People I know outside of work usually know that I work in cybersecurity so I get a lot of questions about computers and security issues. These tend to include lots of questions about viruses and cybercriminals and other consumer-oriented topics. But, an inquiry that has become a lot more frequent as of late has been, “My son/daughter/niece/nephew is good with computers. What should they do if they wanted to look at getting into a career in computer security?” The first time I got the question, I Googled around a bit and put together a list of links with some commentary and emailed them over. As I’ve received the question more and more, I’ve added to that list of links and commentary. For this blog post, I thought I’d clean it up – grammar does tend to drift a bit when you Frankenstein together an email over multiple iterations – and add some additional thoughts. So – below is a somewhat nicer version of what I’ve been sending out, published in the hopes that it might be useful to someone. And also because the next time someone asks me about this I can just send them a link to a nice clean blog post rather than cutting and pasting together another reply.
So – you think you might be interested in a career in computer security. That’s great! There are a lot of different roles available, the field is always changing, and it tends to pay pretty well. Below are some links to free resources that might be helpful.
Learning to code is a great fundamental skill. I don’t know if I’m at the point where I would say that everyone in security needs to be able to code, but for a lot of roles in security – especially when getting started – having some coding ability is going to provide a serious leg up over other candidates who don’t have any coding capabilities. There are a lot of online resources that teach coding. Python is a great starting language for new programmers. You may want to check out Codecademy’s Python course:
Khan Academy also has computer programming resources:
A lot of careers in security deal with the testing of web applications and computer networks. One important thing to note – using tools or techniques on systems where you don’t have permission is a great way to get in pretty serious trouble with the law, so I’ve also included links to demonstration systems that can safely be used for testing.
For testing the security of networks, a great freely-available tool is the Open Vulnerability Assessment Scanner:
You can point this scanner at a target machine or a target network and it will look for misconfigurations and for running software with known vulnerabilities. There are other scanners out there (Nexpose, Nessus, Qualys, etc.) but OpenVAS is free, so it’s a good way to get started.
Once you’ve identified problems with a scanner like OpenVAS, you can potentially exploit the problems that have been identified and take over the target systems using the freely-available tool Metasploit:
Again – there are commercial programs that do this as well, but Metasploit is really popular and free with lots of documentation and a great user community.
For a target system to do testing against, the folks at Rapid7 make an intentionally-vulnerable virtual machine called Metasploitable available (https://information.rapid7.com/metasploitable-download.html). You can download this to run on your laptop and it acts like a vulnerable system that can be tested and exploited. Obviously this is preferable to breaking into machines out on the Internet which, again, can get you into serious trouble with the law.
A great primer on web application security is the OWASP Top 10:
This is a list of the most common and damaging problems found in web applications.
For actually testing web applications, there’s a freely-available scanner called OWASP ZAP:
For target systems to test, look at the OWASP Broken Web Applications Project:
This provides a set of known-vulnerable web applications that can be used for testing and training. Kind of like the Metasploitable virtual machine I mentioned above, but for web applications.
A recent trend in the security industry is that companies will allow folks to test their stuff – within certain parameters – and then pay researchers when they find and report vulnerabilities. If you find that you like this sort of testing, you could actually get paid to do freelance testing work. A couple of high-profile programs include Facebook’s:
Also there are a couple of groups who help smaller companies run their bug bounty programs such as HackerOne:
Again – those testing programs all have different rules about what is in and out of bounds and how they want issues communicated to them, but they can be a good way to get paid while training in security testing and to build a bit of a resume and reputation in the community.
For perspective, these resources are testing-centric and also skew toward application security. That shouldn’t be surprising because that is my background. Another resource I point people toward is the book Tribe of Hackers. This has chapters written by 70 security professionals – me included – that talk about their backgrounds, how they got into security, and how they view the field. It isn’t so much a direct learning resource as it is a guidebook to how rich the field of computer security is and how widely varied the backgrounds of the people in it are.
Hopefully these links can provide you a starting point for exploring the computer security field.
[Starting line image from https://commons.wikimedia.org/wiki/File:Starting_line_(Unsplash).jpg]