We recently received an email from someone working on their degree who had some questions for whichever tester we could round up. They were great questions and since we get asked similar things quite frequently we decided to create a 2-part blog post answering them with the help of several testers. See what they had to say about their own journey and don’t forget to check out Part 2 on Monday!
1)What initially inspired you to pursue your career in information security?
The only thing more exciting about interdepartmental business processes is breaking interdepartmental business processes and exploiting them. – Kent Ickler
Before specifically being interested in InfoSec I knew from a very young age that I wanted to at least work with computers. My family wasn’t all that technical regarding computers but we had a few throughout my childhood that really sparked my initial interest. We had an Apple IIe that I spent a lot of time trying to figure out. I talked my dad into letting me order a “Build-Your-Own-Computer” kit around the age of ten or so and built it by myself (incorrectly, but I learned a lot). It wasn’t until college though that I found out that computer security is what I wanted to pursue. I took a course on Ethical Hacking and learned that I could hack companies legally and get paid for it. Now that’s what I do. – Beau Bullock
My dad inspired me. He was a low-level firmware engineer so I grew up in a house where our kitchen table was full of the hardware he was reverse engineering, dumping EEPROM’s, creating binary patches, and even “backing up” my Nintendo games. Between the PC just being released and the exposure to the consistent tinkering, I quickly adopted a very similar mindset and began trying to figure out how technology worked under the hood. – Mike Felch
I got an email from a person whose signature was a complete RSA implementation in something like four lines of painfully-unclear Perl code. The story goes that the US government considered it a munition, and illegal to export. That got me in three ways. First, I was surprised that it was possible to do encryption with such a small program. Second, I could not believe that this block of text – that looked like line noise on a bad modem connection – was a way to do it. I wanted to be able to understand things like that. Third, I was intrigued by the idea that sharing this bit of text was the legal equivalent of shipping weapons of war.
I’m not sure if this is the exact one I saw or not, but it shows the idea:
I really wasn’t aware of infosec as an industry or career path until I switched majors to computer science in college. I took an introductory infosec course as an elective, and I was instantly hooked. I knew I wanted to do something in this industry. – Craig Vincent
I stumbled into it, also I liked the movie (Hackers 1995). The SANS Institute offered my college (US Air Force Academy) scholarships to spend our spring break taking a SANS course. I was a PoliSci major at the time, but our CompSci students weren’t interested in sacrificing their spring break. I was. It changed my life. –Matt Toussain
This is probably the worst answer, but I actually pursued technology/security because I knew the market was large and there were lots of job opportunities and it paid well. A better answer from a security standpoint; when I applied for an internship with BHIS I only had a vague idea of what the company did, and what red teams were. Somewhere in the middle of the interview, I began to realize, ‘Wait, these guys hack people and those people pay them for it? That’s a real job?? I need to work here.’ –Kelsey Bellew
It’s hard to pin down exactly. It could be learning basic networking while trying to bypass school firewall restrictions in order to play games or watch Youtube, accidentally discovering remote connection methods and persistence mechanisms in order to play pranks on friends’ computers, or maybe the lone flyer in a tucked-away corner of college campus that led to a phone call with John where I asked him if incredulously if hacking banks was actually legal. – Ethan Robish
I chose this career as I always enjoyed figuring out how to fix computers and how they worked in high school so thought why not make this my goal. Granted, I took two years between high school and college to make sure it’s what I wanted to do by doing some odd jobs. – Derrick Rauch
I was working in construction from like 1999 to 2004 to get through college and realized how hard it was every day. Looking back, it was nice to leave my work on the job site, but that was where it started. One of my roommates was in the CIS program and loved it. I jumped. HP hired me out of college just about as soon as I graduated in 2005. Tech support, front line – truly the grind. It was the start of four jobs in this field that landed me at BHIS. ProTip: The customer service, tech support, help desk, etc., these jobs are crucial to forming a solid background in computer science. Learn how to solve problems effectively. Learn how to discern between useful web search results and wastes of time. Employers don’t want to hire you for what you know. I generally believe that anyone (some computer background) can be trained to accomplish digital tasks. I can’t train you to manage your time well. We can’t train people to be nice, treat others like human beings, or to be steady under pressure. And truly, those are the skills that will put you at the front of the line. It worked for me and everyone else at BHIS too. –Jordan Drysdale
2)What would be one important piece of advice for someone who is considering going into this field?
