Wow! I can’t believe Gen Con is already over. We had an amazing time at the con, and giving our Hacking in Fiction panel to 43 lovely people on Thursday night was a highlight. I want to extend a big thanks to my co-speakers, Johnny and Beltface. We ended up going over our allotted 90 minutes again, mostly because we had so much fun answering fantastic audience questions. Also, thanks to our many Twitter friends who came out to roast us, like Joe, 0DDJ0BB, Lslybot, and Justin!
Just some awesome costumes I snapped pictures of!
Our most frequently asked question that I want to restate here for the world was, “I don’t have much experience; how do I get into infosec/hacking?”
If you’re asking us that question, you’re on the right track. I firmly believe we have the best community out there of any professional field. There are tremendous resources for anyone who has the will and motivation to be good at infosec, and they usually don’t depend on expensive degree programs or certifications. My recommendations are:
- Go to independent security conferences. DEF CON, DerbyCon, ShmooCon, GrrCON, and the various local BSides are great options to learn about security and network with other people who share your interests. You can get into most of these conferences for 100-200 dollars plus a hotel room. There is no experience requirement, and there are usually talks at every technical level, from management skills to sophisticated reverse engineering. Yes, these conferences can be intimidating, but follow basic best practices like not using a credit/ATM card, turning off Wi-Fi on your phone, and not bringing a production computer, and you’ll find them an intriguing and welcoming environment with lots of fun!
- Use the internet’s resources. Blogs, Twitter, and podcasts are a great way to keep up with current events in infosec. Don’t rely on bulletins from vendors or government agencies. Some of my favorite general security news sources are:
  - Paul’s Security Weekly
  - Naked Security – Sophos
  - Krebs on Security
  - Dark Reading | Security
  - Steve Ragan | CSO Online
  - We Live Security
- Find your local hacker meetups and attend. Beyond 2600 meetings, DC(area code) groups, and BSides, many metro areas have independent security meetups. These are a great way to network and find a mentor.
- Do publicly shared CTF exercises to learn more about hacking. Beyond “Hack This Site”, many organizations post online ‘Capture the Flag’ exercises covering both the blue team and red team sides of security, which let you take your best shot at a hacking simulation and then see the results when it ends. I recommend all of the SANS exercises, especially their holiday challenges.
- Build your own lab, and experiment! It’s really not that expensive to build a hacking lab at home. Virtualization has made it relatively affordable to construct a VM lab environment with an attacker machine and one or more defender machines, in which you can simulate whichever area of security you choose. It looks fantastic in interviews if you can describe your home lab and
- Don’t get intimidated! While I highly recommend you always be certain you have permission to hack the computer network(s) you are experimenting with, there are plenty of legal and affordable ways to learn more about information security. Everyone who legitimately claims to work in ‘infosec’ or ‘cyber’ should have a solid understanding of how the bad guys think. Avail yourself of the resources out there, and test your skills!