Wednesday, August 17, 2016

Hacking the Learning Process

Working in information security sometimes feels like drinking from the ocean through a fire hose. The more I learn, the more I feel like a newb and realize that I've only found the tip of the iceberg. It takes a lot of passion for the subject to keep studying and doing hands-on labs day after day without burning out.

The idea for this post came to me when I recently answered a Reddit post asking about how we learn about security. There's so much to learn that many people don't know where to start because it can be overwhelming. In my case I have a hard time staying on track once I start learning something because I keep finding another thread to pull and start unraveling the fabric of a related subject.

I'm going to share what's worked for me over the years that I've served in the military and worked in IT. Over 20 years ago I was an Undesignated Airman in the Navy, meaning I didn't have a formal training school for a rating (or MOS in other branches). In order to take the test for Aviation Electrician I had to digest a stack of books called the Navy Electrical and Electronic Training Series (NEETS) that was about a foot tall. Through the years I had to study an even larger stack of manuals to be advanced in rank. After the Navy, the study habits that I am going to outline here helped me to earn various IT and security certifications including OSCP, OSWP, CCNA, CCA, and Security+.

Start with a written plan. In the case of information security, there are so many things to learn that it's easy to feel overwhelmed. Think about your knowledge and skills gaps and write down your plan of study. If you're working on a certification, decide how long you think it will take to cover each section of the study guide and set an exam date. Book the exam right away. The sense of impending doom will help you to stay on track. If something comes up that delays taking the exam you can usually cancel or reschedule if you contact the testing center in advance.

While studying, find a quiet place where you can read out loud without bothering anyone. I've found that reading out loud leads to better memory retention, most likely because of the increase in neural connections required to speak it vs. only think it.

For memorization write out flash cards. Again, the extra step of writing it down seems to lead to better memory retention vs. only reading it silently. As you flip through the stack of flash cards, remove any cards from the stack that you can easily answer. This leave the more difficult cards that will be reviewed more often. Repeat the process of reviewing the stack, removing cards that you can easily answer until you have removed every card. Then repeat the process by reviewing the whole stack again.

For hands-on learning, write a lesson plan as if you're going to teach the subject to a complete beginner. Create a PowerPoint presentation with screenshots as well as any commands that need to be run to use for the next step. Finally, install screen cast software and record your screen and voice while giving your presentation. While you review the video it will be easy to spot where you had problems or things went awry. Work through the issues to refine your presentation and then create a new screen cast. When I'm working in VMware doing security labs to learn new things I like to put screenshots and commands to run in Microsoft OneNote and use those notes on a second screen to work through my screen casts. If you work in a role that presents to customers or groups, a screen cast or web cast can help you to refine your speech and visual presentation. Recording screen casts is something I've only recently starting doing in order to prepare presentations for a local security meetup group.

What are your tips to hack the learning process?