Diving into the Deep, Dark Waters of Information Security
Graduation day is quickly approaching. In three weeks, a six-year academic journey will come to an end for me. But my journey into Information Security, and the sub-disciplines of the field, certainly didn’t begin with university, and will not end with it. Along the way, I’ve come across some truly remarkable – and highly useful – resources. Resources that I’ve used not only in the academic environment, but also in professional and personal environments. This post aims to pass on those resources to you, and help you navigate the deep, dark waters of Information Security as you take your first dive into the field.
Reading List
These books are listed in no particular order, other than topical categorization.
- Penetration Testing, by Georgia Weidman.
- The Hacker Playbook 2, by Peter Kim.
- Metasploit: The Penetration Tester’s Guide, by Dave Kennedy, Jim O’Gorman, Devon Kearns, and Mati Aharoni.
- A Bug Hunter’s Diary, by Tobias Klein.
- RTFM – Red Team Field Manual, by Ben Clark.
- Defensive Security Handbook, by Amanda Berlin and Lee Brotherston.
- The Web Application Hacker’s Handbook, by Dafydd Stuttard and Marcus Pinto.
- Threat Modeling: Designing for Security, by Adam Shostack.
- Android Security Internals, by Nikolay Elenkov.
- Wireshark 101: Essential Skills for Network Analysis, by Laura Chappell.
- Counter Hack Reloaded, by Edward Skoudis.
- Kali Linux Revealed, by Raphael Hertzog, Jim O’Gorman, and Mati Aharoni.
Digital Forensics, Incident Response, & Malware Analysis
- EnCase Computer Forensics: The Official EnCE Study Guide, by Steve Bunting.
- Electronic Crime Scene Investigation: A Guide for First Responders (2nd Ed.), by the U.S. Department of Justice.
- Incident Response and Computer Forensics, by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
- The Art of Memory Forensics, by Michael Ligh, Andrew Case, Jamie Levy, and Aaron Walters.
- Windows Registry Forensics, by Harlan Carvey.
- Windows Forensic Analysis, by Harlan Carvey.
- Practical Malware Analysis, by Michael Sikorski and Andrew Honig.
- Practical Reverse Engineering, by Bruce Dang, Alex Gazet, and Elias Bachaalany.
- Practical Packet Analysis, by Chris Sanders.
Software Engineering & Security
I am only going to cover Python, C++, Java, and Go, as these are the languages I am fluent in and/or have studied.
- Black Hat Python, by Justin Seitz.
- Gray Hat Python, by Justin Seitz.
- Violent Python, by T.J. O’Connor.
- Learning Python, by Mark Lutz.
- Learn Python the Hard Way, by Zed Shaw.
- Automate the Boring Stuff with Python, by Al Sweigart.
- The C++ Programming Language, by Bjarne Stroustrup. (Yes, that Bjarne Stroustrup. The creator of C++. There is no better C++ book than this, and I’ve read many, as C++ is my primary language. Highly, highly recommended.)
- Introduction to Java Programming, Comprehensive (10th ed.), by Y. Daniel Liang.
- Java: How to Program (10th ed.), by Paul Deitel.
- The Go Programming Language, by Alan Donovan and Brian Kernighan.
Intelligence & Criminal Justice
A select group of individuals will also enjoy these readings.
- Psychology of Intelligence Analysis, by Richards J. Heuer Jr.
- Routledge Companion to Intelligence Studies, by Routledge.
- Allen Dulles’ 73 Rules of Spycraft, by Allen Dulles.
- Criminal Psychology: A Manual for Judges, Practitioners, and Students, by Hans Gross.
- Unmasking the Social Engineer, by Paul Kelly.
- The Art of War for Security Managers, by Scott Watson. (Side note, check out The Art of War by Sun Tzu, as well. Oh, and The Thirty Six Stratagems.)
- The Art of Invisibility, by Kevin Mitnick.
- The Art of Human Hacking, by Christopher Hadnagy.
- Operating Systems: Internals and Design Principles (8th Ed.), by William Stallings.
- An Introduction to Mathematical Cryptography, by Jeffrey Hoffstein.
- Cryptographic Engineering, by Niels Ferguson.
- The Confidence Game, by Maria Konnikova.
- Steal this Computer Book, by Wallace Wang. (Please don’t actually steal it.)
- The Linux Bible, by Christopher Negus.
- The Linux Command Line, by William Shotts Jr.
Resource Centers & Online Reading
In addition to the textbooks listed above, there are many great resource centers and online outlets for Information Security content. Like the textbooks, these are listed in no specific order.
- The Information Security Reading Room
- The Internet Storm Center
- SANS’ DFIR Blog
- SANS’ Penetration Testing Blog
- SANS’ Newsletters
- The NIST Computer Security Resource Center
- NIST’s Special Publications
- NIST’s Drafts for Public Comment
- Krebs on Security
- Dark Reading
- Ars Technica
- Network World
- SC Magazine
- Lenny Zeltser’s Blog – an excellent Malware Analysis blog.