I don’t know if you can “start out” in IT information security. I didn’t, I’ve worked hard to get here and consequently have a decent understanding of many different aspects of IT and how businesses actually work. – Kent Ickler
“Try Harder” is the motto of Offensive Security, and it has stuck with me since I was working on the OSCP back in 2011. Both in InfoSec and in life I’ve found that motto to be an extremely important staple of how I get things done. There are many times when you will hit a wall and think something is too difficult and want to give up. Just know that there are vastly unexplored territories in computer security that likely contain vulnerabilities that will only be discovered by pushing yourself further.
Another motto that I live by now is one I learned from Mike Felch (@ustayready) when we were working on the “Bomb Defusing” challenge at DEF CON in 2017. That motto is “Fail Fast, Fail Often, and Fail Forward”. When you are working on solving a problem spend more time failing and less time analyzing the problem from a distance. Document what you did, why it failed, and then try something different. If that fails too that’s okay. The key here is to learn from what you did so that you can arrive at a solution sooner.
I know you only asked for one important piece of advice but here is a third: Learn a programming language. It will be an extremely useful skill that you will be able to utilize to modify a current tool, or write a brand new tool. – Beau Bullock
Be ready to always learn and sometimes be frustrated. IT/Security is always changing and things that work three weeks ago may not tomorrow. – Derrick Rauch
Don’t specialize too soon. Develop a broad base of fundamental skills before getting into “security.” Programming, networking, database management, system administration, etc. If you don’t have a solid grounding in the systems and environments you want to secure, you’ll always be struggling. (You’re going to struggle anyhow, but without a good background, you’ll waste time struggling with the wrong things.) –Brian BB King
Get as much hands-on experience as you can. Build some sort of lab or test environment at home. Even if you’re just practicing exploiting some of the intentionally vulnerable virtual machines that are out there or messing with your own network, that experience is super valuable. John’s 5 year plan webcast has some good examples of things you can do for cheap/free at home. – Craig Vincent
Don’t worry too much about the degree. After I got the bug for hacking I figured computer science was the field to go. For me, changing majors was a mistake. As a fuzzy major, I was spending time tinkering with things, coding on the side for my own edification. As a computer scientist, I was given designated “assignments” to accomplish. It sucked the passion and perseverance out of me while simultaneously giving you challenges with known solutions to solve. One of the most critical skills in information security is the ability to go off-script. There is no better way to learn this than to tinker… on your own. While a STEM major may provide some value in my experience this pales in comparison to sheer passion, proven ability, and experience. While you are studying take the opportunity to look beyond your degree, find and contribute to open source projects, tinker. – Matt Toussain
Find some aspect of cybersecurity that really interests you, and make a personal project out of it. This will teach you so much more than you could just learn in a class, and talking about that project makes you an excellent candidate during interviews. –Kelsey Bellew
I’m going to echo what others have mentioned: find a mentor (ideally local). Go to security conferences if you are able or find local city or college meetups if they exist. Find other people in college who are interested in the same thing. Try to find a security professional locally (try searching LinkedIn, Twitter, Facebook, or conferences) and meet up with them. Just try to be as likable as you can and respect their time. Show your enthusiasm and willingness to learn and help. If you already have skills, chances are you can find an internship where you can do your utmost to contribute and learn. We love interns who are self-driven, ask questions and find ways to add value rather than wait for someone to have the time to give them step by step instructions. Or if you still have some basics to learn, take any advice a mentor can give you, take action, and then report back after a few months with what you’ve accomplished, learned, etc. It’s a huge compliment to take someone’s advice and actually put it into action. Not only have you shown you respect that person, you have also shown you are self-driven, able to learn, and that you now have more valuable skills and experiences to bring to the table. – Ethan Robish
I’ve sold the ranch on this one already, but here goes. It is okay to take an entry-level job in IT at a help desk, for a local ISP, for a local firm that provides some form of managed services. Desktop technicians become server technicians. We hire server techs because they know how to make the world go around. Learn about networking. I don’t mean people networking, I mean connecting systems together. Learn what layer two is (MAC to MAC device communications – ARP) – switches live here? Why does ARP matter to layer three communications (routers live here)? Layer four is protocol communication — HTTP is port 80, SSL is port 443. So, my web server is mac aa:bb:cc:dd:ee:ff at 10.1.1.10 and is listening on port 80. What does a packet destined for this device look like? Truly, learning how to communicate with this device from a local device at 10.1.1.20 and what those packets look like, verses from my house, and routers, these fundamentals are so crucial to the functioning of the general internet and business as a whole these days. The fundamentals of infosec start with networking. –Jordan Drysdale
3)What was the biggest hurdle that you encountered when you were first getting started in information security and how did you overcome it?
