How to Get Started in IT Security

There are many ways to start something, but they all begin with doing. IT security is no different, though it does provide a little more freedom in how you get started.

I have been in IT since the late 90’s and in IT Security since the early 2010’s. Most of that has been as an engineer, so my theories are a little skewed towards that arena. I love technology in general, too, and there isn’t much I can’t figure out how to do with a computer, which will also put a slight spin on my theories and advice. I am also based in the US, which can also influence my thoughts.

What’s the one must-have thing to get started?

I think one of the most important things you need when you get serious about exploring IT security is to have your own testing lab. Now this could be as simple as a VM (Virtual Machine) on your desktop or as complex as a multi-system server room in your basement. The ability to test and play around with concepts and ideas – or actual malware and viruses – is invaluable. IT Security is a field that is constantly changing and you have to be able to stay current with it.

What about Certifications? I heard they are super-important.

Certifications are hit or miss, to be honest. Many companies demand them, but plenty of them don’t require any. I currently only have three certs, and only one of them was requested by an employer. However, the study guides for them are a great source of information, and being able to run through practice tests for yourself will show how well you understand what you are learning. But do not learn just the answer; strive to understand why it is the answer.

Do I have to be a Linux nerd to do IT security?

Sure, that’s not a terrible idea, but in practical terms, get comfortable in Windows, Linux and MacOS environments equally. Most businesses will have a mix of them: Windows boxes for most administrative and production work, Macs for the advertising and marketing departments. Of the many companies I have worked for, all of them ran both Windows and Linux servers. Being deeply familiar with all the platforms allows you to recognize the differences between them and, from that, be able to secure them properly.

What are the “best practices” to learn first?

Learn about compliance rules! These determine which protocols and rules are going to be applicable to your work environment. SOX (Sarbanes-Oxley) is a law enacted in 2006 that says, “all publicly-traded companies are required to implement and report internal accounting controls to the SEC for compliance.” PCI-DSS (Payment Card Industry Data Security Standard) is especially important for any business that does, you know, business, particularly with the public, as it is meant to “ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.” Lastly, the GDPR (General Data Protection Regulation) is an EU regulation, but it can have a heavy impact on multinational companies or even just companies that sell overseas.

There are many other protocols and standards, but those are three of the biggest. Compliance drives a lot of businesses’ security programs, and knowing the policies can help you prepare for what the business needs and expects, but you’ll also have to craft actual security to fit into it. Since compliance regulations are normally only concerned with a very small part of the overall security landscape, they are often considered the “bare minimum to squeak by” in the eyes of companies (and budgeting departments in particular). There is a saying, “Being compliant is not ‘security’, but security is usually compliant.” Knowing your way around the compliance regulations helps to build a true security program.

Do I need to be a programmer?

Learning to script in something like Python or VBScript is crucial, yes. Many attacks use scripts to activate the malware payloads, and knowing how to read them will help you understand what is going on. Also, there are many APIs (Application Programming Interfaces) built by security companies that you could tie into with a simple script to parse out information relevant to your company/industry. Plus, to get out of boring, repetitive tasks and save a ton of time, either of those languages (or any of the dozens of others) will enable you to build automation scripts.

What about networking?

Ideally, you need to understand basic networking (the difference between a hub and a router, for instance) and the OSI (Open Systems Interconnection) model. A lot of security happens on the network, and knowing where the attack vectors are will help you know what to protect. Is there a weakness in an application (Layer 7 in OSI)? A firewall will help. Is it an attack that is using spoofed IP addresses? You’ll need to look at the network layer protections.

Anything else I should know?

While this is by no means a definitive list, these are a few of the things I have found to be consistently important. When interviewing, I will always ask questions related to them. You can really tell how serious an IT security department is based on their priorities from this list.