War Games: Will You Capture or Hoist the Flag?

Written by Craig Balding


image credit (with permission): Matthew Michael Stits

Have you ever taken part in a Capture the Flag (CTF) hacking event?

CTF is an intense and at times wholly frustrating experience. Some of the qualities you need include a technical and/or tactical bent, a puzzle solving mindset, competitive tendencies, mental and physical stamina and a mini fridge stuffed with Red Bull.

Every year at Defcon, the CTF contest takes place over a 2 day period. For many this won’t be news - what is new is that a rare opportunity has just opened up. You and your friends have a chance to be the group running the CTF. That’s right, you could be the team that designs, develops, deploys and runs the contest in Vegas.

All things must change, and after years of hard work and consistent advances Kenshoto has decided that it is time to let someone else have a chance to run CTF. We will forever miss their crazy videos and clever configurations. After taking it to the next level, creating a spectator sport out of geeks sitting at their keyboards 0wning machines, and helping CTF gain fabulous recognition around the world, Kenshoto has officially retired as the organizers and hosts of DEFCON’s CTF. The contest is not over, merely in transition to the next keepers of the flame. This is the opportunity you and your crew, company, or government have been waiting for!

You too can pour your heart and countless thousands of hours into planning, producing, and executing the world’s most famous contest of hacking skills. All of the contests at DEFCON are run by volunteers, and CTF is no different.

My intent is to make a game that’s fun for its participants. Kenshoto did a fabulous job of allowing CTF to be a team and spectator sport through scoring visualizations, commentators and game updates. They took it to a new level in one area, and you can take it to another. The heart of hacking has many facets!

CTF is made up of many parts: the actual teams, the organizers, observers, third-party supporters, the press, con attendees wanting in on some action, and those newbies wondering WTF.

If you have ever participated in a CTF and found yourself disagreeing with the way it was run, or walking away with lots of nifty ideas for how you’d run one, now’s your chance to put those ideas into action at Defcon in Vegas. Find out more at the Defcon 17 blog. The deadline for submitting your concept is the 28th of February.

What If I’m Not Ready To Lead

Now, if you’ve never participated in a CTF contest and you enjoy attack and defense then I highly recommend you consider taking part in one. It doesn’t have to be Defcon, although that would give you an unforgettable experience that few can claim.

I see CTF as an excellent opportunity to learn more about yourself. You can’t beat the cut and thrust of a live, competitive event to help you discover your strengths and weaknesses and to experiment with different tactics. If you play in a team you stand to get even more from it, as you learn from your peers (and they learn from you). What you learn may surprise you. Everyone brings something unique to the table and you may find some of your assumptions about the caliber of other players challenged (for better or worse). Oh, and don’t think you have to be an uber-hacker to take part - you don’t. Sometimes our feelings of pride or perfectionism stop us from taking part in the very things that we stand to gain the most from. As the saying goes: ‘Get over it’ :P.

The Side Benefit of CTF That Few People Talk About

Oh, and did I mention the benefit CTF has on your CV/resume?

To a hiring manager faced with inexperienced candidates applying for an entry-level penetration testing position, it demonstrates you have experience dealing with the emotions that frequently accompany a pen-test. Reading tech books and RFCs is vital, practicing your hands-on skills in your home test lab is beneficial, attending conferences to learn new techniques is great, but the real winner is demonstrating you can apply what you learn in the face of real-world constraints.

Your CTF experiences are a great talking point for the interview - especially if you are fresh out of college and have little real-world experience to point to. Besides, any hiring manager worth their salt is going to give you a hands-on technical challenge as part of the recruitment process. Does that sound stressful? It should do - it’s not just your technical skills that are under scrutiny. It’s your ability to assess a situation, make decisions and act on them within a timeframe you may feel is insufficient and with less information than you’d ideally like. In other words, it’s a lot like real-world penetration tests (and Incident Response!).

Participating in CTF gives you an edge over those candidates who have never had their back to the wall trying to answer three questions: Which target? What tactic? Which tool/exploit? That is when you lean on your CTF experience and help them decide that your name belongs on their shortlist.

Announcing the Infosec 10 Minute Mentor

Written by Craig Balding

When I was starting out, I had a bunch of questions about life in the IT security industry but no-one with real Infosec experience to turn to. I simply didn’t have the connections back then, nor a trusted advisor/mentor. Looking back, the downside was I took some longer paths than necessary in the learn/fail cycle. The upside is that ultimately I learned to do that quite quickly (failing cheaply and quickly is a desirable trait).

What Is Your Question?

If you have a question about some aspect of working as an IT security professional, send it in and I’ll reply right here on the blog. I’ve been in this industry for 10 years and am happy to share my learning/experience. To understand a little about my background, check my about page.

