Schneier on Security
A blog covering security and security technology.
July 5, 2012
So You Want to Be a Security Expert
I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice.
First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks. You can be an expert in viruses, or policies, or cryptography. There are many, many opportunities for many different skill sets. You don't have to be a coder to be a security expert.
In general, though, I have three pieces of advice to anyone who wants to learn computer security.
- Study. Studying can take many forms. It can be classwork, either at universities or at training conferences like SANS and Offensive Security. (These are good self-starter resources.) It can be reading; there are a lot of excellent books -- and blogs -- out there that teach different aspects of computer security. Don't limit yourself to computer science, either. You can learn a lot by studying other areas of security, and soft sciences like economics, psychology, and sociology.
- Do. Computer security is fundamentally a practitioner's art, and that requires practice. This means using what you've learned to configure security systems, design new security systems, and -- yes -- break existing security systems. This is why many courses have strong hands-on components; you won't learn much without it.
- Show. It doesn't matter what you know or what you can do if you can't demonstrate it to someone who might want to hire you. This doesn't just mean sounding good in an interview. It means sounding good on mailing lists and in blog comments. You can show your expertise by making podcasts and writing your own blog. You can teach seminars at your local user group meetings. You can write papers for conferences, or books.
I am a fan of security certifications, which can often demonstrate all of these things to a potential employer quickly and easily.
I've really said nothing here that isn't also true for a gazillion other areas of study, but security also requires a particular mindset -- one I consider essential for success in this field. I'm not sure it can be taught, but it certainly can be encouraged. "This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems." This is especially true if you want to design security systems and not just implement them. Remember Schneier's Law: "Any person can invent a security system so clever that she or he can't think of how to break it." The only way your designs are going to be trusted is if you've made a name for yourself breaking other people's designs.
One final word about cryptography. Modern cryptography is particularly hard to learn. In addition to everything above, it requires graduate-level knowledge in mathematics. And, as in computer security in general, your prowess is demonstrated by what you can break. The field has progressed a lot since I wrote this guide and self-study cryptanalysis course a dozen years ago, but they're not bad places to start.
This essay originally appeared on "Krebs on Security," the second in a series of answers to the question. This is the first. There will be more.
Posted on July 5, 2012 at 6:17 AM
Can't get I.T. security certifications without I.T. security industry experience, can't get I.T. security industry experience without I.T. security certifications. My IT Security degree is pointless by itself, no one giving certifications seems to care about experience if it's not professional experience.
Funny how this is. The advice is good and applies to virtually anything you want to master. Learn, do, show. That is the easy part and the hard part. So is doing it consistently over months or years. No magic bullet.
So You Want to Be a Security Expert
Hmm is there any such animal?
Seriously, the field of endeavor is so broad, including knowledge of building / fire codes and other areas of health and safety just for simple "physical security", over and above knowing about locks, bars, safes etc.
Then there is electrical / wiring codes and basic telephony for just installing burglar alarms. A bit more electrical / electronic knowledge for installing simple alarms and very very basic CCTV. Oh, and you also need a working knowledge of AirCon etc. for kitting out security centers.
Then you need to have EmSec knowledge for red/green wiring, shielding techniques and a good understanding of radio theory as pertaining to "near field" EM radiation. Then there is the knowledge required of acoustics as well.
And that might give you sufficient knowledge to be a competent installation technician.
I won't bother going into all the aspects of analog and digital engineering design as pertains to "communications and computers".
I've spent years doing this sort of thing including the design of security equipment in all aspects.
And although I've got the beard to promote envy in the "most senior of Deans" and the obligatory "badger" in it as a "badge of longevity of office", I'd by no means call myself an expert by any means.
As for most "certificates", I've a downer on them because they are usually indicators of a "faux market" created because of the laziness of others such as Human Resources. The main trouble with them is the way they are often "tested", which gives rise to courses designed to "pass the test", not give the candidates the real breadth and depth required to be even the most basic of practitioners.
I also prefer to see degree level or above training in a subject such as physics or other branches of science and engineering (though not computer Sci). Further playing a musical instrument to performance and above level is very desirable. Oh and having spent a couple or more years doing "testing" of just about any kind will add polish to the C.V.
If you are going to be any good you need to have a particular mind set for detail at a very very deep level. And importantly an innate sense of curiosity about the world around you from an early age.
