Learning New Tricks

I recently presented a short version of my “No-NOC Networking” talk to a room full of managers, C-level executives, policy makers, and technical evangelists. These are not the people in a network operation center (NOC), but the room did include people who manage the people in the NOCs. For this presentation, I lowered the technical level to someone who hasn’t taken a basic networking class in years. The talk was very positively received.

Most of the questions were exactly as I expected, like “Where can I get your software?” and “What were those Linux commands to turn off scanner responses?” (The answer to both is at the Nuzzle web site). But there were also a few people who had the same kind of unexpected request: Where can I learn more?

They weren’t asking about learning more ways to deter network attackers. Rather, they were asking about where they could learn more about security in general. A few people confided that they weren’t sure if they were too old to learn.

Full stop: You are never too old to learn about security. Whether you are looking for a late-in-life occupational change or just a new hobby, you can always learn this as a new skill.

Where to Start?

I often hear people talking about starting with a certification, like CISSP, CEH (certified ethical hacker), or some of the SANS courses. However, I think that’s like diving into the deep end of the pool. (As an aside: this isn’t a recommendation for any of these certifications. As someone who tracks down cyber bad guys for a living, I’ve seen more unethical behavior from people with CEH credentials than any other group!)

Before you get too deep or start paying for some kind of education, start by finding out what you like. There isn’t just one kind of “computer security”. What’s your interest? Here’s a short sample of different cyber areas:
Cryptography (great for math and puzzle people)
Network security
Policy
Reverse-engineering
Social engineering
Red team (offense)
Blue team (defense)
Hardware and IoT (internet of things)
Software (fuzzing is fun!)
Physical security, including lock-picking
Anonymity and privacy
AI and counter-AI (yes, there’s a security element)

This is far from everything. Most of these categories include forensics (detection) and anti-forensics (avoiding detection).

Don’t know which one to choose? Try them all and find what you like! (Personally, I like the weird stuff, like file format forensics and packet-level network forensics. But I’ve also worked with everything else in this list.)

Groupies

Besides trying to learn on your own, there are tons of conferences. Most weeks have multiple conferences worldwide. While conferences usually require paid admission, a few are free or even online.

There are also tons of meet-up groups. Many of these groups are part of larger organizations. For example:
The Open Worldwide Application Security Project (OWASP) started with a focus on web-security best practices. However, it has evolved. Today, it mostly focuses on policies and processes for securing generalized applications. The organization has individual satellite chapters that hold monthly meetings all over the world.

DEF CON is a huge hacker conference that is held once a year. However, it has spawned lots of smaller “DEF CON groups” that meet monthly. Most are identified by their telephone area code. For example, Denver is area code 303, so their local DEF CON group is “DC303”. Unlike OWASP, the DC groups usually have topics that span the entire spectrum — software, hardware, social engineering, etc. Often, they include live demonstrations and how-to information. Some of these groups meet in person, while others are online.

If you’re new to DC groups and you don’t like one topic, then wait a minute and there will be a different topic. The only warning: the content can be extremely detailed and discussions may quickly go over your head.

Most of these groups are friendly, helpful, and welcoming to new people. Also, most of them look down on using technology for evil, malicious, or illegal purposes. You’re not going to learn how to compromise your ex’s Facebook account or how to steal money from an online transaction.

Can’t find a local group? Try using Meetup. Search for your city and the “Technology” category. In Fort Collins (where I am), we have “Women Who Code”, “Fort Collins Internet Professionals” (FCIP), Northern Colorado Hackers (NoCo Hackers), a couple of Python developer groups, web developer groups, and more. And keep in mind, Fort Collins isn’t a “big city”; big cities have even more groups. Unless you’re out in the middle of nowhere (sorry, Casper, Wyoming), there’s probably something nearby.

Hands On

Beyond groups, many organizations offer various games where you can try tools, techniques, and methods in a controlled and safe environment. (I liken it to how cats sharpen their claws.) The games often include different skill levels, from newborn novice to guru expert. In my opinion, the real-world problems are nowhere near as difficult as the harder games.

So how can you find these games?

If you ask in any of the social groups (OWASP, DC, etc.) then someone is bound to provide some suggestions. But even without group participation, there are lots of ‘capture the flag’ (CTF) opportunities out there. These include challenges and puzzles that award points for completion. Some are meant for individuals, while others permit teams. (Often, teams are looking for new members. It’s usually easy to find a team that will take on a new person.) Some of the better-known CTFs include:
CTF101: The challenges include forensics, cryptography, and more.

PicoCTF (login required) and Hacker101 CTF (login required) include practice levels, challenges, and competitions.

The National Cyber League and Try Hack Me both provide more formal learning environments.

If you really enjoy these CTF games, then there are competitive teams. Many of the larger conferences have CTF contests with prizes for the winners.

Personally, I find game play to be a great way to teach and test knowledge. At my FotoForensics service, I include a few ‘Challenges’ (Tutorials → Training → Challenges) where people can try to evaluate pictures in a controlled environment.

New Tricks for Old Dogs

Just as there are different security focuses, there are also different ways to learn. Regardless of whether you prefer self-paced, hands-on, one-on-one, or a classroom environment, there are plenty of options. After you find your interest and get a taste of the technologies, then you can start focusing on formal certifications and professional education… or you can be an informed amateur.

Most companies, universities, and news outlets focus on cybersecurity as a career. (OMG! 650,000 cyber jobs are now vacant!) However, it doesn’t have to be a career. These topics have benefits even in small amounts. With a little practice, you will start noticing fraud and scams, identifying poor security practices, and distinguishing the real threats from hype. The fundamentals used to include reading, writing, and arithmetic. Then it expanded to some computer literacy. Today, a little computer security knowledge is becoming a fundamental requirement. It’s time to start learning!