Getting Started in Information Security

Not a journey for the faint of heart Dakota Nelson
Aug 18, 2016

Infosec is a way of life.

I’m probably getting nods from half of the information security (infosec) industry after saying that, and a disgusted look from the other half. For better or for worse, security is more than just a job for a huge number of people. What this means for the field is a whole different blog post, but it does certainly mean one thing:

Breaking into the security industry is staggeringly difficult for beginners.

As someone put it to me:

I have tried to learn the basics of it but it seems like an industry that you must love so that you would know about it … and I am struggling with this task.

In other words, “how do I even get started?”

Below are some resources that I and others have found useful for our first adventures in IT security. (have more things you think should be added? let me know)

Keep in mind, though, as you read through the resources below, that security is an enormous field. Nobody can understand it all, much less be an expert at everything. Does that sound intimidating? It shouldn’t - because you don’t have to understand it all. Poke around in the stuff below. Look at the things that seem interesting. Skim aggressively. And when you find something you love? Dive in!

Philosophy

Nope, I’m not joking. Well, maybe a little - these articles provide a great overview of the field that is information security and how to get started.

• Derek Banks at Black Hills Infosec talks about the path to developing your “Hacking Kung Fu” in http://www.blackhillsinfosec.com/?p=4655.
• Parisa Tabriz at Google gives a great overview of security with plenty of career advice over at https://medium.freecodecamp.com/so-you-want-to-work-in-security-bc6c10157d23#.oc408ew0a.

News, Events, Etc.

Staying up-to-date is perhaps the most taxing part of the infosec lifestyle. Everything moves incredibly fast, and the firehose of information can be hard to keep up with - or turn off.

• Bruce Schneier runs a great blog at https://www.schneier.com/ that provides a beginner-friendly introduction to current events.
• Lawrence Hoffman at Black Hills Infosec does an excellent weekly news roundup in his aptly named weekly blog post, Lawrence’s List - http://www.blackhillsinfosec.com/?s=Lawrence%27s+List
• Another fantastic weekly news and events roundup comes from Scott Piper over at https://summitroute.com/blog/.
• Security Weekly is a major information security podcast run by Paul Asadoorian. A massive list of Paul’s RSS feeds at http://securityweekly.com/PaulsFeeds.opml gives a peek behind the curtain at the impressive information-gathering machine powering it all.
• A variety of security experts converse on the DailyDave mailing list at http://seclists.org/dailydave/, which has a notable focus on the larger strategy and politics behind security.

General Overview

One of the most difficult parts about security is that there’s just so much scattered knowledge to know. These lists should help get you up to speed - no need to memorize everything, a good overview and an ability to quickly look things up should do. Find something particurly interesting? Go crazy!

• https://github.com/sbilly/awesome-security
• https://github.com/infoslack/awesome-web-hacking
• https://github.com/enaqx/awesome-pentest
• https://github.com/rshipp/awesome-malware-analysis
• https://github.com/carpedm20/awesome-hacking

In-Depth Introductions

Want a comprehensive compendium of knowledge on a a topic? These are great ways to get started on an aspect of security without hopping frantically across the Internet.

• In Hacking the Xbox , Andrew “bunnie” Huang provides an incredible book introducing hardware hacking and detailing various ways to “enjoy a Microsoft Xbox game console without the mindless tedium of playing video games.” A free copy has been released by the author at http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf.
• Ever wondered how exploits actually work? Hacking: The Art of Exploitation is a great place to start. I’ve heard of people avoiding this book due to the somewhat campy title - something something don’t judge a book by its cover.
• Want to know how to do offensive security professionally? Penetration testing is real, and Georgia Weidman shows you how in Penetration Testing: A Hands-on Introduction to Hacking. (I hear if you use code GEORGIA at checkout good things will happen)
• While this course is somewhat focused on Cobalt Strike, an advanced attack tool built by Raphael Mudge, the lessons learned in it apply everywhere. Check out http://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes/ for nearly 6 hours of great lessons on how modern advanced attackers do their thing.

Conferences

There are security conferences across the world where people come together to talk about and share the things they find fascinating. Most of them record and release their talks, so you can share in the learning even if you can’t travel.

• https://infocon.org/ is an absurdly large collection of talks from a huge number of conferences. Have at it!

The Black Market

Seriously - learning from attackers is a great way to understand what the current cutting-edge techniques are. Adversaries have strong incentives - making a living, not getting caught - to be the best they possibly can. Besides, these are the people you’ll likely be defending against someday. It’s best to get to know them.

• After breaching Italian security company Hacking Team, a hacker calling themselves Phineas Fisher wrote this partly-political mostly-technical article about how it was done: https://ghostbin.com/paste/6kho7
• This groundbreaking report argues that Mandiant, a company which has since been purchased, was able to identify a unit of the Chinese military which is “one of the most persistent of China’s cyber threat actors.” The report is dense, and you can find it at https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf.

Hands-On Practice

Actually putting your knowledge to use is the best way to learn, but hacking especially can be a bit difficult to get experience in without breaking a law or two. Here are some ideas on how to do it the right way.

• For those just starting out in security, https://picoctf.com/ is a great starting point. It’s meant to be beginner-friendly, and provides a very polished experience to learn some hands-on security techniques.
• In the same vein, http://pwnable.kr provides great introductory challenges with slightly less gamification.
• What’s a CTF, anyway? https://trailofbits.github.io/ctf/ctf.html provides an excellent introduction.
• Now that you know what CTFs are, want a big list of them? Look no further than http://security.stackexchange.com/questions/3592/what-hacking-competitions-challenges-exist.
• Perhaps you’d like all the CTFs on a calendar? Don’t worry, https://ctftime.org/ has you covered.
• If you’d like to practice in a more freeform environment, you can use https://www.dionach.com/blog/review-of-purposefully-vulnerable-applications-to-practice-hacking to help you set up your own systems to play around with.

People

You have more questions? Many others have gone before you, and most of them are happy to help. There are more wonderful security people on Twitter than I could possibly count, but here are eight in no particular order to get you started:

• @mubix
• @dafthack
• @egyp7
• @dotMudge
• @SwiftOnSecurity
• @thegrugq
• @strandjs
• @harmj0y

Overwhelmed? Take a deep breath: you don’t have to know everything. Skip around, skim for things that look interesting, and only dive in if you want to. Everyone was a beginner once - focus on discovering something you find fascinating. The joy of learning is the real objective here - enjoy the journey, and keep in touch.