What should I learn to get into IT security?
Several people have asked me over the years some variation of "What should I learn if I want to do IT security work?" This is a hard question to answer without knowing your goals and interests. However, most people I talk to only have one very high-level goal: Get into security.
Here's what has been most beneficial for me on the technical side in no particular order.
- Operating systems: Not just Windows versus UNIX, but how they work. Learn about IPC, pipes, what really happens at boot time, how things get started at boot, etc. You can bet that attackers know how systems boot inside and out; it's called maintaining persistence. Also, Linux != unix. Yes, it is a unix variant, but I have seen "Linux gurus" get totally lost when trying to show someone something on Solaris. Don't be that person. Learn at least one distro/flavor of Linux, one BSD, and take a look at Solaris. They are different yet the same. Do not try to figure out the differences during an incident.
- Learn how to interpret logs: Seriously. Make for darn sure you know where the logs are on every OS and application you touch. Look at the logs every day and after making any OS or application change. How did that change affect the logs? This may be the difference between making a timely intrusion detection and an attacker having free rein on your network for months. I am amazed, when something serious has gone wrong, how many people reply "I have not looked yet" when I ask them what's in the logs.
- Networking fundamentals: Beyond the three-way handshake and the default gateway. How do network connections make their way up each layer of the network stack on an OS? How does a given program bind a network port in order to accept connections? Know subnet masking inside and out. Make for darn sure you can make sense of tcpdump output. Learn the structure of basic protocols: HTTP, DNS, SMTP, FTP, IRC, etc.
- At least two scripting languages: One portable one like Perl or Python, plus some unix shell (bash, csh, etc.). Get Cygwin and play with it if you have not already. Think tool building and quick-and-dirty text parsing.
- At least one compiled language: C is a good choice. C++ or C# would be a good second for any GUI stuff, but C will suffice. Visual Basic or similar if you must. Again, think tool building.
- Learn basic unix (and cygwin) utils like the back of your hand: sed, awk, grep, sort, uniq. These will save you one day while one of your coworkers is working on some fancy formula in Excel.
- Databases and Web Development: SQL. You'll need it for tool building if nothing else. Learn PHP while you're on SQL. They go together like peas and carrots. PHP could easily be swapped out for AJAX, Ruby on Rails, etc. The point is to learn what it takes to get that data out of the database and onto the screen of someone across the network. This is literally where the money is. Think e-commerce, online banking, etc.
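To show what the log-reading and unix-utils points above look like in practice, here is a small added example (mine, not from the original post): a POSIX shell pipeline that uses grep, sed, sort, uniq and awk to count failed SSH password attempts per source address in sshd-style log lines. The log lines, host name and addresses are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of sshd log lines (documentation-range addresses, not a real host).
SAMPLE_LOG="$(cat <<'EOF'
Mar  1 10:01:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 4412 ssh2
Mar  1 10:01:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 4413 ssh2
Mar  1 10:01:09 host sshd[1205]: Failed password for root from 198.51.100.7 port 4414 ssh2
Mar  1 10:02:00 host sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 50012 ssh2
Mar  1 10:03:11 host sshd[1215]: Failed password for bob from 192.0.2.10 port 50020 ssh2
Mar  1 10:03:15 host sshd[1217]: Accepted password for bob from 192.0.2.10 port 50021 ssh2
Mar  1 10:04:20 host sshd[1220]: Failed password for invalid user test from 198.51.100.7 port 4415 ssh2
EOF
)"

# failed_by_source: read log lines on stdin, keep only sshd "Failed password"
# events, pull out the source address, and count per address, busiest first.
# Output lines look like "<count> <ip>".
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# flag_sources THRESHOLD: print each address with at least THRESHOLD failures.
# One or two failures is a mistyped password; many from one address is worth a look.
flag_sources() {
    failed_by_source | awk -v t="$1" '$1 >= t {print $2}'
}

# top_failing_ip: the single address with the most failures.
top_failing_ip() {
    failed_by_source | head -n 1 | awk '{print $2}'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | flag_sources 3
```

Point the same functions at a real file with `failed_by_source < /var/log/auth.log` (path varies by OS, which is exactly the "know where the logs are" point).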
But, wait, Wyman. What about Firewalls, Intrusion Detection, Virtual Private Networks, Identity Management, Data Loss Prevention, Security Information and Event Managers, etc? I want to do security! They will come. Wax on, wax off. Trust me.
Build a foundation on what makes your computer and the Internet work. Only then are you adequately prepared to start defending it. Otherwise, you'll see something in your IDS and have no clue if that is normal or malicious. You do not have to be a guru at any of the items above, but be average in all of them and you're way, way ahead of the game.
I'd love to hear other thoughts and suggestions.