The Information Security Profession – Where do I Start?
I am often asked by individuals to provide advice or guidance on how to get started in the field of information security. Many college students tell me they want to be a hacker, an IT systems penetration tester, or other type of cyber security professional.
I often find it difficult to tell them what to do because for me there was no road map. Nobody guided me in the pursuit of becoming a security professional. I had a hunger to learn about security technology, and that turned into a passion. I wanted to get my hands on anything I could in order to learn more about the entire range of cyber security topics and issues. I constantly played with open source software, read books, and even offered free consulting services to businesses in order to refine my skills and grow my knowledge base.
Granted, some aspects of this approach were not very smart. I probably should have had some legal protection against potential liability when I delivered free services. I might have thought about a direction or career road map to provide a clear plan for obtaining certifications. I might have thought about focusing or specializing in specific areas of information security.
With that said, everyone should start off with the basics. You have to understand the underlying technology before you can begin to secure it. This is why I would recommend learning the fundamentals first, such as the various operating systems (Windows, Linux, MacOS), networking devices (routers, switches) and IP and routing protocols (TCP/UDP, DNS, RIP, OSPF, etc.). I would also include virtualization technologies and the cloud. A good question to ask yourself is: can I explain in detail how an email gets from one inbox to another? Sounds simple, but there are many steps that make it happen.
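To make the "how does an email get from one inbox to another" question concrete, here is an added example that is not part of the original post. It is a small Python simulation of the hops a message takes: the mail client submits it to the sender's mail server, that server looks up the recipient domain's MX record and relays it over SMTP, the receiving MX host delivers it into the mailbox, and each mail server along the way prepends a Received header that lets you reconstruct the path afterwards. The host names, addresses and the MX table are constructed for illustration; nothing touches the network.

```python
"""Toy walk-through of how a message travels from one inbox to another.

Added example (not from the original post). All names, hosts and the MX
table are constructed for illustration; no network traffic is sent.
Modelled hops:

  sender's mail client (MUA) --submission (587)--> sender's MSA/MTA
  MTA --DNS MX lookup + SMTP (25)--> recipient domain's MX host
  MX host --local delivery (MDA)--> mailbox --IMAP/POP3--> recipient's client
"""
from dataclasses import dataclass, field

# Constructed DNS data: recipient domain -> list of (priority, MX host).
MX_TABLE = {
    "example.net": [(20, "backup-mx.example.net"), (10, "mx1.example.net")],
}


@dataclass
class Message:
    envelope_from: str   # SMTP MAIL FROM (where bounces go)
    envelope_to: str     # SMTP RCPT TO (the actual delivery target)
    headers: list = field(default_factory=list)  # [(name, value)] in order
    body: str = ""


def lookup_mx(domain):
    """Return MX hosts for a domain, lowest priority value first (RFC 5321)."""
    records = MX_TABLE.get(domain)
    if not records:
        raise LookupError(f"no MX record for {domain}")
    return [host for _prio, host in sorted(records)]


def smtp_exchange(client, server, msg, port):
    """Simulate one SMTP hop; returns the client/server dialog as text lines."""
    dialog = [
        f"S: 220 {server} ESMTP",
        f"C: EHLO {client}",
        f"S: 250-{server} Hello {client}",
        "S: 250 STARTTLS",
        f"C: MAIL FROM:<{msg.envelope_from}>",
        "S: 250 2.1.0 OK",
        f"C: RCPT TO:<{msg.envelope_to}>",
        "S: 250 2.1.5 OK",
        "C: DATA",
        "S: 354 End data with <CR><LF>.<CR><LF>",
        "C: <headers and body>",
        "C: .",
        "S: 250 2.0.0 queued",
        "C: QUIT",
        "S: 221 2.0.0 Bye",
    ]
    # Every server that accepts the message prepends a Received: header, so
    # the route can be read off the headers from the bottom (oldest) upwards.
    msg.headers.insert(
        0, ("Received", f"from {client} by {server} with ESMTP port {port}"))
    return dialog


def send_mail(sender, recipient, subject, body):
    """Carry a message end to end; returns (recipient mailbox, list of hops)."""
    msg = Message(envelope_from=sender, envelope_to=recipient,
                  headers=[("From", sender), ("To", recipient),
                           ("Subject", subject)],
                  body=body)
    hops = []
    sender_domain = sender.split("@")[1]
    recipient_domain = recipient.split("@")[1]

    # 1. The mail client submits to the sender's MSA (RFC 6409, port 587).
    msa = f"smtp.{sender_domain}"
    hops.append(("submission", "mua.client", msa,
                 smtp_exchange("mua.client", msa, msg, 587)))

    # 2. The sender's MTA resolves the recipient domain's MX and relays on 25.
    mx_host = lookup_mx(recipient_domain)[0]
    hops.append(("relay", msa, mx_host, smtp_exchange(msa, mx_host, msg, 25)))

    # 3. The MX host hands the message to local delivery, which writes it into
    #    the recipient's mailbox; the recipient's client then fetches it over
    #    IMAP or POP3 (not modelled beyond the mailbox itself).
    mailbox = {"owner": recipient, "messages": [msg]}
    hops.append(("local-delivery", mx_host, f"mailbox:{recipient}", []))
    return mailbox, hops


def received_path(msg):
    """Return the servers in the order the message actually passed them."""
    received = [v for n, v in msg.headers if n == "Received"]
    return [v.split(" by ")[1].split(" with")[0] for v in reversed(received)]


if __name__ == "__main__":
    mailbox, hops = send_mail("alice@example.org", "bob@example.net",
                              "hi", "hello")
    for kind, src, dst, dialog in hops:
        print(f"[{kind}] {src} -> {dst}")
        for line in dialog:
            print("   ", line)
    print("Path:", " -> ".join(received_path(mailbox["messages"][0])))
```

Running the script prints the SMTP dialog of each hop and then the route recovered from the Received headers. The envelope addresses (MAIL FROM / RCPT TO) are kept separate from the From and To headers on purpose: in real mail they can differ, which is why forged headers are possible and why the Received chain is what an investigator actually reads.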
My experiences have given me some deep insight into this industry, but I don’t know everything about information security. I encourage the readers of this blog to leave advice or thoughts about the topic in the comment section below.
The first step is to figure out what cyber security, information security, or whatever else you might call this thing we do, actually is.
Security frameworks are useful for understanding the major pieces or parts of information security programs and operations. For instance, ISO/IEC 27002 is a framework (called a standard) that is made up of chapters or major 'pieces' such as identity and access management, security operations, physical security, personnel (think HR operations) security, incident response, and other information security topics. Companies typically pay for a copy of the ISO standard and can get certified as being compliant with it.
But fear not.
There is a freebie framework out there called NIST Special Publication 800-53. NIST stands for the National Institute of Standards and Technology, a non-regulatory agency of the US Department of Commerce. Give it a glance when you have some time. It consists of security controls for federal information systems, and includes a risk management framework used to determine what controls should be applied and under what conditions. That may be oversimplifying it to some degree, but NIST 800-53 is useful for getting an idea about security controls and the 17 areas they cover, such as access controls, business continuity, incident response, and others.
There are also other NIST 800 series documents that give specific guidance regarding the implementation of security functions or operations such as risk management, incident response, vulnerability management, and a wide range of other security-related topics.
This is the first one I would recommend for you. It is not specifically focused on cyber security, but rather on technology (mostly consumer technology). Tom Merritt, the host, is one of the most gifted journalists I have found to date. His show will give you valuable insight into technology and places some emphasis on related security concerns. When guest host Darren Kitchen attends, which is relatively often, the show tends to be more focused on cyber security.
Speaking of Darren Kitchen…he runs the Hak5 Network.
Hak5 consists of multiple seasons of cyber security related episodes made up of shows, topics, guides, tips, and news. Start from season 1 and work your way to the current episodes in order to get caught up and 'graduate' from this piece of your education. I use the shows as wiki-style sources when I need to find information on a specific topic, such as how to create an OpenSSL VPN server.
This is a great one that is very focused on information security topics. You will get the technical aspects of current security issues across a wide range of industries and information relating to hackers and their activities.
There are a few others, but this is a list for beginners. Yes, these podcasts will eat up a few hours of your week, but this is just the beginning of the dedication you will need to successfully pursue a career in information security.
Dr. Chaos Security Podcast
I know it is shameless of me, but I also have a few podcasts that might be worth your time.
Check out our deep dive into understanding malware:
There are some excellent free training programs you can complete as part of your path to cyber security enlightenment. One of my favorite free resources for excellent training is Cybrary. It is a growing community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience. Check them out at https://www.cybrary.it/.
Another resource I would highly recommend is IronGeek at https://www.irongeek.com/. This one is run by security superstar Adrian Crenshaw. Adrian has worked in the IT industry for the last seventeen years. He runs the site, which specializes in videos and articles that illustrate how to use various penetration testing and security tools. Almost all of the best and most recent security talks from the world's top researchers can be found on that site. In fact, if you can't make it to security conferences, simply go to https://www.irongeek.com/ to view content from them!
Read as ‘these will cost you’.
SANS is one of my favorite places for cyber security training. Without SANS, I would not have been able to accomplish what I have in the rapidly evolving world of cyber security. Their training programs are, in my opinion, the best in the world. SANS is the most trusted and by far the largest source for information security training in the world. The organization also develops, maintains, and makes available (at no cost) the largest collection of research documents about various aspects of information security. SANS also operates the Internet’s early warning system – the Internet Storm Center. Check them out at https://www.sans.org/
Certifications have value in the cyber security industry. They demonstrate a level of skill and acumen within the industry. They also demonstrate a level of individual determination to advance a career within a discipline. Certifications basically tell the world that you have a level of competence within a highly specialized field.
Certifications are extremely tough to recommend from my perspective. Just as there are many positive aspects of certifications, I have some issues with them. Certifications, when simply considered by their own merits, might have very little value when evaluating potential employees or vendors and their abilities. Employers need to also analyze an individual’s real-world experience, depth of understanding within their profession, and the passion behind the certifications. Some certifications are controversial in the value they provide, and some professionals believe they are just a cash grab by certification vendors in order to make easy money from hot industries (such as cyber security).
From my perspective, I think certifications provide value. When I started off my career in cyber security, certifications were a good way for me to have a more tangible plan on what I wanted to accomplish, reinforce what I knew, and they gave me a measurement of progress. Just like anything else in this article, certifications will not automatically advance your cyber security career. Hopefully I can give you some perspective and tips for analyzing them and choosing wisely.
These are basic entry level certifications that will familiarize you with cyber security, the general security operational environment, and give you a foundation for expanding your skills and knowledge.
My personal advice is to use books, self-study, and online resources to help prepare for these certifications. With a little work and passion to learn, you should be able to accomplish most of these certifications through your own efforts.
Look into these certifications for your technical training and knowledge base:
I recommend starting off with the Certified Network Defender (CND) and Certified Ethical Hacker (CEH) certifications. Completing the entry level certifications (listed above) and perusing Cybrary for free online training should help you prepare for the CND and CEH. There are also some great classes available for the CEH.
I would recommend self-study for the CND, and (depending on your comfort level) online classes or professional training for the CEH.
I would also recommend getting the Certified Hacking Forensic Investigator (CHFI) certification when you get a little more experience under your belt.
There are also great certifications offered by the SANS Institute. Please understand that SANS courses are premium in price, quality of materials, classroom teaching methods and the overall educational environment. I have spent more money per course on SANS classes than any others, and in every instance I have been extremely satisfied with the results. I recommend looking at the Global Information Assurance Certification (GIAC) arm within SANS. There are about 20 certifications at various levels (introductory to expert), but I would start with the GIAC Security Essentials certification and take a SANS course. You can then build your skills and certifications based on your interests, industry needs, or your professional growth plan.
I like these certifications because they are somewhat niche and make you stand out in the world of cyber security, particularly among other professionals. I strongly believe these certifications can be achieved through self-learning, but be forewarned that they can require a significant time investment on your part. Prior to diving into specialized certifications, I would also assume you have mastered at least some of the courses and certifications listed above.
Here are a few I included as examples. Again, all certifications and training depend on your professional development plan, which you should have created. Look…we talked about this. Make a plan.
This certification is offered by ISACA and focuses on the audit, control, and security of information systems. There is also a strong emphasis on IT risk management and the governance associated with managing IT, security and audit. There seems to be a fairly high degree of respect for this certification within all industries and IT operations.
This certification allows you to understand wireless (802.11) security issues and certifies that you have the ability to secure wireless networks. It is valid for three years, at which point you either advance to a Certified Wireless Network Engineer (CWNE) or retake the CWSP examination. Both certifications are vendor neutral.
Blogs and cyber security news sites are a great way of getting to understand cyber security. I use Feedly as my Rich Site Summary (RSS) reader to catch up with cyber security news on my computer, mobile phone, or tablet device in my free time. I follow over a dozen blogs. I am attaching my OPML file (https://mega.nz/#!GkJAhRqZ!P5Q5GPzvHXMyLXAS5IN8qZRr9Q6PQY1DQ3Hirzh7_MQ), which is basically a personal blog following list. You can simply import this into your favorite RSS reader and start following the same blogs I regularly read. I normally try to wake up early on Sunday and do a few hours of reading each week.
Once again, download my personal OPML file (linked above) for some of the blogs I follow. If I missed a few you think I should have, please leave a comment below.
I included most of them in my OPML export. However, one thing I would modify is putting Naked Security and Motherboard in the top ten. They have had excellent cyber security information in this past year, and in my mind they have really been on top of their game. Christina has them both on her list but I would place them higher in the priority rankings.
BSides is a community-driven cyber security conference. It is organized by cyber security enthusiasts, and most likely there are even a few of them located close to you. These events occur in almost every city. Some of the best cyber security talks, training, and networking events happen at BSides. Normally the cost is minimal or even free.
Each BSides is a community event built for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations occur about the next big information security thing.
You are just getting started
Once you have the basics, you have options for what to specialize in. This might happen over time as you gain experience, or you may already know. You could go for the holy grail and try to master all the different areas, but again that will take time and experience. There are many ways to break up the various security fields, but below I have broken them down into 3 high level areas with specializations within each.
These positions are usually Security Directors or Chief Information Security Officers. They are responsible for building the security programs and ensuring that the right security controls are in place to adequately protect the company's cyber assets. Usually you will use a framework, like ISO or the Cyber Security Framework, to guide you through your security program build-out.
These positions are usually for more senior/experienced people. Depending on the size of the company you may need to be somewhat technical, but a lot of the job is management. If it's a smaller organization, you may have to have both a strong technical and a strong management background. Because of the security skills shortage we have seen many IT leaders move into these positions.
This area is all about using technology and knowledge to defend your cyber assets against the adversary. It's usually the installation, configuration and management of security technology.
Security Technology Management and Monitoring
Managing firewalls/IPS, etc.
Monitoring – Could be in a SOC
Incident Response and Forensics
Malware Analysis / Reverse Engineering
Secure Coding – Developer
Data Mining / Machine Learning, etc.
Security Assessment/Auditing – Part of building a security program
More controls review and risk management
Network/System Ethical Hacking
Web Application Security Testing
Okay, you asked me how to get started in cyber security. You might be asking yourself why I have not spoken about Black Hat, DEF CON, or your favorite cyber security certification, vendor certification, blog, or book.
I did not want to overwhelm beginners that are starting off in the cyber security profession.
As you go on the journey you will discover many more resources that may suit your needs or take you down paths of interests that I simply could not cover here.
I encourage you to share, write, or even blog about your experiences, findings, and what you have learned. Don't worry about your own perception of having limited experience. We all start somewhere, and we are certainly at different levels of understanding across the wide array of topics within this profession.
Ask. Discuss. Contribute. You will be helping beginners and seasoned professionals alike by sharing your extremely valuable perspective and ideas.
Aamir Lakhani (known as Dr. Chaos) is a leading senior security strategist. He is responsible for providing IT security solutions to major enterprises and government organizations.
Mr. Lakhani creates technical security strategies and leads security implementation projects for Fortune 500 companies. Industries of focus include healthcare providers, educational institutions, financial institutions and government organizations.