2013-10-10

Breaking in (to the information security field)

Much has been written about how to get started in InfoSec. Last week, I happened across this excellent post with guidance for college students interested in security. The fact is, most of his points are relevant for anyone, student or not, who feels that security is their calling. Of particular note is that you really need to love this field to make a career of it without getting burned out in the first few months.

Landing an internship is a good start. I've worked with some brilliant interns from high school and college, but internships are usually only available to students. Most security industry internships are not only paid, but paid quite well compared to many entry-level part-time jobs. Like most internships, you stand a pretty good chance of finding a job in the field if you excel at your work.

Brian Krebs has also sought advice from various high-profile folks in the industry. Most of their sentiments line up: Be curious. Learn. Tinker. Show it off. Crafting excellent write-ups shows potential employers that you're an effective communicator, and that you have the skill to really dig into and understand a topic. These traits matter through your entire career. Even now, with nearly half my life spent in the information security field, I still can't resist the urge to get my hands dirty in the lab. As for how to show off your findings and get involved with the community, try setting up a blog, hanging out in /r/netsec and visiting local gatherings such as CitySec, ISACA, OWASP, yes, even 2600. If you get a chance, big security conferences can be a lot of fun, but I'd argue they're less useful for getting your foot in the door, and more useful for getting to know others in the field from all over the world.

It's worth reiterating how unfathomably broad the field of information security is. If you're looking to get started, it's best to pick one or two subjects to really focus on. Many of the "fun" topics make use of both offensive and defensive skills. You might need to Google some of the sub-topics, but to name a few I can arbitrarily think of off the top of my head:

  • Network Security (Firewalls, IDS/IPS, WAF and penetration testing)
  • Software Security (Fuzzing, OWASP Top 10, code review, malware analysis, vulnerability exploitation)
  • Endpoint Security (Desktop security, FDE, Group policies, NAC, anti-virus)
  • Cryptography (Implementation, design, analysis and cracking)
  • Disaster Recovery (data backup/restoration/replication, RAID, UPS, hot-sites)
  • Authentication, Authorization and Accounting (Passwords, tokens, logging)
  • Security architecture and policy design
  • Governance, Risk Management, Compliance, Legal and Regulatory matters (GRC)
  • Physical and Operational security (surveillance, risk assessment, lock picking, social engineering)