Oh, and if you have Asperger's or other Autistic Spectrum Disorders, whatever you do don't let that put you off; many of the best have very significant leanings in this direction. There are now many technical tools such as speech to text software with context sensitive spell correction etc. Look at these tools as being like an artificial limb. Some people are born with physical disabilities, but modern technology enables them to compete at Olympic standard in nearly all sports. In this respect the aids to High Functioning Autistics allow them to compete not just with "Neuro Typical" practitioners but frequently to easily outperform them.
Spot on! However, would-be security specialists should understand that there are many, many other fields where there is higher income potential for a whole lot less work.
Effective software quality assurance folks have the mindset you describe for security professionals. The best of the SQA people do a lot of white-hat cracking. They mount all kinds of attacks on systems that the creators didn't imagine. For example, look at this description of the Netflix "chaos monkey" discipline.
I've tutored many on how to break into this field.
Generally I say, learn risk assessment, then about the various vulnerabilities, and finally the various common and less-common mitigations.
You can then walk through an interview and hold up your side of a discussion, and be useful to an organisation beyond the interview.
Hopefully in the end you'll also realise that it's all about people's behaviour.
Oh, and read 'Make Friends and Influence People' because you can't achieve much in any organisation by yourself, and though you don't want to be a spineless droid, you do want to learn to see other people's point of view, and tease out what motivates them.
Good summary. I would add, there are no shortcuts... Learn or know the "basics" and move up in knowledge. If you don't know networking/OSI in detail, how are you going to read packets? Yes, being a little snarky. ;)
Ah and do not forget to tell them its not like on TV or Movies. An incident can take hours and hours of reviewing logs to find the way in! Or days to find the forensic evidence on a hard drive or other locations. If you like to watch paint dry this is the field to get in!
ole still logging bin logging what color is grass anyway?
Keeping in mind the Navajo Code-Talkers, it seems to me that the entire concept of security requires lots and lots of up-to-the-moment native speakers of all languages likely to be used in any security situations.
Barring that, the bad guyz (who, in my opinion and after the latest episodes of cyberwarfare, probably speak an edgy combination of military Hebrew slang and use colloquial references to Israeli children's TV) are going to be able to communicate freely, with no decryption possible.
Everything that Bruce says, of course, is completely accurate - this is a broad field. Most of my knowledge has been gained the hard way, and a lot of it through lessons learned through initial failures and misfires. That is why the hands-on piece is so critical - everyone in this industry, like a lot of others, becomes more valuable by "earning their stripes". Those are the guys I want with me in the trenches.
Great post. In addition to helping people looking to get into this field, I think these resources are great for any average computer user looking to learn more about security. I, for example, have no intentions of becoming a cryptography expert (my math skills are limited to 2+2=potato), but I found that reading through material about cryptography has helped me better understand what all those pretty buttons in Truecrypt mean. Quite a bit can be learned by knowing where to find the answers.
"I am a fan of security certifications, which can often demonstrate all of these things to a potential employer quickly and easily."
They have been of no help to me in weeding out candidates. About four-fifths of those who walk in the door with the "most respected" certs just have the piece of paper and little retained knowledge or skills. A little bit of intensive self-study or going to a certification "boot camp" and they think they are hot commodities.
As far as helpful pieces of paper, there have been a few excellent candidates who graduated with advanced degrees from certain NSA Centers for Academic Excellence. (Some of the programs are better than others.) None of them put post-nominal certification letters after their names.
Along those lines, unless it's something like "PhD" , those letters make you look less impressive, not more.
For those still coming up in school looking at how to effectively orient their careers towards security, look into the same classes and skills that are required to get hired by a CPA firm doing audit work. Much like Bruce talks about here, financial auditing orients your mind toward looking at how things can fail.
While fulfilling that accounting coursework, specialize in IT in your own time and obtain IT certifications.
Large CPA firms also have Risk and Compliance departments that do specialized security consulting work. If you walk in the door with audit skills matched with IT knowledge and certifications, you will find open arms.
@dena. You almost owed me a keyboard. You should hear Israeli teenagers speaking in a rapid clip colloq. in almost a valley girl type language. (showing my age) Hebrew speakers are the bad guys? I thought allies? ;)
@hiring. I understand. I don't put any letters after my name. Talk and then actually show them something. they get weeded out. I'm old school. deciphering binary LSB, LRC here. LOL
I do not agree with the affirmation "You don't have to be a coder to be a security expert.". Sadly, you will most likely remain a general security analyst used as a management resource if you don't know how to code. All the gray-haired security expert dinosaurs I know are still able to code a Perl PoC.
Thanks for the HackThisSite mention!
Good article, but you neglected to discuss the proper size and grooming of a beard in order to reflect one's guru bonafides.
