Monday, October 10, 2011

How to handle "I want to be a security guy" with an easy assignment

As the manager of a security team I'm often approached by technologists who are interested in information security. Their reasons range from a long-term interest in the subject to simply wanting a change of pace, or a suspicion that the grass may just be greener in infosec.

Over the years I've developed a simple list of things that I tell people who express an interest:

  1. Get a copy of Hacking Exposed. Anything recent will do, and a good alternative is Counter Hack Reloaded.
  2. Skim the book, and read anything that catches your eye. Don't try to read it cover to cover, unless you really find that you want to.
  3. Come back and talk to me once you've done that, and we'll talk about what you found interesting.

It's a very simple process - but I've found it immensely valuable. Those who are really interested, and who will put the time into the effort, will buy the book and will come back with questions and comments. A certain percentage will get the book and realize that information security isn't really what they want to do, or that they need or want to know more before they tackle a career in security. A final group are interested, but not enough to take the step of following up.

Once you have an interested candidate, the conversation or conversations that you can have next are far more interesting. Hopefully, you've read the book yourself, as you'll be answering questions, and often providing references to deeper resources on the topics that interest them. Favorite resources for follow-up activities include:

  • OWASP - particularly WebGoat and Mutillidae
  • Investigation of vulnerability scanners like Nikto and Nessus
  • Exploration of tools like Metasploit and the BeEF browser exploitation framework using DVL or a similar vulnerable OS
  • SANS courses like SANS 401 and 501

A whole range of options exists once you start to have the conversation - but you can be certain you're having it with someone who is interested enough to follow up, and who has helped you identify what they'll have some passion for.