January 29, 2022 in Training by Ell Marquez (8 minutes)
“I want to be in the cybersecurity field like you!” I used to tell my friends.
At the time, I had no idea I was about to embark upon one of the most challenging endeavors I've ever tackled, not because of the industry itself but because of the overwhelming amount of technology involved. Thankfully, I've been lucky enough to have a tribe of hackers willing to help me find my footing. From my first Infosec conference, this community has been the most welcoming group of people I've ever met, answering all of my questions and taking the time to sit down and walk me through exactly what they were talking about. Their generosity and willingness to lift others up and bring them along were significant parts of what sparked my interest in cybersecurity in the first place.
To thank my tribe and pay their efforts forward, I've started this blog series and invited you all to take this journey with me. The path may get rocky, and I'm sure to make missteps, but I'll share everything, bruises. If you take one thing away from this adventure, it's the idea that it's okay to be new to something, to admit that you don't know what you don't know, and to be willing to ask for help.
But what do you want to do?
When I'd tell my friends I wanted to be in cybersecurity, I didn't realize how wide open that statement was. It'd be like saying I wanted to pursue a career in medicine or education. Their answer was usually some form of, "great, but what do you want to do?" I soon realized that I didn't know enough to even know how to answer them. So, I reached out to the community, asking people what they did and how they got started. This ultimately became a large part of my work on Jupiter Extras. This is how I first encountered James Smith, a self-described back alley pentester, breaker of scripts, and Dungeons & Dragons enthusiast. Based on his description alone, he was definitely someone I needed to meet! During our time together, he mentored me on the importance of "mastering the basics," as it would provide a solid foundation for whichever path I decided to take. As an instructor told his team during his time in the special forces, "we look special because we master the basics."
The Five Pillars
Mastering the basics sounds great, but which basics? Even figuring out where to start can be overwhelming for someone just starting out. James broke it down into the following five pillars.
Pillar 1: General Computing
General Computing includes subjects such as threads, processes, process trees, and memory (RAM).
Pillar 2: Computer Networking
Computer Networking fundamentals like the OSI model, TCP/IP, subnetting, and VLANs. This pillar also contains what I consider more advanced topics, such as packet capturing and packet analysis.
Pillar 3: Scripting and Programming
Here, James left open the choice of programming language, and I was thankful to see that he included BASH in this list. What can I say? I know a Python one-liner can do what I do in 20 lines of BASH, but I'm still proud I managed to write the script!
Now, I was starting to sweat a bit, as I wouldn't say I have a strong foundation in any of the previous three pillars, so I was glad to be able to breathe a sigh of relief when we got to Pillar 4.
Pillar 4: Linux and MacOS
Finally, a pillar where I had a strong foundation! I'll admit that I pushed back a bit here, arguing that the two operating systems, though both UNIX-based, should be separate pillars. His response? "The same could be argued for many subsections on the list." Landing on five pillars is a subjective choice, and I can craft the pillars that work best for me.
My joy was short-lived as we moved on to pillar five.
Pillar 5: Windows
Gulp. In my conference talk, Confessions of a SysAdmin, I proudly stated, "I have never used Windows." After looking at Microsoft reporting that there are over 900 million Windows devices currently active, this pillar has helped me realize all I was saying was, "I've been tackling this field with one hand tied behind my back."
You might have noticed that none of these pillars directly relate to what many starting out in cybersecurity would consider part of the field. I mean, where's the hacking!? But when we stop and really look at the pillars, we can understand why they were chosen. After all, what would we be defending or attacking? Operating systems and networks, perhaps? And how would attacks be carried out or warded off? Would scripting play a role?
James has done an amazing job breaking down these pillars and providing a plethora of resources that can help you pave your own path. I highly encourage everyone to read about the five pillars on James' GitHub. Then, take a few minutes to listen to our recent conversation on Jupiter Extras, where we delve deeper into how to master the basics.
From Five Pillars to Three
Marcus J. Carey, an active member of the cybersecurity community and author of the Tribe of Hackers series, was also kind enough to offer his thoughts on mastering the basics. Marcus has a slightly different perspective as he likes to streamline things.
The three pillars he teaches are system administration, internetworking, and software development — "and they all work together in the long run."
Pillar 1: System Administration
System administration is critical, Marcus says, because, at the end of the day, that's where the data lives. "Big picture, the core concepts of different operating systems are the same. Windows certainly is different from UNIX/Linux-based systems, but the core principles of securing them are the same. I tell people to learn the Windows world and learn a flavor of Linux." He also encourages people to learn scripting or at least understand it on both branches. On the Windows side, you should know command line scripting, such as batch files, and advanced concepts like PowerShell. On UNIX/Linux, learn scripting and Python, as those are most used by system administrators. "Attackers 'live off the land', ...they use built-in tools and programs for their nefarious purposes," explains Marcus. Mastering those tools will help you understand their vulnerabilities and better prepare you to defend them from attacks.
Pillar 2: Internetworking
"Security professionals should have a great understanding of how systems connect over the local network and internet," Marcus continues. "Most targeted attacks are going to be over the internet, which means if you don't understand the internet, you aren't going to be the most prolific attacker or defender." I see this as similar to my earlier reluctance toward Windows. You have to be deeply familiar with the space where attacks occur, or else you won't be able to do much good.
Pillar 3: Software Development
Marcus' third pillar is software development. "It's important to understand because software manages, stores, and transmits all the data we are trying to protect. So you must know system administration to secure software. You must also understand internetworking so you ensure that the data is transmitted securely." Also, when security professionals and attackers write scripts and tools, they are actually developing software. Competence in software development also allows us to help test and secure software. Ultimately, Marcus sees all three pillars "in sort of a triad or pyramid" of what a security professional should strive to master.
Going On An Adventure
So what did I do with my newfound knowledge? Simple — I put aside my dreams of being just like my hacker family and, in true hacker spirit, build my own path instead, one foundational stone at a time. Gone are the days of proudly announcing I've never used Windows. In fact, I'm writing this on a Windows machine and even went so far as presenting on the same device at the South California Linux Expo (SCaLE). I was pleasantly surprised that no one booed or jeered. Actually, everyone was quite supportive of my journey. I'm studying for my Security+ certification* to learn to navigate the alphabet soup of acronyms utilized in the security community. I've also joined a free Network+ study group that Marcus is leading — and he's also extended an invitation to all of you. While the Network+ cert isn't my top priority right now, the knowledge is a foundational stone I wish to have. If you're searching for the best way to start your journey but are unsure this is the best place to start, that's okay! Everyone travels their own path, and that experience has been the most enjoyable part of joining the cybersecurity community (or, as I call them, my hacker family).
* I did get my Security+ certification shortly after the publishing of this article.
This blog was initially written for and published by Linux Academy; however, it has been modified to better emphasize essential takeaways.