Getting Into Security
24 Jan 2018
I might break a lot of minds with this first statement –
Security can be your first career. But this isn’t the norm, and you have the responsibility to pave your own path.
There is an incredible amount of ‘how to get into infosec’ resources out there. I’ve explained my own story, given it for others to integrate into their own talks about it, and read countless pleas from those who are lost.
There’s a reason for it. There is no path. We are finding some right now. It’s an incredibly daunting, but also awesome time for security noobies, and we are building a new future. I am on the frontlines, middle of the crossroads. I bust into the scene when it was a kindling mega-industry, and now it’s at the forefront of most people’s minds. Incredible times!
I’m gonna repeat this little bit again – You have the responsibility to pave your path in information security. You’ll wander through the roads of many others. We’re paving over them, but can’t stamp them out. Today’s conversations have been raging for 20+ years and require a lot of context and knowledge if we want to contribute to them.
One thing we know is that there is a ‘talent shortage’, cybercrime isn’t going anywhere, and people are having a hard time finding their path ‘in’. I’d like to say there’s a solution. A workshop, certification, bootcamp, etc. but the reality is that it’s way too big of an issue for it to all be addressed in any one way. Enter the entropic world of ‘beginning’ security.
Security is a dangerous term. It speaks for a LOT. It means infrastructure, development, psychology, technology, science. Any human interest can expose an avenue in enriching a deeper security program. You have to understand complex ecosystems. Both highly technical, but maintaining a grounded reality in how systems are (ab)used by end users, what business priorities are, and making tough decisions surrounding risk exposure.
If you are unable to accomplish meaningful thought regarding the above tasks, I’d assert you will have a difficult time getting into security. You likely need more experience. It may be possible to go a strictly technical route, and it can certainly be fruitful for many people. I find that after so long as a bug bounty hunter, or pentester (separate from red teamer, IMO), people realize they hit a wall in those accompanying skills and lose satisfaction in their careers – you’ll hear the term ‘soft skills’ a LOT from those who help build up career newbies.
Exposure is everything. If you haven’t been the user of a system, or been supporting them, it’s likely impossible to know their mindset. If you haven’t administered a Windows environment it’s hard to know what its logs mean. If you haven’t worked as part of a development team, it’s hard to have a grounded reality in how bugs become present, backdoors don’t get removed, etc. This doesn’t justify the problems in the first place, but you can’t create solutions without understanding the problems.
On the point of exposure, I am constantly asked what I’ve done to learn what (little) I realistically know. And my answer is… stuff. I’m not oblivious to the good fortune I’ve had with getting some of the strange jobs I’ve had. To give an idea of the exposure I’ve had, I’ll describe my professional journey.
My Professional Journey
First job ever was a bagger for a grocery store. I actually really enjoyed this experience, and got to see functions in lots of different departments over my 1.5 years doing it. I’m a HUGE fan of systems development, and seeing how people work within them. Grocery stores are an amalgamation of independent workshops that all have to work together. Produce and dairy are extremely different departments with their own management, workforce, inventory systems but there’s always crossover and cooperation with it and, say, the deli – a whole other independent workshop.
By the time I had left high school, I had an opportunity to assist a mentor of mine. He had taken over IT operations for a small law firm, and needed some help during the daytime as this was a side gig. This was my first exposure to a computing environment outside of a home PC. It was Active Directory, Exchange, phones, computers, laptops, etc. While only for 10-15 employees, I got a ton of exposure and was left to my own devices when I probably shouldn’t have been… but I made it through without bringing the company down!
Life kicked in at that point and I needed something real. I went through a couple call center jobs for the next year or so. As much as I despised the work, I appreciate the exposure. This was a massive volume, highly technical, gigantic moving machine. It is crazy impressive these systems are boiled down to the point that anybody off the street can be trained to point, click, and navigate through what are extremely complex tasks. As soul-sucking as the work is, from a technical perspective, call centers are crazy impressive systems to me.
