#MeetTheInstructor Fabrizio Siciliano
With nearly 20 years of experience in the InfoSec industry within the private and public sectors, and with more than 7 years primarily focused on the offensive side of the house, Fabrizio brings his real-world experience to the eLearnSecurity body-of-knowledge to provide the latest in IT security research and techniques.
How did you first get into IT Security?
I always had an interest in how or why machines worked the way they did. I would take them apart, figure out what was broken, try to put things back together again, and try to make them do things they weren’t always necessarily designed for. My underlying interest was always the aspect of security and how it related to computers and networks. My first job in IT had a security part so, in that sense, “securing things” was always part of what I did from the start. In the beginning, being a network and systems administrator helped build a solid foundation for the future path of my career.
Tell us a bit about what you did before joining us here at eLearnSecurity?
Before eLearnSecurity, I was a full-time consultant for 7 years with the same company, helped build, maintain and manage a security services offering, and spent most of my days conducting wireless, internal, external and physical penetration tests for hundreds of clients throughout the US.
What course(s) did you develop and what motivated you to focus on that particular topic(s)?
Well, the most recent was the Penetration Testing Professional training course version 5. The idea behind this course was to get the content up to current practices and introduce newer techniques leveraged by today’s professional pentesters. We all know how quickly technology changes, and it’s important that we develop content that is current with techniques used in the infosec industry. Although we can’t stay “to-the-day” current, we try our best to bring the most updated tools and methodologies which reflect what we actually see in the real-world while conducting penetration tests.
What is your advice to succeed in your course(s)?
My advice to succeed in our courses is to do it for the right reasons. If you do something because you love to do something, you’ll do it with a drive and passion that’s important to have in this industry. Seek information and knowledge, and want to understand the inner workings of things. Approach the courses and technology as if you’ll actually be making a change in the world for the better of technology and for people. Above all, don’t get discouraged with others around you if you don’t immediately understand certain topics. There are many brilliant minds out there, and just as many “areas” to focus on, so it can get overwhelming at times. My advice is to pick a topic or two, become the best you can at them, and move on from there.
Do you have any interesting stories about security incidents you’ve handled in the past?
An interesting case that sticks out was an incident response effort for a client whose network had been overcome by run-of-the-mill ransomware. While there, we realized that, during our analysis of the incident, a different breach was occurring by a completely unrelated set of actors (or so it seemed) to the initial ransomware outbreak. On one hand was the element of ransomware, which is usually motivated by money – and on the other hand, a data breach was occurring underneath it all. Two seemingly unrelated events occurring at the same time. The important thing is that, through our efforts, we were able to reduce the damage to the organization and improve their overall security posture.
Any skills in particular that you think are crucial in today’s security landscape?
I would say that not only is understanding the “tools” and “techniques” used to “pop boxes” important, but also understanding the underlying technology those tools are being used over: the switches, routers, firewalls, network protocols, actual hardware… You’ll also need to have a good analytical mindset. Of course, simply telling a customer “you have these issues, here is how to fix them” is not the answer. It is very important to be able to translate the information you’ve gathered with the ability to demonstrate, identify and prioritize the resolution of certain risks to an organization.
What would be the best advice you could give to someone just getting started in the field?
Don’t give up. Focus on several things that interest you, and become the best you can at those. Start with the fundamentals in security, focus on a path, and work your way up. It is knowing the fundamentals like the back of your hand that will help you in successfully being able to execute (and explain the results of) successful engagements in the long run.
Is there something about security that could convince students, enthusiasts, or other IT professionals in general, to pursue this career path?
The requirement for security within organizations has never been greater than it is now. We see this with almost monthly breaches of personal information, profit losses, and the simple fact that these events can have such a severe impact on the reputation of a company. If you want to help in making the digital landscape a better place for the future of humans, then security is the right place. Starting with security in mind as we develop the technologies we rely upon on a daily basis, while trying to balance that with ease of use and convenience, is a good path to take.