Starting out in Security
Security is an extremely wide topic that touches basically every single technology out there. Starting out can be pretty daunting, and it's oftentimes unclear what knowledge is required.
I've seen a lot of people asking the same question on Matrix.
Where do I start?
Instead of responding to every single person individually, I thought it would be beneficial to give people new to IT (and security) a starting point that introduces them to resources and to the mindset which distinguishes a good security / IT person from a LARPer.
IT OR SECURITY
I usually recommend that people get a job as a sysadmin or in helpdesk before they consider moving into security.
This might seem weird, but the amount of knowledge you gain by helping people and building systems, and which translates 1:1 into security, is amazing.
I worked for some years in a sysadmin role where I also did first and second level support. While this was usually pretty boring work it showed me what impact my actions had.
- Set up a new GPO to restrict service accounts from interactive logon?
- Phone starts ringing and users complaining that business processes stopped working.
- Disabled SMBv1 on Servers?
- ERP stopped working.
If you have the opportunity to start in security right away, take it! If you don't, consider starting in one of the two roles mentioned above.
Just don't stop learning.
EVER!
Mindset
Having the right mindset is probably the most important thing. This is not only related to security but IT in general.
Back when I started out I was reading a lot of E-Zines. Although many of the issues are already a little old, don't discount them! Age does not matter much when it comes to security vulnerabilities and how to protect resources.
For example: we've seen PoD (Ping of Death) come back multiple times across different releases, and the core technologies don't change that often.
Teaching somebody with the right mindset is easier than teaching somebody who already knows the basics but is unmotivated and thinks they know everything.
READ EVERYTHING
EVERYTHING is related to security.
There are no technologies that don't need protection (or can't be attacked).
This includes forcing yourself to read boring articles and even horribly translated whitepapers and Microsoft KB pages.
Stuff that appears useless at the start will come in handy!
CORE TECHNOLOGIES
Learn the core technologies.
- Networking (TCP/IP)
- Web technologies
- Core protocols
PROGRAMING & SCRIPTING
I'm of the strong opinion that somebody who works in security should know their way around languages.
It doesn't matter which language you start out with, but here are some ideas:
I usually recommend that people start with Python, as it's the easiest language to quickly get satisfying results with, and go from there. If you decide later to pick up a more low-level language like C, feel free to do so.
Once you've learned a language it usually gets significantly easier to adapt to another.
Exercism is a great resource to learn new languages. Give it a try!
OS "SPECIFIC"
I keep this in quotation marks since they aren't really OS specific.
You should learn PowerShell on Windows and bash on Linux.
They will help you to quickly develop ugly scripts and to interact with remote systems (PowerShell in particular).
DOMAIN SPECIFIC LANGUAGES (DSL)
While not necessarily scripting or programming languages, knowing certain DSLs is crucial.
This includes:
- SED - String manipulation
- SQL - Database interactions
- AWK - You don't need to be a god. Just learn how to print different columns ;)
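As an added example (not from the original post) of the sed and awk basics recommended above, the script below runs over a handful of constructed sshd log lines, embedded inline, in the layout of a Linux auth log. It shows the one awk trick the list asks for (printing a column with `$N`, here counted from the end with `NF` because the "invalid user" lines shift the field positions), counts failed logins per source address, and uses sed to redact the addresses before the lines get pasted into a forum question. The host names, addresses and timestamps in the sample are made up.

```shell
#!/bin/sh
# Added example: awk column printing and sed rewriting over constructed sshd log lines.
# The log content below is constructed for this example; the addresses are documentation ranges.
SAMPLE_LOG='Nov 18 08:06:29 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 18 08:06:31 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Nov 18 08:07:02 host1 sshd[1210]: Accepted publickey for alice from 198.51.100.23 port 40022 ssh2
Nov 18 08:07:45 host1 sshd[1215]: Failed password for invalid user test from 192.0.2.45 port 50110 ssh2
Nov 18 08:08:10 host1 sshd[1218]: Failed password for root from 203.0.113.7 port 51240 ssh2'

# Print one column per matching line: the source IP of every failed login.
# "from IP port N ssh2" always ends the line, so the IP is the fourth field from the end
# ($(NF-3)) whether or not the line contains "invalid user".
failed_ips() {
  printf '%s\n' "$SAMPLE_LOG" | awk '/Failed password/ { print $(NF-3) }'
}

# Distinct addresses that produced at least one failed login (sorted, one per line).
unique_failed_sources() {
  failed_ips | sort -u
}

# Number of failed logins from one address, passed as $1. awk's END block prints
# a count even when nothing matched (n is empty, so n+0 yields 0).
failed_count_for() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk -v ip="$1" '/Failed password/ && $(NF-3) == ip { n++ } END { print n + 0 }'
}

# Timestamp (columns 1-3) plus the account name for each failed login, the way you
# would summarise events before asking a question about them.
failed_summary() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk '/Failed password/ { print $1, $2, $3, $(NF-5) }'
}

# sed: replace every dotted-quad address with a placeholder so the lines can be shared.
redact_ips() {
  printf '%s\n' "$SAMPLE_LOG" | sed -E 's/([0-9]{1,3}\.){3}[0-9]{1,3}/<ip>/g'
}

# Usage: run the script directly to see each helper's output.
echo "failed logins per source:"
failed_ips | sort | uniq -c
echo "failed logins from 203.0.113.7: $(failed_count_for 203.0.113.7)"
echo "redacted lines for sharing:"
redact_ips
```

The `$(NF-5)` in `failed_summary` relies on the same fixed tail of the line: `user from IP port N ssh2` puts the account name six fields from the end for both the `root` and `invalid user admin` forms, which is the point of counting from `NF` instead of hard-coding `$11`.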
Other "languages"
- Markdown - Used for writing manuals & documents
- YAML - Human readable file format
- JSON - Same as YAML but more targeted at machines
- HTML - I know w3schools had some controversy, but it's fine now.
- CSS - Apply formatting to HTML
KNOW HOW TO ASK QUESTIONS
You shouldn't be afraid of not knowing every single thing, but do ask the right questions.
Bad
Sup guys, I want to hack my friend's machine (with his permission). How do I do that?
Good
Sup guys, I want to hack my friend's machine (with his permission). I found this tool and tried to run it, but it returns an error code.
[11/18/2022 08:06:29] [e(0)] core: NoMethodError : undefined method `+' for nil:NilClass ...
I tried to google for that error and found a GitHub issue, but I don't know how to proceed.
- Don't be annoying. (Nobody owes you their time.)
- Don't expect an answer right away.
- Don't expect spoon feeding.
- Include what you already tried.
Security is hard. Security is a team effort. You are not alone!
DON'T BE A ZEALOT
You might be wrong.
Even new people can bring interesting perspectives to discussions or help you figure stuff out. Don't discount someone's opinion just because of their age or inexperience.
This includes OS fanatics as well. The number of times I've read:
Hurr Windows is insecure. Use GNU/Linux. All hackers use it!!111
is astonishing.
While I agree that knowing GNU/Linux is an important part of security, most big company infrastructures run on Windows.
BE OS AGNOSTIC!
I wouldn't recommend just jumping straight into GNU/Linux. Use WSL2 and get comfortable with the CLI.
If you feel secure enough, try running Ubuntu in a virtual machine.
It's kinda funny that people think the common GNU/Linux distributions are more secure than Windows 10/11. The main reasons behind this are historical and usage-based (no, 2022/2023 isn't the year of the Linux desktop), as well as the horrible defaults that Microsoft ships Windows with.
TRY TO IMPROVE
Try to not be a script kiddie.
- Understand what impact the tools and commands you run have. Don't just fire off random Metasploit modules against targets without knowing what they actually do.
- Write your own NSE modules even if it means just rewriting something that already exists.
- Don't be afraid of making mistakes but take something away from them.
- No point in running a command which fails without trying to figure out why it failed.
CTFs
While I hold the opinion that CTFs don't necessarily translate all their skills to the real world, they teach you the right mindset and commonly found issues, so it's worth the time to do some.
As a beginner I would recommend starting out with OverTheWire - Bandit, which also teaches you bash and some common GNU tools. HackTheBox also has some great starting machines.
REDISCOVER THE WHEEL
Just because something already exists doesn't mean that you can't rediscover it.
Building already existing tools in your own vision (and maybe in a different language) can be a great way to learn a lot of valuable knowledge.
FOSTER THE COMMUNITY
Try to be a part of the community. It doesn't matter if you're new or inexperienced. Try to learn and engage! Nobody started out as a wizard.
BUILD A FOOTPRINT
You won't believe how much this impacts recruiting decisions. If I see somebody who applied to a job with a personal mail domain, be sure that I'll check out their DNS records.
- Create a Github account and upload your creations!
- Publish a blog or a personal website
TL;DR: GIVE ME RESOURCES
- Books
  - Networking (TCP/IP) - Network basics
  - Web technologies - Covers browsers & web technology security
  - Black Hat Python - Python for hackers
  - Black Hat Go - Golang for hackers
  - Windows Internals - Windows OS deep-dive
  - Advanced Penetration Testing - Build your own C2 infrastructure
- Online resources
  - Begin.RE - Introduction to reverse engineering
  - HackTricks - Collection of hacking techniques
  - Ptest Method - Collection of different security techniques
  - Hacker Recipes - Mostly AD-based exploitation techniques
- CTF
  - OverTheWire - Bandit - Online beginner CTF without the need to install anything.
  - HackTheBox - CTF community with a huge amount of exploitable VMs
- Tools
  - Sysinternals - Windows advanced system utilities, learn these!
  - Metasploit - Huge exploitation framework
  - CrackMapExec - Swiss army knife for remote Windows exploitation
  - SQLMap - Ezpz script-kiddie SQL injections
  - Mimikatz - Windows secrets dumper
  - nmap - Port & security scanner
  - OpenVAS - Vulnerability scanner
- Virtualization - Get comfortable with at least one
  - VirtualBox - Free hypervisor
  - VMware - Free hypervisor
- Containers
  - Docker - Seriously, learn Docker!
- Distributions/OS
  - Kali - Distribution which already ships with a lot of tools.
  - Windows Server 2022 - Windows Server ISO (Run in a VM and build an AD)
  - Windows 10 ISO - Windows 10 ISO (Run in a VM and join it to the domain). You can use massgravel to activate the Windows systems.
- Blogs and Twitter
  - BleepingComputer - Reports about vulns & breaches
  - packet storm - Public exploits & whitepapers
  - exploit-db - Public exploits & whitepapers
  - DFIR Report - Reports about recent breaches
  - SwiftOnSecurity - Sometimes good posts about IT in general