Breaking in to Security - The Conclusions, Part 2
In part 1 I looked at the quantitive data I collected so in this part I'll be going through the qualitative answers. If you can't remember which is which, like me, numbers in part one, opinions in this part.
When going through all the answers to the questions in this part I found a lot of repetition, both in the answers to a single question and also across questions. Some trends were very easy to spot and I'll try to document those as best as I can. There were also some very good off-the-wall answers which I'll throw in for their pure comedy value.
What do you know now that you wish you'd known when starting out?
The biggest thing which came up in this section was that it isn't all about your technical ability. People skills, managing management and supporting clients was considered very important. When working as a consultant you will be spending lots of time on site, or at least on the phone, with clients so you have to be comfortable dealing with them.
People skills are also important if you are an in-house consultant. If you can think of your boss or the department you are testing as a client and be able to treat them like that when necessary then your job will be a lot easier.
"I think it's important to note that information security is a role in a company that involves dealing with people. Brush up on your public speaking and negotiation skills. I'm much better at hacking silicon than I am hacking carbon, but each is important. Take time to learn and practice those soft skills."
Along a similar line, having business skills helps you empathise with the people you are doing your work for, be that clients or internal departments. These next two answers help explain this:
"Security is a balance between risk mitigation and corporate earnings. Companies must continue making money to pay your salary. Ergo, the best security may not be the right security."
"Business skills are more important than technical skills."
Security is rarely considered the top priority for a business so doesn't often get the funding and support we in the industry feel it deserves. Quite often usability will trump security, as will costs. In these situations you have to be able to understand why this is happening and be able to put up arguments which will stand up at the appropriate business level. If these arguments fail then having alternative suggestions is always useful. It is also a good idea to make sure your suggestions are fully documented in case an incident occurs which could have been prevented, this isn't so you can gloat after the fact but to ensure you are covered in case someone comes after you for not preventing the problem. Finally, you soon learn that companies are never 100% secure, despite our best efforts. Don't get hung up on this just do the best you can.
Another related area is report writing. It is an area of the job that very few people enjoy doing but to do your job well you have to write a good report, as this answer says:
"It's all about the report... you can be the best penetration tester in the world, but if your report sucks, so does your test!"
Your report has to be able to convey the findings of your work, be it a pen-test, PCI audit or even a reply to a help-desk ticket, in a way that the intended audience can read it, understand it and act on it. Some reports are read by a variety of people, from non-technical upper management to low level admins, the report has to be able to be understood by all of these users.
Techies are generally an introvert group however the security community is generally a very friendly one and networking is a vital skill. This comment says it all:
"Get out there and network, don't be shy we are a friendly lot"
While on networking, I'll add that you should also be networking within your company, especially in-house staff. Being friendly with people from different departments breaks down opinions that are often formed against security staff. We are often the ones who say no to Facebook or force them to have 10 character passwords that need changing every 30 days. If we have allies in the different departments we can explain the reasons to them and let them spread the word. Friends in the finance department are also useful when budget time comes around and you need that new firewall or friends in HR when the training budgets are decided.
A few last comments which I think are worth including:
"You will live in hotels"
"Pen testing is not so glamorous as it appears"
"Cons are bad for your liver"
What one piece advice would you give to someone wanting to start a career in security?
The overwhelming answer in this section was that knowledge is everything, the more you know the more opportunities you have, be that the opportunity of getting DA on a test or of getting that next job.
These two answers go well together:
"Set a lab environment up to practice with, virtualisation makes these easy these days."
"Study hard, do the labs and exercises, experiment with tools"
Before you even think about applying for your first job make sure you have the basic skills for the sector you are interested in. For pen-testers that means putting together your own lab and running tools against it. VMWare, VirtualBox and various other VM tools are available so a single machine with a bit of power will be able to run various different scenarios. I highly recommend getting a Microsoft Technet subscription. In the UK I'm paying £99 a year for access to all MS OS platforms and major applications, for me it is a no-brainer.
One of the great things about being a pen-tester is that most of the tools used day-to-day are free and open-source and those that aren't often have free or demo versions you can play with. Grab a copy of Kali, Samurai WTF or one of the many other live ISOs and get learning.
"Develop skills in other areas of IT (system administration, network management, development, etc.) either before or in addition to InfoSec"
Most of the people currently in security had their start in a different field then moved over into security and this answer reflects this. The belief is that if you don't know how to configure and administer a network or write a web app then you won't be able to fully test/audit/defend it.
A question I had at the end of my BSides talk was about ethical hacking university degrees and how they fitted into this way of thinking. My honest answer is that I've not seen enough people in the industry who have come in direct from university to be able to give a good answer. The ones I have met have been people who would have ended up in security regardless of what other career they started in, these are people who have the natural passion for security.
I personally believe that being a developer for 10+ years before starting testing has given me a very good insight into app and web-app testing. I know the mistakes I've made over the years and have a good feel for how apps are running behind the scenes without ever having to see it. It also helps me to talk to my clients, for example after a web app test I can sit down with the developers and explain what I found and offer remediation advice in a language they understand. I can also empathise when they tell me why they made certain decisions and how the stress of a release deadline forced shortcuts that none of them wanted to make but were forced to.
I think over the next 5 years the first set of students who came out of ethical hacking degrees will start to move beyond junior position and will start to become known, this is the time we will find out whether going straight into security is a viable option or whether having a solid background is really a requirement.
