Getting Started or Published in the Security Field

I get asked a lot how to get started in the computer security field and how to become an author. I figured I would try to cover both questions in one article. This will probably be a “living document” with things being added or changed as time goes on. If you have any questions, please let me know.

Learn the Craft

As with the normal IT field, the security field changes almost every day, so it is good to constantly be a student. There are a lot of outlets to learn from:

  • Local security groups have regular meetings
  • SANS classes are a great place to build your career; they also have free webinars
  • Pentester’s Academy, Cybrary
  • YouTube – Irongeek’s channel is awesome!
  • There are tons of technical books & classes available from publishers like Packt, O’Reilly, etc.
  • Capture the Flag practice sites & competitions
  • Magazines, like Hakin9, Pentest Magazine, etc.
  • There are also numerous Security Certifications you can pursue
  • Technical Schools, Colleges
  • Google is your friend!

Most security professionals have a blog or video channel; check them out. For example, City College of San Francisco Security Professor Sam Bowne offers a lot of his class material to the public.

Follow & Network

Find people in the field that do what you want to do and follow their social media accounts, check out their books and blogs, and watch their training or conference videos. Get connected with local security groups – there are multiple groups available; ISSA & OWASP are just a couple. The security groups are normally very open to newcomers and those willing to learn.

Many (not all) security leaders are willing to help people new to the field if they ask good questions. But realize they are very busy and may not answer if you ask a question that you could have easily Googled.

Start a Blog

Write about what you like, what you are learning, what interests you. On my blog I simply wrote about the new things that I was learning as I explored cyber security. It wasn’t long before I had a very popular security news site contact me and ask me to write regular posts for them.

From there I was contacted by a top security magazine and asked to write articles for them. After I wrote for them for a while, I was asked to join their “beta test” team, a group of individuals that tech review articles and classes for the publisher. Around the same time, I was contacted by a book publisher and asked to be on their tech review team.

Even though I am pretty busy now with writing my own books and training material, I am still on the tech review team for both publishers. It is a great opportunity to help out people new to the field and provides a great chance to meet & network with other like-minded security professionals.

Get Real-world Experience

I am all for people moving from other IT jobs into the security field. I think the previous experience dealing with hardware, software and people really helps. I started in the IT field ages ago and worked up through the ranks. I think I have held or performed about every IT job possible, lol.

Things have changed a lot in the security field since then. It is pretty well formed now, and with the proper education/experience it is possible to get an entry-level security job. When I started in security everything was new and pretty fluid.

I was one of our city’s first Microsoft MCSEs. I learned everything I could about server security and support. Later, I dived into Ethical Hacking after the IT field started going through some changes in NY. Even though I was well versed in networking, servers, Linux, and corporate IT security, many of the techniques were very foreign to me, and eye opening.

I’ll never forget the day that I had an interview with one of the top server support companies in an adjacent city. It was when I was trying to explain what ARP attacks were to their top server guy, and the “what in the world are you talking about” look on his face, that I realized that there was a huge need for Ethical Hacking training.

I have performed security research and consulting now for years and really enjoy it. It is kind of funny, but having military knowledge and being a weightlifter, martial artist and security trainer has really opened up some very interesting client opportunities for me. I would really advise – be yourself!

Write for a Magazine

If you have been established in the field for some time, and want to try to take the jump from a blogger or trainer to published author, go for it! If you have never published before I would highly recommend approaching a magazine publisher first.

Magazines like Hakin9 are always looking for new authors, and it is a great way to “test the water” to see how your articles are received. It is also great for marketing as it will put your material in front of a lot of people worldwide.

When you submit an article for publishing it is reviewed by their tech review team, and you are given feedback as to whether the article is a fit for publishing. The article tech review process will also provide you with invaluable feedback on any technical issues or improvements needed with the article. If you are turned down, take to heart the review feedback, make changes and try again!

Write a Book!

Writing for a book publisher is similar, but a more involved process. Usually the publishers are looking for specific themed books to be written, so they want authors with that experience, and will want you to write along with their topic. Some book publishers have tight deadlines, so you should be prepared to invest a lot of time into working with the publisher. The publisher will normally have a specific format that they want you to use, and as you complete each chapter, it will be submitted to a tech review team for feedback.

Use great pictures! A picture is worth a thousand words – screenshots are always helpful. Use large, high-contrast fonts (bold white text on black works great), and make sure the picture clearly shows what you are trying to do and that the text is easy to read. For example, don’t use a screenshot of the entire desktop when just a snip of the terminal line will do.

For technical procedures, write down every step that you do to produce the desired results. When done, go back over the procedure using only what you have written down to make sure it includes all of the steps and, more importantly, that it actually works! 😊

Use layman’s, non-technical terms as often as possible. The best teachers can break down very technical procedures into common language that is easily understood. Still interested in writing for a book publisher? Reach out to them! Packt & No Starch Press have “write for us” type webpages, or you can try the “contact us” links on the other publishers’ websites.

Self-Publishing

What if you want to write a book, but don’t want to write on a topic provided to you by a publisher? Services like Amazon’s Kindle Direct Publishing allow you to be your own publisher.

