Nobody enters a new profession as an expert. The information security industry is so lucrative right now that schools are now implementing Information Security programs. As some of you may know, I am currently 22 years old and about to graduate college with a degree in Information Security. I will be the very first to say that after 4 years in a program tailored to security, I have learned nothing that will ever directly apply to a job in Information Security. You may ask, “How is that possible?” The answer is simple. These degrees don’t teach you skills that you will use in the field; they teach you how to think critically, problem solve and, most importantly, they teach you how to learn.
I am going through the same process that thousands of students (and others) are going through. Information Security is scary, overwhelming and fast-paced. As someone entering the industry (especially if you are young), you have A LOT of catching up to do. Not only do you have to learn and understand current attacker methodology and techniques, you have to learn past methodologies and techniques as well. Combine this with the need to learn scripting, programming, networking, protocols, etc., and you will find yourself stressed out and overwhelmed. I have encountered this first-hand and am even going through it as I write this, and because of that I want to give a few tips to those either entering the industry or thinking about entering the industry.
1. Passion is essential
“If you love what you do, you’ll never have to work a day in your life”
This says it all. Learning concepts isn’t hard when you want to learn them. Same goes for applying those concepts. If you have passion for information security, you are miles ahead of the majority of other folks in the industry. There are a lot of people that do this job because of the money. I can honestly say that I would remain in the information security/offensive security industry if it paid minimum wage. The job is easy if you love it.
2. Never Stop Learning
Concepts, technology and methodology will always be changing. Not only do you have to learn the past, but you have to learn the present and the future. Be a sponge and absorb every little bit of information that you can.
3. Learn the basics
First, learn the basics of computers, networking and programming. If you have a genuine passion for computers, this will be easy. I recommend getting a job doing helpdesk or general systems administration. For example: I started working the helpdesk at a small company my sophomore year in college. All I did was fix monitors, printers and basic networking issues. After two years, I got a new job working the helpdesk and doing sysadmin work for a larger company. This gave me the opportunity to branch out and learn how a corporate network is set up and functions. I was able to learn the ins and outs of a domain and how it operates. With the basic understanding of how things work, you can then branch out into how to break them. Without this basic understanding, it will be hard to operate with an offensive (or defensive) mindset.
4. Dive in
From my experience, the only way to learn is to just jump in the deep end. Get in the weeds of things going on, even if you don’t understand it. The security industry is excellent at mentoring, so find a few people and stick by them. Most security professionals understand that by investing in you, they will help bring up an additional professional in an industry that is in desperate need of passionate professionals.
As I stated above, get in the weeds of things, even if you don’t understand it. There are TONS of open source projects and tools out there. Find some that interest you and try to contribute. Or, even better, start your own research. Contribute to the community by completing and sharing some of your own work. For example: When I first started, I had a massive interest in client-side attacks. I started researching different client-side attacks and in 2013, I found an old article from 2003 about malicious Microsoft Office macros. I decided to dive into that and started to do work geared towards using VBA macros in client-side attacks.
6. Start a blog
This is something I cannot stress enough. By starting a blog, you are creating a portfolio of all your work. This is something other students and professionals can reference. Employers also like it as it details all of your work. This goes with tip 5. As you do your own research/work, write about it. Not only will you be contributing to the community but you will also be building up a portfolio.
7. Keep your head up
As I previously mentioned, the security industry is awesome about mentoring. I should also note that there are also people that find joy in tearing you and your work down. As you learn and grow, realize that you are not an expert in everything and you are human. Humans make mistakes, so you will too. When that happens, chalk it up as a learning experience. Don’t get discouraged or angry. The industry revolves around learning, no matter how brilliant you are. For example: I did some research with Alternate Data Streams and using them with PowerShell and VBScript to obtain persistence on a compromised host. I did as much research as I could, wrote some code, published it and wrote a blog post. I was just entering into technology when Windows XP was phasing out, so I had no experience with Alternate Data Streams. All I had was what I read and the code I wrote. When I published my blog post, I made the mistake of claiming this method of persistence as “Fileless”. As soon as I shared my post, I got torn apart by forensic and Incident Response professionals. They bashed me since Alternate Data Streams are not fileless, as I claimed them to be in my post. To be honest, I felt dumb and was tempted to just delete the post altogether. This will happen to anyone that contributes, I promise. Instead of getting discouraged, I remained professional, fixed my blog post and thanked those who jumped at the opportunity to smack me in the face. I’m glad they did because now I know that Alternate Data Streams are not fileless. I took that as an opportunity to learn from those who are smarter than me. Again, just keep learning.
8. Remember where you came from
As you grow as a student and professional, you will likely become an expert in the field at some point. When this happens, don’t turn into a gigantic asshole. As I previously mentioned, the security industry is awesome about mentoring but there are also people who will sit and wait for the opportunity to bring you down. A lot of people see those new to the industry as “n00bs”, “dumb” and “inexperienced” and in turn, won’t give them the time of day. When someone comes to you with a question, no matter how dumb, answer them. They are asking you for a reason and being an asshole about it helps nobody. You were in that spot once so when someone approaches you (or “sticks with you”, as mentioned in tip 4), take them in and give them guidance. I have started to see that the security industry is kind of like High School. There are different groups with different attitudes. Someone just entering the industry feels exactly like the first day of high school. They just want a friend. If you invest in someone, you will help grow them into a professional. This cycle repeats, so they will then hopefully do the same thing for the next rookie, etc.
9. Get yourself out there
Go to conferences and hang out with people. This is even more important when you are trying to get into the industry. By going to conferences, you can talk to people that you may see as an idol. Almost everyone will sit down with you and talk, because they understand the concept of not being an asshole. Those are the people you need to stick by. Example: I started my journey into information security in 2013. I knew nothing and I knew nobody. I had a small presence on Twitter where I just followed some security guys, but that was it. I couldn’t afford to go to a conference, so I didn’t. I made a comment on Twitter one day about wanting to go to DerbyCon sometime and was met with open arms. Tickets were sold out, but someone offered to sell me their ticket. I was thrilled, but couldn’t afford to buy the ticket or hotel, so I politely declined. A few minutes later, that same person decided to just give me their ticket. They didn’t know me or what I was about, but they gave me their ticket anyway. I told my parents that I was going to this conference and that I would be sleeping in my car. Luckily, they decided to pay for the hotel. I ended up going to DerbyCon in 2013 and had the time of my life. I met some awesome people, made some amazing friends and saw some awesome talks. Going to the conference, I knew nobody. After the conference, I felt like a part of the family.
10. Stay humble
There is not a single person that is an expert in everything. There will always be someone smarter than you in certain areas. Put your ego aside and accept that you are not the smartest expert in the field. The moment that your ego gets in the way is the moment that you stop learning and fall behind. Share your knowledge and expertise with others and take in the knowledge and expertise of others. Sharing is caring.
All I can say is stay true to yourself, contribute, get your name out there and never stop learning. When given the opportunity, share your experiences and knowledge with those who want to learn. Ask questions, learn and get in the weeds. The last thing the industry needs is a “professional” who runs Nessus and puts their logo on the report.
And most importantly, keep a good attitude and have fun.