How To Get Started In Information Security

First things first, this is a new area of study for you so you’re going to spend the next several days, weeks, months and years flailing around in the dark. You’ll make mistakes and feel like an idiot, you’ll get lost, you’ll get scared and discouraged and feel overwhelmed and want to give up. But you won’t. Cos I’m here to help.

Well, when I say me, I really mean the community. There are lots of people out there willing to help, whether you’re a basement goblin like me whose idea of reaching out is to watch some YouTube videos (I really really will try harder) or whether you love nothing more than working the room as a wannabe celebrity conference speaker, there is help out there. All the experts started off exactly where you are right now.

Second things second, infosec is a big field. Really big. You have no idea how big. And because you have no idea how big it is you’re probably sitting there thinking you’re going to be an ‘infosec guy’. I was. For about a half a day. Then I got lost.

I’ve spent a lot of time in the mountains and the most important thing when you find yourself lost is, as one of my old Mountain Rescue colleagues used to say

Don’t just do something, stand there!

Geoff

Stop moving and work out where you are. Catalogue your resources. Study the lie of the land. Orient yourself in the landscape. Focus on where you want to get to. Plan a route to get there. Break your route down into sections starting and finishing at defined waypoints. Then, and only then, follow your route. But never forget that

Everyone has a plan; until they get punched in the mouth.

Mike Tyson

Check your progress as you reach your waypoints. Take note of new features that reveal themselves as you change your location. Update your plans as required. Did you discover that you’re more into sitting by waterfalls than exploring woodlands? Bin some waypoints and add some new ones. And remember that the way to climb a mountain is to keep putting one foot in front of the other until the up runs out.

So metaphors are all fine and dandy, but what do you actually need to do?

Step 1. Work out where you are. Have you got some fundamental computing skills under your belt? Ever built a computer or a network? Have you written some code? Do you know how to take good notes? Are you good at writing? Are you good at studying for exams? Are you old and fat and comfortable and slow, wise and wily and grizzled and strong? Or are you young and smart and hungry and sharp, green and flighty and pressured and foolish? Got kids or a spouse or a job or financial commitments or hobbies? None of these things are show stoppers. All of these things should influence your route and your destination. Be very aware at this stage of the Dunning-Kruger Effect.

There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.

Donald Rumsfeld

Step 2. Study the lie of the land. I said infosec is big, and it is. So break it down. Get a sense of its constituent parts and how they fit together. I’ve done this, and I found it a bit tricky to be honest. Mainly because I started off knowing nothing about it. There’s a lot of terminology. And there are an awful lot of resources – don’t fall prey to the paradox of choice. The good news is, I’ve done this. You can have my results. Save you the effort.

Step 3. Come up with some waypoints. Not too many to start with. And make sure they’re not too far away. Get some idea of how to reach mastery and then start small and grow. Breadth first (maybe read one book on a wide variety of topics) or depth first (read all the books on a single topic)? Do you want to get a basic overview of networking or do you want to become the world’s foremost expert in the timing of ARP cache refreshes chosen by various router manufacturers? Neither is a bad choice, even for a beginner. I do, though, have a few suggested prerequisites which seem to be widely regarded as things you should get squared away before digging into infosec specifically.

Step 4. String your route together. How do your chosen waypoints connect to each other? You do know that you can only do one thing at a time right? Identify dependencies and visit your waypoints in order. Having said that, learning is not exactly like walking. There’s nothing to stop you switching between topics or projects if you get stuck or temporarily lose motivation. You can insta-warp from one location to another. Just try not to do it too much.

Step 5. Start walking. You’ll find all sorts of exciting and interesting things along the way.

  • Go slow to go fast. Make things hard enough so you have to work for deep understanding. This will make things go quicker in the long run.
  • Don’t google. Try to find out yourself using the tools available to you. That way you learn your tools and you don’t end up solving your problems through voodoo incantations and copy-pasta Stack Overflow commands.
  • Learn to ask good questions when you need to.
  • De-noise everything. When there’s too much noise you can’t hear the signal.
  • Collect raw data and throw away the expected. What remains challenges your theories. Remember, though it could be ‘spurious emissions from space’, it’s far more likely that you just made a mistake.
  • Mine shafts and rabbit holes are easy to fall into, though, so be on the lookout for going too deep. If it’s not in service of your current route, maybe just make a note to come back and explore at a later date. Might be easier and more illuminating once you’ve got a torch.

Step 6. Take photos and write your travelogue as you go. It’s crucial to keep good lab notes. Sketch that mountain vista so you can revisit it without having to do all the walking again. But make copious and detailed notes on the route you took to get there in case you do need to re-walk that route. Bear in mind though that a lot of routes have been walked and written about before. There’s nothing wrong with using other people’s hard-earned wisdom. Prefer linking to copying. Annotate with your own personal viewpoints or observations – the weather and light will be different when you visit and even the landscape itself may have changed. And don’t take anything as gospel – this is the hacker mentality.

Step 7. Bask in the glorious vistas you discover but don’t linger on the summit too long – it gets cold at night. Achieving a goal only changes your life for a moment. Goals are good for setting a direction but putting one foot in front of the other is the only way to make progress – your outcomes are nothing more than a lagging measure of your habits.

Step 8. Sit in the pub with a pint. Re-read your diary. Look at your photos. Refresh your recollections. Spaced repetition is your friend when it comes to extracting the most memories from your days of hard walking.

Step 9. Go for a walk. As in close your browser tabs, put the keyboard down, shut the books, grab a flask of tea and some hobnobs and actually go out in the sunshine for a walk in the hills. Get lost a bit maybe.