1 of 40

CIS 55

Welcome to the last lecture!

Guest
Review
Cybersecurity career overview
Hacking Competitions
Class Grading

2 of 40

Logistics

Last quiz (optional for extra points) will take place today from 12pm till 2:30 pm Sunday

And you will be done!

3 of 40

Schedule for Today

Security News
Guest - Will Pizzano (9:30-10:00 am)
Review Quizzes & Labs (30 mins)
Presentations

Frozenda -- nmap
James Lam -- nmap, metasploit
Israel Jones -- Metasploit

CyberSecurity Careers (5 mins)
Class Wrap-up & Grades (5 mins)

4 of 40

Security News

Flight Radar 24 under DDoS: https://www.paddleyourownkanoo.com/2025/03/05/the-worlds-most-popular-flight-tracker-is-fighting-an-ongoing-ddos-cyber-attack
Satellite hack: https://www.bleepingcomputer.com/news/security/new-polyglot-malware-hits-aviation-satellite-communication-firms

5 of 40

GUEST - Will Pizzano

Will Pizzano

Seasoned business and technology leader specializing in building companies and teams. As a lifelong cybersecurity technologist and CISO, he continues to provide strategic leadership while remaining hands-on to select clients directly.�

Cybersecurity Leader: Extensive experience in security and IT.
Successful Founder: Grew Sentant, leading to acquisition.
Security Expert: Skilled in compliance and incident response.
Mentor/Advisor: Currently guiding cybersecurity startups.
Diverse Experience: Worked with startups to large firms.

https://willpizzano.com/

6 of 40

Merritt College CIS 55 (Hacker Techniques) - Guest Lecture

7 of 40

Broad Context of Hacking -- Book

Edward O. Wilson once described the fundamental problem with humanity is that “we have Paleolithic emotions, medieval institutions, and godlike technology.”

Schneier, Bruce. A Hacker's Mind: How the Powerful Bend Society's Rules, and How to Bend them Back (p. 251). W. W. Norton & Company. Kindle Edition.

8 of 40

Review Quizzes

RAM
Nmap

9 of 40

Review Labs

Lab 2
SQL
Maltego Usage

10 of 40

Class Review

January 26	1 - Introduction	Nothing is due	CIA. �In-person meetup (Friday/Thursday) @ Jack London Sq between Mar 8 - 25 ~ 4-6pm
February 2	2 - Cryptography & Incident Response	Lab 1 Quiz 1	Ethics, Incident Response, Cryptography
February 9	3 - Pentesting Tools (Nmap, Nessus, Metasploit, SQLMap)	Lab 2 Quiz 2	Lab 2 - Linpeas (Linux Enumeration)�Nmap -T5 (fastest)�King of the hill - Happy to join if you make it and send a note discord.�SQLMap - Burp Suite
February 16	Holiday (President's Day)
February 23	4 - Threat Modeling, OSINT, OWASP, Recon Tools - OSINT, Maltego, Shodan, Censys	Lab 3 Quiz 3	Maltego Demo
March 1	5 - Cloud Security, LLM Security	Lab 4 Quiz 4
March 8	6 - Security Careers and Presentations	Lab 5, Quiz 5

11 of 40

Bug Bounty Class -- 60 mins

Fri, Mar 14 - 11-12pm

Frozendo
Davis
Tega
Cynthia
Israel

12 of 40

Careers!

13 of 40

Jobs in Cybersecurity are plentiful!

Cybersecurity field is expanding at impressive rate.
“In the U.S., there are about 1 million cybersecurity workers, but there were around 715,000 jobs yet to be filled as of November 2021”, according to a report by Lightcast, a market research company.
Especially after the pandemics (COVID-19) changed our work style, there has never been a better time to launch a career in cybersecurity. Almost every company in the world today needs experts who know how to build and protect systems to mitigate persistent and potentially catastrophic cyber threats.

14 of 40

Cyberseek.org

15 of 40

There are many types of jobs as well

Compliance specialists

Project Management

Detection & Response

Threat Analytics

DevOps

A bunch of others..

