Starting an InfoSec Career – The Megamix – Chapters 1-3

Even once a person realizes he or she has a passion for information security, moving in the field can seem a daunting task. The education market is oversaturated with degrees, certifications, and training programs. Meanwhile, many prominent hackers mock those programs publicly. Although I’ve touched on security education and training quite a bit, I’m continually asked to provide a resource for people who are trying to transition from school or other fields into Information Security roles. Ours is a healthy job market and we do need qualified and motivated applicants. The jobs exist, but we repeatedly see candidates being given false advice to get them.

With tremendous and very much appreciated help from many of my colleagues and friends in the field, I have endeavored to compile a comprehensive blog about starting an InfoSec career. This is a very lengthy blog broken into sections that may help people as parts or as a whole. We want you to succeed in our field. As always, please feel free to ask questions or leave comments / gripes / suggestions.

Chapter 1: The Fundamentals

 Unfortunately, for all the interminable hacking tool tutorials and security guides floating around the internet, many InfoSec job candidates haven’t grasped two fundamental concepts:

  • To hack something (or defend it from hacking), you must have a solid understanding of how that thing works.

And,

  • InfoSec is not a career that can be put in a box once you go home from work or school. You must be passionate enough about the field to be continually learning and aware of quickly changing current events. If you want a career that you can forget about once you go home at 5:00 PM, InfoSec is probably not the right choice.

The really intriguing thing about InfoSec and hacking in general is how they draw heavily from knowledge of all sorts of IT subjects. It’s difficult to understand attacks, malware traffic, or intrusions without a firm understanding of network ports, protocols, and architecture. Similarly, it’s difficult to understand malware or identify system compromises without a firm understanding of operating system architecture, hard drive construction, or programming fundamentals.

There’s a misconception that sophisticated attackers use lots of malware and exploits. This is simply not the case. The better a hacker is, the more likely he or she is to leverage preexisting software and tools to compromise a network whenever possible. With malware comes more risk of detection and forensics. It’s a wise choice to use an excellent understanding of the command line and remote execution to move laterally across a network.

If you’re considering a career in InfoSec please evaluate yourself on your knowledge of basic computer science and networking concepts. If you’re weak in one of those areas, consider some outside study. Merely following a Metasploit or an Ophcrack tutorial will not teach you how to be a good hacker. Understanding how Metasploit modules and communication work, or how Windows passwords are stored and passed may eventually. (Almost universally, I find more value in a candidate who can read a pcap than one who can execute msf console.)

In regards to the second concept – in some ways we as a field are victims of our own success. InfoSec jobs are advertised as high paying and cutting edge, so there has been a surge of graduates and applicants. Unfortunately, being a good security professional is something tremendously difficult for any training program or school to teach. Without an outside interest in learning more, enhancing skills, and studying current events, entry level candidates are often tremendously skills-weak.

I often screen candidates with relatively simple questions based on malware and technologies commonly seen (and documented) in the last 3-5 years, as that tends to be newer than university curricula. It’s also very popular to simply ask candidates what they are doing on their own time to enhance their security knowledge. Often, this question leads to silence (which given the wealth of free resources available is a dead giveaway the person will probably not work out). We will discuss some inexpensive ways to improve InfoSec knowledge at home later on in this blog.

Chapter 2: Choosing Education and Certifications

 The debate over the value of (costly) college degrees in InfoSec is a continual and heated one, and likely will be for quite some time. I’m often asked if getting a (Associates, Bachelors, or Masters) degree is necessary to get a foot in the door in InfoSec. In the US, the answer is usually no. As I discussed previously, InfoSec interviewers usually value motivation, critical thinking, and self-study above all else while selecting entry level candidates. It is quite possible to write a resume which includes volunteer work, talks, and personal projects related to the field, and these usually are much better conversation starters than a degree.

That being said, there are a few notable exceptions. Government agencies and large corporations still tend to value degrees highly and may even refuse to waive them as a requirement for their hiring authorities. So, without a degree, resumes may simply be ignored by mandatory computerized HR screening.

Secondly, within these types of organizations, pay grade or promotion may be contingent on having a degree, so an entry level person without a degree might have to go elsewhere to move up. Be cognizant of the requirements at the place you’re seeking employment.

