So you want to get started in information security
I have seen many posts and threads about how to get started in information security / cybersecurity and recently I have been asked by a few individuals to provide information on the same topic.
While there are a lot of good sources of information out there on the practical tasks/steps that people must take to enter the field, I have seen nothing that explains the mindset and overall philosophy (at least the one I believe in) for how to go about it.
It’s all about a mindset
One must admit that you have a desire to join a field that is working on a problem that is yet to be solved. While there has been progress made as far as implementation of security controls that work for the masses, a lot of them are now being criticized or displayed as ineffective (might post another rant about this soon…).
With this in mind, first thing to know is that there are no set of answers to solve all the problems and in fact, this is a field where not one expert can have all the answers.
This field is composed of a community of professionals. While information security is a hot topic and everyone is talking about it, the community is fairly small. There are certainly, as with any community, two sides of it one that builds people and the other that is composed of those who want to push people down. Find yourself a good network of people who support each other, welcome everyone, and treat people equally.
There are plenty of lists of people to follow on social media, start with a few and grow from there. Also, while you may be starting in information security, that does not mean you cannot share your point of view or help someone else. You may come from a field where security can be difficult and your insights are extremely valuable. Or just in general, provide insights, the value of information increases with the number of data points provided.
A lot of debate about this recently. I do not necessarily believe in mentoring as this is almost always done from an angle where there is some sort of superiority. Instead, find yourself some peers who can help and guide you in a way that you make your own decisions. The path is not always binary, so having people along the way to help and guide you is always the best approach. (See Community)
Here’s my general mindset: I treat others as I want to be treated by them. My perspective is that there is something to be learned from every person, so I pay equal attention and open mind approach to everyone regardless of experience, title, social status, etc. I also communicate with them using equal tone. Never walk into a room thinking that you’re the smartest person in there, and if you truly are, I’d suggest you find a new home where that’s not the case.
Always look for the opportunity to learn!
Security is about reducing risks
At the end of the day, not all problems are going to be solved. The one thing to keep in mind is that you have to be pragmatic about security. Not all issues or risks need to be solved. Certainly, not all risks require the same priority or mean that the sky is falling. Take a step back, understand the threats of your organization, self, or individuals you are working with, then implement the right approach.
To add more information on this the peeps from Decipher posted a great resource about how to tackle vulnerability management. I highly recommend that you read at your leisure: here.
One recent example of this was the Meltdown and Spectre vulnerabilities. While the scientific research that went into discovering these is incredible, it’s applicability to a business is something that as a security professional we had to internalize. Understanding the vulnerability, impact, and likelihood (this is what prioritizes risks), we determined to not rush into applying patches without first truly understanding the impact of those. This proved to be the best approach as initial patches created more problems. With that said, we did determine there was an environment that required higher priority since it is a shared/hosted environment where the vulnerability can expose data. Luckily, this vulnerability fell into the vendor’s side of the responsibility model and they took care of it with transparent reporting and feedback.
Approach makes it or breaks it
Remember, you are trying to solve problems that most people either 1) do not understand the problem, 2) do not see the problem, 3) do not agree with any solution, or 4) have fear that the solution will impact their daily life. You may be working with executives, technical people, non-technical people, grandparents, or kids. Not everyone will understand how to use or see the value of that new shiny toy that you are so eager to get them to use. Security needs to be for everyone. If it does not work for the masses, then re-think your approach. While there may be exceptions to this statement, in general, security implementation is meant to allow people and organizations to operate within acceptable levels of risks and not interfere in such a way that the security solution will be tossed to the side and ignored.
A personal example of where my approach lead to success was convincing people to use and implement two-factor authentication and password managers. While this practice seems to be a default behavior of any risk aware person, you are asking those who are not to take on a second step to get access to their data/information.
How do you convince a grandmother that she needs to spend another 30 seconds to a minute before she can like her grandchild’s picture? Or how do you convince your parents or child to not use the same password for everything (regardless of how convenient it is)?
The solution is approach and utilizing mechanisms that are easy to use. Constant communication of good practices, providing access to tools or methods that facilitate those and have a transparent feedback mechanism (fix the issues, of course) is an approach that will most likely lead to success.
For example, your parents agree on using different passwords but prefer to write them down on a notebook that is stored in a locked cabinet? Sure. In my case, this minimizes the risk considering the threat profile. Someone breaks into their house, I have more important things to worry about than digital assets.
Understand your audience and their main concerns. Do not drive to conclusions without being exposed to context. Always improve.
Never stop learning. Curiosity is never a bad thing.
Information security continues to evolve and rapidly. Professionals in this field have had to learn and grow at a faster pace than any other field. We have had to play catch up to decades of maturity on the engineering and product sides. In addition, the technology that is used by those who we work to protect evolves at an incredible pace, therefor we must keep up.
Do not settle for what you learn in school or at conferences, information security education should never stop. Understanding that passion is a commodity and we all must make ends meet, I am not suggesting that you read everything. What I propose is that you find sources of information so that you continue learning at a pace that fits within your lifestyle. Meet people, read blogs, follow people on Twitter, learn different perspectives and points of view, read books, etc.
Just overall, be curious about what you do and how you can be better at it. More importantly, how can you make it better for others.
I must admit, I happen to be one of the lucky ones who had a passion for information security / computer science from the beginning. I always made a personal challenge to read and self-educate for at least 8 hours a week, sometimes more. I joined a network of people on IRC whom I shared knowledge with and learned from (learned more than I shared, to be honest). I looked for challenges where they would present themselves, even if those did not directly lead to better grades, new job, better job, or promotion.
With that said, here are some good resources that others have put together:
(Apologize for any repeats)
I would also recommend some books:
How to Win Friends & Influence People — Dale Carnegie (Highly recommend this one over the others. This helps with soft skills)
The Web Application Hacker’s Handbook (in fact, the Hacker’s handbook series)
The Tangled Web: A Guide to Securing Web Applications — Michal Zalewski
The Art of Software Security Assessment — Mark Dowd
Hacking: The Art of Exploitation — Jon Erickson
(My personal recommendations, I am not associated with the books or the authors)
I am not suggesting that you go and buy them all, but some good resources to get when resources are available. There are definitely more books and sources of information out there that I recommend you find. Let me know if you need help doing so!
Lastly, have fun!
This is definitely going to be an adventure! Enjoy the ride and always know that you’re not alone. There are others who are going through the same, will be going through it or have gone through it. Speak up, share experiences and insights and never let anyone put you down.