- ZDNet: Zero Day
Another excellent outlet to keep your eye on is Humble Bundle. Humble Bundle is a fantastic place to get great content whilst supporting charities that you care about. They do not always have IT/CS/IAS-oriented books up, but they do on occasion, so make sure you keep a watchful eye out.
The Information Security Community
Who to Follow on Twitter *
The Information Security community is vast, with plenty of people who are worth keeping your eye on. Learning from other people – experts in the industry – can be one of the most beneficial approaches you can take when first getting your feet wet in this field. Whilst there are simply far too many brilliant minds to list, I’m going to highly recommend 25 individuals from within the Information Security field who you should probably be following on Twitter. I’m honored to call many of these people my “Hacker Family” and friends. Again, these are in no particular order.
- Jayson E. Street. (@jaysonstreet). Information Security Ranger.
- Graham Cluley. (@gcluley). Award-winning Computer Security Expert.
- Ryan Dewhurst. (@ethicalhack3r). Founder of Dewhurst Security, and Damn Vulnerable Web App.
- Gal Shpantzer. (@Shpantzer). Information Security and Risk Management Advisor.
- Peiter C. Zatko. (@dotMudge). Google: Advanced Technology & Projects Division.
- Dave Kennedy. (@hackingdave). Founder of TrustedSec and Binary Defense.
- Swift on Security. (@SwiftOnSecurity). Information Security-oriented Parody Account.
- Parisa Tabriz. (@laparisa). Browser Boss at Google Chrome. Security Princess at Google.
- Jeremiah Grossman. (@jeremiahg). Chief of Security Strategy at SentinelOne.
- Eric Conrad. (@eric_conrad). Senior Instructor at SANS. Lead Author of The CISSP Study Guide.
- Amanda Berlin. (@InfoSystir). Co-Host of Brakesec. Author of Defensive Security Handbook.
- Katie Moussouris. (@k8em0). Founder of Luta Security. Bug Bounty Hunter.
- Eugene Kaspersky. (@e_kaspersky). Chairman and CEO of Kaspersky Lab.
- Georgia Weidman. (@georgiaweidman). Founder of Bulb Security and Shevirah Inc.
- Ron Gula. (@RonGula). Founder of Tenable Network Security.
- Bill Brenner. (@BillBrenner70). Information Security Scribe at Sophos.
- Bruce Schneier. (@schneierblog). Cryptographer, Privacy Specialist, and Information Security Writer.
- Lenny Zeltser. (@lennyzeltser). The Yoda of Malware Analysis.
- Jennifer Leggio. (@mediaphyter). Writer for ZDNet: Zero Day. CMO at Flashpoint Intelligence.
- Brian Krebs. (@briankrebs). Investigative Journalist. Author of Spam Nation.
- Bill Gardner. (@oncee). Information Security Author and Assistant Prof. at Marshall U.
- Paul Asadoorian. (@securityweekly). Founder & CEO of Security Weekly.
- Tarah Wheeler. (@tarah). Sr. Director of Engineering & Security Czar at Symantec.
- Jack Daniel. (@jack_daniel). Security Expert. Speaker. Co-Founder of Security BSides.
- Kelly Lum. (@aloria). Security Engineer at Tumblr. Professor at NYU.
* “For 70% meaningless rambling, and 30% infosec.” Lmao. Thanks for the quote, Amanda.
Conventions and Conferences
If stalking your favorite Information Security expert on Twitter isn’t enough for you – and let’s be honest, it never is – you need to consider security conventions and conferences. (Side note: don’t actually stalk them. Some of them know martial arts.) Whilst Twitter offers an incredible amount of insight, it alone is not enough. You need to immerse yourself in the culture and the community. Rub elbows with the experts. Stay current on the bleeding-edge content as it is delivered in keynote speeches. It’s all about networking – and not the fun kind of networking that involves protocols and Man-in-the-Middle attacks. These are the reasons to attend the following conferences:
- When: July 27th – 30th, 2017. Where: Caesar’s Palace, Las Vegas. How much: $260 at the door.
- Black Hat. When: July 22nd – 27th. Where: Mandalay Bay, Las Vegas. How much: $695 for the main conference.
- Already happened this year. 🙁 Look into next year’s information on their site.
- Information varies by location. See: Security BSides Front Page.
- When: Sept. 20th – 24th. Where: Hyatt, Louisville, Kentucky.
- Already over for the year.
A Word on Certifications and Academic Degrees
When it comes to Information Technology, Computer Science, and Information Security, there are a lot of certifications that can be earned. There are also whole handfuls of academic degrees that can be earned. Every company and position will be different… but many positions may require certifications or college degrees. I, personally, dove into both. I earned my Bachelor of Science in Information Security, and along the way I earned several certifications, before moving into my Master of Science in Information Security. The best thing you can do is research the job title you’re going for, then check several different job postings for that sort of position at various companies, to determine what sort of academic background the industry is requesting. I am going to list a few of the major Information Security certifications, but you can also reach out to me on Facebook or Twitter if you need a little guidance traversing the certifications and degrees for this industry.
