So there was some minor drama at this year’s hacker summer camp (Defcon, BSidesLV, Blackhat). It appears to have been around a possible con from the group @InfosecN00bs (#n00bsec). You can read the full blog post on what went down here.
Essentially this started out as a group of “n00bs” trying to break into InfoSec. If you dig around they are not the first group of this type but what is interesting is they tried to start a crowd funding campaign to pay for certain members to attend the big cons. Well it was a big scam apparently, but we won’t go into that. This whole thing got me thinking and it is one of those topics that grinds my gears!
What is it to be a n00b in InfoSec? Well in truth, there really shouldn’t be too many. Infosec is not an entry level career. Many of us in the industry did not start here. We stumbled, fell, or accidentally opened the wrong door. But before all that we worked the help desks, built servers, created web sites, and told users to “turn it off and on again!” We started our journey learning how to do all these things. Some of us did them well enough to realize that these systems had flaws. At that point we decided to switch those gears into a security focused career. I still laugh at the fact that someone is paying me double to tell them the same things I told them years ago as a Sys Admin.
So what I am trying to get at is, that although we may have been new to the InfoSec industry, we were hardly inexperienced. We had a good deal of base knowledge to work off of. That is what is important when it comes to experience. Now for those entering the scene today, there is a wealth of information available. Many of the pros are willing to help new folks along, but they will not be there to hold your hand. You will need to work a bit. Do your own research, study the topics, and make your way out to the local community events. You don’t need to head right to Defcon, but maybe try a local Security BSides event or a meetup activity. This is not a career for those looking for a handout or in it just for the money. It is for those who will throw up a learning lab at home or a virtual lab on AWS just to try things out.
And some final thoughts… You are ultimately on your own when it comes to building your skills. But when you get stuck and google has failed you, reach out and someone will point you in the right direction. You can also reference my previous post to get a list of places to start. If a pro offers you guidance, accept it and thank them, maybe buy them a beer if you see them at a Con. But don’t get pissed if you try to pump them for more than they are willing to provide. They don’t have lots of free time to devote to mentoring. Rather why not follow them on social media or subscribe to their podcast or blog.
Go out there and learn n00bs! 😀
- Install Kali
- Pwn all the things
- Collect big paycheck!
So what I really want to accomplish with this post is to provide a series of sources to help you get going in your infosec career. I had a much longer post going on about building a good base of other technical skills and such but lets just get to the meat of it.
- Codecademy – Offers a number of free courses with added features if you upgrade to a pro subscription. Great place to learn Python and Ruby.
- Udacity – Much wider selection of programming courses, possibly better place to start for you App Sec types.
- Microsoft Virtual Academy – Yes, even MS has a ton of free training resources. Powershell to .NET C#!
- PluralSight – 30 bucks a month and a free trial. They cover a wide variety of topics from CISSP to OWASP Top 10 for .NET with Troy Hunt.
- ITProTV – Covers a wide variety of content spanning IT, probably a good place to start if you need to build up those base skills. A bit pricier than PluralSight but has a stronger focus on IT in general. Also you can probably find a discount code if you listen to Paul’s Security Weekly.
- Security Weekly – They have expanded beyond the initial Security Weekly podcast to cover Enterprise, Startups, and Securing your digital life. Listen to them all or pick and choose! The team is great and you can’t go wrong, they will get you asking “What is the problem we are trying to solve??”
- Risky Business – Covers the weekly security news from an Aussie perspective and includes special segments and interviews.
- Southern Fried Security – Weekly-ish topical security discussions from the south.
- SANS Internet Storm Center (ISC) – a quick 5-7 minute daily micro-cast covering security highlights.
Twitter – Pretty much start with the people who host the above podcasts and the ones followed by our twitter account. It is a great place to start interacting with the active security community.
Conferences / Meetups
- Security BSides – Spawned out of rejected CFPs from Blackhat 2009, Security BSides has evolved into a global series of events put on by local security communities. This is a great place to get your feet wet and the cost is free to minimal.
- DerbyCon – 5 day con down in Louisville, KY. One of my personal favorites if you can fly and afford the hotel. If you are in a reasonable distance you can also drive. They have 2 days of training sessions before the actual conference. It is a more intimate conference compared to the likes of DEF CON. They also include nightly activities and a CTF that has something for all skill levels. When you are there make sure to stop by the hardware hacking and lockpick villages!
- CircleCity Con – I can’t speak on this one but the organizers are a great bunch. If you can get to Indianapolis in June, check this one out!
- Thotcon – another small con, it already happened this year but put it on your calendar for next year if you are going to be in the Chicago area.
- DEFCON – Can’t mention the others without mentioning this one. Without Blackhat and DEFCON we would not have the community that we have now. I have yet to attend either of these but it is on the bucket list.
- Meetups – Google search for local groups in your area. Check around at Maker and Hacker spaces.
So that is it for now, hopefully you found this useful. If you have other resources you come across feel free to message me on twitter and I will post an updated list. Good luck and remember, if you are looking for your first official security gig, don’t be afraid to apply even if you think you are not qualified. The smart employers may look past the lack of skills if you can demonstrate the right mindset for this work.