Rant: Community is King

So I don’t think I’ve ever done a rant blog post, and to be fair there is no real reason behind this I just started thinking about it on the way into work (which is about a 10 minute drive). Shall we begin??

DISCLAIMER: I apologise in advance for any bad language used during this rant or the excessive use of “”.

A couple of weeks ago I had reason to tell someone (over email) a little about myself in an attempt to “sell” myself. It’s not something I like doing but sometimes you just have to. It made me realise that during the last 18 months that I’ve been “trying to get into Security” that I’ve actually achieved a lot so I hope this rant will help people who are in the same situation as me.

Community is King???

This time 2 years ago I would spend most of my downtime playing computer games, call it a lack of motivation, laziness or whatever but that’s what I did, then with some gentle pushing from my nearest and dearest I decided to start using my time to learn and develop. When you start with the goal of “breaking into Security” many people point out that the key to success is “the community” and it’s true but that can be the hardest challenge. If you don’t work in Security then some people will tell you it’s just a hobby and maybe they are right or maybe that’s just bollocks, it’s for you to decide and ultimately turn it into anything you want.

I’ll let you into a secret, I started this blog for 2 reasons, the first was to keep a record of what I’ve done and allow me to pat myself on the back for the number of visitors I get, the second was because I wanted to get noticed, I hoped that over time people would read my blog, follow me on twitter and allow me into their circle of InfoSec friends and maybe if I was lucky I might end up with a job out of it. Then I realised something, and some people might disagree but it’s my blog not yours..

“You don’t have to work in Security, to be in Security”

Not really groundbreaking is it but it’s important because well it’s the point of this post. Over the last 18 months I’ve done a fair few bits and pieces for “the community” I’ve met some awesome people, done some awesome things and have even more awesome things on the horizon and 98% of that was from the community. If people tell me Security is just my hobby my first reaction is to tell them to “do one” because I have hobbies and they don’t consume the amount of time I put into projects, blogging, helping with events. Hobbies don’t consume your time like this does, they don’t push you to go further, learn more, make yourself better and give you that feeling that you can make a difference. This isn’t a hobby, it’s not my career either but doesn’t make it any less, it’s part of who I am and always will be.

So if you are just starting in Security and find yourself a little unmotivated because you can’t find that dream Security job or you are finding the community a bit “cliquey” here are my top tips:

1. Write it and they will come – Remember that awesome blog post (not this one) you read about the latest exploitation technique? Or that tool you used? Someone took the time to write that and then out of the goodness of their heart gave it away for free to YOU. Don’t you think it would be nice to repay the favour?? Seriously if you just start writing code, making videos or writing articles people will find them, share them and slowly over time you will find yourself more involved in the community than you ever expected.

2. Twitter isn’t just about your latest bowel movement – Follow people on twitter, it’s a good way to find people who post all that useful stuff you read. Interact with them by all means but remember this.

To start with they will probably ignore you, won’t follow you and generally see you as noise on their timelines, but give it time and slowly you will get there. I get more followers from Twitter from blog posts/code release than just by talking to people, and just accept that some people are very picky about following back or even replying back if you mention them in Tweets.

3. You’re never alone – In the UK there aren’t a lot of conferences, CTF events and only limited events, if there isn’t anything in your area then start something, you want to be part of the community then sometimes you have to make it happen. If you want to organise a monthly Security focused meeting in your area then do it, don’t let people tell you you can’t, because well you can. Even if only 1 other person turns up that’s 1 person you didn’t know who shares the same interests as you (unless it’s your mum).

4. It’s up to you – If you want to make Security just a hobby, then that’s fine. If you want to make it a career that’s awesome but it’s up to you to decide and more importantly it’s up to you to make it happen. Don’t let other people label what your passions, dreams or ambitions are, they are yours and no one else’s.

OK that’s the rant over with. Thanks for listening.

6 thoughts on “Rant: Community is King”

  1. That didn’t come across as a rant; but an encouragement.

    I recently began on the path to cyber-security enlightenment because I needed a constructive hobby, but it becomes a time vampire. I think that’s because the more you learn, the more you realise you don’t know, and the hungrier you become. It’s quite odd. I’m quite embarrassed by how ignorant I am, but can’t let that deter me. I remind myself that surely everybody was in my place at one time.