Personally, I usually view degrees favorably when they’re financially feasible. They show dedication to a task for two or more years, and an interest in some subject. I also trust credible universities to teach students general business skills like reading, presenting, and report writing (all of which are underappreciated but valuable in security). Thus far I haven’t seen much value in specifically gaining an InfoSec degree – I have come to expect those general skills to be taught better at a credible university in a History program than in an InfoSec program at a for-profit degree mill or technical school. Also, as I previously mentioned, established IT programs such as Computer Science, Computer Engineering, and Network Engineering can bring a lot to the table in terms of general knowhow.

Certifications are a trickier question because there are so many out there, and they serve different purposes depending on the niche field the applicant wishes to get into. I’d consider certifications a ‘nice to have’ for an entry level candidate – they are not likely to tip the balance much in a hiring decision, but they usually don’t hurt. (One exception: Due to the employment requirements and the purpose of the certification, I find it inappropriate when entry level applicants with no experience have [somehow] obtained their ISC2 CISSP ®. The certification is made for people already employed in the field with a number of required years in the field, so it looks a bit fraudulent.)

More appropriate for entry level candidates is the CompTIA Security+. It’s cheap, and it serves two purposes. The first is demonstrating some basic security terminology and concept knowledge. More importantly, it makes candidates eligible to perform government contract work under 8570 requirements. The CompTIA Network+ is also a safe bet, as it shows a bit of that basic network knowledge we’ve been discussing. Neither certification shows an advanced knowledge of their subject, but they are a good choice for getting a foot in the door.

I’ve recommended SANS / GIAC line of certifications in the past because I find their training and tests some of the most legitimate. Their certifications are some of the most technically respected to have on a technical resume. However, their certifications are also extremely expensive, with courses and books in the thousands of dollars and tests in the hundreds. There are some options to decrease the costs like their community offerings or work study program, but they may still be out of reach for entry level folks. If you can easily afford a SANS course and GIAC certification, absolutely take one applicable to your field (good general choices are GSEC or GCIH). If you can’t, don’t take it to heart – wait until an employer makes them financially available to you.

Offensive-Security offers the OSCP certification and course which is a fantastic choice for InfoSec applicants who wish to take a more offense-based route (or indeed, as exposure to those techniques to anybody in InfoSec). It’s real-world lab heavy. The course and certification are still expensive at around a thousand dollars, but may be more realistic than the cost of a SANS course.

I personally do not recommend EC-Council certifications for entry level candidates at this time unless they are specifically required for a role.

I’ll suggest some specific training and certifications as we discuss specific roles later on.

Chapter 3: InfoSec Fields and Niches

There was a time in the 19th century where a ‘scientist’ often meant a generalist – a respected scientist might have knowledge of biology, physics, and chemistry. As those fields grew in complexity, it became increasingly difficult for one person to remain current with all of the research and knowledge involved in even a single broad field. Today, we see scientists specialized in very niche fields, each with its own wealth of research. InfoSec is very similar. While in the 1980s a single security specialist could conduct penetration tests, configure firewalls, and investigate breaches, today that is much less common. There are many disparate fields which make up information security and an important decision for any InfoSec professional is finding which of those niches is are a good fit.

The first thing we have to understand is the distinction between the ‘red team’ and the ‘blue team’. While there is often some overlap in InfoSec job roles, we generally separate them into two broad camps – offense (red team), and defense (blue team). You may wonder why legitimate, “white hat” hackers would need offense. Consider the people who conduct professional penetration tests of organizations to generate reports on their deficiencies, and the people who conduct research into vulnerabilities. These are “red team” jobs.

The path to becoming a Blue Team InfoSec professional is usually somewhat different than the path Red Team professionals take. That’s not to say it isn’t tremendously wise for the two camps to cross-train. It’s difficult to conduct good offense without having a general knowledge of defense practices, and vice versa. We will discuss specific red team and blue team roles in the next two chapters.

1 The Fundamentals

> 2 Education & Certifications

> 3 Fields and Niches

4 Blue Team Careers in Depth

5 Red Team Careers in Depth

6 Self-Study Options

7 Landing the Job]

[I highly recommend visiting Daniel Miessler’s blog on the same subject, located here: https://danielmiessler.com/blog/build-successful-infosec-career/]

31 thoughts on “Starting an InfoSec Career – The Megamix – Chapters 1-3

  1. Strongly agree w point 1, disagree w point 2. There are plenty of InfoSec jobs that don’t take a Rockstar and CAN be 9-5 jobs. Admittedly to get to the top you need talent training and passion, but InfoSec isn’t a special snowflake in that, it’s true for any knowledge worker from surgeon to InfoSec to logistics to marketing. IMO, ‘course.

