This has been a fairly common topic over the last year and I've seen plenty of blog posts and presentations about the subject. For me personally, many just don't cover the information I've found to be essential during my entrance to InfoSec. The industry of Security spans a very large range of possible jobs and roles and for the sake of time I will be primarily covering the areas of security that are of greatest interest to me, those which I consider to be very technical and hands-on.
Let's explore now some of these topics and my experiences.
How do I get the experience without the job?
The most common question I hear when people ask about getting into InfoSec is very similar to the question you hear from those just leaving college or attempting to obtain a job in many other fields. It's the age-old chicken and egg question. A key difference in the technology field is that in many areas this problem is very solvable by your average curious mind. Do you go to school? Do you get certifications? Do you take a non-paying intern positions? How in the world can you get experience doing Security, when you don't have the experience to get a job that gives you that experience?
There's this incredible thing out there that we use every single day. The Internet has provided us with an incredible source of knowledge that every day, people are adding new and new information to that can help you learn and explore.
Consider some possible educational paths:
- Structured Learning
- Self Learning
- Read Books/Tutorials
- Build a home Lab
- Play Wargames
- Publish Code, Projects or a Blog
I myself took the path of Self Learning. I acquired a stockpile of computers and began playing with Linux from my very early teenage years. This is my most common answer to people who ask how to learn more about security and build their skill set. I do believe there is great worth to a traditional education, but for those who cannot afford it, or do not have the time to go back to school full-time, I believe there are wonderful alternatives.
Reading Books and Tutorials
There is a vast world of books that are available from all your major bookstores and online retailers that spread the broad spectrum of InfoSec. You can easily find endless resources on Exploitation Development, Application Security, Malware Analysis, Reverse Engineering, Fuzzing, Secure Code Development, and much more. While many of these books are quickly out dated by the speed at which both offensive and defensive security is moving, they are still wonderful places to start and build a foundation from which you can branch out from and read whitepapers or watch presentations on the most up to date techniques.
- The Shellcoder's Handbook
- Hacking: The Art of Exploitation
- A Guide to Kernel Exploitation
- Malware Analyst's Cookbook
- Practical Malware Analysis
- The Web Application Hacker's Handbook
- Metasploit: The Penetration Tester's Guide
There are also tons of online tutorials that cover a whole range of topics from understanding Windows memory paging to specific tasks like hooking/injecting an application. Every day I read at least one new blog post covering a very specific and exciting new method of exploiting a specific bug, or detailing the inner workings of a new piece of malware.
- Metasploit Unleashed (metasploit/pentesting)
- Lena Tutorials (reverse engineering)
- Corelan Tutorials (exploit development)
Now that you've read some books and are beginning to get an idea of the theory, how do you get practical experience?
Wargames and Home Labs
For myself, this step and the previous went hand in hand. I would both research and investigate new books or tutorials based on the challenge I was trying to solve, or would seek out new Wargames to play that were centered on my specific area of studying.
My first Wargame experience was with the various Web based challenges, such as the recent StripeCTF, which covered many of the basic OWASP Top 10 vulnerabilities and so much more. Another invaluable resource is the OWASP Broken Webapp Project, which provides a Virutal Machine loaded with a huge assortment of vulnerable web apps. Some of these, like the Damn Vulnerable Web App, will help guide you and direct you to specific kinds of attacks. Other challenges will provide a normal looking web application and let you navigate your way through the site searching for attack points.
More recently my interests moved to Linux Exploitation Development and I found myself at the wonderful Smash The Stack website. (Disclosure: I am co-author and admin of the Wargame Logic at Smash The Stack). This site hosts a collection of Linux servers that you log in as Level 1, and proceed to escalate your privileges to the next level up. This can be done through Stack or Heap based Buffer Overflows, Format String vulnerabilities, or some of the most incredible Logic flaws you'll encounter. The game while used along side the books Hacking: The Art of Exploitation or The Shellcoder's Handbook, will provide you with an incredible amount of practical experience.
If Malware Research or Reverse Engineering is your interest, there are many guides on setting up your own home Lab for trying this yourself.
Once you've started doing work, you can share that knowledge with others.
Writing code, publishing projects or blogs.
A great way to get your name out there and to build a portfolio at the same time is to publish your own tools, or to join an open-source project and begin writing code. You will learn a great deal about software development, the tools utilized, and most importantly, the process. At the same time you are building your resume by being able to provide real world examples to future employers of your work. You are also showing them initiative and drive.
Additionally, one of the easiest ways to build a name and resume is by publishing your own online blog. There is an incredible amount of unique research that is published by professionals, amateurs, and enthusiasts within the industry. There is nothing stopping you from hopping in there and participating.
You can start with your own record of your trials and tribulation of self-education. I guarantee you during your time of studying that you will encounter interesting and fascinating new things that will inspire and motivate you to pursue research. Blogging about this process and time line is a fantastic way to show progression and personal development.
This topic is always a hot debate. Everyone has their own opinion on the value of certifications. It's a big question that depends on a lot of variables. Every area of InfoSec is going to have it's own ideas of what certifications matter or are of value. In my personal opinion, certifications are not required. That being said, I still greatly value them regardless of that statement. My point here is only that you need not feel like you must get certified to get a job. It can and will help you, but is not a requirement in the process.
Since I enjoy the hands on and very technical parts of InfoSec, I always value the certifications that exemplify those skills the most. When selecting a certification to pursue, I usually start with the end. What is the actual test like? Is it multiple choices? Is there a lab?
The importance here for me is that if the test is 300 questions of multiple-choice questions, that doesn't actually verify that the tester can reproduce the material. I personally prefer the tests that end with some kind of hands on lab that requires the tester to actually prove functional knowledge of the topic at hand.
To what direction you go, will be your choice. Certifications are always great on a resume, but don't put them above your own personal research and publications which show applied knowledge.
In the end
Everyone has his or her own path. No one path is right for everyone. In fact, you should pursue your own path and not follow in everyone else’s footsteps. I hope this may be of some assistance to you, and I look forward to seeing you in the industry or at conventions!