    I think, for me, in terms of “the community” it’s about having those experienced folk pointing me in the right direction and giving tips and so on. I’ve had to figure out literally every step of the way so far, with loads of wrong turns and dead ends, which I know could be avoided with “mentor” type folk. But then again, why should I expect folk to freely give of their precious, hard-earned, time and knowledge.

    I have no idea where this “hobby” will lead. If I’m honest, in the back of my mind, I hoped that sometime in the future I might become skilled enough to make something of it, but we’ll see.

    I’ll stop rambling there, but thanks for the post.

    • Hi Stuart, thanks for taking the time to read the post and comment on it (doesn’t happen that often..).. 🙂

      So I am by no means an expert but I would be more than happy to help you with some direction, I won’t use the term “mentor” but that sort of thing. Failing that if you can tell me what sort of area you are interested in I may know someone who might be able to help?

      It’s an open offer so just let me know.


      • Oh man, that’s kind of you.

        I wrote a short blog post on “Where I’m at” a week ago.

        I want to know if I’m on the right track with learning Metasploit, Ruby Programming and OWASP’s Broken Web Apps. I’ve just begun reading the 1000 page “Wireshark” book which is heavy going for a noobie, especially as it’s akin to putting everything under an electron microscope.

        I wonder if I’m on the right track, or have bitten off too much and should specialise, or if I’m missing something vital, or this is about right for my stage.

        It’s difficult for me to know.

      • So first off there is no right or wrong answer, method, approach it’s whatever is best for you. I will tell you a couple of things I did that might help.

        1. Now this is the tricky part, try and work out what you want to get good at, i.e. pen testing, web application, malware, forensics. If like me you don’t know (no shame in that) then I would suggest some of the following (again remember this is just me).

        A coding language, I picked Python, you’ve picked Ruby. No shame in that, go with what you like. I find that I learn better by doing than reading, so start writing code for things that already exist, such as a port scanner, little things like that will help in other areas.

        General offensive security techniques – Metasploit is good, download the Metasploitable VM and work through that. There are guides online of how to get access. The key is enumerate, enumerate, enumerate, then ATTACK!! 🙂

        Networking – So unless you want to be a CCIE don’t get too hung up. Wireshark is good, 1000 pages is overkill I would suspect for you at this stage. Learn how to use Wireshark and try and focus on learning the common ports, and traffic types. A good way is just to run Wireshark on your machine for a while and then have a look at the output. Don’t expect to understand it all at once.

        2. Create a training plan, work out all the stuff you don’t know and then create a plan to help you focus. Somewhere in the depths of this blog is a post about it.. Now that being said I wrote a training plan and then ignored it, but the point is that it helped me work out my weak areas.

        3. HAVE FUN!!

        4. See number 3

        Honestly if you aren’t enjoying it then you will eventually give in. Don’t get tied down to one area, I’ve gone through offensive, wireless, web, forensics, coding and then back again. Each area will teach you things that you can reuse.

        I’m happy to talk more over email if you want.


  2. I’m in that same position whereby I don’t know what I should specialise in. I suspect that would help, but I do love to have a look at everything. I haven’t touched forensics or malware, but am keen to know more about them (especially forensics)

    I never knew there was a Metasploit VM out there. Will get on and download that!

    Love the idea of coding something simple in Ruby, I’ll look at port scanners. You are right, there is only so much you can learn by reading without actually building something.

    And your comment re having “fun” is poignant to me. I got to the stage last week where it just felt like an impossible mountain to overcome and I lost the fun of it and so took a week off. I’m one of those folk who have to enjoy something or I lose interest.

    I do love the way you’ve bounced around the different specialities.


  3. Haha, what a rant. Found what you had to say very interesting, and it is making ME actually do something to get into IT security. Thanks for the kick in the butt to get my act together. The community is just as hard to break into here in South Africa. Will not let that deter me.
