Derek Banks //
ADVISORY: The techniques and tools referenced within this blog post may be outdated and do not apply to current situations. However, there is still potential for this blog entry to be used as an opportunity to learn and to possibly update or integrate into modern tools and techniques.
More than occasionally I am asked how to get into Information Security as a profession. As attacks and breaches continue to escalate in frequency, the demand rises for information security talent. I also frequently hear from those in a hiring role that it is hard to find people with the right skill set. So how does one land that job in a field that by some counts will have a shortage of 1.5 million workers by the end of the decade? The answer is to develop good hacking kung fu.

When most hear the words “kung fu” they think of Chinese martial arts. This is not entirely inaccurate from a Western perspective, but the meaning in Chinese is closer to “the result of time and effort”. One must invest the time to learn the technical skills involved in attacking and defending computer systems and networks to develop their hacking kung fu in order to get that Infosec job that previously seemed out of reach. Just like learning the martial arts, getting started can be painful and the right mindset is key to becoming successful. It is also necessary to find a mentor and practice, practice, and practice some more. It may be easier for some, for example a systems administrator already in IT, but anyone can learn the necessary skills with the appropriate investment of time.

First and most importantly, you must have a desire and a passion to understand how things work. You have to become someone who wants to understand how a particular computer system functions and, once you figure it out, determine if the workings of that system can be used in ways that the original designers did not intend. In my opinion this is the essence of being a “hacker” and you need to always be in this mindset. Martial arts students learn base moves that are then built upon to create true martial skill. Similarly, in Infosec you need to learn base technical skills that are then used to understand a system and determine how an attacker could potentially take advantage of it.
Infosec Basic Building Blocks:
- Operating Systems
- Networking
- Programming

The first foundation is to understand how operating systems work. You will want to learn both Linux and Windows. Linux because of the tools available and flexibility. Windows because when you land that awesome IT security job the majority of the computers in the organization will most likely be Windows based. The best way to learn Linux is to dive right in and install it and start using it. Getting a book to help you along is a good idea, but nothing will beat the hands-on experience of tinkering with it. For most, the easiest way will be to install Linux as a Virtual Machine on their existing system, which is convenient as you will want to be conversant in the language of virtualization in addition to the operating system fundamentals.

The next key building block is learning networking, specifically TCP/IP, the underlying protocol used for nearly all Internet communication. Depending on your level of knowledge, you should start out with a general concept book, such as Network+ type training material. Next move on to more advanced material like TCP/IP Illustrated. Knowing TCP/IP is critical – almost everything you deal with will interface with it.

Finally, you will need to know scripting and programming to some degree. Your level of exposure to programming concepts will determine what you do here. There are many languages to choose from. However, the easiest to get started with is probably Python. Knowing bash scripting in Linux will also be very helpful. While you will most likely not be developing software for general use, there will be many times where you will need to automate something or develop a simple tool to accomplish a task. Becoming comfortable in one or more languages should be a goal, but know that it will not happen overnight. This can also end up being a significant investment of time in your quest for good hacking kung fu.
Also, create a Twitter account and go follow a bunch of folks in the security community. You will learn about things days and weeks before the information hits news sites. You will see sites and blog posts that you would have never found by just searching the Internet. And even if you just mostly lurk, you will become part of a community that will help you along in your quest for new skills and be a good first step to find someone that will help mentor you.

Realize that this will not be a one-week training course you sign up and pay for; this is a life-long endeavor. Once you get further down the road, just like different styles of kung fu, you will learn that there are subsets to IT Security that you can further specialize in, such as forensics, malware analysis, intrusion detection, or penetration testing (and more), and each has its own detailed body of knowledge. It is an exciting journey that will be life changing and rewarding. You will learn new things all of the time, build upon those, and gain the hacking kung fu skills necessary to obtain and excel in an information security career.