Hacker to Security Pro! On the Shoulders of #InfoSec Giants

February 19th 2017
Author profile picture

@securitystreakAndrew Douma

Free stock photo, credit Unsplash.com

I want to do my part to demystify IT Security — to exclaim to the world that it is not rocket science! It turns out the trick is just to start. Start anywhere.

“If I have seen further, it is by standing on the shoulders of giants.” — Sir Isaac Newton

This article is for every aspiring cyber-security aficionado out there who stand on the shoulders of giants, on giants, on giants. You too can be a giant in your niche of the cyber security field!

www.securitystreak.com

About the Author

Andrew Douma is a vendor-neutral IT Security Professional. He performs professional audits, penetration tests, and risk assessments. He designs secure networks and engineers high-assurance systems in the Cloud.

You can connect with him on GoodReads, LinkedIn, Medium, and Twitter.

More stories by Andrew

Buying a professional penetration testing laptop for 2017 | Evaluating QubesOS as a Penetration Testing Platform | Finding the right exploit code| Antivirus in 2017: Why? Which? How? | Penetration Testers’ Guide to Windows 10 Privacy & Security | Full Disk Encryption with VeraCrypt | Securing an Android Phone or Tablet (LineageOS) | Password (IN)SANITY: Intelligent Password Policy & Best Practices

Early Beginnings

I fondly remember the day I convinced my mom to pay for my first “hacker book” from the bookstore. She had already bankrolled an addiction for Sam’s 24 Hour series by age 16 —but this book was next-level!

Once home, she facetiously told me: “Never get caught. We are financially responsible for you till you are 18!”. Knowing her now as an adult, I am certain it was followed up by a longer discussion about social responsibility, ethics, actions and unintended consequences.

The information security community as we know it today was still in its infancy when I started my journey in the late 90s. At best, it consisted of tight-lipped groups of computer scientists and unskilled skiddies (myself included) exchanging information on private message boards.

The written word enables economical transfer of the author’s knowledge to the reader‘s mind.

With time, more IT professionals entrusted their experience to paper and Google became a thing. Books replaced the ‘inaccurate’ and repetitive forum posts as my source of knowledge.

Learn how to Learn

A valuable lesson to learn is how you can keep up an accelerated pace without experiencing burnout.

“Most people overestimate what they can do in 1 year and underestimate what they can do in a decade.”
Bill Gates

The Learning how to learn: Powerful mental tools to help you master tough subjects course by Dr. Barbara Oakley was a catalyst for this.

Though the summary below is no substitute for the course itself:

It turns out the trick is just to start. Start anywhere.

Initially, you will feel a lot of anxiety and discomfort when tackling a tough topic — feelings my brain actively fights by switching my focus to strategic plans, client threat models, Internet puppies or Netflix shows.

A lot of Information Security Fundamentals can be tedious to master.

In the long term, much like dieting, the discomfort goes away and satisfaction returns in its place. Learning can be a positive experience!

You will learn about different thinking modes. Letting your thoughts wander (diffused-mode) and concentrating on things (focused-mode) at the right time.

It teaches you the importance of taking the time to rest after your studies, then coming back to them and recalling what you learned. You simply can’t cram knowledge into your brain all day and expect it to stick. Make remembering easier by using the free flashcard app Anki.

Research shows that revisiting and practicing what you learn a few days later is the best way to create and strengthen the synaptic connections.

Daily physical exercise and maintaining a vibrant social life helps your brain produce needed neurons. Sleep hygiene is equally important, as brains sweep themselves clean of toxins during sleep. It is even better to sleep right after your studies to fully benefit from your brain in diffused mode.

A few examples of what you will learn:

Chunking, memory recall, the illusion of competence, procrastination, routines, memory techniques, deliberate practice, perseverance, taking responsibility and effective test taking are a few of the topics you will add to your mental toolkit as you proceed on your journey.

“Frankly, though, I think most people can learn a lot more than they think they can. They sell themselves short without trying.
One bit of advice: it is important to view knowledge as sort of a semantic tree — make sure you understand the fundamental principles, ie the trunk and big branches, before you get into the details/leaves or there is nothing for them to hang on to.
Elon Musk

What works for me may not do well by you, but I submerge myself in a particular domain for six months — and use the knowledge gained for every project.

You will never finish exploring the mysteries of any Science. Focus on the underlying fundamentals and get ready for the future!

“A wise man knows, he knows nothing at all”

I aspire to maintain a 6-day a week learning routine (~1250 hours/year). Books, blogs, wikis, podcasts, video courses and plenty of practice with hands-on Virtual Machine & VPN labs.

For myself, this involves tackling that challenging 700+ page book while distracting my body with the gym’s elliptical. I have had reasonable success reading a few pages at a time on my Kobo H2O in between “recall” laps in the pool.

Having different tutors repeat the same fundamental principles in their own way has proven to be very helpful in making them stick. Building out a Wiki/knowledge-base of those lessons for later review has been a game changer — especially looking back over time.

