Getting into InfoSec

From CorkSec / DC021353 Wiki

By far one of the most common questions we hear during CorkSec meetups is "How do I get started in Security?". Luckily there are many very useful resources out there for this, and we have even had talks specifically on this subject. The below was originally posted in 2017, but it largely holds true today.

UPDATE: Jack wrote a newer version of this article in 2020 HERE


Musings, links and more - by Jack Baylor

Act 1: HELLO WORLD: Basics, information and presence

"So you wanna be an InfoSec rockstar, and live large? Zero days & fast cars?" - Cypress Hill (if they chose to rap about information security rather than other topics)

But seriously, most people are here as they want to break into InfoSec from a pre-existing IT career. So, where to start? What's needed? What should you already be bringing to the table?

One thing that people look for when interviewing for junior / early career InfoSec jobs is PASSION... the willingness to stay up all night learning the new thing, to keep up with and ahead of the curve. A lot of the tech can be taught, but the passion has to be already there. You want to be able to demonstrate that pre-existing passion.

First and foremost: learn the TCP/IP stack intimately, then learn to use Wireshark so you can analyse packets on the move.

1. TCP/IP fundamentals: (http://www.steves-internet-guide.com/internet-protocol-suite-explained/)

2. TCP/IP overview in video form: (https://www.cybrary.it/video/osi-and-tcpip-models-overview/)

3. Wireshark 101: (https://lcuportal2.com/wireshark101.html)

4. How to use Wireshark: (https://www.hackingloops.com/how-to-use-wireshark/)

Knowledge is power. Leverage blogs, Twitter and other services to keep your finger on the pulse of what's new in InfoSec.

1. https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/

2. http://krebsonsecurity.com/category/how-to-break-into-security/

3. https://digitalguardian.com/blog/top-50-infosec-blogs-you-should-be-reading

I always recommend creating a Twitter account *solely* for InfoSec related content. Add the key players, see what they're reporting or retweeting. Put your slant on it, reach out and talk to them. (Mine is @2wiredSecurity, and it's enabled me to talk to my heroes, and helped me land my first job in IT Security. 2 years later, I still can't recommend this technique enough.)

Ok, so, you're hooked up with the latest news from some of the bigger movers and shakers. You're firing up your passion and solidifying the basics of networking that everything's built on... now what?

Time to roll up your sleeves and get to it!

Act 2: Stepping out into the world

Blue Team? Red Team? What area suits me right now? The short answer is: whatever leverages your existing skills and interests. If you already know the underlying tech or foundations, learning the new stuff will be easier. If it sparks a flame in your heart, you won't even notice those hours spent turning pages and booting up virtual machines fly by. So get out there and whet your appetite!

Blue Team:

o Have a go at the OLEDUMP project to start yourself off on the Blue team (defense) here: (https://dfir.it/blog/2015/06/17/analysts-handbook-analyzing-weaponized-documents/)

o Learn the basics of a scanner like Nessus to discover vulnerabilities on your network: (https://www.cybrary.it/skill-certification-course/nessus-fundamentals-certification-training-course)

o Or maybe just kick things off by getting to grips with OSSEC host intrusion detection system (HIDS) here: (https://www.pentestpartners.com/blog/diy-how-to-build-your-own-host-based-ids-hids-using-ossec/)

Red Team:

o Start by learning to use Burp Suite (http://academy.ehacking.net/courses/burp-suite-web-penetration-testing)

o And BeEF (https://www.hackingloops.com/beef/)

o Then have a little go at the SQL injection course here: (http://zerofreak.blogspot.co.uk/p/sqli-tutorials.html)

Act 3: Mastering your trade:

You're going to start stockpiling some serious amounts of online resources, and developing an unhealthy personal library. This is natural. Don't fight it, embrace it. Just make sure your filing system is on point from the start: bookmark ALL the things!

