Ok, my view is tainted, but (correct me if I’m wrong) defense seems very similar, find out how to break it, then figure out how to fix it, rinse, repeat. You want to secure a router? Figure out what kind of attacks there are against routers and networks, then solve them.

Either that or you’re pretty much zombie feeding off the brains of others.
Nothing wrong with getting up to speed, but after that you need to think for yourself, or someone else will and they will have your data.

Your advice seems pretty arbitrary to me (as most “advice to newbies” posts are), and that I take issue with, if you’re going to be admining a unix/juniper network, why do you need windows/IOS skills?

I may not be the best person to be giving advice to n00bs who want to be admins, but, I have to say, if you ask someone a question, and they give you an answer, think about it a little, try out the code they sent you, or whatever before telling them you want an easier explanation.(I had this happen, lets say 30 mins ago, it just pissed me off and caused me to /block the person)

You’re right that the “pwn20wn media glory hound” wouldn’t make a good admin (maybe even a poor pen tester, after all, vuln discovery && exploit dev != pen testing, but you probably would want him, or someone with similar talents, on your product team if your goal is to stamp our vulns or develop exploit mitigations), but they don’t want to be admins either, having said that, the kiddie, while he may admin your network just fine, isn’t going to make it secure.

P.P.S. Do you actually see many people who want to get into infosec to be sysadmins? I’m actually curious here…it seems kind of an odd wish.

Which pretty much sums up my view of all the guidance you gave. I never want to admin an IDS, in fact I wish that industry would just go burn, same with AV, nor do I ever want to deal with forensics (my view of disk forensics is: don’t touch disk, and if you have to, root the damn thing and clean up after yourself), this doesn’t mean the security industry has no place for me, it just means that I’m going to be hacking things, rather than defending them.

I doubt anyone who this is relevant to will get this far, but this list is really only useful if you want to be an admin of some sort. If you want to pen test, what you probably mean is you want to hack things and not be on the wrong side of the law, in that case go learn to hack things, if you’re not going to hack IDS’, don’t learn about them, if you’re not going to hack cisco gear, don’t learn IOS, if you’re not going to hack windows, etc.

IMO, unless you want to be a generalist (read: admin) pick a target, learn it well, figure out how to hack it, rinse, repeat, until you run out of ideas or get bored of the target.

Having said that, you’re spot on about just learning “security” is a waste of time. I came to security by way of developer land, but this doesn’t mean that anyone else needs to, but if you want to hack code, you’re going to have to be able to read it, if you want to hack networks, you’re going to have to know how they work and how to generate packets.

Either that, or you’re going to end up like one of the many corporate Backtrack/nessus/metasploit kiddies out there. There’s a place for people like that, but it’s not a nice place.

/rant off

Also, the one piece of advice I’d give to anyone who wants to break things that has served me well is: once you’ve got a target, and are fairly comfortable with known attack strategies and things at that layer, look a level below. If you want to write overflows, learn the OS (and to some extent CPU architecture) you’re targeting better (and I won’t mean learn to use it, learn how it works), if you want to hack webapps, learn the language they’re sitting on (and, again, how it works internally). You will find more ways to attack things this way, because you can bet that none of the devs have done this.

This post was mentioned on Twitter by daveshackleford: New blog post: One for the n00bs http://bit.ly/2Eqeso...

By way of example, DC404 is now over 6 years old, and although it started as a handful of my friends hanging out with me at a local coffee shop, we now consistently have topical presentations, regular monthly attendance of 20 – 30, with at least 25% of each month’s attendees being new to the group, new to the industry and/or both. We welcome, encourage, and appreciate the involvement of those who aspire to become security professionals, and hope that all of you, whether in Atlanta or elsewhere, will find your local community and get involved!

(And oh yeah.. hey Shack, when are /you/ gonna make it out to a DC404 meeting?

This pretty much mirrors my own path. Help Desk-> SysAdmin-> DBA/Developer-> InfoSec. Along the way I encountered security incidents in several of these positions, which ultimately lead me to the field. Being able to talk to system administrators, DBAs and developers in their language and know where they are coming from is invaluable.