This group of answers all fall in to a category I'll call "Get yourself known":
"To get involved in different projects and contribute, there are a lot of open source projects you can contribute to in different ways."
"It's all about reputation. Certs are useful, but if you are unknown you won't be taken seriously. Get out there, meet people, and learn from them!"
"Start a blog.. not for fame and glory but more for keeping a record of what you learn. Doesn't matter if no one reads it, do it for yourself"
One of the really good things about the infosec community is that when you have a problem you can usually ask a question and get an answer. Something you will find though is that if you have a bit of a reputation and people know you then you are more likely to get an answer quickly. I've been saved a number of times while on site by being able to go directly to the author of a tool and ask them about a problem I'm having. Even if the answer is "Ye, I know that is broken", which I've had, it saves you the time messing around trying to work out why the thing isn't working.
How you get that reputation is up to you but a good way to get started is just to start contributing to forums or mailing lists. Start by asking questions, when you get answers say thanks and if you can give some feedback. You will soon find that you are able to start to answer questions or at least offer suggestions. People will pretty quickly start to recognise your name. Don't worry about stupid questions but when you are asking things don't expect to be spoon fed answers, ask specific questions, mention what you've already tried and show that you have put some effort in already. Having someone expect you to put in effort to answer a question when they don't show that they have put any effort in themselves is a way to create a bad reputation.
Starting a blog is a good idea, even if what you are doing seems really basic. Remember most people have gone through the stage you are going through and if you are stuck on something, or can't find instructions on how to do it, then there are probably a load of other people out there in exactly the same position. Even if you just write things to document them for yourself then it shows interest and is something you can show to a prospective new employer. I've written a few blog posts just because I've got a technique that I often forget so need a way to remember it. Whatever you do though, avoid plagiarism at all costs. I've seen too many blogs that just scrape content from other people blogs. Some will reference the original author, usually in small print, but often no source will be given. Stealing other peoples work will quickly get you shunned from the community and a bad reputation is very hard to shake as some companies are finding out. Check out attrition.org to see some of this in action.
If you are a developer then creating tools or contributing to existing projects is a good way to get to learn new skills and get your name out there. As with the blog, if you find that you need to do something and there isn't already a tool to do it, then write it, there will be other people wanting that tool. If you are not a developer then you can still help out with existing projects. Projects always need people to write user guides, maintain web sites, design logos, beta test and do all sorts of other jobs that they don't get time to do themselves. If you get known as the person who can write a good how-to then you will soon get a reputation, and a lot of work.
The last suggestion for this category is to join a group, whether it is a virtual or physical group. Hackerspaces are being created all over the world and are great places to meet like minded people, similarly Defcon groups and 2600 meetings all attract hackers and security enthusiasts. If there isn't a group in your local area see if you can set one up, doing that will definitely kick start your reputation. IRC and forums are good virtual groups to get involved in. There are loads of IRC servers and channels out there so don't be put off if the first ones you try aren't for you, keep looking. As with the mailing lists, start by listening, then when you've got the feel for how the channel operates start to contribute.
This next answer is just one of a bunch of similar:
"Learn to program (scripting at least)"
As I showed in part 1 the general opinion is that programming, while not essential, is a very useful skill to have.
I spotted this comment and feel that it is a very important one:
"Learn whats going behind the tools you are using"
A lot of people learn how to use tools but never bother to understand what the tool is actually doing. Without knowing what is going on when you run the tool you always run the risk of things going wrong, or at least not going as you expect, and when something does go wrong you should always be able to explain what was happening at the time and assess what happened and what possible damage has been caused.
Some comedy answers from this section:
"Work your ass off! Everyone else does so you better get used to it." - Most of the time but we also party hard as well
"Get in bed with the operations and finance people (not literally, however this might also help)"
Is it OK to "practice" on sites/ companies without permission if you don't do any damage?
The overwhelming answer to this was "NO". There are now so many vulnerable virtual machines, applications, products etc available that there is no need to go after someone elses network. Even legitimate researchers who have accidentally found issues with products or applications and have attempted responsible disclosure have been threatened with legal action so if you try this don't be surprised if you get caught.
The answer that best sums this up is:
"Only if you want a new 'room-mate' called Bubba......"
What I'm not covering
There are two questions left that I'm not going to cover in this conclusion:
What do you see as the next up and coming area?
Is there anything you feel you did wrong that you would advise against?
This is because I want you as readers to go and look through the raw data yourselves. Going through it you'll find some really interesting information, much more than I could put in these two blog posts. You are also likely to find trends that I've not spotted or things that are more suited to your own situation. Remember, I set this up because I wanted to try to get a non-biased set of answers but as soon as I put it out there I realised that I'd created it with questions which were biased by my experiences. By digging through the data you will be able to negate some of the bias that I've added in this write up.
References
I'm just going to list these, your homework is to go out and find the good ones:
- Podcasts
- Mailing Lists
- Forums
- Conferences
- Youtube
Finally, check out Infosec Mentors, they are a group who help put together industry experts with industry new blood with the hope that both will learn from each other. And I have to give a mention to SecurityTube where you will find a whole host of security related videos and free courses.
Final Conclusions
- If you aren't passionate it is just another job
- Get stuck in, learn and show your interest
- Don't be afraid to ask questions - but show you've tried to find the answer yourself first
- It isn't all about the tech
Final Thanks
Thanks to everyone who filled in the survey and who helped promote it, without you this project would not have got off the ground.
