One of the most asked questions we have gotten since we started PaulDotCom is: "How do I get started in information security?". This is a great question, and the following guide will get you started:
- Be curious - The first and most important characteristic you need to succeed in information security is curiosity. I have to say that I started by being curious. I was 7 years old and I took a class on how to use an Apple IIe computer (back then you had to write programs to make the computer do anything). I remember sitting in front of the Apple IIe (my parents eventually bought one) and staring at the glowing screen and the green flashing cursor, just wondering what I could make it do. I watched the movie "War Games" and wanted a modem so bad, but my parents forbid it, saying that I would cause global thermo-nuclear war (I told them I only wanted to play chess, but they didn't believe me). I guess that's part of your homework, go back and watch two of the best hacker movies on the planet, "War Games" and "Sneakers".
- Work in information technology - Most people I encounter who want to get into information security want to know, "How do I become a hacker?". I don't think its something that you become, I think its something that you are, coupled with something that you are shaped into. The best information security professionals are those that have been "In The Trenches", working as a help desk technician, systems administrator, or network engineer. Working in these positions will gain you an understanding of how things work, which lays the foundation to learn how to break them and make them do things they were not intended to do.
- Setup a home network/lab - First, setup a home lab. VMware makes free versions of their software, and there are thousands of pre-configured virtual hosts available on their web site. Don't just focus on setting up security tools either, try to setup a file server using Samba and lock it down (for example). This exercise can provide valuable experience. For example, I was on an interview once for one of my first UNIX systems administrator jobs and they asked me if I had experience with NFS. I said, "Sure do! I run it at home." They looked puzzled at first, but when I could answer all their technical questions about NFS, they, well, hired me. I also brought pictures of my computers at home to the interview. Now, I don't recommend that, but its one of those funny interview stories and it happened to work for me. However, it could have very easily had the opposite effect.
- Get involved with local groups - This is a great place to meet people in the field, exchange ideas, and ask questions. Its important to network as this is most likely how you will get a job in the field! Local groups in my area, for example, include 2600, defcon (DC401), Linux user groups, and several others. Also, there may be a "Hacker Space" in your area as well, so be certain to find one and participate in it. If there is no group of any kind in your area, then create one!
- Go to conferences - Defcon is one of the larget conferences on the West Coast, and Shmoocon is a popular conference on the East Coast. This is another great place to network and there are several smaller conferences all across the country (such as NOTACON). SANS is a great place to learn and network, but most starting out in the field may not have an employer who will pay for training. There are many options, such as SANS @home online training or becoming a facilitator for SANS.
- Read blogs & listen to podcasts/webcasts - There is so much information on the web about our field that it is overwhelming. While you may specialize on certain systems or technologies, you need to have some level of understanding in all areas on technology. Keeping up with all this can be a full-time job in and of itself. My suggestion is to use an RSS news reader and subscribe to as many technology and security related resources as possible. Need some help getting started? You can download all the feeds from here and import them into your RSS news reader. Podcasts are free, and iPods are very cheap now, so you should be listening to podcasts. Of course we produce our own weekly show called PaulDotCom Security Weekly, and this thread in our forum discusses many of the other great podcasts on the net. Webcasts are free ways to get good information, and are available from SANS, Whitehat World, and many others.
- Take training classes and get certification - We've talked about SANS already, and there are several other places to get great training. Backtrack is a great security live CD distribution (also a great place to start for beginners) and its associated training classes have gotten great reviews. Don't shy from certification, but don't spend too much time getting certifications to pad the resume. Strike a balance - get a few certifications and see where it takes you, then spend some time and resources getting real-world experience. Get involved with an open-source project - even if you may not feel like you have the technical chops to participate in many open source projects. That's okay, if you are good at writing documentation and/or testing, you can be a valuable resource. This tack gets you familiar with the technology and gets you networked in the field.
- Socially Network - Not only are social networks fun to hack, but they are one of the best ways to network in the field. Twitter has become a great tool for this, and even has the "Security Twits" group consisting of security people using Twitter. They have meetups at various conferences. Facebook and LinkedIN can also be valuable networking tools to help you meet people and find a job.
- Write about stuff - A great addition to your resume are publications. Find a topic that you like and write something on it and submit it to various magazines and online resources to get published. This is looked upon favorably by employers, and gives them writing samples as well. Also, have a blog. Blog about stuff that you do, what you think about security, etc... If you keep it focused on security, you'll be in good shape. If you start blogging about farm animals and creamed corn, it may not be as useful. For examples of some of the things we have written, you can check out the papers page. For examples of presentations, see the presentations page.
- Manage a machine that gets hacked - I know this sounds strange, but many people we interview say they got their start when their machine got hacked. This is not to say that you would let a machine get hacked (be careful if you plan to do this and setup honeypots/honeynets), but this can provide valuable experience and further motivate you to explore the field of information security.
I want to thank the members of the PaulDotCom mailing list for sharing their ideas and thoughts on this subject. You can read the full thread in the archives that inspired this post.