Like many other people working in the field of information security in Pakistan, I also get tonnes of messages about “How to get into this field”, “How to start”, “Where to start”, “Where to learn?”, “How to apply?”, “What skills do I need to start it?” and whatnot.
So I think this article will help many of you get started in the InfoSec field. Remember, it’s up to your guts whether you can manage this transition! If you know little about it, you will learn many new things, but if you have seen someone doing it and you think you want to start that too, then note that it isn’t as easy as it appears.
First, you will have to develop some real skill in computers, learn about networks and how the web works! Only then can you come and “join the party”.
I want to play sports; where should I start?
This vague, open-ended and very ambiguous question is very similar to someone asking how they should go about getting into information security. The first thing to realize is that there is a huge range of information security fields, and within each of those huge fields is a lifetime’s worth of learning content. Just like picking a sport, there is no ‘best’; there are simply areas you may enjoy more than others. Off the top of my head, here are some example areas.
Some of these are more of a technical nature while others have more of a theoretical focus. I guarantee that whatever you like, there are others out there who will find it boring, just as you will find boring what they are interested in. Right now, I expect that if you’re reading this, you may know very little about any of these areas, but what’s important is your willingness to learn and what type of motivation you have.
One trait that is almost universal among people throughout the fields of hacking is their focus on independent, self-directed learning. Unfortunately, in some ways, security is still considered a ‘Dark Art’. I mean, why would anyone want to know how to break into a computer system unless they were going to do so? As a result, plenty of people will show disdain or even outright hostility when you ask security-related questions, under the false (or perhaps sometimes true) assumption that you are merely a ‘script kiddie’ looking to learn to hack systems instead of wanting to learn and use that knowledge for a good purpose. It’s also a fact that the ‘learning’ resources of information security are quite disjointed, with no real central repository of learning material.
The point I want to highlight is that if you wish to prosper and successfully enter information security, you should be prepared to jump in and find your way without waiting for someone to hold your hand and lead you down the right path. Google some of the categories of information security listed above and see what sounds like fun. Despite what sometimes may seem like a constant battle to find the ‘best’ field to learn, or the ‘best’ resource, or the ‘best’ way to learn, more often than not it is time spent procrastinating over these questions rather than dedicating the time to actually learning. Look up a video on YouTube for hacking examples — it’s ok if you don’t know what a lot of it means, but write down a list of the terms, then google them. Use points of interest to branch out into an ever-increasing web of knowledge around the topics you’re interested in.
“Of course you need to have a full knowledge of the OSI layer before you begin. Yes, you need to read that 1000 page book on the TCP protocol. Yes, you need to be proficient in 5 programming languages (at least!) before you consider hacking. Can you compile your own Linux kernel from source code? No? Don’t bother learning hacking.”
Actually…. all that is full of rubbish, yet it’s one of the most common responses given to people looking to learn information security. There is one requirement to becoming a decent hacker — interest. The difference between a future hacker and a script kiddie isn’t knowledge, it’s the willingness to learn.
As long as you have a vague idea of how to use a computer, you’re at a starting point you can work with. Yes, even if you don’t have a solid understanding of how TCP works you should have that on your to-do list to look up when someone is talking about it in a hacking tutorial — but it’s ridiculous to think you need a ton of prerequisite knowledge before you’re allowed to start learning about topics you’re interested in. When you’re looking up how that logic puzzle works on a hacking site and it uses JavaScript, you’re going to learn how JavaScript works. When you read through how a buffer overflow works and it has a Python template, you’ll have to learn some basics of Python. No, you won’t get a job as a developer in those languages at the end of it, but you’ll pick up the common ways to break the language.
“Ok, I get the hint — I need to learn things myself, but can you at least give me a starting point?”
Sure, there are a ton of great free or cheap resources out there to get started depending on what topic appeals to you. Here are some examples.
Web Application Security
Reverse Engineering / Malware Reversing
Network Security
Exploit Development
Other than that, Google, Google, and some more Google. I’ve left off some areas such as forensics and compliance because personally I’m not interested in them, so I haven’t gone looking for resources; I’m sure there are some fantastic ones out there.
Outside of the free resources, you can also begin to get certificates to make yourself more appealing to employers, but only if you wish to transition into the field as more of a career path. Some certifications I’d highly recommend would be the “Penetration Testing with Kali Linux” course from Offensive Security if you’re interested in network security. It’s easily one of the best learning experiences I’ve ever had in the field and taught me more in 60 days than I’d learned in a year on my own. Their “Cracking the Perimeter” is also a great course, focusing a little more on exploit development.
If you’re looking at developing your programming skills, something like SecurityTube’s “Python for Pentesters and Hackers” is a great foundation that will teach you how to do plenty of nifty things like building your own port scanners, password crackers etc. I don’t place huge value on the certifications that they offer from an employment perspective, but I’d look at it more as a consolidated lump of knowledge and examples for sale, which can still be valuable.
The “Certified Ethical Hacker” course is another commonly mentioned one. Honestly, it’s typically looked down upon so I don’t think it’s necessarily worth the money — but if you need a formal course to learn things then it might be worth the money to you. A lot of these certifications and their value are discussed over at TheEthicalHacker.net’s forums located here.
“Just seeing if you can”
Hacking is all about gaining access to things that we’re not meant to. Creating an exploit, finding an SQL injection, cracking a password! It’s all designed to put us towards the goal of taking control of the box we’re attacking. I guarantee that almost every new hacker has started dreaming about “just seeing if they can” get access to that school website, “just seeing if they can” gain access to the neighbor’s WiFi network, or sending their friend a trojan virus “just to see if they can” take control. Worse still, you might end up visiting places like HackForums.net and seeing a lot of people trying to infect others with RATs, build botnets etc. under the impression that this is hacking, or sadly that this is the only way you can learn.
I need to emphasize that this is not the case. Any type of “just seeing if you can” type exercises can be replicated through the use of virtual machines, your own routers or even capture the flag / wargame competitions out there. Being realistic, even if you can access another person’s machine, what are you going to do with it? Are you really going to try and steal credit card details and make fraudulent transactions? Are you really going to steal passwords and be paranoid that your activity is going to be traced back to you for the sake of peeking at someone’s emails? There have been plenty of examples of newbies being charged, not realizing the seriousness of the crimes they are committing. If you went for a job with the FBI and they had a look through your post history, would you like them to read that post about you asking how to host a botnet? It’s a classic example of what’s on the internet, it’s forever, and if you really want a career in information security, you need that clean record to obtain any security clearances you’re going to need to do your job. Getting caught for stupid stuff just isn’t worth it.
So after a long ramble, what are the key points?
Have fun, sorry if it got preachy towards the end and enjoy pwning boxes! Information security is an awesome field and you’ll be learning something new every day that you’re involved in it. There is no right answer for getting into the field apart from jumping into it with both feet. Get wet, learn to tread water and stay afloat, one day you might even be able to swim a little!
Originally published over here, this article has been edited by Rehan Ahmed.