Updated: Oct 27, 2018
[Lesley Carhart, Full Spectrum Cyber-Warrior Princess]
Starting an InfoSec Career – The Megamix – Chapters 1-3
Even once a person realizes he or she has a passion for information security, moving in the field can seem a daunting task. The education market is oversaturated with degrees, certifications, and training programs. Meanwhile, many prominent hackers mock those programs publicly. Although I’ve touched on security education and training quite a bit, I’m continually asked to provide a resource for people who are trying to transition from school or other fields into Information Security roles. Ours is a healthy job market and we do need qualified and motivated applicants. The jobs exist, but we repeatedly see candidates being given false advice to get them.
With tremendous and very much appreciated help from many of my colleagues and friends in the field, I have endeavored to compile a comprehensive blog about starting an InfoSec career. This is a very lengthy blog broken into sections that may help people as parts or as a whole. We want you to succeed in our field. As always, please feel free to ask questions or leave comments / gripes / suggestions.
Chapter 1: The Fundamentals
Unfortunately, for all the interminable hacking tool tutorials and security guides floating around the internet, many InfoSec job candidates haven’t grasped two fundamental concepts:
To hack something (or defend it from hacking), you must have a solid understanding of how that thing works.
InfoSec is not a career that can be put in a box once you go home from work or school. You must be passionate enough about the field to be continually learning and aware of quickly changing current events. If you want a career that you can forget about once you go home at 5:00 PM, InfoSec is probably not the right choice.
The really intriguing thing about InfoSec and hacking in general is how they draw heavily from knowledge of all sorts of IT subjects. It’s difficult to understand attacks, malware traffic, or intrusions without a firm understanding of network ports, protocols, and architecture. Similarly, it’s difficult to understand malware or identify system compromises without a firm understanding of operating system architecture, hard drive construction, or programming fundamentals.
There’s a misconception that sophisticated attackers use lots of malware and exploits. This is simply not the case. The better a hacker is, the more likely he or she is to leverage preexisting software and tools to compromise a network whenever possible. With malware comes more risk of detection and forensics. It’s a wise choice to use an excellent understanding of the command line and remote execution to move laterally across a network.
If you’re considering a career in InfoSec please evaluate yourself on your knowledge of basic computer science and networking concepts. If you’re weak in one of those areas, consider some outside study. Merely following a Metasploit or an Ophcrack tutorial will not teach you how to be a good hacker. Understanding how Metasploit modules and communication work, or how Windows passwords are stored and passed may eventually. (Almost universally, I find more value in a candidate who can read a pcap than one who can execute msf console.)
In regards to the second concept – in some ways we as a field are victims of our own success. InfoSec jobs are advertised as high paying and cutting edge, so there has been a surge of graduates and applicants. Unfortunately, being a good security professional is something tremendously difficult for any training program or school to teach. Without an outside interest in learning more, enhancing skills, and studying current events, entry level candidates are often tremendously skills-weak.
I often screen candidates with relatively simple questions based on malware and technologies commonly seen (and documented) in the last 3-5 years, as that tends to be newer than university curricula. It’s also very popular to simply ask candidates what they are doing on their own time to enhance their security knowledge. Often, this question leads to silence (which given the wealth of free resources available is a dead giveaway the person will probably not work out). We will discuss some inexpensive ways to improve InfoSec knowledge at home later on in this blog.
Chapter 2: Choosing Education and Certifications
The debate over the value of (costly) college degrees in InfoSec is a continual and heated one, and likely will be for quite some time. I’m often asked if getting a (Associates, Bachelors, or Masters) degree is necessary to get a foot in the door in InfoSec. In the US, the answer is usually no. As I discussed previously, InfoSec interviewers usually value motivation, critical thinking, and self-study above all else while selecting entry level candidates. It is quite possible to write a resume which includes volunteer work, talks, and personal projects related to the field, and these usually are much better conversation starters than a degree.
That being said, there are a few notable exceptions. Government agencies and large corporations still tend to value degrees highly and may even refuse to waive them as a requirement for their hiring authorities. So, without a degree, resumes may simply be ignored by mandatory computerized HR screening.
