In this remote-first year of 2021, the infosec career rollercoaster thrills and charms like never before. However, to move in this direction as a junior specialist, you need to gain some new skills and a brand new line of thought. Cossack Labs’ senior security engineers are sharing advice about this path.
These basic principles and rules will help you drive through your infosec career safe and sound right from the start. Ready, steady, go! 🚀
📚 Hard skills 📚
Learning security can be as hard as doing it. “Eat the elephant one bite at a time, play the long game and move steadily and constantly”, they say. This universal principle works in infosec as well.
You need a lot of small steps and a plan. Here are the elements of planning that can add brilliance to your infosec career to-do list.
1️⃣ Understand how computers work
First things first: what distinguishes a good junior engineer from a bad one is knowing the basics.
Start upgrading yourself in computer science: 101 courses on computers, OS, network technologies, Linux/Windows administration, and programming will do nicely. With advanced computer skills, you will move faster and more smoothly into the next stage.
If you prefer books, get your copy of Security Engineering by Ross Anderson or read its chapters available online for free. This really huge book is both useful and entertaining, so why not let yourself get into a new profession with fun rather than blood, sweat, and tears.
2️⃣ Broaden the security horizon
Awareness is one of the main weak points of most entry-level specialists in information security.
Tune in to security vibes. Get an answer to the question “what do appsec and fire extinguishers have in common?”. Read through OWASP Top Ten, OWASP ASVS, OWASP MASVS, OWASP SAMM. Have fun with tasks like OWASP Juice Shop and move on.
The effective and time-saving way of systemising the knowledge is to take entry-level courses with certification, like CompTIA Security+, ISC2 SSCP, GIAC Security Essentials. They will help you get acquainted with the industry, its terms, notions, and concepts.
Skills that you obtain at this stage will serve you whether you go deeper into infosec or leave it.
3️⃣ Select your team 🔴🔵
At this point, it's high time to decide which team you are in.
Do you want to attack weak spots in systems, applications or infrastructure security? Alternatively, you can play for defence, analyze risks and threat models, and implement effective security measures.
Understanding how much you are drawn to red versus blue teaming is already a huge guideline for further development.
🔴 Red teamers look for weaknesses and vulnerabilities, testing the security of applications, infrastructures and systems. The work of the red team is to "touch, twist and wobble until it breaks," with varying degrees of consistency.
All other things being equal, it’s easier to become a decent red teamer than a good defender, because the feedback loop from your work is an order of magnitude shorter: "it either worked or failed."
In an offensive security specialist's journey, the Offensive Security Certified Professional (OSCP) course can be the first piece of mountaineering equipment in your infosec collection.
🔵 Blue teamers analyze risks and threats, design and implement security measures. This work involves systems thinking, the ability to represent complex processes at different levels of the technological stack, to see the "big picture" and to dig into details.
Note that defence is a harder, longer, and more complicated process where you have to pay attention to lots of details and keep a broad view simultaneously. Occasionally, it will demand some red skills as well. To succeed on this path, you need to work hard, solve more tasks, and gain extensive experience in as many projects as possible.
4️⃣ Look for an internship
Some specialities, like data security, require a very specific knowledge set—like understanding cryptography, crypto attacks and defences, and building crypto-based systems.
Since at Cossack Labs we build software for data security, all our engineers understand crypto. Recently we started running a closed crypto R&D internship🎓 program, and plan to make it public soon.
Quite an obvious tip: check out our updates not to miss an opportunity!
At the moment, our first interns are going through intensive crypto studies seasoned with lots of Rust programming. They learn to build and attack crypto primitives, work with cryptographic libraries, study cutting-edge crypto like zk-SNARKs, do research and present their discoveries, and get used to working in a team. Our cryptographers, software and security engineers support them during the whole program.
For a beginner security engineer, an internship can be a rocket ride to becoming a pro. We highly recommend searching for such an opportunity!
👩💼 Soft skills 👨💼
Infosec is not all about tools, it’s about people. This discovery will lead you to study psychology and people's behaviour. You will find astonishing things about “them” and yourself as well.
Soon, you might start feeling sad and annoyed about people, their risk management misfits and poor decision-making.
Be prepared to meet one day a strange aspect of the infosec personality: harsh criticism of others combined with protectiveness and “toxicity”. The more you learn, the more mistakes and flaws you will see in people close to you and far from you.
Technically, this is your job. Predictably, later, this toxicity can backfire on you.
Imagine this: “Day by day you search for vulnerabilities and really find them, try to mitigate them successfully or not, and have to address sudden security incidents as well. One day you win, another—not quite so.” This situation plays out over and over again, and this is frustrating.
Apart from purely technical issues, it’s worth paying attention to your personal mental health and well-being.
Run smarter, not harder. Sports, physical activities, enough rest and healthy sleep, contrary to expectations, can help you stay more productive in infosec.
Every long way can be a little shorter, eh?
If it’s in your style, here are some tricks:
❇️ Practice lab. Whether you are on the red or blue team, you need practice on a playground. From a $5 virtual server to a mini data centre in your basement—practice makes perfect.
❇️ Credentials. Don’t miss capture-the-flag contests and public playgrounds (for example, HackTheBox, Root Me, Cryptopals, CryptoHack). Some playgrounds have public scoreboards which might help you to get a job.
❇️ Certificates. Security certificates are a controversial topic, as they don't represent knowledge, but they might let your CV get through filters.
❇️ Internship. As we mentioned above, find an internship in a company that does things that excite you—and apply.
❇️ Conferences, talks, and blogs. The pandemic has made taking part in major security events much easier. You can cherry-pick the talks and get information first-hand at NoNameCon, DefCon, RSA, and the security tracks at InfoQ.
❇️ Podcasts: Defensive Security, Risky Business, Security Weekly.
❇️ Follow infosec engineers: @vixentael, @julepka, @9gunpi, and @CossackLabs.
Constant learning is a common thing in IT in general, and in infosec in particular. Here you have to accept the ever-changing technology stack and a life-long learning approach.
So, get ready to run really fast just to stay in place. Continuous and often radical change in this industry is the rule, and it demands that you keep up and grow with it.🕊️