Self-publishing is a great option, but I will warn you from experience, it is a huge time sink – be prepared to set a lot of life aside to get this done. Book publishers provide you with a pre-existing format, editing & art services, and marketing. If you self-publish you will be doing all of this yourself, or will be paying for someone to do some or all of the steps for you.

Get a good editor, better yet, get three! I have been blessed with the help of an exceptional main editor. You have to love someone with multiple Doctorate degrees. Everything I write is run by him, and his input has been invaluable over the years. It is good though to have multiple people review your chapters for both technical and grammar issues.

Just remember, no matter what, mistakes will always make it through to the final book, so have a plan to deal with corrections. An errata/updates website for the book is always a good idea.

Plan your book covers – you will need graphics and a good layout for your book covers. Hire a graphics designer, or do this yourself if you have the appropriate skills. Book covers are usually something that is overlooked in self-publishing until the last minute. It is good to work on them early and get them squared away; you can always tweak them later.

As you write, you will have self-doubts and want to give up. This is normal, and it is usually strongest when you start, at the mid-point and in the final crunch period. Believe in yourself and persevere; you will thank yourself when you are finished!

New Book Overview: “Basic Security Testing with Kali Linux, 3rd Edition”

My newest book, a cover-to-cover update of my Basic Kali book, is now available! After numerous requests for an update, the new “Basic Security Testing with Kali Linux, 3rd Edition” is here!

What was intended to be a quick version-change update turned into a 6-month overhaul. It is amazing how much can change in the security world in 2 years. All chapters have been revamped, with a lot of new material added. The latest book is also 50 pages longer than the previous version!

What’s New:

  • The entire book was updated to Kali Linux 2018
  • All tools & tutorials updated
  • Obsolete tools removed
  • Many new tools added
  • Password Cracking section expanded
  • Kali on RPi chapter totally revamped
  • Kali NetHunter chapter added

Table of Contents List:

I was going to use Metasploitable3 for the Windows target in this book, but with the install complexity (and install issues) of Ms3, I decided to stay with Windows 7. I also occasionally use Windows 10 as a test target and Server 2016 is mentioned a few times as well. I will most likely use Ms3 for the upcoming advanced book. Metasploitable2 is still used for some of the Linux tutorials, as it is very easy for new users to use and follow.

The Basic Kali book is used by Universities, Training Centers, and in Ethical Hacking classes worldwide. It is also used as a training aid for multiple US Government Agencies. I have also been told numerous times that my Kali series is excellent prep material for the OSCP certification. The book is now in its third revision, with major changes made from user feedback and requests.

I have been completely shocked and humbled by the popularity of a book that was originally written as an extension of my blog posts and has evolved into a worldwide basic training guide for the exceptional Kali Linux ethical hacking platform. This continuing project would have never been possible without the flood of support and feedback from the infosec community. I am very excited to present this new version to the community and look forward to hearing your feedback and comments.

Check it out on Amazon.com.

Thank you so much for your continued support!

DerbyCon 2011 Security Conference Videos Posted

If you were like me and were not able to attend the first DerbyCon, titled “Derbycon 2011”, we really missed out on some great stuff. Held September 30th to October 2nd in Louisville, Kentucky, the con sponsored top-notch speakers and covered some amazing security information.

Thank goodness for Adrian Crenshaw. Adrian is in the process of posting the videos of the presentations on his website Irongeek.com. Below is the intro video:

Just a huge thank you to Adrian, Dave, Martin and the gang for putting this con on, and providing the videos for us who couldn’t make it.

They are planning a DerbyCon 2 for next year, so check it out!

Backtrack Metasploit Megaprimer on SecurityTube.net

The Metasploit Framework included with the Backtrack series is an amazing platform for penetration and security testing. The capabilities are just stunning. The problem is that the learning curve can be kind of steep, especially for new users.

There are many video training tutorials out there and Offensive Security even offers the free “Metasploit Unleashed” training which is very good. But it would be nice to have a comprehensive video series that starts with the very basics of Metasploit and leads you through the entire platform to the more advanced features.

Look no further than Vivek Ramachandran’s “Metasploit Megaprimer” video series. Vivek has created a huge training session on Metasploit spanning almost 20 videos. The training is top notch, and very easy to follow.

Some of the topics covered include:

  • Meterpreter Basics and Using Stdapi
  • Meterpreter Extensions
  • Database Integration
  • Post Exploitation Kung Fu
  • Post Exploitation Privilege Escalation
  • Backdoors, Pivoting, Port Forwarding and much, much, more!

I had the absolute honor of working with Vivek as a technical editor on his just-released book “BackTrack 5 Wireless Penetration Testing Beginner’s Guide”. He is one of the top security experts of India, has spoken at numerous security conferences, and runs the very popular website “SecurityTube”.

Vivek has an amazing ability to take very complex ideas and break them down into very easy-to-understand lessons. If you are new to Metasploit, or want to learn more about it, check out the Metasploit Megaprimer. It will be time well spent!