Things Get Strange
Now begins a strange string of experiences. At this point, IT was still the most interesting technical field of interest to me. Science, construction, heavy industry just hadn’t found a way to appeal. IT was it for me! Being sick of the grind, I paved a way into IT. I had expressed my interest in social circles, and got a call from a brother’s buddy. He was doing some contract IT gigs with a buddy of his, and they were getting a bit more serious. They needed an office manager.
So there I was. In the middle of a podunk IT shop in some random, poorly traveled mall. The company owner was a technician himself, with anywhere between 5-10 other technicians working in an IT contracting platform to find work. I ended up being responsible for managing their work by finding, negotiating, accepting, and designating contracts. They were out replacing CRT monitors in cook rooms, running cables to 5th floors of buildings, wiring up new door sensors, etc. They were making good money, and I was getting just that much more insight into what the real world of IT consists of.
These guys were idiots when it came to technology, all respect to them. I was training them on how to do their job regarding technical subjects as some kid locked away in a repair shop. My skills were greater than this, but I wouldn’t say I deserved more. I also made some REALLY cool Minecraft buildings in my time there!
Somehow Know Some Things, See Some Places
So, how did I even get to this point? I’m honestly not sure. I’ve always just screwed around with things. I’ve never been a huge fan of coding, I never see myself becoming a programmer. But I’ve done a bit of it. I had set up simple service servers, or hosted a website. I was pretty handy with fixing my own stuff, and could understand systems pretty well. That’s basically it. I wasn’t writing programs, connecting legacy equipment, setting up full services, none of that stuff. I had taken a Linux+ course in high school, and a Network+ class. With both, I had at least some level of requisite knowledge before starting the classes.
I had no bragging rights. I had never created a cool program, or built a service. There’s technical ability in youth that blows my mind – look at the Minecraft host debacle. Those are all kids! It’s awesome, and scary! You can do better than me. You can have accomplished, and seen more, than I ever had by this point. I’m truly an idiot in so many ways.
But I’ve always been good at generally figuring out systems and finding a way to provide value in effort. Hands-on, I was hardly doing technical work outside of some laptop repair, or walking technicians through stuff on the phone. It was largely administrative. Creating spreadsheets, finding programs to track time and work, verifying payroll and staying on top of the techs to make sure reputation was upheld. Those are all things I would probably never think about without having had to do it myself.
And that’s a reality. People are having to do this stuff every day, without really knowing how. And it’s hard. It really, really is. No matter the platform or program, it will always take a level of simply ‘figuring stuff out’.
This became extremely obvious at my next gig. Eventually I got tired of the work, and I had a falling out with the owner. There was little integrity in what he was doing with his workers and I had no faith he would treat me better. I found an extremely odd gig taking a 6-month contract going around to State Farm offices and doing very basic tech work. It was replacing a server, the user PCs, a printer, as well as setting up a new NAS device. That was it!
I got to travel all over the state and work with agents who lived in the middle of the city, to rural cowboys with a tiny office in the corner of their basement who know all their clients by name, and see them daily. It was a TON of diversity but they all got the EXACT same systems, to a tee. This was very eye-opening and again, a wonderful exposure to the world!
Eventually the contract ended, and a decent paycheck for fun work came to a close. I got hired at an MSP (Managed Services Provider) doing entry level engineering/admin work. They focused on small government, educational, and medical clients. There was some interesting HIPAA stuff (I built a custom music streaming server for a client), but overall standard IT work. I only worked here for 4 months before being viciously thrown under the bus and voted off the island.
Browsing local job posting sites, I came across another odd opportunity. I interviewed for a customer service position at a local technology services company. They specialized in providing wireless equipment to large organizations, ISPs, ski resorts, etc. but also managed the business center for a local ski lodge and had developed a CCTV system for a remote mountain estate. I never answered a single phone call or email as a customer service worker.
Somehow I was immediately dumped into doing… engineering stuff? To be honest, the vast majority of my days were filled with me reading Reddit, forums, blogs, etc. because it was such a poorly run show. But, again, wow, the exposure! I did everything! I broke into that CCTV server since they lost the root password, and mapped out a diagram of their security cameras.
