
One for the n00bs

October 21st, 2009

We’ve all been a n00b at some point. I don’t care who you are, at some stage of the game you didn’t know much, or started a new gig, or tried something for the first time in full view of other people, or whatever the case may be – you’ve been a n00b. My friend Raf Los at HP, who I’ve known for years and who has been through the security gamut just like me, posted a really interesting semi-rant the other day. His observation? We crusty security types kind of suck at letting new people into the club. I don’t know about most of you (well, actually I do), but I hated cliques in high school. The “you can’t sit at our lunch table” crowd. The “we’re having a massive party at XYZ’s house tomorrow night, and you can’t come” crowd. Yes, we all know who I’m talking about.

We’ve kind of become that crowd.

We’re not welcoming, or mentoring, or open-minded about new people coming in. Be honest – when was the last time someone arbitrarily asked you to guide them or lend some experience, where you really went out of your way to help them learn about infosec? This is, of course, for all you crusty types like me. Well, I was pretty lucky, I guess – I had a few really kick-ass people who let me ask a plethora of questions in the early days, and really bolstered my confidence and desire to keep forging ahead: Lampe, Herb, Jimmy the Slick…I’m talking to you.

So I have some advice for the n00bs. Those of you that aren’t truly n00bs anymore, you may want to check out an earlier post of mine called “Career Tips for Security Geeks.” Noobs, read this first, then read that one too. So here goes:

  1. Please please please please PLEASE do not come out of school with a degree in “Information Assurance” or some other bullshit and tell me you are a security professional. You are not. You are either a) still my intern for another year until I have hazed you sufficiently, or b) the new anti-virus admin. Yes, I’m serious. Experience and technical skills count in security – I’ma let you finish, but first you will be starting at the bottom rung of the ladder if all you have is said IA degree and a will to learn. This leads us to…
  2. Show me. Yep. Don’t talk theory, or concepts, or God forbid mention wretchedness like the Bell-LaPadula Model. Help me get security in order. Models don’t actually DO anything. They’re great for drunken whiteboarding sessions. And CISSP exams.

At this point, you’re thinking “Wow – Shack said he was going to help us out! He’s being one of those clique-ish types, though!”. Well…not really. That’s all the harshness I’m giving out, and there are good reasons for this advice. Well…one more, don’t get cocky. We’ve got way too many cocky folks already, and we’re trying to change the dynamic. So here’s some more practical advice for the n00bs:

  1. Really, the best security people came from some other backgrounds. I really think you should spend a few years doing something else first. Coding, systems admin or network admin, DBA, etc. How can you secure stuff when you have no experience with it? Security isn’t all about IDS, pen testing, etc. The most important security is mitigating risk in regular old technology design and use, and you should have some hands-on time with THAT before you go saving the world.
  2. Understand the following: TCP/IP, Cisco IOS, Windows admin (basic), Unix admin (basic). Pick a scripting language and endeavor to become a little bit proficient with it. Not a lot, that’s OK, but a little Perl-Fu or Python-Fu or Ruby-Fu or just Shell scripting-Fu can go a LONG way. These are basic skills. What about security? Re-read #1 above. Now do it again.
  3. Allocate $500 and go visit your friend Amazon.com. Or better yet, roll Ramen noodle style and get used books by perusing titles at www.bestbookdeal.com. It rocks. What to buy? Hacking Exposed, latest edition. Counter-Hack Reloaded. Network Security Hacks (2e). Everything written by Richard Bejtlich. Malware (Skoudis and Zeltser). Security Engineering (2e). Applied Cryptography. This is a good start, look for others too – read them and keep going. Plan on spending $50-100 a month on books.
  4. Understand how to lock down operating systems. Read the CIS benchmarks, DISA STIGs, and vendor guides from M$ and others. This is 101 stuff, and you need to know it WAY before you get to the “sexy” things like pen testing.
  5. Become familiar with a packet sniffer of your choice. Wireshark is good. So is TCPdump. Both are free, and you can start breaking down packets and looking at them to see what the hell is going on.
  6. Learn about Snort. Spend a month or so installing it, tweaking the configs, learning about rule creation, planning architecture and so on. Will it be your only IDS? Maybe, maybe not, but it’s the best for the $$$ and you need to learn.
  7. Download the Backtrack security assessment toolkit from http://www.remote-exploit.org/backtrack.html. Load it up in a test network (repeat – test network. Did I mention test network?) and start running some tools to learn about scanning (nmap, hping3), vulnerability scanning (OpenVAS, maybe Nessus for local scans or if you have a license), and pen testing with Metasploit and exploits from Milw0rm and others.
  8. Plan on going for the SANS GSEC certification. Forget about your CISSP or anything else right now, you need a solid set of fundamentals, and the SANS Security Essentials course is your best bet. I teach for SANS, full disclosure, but I endorse this with no bias whatsoever – it really is the best for newcomers to the field.

