No Shortcuts to Security Knowledge
Today I received a curious email. At first I thought it was spam, since the subject line was "RE: Help!", and I don't send emails with that subject line. Here is an excerpt:
I cannot afford nor have the time to take a full college course on the topic of network security, but I would like to be as knowledgeable about it as yourself and be able to protect my computer and others regarding this matter. If I were willing to pay you, would you take the time to teach me what you know and/or point me in the direction I would need to learn what you know about network security? Please advise what course I would need to take to accomplish your skill of network security?
In my opinion, it seems like this question seeks to learn some sort of "hidden truth" that I might possess, and acquire it in record time. The reality is that there are really no shortcuts to learning as complex a topic as digital security. I have been professionally involved with this topic for almost ten years, yet I consider myself halfway to the level of skill and proficiency I would prefer to possess. In another ten years I'll probably still be halfway there, since the threats and vulnerabilities and assets will have continued to evolve!
If you want to "know what I know," a good place to start is by reading one or more of my books. I recommend starting with Tao, then continuing with Extrusion and finishing with Forensics. Chapter 13 from Tao explicitly addresses the issue of security analyst training and development.
My company research page lists over a dozen documents I've written, and this blog is a record of almost four years of thoughts on digital security.
For books outside of my own, my list of the top ten books of the last ten years contains some of the best books on digital security. My reading page shows books I recommend in five categories. I also show the books waiting to be read on my shelf, but I wouldn't consider an appearance there to be an endorsement unless I offer a favorable Amazon.com review. Please note my recommended lists do not include books from 2006 (and maybe 2005), but I plan to write a "best of" list at the end of this year. I'll update the recommendation lists if I have time.
In addition to reading, I highly recommend becoming familiar with the majority of the security tools listed by Fyodor. It also helps to specialize (at least in the beginning) in one of the five categories I show on my reading page.
I tend to split my time between Weapons and Tactics and Telecommunications, although I plan to continue developing my Scripting and Programming skills. I do some System Administration by building and operating network sensors and supporting systems (like databases), but I am not the sort of sys admin who supports users. I try to stay out of devoted Management and Policy work, although I try not to be ignorant.
I could probably say a lot more on this topic, but the bottom line is that there are no shortcuts to security knowledge. I hope this free post has been helpful.
Comments
Knowledge and wisdom come with experience, would anyone disagree with that?
I think the conclusions reached in this article are good, and apply equally well to computer security. And while no one can be a wizard in a few days, weeks, or months, the only way to start is at the beginning.
It also helps to read this blog, Marcus Ranum's stuff, and "Inside the Security Mind: Making the Tough Decisions" by Kevin Day. They represent some of the strategic thinking that many new security practitioners miss out on. (Just curious - have you read the Kevin Day book Richard? If so, what'd you think?)
- Chris
Great references -- I haven't read "Mind" either.
(sorry i couldn't resist)
It's a never-ending process; find me a network security expert who stops learning, unless they decide not to be involved in the network security field anymore.
P/S: By the way, I don't think Richard is cheaper than any college offering you the security courses; his time is precious :P
Cheers
I like
Professional Web Application Penetration Testing
Hacking Exposed, 5th Ed
Outside of those two I'm not sure!
If you fly solo as a consultant, you better be able to sell your services and also live thru the months when there are just no contracts.
If you decide to go corporate, beware of two major areas of career risk: 1) Whichever department you end up in (network team, risk management, etc.), an unwritten part of your job description is that you are going to be hated, and you may be signing up to be the fall guy. The politics around infosec/netsec in any large organization get ugly real fast. 2) Be prepared to be redundant. Lots of companies are folding opsec into network teams, and network teams are VERY vulnerable to outsourcing.
Of course YMMV, but this is my decade plus worth of observations.