Sunday, December 6, 2015

Where to Begin as an InfoSec Noob

The number one question I get or see across many security forums is often repeated several times a day: Where do I start for a career in IT or Information Security? Hopefully I will be able to answer a majority of your questions here:

Intro

Just note that the path of an Information Security professional isn't an easy one, or more people would be doing it. As a matter of fact, the number of people going into it is decreasing as technology gets more complicated.
“The demand for the (cybersecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million,” stated Michael Brown, CEO at Symantec.
The US government has even relaxed its visa requirements, issuing H-1Bs to foreign security contractors under the Specialty Occupation category. They recognize the need to boost America's cyberdefense, and that there are huge numbers of open job reqs that aren't getting filled.

The learning curve for a lot of people seems too steep, so they don't attempt it until later in their career when they're more confident in their abilities. There's nothing wrong with that though! That's how many ended up in security in the first place! Most people in InfoSec are in their 30s to 50s. At 25 I'm still the youngest person on every team I've ever worked with, by at least 5 to 6 years, and I've worked at some big companies with large and mature security organizations. I started young and was crazy enough to choose this as a career. Just know this: it won't happen overnight, so don't get impatient. I'm going to give it to you straight: this is probably a 5-7 year timeline at least. But the payout is worth it.
Top salaries are in the $200k+ range

  • Learn and understand a programming language. And I mean truly understand it. You won't be a good hacker if you can't look at code and understand what it's doing. Python is typically recommended: most tools are written in it or a similar language (like Ruby), and it's easier to automate web application pentesting in Python because the library support for that kind of tooling is really strong (in Python 2.7, at the time of writing).
  • Learn and understand the industry by gaining experience in a professional role. It's very unusual to end up in a security role without any prior experience. Get a job as a systems administrator or network administrator. School and degrees are not required (and are often a waste of time; more on that in the certifications portion). If you have real knowledge and certifications, it won't be difficult to find a position once you understand the rest of what I'll mention. Start small. Without professional experience you likely won't land a $60k/year sysadmin role; your first role might even be making $13 an hour as a helpdesk operator. Additionally, understanding how the IT world works will make you that much better a pentester. Just by seeing a few things on social media or scanning the resumes of your target's staff (which vendors and products they list), you'll immediately know where to hit or what to look for when you're attempting to intrude in an authorized penetration test.
  • Know and understand network protocols. Obviously, you need to know, at a very low level, how computer systems and networks interact with each other. Full knowledge of TCP/IP, UDP, DNS, etc. is absolutely required: you should be able to read a packet dump header by header. I wrote a guide here that explores TCP/IP 101 and manipulation with Python.
  • Network in the industry. Learning from others is the best way to learn. You gain different perspectives and can build not only on your own experience but on others' as well. Your peers will all have had exposure to a very wide variety of networks, vendors, tools and platforms. Learn from them. This obviously goes hand in hand with building professional experience.
  • Metasploit, Burp, and other tools are only the tip of the iceberg. Using msfconsole or another tool without really understanding what you're doing is script kiddie shit. Yes, it is totally possible for any monkey to figure it out; they are designed to be easy to use. There's a discernible difference between a professional who knows what the tool is doing under the hood and one who only has a limited idea of what to do with it because they've popped a few Metasploitable VMs. It isn't uncommon to have to tweak things (exploit options, payloads, target profiles); it doesn't always work right out of the box.
  • Social engineering is a matter of scope, not a default technique. If you handed a client a penetration test in which social engineering was the only way you broke through the perimeter, and they hadn't asked for it, they'd probably be mad and never return to your agency. Pentests ain't cheap. If they didn't ask for it, DON'T give it to them. You'll work out the social engineering aspects when defining the scope. When clients are paying for an ethical hacker, they're paying someone to find things that they couldn't. Their security staff probably already knows the risk of phishing. You can save hardening against phishing for another service agreement with them. Give them the good stuff.
  • Certifications, not degrees! Getting the right certifications gets you past the robo-resume crunchers and gets you in front of a potential employer or client. Plus, in the process of getting them you'll actually learn useful and relevant information. Time to harsh up your mellow and lay down the reality: your GPA and your transcripts are worthless to industry leaders. When I worked at Intel, what they ultimately wanted to know was "is this person smarter than you?" How you ranked on that question determined how badass you were going to be in the job. They didn't care whether or not there was a degree, just whether or not you were damn good at what you do. If you know what you're doing, companies and nation-states will come to you for your weaponized exploits.

    Degrees aren't necessarily a complete waste of time. If your end game is to land a job in IT Security or a related field, you don't need to fetch a degree right away (if at all). My issue with them is that a lot of young students think that just by earning a degree they will automagically learn how to hack or pick up marketable skills. Degree courses only teach you the concepts. They won't teach you how to write secure code. They won't teach you how to spin up a honeypot to catch that APT that's been hammering your network. They cover the same concepts that certs like the CISSP or Security+ teach, and the certification organizations recognize this. For example, (ISC)² knocks 1 year off the 5-year CISSP experience requirement if you have a Security+ OR a degree. One can be studied for in 4 weeks; the other takes thousands of dollars and years off the clock. I'm not alone in this regard. (ISC)² released a study that found members with a CISSP earn, on average, $30k more per year than those without, while the salary difference from a master's is negligible. You want to get a degree for the right reason: for your academic growth and personal development.

    Trying to earn a degree in computer science or information systems/security just in the hope of landing an IT job is not the right way to do it. I'd only recommend that route if you want a career as a Software Developer/Engineer, or as an actual computer scientist (quantum computing and robotics: that's what I'd go back to school for). Many schools have programs where you'll work before you even graduate. Take advantage of them if you go that route, because fuck it, you're giving them $40,000 anyway.
  • Watch your background. Obviously, don't go hacking away and getting arrested for BS when you're starting out. It may be tempting because it really is too easy. Having a record of any kind makes it difficult to break into certain markets, like the government or organizations that are governed by federal or state regulations (finance, gov orgs like NASA, public utilities, medical, etc.). Conducting any kind of illegal activity and getting caught could very well end your career, or halve the number of potential employers you could work for, depending on the charges. Really cliché, and I don't judge by any means, but don't steal shit and stay out of drugs and it's pretty much a non-issue at that point. A lot of advice seems to glaze over or completely neglect this point. Yeah, I'm 90% sure 90% of us have done SOMETHING illegal or at least really in the gray area. But that doesn't make it OK for you 'just because others did it too.'


    Love to learn and live to do it. There's an ancient Greek legend that applies here: Milo of Croton, an ancient Greek Olympic athlete. I suggest you read it, because starting out will be similar. The story goes like this: Milo carried a calf every day. As the calf grew into an ox, so did his strength. Eventually he was able to carry a full-sized ox the way the average guy carries a sack of flour. I know the feeling all too well of staring at the mountain of information and wondering where the hell you even start to scale it. Remember Milo and start small. I constantly learn new things, from electrical engineering to new computer science concepts. The truly successful in our industry are the self-starting, self-studying nerds. The more information you vacuum up every day, the stronger you'll get, just like Milo. Just don't do it all at once. You can't lift a full-sized ox right from the beginning.
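The TCP/IP bullet above says you should be able to read what's in a packet at the byte level (and the Network+ section further down leans on knowing that a protocol value of 06 means TCP). As an added example that is not from the original post, here is a small, standard-library-only Python script that builds an IPv4/TCP SYN by hand, then dissects it back into fields and verifies both checksums. The addresses, ports and sequence number are made up for the example.

```python
"""Build and dissect IPv4/TCP headers with nothing but the standard library.
Added example for this post, not the author's own code; the sample SYN below
(192.168.1.10:40000 -> 10.0.0.5:80) is constructed for illustration."""
import socket
import struct

# IP protocol numbers you will see in the "proto" byte of a packet dump.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # 06 in a hex dump = TCP
# TCP flag bits, least significant first (FIN is bit 0, URG is bit 5).
TCP_FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                               # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ident: int = 0x1234, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options) with a valid header checksum."""
    ver_ihl = (4 << 4) | 5                            # version 4, IHL = 5 words
    flags_frag = 0x4000                               # DF set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """Pseudo-header the TCP checksum covers: addresses, zero, proto 6, length."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_segment(src: str, dst: str, sport: int, dport: int, seq: int,
                      flag_names, payload: bytes = b"", window: int = 65535) -> bytes:
    """20-byte TCP header + payload with the checksum filled in."""
    flags = 0
    for name in flag_names:
        flags |= 1 << TCP_FLAGS.index(name)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)
    csum = checksum(tcp_pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """Dissect an IPv4 header; checksum_ok is True when the header verifies."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "header_len": ihl, "total_len": total_len, "ttl": ttl,
        "protocol": proto, "protocol_name": IP_PROTOCOLS.get(proto, "unknown"),
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "checksum_ok": checksum(packet[:ihl]) == 0,   # a valid header sums to zero
        "payload": packet[ihl:total_len],
    }


def parse_tcp(segment: bytes, src: str, dst: str) -> dict:
    """Dissect a TCP segment; needs the IP addresses for the pseudo-header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or len(segment) < data_off:
        raise ValueError("bad TCP data offset")
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAGS) if flags & (1 << i)],
        "window": window,
        "checksum_ok": checksum(tcp_pseudo_header(src, dst, len(segment)) + segment) == 0,
        "payload": segment[data_off:],
    }


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0x1000) -> bytes:
    """A complete IPv4+TCP SYN, the first packet of the three-way handshake."""
    tcp = build_tcp_segment(src, dst, sport, dport, seq, ["SYN"])
    return build_ipv4_header(src, dst, 6, len(tcp)) + tcp


def dissect(packet: bytes):
    """Return (ip_fields, tcp_fields); tcp_fields is None for non-TCP packets."""
    ip = parse_ipv4(packet)
    tcp = parse_tcp(ip["payload"], ip["src"], ip["dst"]) if ip["protocol"] == 6 else None
    return ip, tcp


if __name__ == "__main__":
    pkt = build_syn("192.168.1.10", "10.0.0.5", 40000, 80)   # constructed sample
    print(pkt.hex())          # byte 9 of the dump is 06: the protocol field, TCP
    ip, tcp = dissect(pkt)
    print(ip["protocol_name"], ip["src"], "->", ip["dst"], tcp["flags"],
          "ip csum ok:", ip["checksum_ok"], "tcp csum ok:", tcp["checksum_ok"])
```

Run it and look at byte 9 of the hex dump: that's the 06. Flip any byte of either header and the matching checksum_ok goes False, which is exactly the check a packet-crafting tool has to get right before a target's stack will even look at the segment. The same layout knowledge is what lets you read a tcpdump or Wireshark hex pane without the decoder's help.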

So what now? Where to start
Generally speaking there is a lot of information and no single best place to start. Take my information and use it to work out the best path for you.
  • Don't underestimate books. If you went through a public school system, you're familiar with textbooks. The majority of what you know now was learned through textbooks. Think about it: all the teacher did, for the most part, was assign work for you to do in your textbooks. Now you're your own teacher. Build yourself a curriculum and force yourself to adhere to it. Environment is everything. If you're in a distracting environment (and that includes being alone at your house) it's almost impossible to learn. It's so easy to click that damn Reddit bookmark and lose 3 hours of your life. But that's 3 hours you just robbed from yourself. If you're a student, your school's library is a great place. A public library as well. Anywhere public with a solid learning environment is best. This includes downtime at work too, believe it or not. If I ever have a free moment, I usually spend it wisely and knock another chapter out of a book if I can, or rebuild or add a new feature to a tool I built.
  • What is the general certification path? Again, there isn't any solid answer for this question. Generally recommended is: Net+, CCNA, Sec+, CISSP, master something like Python, C|EH, OSCP, then use your employer's $$$ to get some GIAC/SANS stuff like the GPEN, because it's super-ultra-mega expensive. Don't buy the SANS stuff with your own money. If you're going to do that, just buy yourself a motorcycle and ride to Alaska instead. Money better spent at this point, in my opinion. When you're old and crusty with 10-15 years' experience, invest in a master's degree. By then you may have plateaued pay-wise and NOW the timing is right for a degree, but it isn't totally necessary. A degree doesn't really increase your pay in InfoSec like it does in other fields, but it does help you get into a non-technical (and sometimes a technical) management role, which will probably pay better in overall total compensation (pension, etc.). By then, stuff that was around when you were a kid is being called 'vintage' by young technology-addicted people with ridiculous hairstyles, so that pension and 401k stuff you didn't give a shit about on your offer letters 15 years ago matters more than it did when you were 20.
  • The CompTIA Network+. This is for those of you who have no idea what a value of 06 in the protocol field of an IP header means (it's TCP; 17 is UDP and 01 is ICMP) when you're staring at a packet dump. It will teach you the basics. It's like pouring the cement foundation for what you're going to build next. You can't build up without a foundation, it just doesn't work that way.
    The thing with certifications is that they come in versions, so get the right book for the current version of the test. At the moment the current version is the N10-006 exam. (People from the future, be sure to check CompTIA's site for the current version.) Try this material to study for it: ISBN-10: 0071848223.
  • Cisco Certified Network Associate (CCNA). Once you have a solid foundation in networking it's time to build that up with actual skills. It is impossible to pass the CCNA without knowing your way around the command line in Cisco's IOS. This will teach you how to work with the most common networking equipment vendor: Cisco. It also goes more in depth on networking concepts and how they apply in the IT world. Knowing networking isn't enough. You also need to be able to answer questions a business might ask, like "How do we achieve network segmentation between these applications?" (VLANs, ACLs and where the firewall sits, for a start). Experience will answer that best, but you can start with the CCNA. The current exam at the time of this post is the 200-120 CCNA. I recommend ISBN-10: 1587143879. Since this directly involves working at a terminal on an actual switch through the console port, I highly recommend picking up a used Catalyst 3500 series switch so you can get intimately familiar with the IOS command line.
    • CCNA; Routing and Switching Reference:
      Book: ISBN-10: 1587143879
      Exam Code: 200-120 CCNA
      Voucher URL: Link
      Recommended Training Hardware: Cisco Catalyst 3500 series (Typically $75~$200 used depending on model)
  • Get to work! By the time you have a solid understanding of networking and routing and have achieved a few certifications, you should be working somewhere in IT. You absolutely need that experience. Also, most employers will pay for training, so you don't need to fork over the money for the increasingly expensive exam vouchers from this point on. If you're having trouble finding work with the CCNA and Net+ under your belt, you need to look smaller. Remember the ox analogy? You might have to take a helpdesk role or expand your experience to include Microsoft and Linux systems administration. There are certifications for those, but they're not totally necessary. Don't look at big companies. Look at small local companies. You also may need to expand your job hunt to statewide or even nationwide. Don't be afraid to move. This is your career after all. Passing up a nice opportunity because you're afraid to take the plunge and move to another state isn't a wise decision. Because of my line of work I've had the opportunity to live, work and travel all over the US! Just keep in mind you'll never break into any real InfoSec role without prior experience, degree or not. Once you have your foundation built, don't pour your time anywhere else but resume building. One of my first ever contracts was as a network administrator at a startup. Sometimes it's not all about the money. What I learned in that role landed me a Systems Engineering role at a larger company making more serious money a couple of years later, and they loved how technical I was. I couldn't have done it without my lowly net admin role, where I got exposure to all kinds of amazing tools and equipment.
  • CompTIA Security+. The Security+ had a bad rep with the older versions, which weren't technical enough. That has changed. It's actually challenging, and a really solid foundation to launch into the CISSP from. The current exam you want to take is the SY0-401. The SY0-301 is the older one that's about to be retired. Don't bother with that one, it sucked in my opinion. This exam goes into networking concepts, as well as security concepts like business continuity, the CIA triad (confidentiality, integrity, availability), and other things you'd expect to find on the CISSP. If you're fresh into security, it's a good way to start. The exam vouchers are cheap and, like with all CompTIA certs, coupon codes and voucher programs are widespread. It's a low-cost, low-risk intro to the CISSP. Additionally, it knocks an entire year off the experience requirement for the CISSP! Very useful for getting a head start. It has its place, so don't bash it.
  • (ISC)² CISSP: Certified Information Systems Security Professional: This has become the de facto security certification in the industry and is practically mandatory... for HR purposes. Yes, that's right. It's a common misconception that this actually teaches anything about hacking. It does not. It is NOT a technical certification. What it DOES do is expand on the business concepts you learned about in the Security+. It will teach you everything from which fire extinguisher to use in the event of an electrical fire (I'm not kidding) to a brief overview of firewalls and architecture design. It covers a very wide and broad overview of Information Security and IT in general. There is not a lot of depth in the program as far as raw technical knowledge goes. I'll describe it like this: it's like a lake that's 10 miles wide and 2 inches deep. Lots of coverage, not much depth. That being said, you absolutely should get it; just don't misunderstand what this certification is. You won't be a 1337 h@x0rz just by getting your CISSP. I've seen plenty of people who passed the exam but don't even know what a reverse shell is. But it will help you land that SOC Analyst role at UltraMega Corp, Inc., Ltd, LLC. That's when you'll start picking up real skills.
  • Learn a Programming Language! If you haven't been working on this slowly over time, now is the time. By this point you're going to need to write your own tools or tweak existing ones. Python is THE language to learn first. Not only is it one of the easiest languages to learn, it's what a large share of InfoSec tools are written in, and it has amazeballs library support for that kind of work. There are lots of ways to learn, but the best way I found was the Learn Python the Hard Way book. I've recommended it to a few people and they all ended up launching into other books and landed roles in web dev after about a year of self-study. LPTHW won't work unless you do EVERYTHING. Answer and understand every extra question the textbook asks. Buddy up with some programmers at your workplace and ask them to mentor you when you get stuck. Having someone explain it to you like you're 5 is an awesome thing. One thing to be wary of when asking experienced programmers is that they may look at your code and recommend 5 other random libraries you've never heard of. Take it with a grain of salt. Programming is like handwriting: we all write it differently. You won't know everything about code after a book like LPTHW, but you'll be able to launch into other books. 4 or 5 books later you'll be awesome. One thing that worked better for me is getting the actual physical book. Soft copies like PDFs have never cut it for me. I carry the books I'm working on with me every day and set them on my desk. It's a good physical reminder that I need to finish them, and having a physical copy makes it much easier to flip open to the bookmark and pick up where I left off. Plus you look like some badass wizard with a giant bookshelf of programming manuals.
  • EC-Council Certified Ethical Hacker; C|EH: Like the Security+ and Network+, this is a foundation, in this case for penetration testing. It's the "introduction to tools." It goes over the tools and tactics for basic network penetration testing, like using Metasploit. It's a great resume builder and learning experience for taking your next step away from an Information Analyst role and into a more technical one. Those tools are designed to be easy to use, so believe it or not, you don't actually need to know shit about security or hacking to take and pass this exam if you study hard enough. To be fair, the same can be said for any of these certifications; it just seems to happen a lot more with this one, maybe because of the way it's marketed. DO NOT do that. Don't be that guy. You devalue the certification and the people who have worked hard to achieve it AND know what they're doing. You'll get crushed in an InfoSec interview if you get this cert without a good foundation and expect it to teach you what you need to know to get a specialist role. You'll waste the employer's time and your own. Plus you'll look like an idiot and pretty much ban yourself from working at that company (those managers stick around for a long time at larger companies, and yeah, we will remember you if you apply again 2 years later as 'that one guy'). Version 9 is the latest at this time; it recently replaced version 8.
    • C|EH version 9 Reference:
      Book VERSION 8: ISBN-10: 111864767X
      The v9 exam is really new, so books may not be released yet. Check the vendor reference link for any version 9 material.
      Exam Code (v9): 312-50
      Voucher URL: Link
      Vendor Reference: Link
  • Offensive Security Certified Professional; OSCP: Try harder! This exam is tough. I'll put it this way: the exam is 24 hours long, and you have to actually hack into systems. There are no questions. There's no multiple choice. Just an objective. Most people use almost that entire time on the exam itself, and then there's the pentest report to write up and submit afterwards. If you're ready to put your skills to the test and prove you can compromise systems against the clock, this is the exam to take. Note that Offensive Security restricts how much you can lean on Metasploit during the exam (check the current exam guide for the exact rule), so expect to enumerate, find and exploit vulnerabilities largely by hand. It's like a shining beacon of awesomeness on your resume too. If you have this certification there is little doubt that you know your shit, provided it's backed up with some solid experience and industry reputation. That being said, it specifically covers several tools widely used in the penetration testing biz. It won't teach you how to hack into satellites to broadcast traffic in order to hide your botnet, or any fancy shit like that. But you'll be able to break systems that have common vulnerabilities no problem. This test takes MONTHS to prep for. You absolutely need a really solid background in everything previously mentioned in order to successfully complete the lab. Even as tough as this cert is, it's still considered entry level. That's right. After everything you've learned, and even with an OSCP, you're only starting to crawl. Writing your first 0day and publishing your first CVEs are still a few paces ahead at this point. I told you it would take a while. Your ox is essentially a juvenile now. You're pretty strong, but it isn't fully matured yet and neither are you :)
    • OSCP Reference: Book: Due to the nature of this test there isn't really any single book, but there are several that will help. ISBN-10: 1494861275
      Exam Code: The exam is administered by Offensive Security themselves, not by a third party like Pearson VUE. Check the reference site for more information.
      Vendor Reference: Link
      Vendor Lab Reference: Link

5 comments:

  1. First and foremost, a big thanks for these guides you are making, they are a big help for security noobs like myself.

    These certificates you are talking about, are they valid outside of the US, like Europe?

    Replies
    1. Absolutely! These certifications are valid anywhere globally. They're vendor non-specific (with the exception of vendor certs like Cisco's CCNA) and are under no particular legislation. They are acceptable in the US or any other country. Oftentimes they include tests in multiple languages.

      Some certifications, like the CISSP, may be tricky for non-US citizens. They require background checks and document turn over for identity verification. I would check with those organizations if non-US citizens are able to take these exams.

    2. I see. Thanks a lot for answering, I will do further research as to what is available for my country.

  2. Thanks for the post, I'm a self taught FEND coder and have veered off into the infosec route, much more my personality. This is a great post and I'm ordering LPTHW tonight!

  3. Supernoob liberal arts major here. I was thinking about applying for a master's program in IA/InfoSec, but I'd need remedial STEM coursework just to get in. Once I started looking at certs versus shelling out for more education, I pretty much came to the same conclusion you've put forth.

    Learning Python (the hard way) has been on my radar for some time, and the academic advisor for that grad program recommended I start learning it before applying for the program (which I don't think I'll do at this point).

    The knowledge progression I developed for myself mirrors yours, only I am considering getting IT Fundamentals and A+ certs from CompTIA before Network+. Lacking any professional IT experience, I would likely have to take a helpdesk gig, and so I figured A+ would help me in that regard. What's your thought on A+? More concrete for the foundation, or unnecessary?

    Thanks for the guide.
