Reprint: "Buying In" to the Information Security Industry
My first-ever piece of Internet content dating back to October 2011
Dear Reader, this was my first-ever piece of Internet content.
It was published in late 2011. I was 26 years old when I wrote this. I am reprinting it here, verbatim. Some of the research I've done recently into "swatting" attacks has been intersectional to gamer communities full of kids.
This is for them.
I'm writing this for all you kids out there; you know who you are. You're probably between ages 12 and 21.
You might be in elementary, middle, or high school. You may be home-schooled or a dropout. You might even be in college. The common element binding you all together is passion.
You're up late into the night, maybe writing scripts to automate scanning subnets with the latest greatest, possibly running some obscure Linux or BSD on old hardware you dug out of someone's trash, maybe digging into core dumps, maybe walking in open doors with your IRC buddies, maybe social engineering your way in and out of systems that give you some real-world advantage you wouldn't otherwise have. You love this stuff. It's so fun!
You know who you are. I used to be you. This guide is intended to seed new ideas; to help prime your mind for the fact that you will, indeed, be forced to "grow up" one day. Society will demand this of you; there is no escape, unless you are prepared to live your life by significantly unconventional means or are already wealthy enough by birth that you don't need to work to survive.
With that out of the way, the burgeoning information security industry needs YOU. It didn't immediately dawn on me that what I'd spent so much of my life dedicated to would become something I could make a living with. It took time and the examples of others around me to determine how to forge a career from what had only been an obsession/intense hobby.
We're lucky; cumulative advantage is on our side. You're growing of age, immersed in new technologies, at a time when "security" is a fairly new concept. Governments and companies are throwing money at these problems in the hopes they will go away, and will be doing so at an increasing pace for quite the foreseeable future.
That's where you come in.
There are several options, including:
Working in a company's security department;
Starting your own business and hiring others;
Working for yourself and becoming a consultant;
Working for the military or government, contracted or directly.
The best things about a career in infosec:
"Making a difference" - clichéd, yet generally true;
Landscape constantly shifting; new attacks and defenses devised all the time;
Doing what you love and enjoying high financial rewards as a result.
How to get started without a lot of industry-related experience on your resume? Well, you can attend university. Do I recommend this? No. Waste of time and big waste of money, unless you're really not that sharp and need to get your party on for a few years. In that case, this guide is not intended for you.
Everything you need to learn about this industry you can pick up by reading and doing, essentially the same activities that brought you to your current skill set. Buy/download books. Watch how-to videos. Download podcasts. Use the university courses that are available online and free. Hang out at your local hackerspace.
Start your local hackerspace. Attend conferences and meetups. Start a local con or meetup. Find any hardware you can, and use it. Install and configure servers and operating systems. Run simulation labs to understand how Cisco networks operate. Create an entire enterprise network with VMware.
Use every and any possible resource at your disposal to learn and become a resource yourself. When you've learned what you enjoy, look for jobs that you're interested in and think you'd fit well with and find out what industry certifications they value for those positions. Take them. Pass them. List them on your resume. Repeat.
Do you want to work defense or offense? You don't have to choose now, or ever, if you don't want to. Infosec professionals enjoy a high degree of flexibility. You may choose to specialize, or not. You may choose to teach at a school, or educate others at security conventions.
Conduct penetration tests for large or small companies. Help organizations figure out how security must mesh into the way they do business. Use your programming skills to evaluate code for flaws. The list of potential infosec-related work/activities is long and will only continue to grow.
However, a word of caution if you choose to dabble in gray/black-hat activities: if you are caught, it will be difficult for society to trust you, and you will find that locating gainful employment with these types of blemishes on your record will become pretty tough, unless you are lucky/smart enough to monetize the situation.
Needless to say, the Kevin Mitnicks of this world are few and far between, so I highly recommend you not tempt fate and keep your nose as clean as possible. We are entering an era of massive and brazen data breaches/theft. If you are snitched on or discovered, and convicted, be assured that any judge you are unlucky enough to stand in front of will make an example out of you as a deterrent for others. It's not worth it.
There really is an unbelievable amount of room to poke and prod, code, hack, and generally make things better and more interesting than before you arrived. There are so many ways to get your fix without doing something that could get you thrown in jail.
I'm talking to you, Anonymous, LulzSec, AntiSec, and every other young, brilliant mind out there. Don't be the person other inmates ask for email help… or worse.
Buy in, don't sell out.
Author's Note: This article was originally published on Infosec Island on October 23, 2011.