    Like

  2. Good start to the Blog.
    I can only agree that Security/InfoSec is a state of mind
    And as with anything in the IT field nothing is static. You need to stay curious and explore.

    Like

  3. Pingback: How to become a pentester | Corelan Team

  4. Awesome post. Thanks for sharing. One suggestion I have for people who want to break into infosec is invest in a lab (at home or use a cloud provider like AWS), participate in CTFs, and attend events (conferences/ meetups).

    Like

  5. Thanks for taking the time to post this. I’m looking forward to new chapters! I’m currently working on the OSCP cert, but after reading your blog, DFIR does sound interesting. My only concern about getting into a security job is the possibility of taking a pay cut to switch over from my current specialties after a decade in IT. Other than that, I have confidence that I can “hack it”.

    Like

  6. Great article. I think your points could be used for many sectors of IT. For the last several years, I worked mainly as Automation Engineer/SDET on QA teams. I began to shift into infosec only recently. It’s hard for me, as I’m in my 40’s. I was given some training with offensive-security.com – which was great…. Since then I just keep learning. What I’ve come to realize is… I may not be able to compete with the infosec crowd, but I enjoy it and I add value with what I’m learning.

    Aside from this, it’s hard for newcomers to IT (any field) to get that first gig. One of my side interests is offering free training to those interested in Software QA . Those students who had passion for learning, really excelled. They did hit a hurdle though. IT tends to filter people who have zero experience. It’s quite hard placing someone for the first time. I try to encourage my students to write what the learn in blogs, post articles on LinkedIN, but even then it can be challenging. Most recruiters won’t even work with my students, since they have no on the job experience. Those I placed, were through connections I have in the industry.

    I would imagine this problem is a general one, that also exists in infosec, what advice do you have for new people coming into any IT field?

    Like

  7. Looking forward to the remaining chapters. The “Self-Study Options” chapter is of particular interest to me. A recommended reading list of relevant books that cover the Security Engineer fundamental skill sets, and the various InfoSec Fields would be very helpful.

    Like

  8. Pingback: Quora

  9. Pingback: TechExams.net IT Certification Forums

  10. Great write-up!

    Looking back at this, I really got into security after our customers ran VA scans on sites we hosted for them, gave us incomprehensible (at that time) VA reports and expected us to fix them ASAP. And they had no idea what the VA reports are talking about…

    The classic example was this IT security officer who told us to fix “missing valid SSL cert from recognized CA” on this website hosted using his org’s domain name. After we educate him, he told us to look for alternative solution to SSL certs. 😦

    Like

  11. Pingback: Women In InfoSec – GRCers more than hackers? If so, so what? Plus bigger cultural questions | Infospectives

  12. Pingback: TechExams.net IT Certification Forums

  13. Pingback: Incite 12/2/2015: Grateful Habits | OSINFO

  14. Pingback: TechExams.net IT Certification Forums

  15. Pingback: TechExams.net IT Certification Forums

  16. Pingback: Infosec: You are probably already doing it | Silicon Shecky

  17. Pingback: Interviewing InfoSec Entrepreneur Lance Miller | InfoReck

  18. Pingback: Interviewing InfoSec entrepreneur Lance Miller – By: Robb Reck | Jobber TechTalk

  19. Pingback: Starting an InfoSec Career – The Megamix – Chapter 6 | Hacks4Pancakes' tisiphone.net

  20. Pingback: Starting an InfoSec Career – The Megamix – Chapter 7 | Hacks4Pancakes' tisiphone.net

  21. Pingback: How to break into information security – Steven Campbell – Network Security Engineer, OSCP, OSWP

  22. Pingback: Introduction to DFIR – sec.uno

  23. Pingback: A Hacker Hunter’s Advice for Getting Into InfoSec – Safe and Savvy Blog by F-Secure

  24. Pingback: How to Start Your Career in Cyber Security – Safe and Savvy Blog by F-Secure

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s