Getting started in infosec


I recently participated in a discussion on a private mailing list about people who want to get started in information security. Of course it veered into standard territory about the value of certifications and such, but a few bits turned out interesting if not exactly ground-breaking.


What matters most: education and learning and experience. With very few exceptions, IT and infosec certifications mean very little to me. (And I personally have reached the point in my career that any job requiring one to get past HR is not a company where I want to work.)

Ugh to vendor / tool certifications. I’d rather hire somebody who knows (say) system forensics inside and out but has never used a given tool than somebody who knows how to run EnCase but doesn’t really grasp the underlying fundamentals. Similarly with the RHCE - I don’t know that exam well, but I’d be concerned about whether somebody “knows Red Hat” or “knows Linux” (or, better, “knows Unix”). I’ve run into both types, of course: people who got a vendor cert because it helped them get a job but who really could have used any tool, and folks who claimed to know what’s up because they have a cert - but put them in front of, say, FTK or Debian and they’re lost. I mean, I don’t care if my mechanic “knows Craftsman” as long as they can fix my car.

A few certifications actually do say something good about the cert holder: CCIE, to a degree, and the older style SANS certs (now I think they’re called “Gold”?). Although I’d not pass somebody over for having a cert, I’d pass them over for overemphasizing it.

If an applicant for a junior DFIR gig hasn’t had the opportunity to take an expensive SANS course or whatever, but can demonstrate lots of initiative and self-guided education, with some open source projects or a blog that shows their understanding and personal contributions from their own research, I will likely prefer them anyway.

So, if you want to get started cheap and don’t know how, you could start with things like:

Set up a home lab and do whatever interests you. Find some online CTFs (more on this soon). Do some social coding. Hang out at a local BSides or DEFCON group. There is no shortcut to success. You have to put in the time and effort.

And always remember: hack to learn, don’t learn to hack.