Sunday, September 7, 2014

Advice for Getting into the Information Security Profession

Each Fall I am a guest speaker for Brigham Young University's Information Security graduate program. Much of the time is spent fielding questions from students. Last week, one student asked, "What should I be doing to ensure I can land a good technical job in Information Security?" Rather than answer right then, I asked if I could answer through a blog post. So here it is.

Assess the security of networks, systems and web apps. Information Security is about protecting assets from unauthorized access and destruction. To be a good security practitioner you have to be familiar with the tactics and techniques for compromising systems. This will enable you to assess your own systems for vulnerabilities, as well as improve your ability to design and operate preventative and detective security controls. Get going on web application hacking with the OWASP WebGoat application, an intentionally insecure web application. Scan your own network and others you can get permission to assess using nmap, Nessus, and other tools.

SecTools.org has a good listing of security software for assessing networks. Get familiar with these tools. Use them.

Code. Pick a language - whichever you prefer. And learn to code reasonably well. I am strongly of the opinion that you have to know how to code in order to know how computers work and how to secure them. Learn by building something. Pick a project and code it up, preferably something with network communication involved. Code a port scanner. Code a web application security scanner. There are a hundred out there, but by building your own you will develop expertise in that security domain.

Resources for learning to code: Codecademy for getting going on the basics, Google searches and Stack Overflow for when you get stuck.

Stand up and operate a small network that is Internet accessible. You have to know networking and you have to know what happens to networks on the Internet. Get a used Cisco switch and use its capabilities to log and control access. Fire up Wireshark and learn the networking protocols.

Resources for networking: Cisco documentation. The Cisco Certified Network Associate (CCNA) material is pretty decent. Wireshark network protocol analyzer. Read TCP/IP Illustrated Volume 1 while you are analyzing network traffic.

Run a network IDS on your network. This will open your eyes to the attacks occurring on the Internet and get you into intrusion detection and response. Use Suricata or Snort.

Wrangle and analyze data. Data collection and analytics are increasingly important in Information Security. Know how to work your way around relational databases, NoSQL databases, and stretch for Hadoop if you have time. I recommend getting going with MySQL or PostgreSQL and Mongo. Use one of these databases in your coding project. Also, use a database to store and analyze traffic from your network.
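As an added example (my code, not part of the original post), here is the kind of starter project the Code and Wrangle-data sections describe together: a minimal TCP connect port scanner in Python that records each run in SQLite so results can be queried and compared later. It scans only 127.0.0.1, against a listener the script itself opens as a constructed fixture; all function names are my own.

```python
import socket
import sqlite3
from contextlib import closing

def port_is_open(host, port, timeout=0.5):
    """TCP connect scan of one port: True when connect() succeeds."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def scan_host(host, ports, timeout=0.5):
    """Scan each port in order; return {port: is_open}."""
    return {p: port_is_open(host, p, timeout) for p in ports}

def store_results(conn, host, results):
    """Persist one scan run so later runs can be diffed against it."""
    conn.execute("CREATE TABLE IF NOT EXISTS scan "
                 "(host TEXT, port INTEGER, is_open INTEGER, "
                 "scanned_at TEXT DEFAULT CURRENT_TIMESTAMP)")
    conn.executemany("INSERT INTO scan (host, port, is_open) VALUES (?, ?, ?)",
                     [(host, p, int(o)) for p, o in results.items()])
    conn.commit()

def open_ports(conn, host):
    """Query the stored results: which ports were seen open on host."""
    rows = conn.execute("SELECT DISTINCT port FROM scan WHERE host = ? "
                        "AND is_open = 1 ORDER BY port", (host,))
    return [r[0] for r in rows]

def _loopback_fixture():
    """Constructed targets: one listening socket (open) and one freed port (closed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here now, so the scanner should report it closed
    return srv, srv.getsockname()[1], closed_port

def demo():
    """Scan 127.0.0.1 for the two fixture ports, store in SQLite, query back."""
    srv, open_port, closed_port = _loopback_fixture()
    results = scan_host("127.0.0.1", [open_port, closed_port])
    srv.close()
    with closing(sqlite3.connect(":memory:")) as conn:
        store_results(conn, "127.0.0.1", results)
        found = open_ports(conn, "127.0.0.1")
    return {"open_port": open_port, "closed_port": closed_port, "found_open": found}
```

Swap `:memory:` for a file path to keep a history of runs and query for ports that were closed last week but are open today.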

Read. Set up an RSS reader such as Feedly and load it with Information Security research and general news sources. Also, stay up on the industry or industries in which you want to practice information security. InfoSec doesn't exist in a vacuum. Know well the context in which you want to practice Information Security. Reading will also help you shape an increasingly integral picture of Information Security trends and inter-relationships.

Some of the better books on my shelf include Practical Unix and Internet Security, Applied Cryptography, Programming Ruby, Building Secure Software, TCP/IP Illustrated Volumes 1 and 2, all the Neal Stephenson books :), Security Engineering, Exploiting Software, Hadoop the Definitive Guide, and Network Security Assessment.

Write. Your ability to communicate well will determine the scope of responsibility you take on in your career. Write up your research. Post it to a blog. Present it at a conference. Be a student of writing well. If you have only one book on writing, get The Elements of Style by Strunk and White. Essential.