'Remember Schneier's Law: "Any person can invent a security system so clever that she or he can't think of how to break it."'
Actually, I failed that test. But I am unsure whether I now qualify or not?
[ @Winter, Where did you fail? Inventing the system or being able to break every system you designed? Makes a difference on answering whether you "qualify or not" :) ]
My question is, am I not smart enough to invent a system I cannot break. Or am I so smart, I can break every system I can invent?
(there is an old philosophical question somewhere in here)
I've hired a few IT-security-guys in the past. The best one was an ex-UK-Army Sergeant who'd used his end-of-service bonus to pay his way through law-school. He'd been involved in the 1980s Falklands expeditionary-force.
To be honest, he knew no programming-languages, and didn't know one end of a firewall or a cryptographic-algorithm from the other. But that's not security.
What he _was_ truly brilliant at was assessing and understanding the whole game-of-risk and identifying the kind of corporate-assets that really needed protecting.
Understanding algorithms doesn't help you when your facility is targeted by an Animal Liberation Front firebomber. Math-degrees mean nothing when you've got to give a credible, shareholder-value-preserving interview on nationwide TV. I'll take a clean-cut, world-weary, legally-competent and 'broad-spectrum' security-guy over the geek-type any day.
It's a match between you and yourself. I wonder who will win! Without further data, it's hard to answer an abstract question.
If you can't break the system, it still says nothing about its security. Someone else may break it. If you can break it, I guess it's insecure ...
"Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail"
Engineers do stress testing also. If you are building a bridge you want to know how it can fail.
Only difference is they don't get accused of malevolent intentions.
There should never be a need to take one over the other. They are both so different and yet so necessary.
As Peter O'Toole said in Caligula, "One needs both, yes, to keep healthy."
I agree wholeheartedly with Anton... but only as far as "good engineering".
I've worked with many engineers designing assembly-line robotics, and whether or not you have a degree means little as to whether or not you truly understand how to design something with few to no failure modes. Not one of my designs ever failed in production (with hundreds of millions of cycles), yet my degreed coworkers had many redesigns to correct failures of their systems. Did I mention I have no such degree?
The difference? In addition to figuring out how to make something work, I try and figure out how things can break and fail. Most of those I worked with simply focused on making it work.
15 years ago I switched careers to support those engineers. 12 years ago I became a consultant. 8 years ago I was brought into the IT Security field because of my depth of Unix (Solaris & Linux) knowledge... and my brain still thinks the same way. I didn't realize until after the (IT Security) interviews that I've been very security focused for many years... I simply never thought about it in those terms until that point.
Why do I mention all of this?
To show that it's not necessarily a learned behavior, but more a personality trait that holds one's focus so deeply on something that they find faults where most others find none.
Also to show that certificates aren't really requisite to a security position. I have SCSA & SCNA certifications, as well as a third most have never heard of (as it was only available to people working in Sun VARs - weird), but none of those are security related.
I also have very little official programming training. I don't think of myself as a coder, though I do write many scripts (ksh & Python, among others) for automating my work, some of which are many thousands of lines. I can only *just* read C, however, which is why I don't consider myself a programmer. So I agree that you don't have to be a programmer to work in security... as long as you understand your limitations (and knowing what you *don't* know is sometimes pretty difficult). I have a counterpart who has a deep background in programming who I find invaluable, but interestingly enough, we almost always come to the exact same conclusion while using totally different approaches on an investigation. I believe this further reinforces that point.
Thank you for yet another very useful posting.
... I can only *just* read C, however, which is why I don't consider myself a programmer.
Don't worry, most people I know of who write C code I would not consider to be programmers but "Code Cutters".
There is an old "in joke" about C,
"C is a WORN language"
Where for those who know, WORN stands for "Write Once Read Never"... and this is apparently altogether more humorous because it's (alphabetically) "one up" on the more useful "WORM".
If you are thinking WTF or some such, I'm not surprised; as a joke it's marginally less funny than the "Pieces of Seven" in joke. Or for that matter all the other "geek in jokes" used in TV SitComs.
Clive's comments about Autistic Spectrum Disorders are spot on. I have Asperger's, and find the whole field of IT security straightforward to get my head around (the mindset as well as the tools and techniques). I'd even go so far as to say that having ASD gives you a significant advantage in this field - rapid pattern matching skills are very useful.