You now have the basics. Specialties, like code security, Web app security, pen testing, network security, etc all come a bit later. I won’t go into all that here, but you should be waking up every day with a fire under your ass. READ! Check out blogs and sites like darkreading.com, csoonline.com, packetstormsecurity.org, and others. Listen to Paul, Larry, John, Carlos and gang at www.pauldotcom.com to get in the spirit of things. And when you tell someone you are new to the field, and you have a legitimate question that they can help with, don’t let their lack of social skills get in the way. If they won’t help you, find some of us that aren’t worried about impressing the clique and we’ll help you. I got my OWN lunch table. And you’re invited. Unless you have, like, body odor or something. Then you’re not.

  1. October 21st, 2009 at 19:56 | #1

    Awesome post. I really appreciate you taking the time to write this post. I really don’t have much to add other than, Shack isn’t the only one out there sitting at the everyone table.

  2. The n00b
    October 21st, 2009 at 20:17 | #2

    As someone who is striving to get into the information security field I really do appreciate any advice more experienced people can give me. So far, I would say this blog post is the most helpful that I’ve seen yet.

    I really don’t know how much more clear it can be. Thank you and everyone else out there who do take the time to help us out. With the time and assistance you give me now, I hope to be able to repay you and everyone else who gave me a kick in the pants in the future.

  3. iamnowonmai
    October 21st, 2009 at 20:20 | #3

    I find most places have basically two rules: Can you get the job done, and can you get along with everyone else? I don’t care about what they majored in 20 years ago in college. I care about what they have done, what they can do now, and what their vision of the future is. It’s not like you have to be born with 11 fingers to be a security analyst. Heck, if I can do a (passable) job then there is hope for all.

  4. October 21st, 2009 at 20:29 | #4

    I agree, totally solid post. Without the help of mentors and colleagues I’d be less than nowhere. Also, being passionate about it is often something that can take you a long way.

    Don’t know something? If you show enthusiasm to learn it, and show someone you’re excited about the topic, they’ll often take you under their wing.

    Additionally SANS GSEC was an excellent precursor to starting in the field.

  5. October 21st, 2009 at 21:07 | #5

    Thank you so much for this post. I saw it linked off of @secureideas’ Twitter feed, and as someone who is trying to learn all she can and eventually work in the information security field, this is very timely career advice.

  6. October 21st, 2009 at 21:28 | #6

    Great post! As a know-nothing noob, I’ve seen some of the high school mentality. But I’d have to say that I’ve experienced a rather open-armed welcome. The key for me has been admitting my noobness. Show your desire to learn, and offer your help on projects/blogs. The “1337 h4xor” attitude will get you nowhere. From my short time around, I’ve found that you get back more than you put in… but you have to put something in first.

  7. October 22nd, 2009 at 02:28 | #7

    One of the best pieces of practical advice I have come across recently; I was incredulously surprised to note that my approach was similar when I wanted to get into computer security (as it was widely called at that time) years back. But priorities changed and I am still a n00b; somehow I managed to get a GSEC cert… however I still read a lot on the subject.

    Sometimes I wonder, what if I had met people/pros like you at that time; maybe things would have been different now…

  8. Mike
    October 22nd, 2009 at 03:31 | #8

    Instantly bookmarked. I may be a n00b, but apparently there are worse out there than me (and I thought I was the worst!). Thanks for the awesome post. I’m always looking for advice on this and it seems that though there isn’t much out there, what there is all holds similar views. Thanks mubix for linking this!

    PS. I’d never even heard of GSEC…yeah, I’m that n00b.

  9. October 22nd, 2009 at 05:06 | #9

    Great post! Thanks for taking the time to write it.

  10. October 22nd, 2009 at 05:39 | #10

    What he said.

    This pretty much mirrors my own path. Help Desk -> SysAdmin -> DBA/Developer -> InfoSec. Along the way I encountered security incidents in several of these positions, which ultimately led me to the field. Being able to talk to system administrators, DBAs and developers in their language and know where they are coming from is invaluable.

  11. October 22nd, 2009 at 05:41 | #11

    …and take part in your local security community! One of the few things Shack forgot to mention is community. As the PoC for the Atlanta DEFCON Group (dc404, come join us on the 3rd Saturday of every month!) and a former board member with GaISSA, I can assure you that knowing people in the know will lead to knowing more. Make a point of hanging around smart people who are willing to lead you, tutor you, direct you, or quite simply, pay you! 🙂

    By way of example, DC404 is now over 6 years old, and although it started as a handful of my friends hanging out with me at a local coffee shop, we now consistently have topical presentations, regular monthly attendance of 20 – 30, with at least 25% of each month’s attendees being new to the group, new to the industry and/or both. We welcome, encourage, and appreciate the involvement of those who aspire to become security professionals, and hope that all of you, whether in Atlanta or elsewhere, will find your local community and get involved!

