Getting started in information security…. notes to a student

Recently had a college student reach out for advice, and thought i’d share with the class:

My biggest issue with my current education is the broad scale and lack of clear direction on how to achieve my goals. I know that I am very interested in penetration testing. Ethical hacking in general is a very big interest of mine. But as for what area of security, I’m not even sure what the options are.

Cool – sounds like the biggest thing is to explore your options, and decide on a direction knowing full well this may change as you learn more. You may want to try writing your current goals down, and working toward them (or, better yet, backward from the end result).

Penetration testing is still a very… tradecraft career. The best thing you can do is dive in and start learning the underlying systems you’ll be testing. If i had to choose a tester that had a bunch of certs vs a tester that knew (and had admin’d) systems he’d be testing, i’d choose the latter.

Penetration testing has split into some broad specializations – though it’d be best to sample amongst them

  • Mobile
  • Web
  • Network
  • Embedded

Owasp is good for learning web and mobile.

Carnalownage, Metasploit, Offensive security are good for learning network.

Re: certifications – there are some really really good courses certifications – PWK/OSCP, and some really bad ones CEH/CPT,LPT. 

You’ll want to check out netsec’s career thread – this happens quarterly. This will give you a great sample of existing careers, and you can start to research on the things you’ll need to learn.

There are lots of [other] threads on the net about how to get started in infosec.

Here’s another one i wrote a few (zomg, 6) years back, specific to penetration testing

Reddit’s /r/netsec is a great resource for staying on top of what’s happening in the technical security field

Stack Exchange is another one with a bit more of a question/answer focus – good for researching when getting started.

As far as building a reputation while you’re in school, the best things you can do:

  • Get on twitter and start contributing – there’s a strong contingent of security folks on twitter
  • Jump on Github and start publishing tools / code
  • Jump on Bugcrowd and start hacking, building a profile 🙂
  • Publish papers, blogs, code, anything that you can point to as a resume builder
  • Go to conferences, meet folks. Find positive folks that will help you, and find ways to help them.
  • Learn everything you possibly can.

You’re looking for a job in a field that has -10% unemployment, so you’re in the right place at the right time. But be warned, it’s a fast-moving field and requires you to be very motivated if you want to be good.

It’s worth noting that the penetration testing / consultant career path generally requires a significant amount of travel, and can be disruptive to a family lifestyle. This isn’t always true, and there are certainly ways to make it work, but worth thinking about. Thoughts on work / life balance are for another post.

The one piece of advice i give everyone interested in getting into the field: Provide value without asking for anything in return. If you find someone you want to work with, just ask… how can i help? … Guaranteed, they don’t get asked that enough.

Hope this helps.

Also: I ran across this while writing, and there’s some classics here :).

This entry was posted in Uncategorized. Bookmark the permalink.

5 Responses to Getting started in information security…. notes to a student

  1. A very good post. I’ll shamelessly plug my blog post which tries to help young people in moving up career ladder in big consultancies like KPMG:

  2. Taylor Banks says:

    Awesome post, @jcran!

    I would also add that joining / attending your local “dc group” (defcon groups, circa 2003) is an awesome way to get involved in the community and meet LOTS of other like-minded infosec geeks.

    I founded the Atlanta group, dc404, in 2003 and was the PoC through late last year (when I sold the house, bought an RV and disappeared into the night). Across the past 8+ years, we’d see an average attendance of ~20 – 40 ppl/mo, including students, n00bs and jaded career infosec curmudgeons alike.

    Some rather well-known and highly regarded speakers cut their teeth giving presentations at dc404 almost a decade ago, and hundreds more have both taught and learned many important lessons at dc404 meetings throughout the years.

    For those in Atlanta, check out (better yet, join the mailing list, where I’ll be sharing this post momentarily), and for those in other cities, check for your area code. 🙂

  3. Pingback: David Tomaschik: Getting Started in Information Security | Hi-tech news

  4. Interesting post jcran!, what you are missing I think is “Computer Forensics” that is also a great subject to learn and explore 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s