Becoming a Security Researcher
November 10, 2016 10:55 AM Subscribe
How do I get into the IT Security area? Not just superfluous knowledge based on a certification, but a genuine Security professional.
I have been thinking about moving into the IT security area, but even with the host of tutorials online, it is difficult to get a straight line. What courses, books, online content etc can help me achieve this?
I am not in the US currently and will be out for a couple of more years.
What I would like to be able to do:
1. Specialize in a couple of areas, like Mobile and IoT Applications and devices, where I can analyze them to uncover potential security threats
2. Use this knowledge to "test" them before they are released, thus providing me with a source of income
3. Go beyond using some tools and then relying on them to do #2
For example, I would like to do what these 2 guys did - found a flaw in the OAuth2 Protocol that is used by mobile apps to authenticate you (login with your facebook or Google account) - ">Link here to article
OR
Detect the virus that is stealing patient data for older Medical devices that are connected to the network
OR help organizations design effect application security mechanisms, audit them etc
I have been thinking about moving into the IT security area, but even with the host of tutorials online, it is difficult to get a straight line. What courses, books, online content etc can help me achieve this?
I am not in the US currently and will be out for a couple of more years.
What I would like to be able to do:
1. Specialize in a couple of areas, like Mobile and IoT Applications and devices, where I can analyze them to uncover potential security threats
2. Use this knowledge to "test" them before they are released, thus providing me with a source of income
3. Go beyond using some tools and then relying on them to do #2
For example, I would like to do what these 2 guys did - found a flaw in the OAuth2 Protocol that is used by mobile apps to authenticate you (login with your facebook or Google account) - ">Link here to article
OR
Detect the virus that is stealing patient data for older Medical devices that are connected to the network
OR help organizations design effect application security mechanisms, audit them etc
Best answer: Where are you starting from? Can you set up a system to replicate the OAuth2 exploit? Can you write applications for mobile devices? If I gave you a smart thermostat, could you reprogram it to react based on the temperature at times square?
If you aren't relatively technical already now, it might behoove you to move in the direction of becoming moreso. Many of the security exploits that are possible now are based on software being written at a high level, without thinking about what is being exposed at the low-level. So you need to know what's going on under the hood.
If you want to focus on an area like mobile, one place to start might be learning how to root devices. Not just installing a rootkit and pressing the button, but doing (as manually as possible) the steps to get root access. Then doing it on another similar device without following step-by-step instructions. Once the device is rooted, could you make it look like it wasn't? How do you cover your tracks?
posted by sparklemotion at 11:25 AM on November 10, 2016 [2 favorites]
If you aren't relatively technical already now, it might behoove you to move in the direction of becoming moreso. Many of the security exploits that are possible now are based on software being written at a high level, without thinking about what is being exposed at the low-level. So you need to know what's going on under the hood.
If you want to focus on an area like mobile, one place to start might be learning how to root devices. Not just installing a rootkit and pressing the button, but doing (as manually as possible) the steps to get root access. Then doing it on another similar device without following step-by-step instructions. Once the device is rooted, could you make it look like it wasn't? How do you cover your tracks?
posted by sparklemotion at 11:25 AM on November 10, 2016 [2 favorites]
What is your current IT specialty -- sysadmin or networking or programming or...? You will need one good foundation to start from, and then dig deep into one or two more.
Open-source software is obvious because you can read the stuff, but it also means that a lot of the simple problems have been nabbed already. So look for areas where your skills (packet capture & analysis, scripting, whatever) can be used on novel targets. Internet of Things is, indeed, pretty wide open today.
Or take a well-known topic (XSS, maybe) and apply it to a new target set (IoT control panels, say) and see what comes up.
posted by wenestvedt at 12:58 PM on November 10, 2016
Open-source software is obvious because you can read the stuff, but it also means that a lot of the simple problems have been nabbed already. So look for areas where your skills (packet capture & analysis, scripting, whatever) can be used on novel targets. Internet of Things is, indeed, pretty wide open today.
Or take a well-known topic (XSS, maybe) and apply it to a new target set (IoT control panels, say) and see what comes up.
posted by wenestvedt at 12:58 PM on November 10, 2016
Best answer: thus providing me with a source of income
To over simplify there's perhaps two tracks to actually make money in security, a corporate job which is very much keeping up to date and working the checklists and the hacker, the SANS group will have classes, conferences and checklists. The hackers are not actually making money "finding a bug", a token bounty but it's more for status, which some are able to leverage into consulting gigs, which is great, but consulting has it's own issues.
As for learning, dig into IRC channels, it'll take time and keeping a bunch of screens running 24/7 for when a good discussion occurs (log, log, log) - not just bug/sec but the there are good language an os channels. I'd poke around to see if there are slack channels but it's kinda corporate. There are some good forums on reddit and I expect some invite only if you're a good participant in the public discussions.
posted by sammyo at 2:50 PM on November 10, 2016
To over simplify there's perhaps two tracks to actually make money in security, a corporate job which is very much keeping up to date and working the checklists and the hacker, the SANS group will have classes, conferences and checklists. The hackers are not actually making money "finding a bug", a token bounty but it's more for status, which some are able to leverage into consulting gigs, which is great, but consulting has it's own issues.
