Comfortably Dumb sat down with Matthew Lashner, OSCP to talk about how he found his way into this mile-a-minute industry we call home. Good times, tough times and all the bits in between. He's a great guy, an excellent security professional and I highly recommend getting in touch. His LinkedIn can be found here.
What were you doing before you decided to go into cybersecurity?
"I decided to go into cybersecurity in high school. At the time, I had been looking to become a special agent in the FBI and was doing everything I could to be more competitive with other applicants.
During this time, I was a police cadet for a local municipal police department, an Emergency Medical Technician, and working for the NASA HUNCH project as a project manager/team lead to design a mass measurement device that would operate in a microgravity environment (easier said than done)."
For you specifically, dive into some of the cool jobs and projects you got involved in!
"One of my favorite jobs was as an Emergency Medical Technician. I know it’s not really cybersecurity related, but it was an amazing experience, where I learned a lot about communication, time, and stress management.
Having people's lives in your hands has a way of teaching you how to manage stress pretty well! I also love teaching, so a cool project that I am doing right now is building out a cybersecurity talk series for my organization that I will present on my own and with my team."
Technical experience you had before you joined your current role?
"I had pretty much no technical experience going into college. I may have learned HTML and CSS for a day, but other than that, the closest thing that I did was using CNC lathes and mills along with 3D printers. CNC mills used G-code, so it was basically just X, Y, and Z coordinates. Essentially, I knew absolutely nothing about anything. I like to (semi) joke that before I got into cybersecurity, I was the kind of person that would download a game mod, and if a command prompt came up abruptly and then went away immediately, I would click again to see why it didn't work."
Why did you decide on cybersecurity specifically?
"As I stated before, I always wanted to be a special agent in the FBI, so I became a police cadet and an Emergency Medical Technician to get first responding experience (and to help people). While I was involved in the first responding world, I was able to talk with a lot of different people like police officers, special agents, military, etc. Every single person told me “don’t do criminal justice. They want you to be malleable and teach you how THEY want you to learn. Do something with computers.” So, I decided to apply to Drexel University as a Computer Science major, not knowing that there were other types of jobs and majors in the IT realm.
After being accepted to Drexel, I went to an open house for the College of Computing and Informatics. It was here that I first learned of some of the opportunities and pathways of the IT world, and cybersecurity.
When the dean of the college explained that there was a major that was focused on networking, hardware, and security, rather than programming, I immediately changed my major. I hate programming! That was honestly the reason I went into cybersecurity. I hate programming, I wanted to do something with computers, and security sounded really cool."
Courses, resources and the providers of them - if they were good, say so, if not, say so!
"My favorite course that I have taken so far is the Pentesting With Kali (PWK) course that leads to the Offensive Security Certified Professional (OSCP) certification. This course is provided by Offensive Security, and is by far the most challenging course I’ve taken, and the most I’ve ever learned from a course.
Aside from that, as far as resources go, I learned Linux by doing the Bandit challenges on overthewire.org. I was able to actually learn Linux by hacking, and I highly recommend it to anyone who wants to learn Linux."
What was your job search/interview process like?
"My job search is going to be different from a lot of others because I obtained my job as a co-op position through Drexel’s co-op program. Because of this, my job search and interview process only lasted a few weeks, and I was very inexperienced in cybersecurity at the time, so many of the questions interviewers asked, I either had to defer, or relate a college class or my EMT experience to.
This does bring up a good point, though, because I believe that many people have an issue relating things in their past to the present/future. What I mean by this is people have trouble drawing out what experiences have actually taught them. I worked at Taco Bell for two years, and yeah, it was a fast food restaurant, but I learned a lot there that I translated to my job in cybersecurity.
When you think of cybersecurity, you think of maybe the old movies with nerds who have social anxiety and aren’t fantastic at expressing themselves? Well, in reality, that is a prevalent issue; too many cybersecurity experts have a really difficult time talking to people, working on a team, and explaining technical concepts to non-technical audiences.
Taco Bell was my first experience really talking to people in a workplace setting.
Was it different than working in a corporate environment? Absolutely; however, it taught me a lot about communicating, especially about communicating as a team, and about defusing tense situations.
I built upon those skills a LOT more as an Emergency Medical Technician, but that doesn’t mean that my time at Taco Bell wasn’t very formative for me.
The point is that no matter your level of experience, everyone has a different background, and that’s all significant and helpful in different ways, so it’s very important to think about that and to express that to potential employers."
Any setbacks/low points?
"Everyone has setbacks. It’s a part of life, and definitely a part of cybersecurity (all of my fellow hackers and OSCPs will relate). If you read my article on my OSCP journey (The 5 Stages of OSCP), you will understand a bit about just how many setbacks I had while taking the PWK course, and even during the exam. I like to preach staying calm. There will always be something wrong, something unexpected, something really difficult. What separates the good from the bad, and the great from the good is how we react in these situations.
