How To Get Your Start In Security
For the aspiring security professional, the field can seem a bit like a quagmire at face value. Depending on how much experience you have in IT, the transition can range from challenging to difficult. This article will assume you have at least a beginner’s understanding of the IT landscape, and offers a wealth of information for zeroing in on a security career.
As with anything in life, you’ll only ever get out of this venture what you’re willing to put into it. Before landing my first security gig I already had several years of experience, ranging from internships to professional consulting, as well as military service. I was also maintaining and pursuing various certifications. Most importantly, behind the scenes and away from the eyes of my peers, I was spending several hours a week in my lab conducting research, staying up to date on security news, taking part in wargames and capture the flags, and building this website. If there’s one thing I want to convey, it’s that security generally is a second career. It requires a significant amount of knowledge and experience to finally break into, and a little bit of tinkering on the side or an unrelated IT job isn’t exactly going to get you in. On the flipside, you have to make the best of your situation, molding it and milking it for the most experience you can get out of it. Helpdesk roles may not be security-oriented for example, but they’ll introduce you to concepts like permissions and security groups. Don’t worry about your job title – find value in the things you do and build from there.
Just as IT is an umbrella term for dozens of professions, information security spans much further than the hacker persona that’s been adopted by the public. Some possible career opportunities include:
Risk and compliance
Regardless of your career aspirations, I love Eric Steven Raymond’s “How To Become A Hacker” because it touches on the mindset and ethos required for attaining a prosperous occupation. He writes his article almost exclusively from the eyes of a developer but offers guidance that can be applied anywhere on the security spectrum:
Freedom of knowledge and information – though this can lead into a political and philosophical rabbit hole, it can be translated as resources needed to excel in the field. There are tons of free tools, classes and communities that make progressing in this career possible. More on that later.
Put in the effort – Whether you come from a technological background or not, security requires a very diverse pool of skills. Do your due diligence and don’t look for handouts. Ongoing education and awareness are needed for progression.
Contribute to the community – going back to the freedom of information, it’s there only because the community invests in itself. Maybe one day you’ll find yourself writing a guide on how to make a career out of information security.
Finding the right information can be challenging right at the beginning, and so knowing what to research and what questions to ask will be crucial in your infancy. Here are some communities that may help to orient you in the right direction:
You’ll benefit the most from these at first by lurking in the background and just absorbing the content. After some time you’ll notice waves of beginners asking the same questions week after week. Don’t be that guy; Remember this is a self-made community and no one is going to want to hold your hand. If you’re working on a project, research and troubleshoot as much as possible before turning to others so you can ask intelligent questions.
Outside of the above security hubs, there are numerous other websites offering various resources. Many of these are just general security news outlets, while others provide ideas for projects, notices of security advisories, career roadmaps, and so on:
Despite the above, tons of reading material isn’t going to be enough. Any IT discipline is going to be highly technical and requires a hefty amount of hands-on experience. For these purposes, you’ll want to invest in a home lab for yourself to experiment and expand on the concepts you’re reading about. Don’t be intimidated by some of the networks you’ll see on r/homelab. To really get started, all you’ll need is a decent laptop capable of virtualization with 8+ GB of RAM and a decent amount of drive space. For additional help on spinning up a lab of your own, visit my home lab series. I’ll let your curiosity do the majority of the work here, but some helpful resources for practical application include:
https://www.hackthissite.org/ - start here. Just see if you can pass the “idiot test”
http://overthewire.org/wargames/ - my personal vote for best Linux command line tutorials. I say “tutorials,” but you’ll spend the entire time figuring it out yourself
https://www.vulnhub.com/ - your one-stop shop for vulnerable VMs
http://ringzer0team.com/ - CTFs and challenges ranging from forensics to reverse engineering
http://www.ringzerolabs.com/ - technical how-tos
https://backdoor.sdslabs.co/ - online CTFs
https://pentesterlab.com/ - exercises covering a wide variety of topics. They also offer a paid platform
Regardless of your experience I think you’ll find yourself hitting a wall at basically every turn. Don’t let this discourage you, and don’t be afraid to research solutions. Put as much effort as you can into solving each problem, but don’t beat yourself up for not knowing the answer. Once you understand the solution and how to get there, you’ll have your bases covered for next time. This was my biggest problem starting off, and really hurt my growth in the beginning. Be open to new things and don’t take it personally when you struggle with a topic. There’s so much to learn that the struggle never goes away, and soon you’ll learn to thrive in this domain.
Certifications. Some people hate them, others swear by them. I personally pursue certs just to have them, and because the study material is generally a trusted source for learning and enforcing industry best practices. Some organizations may offer financial incentives for earning certifications, while others blow off employee education. Regardless, it boils down to whether or not you’ll pass HR screening. Say you submit an application to an employer who receives ten other resumes from similar candidates. The only difference between you and them is that they all have their Security+. It’s very possible your resume will find its way to the trash. A candidate who has achieved additional credentials on their own time demonstrates not only expertise, but also discipline and a passion for the industry.
There are a lot of certifications out there. Some are better than others from a technical perspective, but all can be leveraged in their own way. There are recommended “roadmaps” explaining the order they should be achieved, but for simplicity’s sake I’ll break them down into tiers.
(ISC)2 Systems Security Certified Practitioner
EC Council Certified Ethical Hacker
Offensive Security Certified Professional
(ISC)2 Certified Information Systems Security Professional
ISACA Certified Information Security Manager
Offensive Security Certified Expert
Advanced GIAC certifications
Advanced SANS courses
The fact you’re reading this speaks to the curiosity that already exists within you. If this is a journey you’ve dreamed of embarking on, begin today. It’s a long uphill battle riddled with late nights, confusion, and uncertainty just waiting to be conquered. Whether you’re advancing your career or starting completely anew, the only thing standing in your way is you. And perhaps learning how to code a little, create scripts, administer Windows and Linux environments, perform exploits, understand cryptography, deploy and bypass security controls, utilize command line tools, manipulate human nature, analyze malware and debug code.
“You need motivation and initiative and the ability to educate yourself. Start now...”