Diving into the Deep, Dark Waters of Information Security

Graduation day is quickly approaching. In three weeks, a six year academic journey will come to an end for me. But my journey into Information Security, and the subsequent sub-disciplines of the field, certainly didn’t begin with university, and will not end with it. Along the way, I’ve come across some truly remarkable – and highly useful – resources. Resources that I’ve used not only in the academic environment, but also in professional, and personal, environments. This post aims to pass on those resources to you, and help you navigate the dark, deep waters of Information Security, as you take your first dive into the field.


Reading List

These books are listed in no particular order, other than topical categorization.

Information Security
Digital Forensics, Incident Response, & Malware Analysis
Software Engineering & Security

I am only going to cover Python, C++, Java, and Go, as these are the languages I am fluent in and/or have studied.

Python
C++
  • The C++ Programming Language, by Bjarne Stroustrup. (Yes, that Bjarne Stroustrup. The creator of C++. There is no better C++ book than this, and I’ve read many, as C++ is my primary language. Highly, highly recommended.)
Java
Golang
Programming Methodology
Intelligence & Criminal Justice

A select group of individuals will also enjoy these readings.

General Reading

Resource Centers & Online Reading

In addition to the textbooks listed above, there are many great resource centers, and online outlets, for Information Security content. Like the textbooks, these are listed in no specific order.

Resource Centers
SANS
NIST
OWASP
Worthwhile Reading

Also, another excellent outlet to keep your eye on is Humble Bundle. Humble Bundle is a fantastic place to get great content, whilst supporting charities that you care about. They do not always have IT/CS/IAS-oriented books up, but they do on occasion. So make sure you keep a watchful eye out.


The Information Security Community

 

Who to Follow on Twitter *

The Information Security community is vast, with plenty of people who are worth keeping your eye on. Learning from other people – experts in the industry – can be one of the most beneficial approaches you can take when first getting your feet wet in this field. Whilst there are simply far too many brilliant minds to list, I’m going to highly recommend 25 individuals from within the Information Security field who you should probably be following on Twitter. I’m honored to call many of these people my “Hacker Family” and friends. Again, these are in no particular order.

  • Jayson E. Street. (@jaysonstreet). Information Security Ranger.
  • Graham Cluley. (@gcluley). Award-winning Computer Security Expert.
  • Ryan Dewhurst. (@ethicalhack3r). Founder of Dewhurst Security, and Damn Vulnerable Web App.
  • Gal Shpantzer. (@Shpantzer). Information Security and Risk Management Advisor.
  • Peiter C. Zatko. (@dotMudge). Google: Advanced Technology & Projects Division.
  • Dave Kennedy. (@hackingdave). Founder of TrustedSec and Binary Defense.
  • Swift on Security. (@SwiftOnSecurity). Information Security-oriented Parody Account.
  • Parisa Tabriz. (@laparisa). Browser Boss at Google Chrome. Security Princess at Google.
  • Jeremiah Grossman. (@jeremiahg). Chief of Security Strategy at SentinelOne.
  • Eric Conrad. (@eric_conrad). Senior Instructor at SANS. Lead Author of The CISSP Study Guide.
  • Amanda Berlin. (@InfoSystir). Co-Host of Brakesec. Author of Defensive Security Handbook.
  • Katie Moussouris. (@k8em0). Founder of Luta Security. Bug Bounty Hunter.
  • Eugene Kaspersky. (@e_kaspersky). Chairman and CEO of Kaspersky Lab.
  • Georgia Weidman. (@georgiaweidman). Founder of Bulb Security and Shevirah Inc.
  • Ron Gula. (@RonGula). Founder of Tenable Network Security.
  • Bill Brenner. (@BillBrenner70). Information Security Scribe at Sophos.
  • Bruce Schneier. (@schneierblog). Cryptographer, Privacy Specialist, and Information Security Writer.
  • Lenny Zeltser. (@lennyzeltser). The Yoda of Malware Analysis.
  • Jennifer Leggio. (@mediaphyter). Writer for ZDNet: Zero Day. CMO at Flashpoint Intelligence.
  • Brian Krebs. (@briankrebs). Investigative Journalist. Author of Spam Nation.
  • Bill Gardner. (@oncee). Information Security Author and Assistant Prof. at Marshall U.
  • Paul Asadoorian. (@securityweekly). Founder & CEO of Security Weekly.
  • Tarah Wheeler. (@tarah). Sr. Director of Engineering & Security Czar at Symantec.
  • Jack Daniel. (@jack_daniel). Security Expert. Speaker. Co-Founder of Security BSides.
  • Kelly Lum. (@aloria). Security Engineer at Tumblr. Professor at NYU.

* “For 70% meaningless rambling, and 30% infosec.” Lmao. Thanks for the quote, Amanda.


Conventions and Conferences

If stalking your favorite Information Security expert on Twitter isn’t enough for you – and let’s be honest, it never is – you need to consider security conventions and conferences. (Side note, don’t actually stalk them. Some of them know martial arts.) Whilst Twitter offers an incredible amount of insight, it alone is not enough. You need to immerse yourself in the culture and the community. Rub elbows with the experts. Stay current on the bleeding-edge content as it is delivered in keynote speeches. It’s all about networking – and not the fun kind of networking that involves protocols and Man-In-The-Middle attacks. These are the reasons to attend the following conferences:

  • DEFCON
    • When: July 27th – 30th, 2017. Where: Caesar’s Palace, Las Vegas. How much: $260 at the door.
  • Black Hat
    • When: July 22nd – 27th. Where: Mandalay Bay, Las Vegas. How much: $695 for the main conference.
  • ShmooCon
    • Already happened this year. 🙁 Look into next year’s information on their site.
  • BSides
  • DerbyCon
    • When: Sept. 20th – 24th. Where: Hyatt, Louisville, Kentucky.
  • RSA
    • Already over for the year.

