses and risk. This extends to my presos at career days as students in the 5th grade have different life experiences and overall impression of the world than an 11th grader. Leverage this.
One other point that I tried to get across to the students was that, when I was in X grade, my position, my job, my career had not been invented yet! Their career too may not have yet been invented/created/conceived so, try things, fail and be flexible.
Make it Exciting (or at least not dull)
Realize that career days can be amazing events that open children’s eyes to future career possibilities, or they can be just another boring day at school. It depends on me, the presenter. This is where my Infosec Cheerleader persona really comes into play. I want kids to look at the wide variety of positions in infosec and understand that, like in sports, we are a team: whether on the defense, on the offense, a referee or an owner, we all work together (or should).
The best part about presenting to the middle school my kids went to was getting feedback from the students. The school mandated that each child write a note to the presenter whose talk they enjoyed most. I love reading these letters (even though I know the school makes them write these as assignments) as they give some insight into which topics made an impact on the kids. Below is some of the feedback I received.
Let me know
Do you have techniques that you use when doing these talks? Let me know on Twitter or in the comments below.