As guidance, the question should be short and to the point with enough context that I can give you a meaningful answer. By context I mean a few sentences about your situation - enough that I can have a good shot at giving you an answer.

My promise to you is that if you send in a reasonable, well thought out question, I *will* post a reply right here on this blog. Plus I’ll leave comments open on the blog post so other readers can chip in and give their perspective. I won’t publish your email address and will scrub any other personal identifiers except your first name.

What’s a good question?

Simple: anything that helps someone else answer their question :-)

Yeah baby, this is all spreading good karma…

Send your questions to: craig.balding@gmail.com

P.S. I’m treating this as a 28 day experiment - I’ll extend the experiment if people find this useful.

image credit: coscurro

Standing Out In A Pool of InfoSec Wannabes: Are You Special Enough?

Written by Craig Balding


I stumbled across a great video on a blog post from the SOURCE Boston conference.

Careers in information security are often difficult to navigate, with the industry changing more and more radically every year. This is even more true in an economy that isn’t necessarily thriving. We’re going to talk about the important skills, traits and knowledge that a security pro needs to build a long-term and successful career – not just the usual stuff (like “get certified”), but the real-world knowledge that teaches you how to have the job that keeps you challenged, growing and well-compensated.

If you are even thinking about a role in Information Security, or wondering about your next step in the industry, this in-depth talk by Lee Kushner and Mike Murray is for you.

How do you keep yourself special? Share in the comments…

10 Ways To Cheat At Being An IT Security Professional.

Written by Craig Balding

Creative Commons License photo credit: нσвσ

  1. Be A Security Cool Cat: Place penguin stickers on every surface in your cubicle. Stick at least 3 on the dual boot company issued laptop (that hasn’t had a kernel upgrade in 6 months). Use BlackHat stickers for bonus points.
  2. Be An Undercover Open Source Evangelist: Unfailingly recommend open source solutions as more secure. Be sure to quote ‘more eyes, less vulnerabilities’. Recite frequently. Always forward security advisories about commercial products to your boss.
  3. Walk the Tech Talk: Learn at Least 10 Bash Keyboard Shortcuts. Treat this as a party trick. Perform rapidly in sequence whenever anyone watches your screen. Giggle and pass the keyboard over and say ‘Your turn!’.
  4. Be All Knowing, Jedi Warrior!: Say ‘Trust but verify’ whenever you are asked a question you do not understand. Make it clear in meetings that you trust no-one and “verify” solely through a Google/Secunia search.
  5. Impress with a Penetration Test!: Download Metasploit, spend 7 hours modifying the web interface: create custom graphics and hack up the CSS files. Start Metasploit running before you leave for the day. Use Camtasia to capture all screen activity so you can review it in the morning. If all went well, upload to YouTube and link out via Facebook.
  6. Practice ‘Defense In Depth’: When you are asked ‘What is the Risk?’, grin inanely and say ‘I’ll tell you after I break out the vulnerability scanners’. Run at least 3 vulnerability scanners to get ‘defense in depth’.
  7. Latest *Is* Greatest!: Clipboard stealing attacks are *always* a bigger issue than the Cisco infrastructure with default passwords (how did they get there?!).
  8. Educate The Great Unwashed with a Deep Dive Security Awareness Program: Educate end-users about Cross Site Scripting and SQL injection attacks. Don’t invite the outsourced developers - they already know this stuff and have deadlines to meet.
  9. Impress Your Peers - Perfect the RFC Shoutout: Pick at least 10 common protocols and learn the associated RFC numbers. Intimidate IT colleagues by shouting out the RFC numbers whenever they mention the protocol.
  10. Start A Security Blog: What Can I Say? :D

10 Myths About Life As An IT Security Professional

Written by Craig Balding

image credit: Lady Pain

When you picture the future, what do you see yourself doing? If you find the subject of IT security fascinating, you may be considering a career as an IT Security Professional. To help you decide, here are 10 myths about life as an IT Security Professional.


Interview with Ross Anderson: Security Engineering 2.0

Written by Craig Balding


7 years ago, a Cambridge Professor called Ross Anderson published a book called ‘Security Engineering’.

Up until that time, it wasn’t often you would hear anyone talk about ‘Security Engineering’ - let alone find an entire book written on the subject.

As soon as the book came out, it made a real and lasting impression on the security community.

Richard Bejtlich summed it up with his review on Amazon:

This book changes everything. “Security Engineering” is the new must-read book for any serious information security professional. In fact, it may be required reading for anyone concerned with engineering of any sort. Ross Anderson’s ability to blend technology, history, and policy makes “Security Engineering” a landmark work.

