Aug 05 2010


I’ve seen a few “how do I get started in security?” posts online recently.  This is a running attempt to put together an answer.  Note that a lot of these are from my subjective experience.  They may not work for you.  Other people may also tell you additional, or conflicting information.  Do your own research, draw your own conclusions.

This is also not a laundry list of what you should learn, check off, and put on your resume — but a bunch of topics to consider gaining some degree of familiarity in.  Many of these I’m by no means an expert in, but I’m at least familiar with the concepts and have the basic understanding needed to figure them out and how they apply to my job.

The Technical Basics

You can’t learn security unless you’re familiar with the technology it deals with.  Learn the fundamentals.   Here is a very incomplete list.  You will never be able to do everything on it, at least not in depth.

It’s only fair to note that I come from an operations / architecture background, and that my primary experience is in network and systems security, plus authentication and cryptography.  Draw your own conclusions.

Operating Systems

Installation and management (systems administration).  My tip:  Start with one of the *BSDs (OpenBSD, FreeBSD, NetBSD) and Linux (any distro — what’s important is figuring out how to use the command line, what files are where, etc.), then Windows.  Set up a bunch of virtual machines (using VMware or VirtualBox or equivalent).  A lot of companies use Solaris (get a copy of OpenSolaris and play with it) and AIX, although you’re not likely to get access to many of the enterprise-level software they use.  Learn systems administration, buy a good UNIX book.  Learn about jails / chroot and virtual servers.  Understand Windows Group Policy Objects (GPOs).  What is a kernel?  How does an operating system’s boot sequence work?  Where are logfiles kept, what formats are they in, and how do you configure system and application logging?

Coding / Programming

Scripting and programming.  UNIX shell scripting, Perl, C, C++, Java, Python, VB.Net, anything.  I was never good at much of this beyond very basic scripting, and that sucks.  If you go into any kind of either operations or investigation work, you’ll need this.  PHP, ASP, HTML and other high-level “languages” also help.  Understand the difference between compiled and interpreted, low-level vs. high-level languages.

Networking

Understand subnets and know how to calculate network masks.  Learn what routers, switches, and hubs are.  Know the basics of wired and wireless data networking.  Understand how different operating systems and applications deal with networks.  Learn the OSI model.  What are router ACLs?  VLANs?  Know how MAC addresses work.

Network Security

What is a firewall and how is it different from a proxy server?  What is a packet filter?  Download something like m0n0wall or pfSense and set it up.  Buy a hub and learn to sniff packets with tcpdump and Wireshark.  Play with Netcat and get two Netcat sessions talking to each other.  Understand Nmap and how it works.  Learn what load balancers, reverse proxies, IDS and IPS do and how they work.  What is host-based vs. network-based IDS?

Applications

Set up Apache and IIS.  Set up MySQL, Microsoft SQL Server, or another relational database, and install multiple databases in a single instance.  How does ODBC work?  Set up a DNS server and learn about DNSSEC.  Set up an SMTP server and get it sending and receiving mails.  Learn about POP, IMAP, SMTP, Exchange, and their secure variants.

Authentication and Encryption

How does LDAP work?  What is Kerberos, NTLM, PAM, SASL?  What are SSH/SFTP/FTPS, and can you get passwordless SSH working?  What is ‘salt’?   Learn how to use John the Ripper and other password crackers (e.g. Cain & Abel).  What are rainbow tables?   Set up sudo.  What is RBAC and how does it work?  Why shadow passwords?  What are file/directory permissions and how are they configured?

Understand the difference between symmetric-key and public-key encryption.  What is SSL / TLS?  Can you set up OpenSSL and issue your own certificate?  What is X.509 and what are digital certificates?  What is a PKI, a smart card, a root certificate, a CRL?  What is a hash?  What are checksums?  Can you set up PGP/GPG?  What is IPsec, and what are its different implementations?  Can you set up KAME between two hosts?  What are cookies and how do they work / how can they be abused?  What is the difference between encryption, signing, and non-repudiation?

Other Tools

Download and play with BackTrack and learn some of its tools — Wireshark, Kismet, Metasploit, etc. — it also includes some of the applications I mention above.  Play with dsniff and at least familiarize yourself with what its various components do.