A Word on Certifications and Academic Degrees

When it comes to Information Technology, Computer Science, and Information Security, there are a lot of certifications that can be earned. There is also a whole range of academic degrees that can be earned. Every company, and every position, will be different… but many positions may require certifications or college degrees. I, personally, dove into both. I earned my Bachelor of Science in Information Security, and along the way I earned several certifications, before moving into my Master of Science in Information Security. The best thing you can do is research the job title you’re going for, then check several different job postings for that sort of position at various companies, to determine what sort of academic background the industry is requesting. I am going to list a few of the major Information Security certifications, but you can also reach out to me on Facebook or Twitter if you need a little guidance traversing the certifications and degrees for this industry.

OSCP & OSCE

I’m going to start out with OSCP and OSCE, by Offensive Security. Straight up, these certifications are at the very top, in my opinion. Unfortunately, they’re not as commonly requested by HR as many of the other certifications, but these certifications are unique. They’re unique insofar as they are far more hands-on than the other certifications, many of which require nothing more than a written exam and a little bit of research. The OSCP certifications are not easy; the official motto is “Try Harder”, if that tells you anything. But the sense of accomplishment you’ll gain after completing one of these certifications is second to none. In Offensive Security’s own words:

The Offensive Security Certified Professional (OSCP) is the companion certification for our Penetration Testing with Kali Linux training course and is the world’s first completely hands-on offensive information security certification. The OSCP challenges the students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.

Even their music is good:

The Offsec OSCP song from Offensive Security on Vimeo.

CEH

Another popular industry certification is the Certified Ethical Hacker (or CEH).

A Certified Ethical Hacker is a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a target system(s). The CEH credential certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective.

 

CISSP

Many people continue to push forward, to earn their Certified Information Systems Security Professional (CISSP) by (ISC)².

The vendor-neutral CISSP certification is the ideal credential for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organizations from growing sophisticated attacks.

 

CompTIA

CompTIA has several certifications that are great for entry-level people looking to add filler to their resumes. Additionally, CompTIA developed an “IT Certification Road Map” (.pdf) to help people plan their way through the certification tracks.

Cisco Certifications

Unlike some of the other certifications mentioned here, the Cisco certifications are, obviously, vendor-specific. Yet, they’re a very popular certification choice for people working with networking technologies, and network security. The Cisco Certification Page lists 28 certifications, with varying focal points in the networking field – a handful of which are Security-oriented. Their latest certification, added in late 2016, is the CCNA Cyber Operations Certification. In their words:

Today’s organizations are challenged with rapidly detecting cybersecurity breaches and effectively responding to security incidents. Teams of people in Security Operations Centers (SOC’s) keep a vigilant eye on security systems, protecting their organizations by detecting and responding to cybersecurity threats. CCNA Cyber Ops prepares candidates to begin a career working with associate-level cybersecurity analysts within security operations centers.


Getting it Right

As with all fields, practice makes perfect. Information Security is no different – and fortunately, there is no shortage of exercises, examples, samples, and platforms that are designed specifically for people looking for additional practice. If you take anything away from this entire blog post, it should be this: Hands-on, practical experience is the most important thing you can have in this field. In order to get that practical experience, you’re going to have to get your hands a little dirty. If, for instance, you’re looking to learn more about Malware Analysis, you’re going to want to set up a sterile analysis environment, so you can perform static and dynamic analysis on malware samples and see how that malware works behind the scenes. Let’s take a look at some platforms, operating systems, and tools that will be extremely valuable to gaining additional hands-on experience.

Operating Systems

These are some of the environments I’ve used academically and professionally. You’re going to want to grab some Windows and Linux distros as well, to test on: PowerShell on Windows, for instance, or shell scripting on your favorite Linux flavor.

  • Kali Linux. Penetration Testing Platform. (Old teaser trailer below, but you get the gist.)

Kali 2.0 Teaser – Kali Sana! from Offensive Security on Vimeo.

  • REMnux. Malware Analysis Platform.

REMnux® is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.

 

Practice Platforms, Courses, and Vuln DBs
Useful/Favorite Tools (you should consider mastering some of these)
Additional Research Concepts
  • Fuzzing
  • Code Review/Analysis
  • Enumeration
  • Attack Lifecycle (generic)
    • Reconnaissance/Enumeration/OSINT
    • Preliminary System Compromise
    • Privilege Escalation
    • Data Exfiltration, and Internal Reconnaissance
    • Persistence/Maintenance
    • Attack Completion

In the Reading List section above, I listed some language-based textbooks. If you haven’t already, you should strongly consider learning a programming language. Personally, I picked up C++ when I was 14. Assembly is also useful to know, from a forensics/reversing standpoint. If you’re new to software engineering, and you don’t have much of a need for constant programming, I highly recommend Python. I’ve found that Python is an excellent language for beginners (I’m a Python Zealot), and it has many, many, many applications in Information Security. From scripting, to data manipulation, to digital forensics… Python is worth looking into.


One Last Thing

Okay, so this section is completely optional. Maybe you can walk the walk… but can you rap the rap?! I just want to quickly pay homage to some of the Nerdcore artists that got me through some intense projects, late nights, and long flights. If you haven’t heard of Nerdcore, go Google it… we’ll wait. Chances are, you’re going to stumble across Nerdcore at some point in your Information Security career (and those chances increase rapidly if you attend conventions.) So if you haven’t yet, let me have the honor of introducing you to it.

Shout Outs
  • Dual Core
  • YTCracker
  • MC Frontalot
  • Former Fat Boys
  • Beefy

Much love, guys.

Tyler
Written by Tyler