Secondly, within these types of organizations, pay grade or promotion may be contingent on having a degree, so an entry level person without a degree might have to go elsewhere to move up. Be cognizant of the requirements at the place you’re seeking employment.
Personally, I usually view degrees favorably when they’re financially feasible. They show dedication to a task for two or more years, and an interest in some subject. I also trust credible universities to teach students general business skills like reading, presenting, and report writing (all of which are underappreciated but valuable in security). Thus far I haven’t seen much value in specifically gaining an InfoSec degree – I have come to expect those general skills to be taught better at a credible university in a History program than in an InfoSec program at a for-profit degree mill or technical school. Also, as I previously mentioned, established IT programs such as Computer Science, Computer Engineering, and Network Engineering can bring a lot to the table in terms of general knowhow.
Certifications are a trickier question because there are so many out there, and they serve different purposes depending on the niche field the applicant wishes to get into. I’d consider certifications a ‘nice to have’ for an entry level candidate – they are not likely to tip the balance much in a hiring decision, but they usually don’t hurt. (One exception: Due to the employment requirements and the purpose of the certification, I find it inappropriate when entry level applicants with no experience have [somehow] obtained their ISC2 CISSP ®. The certification is made for people already employed in the field with a number of required years in the field, so it looks a bit fraudulent.)
More appropriate for entry level candidates is the CompTIA Security+. It’s cheap, and it serves two purposes. The first is demonstrating some basic security terminology and concept knowledge. More importantly, it makes candidates eligible to perform government contract work under 8570 requirements. The CompTIA Network+ is also a safe bet, as it shows a bit of that basic network knowledge we’ve been discussing. Neither certification shows an advanced knowledge of their subject, but they are a good choice for getting a foot in the door.
I’ve recommended SANS / GIAC line of certifications in the past because I find their training and tests some of the most legitimate. Their certifications are some of the most technically respected to have on a technical resume. However, their certifications are also extremely expensive, with courses and books in the thousands of dollars and tests in the hundreds. There are some options to decrease the costs like their community offerings or work study program, but they may still be out of reach for entry level folks. If you can easily afford a SANS course and GIAC certification, absolutely take one applicable to your field (good general choices are GSEC or GCIH). If you can’t, don’t take it to heart – wait until an employer makes them financially available to you.
Offensive-Security offers the OSCP certification and course which is a fantastic choice for InfoSec applicants who wish to take a more offense-based route (or indeed, as exposure to those techniques to anybody in InfoSec). It’s real-world lab heavy. The course and certification are still expensive at around a thousand dollars, but may be more realistic than the cost of a SANS course.
I personally do not recommend EC-Council certifications for entry level candidates at this time unless they are specifically required for a role.
I’ll suggest some specific training and certifications as we discuss specific roles later on.
Chapter 3: InfoSec Fields and Niches
There was a time in the 19th century where a ‘scientist’ often meant a generalist – a respected scientist might have knowledge of biology, physics, and chemistry. As those fields grew in complexity, it became increasingly difficult for one person to remain current with all of the research and knowledge involved in even a single broad field. Today, we see scientists specialized in very niche fields, each with its own wealth of research. InfoSec is very similar. While in the 1980s a single security specialist could conduct penetration tests, configure firewalls, and investigate breaches, today that is much less common. There are many disparate fields which make up information security and an important decision for any InfoSec professional is finding which of those niches is are a good fit.
The first thing we have to understand is the distinction between the ‘red team’ and the ‘blue team’. While there is often some overlap in InfoSec job roles, we generally separate them into two broad camps – offense (red team), and defense (blue team). You may wonder why legitimate, “white hat” hackers would need offense. Consider the people who conduct professional penetration tests of organizations to generate reports on their deficiencies, and the people who conduct research into vulnerabilities. These are “red team” jobs.
The path to becoming a Blue Team InfoSec professional is usually somewhat different than the path Red Team professionals take. That’s not to say it isn’t tremendously wise for the two camps to cross-train. It’s difficult to conduct good offense without having a general knowledge of defense practices, and vice versa. We will discuss specific red team and blue team roles in the next two chapters.