So You Wanna Be a (Security) Superstar?
Dec. 30, 2009 11:23 AM
Written by Rick Deacon
Recently I've been faced with a very difficult type of question... and it isn't even technical. No, it's not the typical 'How do you find a buffer overflow?' or 'Can you write me code entirely in assembly... in 20 minutes?'... it's much more difficult to answer. It's answer, to many people, may be the 'key' they are looking for in this industry. The question is very often phrased as "So what did it take for you to get where you are?" or "How do I get into the security industry?" and even sometimes "How do I become a hacker?"
There are many different approaches to this subject, and I firmly believe there only a few ways to truly succeed in security or IT in general. A lot of people assume four years of school is going to land you your dream job, where you're a hacker in your own peaceful office behind a wall of 6 monitors watching packet captures fly by on one screen while simultaneously watching The Matrix on the other and texting your girlfriend(s) about which restaurant you're renting out tonight. That may work for some but that doesn't always happen. In fact, most of the time it doesn't. That same sort of mentality is what I see currently when people are picking their majors/careers, which mind you, is a decision which usually affects you the rest of your life. Many people tell me about how they know "a little" about computers but they're going to learn the rest of what they need no problem... that's what school is for, right? Wrong. From my experience, it takes a lot more than just four years of school to get ahead, especially in security. It takes a mindset that pushes and drives you to understand what's going on an intricate level. Taking a test and naming pieces of hardware off of a computer isn't going to get you very far. Certification courses and advanced networking courses are always going to help you learn and ARE necessary, but they're not going to teach you about the mental anguish you're going to endure when you to try apply the concepts, and for some reason unbeknownst to man, the darn thing just won't work. On that note... if you somehow think this won't ever happen to you, think again :). This applies even more so to information security because the knowledge that penetration testers, hackers, system administrators and developers have is far more than just what you learn in a book or from taking a quiz. It's a conglomeration of experimentation and research on your OWN time mixed with the drive to understand the inner workings of things that no normal human being should want to know. Falling into this sort of field very rarely happens and the security mindset and mentality isn't something that can always be taught.
The whole concept and topic of teaching and learning on this subject is a whole blog in and of itself... but essentially you can never stop learning in this field. If you're not "with it" on what's going around in your industry or community, you might as well forget it. You won't ever get anywhere having a mundane view of what's going on. The security industry is dynamic. Visit any Full Disclosure mailing list or website and see how much is updated on a daily basis... it's somewhat ridiculous.
In the defense of all certification and course instructors out there, there is always something to learn. Sometimes the best way to learn is behind a desk listening to someone, whether it be a teacher or just someone who knows something you don't.
So back on direct topic here... what should someone do when they want to be part of this industry? Always be learning, always be listening and always be aware. Be learning about what's new and out there and by that I don't mean just read an article. if it's a new application... setup a personal 'testing' network and try it out. If it's a new vulnerability, setup a virtual machine and go hack yourself. Be listening to what people of intelligence have to say when it comes to the manner. If they know more than you, don't try to act like a know it all. It won't get you anywhere. Be aware, most importantly. Be aware of what's going on in the industry. A great place to do this is Twitter. You'd be surprised what can be learned by following some influential and smart people on Twitter. (Like @hurricanelabs and @rickdeaconx for example. ;))
Obviously there is not going to be a magic silver bullet. It's always going to take work and no one is going to give you the answer to solve all questions. Do what you love, and if you don't love to do it... don't bother. Especially in IT.
Read the original blog entry...