How to get started in infosec?

I am keeping here a list of all articles I find on "getting started in infosec" and try to summarize their content in one list. This is not really meant to be public, it is just for me to centralize all this information.

So here is my understanding and summarization of all the articles I read on "how to get started in infosec?".

All your base are belong to your success

It is really important that you know your fundamentals, your basics of Computer Science. That is, you need to know about programming, networking and administration. It is important that you know at least one programming language very well, along with its standard library. You need to know about networking: TCP/IP, routing, VLANs, VPNs and port numbers. Last but not least, you need to know how to administer a server, be it Linux, *BSD, Windows, IOS, CentOS, etc. You need to know how to set up a web server, a firewall, and so on.

Think right, think through

You need the right mindset. Thinking from a security standpoint means that you are always challenging the assumptions of the system you are studying. What if X is not true? What if I knew this? What don't I know?

Security is about finding flaws in your thinking and in other people's thinking.

Practice makes perfect

You need to practice your skills and for that you need to build a lab. This lab allows you to replicate experiments and conduct your own security projects.

You don't exist if you don't show

You need to share your projects and to communicate what you are doing to others, be it at conferences or on the Internet.

You don't exist if you don't speak

You need to get involved in the community and build a network of acquaintances. Go to your local group, go to conferences, meet people.

You won't be doing this for long if you don't have damn good reason(s)

You need to know why you are doing this. Why do you want to work in infosec? Is it because of the challenge? Of the money? To help people? Find your reasons. Also, you need to know what you want to do. What are your objectives? What do you want to achieve by working in this field?

Start slow, but start now!

You can't know it all at once. Pick a subject that will help you reach your goals, then learn and do what you need to achieve it. Build on your skills and network.

And that's pretty much it. It looks like a lot of work (and it is), but this should be very rewarding (money-wise, fame-wise and, more importantly, fun-wise).

Resources

So you want to work in security (but are too lazy to read Parisa's excellent essay)

By lcamtuf, the author of "The Tangled Web: A Guide to Securing Modern Web Applications".

  1. Always question the assumptions that make systems work. « What if assumption X is not true? »
  2. It's a protoscience, nothing holds true forever.
  3. Be humble, challenge your knowledge, be honest with the people you're protecting.
  4. You're not better than the others, no better than the other software engineers.

So, you want to work in security?

By Parisa Tabriz.

  1. There is no perfect path or curriculum.
  2. Different skills and tasks are required (offensive, defensive, monitoring).
  3. Programming is about building software using layers of abstraction; security is about finding the flaws in the assumptions behind those abstractions.
  4. You need to understand how people work and how they use the software.
  5. Practice a lot, in work, in a club, by yourself.
  6. Write code.
  7. Break code with debugger, fuzzer, your brain, etc.
  8. Share your knowledge with others in blogs and in conferences.
  9. Practice your communication, you need to be able to teach non-technical people the security issues that affect them.
  10. Expect to work hard, and to fail often.
  11. (Try to) Be optimistic, do not let all the flaws and issues affect your motivation to improve the whole situation.
  12. Ask for help.