16 of 40

17 of 40

18 of 40

Many paths

The truth is that there is no real path to cybersecurity as a career; teenage hackers who target Navy intelligence officers with cyberwar backgrounds, political operatives who focus on privacy issues, or even political activists who go on to succeed in cybersecurity careers

19 of 40

Eternal students

IT Security is not a career you can just pick up a degree for and be set for life. Cybersec is extremely vast in subject matter and constantly changing with technology. You need to be an eternal student to be a competent professional. To build your resume for a decent cyber security job you may need hackathons, cyber competitions, cyber conferences, technical projects, certifications, formal education, higher education, and of course work experience. If you have passion for cybersec, all that stuff won’t sound like chores or annoying obstacles. Rather they are challenges you want to overcome for a greatly rewarding vocation.

20 of 40

Practice

I don’t have a cure for impostor syndrome, but I will say: we are all impostors. We all “fake it till you make it”. It’s more like “practice till you make it”(though that doesn’t sound as smooth). No one is born being good at what they do, it takes thousands of hours of practice. You aren’t exactly that thing you want to become until you practice hard enough to become it. Until then, you are, in a sense, ‘faking it’. Pentesting is no different.

21 of 40

From technical perspective..

If you really want to be a cybersecurity professional who is very good at what they are doing, I can tell, from my experiences that having a piece of knowledge about the fundamentals of programming (preferably Python), computer networks, and Linux is critically necessary.

22 of 40

Networking & Linux

A cybersecurity professional should know the basics of computer networks such as network devices (ex: Router, Switch, Hub, Bridge, etc.), OSI and TCP/IP models, IPv4, IPv6, MAC address, ports, etc.
Most machines security sorts within the industry run some form of Linux within the foundation so there’s no getting around much of it. You may discover Linux type commands in switches, firewalls, stack balancers, and everything else beneath the sun
Linux plays an inconceivably vital portion within the work of cybersecurity proficient. Specialized Linux disseminations such as Kali Linux are utilized by cybersecurity experts to perform in-depth entrance testing and vulnerability assessments, as well as give measurable investigation after a security breach.

23 of 40

Labs / CTF

Hack the Box, Try Hack Me, Proving Grounds are all websites that host purposefully vulnerable virtual machines in an easily accessible network. Anyone on the internet can advantage of these VM’s to sharpen their hacker skills(most of the stuff being free to access too). Vulnerable machines are like hacker puzzles, some focus on web application exploits, some exploiting windows, some exploiting Linux. Your mileage may vary as far as how ‘real world’ applicable these puzzles are in actual penetration testing.

24 of 40

Bug Bounties

The stories of hackers working on their own, making tons of money, even becoming millionaires, all off bug bounties are pretty exciting, but that’s the top 1% of the 1% of bug bounty hunters. The reality is doing bug bounties is slow, hard work, usually with little to no monetary reward for us 99%. That being said, the average hacker on HackerOne makes $20,000 for largely part-time work, which is a pretty decent side hustle. As long as you keep your expectations in check, bug bounty hunting is an extremely rewarding side hustle and shows on your resume that you can apply your hacking skills to real world systems.
E.g �https://www.bugcrowd.com/
https://www.hackerone.com/

25 of 40

The Three States of Digital Data�

Data at rest; Data at rest is a term that refers to data stored on hard drives, flash disks, in the cloud, or even on mobile devices.

Data in motion; Data in motion is data that is currently traveling across a network or processed in a computer’s RAM ready to be read or updated.

Data in use; Data in use is data that is being processed by one or more applications.

26 of 40

CIA Triad

In analyzing cybersecurity, the first step is to look at the CIA triad, which is a well-known model for the development of cybersecurity.

Confidentiality is the ability not to disclose information to unauthorized persons, programs, or processes.

Integrity means that protection against improper modification and destruction of information, ensuring that information cannot be changed undetected, and ensuring the integrity of the information.

Availability ensures that information is available to those in need that includes timely and reliable access, regardless of the time of day, place of residence, location, or other factors.

27 of 40

Being a Hacker vs Being a Bug Bounty Hunter

Being a cybersecurity professional doesn’t necessarily to be a hacker or a bug bounty hunter.

Bug Bounty Hunt is the process of searching for bugs, finding vulnerabilities, and reporting the reward to the security team of the site.