Security / Cracking Techniques

What is penetration testing?  White box / grey box / black box testing?  What is SQL injection?  How does XSS work?   What is a buffer overflow?  How does fuzz testing work?  ARP spoofing?  Session hijacking?  Privilege escalation?  How would you sniff network traffic (hint — see above)?  What are different kinds of keyloggers?  What is a virus, a trojan, a man-in-the-middle attack?

Non-Technical Stuff

A lot of security is based around laws and best practices.

Laws

You should be aware of legal issues surrounding the following, across various jurisdictions:

  • Privacy
  • Data protection
  • Wire and communications fraud
  • Reporting obligations

Related laws also concern the following:

  • Financial disclosure and due care (e.g. SOX 404)
  • Medical records (e.g. HIPAA)
  • Risk management (e.g. Basel II)
  • Safety and due care laws
  • Contract law

There are a lot of laws that cover things like financial risk, operational risk and liability, intellectual property / secrecy rights, and rules of evidence.  They vary hugely between jurisdictions.  Keep this in mind.

Standards and Best Practices

The past years have seen an increasing degree of standardization and development of frameworks that may at least be useful as references.  A few examples with at least some security relevance:

There are also innumerable organizational requirements and contractual standards (e.g. stock exchange security rules) that a company or group may have to follow.

My personal advice:  give yourself at least a basic idea what the big ones are (in your field and cross-disciplinary), and what they’re about, take what makes sense.

Concepts

What is risk?  What is a vulnerability?  What is a threat?  What is CIA and why is it important?  Figure out the differences between privacy and anonymity.  How is availability calculated?  What’s the difference between a policy, a procedure, and a process?  Who is responsible for what, where, when?

Education and Networking

Courses and Certifications

Technical

I took a few basic Cisco and systems administration classes — these were helpful, but I’m not a big fan of coursework.   Your mileage may vary.  In addition, I’ve done several individual sessions (for example, an Nmap “dojo” with the guy who wrote it) that were pretty helpful.  Most of my knowledge comes from experience and personal learning, though, so I can’t comment.  My general opinion:  great, if you can get someone to pay for it.

Degrees and Diplomas

Groups like Royal Holloway, ETH Zurich, and CERIAS offer diploma courses in information security.  What do I know, I have an undergraduate degree in international relations from Cal, and an MBA.  Not directly academically useful to my career, but very interesting in terms of environment and exposure to people smarter than myself.  That should be your primary goal anyway.

The NSA has a list of accredited schools with information security programs.

Security-Specific

There exist tons of security courses, including SANS trainings, ISC², and others.   I passed the CISSP exam, which was interesting-if-basic, and decided against throwing more money at certifications.  As with the technical courses above, my personal opinion is that if you can get someone to pay for it and to give you the time for it, superb.

Subjective view:  I would be suspicious of any employer that requires technical certification if you have any kind of professional experience.

Dan Guido (see under “Other Resources”) has a list of courses if that’s your thing.

Conferences and Networking

A lot of this field is about meeting people.  Plus, conferences can be a lot of fun (often you end up going out and getting drunk with a bunch of geeks, which is usually rewarding in itself, in addition to actually letting you watch good presentations.)

I’ve attended http://cansecwest.com/ and CERIAS, which are about as completely different as it gets in terms of focus.

The downside is that a lot of the security area is about personalities — don’t let that discourage you.  Odds are you’ll never be a vulnerability research rock star with fawning hordes of nerd groupies, but that’s not the goal, right?

Meet people.  Again, meet people.  Get to know them.  Don’t worry so much about making friends with the “big names”, but familiarize yourself with the people in your company, in similar companies, in your city, and in your field.  I run a small security mailing list, originally designed to let IT security types in Switzerland get together for beers and pizza.  Do the same.  Stay in touch — these people are your network (and can be pretty cool to boot.)

Try to help others as much as you can — on forums, and on mailing lists.  In addition to being good karma, it often will help you learn for yourself.

Books and Materials

RFCs are your friends.   They’re written extremely densely, but the information is there.

Sign up for mailing lists, specifically in aspects that interest you (these are often flooded, so don’t try to take in everything at once.)  Security Focus is a good start.

Check a few pages regularly for information on security vulnerabilities.  Secunia and the F-Secure blog are decent.

Other Resources

Dan Guido has a good writeup of what to look for.  Look for pages written by people like Bruce Schneier, there are too many to even start listing.

Career Decisions

What do you want to do?

This is a tough one, seriously.

