How to handle "I want to be a security guy" with an easy assignment
As the manager of a security team I'm often approached by technologists who are interested in information security. Their reasons range from a long-term interest in the subject to simply wanting a change of pace, or thinking that the grass may just be greener in infosec.
Over the years I've developed a simple list of things that I tell people who express an interest:
- Get a copy of Hacking Exposed. Anything recent will do, and a good alternative is Counter Hack Reloaded.
- Skim the book, and read anything that catches your eye. Don't try to read it cover to cover, unless you really find that you want to.
- Come back and talk to me once you've done that, and we'll talk about what you found interesting.
Once you have an interested candidate, the conversations you can have next are far more interesting. Hopefully you've read the book yourself, as you'll be answering questions and often providing references to deeper resources on the topics that interest them. Favorite resources for follow-up activities include:
- OWASP - particularly WebGoat and Mutillidae
- Investigation of vulnerability scanners like Nikto and Nessus
- Exploration of tools like Metasploit and the BeEF browser exploitation framework against DVL (Damn Vulnerable Linux) or a similar deliberately vulnerable OS
- SANS courses like SEC401 and SEC501
1 comment:
Good stuff, dude.