    (And oh yeah… hey Shack, when are /you/ gonna make it out to a DC404 meeting? 😉)

  12. admin
    October 22nd, 2009 at 10:59 | #12

    @Taylor Banks
    Ouch! I DO need to get to those. I’ll try to make one of the next ones, travel permitting. 🙂

  13. anon
    October 22nd, 2009 at 18:43 | #13

    Many people have lamented the fact that there is no guidance for n00bs, however I think FX had a much better point of view and conclusion “From a purely technological point of view, it might make sense to require prerequisites. But if a young and dedicated candidate wants to hack .NET or Java, asking him to learn C and C++ buffer overflow exploitation and shell codes from Aleph1 to today is extremely counterproductive.” – http://www.phenoelit.net/extinction.html

    Which pretty much sums up my view of all the guidance you gave. I never want to admin an IDS, in fact I wish that industry would just go burn, same with AV, nor do I ever want to deal with forensics (my view of disk forensics is: don’t touch disk, and if you have to, root the damn thing and clean up after yourself), this doesn’t mean the security industry has no place for me, it just means that I’m going to be hacking things, rather than defending them.

    I doubt anyone who this is relevant to will get this far, but this list is really only useful if you want to be an admin of some sort. If you want to pen test, what you probably mean is you want to hack things and not be on the wrong side of the law, in that case go learn to hack things, if you’re not going to hack IDS’, don’t learn about them, if you’re not going to hack cisco gear, don’t learn IOS, if you’re not going to hack windows, etc.

    IMO, unless you want to be a generalist (read: admin) pick a target, learn it well, figure out how to hack it, rinse, repeat, until you run out of ideas or get bored of the target.

    Having said that, you’re spot on that just learning “security” is a waste of time. I came to security by way of developer land, but this doesn’t mean that anyone else needs to; but if you want to hack code, you’re going to have to be able to read it, and if you want to hack networks, you’re going to have to know how they work and how to generate packets.

    Either that, or you’re going to end up like one of the many corporate Backtrack/nessus/metasploit kiddies out there. There’s a place for people like that, but it’s not a nice place.

    /rant off

    Also, the one piece of advice I’d give to anyone who wants to break things, which has served me well, is: once you’ve got a target, and are fairly comfortable with known attack strategies and things at that layer, look a level below. If you want to write overflows, learn the OS (and to some extent the CPU architecture) you’re targeting better (and I don’t mean learn to use it, learn how it works); if you want to hack webapps, learn the language they’re sitting on (and, again, how it works internally). You will find more ways to attack things this way, because you can bet that none of the devs have done this.

  14. admin
    October 22nd, 2009 at 19:05 | #14

    What if people don’t want to attack things though? Or care about coding? Your view is tainted, I think – you obviously have disdain for “admins” and “corporate … kiddies”, but we need people with solid skills for defense more than anything else. In fact, I’ll take a few dedicated, motivated and alert “kiddies” of this sort over the next pwn20wn media glory hound any day. Your point is valid for someone who knows right off the bat that they want to “hack things”, but that’s a small group. The profession of information security is about a lot more than people that just want to hack things, in my opinion, and they often need guidance on how to get started with a solid base level of knowledge. That’s the intent of the post.

  15. anon
    October 22nd, 2009 at 21:36 | #15

    I don’t have disdain for admins, I simply don’t want to be one (corporate kiddies I have a lot of disdain for, if you can only run tools, you can, and probably should, be automated away), IDS/IPS I have disdain for, since they suck so much you’re only going to catch stupid attackers (AV is the same).

    Ok, my view is tainted, but (correct me if I’m wrong) defense seems very similar, find out how to break it, then figure out how to fix it, rinse, repeat. You want to secure a router? Figure out what kind of attacks there are against routers and networks, then solve them.

    Either that or you’re pretty much a zombie feeding off the brains of others.
    Nothing wrong with getting up to speed, but after that you need to think for yourself, or someone else will, and they will have your data.

    Your advice seems pretty arbitrary to me (as most “advice to newbies” posts are), and that I take issue with, if you’re going to be admining a unix/juniper network, why do you need windows/IOS skills?

    I may not be the best person to be giving advice to n00bs who want to be admins, but, I have to say, if you ask someone a question and they give you an answer, think about it a little, try out the code they sent you, or whatever, before telling them you want an easier explanation. (I had this happen, let’s say 30 mins ago; it just pissed me off and caused me to /block the person.)

    You’re right that the “pwn20wn media glory hound” wouldn’t make a good admin (maybe even a poor pen tester; after all, vuln discovery && exploit dev != pen testing, but you probably would want him, or someone with similar talents, on your product team if your goal is to stamp out vulns or develop exploit mitigations), but they don’t want to be admins either. Having said that, the kiddie, while he may admin your network just fine, isn’t going to make it secure.

    P.P.S. Do you actually see many people who want to get into infosec to be sysadmins? I’m actually curious here…it seems kind of an odd wish.

  16. November 20th, 2009 at 11:56 | #16

    We just watched your Red Team/Blue Team video in my CS Infosec class. Great stuff, great blog, and minus a rearrangement of the l and the e, great last name. They call me “Shack,” too.
