Breaking Into Infosec

23 September 2018

Information security has a touch of mystical aura around it, even today. A question I get asked a lot by people I meet is “how do you even get into that?”. Generally, this is following questions like “isn’t that illegal?” until I explain exactly what goes on, how permission is obtained, and how scoping happens.

Over the years, in tandem with a couple of penetration testers who I talk to regularly, I’ve been able to put together a list. I should preface this with the fact that this is exclusively a set of opinions, and everybody on the planet has more of those than they have taken breaths, including me.

1. Drive (not the movie)

Information security is one of those industries where if you don’t really like it, you honestly won’t enjoy it in the medium to long term. There’s plenty of careers like it, where you can’t simply “fake it until you make it” under the impression that if you smile long and hard enough, the smile will become genuine. Working in information security, as a proper penetration tester, can be draining work. It’s not just throwing packets at machines until they break then skipping away gleefully yelling how you are number one. There is a serious balance that needs to be struck between “handling business requirements and client expectations” and “packet boats”. Without striking that balance you become - at best - a loose cannon consultant. No serious business wants a loose cannon consultant.

Infosec consulting involves handling scopes, client expectations, business-as-usual activities while you test, understanding context and landscape, recommending solutions, and assisting your clients with implementation strategies for those solutions. It’s not all hoodie and terminal. In fact, perhaps only 50% of it really is hoodie and terminal, and that isn’t the bit that is important to the clients.

2. Communication is key

Equally important, though, are communication skills. If you can’t communicate, don’t like to communicate, or have trouble understanding that you cannot take things personally because the domain admin account you compromised got locked, or you locked up four servers and now the client is upset, you will really struggle. Your job is to enter environments that systems, networks, and operations engineers have meticulously set up, spending hundreds (if not thousands) of hours of (probably unpaid) overtime to meet business requirements, find the cracks they missed filling in, and then deliver a huge report to their managers.

Even in context, that can be extremely demoralising to the “blue team” where you essentially swan in, point out all the bad things about their work, then swan right back out. Being able to effectively communicate is paramount. Being able to assist clients in fixing these issues, providing recommendations and working on remediation plans, is extremely important. Python can come later. You need to know to care about the right things, and that your job is to help, not hinder.

3. Degree requirements for information security are questionable

As of writing, I’m unaware of a single university that can produce a degree containing significant information security oriented content that is current and correct. This isn’t a fault of the universities, it’s the fact that the entire landscape moves so quickly. Techniques change far more rapidly than any other industry. A screw is a screw and has been a screw for as long as anyone can remember. Engineering fundamentals change extremely slowly because society as a whole pretty much relies on them to not change. Information security is an incredibly young industry, and has the “luxury” of not underpinning the entirety of human civilisation, so it can opt for the agilistic approach of moving fast and breaking literature on the subject as new technologies come in and replace old ones.

Yes, many things in information security are still the same as they were when people could whistle into phones, but the actual goal posts move so rapidly that news wires publishing “are security professionals moving fast enough to beat cyber criminals” every three months don’t even have to repeat the content.

4. Self-directed learning is almost required

As a consequence of point 3, self-directed learning is kind-of a must. Sure you can read the tweets from thought leaders about how they’ve never turned a computer on at home in their entire life and instead use candles and handwrite in their journals but realistically, to learn, you need to spend significant time on your practical skills and your ability to identify patterns and potential problem areas.

CTFs are a type of competition that are designed to essentially teach you how to break into systems by replicating things that professionals see in the wild. Sites like VulnHub host virtual machine images of intentionally-vulnerable systems for you to break into, and HackTheBox does the same but even hosts them for you. LeetCode is a hosted practical programming language learning environment. These resources are free and extremely easy to begin with.

5. Deep technical skills don’t matter (to a degree)

You don’t need to be able to write a thesis on MIPS assembly for a junior role. Penetration testing skills can be taught. What can’t be taught is passion. What is more important than these skills, in my eyes, is problem-solving skills. If you’re good at solving technical problems - chipping away at things until you understand the bigger picture - your penetration testing skills can be taught and refined over a period of time by shadowing or being coached by seniors. Companies aren’t realistically looking to hire a junior information security consultant and expect them to whip out expertise in x64asm to reverse some binaries. Understanding concepts, tools, and protocol basics (which can be learned via the internet and some playing around, as per point 4) is honestly enough to get started out.

Being able to program is a plus (and probably the first one you would want to work on), but being able to use hack a quick script together to automate something, use pre-existing tools (and modify them slightly, if variables are hard-coded) and read their help documentation would be a requirement. Being able to read packet dumps and infer basics of network flows is a plus, but being able to understand the basics about them (e.g., where the domain controller and router are on the network you’re in) would be a requirement. Everything has a high level and a low level understanding, and for those starting out you don’t need to run neck-deep into everything. That comes with experience and time.

6. Certifications aren’t questionable

Despite the fact that universities haven’t worked out how to move faster than light yet, some certifying bodies hold a considerable amount of weight. This is mostly down to how rigorous their course and examinations are.

One you may see mentioned a lot is the OSCP - Offensive Security Certified Professional. Bearers of the OSCP (which are numerous, it’s not a rare certification to have in the industry) have demonstrated they understand the fundamental pieces that make up penetration testing - including reporting. Your examination is graded on your ability to penetrate environments and your ability to report those findings. This is often considered a baseline certification. From an employer perspective if you can do this, you can perform the basics of penetration testing and you aren’t learning from complete zero when you get hired. It offers a platform from which your understanding of almost anything in information security will grow.

More academically, SANS is heavily recommended. More specifically, SANS 560 (and, later on, SANS 660) for courses following along the lines of the OSCP. These courses come in the form of a six day “boot camp”-esque environment where you learn over days one to five, and have a practical CTF on day six.