Security Engineering — Building dependable distributed systems

To break something you need to be able to find the weaknesses, to find the flaws, and know where the mistakes are made.

A hackers’ edge comes from knowing how all the pieces interact within the bigger picture:

Book Cover, credits Prof. Ross J. Anderson

Available for free online this is the only book in recent memory that I have read cover to cover twice over. Professor Ross Anderson wrote its 2nd edition in 2008 — and they still use it for 3 courses at the University of Cambridge to this day. It is over 1000 pages, but don’t worry, the last 100 are referenced sources.

“Security engineering is about building systems to remain dependable in the face of malice, error, or mischance.” — Ross Anderson

It attempts to define what Security Engineering is and touches on Security UX, Security Theater, human interaction & psychology. It provides an excellent introduction to Cryptography and explains key digital and offline security concepts.

The author has real world experience, discusses a history of thrilling case studies, security successes, and failures — across multiple industries (aviation, banking, commercial, military, nuclear, etc).

This book gives you the opportunity to learn spot and avoid classic security mistakes — mistakes, which are so commonly repeated during the design and implementation phases of any IT project.

Operating Systems — Three Easy Pieces

I have managed to get ahead in security with a surprising lack of coding skills. As the son of a (loving) father, who deemed his son too social for “Computer School” — I never learned a programming language in an academic setting.

Despite reading several books on the subject, I previously failed to get excited about coding. It remained a mental hindrance until I received some good advice: Start by programming tools that speed up your daily routines — and read a book about Operating Systems (OS) fundamentals.

Coding is far more engaging now! As a visual/spatial thinker, it enabled me to picture what happens for every line of code I write inside the CPU’s registers, memory management unit (MMU) and how protocols are interacting with my hard drive/network.

Available for free online, Operating Systems is written by Professor Andrea Arpaci-Dusseau and her husband, Professor Remzi Arpaci-Dusseau from the University of Wisconsin-Madison. It served as a personal challenge to put the ‘learning how to learn’ lessons into practice. Buy it via Goodreads.

Book Cover, credit Profs. Arpaci-Dusseau

Though no substitute for reading the book itself:

Abstractions are fundamental to everything in computer science.

Abstraction makes it possible to write a complex program by dividing it into small and understandable pieces. It allows you to write a program in a high-level language like C/C++ without thinking about assembly, to write in assembly without thinking about logic gates, and to build a processor out of logic gates, without thinking too much about transistors.

A modern Operating System aims to provide high performance in an energy efficient way, with a high degree of reliability while protecting itself and programs through isolation. Every OS takes its physical resources, such as a Central Processing Unit (CPU), memory, and hard drive, and virtualizes them. It has to handle tough and tricky issues related to concurrency and store files persistently.

Three easy pieces: Virtualization, Concurrency, Persistence

Often an OS has to deal with misbehaving programs. Those that are either malicious by design or have bugs and by accident attempt to do something that they should not. Even seemingly simple things, such as updating a persistent storage device, gets complicated because you have to care what happens if the process crashes while writing data to disk.

Distributed systems are complex and cool. Protocols, the exact bits that exchange between machines, can affect everything, including how systems respond to failure and how well they scale.

I can highly recommend teachyourselfcs.com — this ops-class program and the Beginners.re website. For those starting from absolute zero, watch this Crash Course by PBS on YouTube and read either Code by Charles Petzold or Computer Systems: A Programmer’s Perspective.

Publishers

I spend too much money on books, but in all honesty, it has always been hit and miss. Some publishers will allow anyone to publish, and at times I am missing a prerequisite skill necessary to take advantage of the content.

That said, I have never had a complaint about a book published by:

Value for money wise, books offer a lot (even mediocre ones). Nowadays, I only buy the relevant classics for new domains I am trying to master. I heavily research the author before purchasing any new releases.

Big shout out to the free Community eBook series from Peerlyst!

Mind Maps & Cheatsheets

Mastering any Computer Science domain relies on your ability to improve your existing mental model. Books and courseware offer insight into someone else’s.

LAN Attack Flow Diagram, absolutely all credit @noperik

Developing that conceptual understanding of what is happening is more useful than trying to interpret a specific piece of code.

This process often results in useful Awesome-Awesome Lists, Mind Maps, and Cheatsheets.

A few worth mentioning:

Capture those Flags!

Without deliberate practice, the knowledge we gain will not stick. “Stop learning by watching the game, start learning by playing it.”

Not having heard something is not as good as having heard it; having heard it is not as good as having seen it; having seen it is not as good as knowing it; knowing it is not as good as putting it into practice.” 
Xun Kuang

InfoSec giants have written CTF field guides and taken the time to create vulnerable systems and sites you can legally hack:

Tackle these from offensive & defensive systems:

Once you feel comfortable, try your luck with a reputable bug-bounty programs and earn some hacker-lab money! This rabbit hole I will leave for you to explore.

Hackerlab

You now have an excuse to spend money on your hackerlab:

Start attacking those vulnerable machines! Depending on your threat model, you can use prebuilt VMs from sources such as Bitnami, OSBoxes, Trend Sigma, and VMware to speed things up.