CYBRARY MegaDump including books, videos and more: https://www.cybrary.it/0p3n/information-research-content-categorization/

BOOKS

Here are some of the "bibles" you need to get acquainted with for a generalist InfoSec role:

1. "Wireshark 101" http://www.amazon.com/Wireshark-101-Essential-Analysis-Solutions/dp/1893939723/

2. "The Art of Memory Forensics" http://www.amazon.com/Art-Memory-Forensics-Detecting-Paperback/dp/B00RI5ZKCI

3. "Practical Malware Analysis" http://www.amazon.com/Practical-Malware-Analysis-Dissecting-Malicious/dp/1593272901

4. "The Practice of Network Security Monitoring: Understanding Incident Detection and Response" http://www.amazon.com/Practice-Network-Security-Monitoring-Understanding/dp/1593275099

5. "The Tangled Web: A Guide to Securing Modern Web Applications" https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

Certification

Ok, this is possibly the most controversial section. Some people will say:

o "certs don't mean anything, they can be basically bought by forking out a few thousand dollars, attending a bootcamp and passing the exam on the last day."

o "the proof of the pudding is in the eating, and it doesn't matter how many certifications you have if you've no real world experience."

o "In an ideal world, your experience should be all that people need to check"

My argument is simply that we don't live in an ideal world. Your application is a response to a job vacancy written up by an HR staffer, if you're lucky, or a 3rd party recruiter with little to no understanding of what that role requires. Hence you see roles like "Junior Analyst required, must have CISSP". Thing is, you need 4-5 years of direct InfoSec experience before you can fully achieve the CISSP... it's like asking for a "Windows 10 Admin with 15+ years experience"...

Right, rant over. Here are the realities, as I see them.

Certifications offer a standardised way for recruiters, HR interns and automated CV scanning software to gauge if you're qualified to get an interview. After that point, it's all about what you actually know, what you can do, and how you communicate. But let's concentrate on getting you to that point, and worry about the rest afterwards!

Remember, this is in no way a comprehensive list, nor is it listed in order of importance, difficulty or cost.

Beginner:

o CompTIA Network+

o CompTIA Security+

o Mile2 C)PTE - Certified Penetration Testing Engineer

o GIAC GSEC (GIAC Security Essentials Certification)

o ISC2 SSCP (Security Systems Certified Professional)

Intermediate:

o Cisco CCNP Security

o Palo Alto (various)

o Juniper (various)

o CompTIA CASP

o Offensive Security OSCP (Penetration Testing using Kali Linux)

o GIAC GWAPT (Web Application and Penetration Testing)

o GIAC GCFA (Certified Forensic Analyst)

o GIAC GREM (Reverse Malware Engineer)

o GIAC GCIH (Incident Handler)

Advanced (Management orientated):

o ISC2 CISSP

o ISC2 CAP

o ISACA CISA

o ISACA CISM

Here are two "certification path" guides, issued by two major certification issuers, CompTIA and SANS. Bear in mind that both of these are highly biased, as each is in the business of delivering training materials and certifications for profit, so read between the lines, and use the suggested skill-sets to roughly gauge your intended direction. There are far more certs out there than those listed here, and some are more difficult / popular / valuable than suggested, others far, far less. As the Romans used to say: "Caveat emptor!"

o SANS / GIAC: https://www.sans.org/media/security-training/roadmap.php

o CompTIA: https://certification.comptia.org/why-certify/roadmap

To be continued!

Links to other "Getting Started" guides: [1] and this list of courses

**** UPDATE - JACK ALSO GAVE A DETAILED TALK ON THIS SUBJECT AT CORKSEC 63 (SEP 2018) ****



Security Roles in Ireland - Bob

Once you have gotten your head around the learning side of Info Security, an obvious question is: what jobs are out there? There are a couple of places to start when looking for the major security companies in Ireland today, and here are some of the better ones:

1. Nice detailed list from UCD : [[2]]

2. Discussions of some of the companies in Cork [[3]]

3. CorkSec's own Meetup mailing list - subscribe to the mailing list, as we regularly send out new roles as we become aware of them [[4]]


Security Events in Ireland - Bob

Security conferences are a great place to go and hear interesting talks, and to meet others with similar interests. Here we list some of the main annual events in Ireland:

1. ZeroDayCon (Q2) [[5]]

2. Secure Computing Forum [[6]]

3. Irisscon (Q4): a one-day conference run every year by IRISSCERT. 100-150 attendees and a good mix of talks. Also a good social gathering afterwards to meet others with similar interests [[7]]

4. Cyber Threat Summit (Q4) [[8]]