Getting Started or Published in the Security Field

I get asked a lot how to get started in the computer security field and how to become an author. I figured I would try to cover both questions in one article. This will probably be a “living document” with things being added or changed as time goes on. If you any questions, please let me know.

Learn the Craft

As with the normal IT field, the security field changes almost every day, so it is good to constantly be a student. There are a lot of outlets to learn from:

  • Local security groups have regular meetings
  • SANS classes are a great place to build your career, they also have free webinars
  • Pentester’s Academy, Cybrary
  • Youtube – Irongeek’s channel is awesome!
  • There are tons of technical books & classes available from publishers like Packt, O’Reilly, etc.
  • Capture the Flag practice sites & competitions
  • Magazines, like Hakin9, Pentest Magazine, etc.
  • There are also numerous Security Certifications you can pursue
  • Technical Schools, Colleges
  • Google is your friend!

As mentioned earlier, most security professionals have a blog, or video channel, check them out. For example, City College of San Francisco Security Professor Sam Bowne offers a lot of his class material to the public.

Follow & Network

Find people in the field that do what you want to do and follow their social media accounts, check out their books, blogs, watch their training or conference videos. Get connected with local security groups – there are multiple groups available, ISSA & OWASP are just a couple.  The security groups are normally very open to new comers and those willing to learn.

Many (not all) security leaders are willing to help people new to the field if they ask good questions. But realize they are very busy and may not answer if you ask a question that you could have easily Googled.

Start a Blog

Write about what you like, what you are learning, what interests you. On my blog I simply wrote about the new things that I was learning as I explored cyber security. It wasn’t long before I had a very popular security news site contact me and ask me to write regular posts for them.

From there I was contacted by a top security magazine and asked to write articles for them. After I wrote for them for a while, I was asked to join their “beta test” team, a group of individuals that tech review articles and classes for the publisher. Around the same time, I was contacted by a book publisher and asked to be on their tech review team.

Even though I am pretty busy now with writing my own books and training material I am still on the tech review team for both publishers. It is a great opportunity to help out people new to the field and provides a great chance to meet & network with other like-minded security professionals.

Get Real-world Experience

I am all for people moving from other IT jobs into the security field. I think the previous experience dealing with hardware, software and people really helps. I started in the IT field ages ago and worked up through the ranks. I think I have held or performed about every IT job possible, lol.

Things have changed a lot in the security field since then. It is pretty well formed now, and with the proper education/ experience it is possible to get an entry level security job. When I started in security everything was new and pretty fluid.

I was one of our city’s first Microsoft MCSE’s. I learned everything I could about server security and support. Later, I dived into Ethical Hacking after the IT field started going through some changes in NY. Even though I was well versed in networking, servers, Linux, and corporate IT security, many of the techniques were very foreign to me, and eye opening.

I’ll never forget the day that I had an interview with one of the top server support companies in an adjacent city. It was when I was trying to explain what ARP attacks were to their top server guy, and the “what in the world are you talking about” look on his face, that I realized that there was a huge need for Ethical Hacking training.

I have performed security research and consulting now for years and really enjoy it. It is kind of funny, having military knowledge, being a weightlifter & martial artist, along with a security trainer has really opened up some very interesting client opportunities for me. I would really advise – be yourself!

Write for a Magazine

If you have been established in the field for some time, and want to try to take the jump from a blogger or trainer to published author, go for it! If you have never published before I would highly recommend approaching a magazine publisher first.

Magazines like Hakin9 are always looking for new authors, and it is a great way to “test the water” to see how your articles are received. It is also great for marketing as it will put your material in front of a lot of people worldwide.

When you submit an article for publishing it is reviewed by their tech review team, and you are given feedback as to whether the article is a fit for publishing. The article tech review process will also provide you with invaluable feedback on any technical issues or improvements needed with the article. If you are turned down, take to heart the review feedback, make changes and try again!

Write a Book!