I created a PBX system to replace the phone system for a real estate office. Afterwards, I was roped into an 8-weekend project completely redoing the entire network for said office. There was also a contract to manage remote gateways for digital billboard companies, and we were responsible for uptime. So I got to mess around with Icinga (WHAT A NIGHTMARE OMG), and climbed a few of the billboards to mess around with their electronics. That was awesome! I met a guy who ran a wireless ISP and learned a TON with him, basically all of my early hands-on Linux was with him.
One interesting note about this workplace is that it happened to be a feeder for 2 of the best IT guys I know in the area. They hadn’t worked alongside each other, but very nearly did so, and both turned out to be amazing parts of the community. The company was in the grips of a death rattle when I was working there (extremely poor management, and a little bad luck), but it was an incredible shop in its legacy. I was given too much responsibility, but tried my best, and will always be thankful for the opportunity.
Experiencing The Boring World
Last but not least on my pathway here, is the QA work! A local company completely develops their own home automation gear – from the hardware on the controllers, to the drivers that bring in 3rd party devices. It was an INCREDIBLY interesting organization as it included absolutely everything from top-tier networks and technology in their backend, to supporting the users in their homes being able to simply turn on/off their lights at a switch.
There was a web services department, hardware QA, software QA, product QA, software development, in-house hardware engineering, marketing, sales, a full external training department, customer service, and dealer support. Each piece of technology was siloed. 1 group would work on the drivers for A/V gear, the other for lights and switches. One controlled all the media management, metadata lookup, all that fun stuff. But that had to tie into the backend of the service delivery, where web services came in. I got to work a dual role between deep in Linux and the product itself, and being a QA resource for web services.
Web services, as a term, meant absolutely nothing to me. The entire time I worked there, I was googling the definition to make sure I understood what in the hell was going on. I hate ‘developers’. There were maybe 2 developers on that whole team – the rest were coders. They took no satisfaction in the systems, understanding the underlying tech. They wrote their own code and pushed it, everything else be damned. That was a demoralizing aspect, but a true exposure of reality – people don’t have the will/time/ability to care about all of this stuff, and it’s okay! But don’t call yourself a developer… ugh. Rant for a different time!
One significant aspect of that team I got to deeply understand was TURN. These are systems that go into people’s homes. The systems are installed by dealers, using whatever infrastructure the end customer ultimately has at their home. Dealers, at the end of the day, are chasing a buck and can’t be relied on to truly do things in the best interest of the customer – such as configuring firewalls.
This I appreciated. Instead of relying on the techs to be able to configure the network properly, they bypassed it. These systems were super capable and obviously, people aren’t always home. There was a significant need to access them remotely to toggle lights, set a thermostat, configure a note, check on cameras, etc. So no firewall rules necessary! You traverse it. By the home controller setting up an initial connection with the company’s backend, there was a permanent channel that enabled poking the home equipment directly without having random holes in a firewall.
It was an extremely complex and awesome system. I still don’t understand most of it, but got to sit in a cube with the programmers a few times and see how they operate. I got to read & understand a full RFC, configure AWS buckets, work with programmers, see the development process and work in a gigantic, international corporation. Lots, and lots of reality experienced there. PQA was pretty straightforward – pushing buttons every day, poking around Linux, running test cases. It was largely boring work, but I got to see the underbelly of a beast! Super cool!
And that gets us to today! Phew!
Outside of my professional experience, there is another significant aspect of breaking into the security field.
In 2013, after years of looking bright-eyed at my infosec friends, I made the decision that security was the field for me. I had just attended DEF CON 21, and gone to a BSidesSLC. I was enchanted! I had never felt like I met a family of people until I got to go wild with a bunch of hackers. I belonged. It was comfortable, fun, and inspiring like nothing else!
I recall attending a talk at DC21 and not even knowing what SSH was. Shortly after, I was thrust into my opportunity building servers and systems. I learned real quick drinking from a firehose, and being left to my own devices! And I was still thirsty.
