tl/dr; There are a lot of ways to get into infosec. I’ll try to outline some of the things that have helped me along the way and provide some resources to help you.
We recently had the pleasure of sponsoring BSides Kansas City. Side note: if you haven’t been, you should really consider going. This is a great con. As a sponsor, we had a booth in the vendor area, which allowed us to meet many of the attendees. While I was working the booth, I had at least a dozen students, both high school and college, stop by. Every one, regardless of what school they were at, introduced themselves and had essentially the same question – “What would you recommend I do to get into infosec?”
The possible answers here are nearly limitless. There are so many paths that can lead to a successful career in this industry and I can only speak to the things that I believe helped me. I’ll try to summarize those here.
Culmination of Experience
The experiences we have and the things we learn along the way provide each of us a unique perspective on solving problems in our industry, irrespective of the particular specialization. The one thing I feel has made me effective as an analyst, incident responder, and penetration tester, is experience with a broad range of technologies and skillsets. In my career, I’ve been a web developer. I spent time on the helpdesk. I’ve run an ISP which gave me networking, email server administration and Unix experience. I’ve been a developer. As a Windows admin, I had experience with windows workstation and server OS, DBA experience, and Exchange administration experience.
You can learn a lot of these skills on your own thanks to the wonders of virtualization. At one point, I had 13 computers in my bedroom. Now you can have all of that in one workstation with a little extra RAM. Figure out a technology you want to learn, and build the infrastructure to support it. I wanted to learn more about databases, so I wrote a web app that used a PostgreSQL backend. I wanted to learn about Java, so I wrote an app that monitored environmental sensors and stored that data in an RRD database and displayed graphs of that data in a web app.
Eventually I wanted to learn about security. The number of resources here are practically overwhelming. There are so many different vulnerable VMs and online challenges that you can spend years learning. My basic recommendations are the same for everyone. Here are some of my favorite resources:
- VulnHub – a repository of vulnerable VM images
- OverTheWire – A collection of security challenges in different disciplines you can play online
- SmashTheStack – A collection of security challenges in different disciplines you can play online
- HackTheBox – An online penetration testing lab. The Pro option gets you accessed to retired machines for more testable machines.
- SANS Holiday Hack Challenge – An annual affair designed to test skills in several different infosec disciplines
This list is not meant to be comprehensive. It’s just a good place to start that will keep you busy for a long time. Please note, this list is more offensively focused, as that’s where my interests lie. There are other resources out there if you’re interested in reverse engineering, or forensics, for example.
In addition to technical experience, I’m 100% serious when I say I believe the various humanities classes I took in high school and college have been extremely beneficial. My music history, art history, and literature professors taught me more about critical thinking than any other courses I have taken. They taught me how to think about the world differently. This is a critical skill in information security.
I’m not talking about routing and switching here. I’m talking about building personal relationships here in the real world. My career has benefited tremendously by building relationships with other people. I simply would not be where I am today without the people I’ve met along the way.
For some of us, meeting and talking to new people is intimidating. How do you meet new people and build relationships? Jake’s tweet here sums up my approach perfectly.
Lots of people note that extroverting is hard. It is. It’s not natural for me either. I just find someone along the wall not talking to anyone else and say “Hi, I’m Jake from Rendition. I do Red Team and DFIR. What do you do?” This will start a conversation most of the time. https://t.co/C0QqharJZa
— Jake Williams (@MalwareJake) April 29, 2019
But why is this important, especially if you’re new? The answer is simple – you don’t have the resumé experience yet. The person you meet at a con might be able to get your resumé in front of the hiring manager when HR will reject you for not having the “necessary qualifications.”
In an ideal world, all you should need is the necessary experience (work, school, or otherwise) to get the job. We don’t live in that world. Who you know is at least as important as what you know, so it’s in your best interests to get to know more people. Find a local con, like a BSides event, and meet some new people. If you don’t have a BSides near you, look for an ISSA event, or an ISC2 meetup. Get involved in the computer security club at your university. Seek out some of the great infosec Slack channels.
Getting Experience Without a Job
If I were in the position to be hiring someone new to infosec, there are several things I would look for to demonstrate experience and willingness to learn. In no particular order:
- Speaking Experience – Whether it’s at a con, a local meetup, or a presentation at the university computer club, this demonstrates a willingness to learn new material and put yourself out there.
- Personal GitHub – Reviewing a candidate’s GitHub tells me several things – Can they write code? Reviewing pull requests and issues helps me understand how they communicate difficult technical concepts. It also demonstrates a willingness to contribute back to the community, which is something I value.
- Personal Blog – A personal blog helps me understand someone’s writing style. How do they convey difficult technical concepts? What are their interests? It also demonstrates a willingness to contribute back to the community.
- Involvement in a university computer club or CCDC team – This demonstrates that the candidate is willing to go beyond the minimum necessary course load and that the candidate is interested in learning outside the classroom.
- Participation in CTFs / HackTheBox – This tells me the candidate is interested in learning more and challenging themselves. If they’ve placed well, it also demonstrates technical aptitude.
- Attendance at Cons – This tells me the candidate is likely curious, interested in learning new concepts, and likely interested in meeting new people.
I don’t have a formal education in computer science or security. When I was in college, computer security wasn’t a career or offered as a curriculum. If I was looking at college as a path to an information security career I wouldn’t look any further than Dakota State University.
The DSU students I’ve met have all been incredibly bright and talented. I’ve met graduates who work at the NSA and other three letter agencies, well-known shops like TrustedSec, and many other sought-after employers. The professors and the curriculum are top notch, and are well-respected by many in the industry. If I got a resumé from a DSU alumnus, I would definitely give that candidate a closer look.
No blog on getting into infosec is complete without sending its readers to Lesley Carhart’s fantastic blog posts on this subject. Lesley provides tips on writing a resumé, tips for learning, and a fantastic series on breaking into infosec. You can find the blog at https://tisiphone.net/category/security-education/