Nobody enters a new profession as an expert. The information security industry is so lucrative right now that schools are implementing Information Security programs. As some of you may know, I am currently 22 years old and about to graduate college with a degree in Information Security. I will be the very first to say that after 4 years in a program tailored to security, I have learned nothing that will ever directly apply to a job in Information Security. You may ask “How is that possible?”. The answer is simple. These degrees don’t teach you skills that you will use in the field; they teach you how to think critically, how to solve problems and, most importantly, how to learn.
I am going through the same process that thousands of students (and others) are going through. Information Security is scary, overwhelming and fast paced. As someone entering the industry (especially if you are young), you have A LOT of catching up to do. Not only do you have to learn and understand current attacker methodology and techniques, you have to learn past methodologies and techniques as well. Combine this with the need to learn scripting, programming, networking, protocols, etc. and you will find yourself stressed out and overwhelmed. I have encountered this first-hand and am still going through it as I write this, and because of that I want to give a few tips to those either entering the industry or thinking about entering it.
1. Passion is essential
“If you love what you do, you’ll never have to work a day in your life”
This says it all. Learning concepts isn’t hard when you want to learn them. The same goes for applying those concepts. If you have passion for information security, you are miles ahead of the majority of other folks in the industry. There are a lot of people that do this job because of the money. I can honestly say that I would remain in the information security/offensive security industry if it paid minimum wage. The job is easy if you love it.
2. Never Stop Learning
Concepts, technology and methodology will always be changing. Not only do you have to learn the past, but you have to learn the present and the future. Be a sponge and absorb every little bit of information that you can.
3. Learn the basics
First, learn the basics of computers, networking and programming. If you have a genuine passion for computers, this will be easy. I recommend getting a job doing helpdesk or general systems administration. For example: I started working the helpdesk at a small company my sophomore year in college. All I did was fix monitors, printers and basic networking issues. After two years, I got a new job working the helpdesk and doing sysadmin work for a larger company. This gave me the opportunity to branch out and learn how a corporate network is set up and how it functions. I was able to learn the ins and outs of a domain and how it operates. With a basic understanding of how things work, you can then branch out into how to break them. Without this basic understanding, it will be hard to operate with an offensive (or defensive) mindset.
4. Dive in
From my experience, the only way to learn is to just jump in the deep end. Get in the weeds of things going on, even if you don’t understand them. The security industry is excellent at mentoring, so find a few people and stick by them. Most security professionals understand that by investing in you, they will help bring up an additional professional in an industry that is in desperate need of passionate professionals.
As I stated above, get in the weeds of things, even if you don’t understand it. There are TONS of open source projects and tools out there. Find some that interest you and try to contribute. Or, even better, start your own research. Contribute to the community by completing and sharing some of your own work. For example: When I first started, I had a massive interest in client side attacks. I started researching different client side attacks and in 2013, I found an old article from 2003 about malicious Microsoft Office macros. I decided to dive into that and started to do work geared towards using VBA macros in client side attacks.
6. Start a blog
This is something I cannot stress enough. By starting a blog, you are creating a portfolio of all your work. This is something other students and professionals can reference. Employers also like it as it details all of your work. This goes with tip 5. As you do your own research/work, write about it. Not only will you be contributing to the community but you will also be building up a portfolio.
7. Keep your head up
As I previously mentioned, the security industry is awesome about mentoring. I should also note that there are people that find joy in tearing you and your work down. As you learn and grow, realize that you are not an expert in everything and you are human. Humans make mistakes, so you will too. When that happens, chalk it up as a learning experience. Don’t get discouraged or angry. The industry revolves around learning, no matter how brilliant you are. For example: I did some research with Alternate Data Streams and using them with PowerShell and VBScript to obtain persistence on a compromised host. I did as much research as I could, wrote some code, published it and wrote a blog post. I was just getting into technology when Windows XP was being phased out, so I had no experience with Alternate Data Streams. All I had was what I read and the code I wrote. When I published my blog post, I made the mistake of claiming this method of persistence was “Fileless”. As soon as I shared my post, I got torn apart by forensic and Incident Response professionals. They bashed me since Alternate Data Streams are not fileless, as I claimed them to be in my post. To be honest, I felt dumb and was tempted to just delete the post altogether. This will happen to anyone that contributes, I promise. Instead of getting discouraged, I remained professional, fixed my blog post and thanked those who jumped at the opportunity to smack me in the face. I’m glad they did because now I know that Alternate Data Streams are not fileless. I took that as an opportunity to learn from those who are smarter than me. Again, just keep learning.
8. Remember where you came from
As you grow as a student and professional, you will likely become an expert in the field at some point. When this happens, don’t turn into a gigantic asshole. As I previously mentioned, the security industry is awesome about mentoring but there are also people who will sit and wait for the opportunity to bring you down. A lot of people see those new to the industry as “n00bs”, “dumb” and “inexperienced” and in turn, won’t give them the time of day. When someone comes to you with a question, no matter how dumb, answer them. They are asking you for a reason and being an asshole about it helps nobody. You were in that spot once so when someone approaches you (or “sticks with you”, as mentioned in tip 4), take them in and give them guidance. I have started to see that the security industry is kind of like High School. There are different groups with different attitudes. Someone just entering the industry feels exactly like the first day of high school. They just want a friend. If you invest in someone, you will help grow them into a professional. This cycle repeats, so they will then hopefully do the same thing for the next rookie, etc.
