Security 101: bittersweet beginnings
I am creating this entry for my friend Sean. He was curious as to how to get into the security field. So here goes:
Why getting started is difficult
There are a few reasons getting into the security field is difficult. I have narrowed it down to these:
- The knowledge base grows faster than you can learn – What I mean by this is that new things are being developed and discovered every few minutes. When I was getting started in security, I would spend time learning something out of a book, or off of a web page, only to find out that it was now old news. I would try fervently to climb the ladder, starting at the basics and working my way up. However, after trying desperately to climb as fast as I could, I began to notice that the ladder was growing taller faster than I could climb! This can be disheartening.
- The width is just as big as the depth – There are so many different aspects of security! Testing, incident handling, infrastructure, management, and so on. They all seem quite similar, but they are also quite different in the kinds of skill sets they require! I remember feeling like the deeper I tried to delve into one area, the more complex and slower the learning became, and therefore the further I fell behind in the other areas! This was very frustrating.
- The starting line is quite vague – The first article I was told to read was Aleph One’s Smashing the Stack For Fun and Profit. Because I was 15 years old with little low-level language experience, I was completely overwhelmed. I would run into phrases and words I didn’t understand, and I would search to learn about those things. In the course of getting definitions of those terms, I found myself encountering even more nonsensical data! So my search dug deeper and deeper, eventually becoming a hole that never led back to my starting point. This was overwhelming.
Disheartening, Frustrating, and Overwhelming…
So you see, getting started in the security field is difficult. I am sure many people have had different experiences. I suppose getting started through formal education or work experience helps. I pretty much had nothing except the web, IRC, and a hacker who was slightly less of a novice than I was, whom I could throw questions at. It was a miracle I didn’t just give up on it. I am going to share with you some tips and mindsets I developed from my experience, as well as some resources and wisdom I can offer looking back on the situation.
(A quick word from the Mentor)
In order to succeed, you just need to commit yourself. If you are committed, you are going to do amazingly! Seriously, security is quite technical, but amazingly simple. To explain what I mean, let me share with you a quote from the Hacker’s Manifesto (I know, I know, just bear with me):
I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me…
Or feels threatened by me…
Or thinks I’m a smart ass…
I like this quote because it takes the magic out of computers. It reminds me that a computer simply has a set of rules, and that understanding those rules enables you to manipulate the system. Therefore, when learning security, remember that you are really just learning rules. Don’t get caught up in the prescribed methods, but recognize why those methods produce the results they do. If you do this, you will find yourself asking the RIGHT questions and finding the BEST answers. This is KEY.
Now that we have that out of the way, I am going to address the three issues I listed above:
- Knowledge base - This is simple. Don’t become disheartened. Just learn to plug yourself in. In the military, when doing combat maneuvers, you always provide security. Security elements protect the primary element from being overrun by any unexpected enemy reinforcements. Do this in your learning. Plug in to sources of the newest developments in the security field. This will ensure that you are learning the new stuff while you are catching up on the fundamentals. I recommend a few sources for this:
- Mailing Lists: These are a great resource. Most security lists are very well moderated and very active. I recommend most of the SecurityFocus lists, the Metasploit list, and maybe a few others. That should be enough for now.
- Blogs: Blogs are a great resource. Some are better than others, but they are a great place to start. Check out my favorite security links located on the right panel of my blog. Some of my favorites are Darknet, and Mubix’s blog.
- Podcasts: I love my podcasts! I am always looking out for new ones! I strongly recommend PaulDotCom and SecurityNow. In addition you might like Hak5, and some others. I also recommend the SANS Internet Storm Center casts to stay up to date on the latest and greatest security vulnerabilities.
- News: These are critical. In my opinion the best site overall for security is Packetstorm. They offer learning texts, tool archives, and the latest news. I also watch the SANS ISC journals, and the SANS reading room.
- Twitter - The security industry is extremely active on Twitter. You should plug yourself in to them to get started. I think all but two of the people I follow on Twitter are security based. Go ahead and use that as a good place to start.
- Width vs Depth: When it really comes down to it, you will just need to find one (or two) areas you really enjoy. When I say “enjoy”, I mean it. You may want to end up doing management, but to start out I would find what appeals to you the most. This will guarantee that you stay interested, and you will feel accomplished as you learn things! One thing I quickly learned was the amount of spillover that occurs at the deepest parts of each security emphasis. Truly, infrastructure will eventually lead to testing/auditing, as well as incident handling, and so on. Like I said, find something you like, build a good basis, and then don’t be afraid to dive deep into what you enjoy. You will eventually find that you learn about all aspects of security, and won’t mind the areas you lack in. The security community is such a shared pool of knowledge that learning from each other is half the fun. On that note, here are some tips to assist with this process:
- Find your emphasis: Ask people on the mailing lists, search through forums, look for job descriptions. What I did was figure out what I thought was cool (breaking stuff), figure out what it was called (“hacking”), and then research what professional positions existed (Penetration Testing).
- Find a mentor: It’s all about who you know. Find someone who can help you answer your questions. They don’t need to know everything; they just need to help point you in the right direction. My first mentors were a group of guys in an IRC channel. freenode has a ton of free channels. I would recommend checking out the above podcasts and looking into their IRC channels for people to help.
- Hands-On as soon as possible - Get hands-on right away. Download BackTrack to get your hands on a lot of new tools, and start learning Linux. Don’t worry about knowing ALL of it; just learn what you need, and as further needs arise, figure out how to do it. A great resource for figuring out how to do things is SecurityTube. This site will give you tutorials and presentations on almost anything you need to know, from programming to hacking, etc. There are also a lot of great resources for practicing security related activities. Some of these are:
- Certifications – I have found certifications to be great learning opportunities, not to mention how they increase your professional marketability. There are so many certs out there, that you can find one for whatever you are interested in. For those looking to do government/military work, I would look at the DoD 8570 to see what certs would give you the most flexibility for jobs. Here are some that I suggest:
- Security+ – Overall great certification. If you want a good place to start for just overall security knowledge, this is the one you want.
- eCPPT – I haven’t done this course, but I have heard nothing but great reviews. It includes the courseware for life, making it an excellent resource after you get the certification.
- CEH – This is a great starter for those interested in penetration testing, or incident handling. I would strongly recommend this.
- CCNA – If you are going to be doing more infrastructure, you may want to look into Cisco stuff. I put the CCNA here because it’s considered the entry level Cisco cert. You eventually might want the CCNA-Security and some of the other certs that qualify you for firewall and IDS configuration.
- CHFI – This is a good Incident Handler certification. Pretty cheap. I think you have to take the CEH before you can take this one.
- Starting Line: There is none. That’s okay. You need to learn to revel in the successes! Become a sponge and just absorb everything. When you read something you don’t understand, don’t fret. Just remember it, let it serve as a placeholder, and learn about it when you can. Don’t let this be overwhelming! Let it be FUN! Find opportunities to teach others and you will figure out more than you would have initially. There are a few things I would recommend you learn that will answer a large number of your potential questions:
- TCP/IP – Learn about TCP/IP packets, layers, and basic communications. Understand these and you will do well. I would take the time to read the RFCs for these specific protocols.
- Basic Programming – Being able to read through code logic, not necessarily knowing how to program.
- Linux/Windows commands – Knowing your way around the command line of both these systems will help greatly.
Hopefully this has been a good start to helping those who want to get involved. Feel free to ask any questions.