Biggest hurdle I had was the impersonation syndrome. It’s real. I knew a little about a lot of things. For a long time, I tried to keep up with my co-workers’ careers. Turns out everyone brings something important to the table. Working at BHIS is great because we work together, share ideas, knowledge, experiences. We all grow and all become better security analysts, hackers, and humans. – Kent Ickler
The biggest hurdle I encountered was getting an initial role in InfoSec. I knew from that Ethical Hacking course in college that’s what I wanted to do but didn’t have any experience. While still in college I got an “IT-related” job in operations where I basically was in a SOC but mainly just kept things running. It wasn’t really an “InfoSec” role though. I was able to eventually shadow with the security department at the company I was at to get my feet wet in InfoSec. Eventually, I applied for a “Systems Analyst” job at another company but in my interview, I spoke a lot about my interests and motivation to work in a computer security role. They actually ended up creating a brand new “Security Analyst” role for me after that interview. – Beau Bullock
The internet was brand new which meant there were very limited resources. Understanding deep technical vulnerabilities meant I had to understand the inner-workings of the technology so that I could understand the security problems when they were introduced to me. In the late 90’s early 00’s, we would gather on IRC channels and collaborate on discovering new security vulnerabilities then release the details in e-zines. It boiled down to having an inquisitive thought-life, being surrounded by a group of people smarter than me, and always being willing to share regardless if I felt it was share-worthy or not. – Mike Felch
I think having no security experience was probably the biggest hurdle. When I had a chance to represent my team (a kind of development group) on a project being run by the security group at my company, I jumped at it. I did my best to understand the project’s goals and how it would affect my team. I asked questions, found answers, and got to know the person leading the security side. After a few weeks of working together, I asked him if they were hiring. He said they were. I applied and made an internal transfer to the security team based not on my security skills, but on how I handled that project. –Brian BB King
I struggled with trying to find a balance between work and life and I finally realized and accepted that one can not know everything in this field and that is okay to focus on what you enjoy in it and don’t let life pass you by. – Derrick Rauch
Figuring out what I actually wanted to do was probably the hardest thing. When I started looking at getting into infosec, it was kind of daunting how broad the field was. There were many different paths to get started on, and many of them required some very different skills. In terms of how I overcame it? I guess you can say I brute-forced it because I got it wrong the first time! I used to think I wanted to be a malware analyst. It wasn’t until I had spent hundreds of hours studying, developing those skills, and playing with malware samples that I realized I really wasn’t cut out to be a malware analyst. Some things sound like way more fun than they actually are, and malware analysis just wasn’t for me. The best advice I could give to someone starting out is to try different things until they find something they really enjoy. – Craig Vincent
My biggest hurdle was the gaping holes I had in my networking knowledge. Most of the testers at BHIS at the time came from very varied backgrounds where they had lots of experience in everything computer related, or they had previously worked as network administrators. When I first started (and coming from a strictly computer science/coding background), I hardly understood the difference between an internal and external network. I overcame this reading a lot of technical articles/Wikipedia/RFCs, getting first-hand experience, and asking a lot of questions even when I thought they would make me sound dumb. –Kelsey Bellew
Going from college to an extremely small consulting business, there was very little feedback or direction. With college, you have grades on every assignment so you know if you did well. With work, you’ll only really ever know if you seriously screwed up. If you’re very lucky you will know if you did well but most of the time you just have to find your own self-confidence while still staying humble and being receptive to any feedback that may come your way. – Ethan Robish
With my first job solving complex networking problems for enterprise customers at HP, it was immaturity. I was young, did not have a large support network around me. It took my manager being one of the best people I’ve ever met (still text) to get me headed in the right direction. I didn’t know how to talk to people, look them in the eye. I didn’t know how to listen either, which turned out to be way more important. As my life in IT progressed, there were lots of other challenges along the way. Learning how to balance life, right? We all need to have healthy habits outside the workplace, which was easy in Colorado. Hiking, biking, snow riding, all those things. Family eventually, lack of sleep. As pay goes up, generally so do responsibilities. I carried an after-hours pager for a long while, which sucked. Bad, especially already being tired and getting calls in the middle of the night. At BHIS, I quickly realized there was something significant missing in my background. I have been struggling to write scripts, code, programs and basically develop functional code since I started here. I’m still struggling with this today. –Jordan Drysdale
A huge thanks to all of our testers who took time out of their busy schedule to help answer these questions!