Writing for a book publisher is similar, but a more involved process. Usually the publishers are looking for specific themed books to be written, so they want authors with that experience, and will want you to write along with their topic. Some book publishers have tight deadlines, so you should be prepared to invest a lot of time into working with the publisher. The publisher will normally have a specific format that they want you to use, and as you complete each chapter, it will be submitted to a tech review team for feedback.

Use great pictures! A picture is worth a thousand words – Screenshots are always helpful, use large high contrast fonts (bold white text on black works great), and make sure the picture clearly shows what you are trying to do and that the text is easy to read. For example, don’t use a screenshot of the entire desktop when just a snip of the terminal line will do.

For technical procedures, write down every step that you do to produce the desired results. When done, go back over the procedure just using what you have written down to make sure it includes all of the steps and more importantly, that it actually works!  😊

Use layman, non-technical terms as often as possible. The best teachers can break down very technical procedures into common language that is easily understood. Still interested in writing for a book publisher? Reach out to them! Packt & NoStarch Press have “write for us” type webpages, or you can try the “contact us” links on the other publisher’s websites.

Self-Publishing

What if you want to write a book, but don’t want to write on a topic provided to you by a publisher? Services like Amazon’s Kindle Direct Publishing allows you to be your own publisher.

Self-publishing is a great option, but I will warn you from experience, it is a huge time sink – be prepared to set a lot of life aside to get this done. Book publishers provide you with a pre-existing format, editing & art services, and marketing. If you self-publish you will be doing all of this yourself, or will be paying for someone to do some or all of the steps for you.

Get a good editor, better yet, get three! I have been blessed with the help of an exceptional main editor. You have to love someone with multiple Doctorate degrees. Everything I write is run by him, and his input has been invaluable over the years. It is good though to have multiple people review your chapters for both technical and grammar issues.

Just remember, no matter what, mistakes will always make it through to the final book, so have a plan to deal with corrections. An errata/updates website for the book is always a good idea.

Plan your book covers – you will need graphics and a good layout for your book covers. Hire a graphics designer or do this yourself if you have the appropriate skills. But the book covers are usually something that are overlooked in self-publishing, until the last minute. It is good to work on them early and get them squared away, you can always tweak them later.

As you write, you will have self-doubts, and want to give up, this is normal, and usually the strongest when you start, at the mid-point and in the final crunch period. Believe in yourself and persevere, you will thank yourself when you are finished!

Advertisements

Upcoming free Security Webinars – March 23, 2011

A couple interesting webinars are coming up ( All information from presenters website):

For today, a must see is:
Pen Testing Perfect Storm Part VI “We Love Cisco!

Guest Speakers: Ed Skoudis, Joshua Wright, and Kevin Johnson
Date: Wednesday, March 23, 2011
Time: 2PM EDT / 11AM PDT (GMT -4:00, New York)

About this webcast:
During this webcast, security swashbucklers Ed Skoudis, Joshua Wright and Kevin Johnson will return with more penetration testing madness and demonstrate techniques that you can use to proactively assess the security of Cisco networking equipment throughout your organization. 

You’ll learn how to…

  • Use XSS vulns and Project Yokoso to discover Cisco-centric management interfaces
  • Abuse web interfaces for infrastructure control
  • Leverage SNMP-to-telnet access escalation for switch pwnage
  • Conduct privlege escalation with switch mirror ports
  • Engaged in VLAN hopping for fun and profit
  • Set up your own virtual routing lab for practice and testing

Avoiding Data Breach Catastrophe – Beyond 2 Factor Authentication

Join the FS-ISAC and Voltage for a complimentary webcast:
WHEN: Wednesday, March 30, 2011
TIME: 11:00 am EDT / 8:00 am PDT

Recent data breaches at public and private corporations have shown that reliance on perimeter level security is not sufficient – once hackers find a way in they are able to collect data unimpeded. A breach at a notable security company has resulted in potential risks to customers using two-factor authentication however data protection that relies on secrecy or obscurity may not be a good approach.  This session will examine potential risks and suggest strategies for pro-actively protecting data in all its forms inside the enterprise.