Also: as to certifications being tools to get past the HR shield - this is very true. However Bruce has singled out the Offensive Security guys for a reason - the PWB course is gruelling, and the 'test' is a 24 hour live-fire penetration exercise. I rate it very highly. It also gets past the whole 'you must have IT security experience to get an IT security certification' nonsense.
"It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail."
I'm sorry if you had said "Artists, Artisans and craftsmen" I might have agreed with you.
The essence of real "engineering" is knowing "how things break and why". That is, the first step in engineering is to find what the limits are on all the available components, and this data is obtained by first breaking them in very precise ways using very specialised equipment.
The history of the cartwheel is the essence of Artisanal "it's broken, change the design a little until it stops breaking" thinking, which by trial and error arrived at an effective design over a couple of thousand years. It was this same sort of thinking that gave rise to early steam engines that burst their boilers and killed many people.
After that, the "English Parliament" (now British or UK) passed legislation that forced the "artificers and Artisans" to become engineers.
This in turn gave rise to the fields of science such as metallurgy, materials science, and more recently metrology. All of which, when applied correctly, means we can now "engineer" a "design" on paper and have high confidence it will work without change when built, and be efficient in its design and operation (yes, we get it wrong very occasionally, but the study of such failure gives rise to the knowledge of how to design out what were previously unknown failure modes in future designs).
One of the reasons I hate the expression "Software Engineering", and frequently say so, is the implication there is any aspect of "engineering" in the artisanal practice of "code cutting" as carried out by far the majority of the world's software programmers.
If indeed the average code cutter did practice the discipline of "engineering" then we would be unlikely to be suffering the "bug for every five lines of code" (or whatever it currently is) that makes the practice of "Computer Security" such a necessity in our modern world.
Racing-car engineering: if it broke it wasn't strong enough; if it didn't break it was too heavy.
Leads to the perfect realisation of a car that crumbles to dust as it crosses the finishing line (in first place).
So what would the corollary be: if it let them in it was too weak; if it kept them out it was too complex?
@Hiring: The letters I put after my name are actually an MD5 hash of the interviewer's mother's maiden name, name of their first pet, and name of their high school.
For those who are entering college, I suggest looking into which schools have good information assurance programs.
The NSA keeps a list of US schools that have "certified" programs. My personal favorite is at the Georgia Institute of Technology, where a number of the botnet hunting researchers live. For those on the west coast, University of California at Santa Barbara also has some good classes and researchers.
Also, be sure to know whether you want to do IT security or software security. They are different fields with different career paths and skill sets.
When you graduate, be sure to ask about security engineering positions. I almost walked away from the career fair booth of my first employer because I didn't know they wanted to hire Software Security Engineers.
Here are a couple specific tips I'd give:
- Take a real psychology class. Your local community or city college probably has a survey/intro class for people who are interested in the topic but don't plan to get a degree. It's fun. You'll get practical demonstrations. You'll get to experiment on your classmates! >:-)
- The single biggest thing you can do to pick up the security mindset is learn how stage magic works. Seriously. It won't get you all the way there on its own, but it will give you valuable knowledge that is all but nonexistent in the science and engineering communities.
If you want to learn how to Reverse Engineer software, including many of the things mentioned herein, the US military offers two, free, self-study training courses -- see http://spi.dod.mil/re_training.htm
I'll offer my perspective as a former entertainment and profit oriented blackhat.
The first time I was on the internet I was 4 (I played Bolo with one of my dad's coworkers, and Doom), and I've been interested in computer security since I was around 6 or 7. I earned a reputation for myself (under a different nickname ;)) around 8 when I became involved in the SubSeven trojan community and got in to botnets. I skipped nearly all of middle school to sit on IRC hacking stuff, getting placed in juvenile detention twice for truancy (the first time for 3 days, and the second time 7 days). At 13 my actions and the FBI caught up with me and I went to juvi for 2 years. My restitution exceeded the profits from my actions, costing my parents their house, the lease on their new van, and their credit score, resulting in my mom being unable to work as a personal banker any longer. As terms of my probation (that I ignored) I was banned from using computers for an additional year after I was released, presumably for knowing too much for my own good.
I'm a different person now, 24 and greyhat. While I'm a great hacker(not to toot my own horn), I do not consider myself an "expert" despite how long I've been at it(there's just too much, and too many attack vectors to know) and what my employers and friends consider me. I can code, but I am not a coder, and IMO computer security is _not_ about being a coder(though you will only get so far...). The reason is that most hacks in the wild happen using someone else's code, or do not even require "code", but on the other hand sometimes you *need* to code in order to even talk to another computer - an example would be hopping VLANs from a VOIP tagged port to the primary VLAN with Scapy, or abusing source routing.