I wanted to be a UNIX systems administrator, back when tech was still fun.  Then, one day, someone dumped a firewall book on my desk, and said, “you’re the security expert, read up.  Congratulations.”  I bounced around in architecture, operations, compliance, policy, and training work, before ending up doing mainly incident response and risk management.    In fact, most of the people I know who are good at “security stuff” gradually evolved into their roles, rather than deciding early on “I want to do this or that”.

Of course, to be fair, nowadays a lot of the field is more structured.  Your mileage may vary.

This is a really arbitrary, artificial list.  A lot of the following fields overlap heavily:

Operations

Mainly network security and authentication.    Lots of systems administration.  Usually lots of relationships with OS- and application administrators.

Architecture / Development

Designing and creating stuff.  Can be “low-level” (i.e. network security architect, which firewall goes where), or “high-level” (designing policies and rules for putting various types of technologies to different kinds of use.)  Could also involve writing software or configuration files.

Research

Either academic, commercial, or individual (whee, lookit me, I h4x0r3d a web site).  You try to find new vulnerabilities, or work on new security technologies.

Policy and Compliance

The people who write the rules of what companies should do to ensure security.  Relevant to audit.  Generally high-level, deals with laws, best practices, and organizational-level risk management.

What I currently do (security risk assessment) is related to this — I work with projects and try to make sure their technology is reasonably secure and they follow all the rules, then suggest ways they could do things better, pre-emptively.

Penetration and Code Testing

What it sounds like — you get paid to try and break other people’s toys and tell them what they should do better.  Usually nowhere near as fun as it sounds like, as it mostly involves fairly strict limitations (e.g. you can’t take down banking systems, you have to follow strictly defined procedures) and lots of paperwork (letters of authorization, formatted reports, etc.)

Forensics, Investigation, and Incident Response

This is fun, but occasionally frightening and frustrating.  Its main component is following up on abuses of policies and laws.  This includes, but isn’t limited to:  attacks from inside and outside, harassment, violation of technical policies, industrial espionage countermeasures, and electronic fraud investigation.  Also deals with damage control from things like denial of service attacks or other things going wrong.

It tends to also involve cooperation with architecture and operations people, in terms of things like preventative or reactive patch management.  Warning:  may seriously impact your faith in human decency — from the management attitudes and legal techniques you deal with as much as the rancid child pornography you’re likely to be exposed to.

Where do you want to work?

Never forget that, in almost any security job, you’re a service provider whose job is to restrict what people do.

It’s important to figure out if you want to work for yourself (can be very difficult at first), as an employee, or as a contractor.

My experience is mainly in the following fields:

Financial Services

Banks pay well.  They’re among the biggest security consumers.  They tend to have access to lots of new technology and move pretty fast, but are also lots of management.  Can often be very personality-driven, usually more formal than other work environments.  Depends heavily on whether you work in private, retail, or investment banking, insurance, finance, or others.

Medical / Diagnostic

Much slower-moving than finance.  Heavily focused on QA (e.g. data integrity).  Usually lots of very smart people — security is comparatively new to these guys and heavily laws-driven.

Education

Stay away.  Seriously.  My only advice.  Feel free to draw your own conclusions, but in my career, it’s been the most political, ill-paid, big-fish-small-pond nastiness I’ve ever encountered.

Services / IT Products / Consulting

Usually reasonably paid — the advantage is that you’re working with other tech people.  The disadvantage is that, in most cases, your employer often takes a significant chunk of your paycheck.

I have no experience in the following:

Government / Military

Lots of money, salaries generally not that good, new technology but very strict rules.

Industrial

Commercial

Non-profit

…and others.

Most importantly, some pieces of advice that apply to all jobs:

  • Always try to talk directly to the manager who’ll be in charge of the group you’re applying to.  Going through HR is often a dead end.
  • Never ever lie on resumes.  Don’t be afraid to publicize yourself, though.
  • Avoid politics.
  • Never burn bridges.

I hope this helps.

 Posted by at 11:27 am

One Response to “Getting Started in Security”

1. I am a recent entry into this field, working as an analyst for about a year, having previously worked on grid computing. I can vouch for everything you have listed as being right on the mark, especially about people who end up in this field not starting in it.

    Your blog has a lighter vein to it making it an extremely enjoyable read, which is a rare thing in this field full of MIB. Keep it coming.