Usually, the word “hacker” is used with its negative meaning. From this perspective, a hacker is a person who uses knowledge to somehow undermine technology and steal something valuable or other malicious. Hacker, on the other hand, can be categorized into three;

28 of 40

Hats

White Hat Hackers; White Hat Hackers exploit vulnerabilities not to gain a personal advantage but helping organizations assess and strengthen their network security against bad actors.

Black Hat Hackers; Black Hat hackers are cybercriminals who infiltrate computer networks and use the compromised data for personal purposes, so if you are looking for a solid career path, look no further than Black Hat hacking — for those who want to go.

Gray Hat Hackers; Gray Hat Hackers violate ethical standards or principles, but without the malicious intent ascribed to black hat hackers.

29 of 40

Few Vendor-agnostic Certs

OSCP (Offensive Security Certified Professional); The Offensive Security Certified Professional (OSCP) is the companion certification for our Penetration Testing with Kali Linux training course and is the world’s first completely hands-on offensive information security certification. The OSCP challenges the students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.
CISSP (Certified Information Systems Security Professional); The Certified Information Systems Security Professional (CISSP) is an information security certification for security analysts.
CISA (Certified Information Systems Auditor); The CISA designation is a globally recognized certification for IS audit control, assurance, and security professionals.
CompTIA Security+; CompTIA Security+ is a global certification that validates the baseline skills you need to perform core security functions and pursue an IT security career. https://www.comptia.org/certifications/security
ISC2 Certification: https://www.isc2.org/certifications/cc

30 of 40

OSCP Study Group

https://www.cyberdefendersprogram.com/oscpstudygroup

31 of 40

There are �a lot of certs� out there..

32 of 40

What the future holds

There are two important technologies that are going shape cybersecurity deeply for sure. Blockchain and Artificial Intelligence.
You should know, at least, the fundamental concept of these technologies and have an idea about how to implement them into cyberspace.
In my opinion, having knowledge about these technologies will be required for cybersecurity positions in the near future.
Check out OpenAI chat.

33 of 40

What about AWS�specific certs?

https://acloudguru.com/

34 of 40

Blogs

https://aws.amazon.com/blogs/security/
https://krebsonsecurity.com/
https://www.schneier.com/
https://danielmiessler.com/
https://www.troyhunt.com/
http://www.darkreading.com/
There are hundreds/thousands of good blogs out there

35 of 40

My resources to stay updated

https://aws.amazon.com/blogs/security/
https://krebsonsecurity.com/
https://www.schneier.com/
https://danielmiessler.com/
https://www.troyhunt.com/
http://www.darkreading.com/
There are hundreds/thousands of good blogs out there

Schneier on Security

Krebs on Security

Crowdstrike blog

Dark Reading

Daniel Miessler blog

Troy Hunt

CSO Online

There are hundreds of them..

36 of 40

Books!

37 of 40

More resources

https://www.cyberdefendersprogram.com

38 of 40

Keep in touch!

Add me on LinkedIn, if you want to: https://www.linkedin.com/in/vaibhavb
Let me know if I can help you with career advice, resume, etc.
If you have something nice to say..: https://www.ratemyprofessors.com/add/professor-rating?tid=2886941

39 of 40

Resources Links from Sumedh

Level 100: Good introduction to the end-to-end terminology by Jeff Crume, Distinguished Engineer at IBM. https://www.youtube.com/watch?v=jq_LZ1RFPfU&list=PLOspHqNVtKADkWLFt9OcziQF7EatuANSY�
Level 300: Detection and response function of enterprise security, with hands-on exercises. The class uses Microsoft Sentinel for the hands-on lab, but the teacher does an excellent job of keeping the explanation abstract enough that it applies to Sentinel alternatives also. https://www.udemy.com/course/microsoft-sentinel-from-zero-to-hero/�
Level 300: Another good video series on detection and response. Introduction https://youtu.be/8Oa_lT3IOpo?si=wGGz_xLUhE2HkVn0 and full playlist https://youtube.com/playlist?list=PLeaA8CQiZrWyodUEdNL2yBA4dM5TTBkrI&si=r56rtt5FPCtSVRd3�

40 of 40

That’s all, folks!