This has been a fairly common topic over the last year and I'veseen plenty of blog posts and presentations about the subject. For mepersonally, many just don't cover the information I've found to be essentialduring my entrance to InfoSec. The industry of Security spans a very largerange of possible jobs and roles and for the sake of time I will be primarilycovering the areas of security that are of greatest interest to me, those whichI consider to be very technical and hands-on.
Let's explore now some of these topics and my experiences.
How do I get the experience without the job?
The most common question I hear when people ask about getting into InfoSec is very similar to the question you hear from those just leaving college or attempting to obtain a job in many other fields. It's the age-old chicken and egg question. A key difference in thetechnology field is that in many areas this problem is very solvable by youraverage curious mind. Do you go to school? Do you get certifications? Do youtake a non-paying intern positions? How in the world can you get experiencedoing Security, when you don't have the experience to get a job that gives youthat experience?
There's this incredible thing out there that we use every singleday. The Internet has provided us with an incredible source of knowledge thatevery day, people are adding new and new information to that can help you learnand explore.
Consider some possible educational paths:
- Structured Learning
- Self Learning
- Read Books/Tutorials
- Build a home Lab
- Play Wargames
- Publish Code, Projects or a Blog
I myself took the path of Self Learning. I acquired a stockpile ofcomputers and began playing with Linux from my very early teenage years. Thisis my most common answer to people who ask how to learn more about security andbuild their skill set. I do believe there is great worth to a traditionaleducation, but for those who cannot afford it, or do not have the time to goback to school full-time, I believe there are wonderful alternatives.
Reading Books and Tutorials
There is a vast world of books that are available from all yourmajor bookstores and online retailers that spread the broad spectrum ofInfoSec. You can easily find endless resources on Exploitation Development,Application Security, Malware Analysis, Reverse Engineering, Fuzzing, SecureCode Development, and much more. While many of these books are quickly outdated by the speed at which both offensive and defensive security is moving,they are still wonderful places to start and build a foundation from which youcan branch out from and read whitepapers or watch presentations on the most upto date techniques.
- The Shellcoder's Handbook
- Hacking: The Art of Exploitation
- A Guide to Kernel Exploitation
- Malware Analyst's Cookbook
- Practical Malware Analysis
- The Web Application Hacker's Handbook
- Metasploit: The Penetration Tester's Guide
There are also tons of online tutorials that cover a whole rangeof topics from understanding Windows memory paging to specific tasks likehooking/injecting an application. Every day I read at least one new blog postcovering a very specific and exciting new method of exploiting a specific bug,or detailing the inner workings of a new piece of malware.
- Metasploit Unleashed (metasploit/pentesting)
- Lena Tutorials (reverse engineering)
- Corelan Tutorials (exploit development)
Now that you've read some books and are beginning to get an ideaof the theory, how do you get practical experience?
Wargames and Home Labs
For myself, this step and the previous went hand in hand. I would bothresearch and investigate new books or tutorials based on the challenge I wastrying to solve, or would seek out new Wargames to play that were centered onmy specific area of studying.
My first Wargame experience was with the various Web basedchallenges, such as the recent StripeCTF,which covered many of the basic OWASP Top 10 vulnerabilities and so much more.Another invaluable resource is the OWASP Broken Webapp Project, which providesa Virutal Machine loaded with a huge assortment of vulnerable web apps. Some ofthese, like the DamnVulnerable Web App, will help guide you and direct you to specifickinds of attacks. Other challenges will provide a normal looking webapplication and let you navigate your way through the site searching for attackpoints.
More recently my interests moved to Linux Exploitation Developmentand I found myself at the wonderful Smash The Stack website. (Disclosure: Iam co-author and admin of the Wargame Logic atSmash The Stack). This site hosts a collection of Linux servers that youlog in as Level 1, and proceed to escalate your privileges to the next levelup. This can be done through Stack or Heap based Buffer Overflows, FormatString vulnerabilities, or some of the most incredible Logic flaws you'llencounter. The game while used along side the books Hacking: The Art of Exploitation or The Shellcoder's Handbook, will provide you with an incredibleamount of practical experience.
If Malware Research or Reverse Engineering is your interest, thereare many guides on setting up your own home Lab for trying this yourself.
Once you've started doing work, you can share that knowledge withothers.
Writing code, publishing projects or blogs.
A great way to get your name out there and to build a portfolio atthe same time is to publish your own tools, or to join an open-source project and begin writing code. Youwill learn a great deal about software development, the tools utilized, andmost importantly, the process. At the same time you are building your resume bybeing able to provide real world examples to future employers of your work. Youare also showing them initiative and drive.
Additionally, one of the easiest ways to build a name and resume is bypublishing your own online blog. There is an incredible amount of uniqueresearch that is published by professionals, amateurs, and enthusiasts withinthe industry. There is nothing stopping you from hopping in there andparticipating.
You can start with your own record of your trials and tribulationof self-education. I guarantee you during your time of studying that you willencounter interesting and fascinating new things that will inspire and motivateyou to pursue research. Blogging about this process and time line is afantastic way to show progression and personal development.
This topic is always a hot debate. Everyone has their own opinionon the value of certifications. It's a big question that depends on a lot ofvariables. Every area of InfoSec is going to have it's own ideas of whatcertifications matter or are of value. In my personal opinion, certificationsare not required. That being said, I still greatly value them regardless of that statement.My point here is only that you need not feel like you must get certified to geta job. It can and will help you, but is not a requirement in the process.
Since I enjoy the hands on and very technical parts of InfoSec, Ialways value the certifications that exemplify those skills the most. Whenselecting a certification to pursue, I usually start with the end. What is theactual test like? Is it multiple choices? Is there a lab?
The importance here for me is that if the test is 300 questions ofmultiple-choice questions, that doesn't actually verify that the tester canreproduce the material. I personally prefer the tests that end with some kindof hands on lab that requires the tester to actually prove functional knowledgeof the topic at hand.
To what direction you go, will be your choice. Certifications arealways great on a resume, but don't put them above your own personal researchand publications which show applied knowledge.
In the end
Everyone has his or her own path. No one path is right foreveryone. In fact, you should pursue your own path and not follow in everyone else'sfootsteps. I hope this may be of some assistance to you, and I look forward to seeing you in the industry or at conventions!