Getting into Security Engineering

https://noncombatant.org/2016/06/20/get-into-security-engineering/

  1. Know your reasons. Why do you want to work in this field :
    • intellectual challenges
    • you want to help people
    • you want the money
  2. Get started right now!
  3. Alternate between security engineering and software engineering, they're both engineering tasks.
  4. Doubt abstractions and dependencies. A software engineer builds something that works; a security engineer is worried until s/he knows a few ways in which it doesn't work.
  5. Abstractions are lossy and vulnerable. Find the tensions between the abstraction and the layer it abstracts.
  6. You need some skills :
    1. Foundations
      • 1 programming language in depth
      • its standard library in depth
      • networking in depth
      • 1 OS in depth
    2. Progressing
      • master more languages
      • contribute to its implementation
      • learn about cryptography
      • learn about hardware engineering
      • learn about programming language theory
      • Branch out into platform security engineering (changing platforms, and developing new platforms, to better serve application security needs)
      • Study distributed systems theory
      • Learn about performance engineering
      • Learn about experience design: bad applications are badly used and are security problems.
  7. A reading list
    • Saltzer and Schroeder’s The Protection Of Information In Computer Systems is a foundational text.
    • For web security, I recommend The Tangled Web by Michal Zalewski. Zalewski also has another excellent book, Silence On The Wire, about techniques for passive surveillance in a variety of domains. Zalewski is also the author of American Fuzzy Lop, an excellent fuzzer.
    • Cryptography Engineering by Ferguson, Schneier, and Kohno is a good introduction to applied cryptography.
    • For understanding C and doing reverse engineering, you’ll want a good assembly language book, such as Art Of Assembly Language by Hyde.
    • Ross Anderson’s excellent omnibus, Security Engineering, is available online and on paper.
    • Another great book is The Art Of Software Security Assessment by Dowd, McDonald, and Schuh.
    • There are also many good blogs and magazines. A random sampling might include the Project Zero blog, PoC||GTFO, Joanna Rutkowska’s blog, and Matthew Green’s blog.

How to Break Into Security, Miller Edition

By Charlie Miller.

  • Government agencies provide good training, but you don't have much to show because it's classified.
  • Government agencies don't pay as much as private companies.
  • Know your tools and be able to use them without thinking about them (fuzzer, debugger, valgrind, etc.)
  • Certifications aren't as important as a portfolio. If a company wants you and you don't have the required certifications, you can pass them when needed.
  • Be passionate: would you still be doing this job if you didn't have to (being a millionaire)?

How to Break Into Security, comments

By Richard Steven Hack. (comment1, comment2)

  1. Download everything on security from alt.binaries.ebooks.technical
  2. Download all SANS and CEH courses from Bittorrent.
  3. Download as many talks from infosec conferences and watch them. You'll see the good, the bad and the ugly. Especially anything by Joe McCray and Jason Street.
  4. Download every security tool you can find and run it. Make an inventory of the tools in an organized way, with notes so that you can use it when you need to.
  5. Think about security.
  6. Think about what you want to accomplish in the field, what kind of companies you would like to work for, those that you don't want to work for.
  7. Finally, remember what Robert Ringer said in one of his books. Don’t work your way up the ladder. Leapfrog it and start operating on any level you want. Just be prepared to be knocked back down the ladder if you’re not really able to operate there.

By Ryker E (comment1)

  1. Read and watch online courses (securitytube.com, /r/netsec, etc.).
  2. Read books such as 1597496553, WAHHv2, the OWASP Testing Guide, and a CISSP study guide for a good overview of different security areas.
  3. Attend local, national and international infosec meetups. (DefCon groups, ISSA, OWASP, Derbycon, defcon/blackhat, BSides, etc.)
  4. Find what interests you in infosec and target your knowledge to it.

How to Break Into Security, Richard Bejtlich

By Richard Bejtlich.

Build a lab to experiment with a lot of tools. That's it.

How to Break Into Security, Jeremiah Grossman

By Jeremiah Grossman.

  1. Find a niche that you want to know about, you can't do everything, at least you can't do everything right.
  2. Find areas in your current job where you can do security-related stuff.
  3. Web application security, finding 0days, and working for governments are areas in which infosec skills are required and in demand.
  4. Most, if not all, current exploits aren't new techniques; they're all old techniques based on new 0days. The methods aren't new, only the way to use them.
  5. Finding 0days is probably a large part of the future of infosec.
  6. Practice, either with hackme-like sites or applications, or by looking for bugs in bug-bounty programs.
  7. Attend infosec conferences.

How to Break Into Security, Bruce Schneier

By Bruce Schneier.

