Breaking into the security field

Brian Krebs is running a series on how to break into the Computer Security field. These are in response to inquiries that he receives, and these types of posts of his are very popular.  So, he went and started talking to people who are well known in the industry about what they suggest people do in order to break into it.

I enjoyed Schneier’s interview (and Ptacek’s, too). Schneier gives the following advice to a fledgling security professional:

  1. Study hard – This doesn’t have to be classwork, although that is important.  Read books and blogs, but not just about security.  Economics, psychology and sociology are important, too.

  2. Do it – You’ve got to practice at it.  Try to break existing security systems (but do it legally).

  3. Show others – Take part in mailing lists.  Write blogs.  Create podcasts.  Be visible.

I agree with these comments above.  I broke into this business by answering an ad in the newspaper for a spam analyst.  A year later the company I worked for (Frontbridge) was acquired by Microsoft.

Yet I always had an interest in security.  When I first joined Frontbridge I hated spam.  I had crafted rules in Outlook to stop it in my personal mail but I knew that they weren’t good enough.  Had I had Perl regexes back then, I would have had a lot greater success.  I’m still doing spam fighting all these years later.

Schneier closes with the following:

One final word about cryptography. Modern cryptography is particularly hard to learn. In addition to everything above, it requires graduate-level knowledge in mathematics. And, as in computer security in general, your prowess is demonstrated by what you can break. The field has progressed a lot since I wrote this guide and self-study cryptanalysis course a dozen years ago, but they’re not bad places to start.

When I was in university, I took Computer Engineering instead of Computer Science.  That means I had a greater focus on hardware rather than software, and cryptography was not an elective.  That’s too bad and I wish it were (looking back on it now; at the time I didn’t care that much).

However, in my last year of study, I took a Telecommunications course that was possibly my favorite course of all time.  In it, there was a section on Cryptography and I enjoyed it a lot.  I wish I still had the notes.  But in it we learned about encryption algorithms, how the government enforced DES encryption at only 56 bits and caused people to think that it had a secret back door, asymmetric and symmetric hashes, relatively prime numbers and public/private key encryption.  It’s because of that class that I understand the technology behind DKIM, and even basic security protocols like TLS, HTTPS, and DNSSEC.

Microsoft has some internal courses about encryption, and they’re similar to what I remember from that university class (Bob talking to Alice).  Every time I’ve done a refresher course I’ve always found it interesting.

While I enjoy fighting spam and have done so for a number of years, the two things that I haven’t gotten to work much with are encryption and vulnerabilities (e.g., SQL injections).  Doing penetration testing, and especially augmenting that with social engineering, is a fascinating field of study.  I think using mathematics to reverse engineer and break encryption algorithms is neat because it would mean that all those calculus, differential equations and complex numbers I took in school would come in handy in real life.  If I ever left spam fighting, I’d probably look into those fields, or maybe do something else with statistics (my favorite mathematical field).

I particularly agree with the part about writing a blog as it serves multiple purposes:

  1. When you write things down, you understand them better.  When I wrote my series on backscatter several years ago, I understood it far more after writing it than I did before.  Same with SPF and DKIM.

  2. Writing is a difficult skill.  The more you do it, the better you get.  You might be a brilliant engineer, but you need to be able to communicate it to others.

Anyhow, it’s good stuff coming from Krebs.