How to start a career in information security

Hello! My name is Ivan, I am a cybersecurity engineer in a fairly large company and the author of the course “Information security specialist: web pentest”. I have been in this field for about six years. Now I am involved in application security testing, architecture and implementation of security solutions, project design and much more, including pentests.

In this article I’ll tell you about the most difficult stage in information security—the start. I will describe what you should think about before going into this area. I’ll tell you about common mistakes made by beginners and the basics: skills and knowledge. I’ll also share a starter pack for self-immersion into context and learning: from podcasts to books.

Understand that this is truly your sphere

First, a little about the terms. Information security is the protection of data in both digital and paper form; specialists in this profile fight both external and internal threats. Cybersecurity is mainly about threats from outside, primarily those arriving over the Internet. Because of this, the profession has some features you need to take into account.

A systems mindset. It is not enough to think about one profile. Any information security specialist who wants to build a successful career and keep up with threat trends must constantly learn new things and immerse themselves in interdisciplinary knowledge. Take a web pentester. On the one hand, they must know and be able to exploit vulnerabilities and attack techniques: XSS, MITM and others. They must understand architecture, work with the tooling and (not required of a novice) know the features of scripting languages. And they also use social engineering and OSINT skills.
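As an added illustration of the kind of bug such a pentester must be able to recognise and prove, here is a reflected XSS in a server that echoes a search term, next to the escaped rendering that fixes it. This is example code written for this edit, not code from the article or from the author's course; the search endpoint, its `q` parameter and the attacker URL are constructed for the example.

```python
"""Reflected XSS: the vulnerable rendering beside the escaped one.

Added illustration, not code from the original article. The search page,
the "q" parameter and the attacker URL are constructed for this example.
"""
import html
from urllib.parse import parse_qs, urlparse


def render_vulnerable(query: str) -> str:
    """Echo the user's search term straight into the page markup (the bug)."""
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    """Escape the term so the browser treats it as text, not as markup."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def handle_request(url: str, renderer) -> str:
    """Pull ?q= out of a request URL (percent-decoded) and render it."""
    params = parse_qs(urlparse(url).query)
    query = params.get("q", [""])[0]
    return renderer(query)


def contains_script_tag(page: str) -> bool:
    """The crude check a pentester automates: did the injected tag survive?"""
    return "<script>" in page.lower()


# Constructed attacker URL: the payload a tester submits to prove that the
# page reflects input without escaping it.
ATTACK_URL = (
    "https://shop.example/search"
    "?q=%3Cscript%3Ealert(document.cookie)%3C/script%3E"
)

if __name__ == "__main__":
    print(handle_request(ATTACK_URL, render_vulnerable))
    print(handle_request(ATTACK_URL, render_safe))
```

The first line printed contains a live `<script>` element, which is what a proof-of-concept screenshot in a pentest report shows; the second contains only `&lt;script&gt;` text, which is what the fix should produce. Real frameworks do this escaping in their template engines, but the test a pentester runs is exactly this one: send a marker, look for it unescaped in the response.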

The ability to think like an attacker. The main thing to understand about cybersecurity is that defenders are always one step behind attackers. We build protection by thinking about how and where someone could get into our systems, but it is the attackers who first find previously unknown loopholes. These are called "zero-day vulnerabilities" or "0-days": the name reflects that the vendor has had zero days to fix the flaw before it is exploited. If a specialist thinks like an attacker (a pentester concentrates on how to break in, an analyst looks for ways the protection could be bypassed, an architect puts themselves in the place of an intruder who is already inside the system), there is a much better chance of building an effective defense and responding quickly to an attack.

Ability to work carefully and meticulously with large volumes of data. For example, information security auditors must break a company down into dozens, if not hundreds, of potential attack paths, analyze each one, and give specific channels an assessment and recommendations for improvement. Forensic analysts reconstruct a chain of events from many channels, looking for the criminal based on fragments of data from dozens of sources.

And a little more about the contentious questions.

Is a technical degree required? No. I work with people who did not receive a technical education at university and came to information security without any technical background.

Do you need to be able to program? Ideally, yes, but this is not at all necessary in the early stages of your career. It is great if you can write in one scripting language: Python, PHP or JavaScript. Even better if you can use several.

Can you learn it all on your own? Yes, but it is much harder. There is a lot of information, it is scattered, and it is rarely kept up to date. This is the advantage of formal education: it gives you what you need straight away.

Select direction

There are more than 30 specializations in information security. Each has its own characteristics, its own approach to solving problems, and its own goals. We will list a few of the most popular ones.

  1. IT Security Analyst — collects and processes information about possible threats. The company's defense strategy is built on the results of this work.

  2. Information Security Architect — designs and implements the company's information security system. If the analyst prepares the material for the strategy, the architect executes it.

  3. Pentester — a legal hacker. Attacks the customer's systems with the customer's explicit authorization. This is the closest possible scenario to a real attack.

  4. Forensic analyst — the specialist who is brought in when an attack has succeeded. They determine the timing, circumstances and consequences of the attack. These people often work with law enforcement, especially when state-owned enterprises were targeted.

  5. Bug hunter — looks for flaws in various resources and receives a reward for finding them. For example, if you find a vulnerability in "Government Services", "Feedback Platform", ESIA or GIS EBS, you can receive from 100 to 300 thousand rubles from the Ministry of Digital Development.

  6. Security Operations Center (SOC) specialist — responds to incidents in real time and repels attacks based on event analysis.

In information security, people often move from one discipline to another. Some start as a SOC specialist and eventually move into pentesting. Analysts become architects, pentesters become bug hunters. The field is very flexible in terms of horizontal careers. And, of course, you can follow the management path: start as a junior specialist, grow through the grades, and then move on to technical lead.

Start basic and specialized training

Whatever profile you choose, you need to start with computer science fundamentals: operating systems, protocols, the web technology stack, how the Internet is put together and the basic network protocols. A legend among free courses is Harvard's CS50. There are also courses on Coursera and Khan Academy.

After this, you should dive into more specialized knowledge, depending on the specialization you choose. But whatever the direction, it is worth knowing the key vulnerability classes, the basics of DevSecOps (secure development), and OWASP, the open project for application security. It has important material, from its lists of the most common vulnerabilities to webinars (all in English). Its recommendations are highly valued by independent auditors, so it is worth constantly following what the foundation says and writes, for example its guide on how to test web applications.

Eliminate common mistakes made by beginners

Studying everything at once. There is nothing wrong with immersing yourself in different specialties to find yours. But once you have found it, go straight into specialized training. If you choose pentesting, study vulnerabilities and their exploitation, not forensics and information security auditing.

Relying only on theory. Without practice, any learning has little meaning. There are two options here: either look for an internship in a company, or practice on CTF platforms, resources that offer training tasks in finding vulnerabilities, hacking and more. By the way, this already counts as experience you can show at an interview: the employer will see that you not only read, but also did something with your hands. Popular in Russia is RuCTF; internationally, DEF CON CTF and Google CTF.

Get a certificate

Any employer wants to be sure they are hiring a good specialist. If you do not have practical experience or a full university education, certificates will help. Obtaining them, however, is not easy either: you need to prepare seriously, and sitting the exams on the territory of the Russian Federation is problematic. But even if you do not take the exam, study the materials and guides, as they are compiled according to international standards.

CEH (Certified Ethical Hacker) – shows that you know where to look for vulnerabilities in systems and how to detect them.

CISSP (Certified Information Systems Security Professional) – shows that you have knowledge and skills across the breadth of IT security.

In Russia these certificates are also valued, but employers may also look at candidates with training certificates from Russian companies, for example the web pentest course from Yandex Praktikum.

Explore additional materials

We divided them into two large blocks: context and training. Context is needed so that cybersecurity becomes part of your routine: reading channels, listening to podcasts, watching videos. Training is for building hard skills.

Understand the context

Podcasts

  • Querti from Red Barn – a podcast with a low entry threshold. The presenters discuss the most basic information security topics. The first two seasons are entirely for beginners; the third is more about careers in information security.

  • Change Your Password from Kaspersky Lab – a documentary and practical podcast in which the company's experts discuss cybersecurity investigations and help you understand new threats.

  • Scheme from T-Zh – a podcast that analyzes fraud schemes. Cybersecurity is an area where psychology matters, and this project shows how attackers deceive even savvy users.

Telegram channels

  • Kraken — there is no news in this channel (at least for now). Instead it publishes cybersecurity texts of various formats: guides, instructions and checklists, as well as descriptions of various attacks and vulnerabilities. This channel is for beginners.

  • SecurityLab.ru from Positive Technologies – news from the world of cybersecurity. The editors collect the latest threat research from around the world and notable cases.

  • Hacker.ru — the alma mater of the first generation of cybersecurity specialists in the Russian Federation. This is the Telegram channel of a well-known magazine that has been published since 1999. It mainly carries news from the information security world and selections of reports and studies. If you want to understand how the cybersecurity industry developed in our country, read the magazine archive. It is free.

Start self-education

YouTube channels

  • John Hammond — more than 1,400 videos on training, vulnerabilities and practical cybersecurity skills. Unfortunately, most of the videos do not have Russian subtitles, but for people who want to develop in information security this should not be a problem. English is the language of all modern solutions, platforms and tools.

  • LiveOverflow – the channel of independent researcher Fabian Faessler. It has quite detailed walkthroughs of techniques and practical cybersecurity challenges. Challenges, not real cases.

Books

  • Michael Howard and David LeBlanc – Writing Secure Code. The book Bill Gates famously required Microsoft developers to read. It contains advice and techniques for protecting applications at every stage of software creation, from design to writing robust code. There is a lot on threat modeling, mitigating risk, keeping secrets in applications, and reviewing source code for potential flaws.

  • Ben Rothke – Navigating the Cybersecurity Career Path. A book that will help beginners (and not only beginners) understand how to build a career in information security.

  • Defensive Security Handbook: Best Practices for Securing Infrastructure – a practical book of specific instructions for solving cybersecurity problems in companies, from password management to vulnerability scanning and pentests.

Develop professional skills and career

Cybersecurity is an area where there is always something new to learn; there is no ceiling on knowledge. The more you immerse yourself in different disciplines, the more valuable a specialist you become. Information security is not much different from other kinds of work: the standard path to a first offer applies here too:

Training → Practice → Certification → Internship/Cases → Resume → Feedback → First offer

I advise you to immerse yourself in the context at first, focus on learning and practice. Get to real work as quickly as possible. And the most important thing is not to stop.
