“Advise for the young”

I just received this:



To Alec Muffett,

I’m a 19yr Australian male, and interested in taking up a career in
I.T. Security.

What I would like to know from you is do you have any recommendation
as to where to begin to learn about I.T. security. I have read your
site and it’s one of the better sites I have been to in terms of
knowledge.

I have experience with wireless setups, Linux, Novell, Windows, and
more. I have been working with computers for the past four years. I
started at a computer shop and now work at a High school (Secondary
College), now into my second year fixing computer problems, managing
users with Novell and also helped with the deployment and management
of a wireless network.

I would like to know where a good place would be to start for an I.T.
security career.

Your help would be much appreciated.

Yours Sincerely,

Matthew Fava



So: Hi Matthew, it’s a fair question, and one that I get asked quite a
lot, so I will try to give the best answer that I can, based on my
personal experience.


Regarding security, I sort-of fell into it; the story of the
writing of Crack is documented elsewhere, and the backplot to my
getting a job in the field is essentially one of just being
interested in the topic.


No joke.


The way to become a security expert real fast is:



  1. To have an honest interest in the subject.

  2. Read around the topic, lots; books, magazines, web-sites and
    forums. Read voraciously. Focus on specific aspects that may
    interest you.

  3. Experiment at home with security software and setting up and
    penetrating your own defenses, learn how the tools work and what
    they’re doing; write your own tools, publish them as open-source, and
    refine them.

    and finally and most important…

  4. When friends and students and colleagues and cow-orkers ask a
    question about security, don’t say “I don’t know”, but instead say:
    “that’s really interesting, I’ll go find out the answer and get
    back to you.”

    …and then go do it; research the problem, dig into Google, find
    half a dozen solutions, try to understand the problem and
    technologies, weigh up your own conclusion and solution, and
    importantly write it up in a short e-mail and send it to the
    questioner.

    This latter gives you an ASCII copy which you can keep forever and
    recycle next time someone asks you the same/a similar question. If
    you can’t decide/find an answer, don’t bullshit, but get back to the
    person telling them what you’ve tried, that you’ve failed, and that
    you’ll keep trying. Stay open-minded and stick to rational
    discussions without getting emotive. This goes doubly for responding
    to the mail-lists you’ll be reading.



In my glib moments I have been known to shorten this all to: “the
way to become a security expert is just to be one”, which without
context is less than helpful, but it is the essence. There is no
secret ceremony, no one-foot-in-a-bucket-of-porridge
swear-on-a-dead-goat masonic ritual to becoming a security geek;
there’s nothing more than the “being interested in security”
aspect, combined with being a helpful, expert type of person.


Regarding being an “effective” IT geek, you have gotten one tip
(“write up your answers and archive them for reuse”) above; to that I
would recommend watching Danny O’Brien’s Lifehacks video, which
provides marvelous hints on how to be as lazy as possible by keeping
things simple and keeping/reusing every script and tool you ever
write.


Thirdly, there is the implicit question in your e-mail, along the
lines of “How do I get a job?”


That’s a harder one. I reckon that any IT job can be turned into a
security job, but system administration is a good starting place. The
usual suspects (IT hardware, software, consulting; ISPs and telcos)
are generally the best breeding grounds. I did five years of sysadmin
work for two employers when starting out, but had established my
security bona fides in the first three years, and arrived at Sun with
a reputation fully founded. Nowadays the market is bigger, and you’ll
have to try harder.


Putting yourself through a certification like CISSP might help to
fast-track your career, but I advise you to not treat the
certification manual as gospel. Make up your own mind.


If someone says that “the maximum number of TCP connections per
second you should permit is 300”, ask: “Why not 299? Or 301? Or
600?”; you’ll often find that they are unthinkingly reciting dogma
or even just pulling figures out of their arse. It goes on. Be
aware. The certification examiner may want a specific figure to show
you’ve memorised their book, but real life doesn’t work like that.


Oh, and I recommend you read this book:
[www.amazon.co.uk] - it’s nothing to
do with security, but a good exposition of how to treat life in the
manner of a security person.


This work is licensed under a Creative Commons License.