Thursday, July 14, 2016

How to break into information security

I'm including an email reply I just sent to another grad from ECPI, my alma mater. Please note that a degree isn't a requirement to get into infosec. The person who emailed me is a recent college grad.

It's not easy getting directly into an IT security job after college without having related experience. The two most common routes to security that I see are experienced developers or experienced system administrators. The reason is that it helps to be an experienced developer to be able to spot code flaws, or to have experience in how systems are supposed to be configured in order to spot vulnerabilities due to misconfigurations.

My recommendations:

Get the Security+ certification if you don't already have it. My security team at CHKD has a desktop support tech that moved onto the team only after getting Security+ certified. Also there are many DoD/Contractor jobs in this area and they require a minimum of Security+ to get hired.

I recommend getting a job as a systems administrator and making it known to your employer that you are interested in security, so that if there are any related tasks you can take on, or a lateral move onto a security team becomes available, they'll think of you. Once you have documented job experience on your resume related to security, it will be easier to move into security. Last year when I started applying for security jobs I had a LOT of general IT experience, but I listed all of the security-related stuff on my resume and left off everything else. Working as a system administrator you'll most likely get job experience working with firewalls and other security technology that you can put on your resume, which will help you when you apply for security jobs. If you can't get into a security job right away, keep pushing towards security in whatever IT job you can get.

Decide on what specifically you want to do in IT security. The network security field has a lot of specialties. Check out Lesley Carhart's blog posts on "Starting an Infosec Career". My reasoning is that there are different paths and certifications depending on what you want to do. Her blog posts talk about what each job is like and how the people quoted in the article got into those jobs.

Other things you can do that will show enthusiasm to prospective employers:

  • Start a blog about security.
  • Join a security related meetup group. I run one (757 White Hat Hackers) and I attend meetups at another local security group. Both groups have people in attendance that are trying to break into security. Our meetings are a great way to meet others, ask questions, and network.
  • Use virtualization software like VMware Workstation Player or VirtualBox (both are free) and do security related labs in your spare time and blog about it. My VMware lab has a virtual firewall (pfsense) and various Windows and Linux servers that are vulnerable to various exploits and I use it to practice a lot in my spare time.
  • In your virtual lab, download vulnerable virtual machines from and work on hacking them. Blog about them, post your walkthroughs, and include how to secure the same systems that you hacked (legally in your virtual lab, of course). If you work on virtual machines and don't know what to do with them, read other people's walkthroughs until you get the idea.

Go to security conferences, like the smaller regional BSides conferences and volunteer ahead of time. You'll meet a lot of people in infosec that way and they encourage volunteers and one of those people you meet may give you a break. If you're a volunteer you usually get in for free.

If you want to get into penetration testing, look into Offensive Security's Pentesting with Kali course and the certification, OSCP. I earned the OSCP and OSWP certs last year before I got my current job. Even though this job wanted someone with a CISSP cert, which I don't have, they were impressed with my OSCP cert and it helped. Even if you don't have job experience, if you have OSCP cert then that proves that you can "hack it" because there's no question and answer multiple choice test. It's all hands on hacking in a lab environment. There are companies that hire people to be penetration testers without experience if you have OSCP cert, but be prepared to relocate for those jobs. After you have enough experience in pentesting you can usually work remotely from anywhere, but as a newb they will want you to work onsite.

Learn how to write code and how to break it. If you can discover and publish a CVE in your name it could make you famous in the industry.

Get a github account and start publishing code and you can also contribute to other people's open source projects. I've published some Python scripts on my github account, some of it related to security, and I've also contributed to other people's code. Python is a good place to start as most infosec jobs will expect you to be able to write Python and PowerShell code.

Get involved in CTFs, Capture the Flag events where you hack into vulnerable systems as well as defend your own system during CTF challenges. You can do them remotely from home as well as attend CTFs at security conferences.

All of those things I've mentioned above are what employers look for in a candidate because it's not just about what you know or have done, it's also about showing enthusiasm and drive.

Check out infosec forums on Reddit, but make sure you search other posts and read the sidebar guidelines before you ask questions. People get a little harsh when you ask the same questions that hundreds of others have already asked and you didn't bother to search and read first.

Best of luck and feel free to stay in touch and ask questions.