As for learning, dig into IRC channels, it'll take time and keeping a bunch of screens running 24/7 for when a good discussion occurs (log, log, log) - not just bug/sec but the there are good language an os channels. I'd poke around to see if there are slack channels but it's kinda corporate. There are some good forums on reddit and I expect some invite only if you're a good participant in the public discussions.
posted by sammyo at 2:50 PM on November 10, 2016
Response by poster: I have 10+years of IT experience, primarily in Application S/W Testing with decent programming skills. I am doing some security testing work for the last couple of years, based on which I have been actively seeking out and learning about basic security topics.
@sparklemotion - Precisely, most of the exploits happen only when you dig deeper, as the surface tests don't show any vulnerabilities. What skills do you think would be relevant for me to start learning?
posted by theobserver at 11:16 PM on November 10, 2016
@sparklemotion - Precisely, most of the exploits happen only when you dig deeper, as the surface tests don't show any vulnerabilities. What skills do you think would be relevant for me to start learning?
posted by theobserver at 11:16 PM on November 10, 2016
Best answer: As wenestvedt said - you build a foundation and choose an area to specialize in. Sammyo linked sans - their course outlines are a great starting point.
https://www.sans.org/course/mobile-device-security-ethical-hacking
"This course is designed to give you the skills you need to understand the security strengths and weaknesses in Apple iOS, Android, and wearable devices including Apple Watch and Android Wear. With these skills, you will evaluate the security weaknesses of built-in and third party applications. You'll learn how to bypass platform encryption, and how to manipulate Android apps to circumvent obfuscation techniques. You'll leverage automated and manual mobile application analysis tools to identify deficiencies in mobile app network traffic, file system storage, and inter-app communication channels. You'll safely work with mobile malware samples to understand the data exposure and access threats affecting Android and iOS devices, and you'll exploit lost or stolen devices to harvest sensitive mobile application data."
posted by anti social order at 2:34 PM on November 11, 2016 [2 favorites]
https://www.sans.org/course/mobile-device-security-ethical-hacking
"This course is designed to give you the skills you need to understand the security strengths and weaknesses in Apple iOS, Android, and wearable devices including Apple Watch and Android Wear. With these skills, you will evaluate the security weaknesses of built-in and third party applications. You'll learn how to bypass platform encryption, and how to manipulate Android apps to circumvent obfuscation techniques. You'll leverage automated and manual mobile application analysis tools to identify deficiencies in mobile app network traffic, file system storage, and inter-app communication channels. You'll safely work with mobile malware samples to understand the data exposure and access threats affecting Android and iOS devices, and you'll exploit lost or stolen devices to harvest sensitive mobile application data."
posted by anti social order at 2:34 PM on November 11, 2016 [2 favorites]
Response by poster: Thanks for the responses. I will leave this thread open for a couple of days more to see if there are more responses.
posted by theobserver at 12:59 AM on November 14, 2016
posted by theobserver at 12:59 AM on November 14, 2016
I thinkt he first step is as jfreg said above - look for local meetings in your area. This will be country specific but in the UK look for the "DC" meetings, OWASP, or to see the more "professional" side of the industry something like the BCS. Internationally there are numerous security conferences, so you should be able to find something close to you. This will help you get a feel for the kind of people in this field, and make useful networking connections too.
( as credentials I've been in IT / information / cyber security for fifteen years or so, and I'm happy to take personal messages from you if you've got specific questions, but my knowledge will be UK focused )
posted by DancingYear at 6:38 AM on November 15, 2016
( as credentials I've been in IT / information / cyber security for fifteen years or so, and I'm happy to take personal messages from you if you've got specific questions, but my knowledge will be UK focused )
posted by DancingYear at 6:38 AM on November 15, 2016
The SANS course that anti social order mentions, above, is written and taught by my friend Josh Wright.
If you have the cash, spending a week getting inside his head would be awesome. He takes great delight in finding the seams in things and prying them apart until the guts spill out. :7) That attitude/habit of mind is what you need (which it sounds like you have), plus some low-level knowledge of one or more protocols.
posted by wenestvedt at 9:40 AM on November 15, 2016
If you have the cash, spending a week getting inside his head would be awesome. He takes great delight in finding the seams in things and prying them apart until the guts spill out. :7) That attitude/habit of mind is what you need (which it sounds like you have), plus some low-level knowledge of one or more protocols.
posted by wenestvedt at 9:40 AM on November 15, 2016
« Older What to put in my apartment window to show... | Can I ask people if they voted for Trump before... Newer »
This thread is closed to new comments.
I recommend checking Meetup.com and OWASP.org for InfoSec meetups in your area, and looking for security "cons" in your area, as a starter. (If you want to memail me your location I may be able to provide some more pointers.).
When I'm home and on a PC instead of my phone, I will post more detailed info.
posted by jferg at 11:16 AM on November 10, 2016 [5 favorites]