Getting started in Infosec
By Greenjam94
On Wednesday April 10th, Misec Lansing held a panel to discuss getting into infosec. Four members of the infosec community shared their stories and advice. I was honored to be on the panel with three others: Kyle Andrus, Melissa Terwilliger, and Brian Martinez. Check out the recorded presentation below to see everyone’s answers!
Transitioning from other disciplines to infosec, how should it be done?
There is no wrong way to get into infosec. Melissa, one of the other presenters, said this well. I didn’t have to transition far: I was a developer at first and moved to application security. She’s worked with people from a large range of backgrounds. Infosec covers a wide range of fields, as the image below shows.
What’s more important, technical proficiency or soft skills like emotional and social awareness?
A consistent answer across the panel for this question is that technical skills can be learned on the job, but a good base in soft skills is important to have from the start. Being able to communicate with your coworkers, explain a plan, or rephrase something that didn’t make sense the first time is invaluable. There’s also written communication. Writing proficient emails, reports, and documentation is very important as well.
If you’ve been to a security conference, you’ve probably heard the golden rule “Don’t be a dick”. That stands true in the professional world as well. Empathy and treating people well are key. Security teams working with their users need to be able to express why controls and restrictions need to be in place. We’re all on the same team, working to better secure our assets; it’s not security vs. usability.
Handling stress and being able to get through work is also important. Security can be a fast-paced, high-stress world. Preventing burnout and keeping your wits will keep everything running smoothly.
After landing your first infosec job, how can you find a path forward?
When people ask me how to learn about hacking or how to get into infosec, I tell them to research the basics, listen to all the stories you can, and learn the differences between the domains in the image above. Once you land a job, whether that’s an analyst position or a developer, there are ways to improve security from that position. Strive to be an innovator and never stop learning. Share your intentions with your manager; one good way to ensure that happens is by setting up one-on-one meetings.
Consider speaking at conferences and at local meetups. Networking at events like these can be inspirational and huge for helping you find next steps on your career path. Also, being able to speak well on a topic is proof that you really understand it.
Certifications, are they required?
I made a joke at the panel saying yes, certifications are a requirement. However, that’s not really the case. Someone with “alphabet soup” after their name (a term for people who list their many certifications after their name at every opportunity to be seen) isn’t any more valuable than someone who can show resolve and the willingness to learn.
Certifications and training exist as a method for people who want to learn more and challenge themselves. I should also point out that not all courses are created equal. Some positions require certain certs, so depending on the path you choose, some training may be required. I recommend you chase the training that will lead you down the career path you want.
What are some ways people in the security industry are making a difference in the world?
A common goal for the industry, no matter what domain is chosen, is to protect individuals and companies. For example, Lesley Carhart recently shared concerns about apartment managers using smart locks and the risk of using technology like that. The security industry really boils down to asset protection, whether that be people or their property. We’re all trying to make the world a safer place.
What is one piece of information you would give to someone starting out?
Start a blog. Record your progress and share what you learn. Blogging is a great way to remember what projects you’ve been a part of while providing a record of your achievements and contributions.
A blog is also a great way to manage your own website at a small scale: you get to experience setting up and securing a web server, balancing accessibility with security, and dealing with project management to keep a content schedule.
What are some good resources for people who want to dive deeper?
First off, the best thing you can do is grow your network; get connected with local professionals around you. The best way to do this is to find a local group like #misec in Michigan. If that’s not possible, conferences are also a great start. Go to them; a few of my favorites are Defcon, Shmoocon, and especially Grrcon. Tickets can be out of your price range, so consider volunteering and splitting a hotel room with friends. Infosec Twitter is also an amazing resource; a lot of great people in the community are very active online.
There are a few podcasts/webinars I listen to, but many more could interest you too; look around and start listening now. Also check whether these groups have a Slack or Discord set up; that’s a great way to get in touch with active members of the community.
- Exploring Information Security (Tim De Block)
- Brakeing Down Security
- Thugcrowd
- Misec streamed presentations
I’m a developer turned AppSec engineer/pentester, so I’ll list the free products that got me started. I hope you’ll take a look at these if that’s the path you want to take as well.
- OWASP
- Vulnhub
- Metasploit
- Professor Messer / CompTIA Security+ study material
- Hack The Box
What are some common misconceptions about infosec? How can we combat these problems?
You will hear the terms red and blue to describe different parts of security. Despite what the movies say, professional red teamers are not out to destroy their clients and get all the money. Everyone involved in security has the aim of protecting their clients; some build defenses while others verify those defenses actually work as intended.
Also, no, we won’t hack your ex’s Facebook account. Not only is that illegal, it’s probably not even a skill most people in infosec would know how to do. Facebook has been around long enough that their systems have been pretty well tested over the years.
To avoid these stereotypes, I think the best step is an extension of user education. Share with people who ask, and politely correct those who say something incorrect about your position or career.
What is the biggest challenge you face in your position at the moment?
Knowledge and experience are my personal challenge. I constantly feel like there’s more I need to know before I can do something. The longer I’m in the field, the more I realize I just need to swing for the fences when I have the opportunity in front of me.
One of my major career goals is to get to the point where I can help my company at live training events. I want to be able to help those like me who have the desire to become hackers but aren’t really sure how.
**Uploaded late: Turns out I never hit publish, sorry all!