How to get started with IT security – Gábor Pék, CTO
Gábor Pék (CTO, Avatao)
It was during my high school years that I was first bitten by the IT security bug. The challenge was clear to me. There was no internet connection during breaks between our IT classes, so my classmates and I had to find a solution to this problem. Fortunately, we found a proxy server in the school network that could be used as a gateway to funnel our traffic to the world-wide-web. After solving this problem that had been nagging at us, we were hooked, and dug deeper into the realm of hackers. The more we learned, the more impossible it was to stop our pursuit of this “forbidden” knowledge. My heart and my gut instinct were telling me the same thing: this is something I truly enjoy. I craved more, I wanted to go deeper and deeper into the software stack, so I bought some books about assembly programming in order to have full control over the hardware side of things.
Yes! Finally, this is what I’d been missing! I started writing real code and I was thrilled to show off the magic tricks crafted by my hands in school. It was so great to demonstrate that you can draw graphics on an 80×25 DOS command line interface. The sweet feeling of success. I was so obsessed that I spent almost all of my time at home in front of a Belinea 85Hz CRT screen writing low-level code, trying to understand malware, and learning about hacking, Linux, Unix and all the hacker-friendly operating systems. Only later did I realize that these initial experiences were not just anomalies in my life. IT security became my hobby, my work, and my passion.
There are two main roads in IT security to bootstrap from: the offensive way and the defensive way. I took the former route, though at the time I didn’t know there were any other options. The urge to break things apart and dissect code was so compelling that I simply followed this call and grasped at anything I could to help me along the path.
The offensive way
One of the most important human elements of the offensive way is curiosity. When someone is eager to find out how something works, they are more likely to discover treasure that wouldn’t be seen otherwise. Curiosity is the fuel that allows you to investigate the unknown. Based on my experience, the best way to acquire knowledge is to combine theory and practice as you go. Without theoretical foundations, it is difficult to build up a holistic understanding later on, and a lack of practice will always keep you from applying your knowledge in real use cases.
1. Set your goal and build your map
As a first step, define a clear goal; for instance, “I would like to be the best malware researcher in my family/county/country/world in X years.” Write down the goal and take the first step by creating a map that you can use as a GPS. A good start can be your very first book about your favourite topic, such as The Art of Computer Virus Research and Defense by Péter Szőr in malware research. Alternatively, enroll in an online course, for example on Udemy. That will give you similar foundations. You will always be modifying and updating your map, but the point is to have something in your hand that gives you certain guiding principles.
2. Get your hands dirty (a.k.a. the cold start)
Once you know the terminology and some basics, put it into practice. Don’t wait, not even for a minute. Set up your very first sandbox (e.g. Cuckoo) inside an isolated virtual machine with networking disabled and a clean snapshot to roll back to, download an open-source sample (e.g. the Diamorphine Linux kernel rootkit) and check out how it works. Simply by running your very first malware you will learn a great deal about operating systems, virtualization, exploitation techniques, cryptography, and more.
3. Get curious: Ask your questions (a.k.a. the breadth-first search)
The most important thing is to keep asking questions. Sticking with the topic of malware, you may ask yourself:
- Is it a known sample? Look up its hash on VirusTotal first; uploading the file itself shares it with every vendor on the platform, which you may not want for a sensitive sample.
- What does it do? Open it in a disassembler like IDA or Binary Ninja and check if there are known software components (e.g., hash functions, libraries) being reused.
- What programming language is it written in? Well, this is a good opportunity to learn about assembly, compilers, and binaries.
- What type of malware is it? A rootkit or something else?
- How does it spread? Via a memory corruption error, or a vulnerable website?
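One concrete way to answer the “known software components” question, as an added example that is not part of the original post and not taken from any named tool: a reused MD5/SHA implementation almost always carries its specification constants verbatim, so a scan for those constants (the idea behind IDA’s FindCrypt-style scripts) points you at the hashing code before you read a single instruction. The sample blob below is constructed here for the demo; it is not a real malware sample.

```python
import struct
from typing import Dict, List, Tuple

# 32-bit constants copied from the public specifications: RFC 1321 (MD5) and
# FIPS 180-4 (SHA-1, SHA-256). The first few words of each table are enough to
# identify the algorithm. MD5 and SHA-1 share the same four initial words, so
# that entry is deliberately labelled as ambiguous.
SIGNATURES: Dict[str, List[int]] = {
    "MD5/SHA-1 initial state": [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476],
    "MD5 T-table (first 4)": [0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE],
    "SHA-1 round constants": [0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6],
    "SHA-256 initial state (first 4)": [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A],
    "SHA-256 K table (first 4)": [0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5],
}

# (signature name, offset, "little"/"big", "table"/"scattered")
Hit = Tuple[str, int, str, str]


def _find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in haystack (overlaps included)."""
    offsets: List[int] = []
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def find_crypto_constants(data: bytes, window: int = 256) -> List[Hit]:
    """Locate known hash constants in a raw byte blob.

    Compilers emit such constants in two shapes, so two searches are run:
      * "table": the words sit back to back in .rodata (a lookup table);
      * "scattered": each word is an immediate operand in the code, so the words
        are close together (within `window` bytes) but not contiguous.
    Both little- and big-endian encodings are tried: a 32-bit constant is stored
    byte-swapped relative to its textual value on x86 and (usually) ARM.
    """
    hits: List[Hit] = []
    for name, words in SIGNATURES.items():
        for endian, fmt in (("little", "<I"), ("big", ">I")):
            packed = [struct.pack(fmt, w) for w in words]
            table_offsets = _find_all(data, b"".join(packed))
            for off in table_offsets:
                hits.append((name, off, endian, "table"))
            if table_offsets:
                continue  # a contiguous match already explains these words
            # Scattered search: anchor on the first word, then require every
            # remaining word to occur within `window` bytes after the anchor.
            others = [_find_all(data, p) for p in packed[1:]]
            for anchor in _find_all(data, packed[0]):
                if all(any(anchor < o <= anchor + window for o in occ) for occ in others):
                    hits.append((name, anchor, endian, "scattered"))
                    break
    return sorted(hits, key=lambda h: h[1])


def build_sample() -> bytes:
    """Constructed sample (not real malware): a little-endian SHA-256 K table in
    data, plus the MD5 initial state loaded by x86 `mov r32, imm32` instructions
    (one opcode byte 0xB8+reg followed by the 4-byte immediate)."""
    filler = b"\x90" * 16  # NOPs standing in for unrelated code
    k_table = b"".join(struct.pack("<I", w) for w in
                       (0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5))
    md5_init = b"".join(op + struct.pack("<I", w) for op, w in (
        (b"\xB8", 0x67452301),  # mov eax, 0x67452301
        (b"\xBB", 0xEFCDAB89),  # mov ebx, 0xEFCDAB89
        (b"\xB9", 0x98BADCFE),  # mov ecx, 0x98BADCFE
        (b"\xBA", 0x10325476),  # mov edx, 0x10325476
    ))
    return filler + k_table + filler + md5_init + filler


if __name__ == "__main__":
    for name, off, endian, how in find_crypto_constants(build_sample()):
        print(f"{off:#06x}  {how:9s} {endian:6s} {name}")
```

Run it against a real binary by replacing `build_sample()` with the file’s bytes. A hit tells you where to start reading in the disassembler; it does not tell you the author wrote the code themselves (statically linked library code carries the same constants), and a heavily optimised or obfuscated build can compute constants at run time, which this scan will miss.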
4. Specialize (a.k.a. the depth-first search)
As you can see, the more questions you raise, the more topics will pique your interest. Choose one and delve into it. The more time you invest into a topic, the more specialized you will be, and one day you will reach your goal. But you still need to always remember that learning is an infinite game.
5. Review and redefine
I am sure there will be moments when you feel the winds of change blowing. When it happens, simply stop and review what you’ve learnt so far. You can even refer back to your map and check whether you need to change the topic or just pick another field that interests you. This way you can build up a nice knowledge base with a holistic overview and hands-on experience.
The defensive way
The defensive way is mainly for builders, and developers are the ones who typically choose this option. On this path you generally start building up a solid knowledge base in programming languages and software engineering because your call is to create something new. Unfortunately, security is rarely part of the curriculum, so it comes as no surprise that most of the software we create lacks security considerations. In many cases, hotfixes and patches are the only things keeping our systems alive. This is why the defensive way requires more flexibility and caution on our end; we need to handle both legacy and modern systems simultaneously. Just like the offensive way, there is no point in only learning theory without practical application at the same time. Still, you need to spend much more time building up the right security mindset, since the security fixes you will implement have to be resilient in the long run as well. Hackers hunt for the weakest links, so as a developer, you have to always think of your software and infrastructure as a whole entity to defend. Here are my suggestions to move forward.
1. Set your goal and build your map
Similar to the offensive way, you need to find guide rails (e.g., the OWASP Top 10) to set off from. The only difference is the preliminary knowledge you’ve already acquired to build infrastructure and to design and write code. As a result, you tend to align your goal to your existing skills. For example, if you are a Python developer about to write secure code in Python, your mantra could be: “I will protect all my software against the OWASP Top 10 vulnerabilities within X months.”
2. Get your principles right
Most security issues are rooted in a handful of problems (e.g., improper input validation, bad memory and life-cycle management, or trusting input from untrusted sources). To handle all these issues you need to take a step back and learn how to address the more general problem. You should think like a hacker. Their goal is simple: to get control over your application. As your software interacts with the world via inputs that may come from different sources, you have to make sure that nothing can go wrong in the process. To do this, I highly suggest learning the fundamentals of cryptography, memory management, network security, API security, and operating systems.
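To make the “improper input validation” point concrete for the Python developer from the goal-setting step above, here is an added example (not code from the original post): the same user lookup written once with string formatting and once as a parameterised query, plus an allow-list check at the trust boundary. The SQLite database and the two users are constructed here so the script runs offline.

```python
import re
import sqlite3
from typing import List, Tuple

# Allow-list for usernames; anything outside it is rejected before it reaches SQL.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample database (not real data): two users, one admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Builds the statement with string formatting: the caller's input becomes
    part of the SQL grammar, so a quote in `name` rewrites the WHERE clause."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterised statement: the driver binds `name` as a value, so no
    character in it can change the structure of the query."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def validate_username(name: str) -> str:
    """Allow-list validation at the trust boundary. This is defence in depth,
    applied before the query; it is not a substitute for parameterisation."""
    if not USERNAME_RE.match(name):
        raise ValueError(f"rejected username: {name!r}")
    return name


def demo() -> dict:
    """Run both lookups against a benign name and an injection payload."""
    conn = make_db()
    payload = "bob' OR '1'='1"  # closes the quote and appends a tautology
    result = {
        "benign_vulnerable": lookup_vulnerable(conn, "bob"),
        "benign_hardened": lookup_hardened(conn, "bob"),
        "payload_vulnerable": lookup_vulnerable(conn, payload),  # leaks every row
        "payload_hardened": lookup_hardened(conn, payload),      # matches nothing
    }
    try:
        validate_username(payload)
        result["payload_validated"] = True
    except ValueError:
        result["payload_validated"] = False
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

The vulnerable form returns both users for the payload because the input was interpreted as SQL; the hardened form returns nothing because the same string was bound as a value. Keep the allow-list as a second layer, but fix the root cause with parameterisation: a validation regex you forgot to apply on one code path is exactly the weakest link a hacker hunts for.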
3. Learn from your enemy
Security principles help you build a holistic approach for your defense. However, it is essential to also understand the tricks that hackers typically exploit to misuse your application and system. So it is high time to learn from the other side as well. Here are some ideas:
- Check out what CTFs look like and play with platforms like Hack The Box
- Try out penetration-testing distributions such as Kali Linux or Parrot OS
- Study hacking from books and online courses
4. Get your hands dirty (a.k.a. the cold start)
Here are some practical tips on how to move forward. Of course, it is up to you and what your fields of interest are:
- Threat modeling is a great technique to design architecture and write software with security in mind. Tools like IriusRisk can help you automate your job a lot.
- Play with security learning platforms like Avatao or OWASP Juice Shop.
- Try out code and dependency scanners like Snyk or Sonatype.
5. Review and redefine
Similar to the offensive way, sometimes you have to stop and look around. These pauses help you assess whether you are following your original goals or doing something completely different. If you feel that it is time to have new goals and a new map, don’t hesitate to change your plan. The whole point is to enjoy your journey, as new discoveries only come from new experiences.
Obstacle is the way
No matter which path you take, it’s 100% guaranteed that you will face many obstacles along your path. Yet it is up to you how to respond to these challenges. Yes, you will lack the necessary knowledge and the tools, and you will always be missing some information you need to move forward. However, these impediments should only inspire you to solve problems in a creative way that no one has thought of before. You should have faith in yourself, because this inner trust will help you get up again after falling down. Security is not a black box at all, you just need to find your own call and do your best to follow it. One day, you will see that everything you learnt was not only a gift to solve problems better and faster, but also opened many doors to see yourself from an entirely new perspective.