As computers explicitly/literally interpret code, practical computer security is about enumerating the rules you are constrained by and finding the exception to the rule, sometimes even by providing the criteria that determines the rules. This can mean abusing a firewall exception for any packet coming in with a source port of 53/67/68, finding a file with insufficient file permissions, spotting an off by one error, a cast from int to char, or whatever, but the real key in offensively oriented computer security is to have a knowledge base at least a mile wide and an inch deep so that you can intuit the pieces that are missing from your puzzle. You need to be able to expect and seek out the unexpected behavior that others didn't. That unhandled logic error - whatever it may be - is your exploit vector, and it exists no matter what you are looking at(Even hello world programs can be vulnerable - IE string format vulnerabilities).
The Blue Team makes a horrible Red Team, and I believe this also comes down to mindset involved. When you're the Blue Team and you're looking for bugs, your end desire is for your software to be free of bugs. Because of this you are going to encounter confirmation bias once you whack-a-mole the low hanging fruit. This desire directly impedes the Red Team mindset, and contradicts the Red Team goal of exploiting your software.
Using all information available to you is vital, and acquiring information you're not supposed to have is even more important - security by obscurity is unfortunately viewed as a sound security concept by some. It isn't - there are people smarter than you, and secrets never stay secret if more than one person knows the secret. My advice is to read, set up some VM hosts to target with your friends, and start hacking. The security mindset - finding the exception to the rule - can only be learned by picking everything apart, and if you're any good it will eventually come to shape your thoughts and permeate your every day life.
In the end, don't consider "computer security" a career option. You really need to ENJOY computer security to be good at it, and you need to be lucky to get a legit job doing it. While there are professional penetration testers, it is very hard to convince someone to pay you to attempt to hack them, no matter your track record. You may be able to find a company that finds your skill set unique, but so far I have not - I do night time tech support/spam review for an anti-spam company, and I hate it. Even though I consider myself to be a moral person, you would not believe how hard it is for me to remain white hat - I *just* barely made 7 figures at age 12. That's more money than I've made in total if you combine all my income I've made since turning 18 and starting my professional career - probably more than I'll make in the next 10 years even! Plus, I've been unemployed twice in the past three years due to the economy. The temptation is a bitch.
i did not see the elearn security course mentioned here, seeing as it is the most affordable of all, and looks good on paper. Anyone know about the eCCPT certification?
Yes, certification is the key; but also these certifications are so costly. I so want to do the DIAC certification, but the costs make me back out every time. It's too high for me, right now...... I think they should make these certifications affordable and not so high cost...
@Hiring: I had an MCSE (technically I still have it but its out-of-date; but at the time it was "the" cert to have), but I acquired it by taking a college course for each of the EIGHT tests in order to have hands-on experience with each; then got a "how to pass the test" book for each test after the first time I got an "A" in a class but failed the cert test because there is very little overlap between useful knowledge and knowledge required to pass the cert test.
I then went on to get CCNA (Cisco routers) but Cisco changed the curriculum 3/4 of the way thru and wanted me to start over; I realized certification was a treadmill that I could never get off of but my money could, so I stopped.
The conundrum is compounded by the fact that things that are important to know are difficult to test for, and vice-versa; so instead of testing for something IMPORTANT, like figuring out WHEN you need to reload IOS they concentrate on trivia, like HOW to reload IOS, which is easy to find out once you know you need to.
I think Dilbert sums up certifications perfectly.
@Jacob: Allies? Ask the survivors of the Liberty.
MIT offers all their electrical eng and compsci courses for free online, and if you know how you can just access the 2012 lectures. Hey Bruce, they still use your book as req reading in the crypto courses. Also should mention the khanacademy site if you need to brush up on precalculus and algebra.
A lot could be discussed. But 40 yrs is a long time and much disputation. I'm not even sure we have even half the questions let alone answers to work from. It's enough to give me a headache. Flame is just the surface of the nation state capability and what has been deployed. Of course just supposition on my part.....;)honeypots....hmmm
Certifications are good for three things:
- they prove people can study to pass an exam,
- they provide a good excuse for a clueless manager as to why someone was hired, and
- they can be framed and hung on a wall to hide the cracks
I've seen a lot of good people who happened to have certifications; but a similarly large group of certified people who were hopeless ...
Nice comic strip. That's about accurate. I think that's why Schneier and others include the doing/showing parts. I have three words for someone who believes in a test based certification: Exam Cram Sites.