It just so happens that with DC21, there was a resurgence in life for DC801. We had a (small) hackerspace (801 Labs), were meeting up regularly, and I got to engrain myself in the local community just a bit more. Eventually that space moved to its current location, where to this day I return regularly for motivation and experience!
I would not be where I am today without this hackerspace. Even though it’s gone through its own transformation through the years, and its community has shifted, I relish every opportunity I’ve gotten from it.
One member got an amazing opportunity due to this community involvement. The offer was to come into a brand new security-focused startup, and architect out basically everything from scratch. He was only really known to the owners due to his outreach in the community, his reputation, appearing on panels, other cooperation with local security usergroups, etc.
At the end of 2015 I decided it was time to put serious effort into hopping over to security as a career. I had interviewed for a SOC intern position at a local company, and was given an offer for it. This would have been awesome! Except…
I got lucky. That member from the last section who got the opportunity to build out the company? He has been a friend of mine for years now, and of course, we met through DEF CON and the hackerspace. Said opportunity left him with the need to bring on someone to assist him with this monumental task. He sent me a message in IRC basically saying ‘DUDE ARE YOU READING CHAT?!?’ because he had put out a general “Hey anyone looking for security work?” message in our channel, and thought I would have jumped all over it.
Of course the 1 day I’m not idling in IRC incessantly. Argh. Well, I give him a call. I got a phone interview with him and the bosses, with an offer to come down the next Friday and meet at a rent-a-boardroom type business park. 2 years later, we’ve built out a 5-man SOC and he’s a devoted security engineer/architect developing solutions. We grew the company over 10-fold in that time, and learned a WHOLE lot.
And here we are today. I consider myself a tier 2 security analyst worth his salt, getting to work directly with logs and PCAPs all day to find bad stuff going on. We’re helping to define a whole new arena of cybersecurity services (MDR - Managed Detection & Response), making a meaningful impact to help protect businesses of all shapes and sizes from security issues. I knew absolutely none of this before starting.
What wasn’t necessary was a grizzled security veteran (we had my buddy for that!), but someone that can take complex issues and break them down into bite-sized pieces that you can manage to. We started with log analysis, and quickly picked up network threat sensors for an additional data set. We’ve worked with partners to create custom SIEM solutions, and helped other companies mature their product offering.
We’re in an incredibly interesting time! There are absolutely core problems to IT security that do not have realistic market solutions. Network monitoring is a mess and complicated/expensive, no company is doing heuristics well, there’s a million different endpoint solutions with SIEM a constant nightmare due to the nature of logs.
But this is reality! This is what every organization faces, big or small. And there’s a place for smart, devoted people willing to tackle complex issues. It is the upcoming generation of security practitioners that will be finding valid solutions to a ton of issues. And that upcoming wave needs to be diverse, and capable at all degrees – from people, to process, to technical.
At no time will you hear me upholding myself as smart – the name Dumby wasn’t given to me by someone who understood the meaning of dumb (they were 2 years old), but it was oddly fitting. I don’t really know more about any 1 topic than my peers, but I’m able to take a little bit of everything and find helpful ways to apply those bits. Constantly evolving, and learning. I try to consume news of all sorts, curate my own social media feeds for technical data, and build up networks I can lean on when I need more expertise than my dumb self can provide.
And so far, it’s worked wonderfully! That gets us to today, where this story ends. One day I’ll find an intra-passion, uncovering a path to becoming an SME on a particular technology or esoteric area of the industry, but this is not that time. I’ve continued down my path as a ‘Jack of all Trades’, and am constantly amazed by the wide and terrible world of IT. There’s a small chance I might be getting pulled into the arena of data analytics, which is daunting and awesome!
I want to thank you for reading this piece. I hope it helped expose some pieces of the puzzle that may be missing in your own life. I am always available on Twitter to bullshit more, maybe say something useful, provide advice.
Follow me at https://twitter.com/uncl3dumby