Ask Lesley InfoSec Advice Column: 2017-03-16

This week, I address some burning questions about education and training.  As always, submit your problems here!

Dear Lesley,

Let’s cut to the chase. I hate coding. I don’t enjoy building things from scratch. I do, however, love taking things apart, and would probably be able to learn to code if I started in that direction.

I currently work as a Linux sysadmin in the web industry, with a couple certs (and 4 years) under my belt so far. I love infosec and want to move in that direction, but I have no idea where to start, given my utter distaste for traditional methods to teach coding.
Do I just… download some arbitrary code and take it apart? That seems like a horribly insecure idea, but I’m just not sure where to start. I also tend to have serious issues with confidence in everything, especially tech. Please help! ”    

– Flustered and floundering

Dear Flustered,

I don’t like coding, either. It’s actually not uncommon in infosec – we tend to like rapidly changing environments instead of the routine patience involved in coding. I’ve spoken to many ex-programmers and ex-CS students who agreed.

I see two routes you can go if you think anything like me:

  1. The scripting route: Many, many blue team and red team tools are Python and Ruby based, and many of them are extensible by design. Pick offensive or defensive security, then choose a tool set in one of these common languages that interests you. (For me, it was the Volatility framework). Take apart a few existing scripts and see how they function in real life. Then pick some interesting feature to add in your own script. This won’t necessarily teach you how to write a stellar production application, but for most security roles scripting is what you need.
  2. The reversing route. If analyzing malware piques your interest, that’s a great way to learn how software works all the way down to the assembly level. The intrigue can be a great motivator to learn. Definitely don’t pick commodity malware out today to analyze -it’s purposefully hard to reverse! Start with a book like Practical Malware Analysis or Malware Analyst’s cookbook that has detailed, step by step tutorials from the very basics. Learning how to take something apart can be a great way to learn how to put it together, and you’ll definitely figure out what fundamentals you need to brush up on on the way.

Dear Lesley,

Looking into the future…what would you guess would be the safest career path/area to focus on now in security, considering the growth in available off the shelf tools to get the jobs done. Would penetration tester still be needed for example in 10-20 years time?  

–  Spinner.

Dear Spinner,

First off, no guarantees – I’m not clairvoyant. There definitely is something of an infosec bubble as more people enter degree programs. However, there’s a caveat – being a great hacker is a personality trait, not a skill that can be taught academically. If you’re innovative and adaptable, I sincerely doubt you’ll have trouble finding work in that time frame.

In terms of automation, some tasks automate better than others. Unfortunately, the one that automates the best is the entry level security analyst gig. Merely passing the Security+ and being able to read and route SIEM events may not cut it in a couple years. You’ll need creativity and a broader skill set. More advanced defensive and offensive roles will require human attention for the foreseeable future because attackers innovate constantly. While a magic black box may pick up a new zero day, remediating and understanding the impact and additional factors is more complicated.

Security engineering continues to become more automated. The need for people to simply maintain static blocklists, signatures, or firewall rule sets will continue to decrease. Those jobs are trending towards more advanced SIEM and log aggregation management.

The jobs I see in the most demand with the least supply right now are malware reversing at an assembly level, threat intelligence with an actual political science or foreign studies background, and higher level exploit research (coupled with good business and communication skills).

Dear Lesley,

How does one begin exploring the world of sec without coming off as a script kiddie or just wanting to be an “edgy hacker”?     

– Careful but eager beaver

Dear Careful but Eager,

I’m really sad you feel that you have to ask that question, because merely asking it means you probably aren’t the type you’re concerned about. How do you know if you’re skidding it up? You enter commands into a hacking tool with no idea what they are doing, and much more importantly, no interest in knowing what they are doing. Being a good hacker has nothing to do with pwning stuff. It has to do with understanding how lots of stuff works and being able to manipulate that to your advantage.  (I should put that at the top of my blog in huge red letters!)

Imagine you’re a secret agent, needing to break into a vault. You can take one other person with you. Person 1 is another agent who has read a few books on how the vault works. Person 2 is the engineer who has been installing and maintaining the vaults for 30 years and has agreed to help you. Who do you pick? I’d pick the second person, who knows the system inside and out. I can teach her to sneak around a little and how to wear a disguise. Person 1 doesn’t know the foibles of the vault and only knows how to attack it the way the books said.

To summarize, you skid check is how many commands you enter in Kali or Sift or whatever without bothering to figure out what the heck you are doing. When you’re learning, the goal is understanding that, not getting a shell.

You shouldn’t care what you come off as. If you’re genuinely interested in learning, plenty of hackers will be willing to help you.

Dear Lesley,

(tl;dr at the very last line)

I am a novice who is looking to break into the field of security. Currently, I have received an offer to read a book (The Web Application Hacker’s Handbook) and participate in an assessment to show if I can perform the work necessary to do the job. Essentially, the assessment (from what I’ve gathered) is to assess the security of a vulnerable web application and then reverse a protocol.

Coming from a mathematics background with limited formal education in computer science and no formal education in networking, the book is hard to digest. I have setup pen test labs such as DVWA and WebGoat which I am practicing with and I have made surprisingly good progress in these labs. I’ve also learned a little bit about networking through much trial in error in setting these labs up in safe environments!

However, I fear that even if I pass the assessment, I will not be offered a position due to my lack of networking knowledge. I am aware of certifications such as OSCP and Security+ to bolster my background, but they suggest a solid understanding of networking before enrollment in the courses or studying for the examinations.

Do you have any recommendations on books/courses/certifications that would take an individual from zero-knowledge of networking to the suggested level of networking knowledge for these kinds of security certifications?

– Not a smart man

Dear Smart Man (I refuse, because it’s untrue!),

It really sounds like you’re doing everything right. You have correctly recognized that solid TCP/IP knowledge is really important in security. The lab is fab. But, you can do other things in that lab. Like take a step back from the security tools, and concentrate on the networking ones. How long have you spent in Wireshark, just observing and filtering through network traffic? Something just watching what’s going on and identifying common ports and protocols can be huge. What does opening a website look like, and why? What does a ping look like? What does it look like when a new computer is connected to the network?

Certs (and associated books)… There are a lot of options in network land. Network+ is okay for fundamentals and really cheap (although an inch deep and mile wide). WCNA is the Wireshark specific cert, but by nature teaches a pretty in-depth level of knowledge of reading packets. It’s also quite affordable. If you have 600 bucks and free time, I’d do both (in that order) and blow those folks out of the water with your resume. If you don’t have those resources, they give you some great study materials to start with.

There are endless good books and blogs on TCP/IP out there that will get you started and give you an understanding of the OSI model and common ports and protocols. Hands on experience in your lab or on your home network  is much more important.




3 thoughts on “Ask Lesley InfoSec Advice Column: 2017-03-16

  1. NetEng here. I really liked Stephens’ “TCP/IP Illustrated” for learning the deep stuff about IP. That was several years ago, though, so I don’t know if there’s something better that’s come along lately. If you end up wanting to learn about some of the layer 2 and routing deep stuff, you can’t go wrong with Radia Pearlman’s “Internetworking”, but that’s probably more esoteric than you want to be if you’re angling towards infosec.


  2. Pingback: Week 11 – 2017 – This Week In 4n6

  3. Pingback: Ask Lesley InfoSec Advice Column: 2017-03-16 | Hacker News Info

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s