We’ve all been a n00b at some point. I don’t care who you are, at some stage of the game you didn’t know much, or started a new gig, or tried something for the first time in full view of other people, or whatever the case may be – you’ve been a n00b. My friend Raf Los at HP, who I’ve known for years and has been through the security gamut just like me, posted a really interesting semi-rant the other day. His observation? We crusty security types kind of suck at letting new people into the club. I don’t know about most of you (well, actually I do), I hated cliques in high school. The “you can’t sit at our lunch table” crowd. The “we’re having a massive party at XYZ’s house tomorrow night, and you can’t come” crowd. Yes, we all know who I’m talking about.
We’ve kind of become that crowd.
We’re not welcoming, or mentoring, or open-minded about new people coming in. Be honest – when was the last time someone arbitrarily asked you to guide them or lend some experience, where you really went out of your way to help them learn about infosec? This is, of course, for all you crusty types like me. Well, I was pretty lucky, I guess – I had a few really kick-ass people who let me ask a plethora of questions in the early days, and really bolstered my confidence and desire to keep forging ahead: Lampe, Herb, Jimmy the Slick…I’m talking to you.
So I have some advice for the n00bs. Those of you that aren’t truly n00bs anymore, you may want to check out an earlier post of mine called “Career Tips for Security Geeks.” Noobs, read this first, then read that one too. So here goes:
- Please please please please PLEASE do not come out of school with a degree in “Information Assurance” or some other bullshit and tell me you are a security professional. You are not. You are either a) still my intern for another year until I have hazed you sufficiently, or b) the new anti-virus admin. Yes, I’m serious. Experience and technical skills count in security – I’ma let you finish, but first you will be starting at the bottom rung of the ladder if all you have is said IA degree and a will to learn. This leads us to…
- Show me. Yep. Don’t talk theory, or concepts, or God forbid mention wretchedness like the Bell-LaPadula Model. Help me get security in order. Models don’t actually DO anything. They’re great for drunken whiteboarding sessions. And CISSP exams.
At this point, you’re thinking “Wow – Shack said he was going to help us out! He’s being one of those clique-ish types, though!”. Well…not really. That’s all the harshness I’m giving out, and there are good reasons for this advice. Well…one more, don’t get cocky. We’ve got way too many cocky folks already, and we’re trying to change the dynamic. So here’s some more practical advice for the n00bs:
- Really, the best security people came from some other backgrounds. I really think you should spend a few years doing something else first. Coding, systems admin or network admin, DBA, etc. How can you secure stuff when you have no experience with it? Security isn’t all about IDS, pen testing, etc. The most important security is mitigating risk in regular old technology design and use, and you should have some hands-on time with THAT before you go saving the world.
- Understand the following: TCP/IP, Cisco IOS, Windows admin (basic), Unix admin (basic). Pick a scripting language and endeavor to become a little bit proficient with it. Not a lot, that’s OK, but a little Perl-Fu or Python-Fu or Ruby-Fu or just Shell scripting-Fu can go a LONG way. These are basic skills. What about security? Re-read #1 above. Now do it again.
- Allocate $500 and go visit your friend Amazon.com. Or better yet, roll Ramen noodle style and get used books by perusing titles at www.bestbookdeal.com. It rocks. What to buy? Hacking Exposed, latest edition. Counter-Hack Reloaded. Network Security Hacks (2e). Everything written by Richard Bejtlich. Malware (Skoudis and Zeltser). Security Engineering (2e). Applied Cryptography. This is a good start, look for others too – read them and keep going. Plan on spending $50-100 a month on books.
- Understand how to lock down operating systems. Read the CIS benchmarks, DISA STIGs, and vendor guides from M$ and others. This is 101 stuff, and you need to know it WAY before you get to the “sexy” things like pen testing.
- Become familiar with a packet sniffer of your choice. Wireshark is good. So is TCPdump. Both are free, and you can start breaking down packets and looking at them to see what the hell is going on.
- Learn about Snort. Spend a month or so installing it, tweaking the configs, learning about rule creation, planning architecture and so on. Will it be your only IDS? Maybe, maybe not, but it’s the best for the $$$ and you need to learn.
- Download the Backtrack security assessment toolkit from http://www.remote-exploit.org/backtrack.html. Load it up in a test network (repeat – test network. Did I mention test network?) and start running some tools to learn about scanning (nmap, hping3), vulnerability scanning (OpenVAS, maybe Nessus for local scans or if you have a license), and pen testing with Metasploit and exploits from Milw0rm and others.
- Plan on going for the SANS GSEC certification. Forget about your CISSP or anything else right now, you need a solid set of fundamentals, and the SANS Security Essentials course is your best bet. I teach for SANS, full disclosure, but I endorse this with no bias whatsoever – it really is the best for newcomers to the field.
You now have the basics. Specialties, like code security, Web app security, pen testing, network security, etc all come a bit later. I won’t go into all that here, but you should be waking up every day with a fire under your ass. READ! Check out blogs and sites like darkreading.com, csoonline.com, packetstormsecurity.org, and others. Listen to Paul, Larry, John, Carlos and gang at www.pauldotcom.com to get in the spirit of things. And when you tell someone you are new to the field, and you have a legitimate question that they can help with, don’t let their lack of social skills get in the way. If they won’t help you, find some of us that aren’t worried about impressing the clique and we’ll help you. I got my OWN lunch table. And you’re invited. Unless you have, like, body odor or something. Then you’re not.