“Advise for the young”

I just received this:

To Alec Muffett,

I’m a 19-year-old Australian male, and I’m interested in taking up a career in I.T. security.

What I would like to know from you is: do you have any recommendation as to where to begin learning about I.T. security? I have read your site and it’s one of the better sites I have been to in terms of knowledge.

I have experience with wireless setups, Linux, Novell, Windows, and more. I have been working with computers for the past four years. I started at a computer shop and now work at a high school (Secondary College), now into my second year fixing computer problems and managing users with Novell; I also helped with the deployment and management of a wireless network.

I would like to know where a good place would be to start for an I.T. security career.

Your help would be much appreciated.

Yours Sincerely,
Matthew Fava

So: Hi Matthew, it’s a fair question, and one that I get asked quite a lot, so I will try to give the best answer that I can, based on my personal experience.

Regarding security, I sort-of fell into it; the story of the writing of Crack is documented elsewhere, and the backplot to my getting a job in the field is essentially one of just being interested in the topic.

No joke.

The way to become a security expert real fast is:

  1. To have an honest interest in the subject.

  2. Read around the topic, lots; books, magazines, web-sites and forums. Read voraciously. Focus on specific aspects that may interest you.

  3. Experiment at home with security software and setting-up and penetrating your own defenses, learn how the tools work and what they’re doing; write your own tools, publish them as open-source, and refine them.

    and finally and most important…

  4. When friends and students and colleagues and cow-orkers ask a question about security, don’t say “I don’t know”, but instead say:

    That’s really interesting, I’ll go find out the answer and get back to you.

    …and then go do it; research the problem, dig into Google, find half a dozen solutions, try to understand the problem and the technologies, weigh up your own conclusion and solution, and, importantly, write it up in a short e-mail and send it to the questioner.

    This latter gives you an ASCII copy which you can keep forever and recycle next time someone asks you the same/a similar question. If you can’t decide/find an answer, don’t bullshit, but get back to the person telling them what you’ve tried, that you’ve failed, and that you’ll keep trying. Stay open-minded and stick to rational discussions without getting emotive. This goes doubly for responding to the mail-lists you’ll be reading.

In my glib moments I have been known to shorten this all to: the way to become a security expert is just to be one – which without context is less than helpful, but it is the essence. There is no secret ceremony, no one-foot-in-a-bucket-of-porridge swear-on-a-dead-goat masonic ritual to becoming a security geek; there’s nothing more to it than being interested in security, combined with being a helpful, expert type of person.

Regarding being an “Effective” IT geek, you have gotten one tip (“write up your answers and archive them for reuse”) above; to that I would recommend watching Danny O’Brien’s Lifehacks video, which provides marvellous hints on how to be as lazy as possible by keeping things simple and keeping/reusing every script and tool you ever write.

Thirdly, there is the implicit question in your e-mail, along the lines of “How do I get a job?”

That’s a harder one. I reckon that any IT job can be turned into a security job, but system administration is a good starting place. The usual suspects – IT hardware, software, consulting; ISPs and telcos – are generally the best breeding grounds. I did five years of sysadmin work for two employers when starting out, but had established my security bona fides in the first three years, and arrived at Sun with a fully founded reputation. Nowadays the market is bigger, and you’ll have to try harder.

Putting yourself through a certification like CISSP might help to fast-track your career, but I advise you to not treat the certification manual as gospel. Make up your own mind.

If someone says that the maximum number of TCP connections per second you should permit is 300, ask: why not 299? Or 301? Or 600? You’ll often find that they are unthinkingly reciting dogma or even just pulling figures out of their arse. It goes on. Be aware. The certification examiner may want a specific figure to show you’ve memorised their book, but real life doesn’t work like that.

Oh, and I recommend you read this book: [www.amazon.co.uk] – it’s nothing to do with security, but a good exposition of how to treat life in the manner of a security person.

Comments

4 responses to ““Advise for the young””

  1. alecm
    re: Sites

    ps: there are booklists and websites, too; securityfocus.com is the one i cite and visit most, but nowadays i tend to get most of my info through other/private resources, or over beer, so they don’t replicate well i’m afraid.

  2. Mark J Musante

    “There is no secret ceremony, no one-foot-in-a-bucket-of-porridge swear-on-a-dead-goat masonic ritual to becoming a security geek”

    Damn, I’ve ruined my best wellies for *naught*!

  3. Tess
    re:

    That’s a damn fine post, and I’d add that I think your advice works for just about every mentally-focussed job or vocation – it’s absolutely the way I got into mine.

    It pains me to see the focus many people put on ‘the course’ or ‘the certification’ because in my experience the really successful people are those who learn and do because they love it, not because it impresses an employer. Also there’s nothing more annoying than being told something should be done a certain way, because it “says so” in this or that course/certification/whitepaper.

    Or maybe I’m just getting old and value experience over book-learnin’ 😉

  4. Iang
    Play with Security Tools – GPG, SSH

    I’d suggest you get to know a few security projects. A couple of fine ones to play around with that expound on lots of challenging concepts are GPG and SSH. They are both small, relatively self-contained, and very useful tools in their own right. The tools will expose you to a lot of current security thinking far better than any book or class can.

    Once you learn how they work and how good they are, start working on how bad they are and how they don’t work! All security tools have huge gaping holes in them, and at this point you are faced with a lifetime decision: if you see the holes and feel comfortable about the critical side, you drift towards the technical side of computing. If you can’t see the holes or are uncomfortable about getting that deep or are just bored with it, you’ll drift towards the sales side.
