Exploring Information Security


My recommendations for getting started in security

BSides Nashville 2017

I feel like I’ve been asked this question before. “What advice do you have for getting started in infosec?” I swear I’ve been asked this before. I don’t think I have though. At least that I can recall. Usually, the questions are more specific than that.

I believe there are multiple paths to getting into infosec. I’ve talked to a lot of professionals in the field and there are no two paths alike. Everyone’s path is different. First, I would ask you, “What do you want to do?” What are your aspirations in the field? I want context, because I’ll provide someone wanting to go into pen testing with different advice than those going into digital forensics. Both fields have their positives and negatives. Make sure you understand both. I would strongly recommend looking at the negatives more than the positives.

Pen testing is the area I see a lot of people wanting to get into. Did you know that 60% of your time will be writing reports? Yes, you have to have good communication skills to excel as a pentester. You also have to know what actionable advice you can give to an organization. The best pentesters can provide advice with context. “I know you still have to run XP for your business to operate. Have you thought about putting those machines on their own VLAN?” If your advice to a hospital is to upgrade their XP machines, you’ll be frustrated a year later when you find the same issues haven’t been addressed.

For me the “fun” is solving the challenge of securing those vulnerable applications running on a legacy OS, and understanding and responding to the chaos that is the newest named vulnerability. One of my most eye-opening experiences was discovering that our application running IIS was in fact vulnerable to Heartbleed, because our WAF was Linux-based. Then I had to report that to leadership and provide guidance on whether to keep the WAF in place and be vulnerable to Heartbleed, or turn it off and be vulnerable to other types of attacks. Defense is the more intriguing and challenging side of security.

Don’t get me wrong, I love my hacker buddies and marvel at the things they can do. I just find it more satisfying to build something in security that is lasting and makes a positive impact on an organization. Occasionally I get to break into things and assess an application for security issues (not something to overlook if you want to red team). Most of my time is spent hardening systems and applications.

I recommend working your way up the IT ladder. It’s very important to understand how a help desk works. How a server works. How a network works. My belief is that security is an advanced niche within the IT field. You don’t get into security coming straight out of schooling unless you’ve already worked with computers for several years. Some people can make the jump into security and be successful (remember multiple paths). They usually have several years of experience working with computers on their own.

I think there are benefits to working in other departments before jumping into security. Most security controls are put in place by other departments. Having an understanding of their goals and challenges helps when working with them towards a security solution.

My experience is along those same lines (yes, I’m biased). I joined the Navy for six years as an Electronics Technician coming out of high school. I got some computer experience along with some other general electronics experience. The most beneficial thing I learned in the Navy was troubleshooting. I learned how to troubleshoot issues on circuit boards: figuring out if it was a transistor or a chip that was causing the issue, and what an open and closed circuit meant. A lot of those same techniques applied to troubleshooting a computer, a server, a network issue, and a security problem.

I got to patch our machines on the SIPRNET (secret military net). Handled the creation and deactivation of user accounts. Being stationed in San Diego allowed me the opportunity to tag along for a ride to Las Vegas to attend DEFCON. I had no idea what I was doing (the casinos were fun). I did attend a few talks and found them fascinating. It didn’t exactly spark an interest in security at the time (maybe a seed, though). I had a great time serving in the Navy and I learned a lot. I was able to put a lot of my experiences on a resume.

After the Navy, I pulled cable and inventoried electronic equipment. I didn’t apply myself as much as I could have coming out of the Navy, which is why I ended up working entry-level IT jobs. I had the experience for positions higher on the IT ladder. After about six months of that I landed a system analyst II role (advanced help desk) at a manufacturing plant. I got some good computer experience, with a little server and networking experience.

I also got some security experience. Try keeping manufacturing workers from writing the password (in marker) on the floor computer monitor. The computers on the floor needed constant maintenance because they kept getting malware on them. I worked with the network team after we were told our phone bill was through the roof. Someone was using our phone system to make long distance calls due to a vulnerability in the phone system (patch your shit).

From there I moved to a network/system administrator position with the state of South Carolina, at the Department of Juvenile Justice (the kids knew all the good proxies). This is where I started to learn the ins and outs of network and system administration. The first appliance I got to play with was our SourceFire box (intrusion detection system). It had been set up and never touched (or monitored, for that matter). I started getting familiar with it (why are we talking to China?!?) and set up my online SOC for identifying machines that needed to be cleaned or reimaged. I also got introduced to forensics and some other security concepts. My other responsibilities included web filter, spam filter, load balancer, imaging, and backup administration (sucks!). All of those responsibilities have played into my roles as a security professional.

After that I jumped to my first security role with the Department of Employment and Workforce. Six months into that role our website was defaced. Mind you, this was two to three months after the Department of Revenue announced a breach (we made the local news). My previous experience allowed me to be useful during our response to the incident. At one point, I had two different vendors on the phone (in the wee hours of the morning) asking them to explain how the attack had gotten past our WAF and intrusion prevention system (IPS). My experience from previous roles, both in the security field and outside it, allowed me to remain calm and collected.

My recommendation for getting into security is to get some information technology experience first. I promise you’ll be doing security-related activities in those roles.

This blog post first appeared on Exploring Information Security.