Tuesday, November 21, 2006

No Shortcuts to Security Knowledge

Today I received a curious email. At first I thought it was spam, since the subject line was "RE: Help!", and I don't send emails with that subject line. Here is an excerpt:

I cannot afford nor have the time to take a full college course on the topic of network security but I would like to be as knowledgeable about it as yourself and be able to protect my computer and others regarding this matter. If I was willing to pay you would you take the time to teach me what you know and/or point me in the direction I would need to learn what you know about network security? Please advise what course I would need to take to accomplish your skill of network security?

In my opinion, it seems like this question seeks to learn some sort of "hidden truth" that I might possess, and acquire it in record time. The reality is that there are really no shortcuts to learning as complex a topic as digital security. I have been professionally involved with this topic for almost ten years, yet I consider myself halfway to the level of skill and proficiency I would prefer to possess. In another ten years I'll probably still be halfway there, since the threats and vulnerabilities and assets will have continued to evolve!

If you want to "know what I know," a good place to start is by reading one or more of my books. I recommend starting with Tao, then continuing with Extrusion and finishing with Forensics. Chapter 13 from Tao explicitly addresses the issue of security analyst training and development.

My company research page lists over a dozen documents I've written, and this blog is a record of almost four years of thoughts on digital security.

For books outside of my own, my top ten books of the last ten years contains some of the best books on digital security. My reading page shows books I recommend in five categories. I also show the books waiting to be read on my shelf, but I wouldn't consider an appearance there to be an endorsement unless I offer a favorable Amazon.com review. Please note my recommended lists do not include books from 2006 (and maybe 2005), but I plan to write a "best of" list at the end of this year. I'll update the recommendations lists if I have time.

In addition to reading, I highly recommend becoming familiar with the majority of the security tools listed by Fyodor. It also helps to specialize (at least in the beginning) in one of the five categories I show on my reading page.

I tend to split my time between Weapons and Tactics and Telecommunications, although I plan to continue developing my Scripting and Programming skills. I do some System Administration by building and operating network sensors and supporting systems (like databases), but I am not the sort of sys admin who supports users. I try to stay out of devoted Management and Policy work, although I try not to be ignorant.

I could probably say a lot more on this topic, but the bottom line is that there are no shortcuts to security knowledge. I hope this free post has been helpful.

11 comments:

Anonymous said...

I'm a student, who's 20 years old and sometimes feel the same way. Everywhere I look I see (security) professionals who know so much in the world of IT among other things and wish I knew half as much as them. I take a step back though, come to grips with reality and tell myself... "I'm only 20, when I'm older and have been in the industry (and learning as much as I can) as long as these guys... hopefully I will possess that same level of knowledge."

Knowledge and wisdom come with experience, would anyone disagree with that?

Anonymous said...

Don't be so easily fooled by cockiness, marcin. If security professionals knew as much as they pretend, they wouldn't be necessary.

Anonymous said...

Here's a link to an excellent article: "Teach Yourself Programming in Ten Years" at http://www.norvig.com/21-days.html

I think the conclusions reached in this article are good, and apply equally well to computer security. And while no one can be a wizard in a few days, weeks, or months, the only way to start is at the beginning.

It also helps to read this blog, Marcus Ranum's stuff, and "Inside the Security Mind: Making the Tough Decisions" by Kevin Day. They represent some of the strategic thinking that many new security practitioners miss out on. (Just curious - have you read the Kevin Day book Richard? If so, what'd you think?)

- Chris

Richard Bejtlich said...

Hi Chris,

Great references -- I haven't read "Mind" either.

Anonymous said...

no way my friend said that he knew everything about security from reading SANS

(sorry i couldn't resist)

C.S.Lee said...

I'm a latecomer when it comes to computing. I started learning it when I was 22, and instead of going headless I decided to concentrate on network security after one and a half years of learning computing. I suffered a period where I couldn't understand those network intrusion/detection books/materials since they looked too technical to me, and came to realize that foundation is very important. I started learning network protocols (RFCs and Stevens' book), *nix-based systems (luckily I got free training from college) and writing shell scripts when I needed to ease my tasks. I do use security tools that are listed on insecure.org to learn how security tools work. I would say I'm lucky enough to have met awesome guys in #snort-gui who stimulate my mood for learning network security in a more in-depth way, since I realize I'm not as good as them. But you should think that taking network security as a career path can be tough unless you have passion for it and won't lose it some other day. It requires lots of reading and understanding, you will have to keep yourself updated and love what you are doing. Your skills will evolve over time when you have more experience in the industry.

It's a never-ending process; find me a network security expert who stops learning, unless they decide not to be involved in the network security field anymore.

P/S: By the way I don't think Richard is cheaper than any college that is offering you the security courses, his time is precious :P

Cheers

Anonymous said...

Richard, I appreciate your book reviews. Can you help me about what are the 3 best penetration testing books available on the market today?

Richard Bejtlich said...

Anonymous,

I like

Professional Web Application Penetration Testing
Hacking Exposed, 5th Ed

Outside of those two I'm not sure!

Anonymous said...

The attitude irritates me. "Teach me everything I need to know." Some people! Start by taking an ethics course!

Anonymous said...

Aside from the level of tech needed to be a professional security gal/guy, anyone considering such a career should also think long and hard if they are willing to deal with the real life consequences of such a career.

If you fly solo as a consultant, you better be able to sell your services and also live thru the months when there are just no contracts.

If you decide to go corporate, beware of two major areas of career risk: 1) whichever department you end up in (network team, risk management, etc) an unwritten part of your job description is you are going to be hated and you may be signing up to be the fall guy. The politics around infosec/netsec in any large organization get ugly real fast. 2) be prepared to be redundant. lots of companies are folding opsec into network teams and network teams are VERY vulnerable to outsourcing.

Of course YMMV, but this is my decade plus worth of observations.