Going from Zero to Zero.One
The Firehose of Death
If you’re looking for a nice, little yellow-brick road to follow to the promised land of a job in information security, I think you’ll want to stop reading here.
As you may know already, information security is one freaking huge field. You go to learn something and then you need to pause to just pick up a little something else first to help you, but oh, there’s just another little something to help that something and on and on.
I’m used to dealing with mounds of information and the nonstop nature of tech learning, but it’s still a challenge to keep up in the security field. I can only imagine what it’s like for someone newer to all of this.
So, rather than ramble on, here’s a quick n dirty list of things I’m doing to get myself marketable for a job in the infosec world (aside from building this site to show off my passions). I’ve gleaned this information from watching many talks and reading many articles, so it’s a mash-up of goodness.
Be sure to check out my infosec resource list where I put down people to follow, videos to watch, things to read and generally where to find stuff.
GOAL: The goal of this long article is to present a possible list of things to learn and activities to complete to demonstrate to a potential employer that you’re passionate about information security and to help you (and me) learn awesome things.
I don’t have cable/sat TV nor do I spend a good bit of money on entertainment. Why? Because there’s so much good stuff to watch and listen to online. I linked to my resource list above, but if you’re just starting out, I can easily recommend the single must-do/see thing online.
… wait for it …
IronGeek (aka Adrian Crenshaw) has a killer YouTube channel, which shows talks from all the great cons out there. Forget Netflix and Hulu, his channel is the real deal: DefCon, Shmoocon, Derbycon, B-Sides, etc. You can visit his site and get to the videos from there (or go right to YouTube). I tend to watch it nightly.
Code or Die
Short version: Learn Python for starters
Depending on what you’re looking to do, the level of coding know-how needed varies. I’ve been a developer for about 20 years now and in that time I’ve coded in several languages and while I continue to experiment with new ones, it looks like the garden-variety information security professional can do well by knowing one scripting language: Python.
Ideally, you’d know every language under the sun, but that just isn’t very likely. Also, knowing how to write Hello World in a language is meh and knowing how to code in a language today and how to code in it a year from now are usually two different things (read: if you’re not actively using a language it’s fading away slightly each day usually).
One reason why Python is extra good is it tends to be included in many Nix server distros, so knowing it can help you get things done.
Scripting For Fun and Profit
So you know Python and messed with C a little. Super. What now? Well, to round you out, you’ll want to at least get your hands a little dirty with two more goodies:
At the time of this writing, I have BASH experience (to a point) having done some server administration back in the day, but Powershell is something I need to check out.
I’d recommend checking out Pluralsight for quick training. For example, I’m thinking of checking out “Powershell v3/4 Essentials for IT Admins”.
And for Bash, they have this 4-hour training series: “Shell Scripting with Bash”.
Get Your LAB On!
Reading is great, but doing is vital. You need to get your hands dirty.
If you’re curious what’s in my lab, go read about it here.
What you need in your lab really depends on what your goals are. At a minimum, try to have a good base system where you can launch VMs off of, so that you can train up and experiment.
I’ve found the eBay can be a good source for older/used hardware. For example, I’ve bought Cisco routers and switches on there for $20 and older routers for $15. It’s worth browsing eBay with a cup of coffee now and then.
We Have But One Flag
One of the things you’re going to want to do very often is CTFs (capture the flag). I’ve heard many people say time and time again that CTFs and messing with VMs in the lab is where they got 70%+ of their skills and know-how. Do it!
What’s great is a lot of CTFs have walkthroughs from people, so even if you don’t know where to start, you can follow along and start learning.
Tip: Many cons have CTFs, so try to search for the con and CTF or CTF Walkthroughs, like this: “defcon ctf Walkthrough”
Here are some links to VMs, CTFs, etc (see my main infosec resource list for more):
- Vulnhub - A great start. Be sure to read the FAQ!
- DefCon CTF
- OWASP WebGoat Project
- Hack This Site! Great site to start playing around. Be sure to read the about page before starting.
Bringing Home The Bacon
At the time of this writing, I’m not employed as a information security professional (I’m a developer), so take this all with a grain of salt.
I tend to see a lot of paralysis by analysis going on (hell, I’ve done it myself from time to time). I see many individuals who want to be active in this field, but don’t know where to start or what to do. On one hand you have someone saying they can’t find enough people to hire and they need everyone. On the other hand, you have someone saying don’t even bother until you know a,b,c,d,e,f,g,h…z and have 20 years in this or that.
The way I see it is this: find what you’re passionate about and start doing it right now. Don’t wait until you think you know “enough” to get going because odds are you’ll never get that feeling as there is always a firehose turned right in your face with this stuff. Take me for example. I really want to be in this field. I spend each day just doing stuff (listening to podcasts, watching talks, setting up things, playing around). One day I know I’ll be in the field either because I know enough and/or some employer will realize just how hard I train/learn and see where my passions reside.
Suit up and start walking.