OSCP & OSCE
I’m going to start out with OSCP and OSCE, by Offensive Security. Straight up, these certifications are at the very top, in my opinion. Unfortunately, they’re not as commonly requested by HR as many of the other certifications, but these certifications are unique. They’re unique insofar as they are far more hands-on than the other certifications, many of which require nothing more than a written exam and a little bit of research. The OSCP certifications are not easy; the official motto is “Try Harder”, if that tells you anything. But the sense of accomplishment you’ll gain after completing one of these certifications is second to none. In Offensive Security’s own words:
The Offensive Security Certified Professional (OSCP) is the companion certification for our Penetration Testing with Kali Linux training course and is the world’s first completely hands-on offensive information security certification. The OSCP challenges the students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.
CEH
In EC-Council’s words:
A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.
Many people continue to push forward to earn their Certified Information Systems Security Professional (CISSP) by (ISC)². In (ISC)²’s words:
The vendor-neutral CISSP certification is the ideal credential for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organizations from growing sophisticated attacks.
CompTIA has several certifications that are great for entry-level people looking to add filler to their resumes. Additionally, CompTIA developed an “IT Certification Road Map” (.pdf) to help people plan their way through the certification tracks.
Unlike some of the other certifications mentioned here, the Cisco certifications are, obviously, vendor-specific. Yet they’re a very popular certification choice for people working with networking technologies and network security. The Cisco Certification Page lists 28 certifications, with varying focal points in the networking field – a handful of which are Security-oriented. Their latest certification, added in late 2016, is the CCNA Cyber Operations Certification. In their words:
Today’s organizations are challenged with rapidly detecting cybersecurity breaches and effectively responding to security incidents. Teams of people in Security Operations Centers (SOC’s) keep a vigilant eye on security systems, protecting their organizations by detecting and responding to cybersecurity threats. CCNA Cyber Ops prepares candidates to begin a career working with associate-level cybersecurity analysts within security operations centers.
Getting it Right
As with all fields, practice makes perfect. Information Security is no different – and fortunately, there is no shortage of exercises, examples, samples, and platforms designed specifically for people looking for additional practice. If you take anything away from this entire blog post, it should be this: hands-on, practical experience is the most important thing you can have in this field. In order to get that practical experience, you’re going to have to get your hands a little dirty. If, for instance, you’re looking to learn more about Malware Analysis, you’re going to want to set up an isolated analysis environment, so you can perform static and dynamic analysis on malware samples and see how that malware works behind the scenes. Let’s take a look at some platforms, operating systems, and tools that will be extremely valuable in gaining additional hands-on experience.
These are some of the environments I’ve used academically and professionally. You’re going to want to grab some Windows and Linux distros as well, to test on – PowerShell on Windows, for instance, or shell scripting (pick your favorite Linux flavor).
- Kali Linux. Penetration Testing Platform.
- REMnux. Malware Analysis Platform.
REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.
Practice Platforms, Courses, and Vuln DBs.
- Damn Vulnerable Web Application
- OWASP WebGoat
- OWASP Vicnum
- Stanford SecuriBench
- Google’s Gruyere
- Introductory Intel x86
- The XSS Game
Useful/Favorite Tools (you should consider mastering some of these)
- Social Engineering Toolkit (SET)
- IDA Pro
Additional Research Concepts
- Code Review/Analysis
- Attack Lifecycle (generic)
  - Preliminary System Compromise
  - Privilege Escalation
  - Data Exfiltration and Internal Reconnaissance
  - Attack Completion
In the Reading List section above, I listed some language-based textbooks. If you haven’t already, you should strongly consider learning a programming language. Personally, I picked up C++ when I was 14. Assembly is also useful to know, from a forensics/reversing standpoint. If you’re new to software engineering and you don’t have much of a need for constant programming, I highly recommend Python. I’ve found that Python is an excellent language for beginners (I’m a Python zealot), and it has many, many applications in Information Security. From scripting, to data manipulation, to digital forensics… Python is worth looking into.
One Last Thing
Okay, so this section is completely optional. Maybe you can walk the walk… but can you rap the rap?! I just want to quickly pay homage to some of the Nerdcore artists that got me through some intense projects, late nights, and long flights. If you haven’t heard of Nerdcore, go Google it… we’ll wait. Chances are, you’re going to stumble across Nerdcore at some point in your Information Security career (and those chances increase rapidly if you attend conventions). So if you haven’t yet, let me have the honor of introducing you to it.
- Dual Core
- MC Frontalot
- Former Fat Boys
Much love, guys.