And finally Upcoming SANS webinars:

March 23, 2011:
Analyst Webcast: Managing Insiders (Contractors, Vendors, and Employees) in SCADA Environments
Sponsored By: ArcSight, an HP Company, Industrial Defender , waterfall security
March 24, 2011:
Web 2.0 Security: Same old but different
Sponsored By: SonicWall
April 07, 2011:
Improve firewall security odds: Prevent misconfigurations and compliance concerns by automating firewall audits
Sponsored By: Skybox Security, Inc.
April 13, 2011:
Internet Storm Center Threat UpdateISC Webcast
Sponsored By: Core Security Technologies
April 14, 2011:
Analyst Webcast: Addressing the Top 20 Critical Security Controls with SIEM
Sponsored By: ArcSight, an HP Company

Upcoming free SANS Security Webinars

From SANS Newsletter:

WEBCAST 1

 A Taste of SANS Security 660 – Exploit-Writing in a Modern World (Part III of III)
WHEN: Tuesday, March 15, 2011 at 1:00 PM ET (1700 UTC/GMT)
FEATURING: Stephen Sims

https://www.sans.org/webcasts/taste-security-660-exploit-writing-modern-world-part-iii-iii-94038
Sponsored By Core Security http://www.coresecurity.com/

 In part III of this webcast series Security 660 lead-author Stephen Sims will explain and demonstrate techniques used to discover and exploit bugs in Linux and Windows. Days four, five, and six in SANS SEC660 dive deep into discovering and writing exploits, accounting for modern OS controls such as data execution prevention (DEP), address space layout randomization (ASLR), stack/heap canaries, and many others. A senior penetration tester is often the final line of defense before deeming a technology or solution as reasonably secure and acceptable for deployment.  Product security testing is a growing practice, and the skill-level of both the competition and the bad guys is growing every day. If an exploit module in Core Impact or Metasploit fails, is it due to an OS control? Can it be defeated? Don’t let the bad guys answer it for you! 

Visit us on part III of this webcast trilogy on Tuesday March 15 (The Ides of March) to jump-start your skills for discovering bugs and exploiting vulnerabilities, and to get a sampling of the topics covered in SANS SEC660. 

WEBCAST 2 

Legal Practices and Expectations for Data Security and Investigations
WHEN: Friday, March 18, 2011 at 1:00 PM ET (1700 UTC/GMT)
FEATURING: Ben Wright

https://www.sans.org/webcasts/legal-practices-expectations-data-security-investigations-94369
Legal practices and expectations for electronic data are changing.

Lawmakers around the world are enacting demanding new laws for security, at a time when the threats to enterprise data (hackers, corporate spies, disgruntled employees) are rising and emerging technologies like cloud computing shift the playing field. E-data are becoming central to the resolution of lawsuits, internal investigations and law enforcement actions. As a consequence, all enterprises face a growing need for a more professional and sophisticated IT security team. In this webcast, Mr.  Wright will survey the big trends in data law and interpret what they mean for the modern enterprise

WEBCAST 3 

Managing Insiders (Contractors, Vendors and Employees) in SCADA Environments
WHEN: Wednesday, March 23, 2011 at 1:00 PM ET (1700 UTC/GMT)
FEATURING: Jonathan Pollet, Matthew E. Luallen, Lior Frenkel, Walter Sikora, & Ansh Patnaik

https://www.sans.org/webcasts/managing-insiders-contractors-vendors-employees-scada-environments-94378
Sponsored By: ArcSight, an HP Company http://www.arcsight.com/, Industrial Defender http://www.industrialdefender.com/, and Waterfall Security http://www.waterfallsecurity.com/ 

This webcast will include discussion around the policies and controls needed to protect against insider threat specific to utility control networks, including access controls, application controls/whitelisting, end point controls, centralized logging, and security information event management. Key insight will be gained from security professionals involved in auditing SCADA and other utility control systems. 