  1. There are a lot of subspecialties in infosec (making secure software, protecting software, hacking software or networks, cryptography, virus development, policies, etc.)
  2. Study online courses
  3. Read books
    • Cryptography Engineering : Design Principles and Practical Applications
    • Security Engineering: A Guide to Building Dependable Distributed Systems 2nd Edition
    • The New School of Information Security 1st Edition
    • Crimeware: Understanding New Attacks and Defenses 1st Edition
    • The Mac Hacker's Handbook 1st Edition
    • The Giant Black Book of Computer Viruses Paperback – June, 1998
    • Secrets & Lies : Digital Security in a Networked World
    • The Hacking Exposed Series
    • Robust Control System Networks Hardcover – September 15, 2011
    • Managed Code Rootkits: Hooking into Runtime Environments Paperback – October 28, 2010
    • Intelligence: From Secrets To Policy, 4th Edition
    • The Hacker Crackdown: Law And Disorder On The Electronic Frontier Mass Market Paperback – November 1, 1993
    • Wireshark Network Analysis: The Official Wireshark Certified Network Analyst Study Guide
    • The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System Paperback – May 4, 2009
  4. Do. Practice as much as you can.
  5. Show. In your blog, on mailing lists, in conferences, etc.
  6. Have the right mindset : engineering is about making things that work, security is about finding flaws in them.

How to Break Into Security, Thomas Ptacek

By Thomas Ptacek.

  1. It pays well, and the fun jobs are well paid.
  2. Appsec is the biggest field with the biggest interests.
  3. Practice with available tools such as Nessus. https://www.tenable.com/products/nessus-vulnerability-scanner
  4. Read The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition
  5. Install an old WordPress version
  6. Grab https://www.owasp.org/index.php/WebScarab_Getting_Started or https://portswigger.net/burp/
  7. Find bugs in WordPress

How to build a successful Information Security career

By Daniel Miessler.

  1. Know your basics : Development, Networking, Administration
  2. Build your lab
  3. Have projects, show the world what they are.
  4. Have an online presence.
  5. Get some certifications (CISSP, CISA/CISM, SANS GSEC/GPEN/GWAPT)
  6. Network at conferences and local groups
  7. Find a mentor, offer to do some of their work for them
  8. Go to conferences (DerbyCon, ShmooCon, ThotCon, CactusCon, HouSecCon)
  9. Contribute to open source software
  10. Participate in conferences
  11. Mastering professionalism
  12. Understand the business
  13. Having a passion
  14. Become the guru

Starting an InfoSec Career – The Megamix

Fundamentals, Education, Fields and niches
https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/
Blue Team & Red Team careers
https://tisiphone.net/2015/11/08/starting-an-infosec-career-the-megamix-chapters-4-5/
Self-study options
https://tisiphone.net/2016/02/10/starting-an-infosec-career-the-megamix-chapter-6/
Landing the job
https://tisiphone.net/2016/08/26/starting-an-infosec-career-the-megamix-chapter-7/
  1. Get your fundamentals right : programming, networking and administration.
  2. Get certifications if you can afford them, but don't ruin yourself over them.
  3. Pick a team, learn your role, and switch!
  4. Get a lab
  5. Practice at CTFs
  6. Build a network with conferences and local groups
  7. Read books
    • Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses (2nd Edition)
    • RTFM: Red Team Field Manual
    • Hacking: The Art of Exploitation, 2nd Edition
    • Windows Internals, Part 1 (6th Edition) (Developer Reference)
    • Social Engineering: The Art of Human Hacking
    • Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
    • The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers
  8. Follow blogs
    • There are an immense number of amazing security blogs out there, but a very short list of my favorites includes Dark Reading, Krebs on Security, McGrew Security, Graham Cluley, Naked Security, Lenny Zeltser, Troy Hunt, Andrew Hay, Threatpost, and Andy Ellis.

Chapters 4 and 5 describe the different positions that exist in infosec, in both blue team and red team. So far, secure development seems to be the one I would like to pursue.

Interviewing InfoSec entrepreneur Lance Miller

By Lance Miller.

Not much interesting in it.

How to become a pentester

On corelan.

  1. Learn your fundamentals.
  2. Get a network.
  3. Get your hands dirty (practice, do not hack without authorization).

Breaking into Security

https://digi.ninja/projects/breaking_in_part_1.php, https://digi.ninja/projects/breaking_in_part_2.php

  1. Know programming
  2. Certifications can help
  3. Go networking
  4. You need to be able to interact with people, and to write good reports.
  5. Practice and study hard.
  6. You need passion to keep it up.
  7. Don't be afraid to ask for help.

How To Become an Infosec Expert, Part I

List with a lot of links