My go-to is always to take a break. I know, it's simple and cliché, but I honestly do this. I am self-aware; when I need to calm down, I do that. There was a point during PWK where I spent a week not getting anywhere. I was so sure that I was never going to make it. I started going from machine to machine just stressing out more and more, so I allowed myself one day to relax. I didn't look at it for a day, and I promised myself that I would pick one machine to focus on when I got back. Once I refocused, I was able to get back on track.
I also feel like a low point that everyone goes through is when they try to break into cyber, but they know absolutely nothing.
'How can I learn more about this?'
'You have to play around with it.'
I got this answer so much. 'Spin up a VM and play with it.'
For a new student in cybersecurity, that is less than helpful.
I spun up a few VMs, but I never knew what to do with them! It wasn’t until I had actual goals in mind that I started learning stuff. I started with a Kali VM to try overthewire.org, and from there I really started learning!
It’s true that you need to get your hands on stuff to really learn, but for me, I just got so overwhelmed because I didn’t have the guidance on HOW to get hands-on."
What is your job actually like? Good AND bad points...
"I work as a cybersecurity auditor, so my job is a lot of writing. I get to learn all about an area of security like Privileged Access Management, Vulnerability Management, Physical Security, etc., using frameworks such as NIST 800-53 and then go and see how it is implemented within the organization.
I take a lot of notes and document if controls are designed and operating effectively.
Like I said, it’s a lot of work, but it’s also very interesting. I get to see a lot of the organization and put my hands on and learn so many different facets of security. I’ve also learned so much about risk-based decisions from this job.
I’d say the downside to the job is that I’m not as hands-on as I’d prefer to be. I like pen-testing and hacking, and, although my company is very progressive as far as internal audit goes, I don’t get to do a lot of that.
One way that I try to make up for that is by training other people. I am currently in the middle of about 6 presentations on security topics such as risk-based testing, Third Party Vendor Management (GS007, SOC Reports, etc.), and web application testing. These presentations keep me researching and refreshing the concepts in my mind. I also give presentations to less technical coworkers on technical concepts such as the difference between HTTP and HTTPS, as well as basic attacks like SQL injection (SQLi) and local/remote file inclusion (LFI/RFI).
All that being said, I get to work with fantastic, intelligent professionals every day. I learn so much from my team. We have penetration testers, network security, endpoint security, system admins, and governance professionals, all on the same team, which really isn't common in audit. They are all good friends of mine and they provide a cultivating and fun atmosphere. That's why I love my job, and that's the reason I stayed on past my first six month co-op."
Advice you wish you'd have had before you started?
"I wish that someone had told me that it’s okay to not know everything (or anything for that matter). I spent so much time being overwhelmed by the stuff that I didn’t understand that I didn’t learn as much as I could have. I wish someone would have sat me down and explained that there is so much more to computing and to cybersecurity than anybody fully understands, so you just need to pick something and learn about it.
I remember not knowing where to begin, and just being paralyzed for so long that I had to simply rely on my classes to give me the foundational knowledge.
What I realized was that there is no way to simply soak up all of the knowledge. I really had to just pick something I wanted to learn and then learn it. My decision was to learn networking. I paid $5 for an online course for Network+ and I went through the whole thing. I learned a lot from that class, and I even went back to something that I had tried before but had been fairly unsuccessful with: hackthebox. With my new, deeper knowledge, I had a starting point from which to base all of the research I had to do for hackthebox. I feel like I am still simply continuing that journey by diving into one subject at a time, using the knowledge that I have from past subjects as a foundation for the new ones."
What is your end goal?
"I think that this is a pretty interesting question.
So many people don’t have an end goal, and it’s a point of anguish for a lot of them. People don’t like aimlessly floating, not knowing what they’re working for.
For most of my life, I KNEW I wanted to be a special agent in the FBI. Now, I am not entirely sure; I still might, but it’s not a definite anymore.
Honestly, I am okay with that though. I know it can be scary to wander about, but I am enjoying it! I challenge myself endlessly. In high school, I worked part time, took night classes to be an EMT, and project managed for NASA after school (still taking AP credits).
Then, I actually worked 12-14-hour night shifts as an EMT while project managing for NASA and doing school during the day. I would actually go straight from work right into school in the morning!
Now, I just got my OSCP while working full-time, and I am now starting my Master’s in Cybersecurity while doing my Bachelor’s in an accelerated program!
I am just doing what I want to do because I want to better myself.
I don’t really know my end goal, but I am taking it one step at a time.
For my next step, I know that I want to transition either to red teaming or to penetration testing. After that, who knows?
All I know is that I will continue pursuing things that interest me and keep me learning. What more could you possibly want?"
Matthew Lashner, OSCP currently works at Vanguard as an IT Auditor on the Security and Privacy Team. His LinkedIn profile can be found here.