Optionally, buy a Panda Wireless PAU06 for WiFi work: <$15 and the RTL-SDR Blog dongle for Software Defined Radio: <$25. @michaelossmann recently released a free course in Software Defined Radio (SDR)!

Information Security Domains

The domain of Computer Science ranges from theoretical (coding theory & methods, algorithms & data structures, etc) to the applied domains (architecture, engineering, security & crypto, etc).

If you are committed to becoming a security professional, there is a wealth of information for you to take in, just keep building out those mental models and deliberately practice with new tools. Remember, the trick is to start somewhere!

Full credit to Calvin & Hobbes

Everyone wants to be a “hacker” — few have the perseverance to gain the cross-domain expertise needed to become an “IT Security professional”. The skills you need to acquire come from hours of tedious, challenging and at times boring work.

You are likely to pick up a smorgasbord of “Purple” skills as needed, regardless of job title. Remember:Experience is something you do not get until just after you need it.Combine the scientific method with your awesome Google-fu and enjoy hacking life.

Languages of the world

Being Frisian — known for their war horses and fierljeppen —a people located in the Netherlands — English is my 3rd language.

Thanks to my mom (speech therapist), Cartoon Network, my friendly 78-year-old high school English teacher (who mostly had us read classic literature out loud), I was able to achieve bilingual proficiency early on.

Language tree, full credit sssscomic.com

Not every (far more) skilled hacker is going to have perfect fluency. I have met exceptional talent from all over: Costa Rica, Hong Kong, Italy, India, Romania, and Sudan — most of whom are at a disadvantage in Europe and the United States.

Keep this in mind next time you are handling a bug-bounty/report or interviewing a candidate. Their written and spoken word may leave room for improvement, but they might give your organization the edge it needs to ensure its future. There is a vast untapped talent pool out there.

Security/Risk Frameworks & Methodologies

I am hardly the only one aiming to contribute to the field of IT security.

Here is a list of organizations that are tirelessly working to improve industry & regulatory standards:

You should also be aware of the following initiatives:

Again, hardly an exhaustive list.

E-Learning

Though we all might wish we have the time and money to go to courses like these, there is plenty of quality courseware available for free:

WARNING: You are about to enter the world of for-profit cyber-training business models. Spend your money wisely.

I value the lab-based training provided by PentesterLab, Offensive Security, and eLearnSecurity. I am curious about HackDojo and CTF365 and have positive things to say about:

A great resource is the NICCS Education & Training Catalog.

Course materials and exams written by German/Russian authors are presumably audited by the Italian company, but eLearnSecurity’s courses & exams can at times leave you lost in translation. I recommend to only pick one recently updated course: PTP or MASPT.

Offensive Security’s courseware and limited-time lab exams are a rite of passage within the Penetration Testing community — but a common critique is that the materials are outdated. WiFu v3 at least is essentially an Aircrack-NG training.

I think it is safe to add the line: “Intro to…” before the title of any course. Mastering a domain takes both education and experience. I am not a fan of Udemy, InfoSec Institute, nor EC-Council.

University Degrees

Until recently, you could graduate in Computer Science and never have sat through a class on IT security — let alone have the ability to graduate with a specific Cyber Security specialization.

For those aspiring students:

As always, a search engine is your “friend.

Certifications

Certifications by Offensive Security are well respected within the Penetration Testing community. CREST certifications are a requirement for anyone in the United Kingdom /EU— and they are expanding internationally.

Challenge any SANS GIAC cert for $1250 or pay $6000 + $690. With vendors doling out CPE credits to sit through their webinars, my main objection against the ISC2 business model has dissipated — though their experience requirements are stiff. I have also heard good things about Mile2 certs.

CompTIA offers great introduction level certification. CISSP ($600) is “a mile wide and an inch deep” — ridiculed by the tech-savvy and cherished by HR. CISA and GSNA offer a solid introduction to technical IT audits and Risk Management practices.

Mini-certs by Cybrary.it and technical certifications by SecurityTube, PentesterAcademy, and eLearnSecurity serve as proof of much needed practical skills and should not be underestimated. Enterprise vendors and service providers offers their own product-centric certifications.

Personally, I value absorbing the knowledge from the courseware and putting it into practice asap above obtaining the certification. Mostly motivated by the economics of time and money.

That said, I did sign up today for 90-days of OSCP and considering pursuing TOGAF9 this year.

Join the community!

Discover a welcoming InfoSec community on Twitter and LinkedIn. Visit local events in your country and get involved!

Join Peerlyst and sign up for the SANS DFIR and GPWN mailing lists. Stay open to new ideas and give back to the community when you can.

Read, read, and read more! You will not become a real expert inside of class nor on the job. Try things out, write some code, and break some systems. Start today!

Do you have any advice? Corrections or additions?

Please do not hesitate to reply! Feel free to share your experiences, advice, and questions in private or through the comments section.

Click the ♡ to recommend this article.

Comments

Tags

The Noonification banner

Subscribe to get your daily round-up of top tech stories!