WEBCAST 4 

Web 2.0 Security: Same Old But Different
WHEN: Thursday, March 24, 2011 at 1:00 PM ET (1700 UTC/GMT)
FEATURING: Johannes Ullrich & Eric Crutchlow

https://www.sans.org/webcasts/web-20-security-94323
Sponsored By: SONICWALL http://www.sonicwall.com/ 

Web browsers have become a lot more then engines to render images and html. Instead, web browsers now execute code and provide rich user interfaces to interact with web services, a technology frequently called “Web 2.0”. What we have not yet figured out is how this new web application paradigm changes how we need to secure these applications.

More code will be executed outside of the server fortress and more data will be exchanged between client and server. We will discuss some of the application security issues that have to be considered and how things have changed and not changed with Web 2.0. 

WEBCAST 5 

EMEA Audience Webcast: Improve Firewall Security Odds: Prevent Misconfigurations and Compliance Concerns by Automating Firewall Audits
WHEN: Thursday, April 07, 2011 at 9:00 AM ET (1300 UTC/GMT) SPECIAL TIME FOR EMEA AUDIENCE
FEATURING: Michelle Cobb, VP of Marketing, Skybox Security

https://www.sans.org/webcasts/improve-firewall-security-odds-prevent-misconfigurations-compliance-concerns-automating-fir-94274
Sponsored By: Skybox Security http://www.skyboxsecurity.com/ 

Are your firewalls configured to block threats and keep you in compliance?  Do you spend too much time analyzing firewall rule changes and access problems? Join Michelle Cobb, VP of Product Marketing at Skybox Security to learn what automated firewall analysis can do for your organization. 

WEBCAST 6 

Internet Storm Center: Threat Update
WHEN: Wednesday, April 13, 2011 at 1:00 PM ET (1700 UTC/GMT)
FEATURING: Johannes Ullrich

https://www.sans.org/webcasts/isc-threat-update-20110413-94083
Sponsored By: Core Security http://www.coresecurity.com/ 

This monthly webcast covers recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period. 

WEBCAST 7 

Analyst Webcast: Addressing the Top 20 Critical Security Controls with SIEM
WHEN: Thursday, April 14, 2011 at 1:00 PM ET (1700 UTC/GMT)
FEATURING: James Tarala and Ansh Patnaik

https://www.sans.org/webcasts/addressing-top-20-critical-security-controls-siem-94333
Sponsored By: ArcSight, and HP Company http://www.arcsight.com/ 

In this webcast, the SANS analyst responsible for co-developing the Top

20 guidelines (and current but minor guideline updates), will discuss the development of the Top 20 controls. He will also discuss how SIEM can be applied to some of the key security and compliance challenges government agencies are struggling with. 

Register for this webcast and be among the first to receive an advance copy of the associated whitepaper also written by James Tarala.

 

Rochester Security Summit – Emerging Threats 2010

Sorry everyone, I am in Upstate NY and didn’t even hear about this one till this morning.

It is a two day security conference in Rochester, NY taking place October 20 & 21st. Details from website:

The Rochester Chapter of the Information Systems Security Association (ISSA), in association with ISACA® Western New York Chapter and Rochester Chapter of the Open Web Application Security Project (OWASP),

Is pleased to announce that the 5th Annual Security Summit will be held Wednesday October 20 and Thursday October 21, 2010 at the Strathallan Hotel, Rochester NY. The conference will be held 8:00 AM to 5:00 PM each day. 

This year’s theme is “Emerging Threats 2010.” We are have a great line-up again this year! Our 2010 Keynote speaker will be Stephen Northcutt, Chief Executive Officer of The SANS Institute.

The Rochester Security site says that registration is now closed, but that a waiting list is available.