Starting in Security
A brief description of starting in cybersecurity
Tags: Cybersecurity, Career Journey
Weston Wilson
10/16/2022, 4 min read
I wanted to start this site off by walking through my journey of getting into security. Most of my life I have been around computers. Around the age of 13, I started building my own computers. A couple years later, my older brother started getting me into Linux. It was about that time I was introduced to my first hacking experience with Hack This Site.
All of this was very overwhelming to me at the time. If you are trying to learn security, don’t be discouraged by lack of quick progress. The world of security is vast and requires knowledge in many areas in order to be “great”. In truth, very few are great within the security space. Most of the “greats” are simply very good at a single or handful of practices within security. If you are new to or trying to get into security, my advice would be to find something you are passionate about and pursue it as much as you are able to. Starting out, that may mean many detours to get your base knowledge built up, but that will make you better in more areas. Some of the best security practitioners come from system administration, networking, or programming backgrounds.
Continuing on in my journey, I had a professor covering CompTIA’s A+ computer technician certification in one of the early courses of my major. This particular professor happened to be a penetration tester by day and would work tidbits of security perspective into the lectures. Things that made you think, such as, “Sure, downloading a pirated copy of Windows may give you the operating system, but what else did they include in that version?” By the end of the course, I was convinced I needed to dive deeper into security. I started making good progress towards my degree and got a job at a helpdesk for a large company. This taught me a lot about corporate IT. Working on a helpdesk gives you a great amount of knowledge and provides an entry point into a company. It is hugely beneficial for learning how things operate (both tools and processes), which is invaluable for security professionals.
After working at the helpdesk I was able to transition within the company to a couple of different roles where I learned a lot about development processes, security, and the disparities between “IT” and “Security”. I gained the insight that there was too little knowledge of software development on the security teams and too little security knowledge within the development teams. This may have changed in recent years, but most software development courses and programs include little to no security training or secure coding practices. Rather than working together to secure the company, security teams are often seen as a hindrance to getting work done. On top of that, security is typically an afterthought when using or developing new tools. When the world runs on software, not having a solid understanding of tools, processes, and coding is a huge gap and makes securing the company very difficult. If you can’t explain to a developer or business owner why a vulnerability is a problem, how can they trust your assessment? If they talk about safeguards you don’t understand, how can you be sure the safeguards work? Unless you have a very strong voice from a CISO, security practitioners need to work together with the other teams in the company and build relationships with those teams to improve the security posture.
I next moved into a consulting startup company, which was hugely beneficial for learning many different processes and tools across various organizations. Working for a startup allowed me to help out with security tools and policies as well as with software development. I also came to understand that security needs to align with company objectives. I used to think that security needed to be done so that no vulnerabilities existed. However, if it costs $200,000 to secure a system that only saves the company $100,000 of risk, that doesn’t make sense for the company financially. There are some cases where the security findings still need to be resolved despite the company’s profits, and I wish it was more on the side of my original thinking. Perhaps one day we can find a way to reduce costs or improve practices to make security more attainable in those hard-to-reach areas.
If you are new to security, don’t discount your knowledge or experience just because it’s not directly tied to security. If you are looking for some useful tools to improve your knowledge or skills, I can recommend a few that have helped me through my career. I am not receiving any compensation from the tools I recommend - they are simply things that have helped me. This hacking website provides walkthrough guides to teach you about security: TryHackMe. TryHackMe has a paid version that gives access to additional resources, but most of my learning has come from the free paths. A great resource for learning development is Codecademy. Again, this site has a premium version that gives more practical exercises for reinforcing your skills, but I have found the free version to be adequate. Keep in mind that these provide a good baseline, but additional practice is needed. Hack The Box is another great tool that is a bit more advanced than the others. You actually have to hack the site in order to register. Please keep in mind that hacking is illegal unless explicit permission is given to allow you to hack a resource. OWASP provides a Top 10 list of the most exploited vulnerabilities. If you can gain an understanding of the vulnerabilities on OWASP’s list, you should be able to help secure most systems.
There are so many different tools that can be used to learn security and I will try to cover those in another blog post down the road. In the meantime, stay safe out there, and keep learning.