9. Get yourself out there
Go to conferences and hang out with people. This is even more important when you are trying to get into the industry. By going to conferences, you can talk to people that you may see as an idol. Almost everyone will sit down with you and talk, because they understand the concept of not being an asshole. Those are the people you need to stick by. Example: I started my journey into information security in 2013. I knew nothing and I knew nobody. I had a small presence on Twitter where I just followed some security guys, but that was it. I couldn’t afford to go to a conference, so I didn’t. I made a comment on Twitter one day about wanting to go to DerbyCon sometime and was met with open arms. Tickets were sold out, but someone offered to sell me their ticket. I was thrilled, but couldn’t afford to buy the ticket or hotel, so I politely declined. A few minutes later, that same person decided to just give me their ticket. They didn’t know me or what I was about, but they gave me their ticket anyway. I told my parents that I was going to this conference and that I would be sleeping in my car. Luckily, they decided to pay for the hotel. I ended up going to DerbyCon in 2013 and had the time of my life. I met some awesome people, made some amazing friends and saw some awesome talks. Going to the conference, I knew nobody. After the conference, I felt like a part of the family.
10. Stay humble
There is not a single person that is an expert in everything. There will always be someone smarter than you in certain areas. Put your ego aside and accept that you are not the smartest expert in the field. The moment that your ego gets in the way is the moment that you stop learning and fall behind. Share your knowledge and expertise with others and take in the knowledge and expertise of others. Sharing is caring.
All I can say is stay true to yourself, contribute, get your name out there and never stop learning. When given the opportunity, share your experiences and knowledge with those who want to learn. Ask questions, learn and get in the weeds. The last thing the industry needs is a “professional” who runs Nessus and puts their logo on the report. 🙂
And most importantly, keep a good attitude and have fun! 😀
4 thoughts on “10 Tips for Aspiring Security Professionals”
Know this: you are already doing more than most security “professionals”, individuals who use applications rather than understand how they work or even care about what goes into writing/creating them.
This was an inspiring post. Packed with passion coming from a 22-year-old. Reminds me of the days when I was 22.
So first, I really appreciate this post.
So, if I were to start gathering information and get into infosec, where would you recommend I start from?
To give you a fair idea, I have an IT background. After school I quickly jumped into social media marketing & sales, a headless approach to pursuing a career in social media & app distribution, and pitching (marketing & sales).
For a few months now, I’m starting to hate social media. It’s pretty much getting to me, for reasons – I’m disinterested in people’s lives and promoting cr@p.. lol. I don’t care if it generates likes or f@rts. I’m bored.
Also, an instance of a colleague’s Android device getting compromised got me intrigued about a security-related approach to that vastly super-saturated social media industry. So, over these few months I’ve gathered information to use and operate Kali and MSF. However, like you mentioned, like most people I’m stuck with just using and toying with tools. I believe at this point I need to understand how things work, perhaps create things (seems far-fetched, right?)
Illustrating my present scenario: I stumbled upon your Macro-VBS generator 3 days ago and did manage to create that VBS project workbook. However, the moment it’s created, it’s detected by my outdated AV on Windows 8.1 running in a VBox.
So I realised I need to encode it.. but for 3 days I’ve been struggling to get my hands on a script to encode/decode a VBS using base64/ASCII (anything) which does not break the code and automates the PowerShell execution. It also happens to be a challenge, a point to prove, a project
(yes, since I left school I’ve even forgotten about these concepts)..
So how do I get this to work?
And above all, where do I dive in? What do I begin learning now?
I’m in the process of charting down a 10-step approach to (learning enough just to enter this industry).
So far, I have a) figured out how to use Kali + some tools, b) set up a virtual lab with laptops and a bunch of phones and tabs, c) figured out stuff about setting up networks, d) figured out concepts of using tools like MSF, Veil etc., e) am in the process of figuring out post-exploitation, f) reporting and stuff.
What next?
So far, I’ve thoroughly enjoyed your blog. Good stuff, keep it going!
(I’m aware it’s a long post; it’s 4am, and I’m out of coffee..)
First off, thanks for reading... I’m glad you have found it useful!
Moving into infosec can be a challenge, especially when moving from another career field. Challenging as it may be, it is definitely doable. Being successful will require a ton of passion and time. It sounds like you are doing it 100% right. The most you can do is jump in the deep end. The more you immerse yourself in different topics, the easier things get. As long as you retain a mentality of always learning, you will have no problems whatsoever.
As far as the VBS file getting nabbed by AV, there are a few ways to obfuscate it. The art of AV evasion is mostly trial and error... you change aspects of the file & test it until it works and AV doesn’t grab it. Another way to get around it is to modify whatever payload you want to use and adapt it to PowerShell. The more you remain in memory and off disk, the less chance you will have of getting nabbed by AV.
If you have the time and funds, I would highly recommend taking Offensive Security’s OSCP course. This course teaches the basics of pentesting and it takes an approach of teaching people who have limited experience/knowledge in the field. It also provides you with a wealthy lab range with many vulnerable boxes. Setting up a lab and playing in it is useful at first, but it is hard to learn more advanced concepts in an environment you have extensive knowledge of. The OSCP labs will provide a nice range (that you come in with no knowledge of) and let you hack away at it.
I would also maybe dig a bit into scripting (PowerShell, VBS, Python, Bash, etc.). The best advice I can give is to love what you do, do it often and act as a sponge. Learn as much as you can and never, ever stop learning.
If the OSCP is a bit far-fetched (I would do it as long as you are able to pay for it), you can download some vulnerable VMs from vulnhub.com. That site will give you vulnerable VMs that you can hack at.
If you have questions or need advice, you can reach out to me directly by shooting me an email at: