Information Security Careers Cheatsheet
These are my views on careers in information security based on the experience I've had, and your mileage may vary. The information below will be most appropriate if you live in New York City, you're interested in application security, pentesting, or reversing, and you are early on in your career in information security.
- Learn from a Book
- Learn from a Course
- Capture the Flag and War Games
- Meet People
- Friends of the Class
As far as I can tell, there are five major employers in the infosec industry (not counting academia). This section is going to be expanded in a future post.
- The Government
- Non-Tech Fortune 500s (mostly finance)
- Big Tech Vendors (mostly West coast)
- Big Consulting (mostly non-technical)
- Small Consulting (mostly awesome)
The industry you work in will determine the major problems you have to solve. For example, the emphasis in finance is to reduce risk at the lowest cost to the business (opportunities for large-scale automation). On the other hand, consulting often means selling people on the idea that X is actually a vulnerability and researching to find new ones.
I primarily split up infosec jobs into internal network security, product security, and consulting. I further break down these classes of jobs into the following roles:
- Application Security (code audits/app assessments)
- Attacker (offensive)
- Incident Handler
- Network Security Engineer
- Penetration Tester
- Reverse Engineer
- Security Architect
The roles above each require a different, highly specialized body of knowledge. This website is a great resource for application security and penetration testing, but you should find other resources if you are interested in a different role.
Learn from a Book
Fortunately, there are dozens of good books written about each topic inside information security. Dino Dai Zovi has an excellent reading list, as does Tom Ptacek, and Richard Bejtlich has recommendations from another perspective (bonus: Richard's book reviews are usually spot-on). I would personally recommend looking at:
- Gray Hat Hacking (the textbook for this course)
- The Myths of Security (a quick read that covers larger issues)
- Hacking: The Next Generation (a quick read that covers the latest in web security and then some)
- Any book from O'Reilly on a scripting language of your choice
If you're not sure what you're looking for, then you should browse the selection offered by O'Reilly. They are probably the most consistent and high-quality book publisher in this industry.
Don't forget that reading the book alone won't give you any additional skills beyond the conversational. You need to practice or create something based on what you read to really gain value and understanding from it.
Learn from a Course
If you're looking for something more hands-on and directed, there are lots of university courses about information security available online. I listed some of the best ones that have course materials available below (ordered by institution name). The RPI course is the most similar to this one and Hovav gets points for the best academic reading list, but every course on this list is fantastic.
| Course | Instructor | Institution |
|---|---|---|
| Computer Security | Paxson and Wagner | Berkeley |
| Software Security | David Brumley | CMU |
| Hacking Exposed | Rohyt Belani | CMU |
| Software Security Assessment | Gregory Ose | DePaul |
| Intro to Web Application Security | Edward Z. Yang | MIT IAP 2009 |
| Intro to Software Exploitation | Nathan Rittenhouse | MIT IAP 2009 |
| Advanced Vulnerability Assessment | Chris Eagle | NPS |
| Secure Software Principles | various, see website | RPI |
| Web Programming and Security | unknown | Stanford |
| Computer and Network Security | unknown | Stanford |
| Advanced Topics in Security | Giovanni Vigna | UCSB |
| Computer Security (Graduate) | Hovav Shacham | UCSD |
| UNIX Security Holes | DJB | unknown |
| Binary Auditing and Reverse Code Engineering | Thorsten Schneider | University of Bielefeld |
| Malware Analysis and Antivirus Technologies (alternate) | unknown | University of Helsinki |
| System Security and Malicious Code Analysis | Zhiqiang Lin | UT Dallas |
| Software Security | Michael Hicks | UMD |
The easiest shortcut to finding a university with a dedicated security program is to look through the NSA Centers of Academic Excellence (NSA-COE) institution list. This certification has become watered down as more universities have obtained it and it might help to focus your search on those that have obtained the newer COE-R certification. Remember, certifications are only a guideline. You should look into the actual programs at each university instead of basing your decision on a certification alone.
Once in university, take classes that force you to write code in large volumes to solve hard problems. IMHO the courses that focus mainly on theoretical or simulated problems provide limited value. Ask upper-level students for recommendations if you can't tell the CS courses with programming from the CS courses done entirely on paper. The other way to frame this is to go to school for software development rather than computer science.
Capture the Flag and War Games
This topic was large enough that I split it off into its own article. I highly recommend playing in capture the flag and war games to acquire technical skills.
In any role, the majority of your time will be spent communicating with others, primarily through email and meetings and less by phone and IM. The role/employer you have will determine whether you speak more with internal infosec teams, non-security technologists, or business users. For example, expect to communicate more with external technologists if you do network security for a financial firm.
Tips for communicating well in a large organization:
- Learn to write clear, concise, and professional email.
- Learn to get things done and stay organized. Do not drop the ball.
- Learn the business that your company or client is in. If you can speak in terms of the business, your arguments a) not to do things, b) to fix things, and c) to do things that involve time and money will be much more persuasive.
- Learn how your company or client works, i.e., the key individuals, processes, or other motivators that factor into what gets things done.
If you are still attending a university, as with CS courses, take humanities courses that force you to write.
- CitySec - informal meetups without presentations, once monthly, occurs in most cities (NYSEC; Google for others)
- OWASP - formal meetups with presentations about web security, usually quarterly (OWASP NY/NJ)
If you've never been to an infosec conference before, use the Google Calendar below to find a low-cost local one and go. There have been students of mine who think that attending a conference will be some kind of test and put off going to one for as long as possible. I promise I won't pop out of the bushes with a final exam and publish your scores afterward.
If you go to a conference, don't obsess over attending a talk during every time slot. The talks are just bait to lure all the smart hackers to one location for a weekend: you should meet the other attendees! If a particular talk was interesting and useful then you can and should talk to the speaker. This post by Shawn Moyer at the Defcon Speaker's Corner has more on this subject.
If you're working somewhere and are having trouble justifying conference attendance to your company, the Infosec Leaders blog has some helpful advice.
This industry requires specialized knowledge and skills and studying for a certification exam will not help you gain them. In fact, in many cases, it can be harmful because the time you spend studying for a test will distract you from doing anything else in this guide.
That said, there are inexpensive and vendor-neutral certifications that you can reasonably obtain with your current level of experience to help set apart your resume, like the Network+ and Security+ or even a NOP, but I would worry about certifications the least in your job search or professional development.
In general, the two best reasons to get certifications are:
- If you are being paid to get certified, through paid training and exams or sometimes through an automatic pay raise after you get the certification (common in the government).
- If your company or your client is forcing you to get certified. This is usually to help with a sales pitch, i.e., "You should hire us because all of our staff are XYZ certified!"
- How to Break Into Security, Ptacek Edition
- VRT: How to Become an Infosec Expert, Part I
- Information Security Leaders Blog
- Advice for Computer Science College Students
- Kill Your Idols, Shawn Moyer's reflections on his first years at Defcon
- Reddit comments about this post
- Hacker News comments about this post
- Forensic Engineering: Is It For You?
- The answer to "Will you mentor me?" is .... no.
- My Canons of (ISC)2 Ethics, Not a CISSP, (ISC)2's Newest Cash Cow
- Why You Should Not Get a CISSP
- Don't call yourself a programmer, and other career advice
- So You Want to be a Malware Analyst
- Five pieces of advice for those new to the infosec industry
- How to Milk a Computer Science Education for Offensive Security Skills
Friends of the Class
- Attack Research
- Harris: Crucial Security
- Gotham Digital Science
- Intrepidus Group
- iSEC Partners
- Matasano Security
- TippingPoint DVLabs
- Vulnerability Research Labs
- zero(day)solutions / ThreatGrid
There are a number of internal security and product security teams that I've worked with in the past who I'm not sure would appreciate being called out like this. Needless to say, there are dozens of financial, healthcare, and technology companies in NYC that require information security to run their businesses, and they shouldn't be hard to find.