Thoughts On Being Asked “How Do I Get Into INFOSEC?”
So You Want To Get Into INFOSEC Huh?
I got a request through a friend, for a friend of that friend's kid, to talk to him about how to get into INFOSEC the other day. Now usually I am a curmudgeon (as you all know and love) and am loath to be some sort of big brother of INFOSEC to anyone, but in this case I said ok cuz I am just that nice. After some email wrangling we finally got together today (scant minutes ago actually) and now I feel an obligatory blog post on the subject of getting into the business coming on… And there it is… Feel the burn…
So after agreeing to a time to meet I began to wonder just what I would say to this kid as to how to get into the business. For that matter I really wondered if I should encourage him at all to get into INFOSEC in the first place. My mind started to ponder why I was still in it and just how, if at all, it was rewarding given all that I have seen and still deal with on a daily basis. Oftentimes my daily job sends me into the apoplectic fits that you all see in my blog posts and in Twitter screeds of 140 characters at a clip, so I imagine all of you out there might not think that I enjoy my work on average. On the whole though I would say that I do enjoy my work, but I would caution anyone looking to get into this business to take a deep look at their abilities and their coping mechanisms before they take the plunge.
My conversation with this guy (in his 30s) covered a range of things, but I mainly focused on just how technical he was, if at all, and what he thought he wanted out of pursuing a career in INFOSEC. It turned out that he was not that technical and had only just started taking a course at the local community college on Python. It was at that opening moment that I knew this kid would have a long road ahead of him, and I made that as abundantly clear as I could without being a complete and utter bastard. Basically, in your 30s and without any technical background you will have quite the uphill battle to become proficient not only in the technologies but also in the application of security to those technologies. So I had to scale back a bit and impress upon him that he needed to learn quite a bit to start, and that maybe he should just look for a gig in desktop support first after some time in school.
At the end of the conversation I had laid out all of the issues for him, up to and including the level of frustration we all have in this business, from end users to C levels that don't listen. Soup to nuts I laid it bare, and in the end did in fact say that one needed to take up drinking to cope on average. I told him that the allure of the movies is great, but in reality there is a lot more drudgery, and that he should expect to spend a lot of time studying, practicing, playing, and generally hacking even to get a gig as a vulnerability scanner or a SOX auditor. This at least would be my ideal for anyone looking to get involved in true security work, but unfortunately we all see too many people out there running a Nessus scan and passing a canned report to a client as BAU.
Despite all of this I do not think I dissuaded or disabused him of his desires, and I will be sending him some tutorials and links to sites/books for him to begin the great RTFM of security. I guess time will tell if he can eventually land a gig and be a productive INFOSEC wonk. Until then, I guess I am a sort of tough-love big INFOSEC brother…
I hope he can handle the tough love…
So here are my thoughts about all of this for those who are also asking the question of how to get into, and stay in, INFOSEC.
- You have to be fascinated with the subject matter. This is not just a job; like any career, you have to love what you do, otherwise why bother?
- You have to be technically capable of understanding a great deal of technologies; if you aren't, and are not interested, don't bother
- You have to have an innate offensive mindset to be a good INFOSEC professional (if you aren’t thinking like the adversary you will lose the battle and the war)
- To be a good defensive INFOSEC professional you have to have the offensive mindset as well (once again, think like the adversary or lose the war)
- You have to be able to study things and be readily able to take the initiative to look things up
- You have to be a tinkerer always playing with things
- Overall you need to have initiative because even if you take a course it will not prepare you for everything
- Don't be just another fool with a tool; you need to go outside the box and, once again, play with things and understand them. Then abuse them
- Don’t expect to be an uber l33t haxx0r just because you hit start on Metasploit
- Be diligent and do a good job no matter the scale of the project. Half-assed is just that and will end in epic fail
- Nowadays you can get a CISSP and get a job. This does not make you a good INFOSEC practitioner though
- It is easier today to locate actual classes on security and hacking so avail yourselves of them ON TOP OF playing at home
Expectations and Realities
- Expect and be able to handle clients in a professional way
- Expect and be able to handle small scopes and reticence on the part of clients to fix vulnerabilities you show them as they might break their businesses to do so
- Expect that end users are not usually clueful in the ways of computing and will easily click on your malware/phishing email (offense)
- Expect that end users are not usually clueful and will click on malware/phishing emails and thus start an incident that YOU will have to clean up (defense)
- Expect to be told “No” a lot
- Expect fits of rage and bile because the executives will not want to follow the security measures that you tell them they need to as policy
- Expect to have to socially engineer said C level executives to have a modicum of security by tricking them into secure behaviors
- Expect that your employers will not fund your going to conferences
- Expect your security budgets to be secondary in concern if not tertiary to the C level executives until they get pwnd hard and in the news
- Expect human nature to be the primary cause of your security incidents and failures in the enterprise (problem between keyboard and chair)
- Expect long hours
- Expect to be travelling 100% of the time if you are in a pentest position
- Expect that 3am call when your enterprise has been compromised and expect to get up, log in, and begin IR
- Expect that your network is already compromised
- Accept that you will never know everything and should always be willing to learn
- Expect and accept the blank stares you will get from end users and C levels when you explain to them the security ramifications of things you discover
- Expect and accept the blank stares you will get from end users and C levels when you tell them that they have to comply with policy and process
- Expect that you will have to at some point not only audit but also create policies and procedures for someone somewhere
- Accept this previous fact as just that, get past being an elitist wannabe pentester, and do a good job at the policy side of things too
- Accept that there is more to life than pentesting
- Every day you have to unplug and have a real life outside of INFOSEC with other interests than just pwnage
- Expect to be well rounded and a human being able to converse with others outside of the hacking/INFOSEC world
- Expect to be frustrated every god damned day and be able to handle that without going insane
- Expect that you will fail no matter how hard you try and that failure is not the end of all things
Well… I think I ran out of steam there, but you catch the drift, right? It takes a certain kind of person to be a good INFOSEC professional, just as much as it takes work. Do it if you love it… Otherwise what's the point?