New to Infosec? Some Humble Advice

At the time of writing this post, I have been genuinely interested in Infosec for about 2 years. Along the way, I’ve learned a great deal, some of which excites me and some of which terrifies me.

Every now and then, people come to me asking for advice, mentorship, and general guidance. Often I get some really great questions. Other times, the questions are pretty poor and could be answered with the simplest of Google searches. So below, I’d like to highlight some of the best things a new Infosec nerd can do.

Got a question? Consider going to Google and exhausting all efforts in finding an answer

By using Google thoroughly, not only are you potentially saving someone else’s time, but you’re also building your Open Source Intelligence (OSINT) skills. Seriously, you are. This is absolutely a real skill that everyone needs to be good at, especially if you’d like to become a Penetration Tester / Red Teamer. If you can form the question in your head and find the answer yourself, even if it takes a little while, you’re helping yourself and gaining knowledge on that topic. That’s not to say you should shy away from asking questions either. Let’s examine examples of both situations:

So what sort of questions should you Google?

  • How much is the OSCP?
  • Sir, how do I get on hack the box?
  • What are some good cybersecurity resources?

What sort of questions should you ask others?

  • Hey so-and-so, I really liked your video/post/article on $topic. I noticed you used theharvester to gather emails. Is there a reason you chose it over other tools for gathering emails?
  • Hello, I am currently seeking an internship and would really like to better my chances at landing this job. Would you mind taking the time to review my resume? (Love this one when people are polite, especially if they take constructive criticism well).
  • My dream job is to become a Penetration Tester, but I’m not sure what the best path is for me to take. Would you recommend I get X certification, or Y certification?

Notice the questions above that I think are okay to ask others. They display a level of thought behind them, they cannot easily be answered by Googling, and they can spark a productive conversation on both ends.

The type of people who ask the questions you should be Googling are what we call “Sirs” on a Discord I am very active on. These people will not take the time to look for answers to easy questions, and they can be quite frustrating when you genuinely want to help people.

Follow up — Helping others & giving back

So you’re starting to learn things and ask good questions. Now that you’re becoming an active member of the community and bettering yourself, consider helping others! I find the best way to teach myself something is to teach it to others, and to answer questions on topics I know well as often as I can.

I try to answer at least 10 Infosec related questions a day. I often exceed this daily quota with ease by being active on a Discord and a couple of Slack channels. This keeps my brain engaged and reinforces what I already know, but it also feels good, because I was once in that position where I was A) really stuck on something, or B) really wanted to know more about a certain topic.

I recently had the pleasure of writing a letter of recommendation for a young man who was very deserving of a sponsorship for the OSCP exam. What made this recommendation so easy for me to write was the fact that I actively observe him participating and helping out in a large community of people trying to learn. I absolutely love seeing people help others along in their journey.

Some other ways to give back:

So maybe you’re already helping people out but feel like you could do just a little bit more. Consider volunteering at a local BSides or local security conference. This is an amazing way to help the hard workers who organize these types of events, as well as network with other great people.

Participate in a local meetup. This one was challenging for me. I looked for meetups in my area and didn’t really see any that caught my interest. So I asked around with people in the area to see if they knew of any local meetups, and the general consensus was that there weren’t any that were very good or active. So I started one. This has been the single most rewarding experience for me since I became an Infosec enthusiast, and if you have the opportunity to host one, you should.

I have met some extremely smart folks because of the meetup. It is incredibly humbling to me when people say how much they enjoy the meetups and how it has helped them.

If you can’t or don’t want to start one, then try to find one and see if there are any opportunities to help out with it, or to give a talk / presentation. You have no idea how much people appreciate it.

Avoiding bad mentors / toxic people

I don’t know what it is with some people in this field, but it is a pet peeve of mine to see how some of them respond to folks just starting out. I don’t understand the elitism that comes with certain titles, certifications, and positions, but it’s a great way to make me turn around and avoid them.

If you are asking good questions and you genuinely believe you can’t answer those questions by searching and someone comes back and says “Google it”, “Try Harder”, or some other snarky comment — just avoid them.

Make sure to not take the words of someone holding a certification like OSCP / OSCE / etc. as absolute truth. I work with several people who are Penetration Testers without the OSCP and they are absolutely great at their job. I also know and see a lot of people with their OSCP who give horrible advice.

Some great things you can do for yourself now

Start a blog.
Not because you want a lot of people to follow you or some sort of fame. Do it so you have a place where you can organize your thoughts, display the hard work you put into teaching yourself new skills, and look back and reference something you may have forgotten. A blog is a great place to show potential employers what you know, and it may help other people with something they’re struggling with. Additionally, you can start practicing some real world skills such as hardening a website / server and working on your writing (you’ll be expected to write reports in the future).

Create a LinkedIn account.
A LinkedIn account is a great way to network with like-minded people and professionals in the industry. Additionally, you’ll be able to track your progress in the field and gain some motivation when you see others succeed on your timeline.

Create a homelab.
This is a good one. I have had my homelab on my resume every single time I’ve applied anywhere, and quite often it has been a leading topic of discussion in interviews. I’ll talk about my hardware, what hypervisor I have running, what I use it for, and why it benefits me as a Security Professional. A homelab can be extremely elaborate, but it can also be very simple. I personally have a Dell R710 server that I bought off a user at r/homelabs on Reddit, but a homelab could simply be an old desktop computer you have lying around that you throw some VMs on and practice with. I am currently not in a position where I interview people and make hiring decisions, but one day I hope to be, and if I see someone who has a homelab and can talk in detail about it and how it helps them, that shows me they take time outside of work to grow.

Be an active member in the community.
This can be accomplished in several ways: Slack channels, Discords, local meetups, local security conferences, and so on. Being active will keep you aware of current topics, trends, and discussions in the field, and will also make you a better professional because you’re staying informed. So stay active.

Take time to do security related projects.
Projects will introduce new skills to you and keep you sharp. A project can be your blog, running Pi-hole on a Raspberry Pi, segmenting your home network to make it more secure, building a drop box, writing a new tool, etc. This is another great thing you can add to your resume as well!

Conclusion

Staying active and sharp is the key to being a successful Infosec professional / enthusiast. Choosing what you do with your time outside of work or school is critical to achieving the dreams you desire, and it will make you a better person. I think it’s absolutely important to always try to help others when you can, but also to seek out wisdom from those smarter and more experienced than you.

If you have any questions / comments regarding this article, please find me on LinkedIn, Discord, or Slack.