Getting Started in Security

I get a lot of people asking me how they can get involved in security.  Some of them are IT pros who have been in their careers for many years while others are new, like a help desk novice.  But they all want to get involved because security is the exciting place to be.  It’s the hot place that isn’t going away, unlike the rest of IT that, it seems, management seeks to automate out of existence.

Well, they’re right.  Or some of them are, at least.  It’s currently the sector least likely to be automated out of existence, but that’s largely because it’s currently too complex to do.  I remember when a lot of IT was like that.  We did much of our work by hand, as scripting was a luxury, especially on Windows.  Security will come to that point, too, but it will probably be a little while.  There are simply too many legacy systems around for it to be otherwise.

Anyway, here are some tips for getting involved in security.  These are based on my own experiences coming up from informal desktop support through servers and then into security.

  1. Start thinking like security people.  Security people by and large think…differently.  The hacker ethos is there, and it’s not just about breaking into systems.  It’s about changing things to get the desired outcome.  This applies to offense, defense, and things that have nothing to do with either.
    Here’s the hard part: If you don’t know how to do this, by all means, ask.  We’re usually happy to explain how we approach our work.  Have lunch with security people you know.  Read papers, books, and weblogs.  Watch videos from past conferences.  Even better, attend conferences like DerbyCon and your local BSides, places that are welcoming to people who are new to the field.
    Once there, ask to join a conversation.  There’s a good chance you’ll be able to join, even if just to listen.  Don’t pretend you’re better at something than you are, because you’ll be found out in about nine seconds and shunned.  And they will remember you if they see you again, like across the table in an interview.  Security is a much smaller field than people think.
  2. Integrate security into your daily work.  If you work on the help desk, start asking yourself how the callers’ actions could cause security problems, taking notes about your thoughts and running them by your security staff (another reason to have lunch with them).  If you’re further along, learn how to harden the systems you maintain.  Don’t change anything without permission, of course, but read about others’ experiences, and realize that one size does not fit all.  Just because a respected guide recommends wiping the page file on reboot doesn’t mean it’s a good idea for your environment.  The more you do this, the more you start thinking like security, the better you’ll get on with them, and the better chance you have at joining them one day.
  3. Integrate security into your daily life.  This isn’t just hardening your home systems.  Learn to spot security issues as you go through life.  I have some friends who think it’s sad and/or paranoid, but when I walk into a building, the first thing I do is start looking for ways to subvert the security in case of an emergency.  This develops mental reflexes that are necessary in any security role, as the ability to spot something amiss and react to it is critical regardless which side you’re on.
  4. Set up a lab and tinker.  Scrape together a system at home and install a free hypervisor like VMware ESXi, KVM, or Xen.  Or get a copy of VMware Workstation (or Player if you can’t afford it) or VirtualBox and install it on your workstation.  Download ISOs of older software like CentOS 5.0 and start looking up exploits against them.  Once you find them, look for ways to mitigate them without patching because patching is not always a solution for a number of reasons.
  5. Learn multiple operating systems.  You’re going to be interacting with a lot of different gear from different times.  If you’re most comfortable on Windows, start learning Linux.  When you do, it’s best to dive in, spending at least a week using it as your sole operating system to force yourself to learn how it works.  Then find other environments that you don’t know and learn how they work.  You’re not necessarily going for mastery, but some familiarity with how they work goes a long way.
  6. Learn a scripting language.  Even if you’re not a developer, you need to learn something about automation.  You have two primary choices based on default installations: Python for Linux and PowerShell for Windows.  A third option, primarily for Linux, is Ruby, which is in some ways easier and more compact (and Metasploit is written in it).  Regardless, you need not be an expert (though it helps), but you should be able to read a script and describe its flow.  Find an idea and start writing it yourself.  You’ll likely do it badly, but if it’s yours, you’ll have more passion and drive to finish it, and that will help you learn.
  7. Keep your eyes open.  Security opportunities won’t always be as obvious as position postings.  Have lunch with security people.  Volunteer to work on security projects (even if security people aren’t involved).  Volunteer your time with non-profits: the smaller ones, especially, can use some help.  Go to conferences (the point bears repeating).  There’s value in who knows you as they might pass word of a new opportunity along.
  8. Don’t whine.  Very few people got into security purely by luck.  Many of those who did failed to get anywhere.  Getting into security usually takes work.  Getting ahead in security takes more work.  What will irritate security people is when someone whines incessantly that they can’t do something but clearly haven’t put forth any real effort.  Show you’ve put forth the effort and you stand a chance of getting in and/or getting ahead.

That’s what I usually tell people, though this is (amazingly) a much shorter version of the discussions I usually have.  I’m happy to talk with anyone who wants to get into security.  We still need all the help we can get.