Getting started in Information Security

I recently had a college student ask about getting into Information Security. Here’s his question:

My biggest issue with my current education is the broad scale and lack of clear direction on how to achieve my goals. I know that I am very interested in penetration testing. Ethical hacking in general is a very big interest of mine. But as for what area of security, I’m not even sure what the options are.

Cool – sounds like the biggest thing is to explore, and decide on a first direction knowing full well this may will change as you learn more. You may want to try writing your current goals down, and working toward them (or, better yet, working backward from where you’d like to be).

Penetration testing – or as you call it – ethical hacking, is still a very… tradecraft career. Fundamentally though, it’s a form of testing. The best thing you can do is dive in and start learning about the systems you’ll be coming up against. If i had to choose a tester that had a bunch of certificates and lab experience vs a tester that knew and had been an  administrator of systems he’d be testing, i’d choose the latter.

Penetration testing has split into some broad specializations – though it’d be best to sample amongst them

  • Mobile & IoT
  • Web Application
  • Network
  • Embedded

OWASP is good for learning web and mobile attack methodologies.

Carnalownage, Metasploit, Offensive security are good for learning network attacks.

Re: certifications – there are some really really good courses certifications – PWK/OSCP/OSCE. You should focus here first and foremost if you’re going to do a certification.

You’ll want to check out netsec’s career thread – this happens quarterly. This will give you a great sample of existing careers, and you can start to research on the things you’ll need to learn.

There are many [other] threads on the net about how to get started in infosec.

Here’s another one i wrote about 10 years back, specific to penetration testing. It’s amazing how much of this is still relevant.

Reddit’s /r/netsec is a great resource for staying on top of what’s happening in the technical security field

Stack Exchange is another one with a bit more of a question/answer focus – good for researching when getting started.

As far as building a reputation while you’re in school, the best things you can do:

  • Get on twitter and start contributing – there’s a strong contingent of security folks on twitter
  • Jump on Github and start publishing tools / code
  • Jump on Bugcrowd and HackerOne start reporting bugs, building a profile.
  • Publish papers, blogs, code, anything that you can point to as a resume builder.
  • Go to conferences, meet folks. Find positive folks that will help you, and find ways to help them.
  • Learn everything you possibly can.

You’re looking for a job in a field that has massive unemployment, so you’re in the right place at the right time. But be warned, it’s a fast-moving field and requires you to be motivated if you want to be good.

It’s worth noting that the penetration testing / consultant career path generally requires a significant amount of travel, and can be disruptive to a family lifestyle. This isn’t always true, and there are certainly ways to make it work, but worth thinking about. Thoughts on work / life balance are for another post.

The one piece of advice i give everyone interested in getting into the field: Provide value without asking for anything in return. If you find someone you want to work with, just ask… how can i help? … Guaranteed, they don’t get asked that enough.

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s