Ross has now finished a major update and the new edition is just hitting the stores. Security Wannabe caught up with him to find out more about Security Engineering 2.0. We managed to cover a lot of ground in 8 questions…

7 Seminal Security Books Every Security Wannabe Should Read

Written by Craig Balding


Today, there are more IT security books in the shops than ever before.

But what IT Security books can make a real difference to an aspiring Security Wannabe?

These are my Seminal 7…

Photo Credit: tanakawho


The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage

The book that ignited my passion for IT security. Clifford Stoll stalks the wily hacker Markus Hess in a true edge-of-the-seat thriller. Computer security books boring? Then you haven’t read this one. Be prepared to read it in one sitting!

TCP/IP Illustrated, Volume 1: The Protocols (Addison-Wesley Professional Computing Series)

I remember the day I read that the author of this book - Richard Stevens - had passed away. I was shocked and saddened. This may sound strange as I’d never met him, nor had any correspondence with him. The reason is simple: through his writing, he had an uncanny ability to meet you where you were and take you on what feels like a personally guided tour of TCP/IP. Simply put, this is essential reading. I’ve read some great networking books since, but none that give you the feeling that the author wrote the book just for you. A revered classic.

Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition

The so-called bible of Crypto. With good reason too: Bruce Schneier provides a seriously comprehensive introduction to cryptography. Refreshingly, he starts at the ground floor - you don’t need a degree in maths to benefit from this tome - it’s very accessible. Digest this and you will learn about the most important crypto protocols and algorithms in existence today. I still reference this book at least once a month - I’ve owned it for about 5 years now. How many books can you say that about?

Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd Edition

Ross Anderson teaches us how to avoid repeating the mistakes of those that went before us. Another author with real passion for the subject, his intelligence and pragmatism shine through. This book will introduce you to IT security as an engineering discipline. Don’t let those last two words put you off - Anderson is a master at telling you what you need to know, when you need it. The book itself underlines why effective security design is all about “the human element”. Fascinating case studies will make you thank your lucky stars you don’t have to design security for prepayment meters or ATMs. The book is also available to read online. Aside from the book, I highly recommend his papers on the Economics of Information Security.

Hacking: The Art of Exploitation, 2nd Edition

The majority of the security books on my bookshelf are pretty thick. Thick books give an air of authority - “wow, this must be a very serious book by a very knowledgeable author; if I read this, I will breathe in the knowledge of the gods and impress anyone willing to listen to me for long enough”. The author of this book - Jon Erickson - somehow manages to pack an incredible amount of content into less tree than most (he even manages to get root on the cover!). You will learn techniques that shave hours off exploit development time. A great introduction to blowing (precise) holes in software.

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

The holy trinity of Software Vulnerability Researchers deliver a mammoth treatise on why my eyes would bleed if I had to do what they do all day. This book will change the way you see software security auditing. If it doesn’t, you probably need to read it more carefully. This should be mandatory reading for people that get paid to do software vulnerability research. For more, check the Taossa blog.

Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks

Michal Zalewski is refreshing because (a) he does his own thing, (b) those ‘own things’ tend to be interesting and (c) he enjoys the subtle/obscure/funny. And he can write! For a non-native English speaker he writes with great charm and wit. Reading this book is like stepping into the Matrix - everything we take for granted can be unwoven, refactored and turned inside out. Buy this book and read it cover to cover, then go check out his lair, where he shares his ongoing digital experiments.

###

What security books would you recommend to an aspiring Security Wannabe, and why? Tell us in the comments…

Breaking Into The IT Security Industry For Fun And Profit

Written by Craig Balding

Photo Credit: kk+

I, Craig Balding, Am A Former Security Wannabe.

Well... that’s not entirely true.

The truth is that you never really stop being a security wannabe - no matter how others perceive you. It’s simply that if you keep moving forward, you become less of a wannabe than the people moving slower than you :-).

In the course of my security journey I have been privileged to meet and work with some of the smartest security people across the globe.

From reverse engineers at the cutting edge, to digital crime fighters of the highest caliber. All of these people shared one thing in common - at some point, they too were a ‘security wannabe’.

The Questions This Blog Will Try To Address

  • How do you make the transition from security wannabe to paid security wannabe?
  • What skills/experience do you need to pick up along the way?
  • Are there ‘fun’ jobs in the IT security industry? What “cool stuff” do people get to do? What is a typical day like for someone employed as a ‘your-future-job-role’?
  • How do you do some of the things you do? (e.g. Incident Response, Penetration Testing)

If digital security sounds exciting to you, or you’re already an aspiring security wannabe then you are at the right place!

Or if you’ve always been told that security is just about ‘passwords’ and ‘antivirus’ then let me show you behind the curtain.

Finally, if you - like me - claim to be a former security wannabe…welcome home ;-).

Enjoy the blog,

Craig

P.S. Something you want to see? Leave a comment or email me.