Getting Started in Infosec

If you’re new to infosec, trying to get into infosec, or have no idea what infosec is but want to learn, you’ve come to the right place!

First of all, welcome! I’m Casey, and I’m a cybersecurity engineer. I’m so happy you’re here to learn more about infosec. It’s an awesome field with awesome people, and there’s so much to learn.

Second of all, I realize I’ve said the word infosec enough to bring my allotment down to zero for the rest of the post. I apologize. You will be hearing (well, reading) it more. And if you’re wondering what infosec stands for, it’s information security.

Depending on whether you’re new to tech as a whole, or interested in transitioning to infosec from another part of tech, there are different approaches you can take to growing an infosec skillset (and mindset!). This post will share a variety of topics you should start studying, and depending on your experience, you may already be familiar with some of them.

Let’s get to it!

1. Pick an area to focus on.

While I’m writing this as a single step here, it’s really more of a process. You may very well go through the following steps and loop back around as you decide what does and doesn’t interest you.

So what areas are there? So many! Application security, secure coding, static code analysis, network security, penetration testing, red teaming, blue teaming, system administration & hardening, cloud security, containerization and virtualization security- the list goes on. If you aren’t familiar with these domains, check back for a future blog post where we explore what these different jobs entail. Consider whether you want to focus on programming-based security, infrastructure (systems and networks) protection, testing infrastructure security, or pipeline & integration security (operational environment support).

Generally speaking, being good at writing secure software requires being well-versed in languages so that you know best practices, and being good at protecting infrastructures requires understanding how to build them well. You learn how to break (as well as fix) things when you know what they aren’t meant or built to handle.

If you want to do something related to secure coding:

  • Choose a language to learn really well. You don’t need to learn every language at once. If you choose a popular language, your skillset will be in demand just by getting to know that one language fluently. Once you get to know that language, you can start growing your repertoire.
  • Choose a static code analysis tool to learn. There are many out there- Parasoft, Klocwork, Coverity, CodeSonar; choose one that works for a language you know and start using it.
  • Learn about software vulnerabilities (from a general perspective) and examples of malware that depend on them. This will help you understand why this area of work is so important.
  • Learn about supply chain attacks. Understand how software can be used as an entry point for attackers.

If you want to defend and/or test infrastructure:

  • Choose an OS to learn- Linux, MacOS, or Windows. Watch system administration videos and lectures about how the OS functions and understand how to configure it as if you were a sys admin (system administrator). If you don’t know where to start, choose whichever OS you’re most familiar with.
  • Learn the command line. This will be Bash for Linux and MacOS. It will be different for Windows, unless you use a Bash Shell. Learn how to navigate the command line, which is more commonly used (compared to GUIs, or Graphical User Interfaces) in security due to ease of access and manipulation around the system.
  • Learn a text editor. If you’ve been around my twitter at all, you’ll know I’m a vim fan (and even have a whole blog post about it!). You may have heard of vi, which is just the older version of vim. Other popular options include emacs and nano. The purpose of a text editor is to make file creation and manipulation quick and easy.
  • Learn networking basics. While you don’t need to dive into an entire networking course immediately, find introductory videos and resources to learn networking fundamentals.

If you want to configure, defend, and/or test deployment environments:

  • Learn a text editor (see above).
  • Learn YAML, a popular configuration language.
  • Learn what virtualization and containerization both are. Hardware can support a lot more than a single OS with the help of newer technology.
  • Learn Docker and Kubernetes, or another type of container engine and orchestrator respectively.
  • Learn about the cloud. This will probably involve learning about AWS (Amazon Web Services), a widely popular cloud provider.
  • Know that this may be a difficult jump without starting with either of the previous two options, depending on your background.

3. Learn those skills.

The hardest part of all of this will be making your decisions about the above options and then actually getting started. The skills will come with time and effort- you’re in charge of putting forth that time and effort. But don’t worry, there are so many people who will cheer you on and help you when you need it.

Luckily, there are so many resources- including free ones!- available online that it isn’t difficult to find what you need. I have a resources page here with all sorts of starting points. YouTube has amazing content on just about anything you could want to learn, and Twitter has all kinds of experts and people who will want to help.

If you start your learning process and decide that skill isn’t of interest to you anymore, try something else! There are so many options that you may very well dislike some things and love others.

4. Connect with other people in tech.

If you drown yourself with new content without having a community around you, it will be easy to give up when it gets frustrating. And it will get frustrating. But it will also be fun, new, and exciting. One of the best ways to stay motivated and encouraged is by having others around you. Twitter, Discord, Twitch (yes, hackers and coders stream), and attending conferences (which there are now many virtual options for!) are some great options for building that community.

5. Be patient with yourself and don’t compare yourself.

It’s so, so, so easy to fall into the comparison game here in tech. People who have spent their whole careers in tech have seen the internet rise from nothingness, meaning they’ve watched and experienced the evolution of technology for decades. Everyone has different experiences. One of the coolest parts about tech is the diversity of backgrounds people have. While some have degrees in tech fields, others have gone through bootcamps, worked their way up through varying types of IT and tech-adjacent positions, or switched from entirely different careers. If that’s you, awesome! Welcome, we need you!

The only thing you can control is your own learning process. Set realistic goals for yourself and don’t give up. You’re not alone; everyone in tech has to continuously learn because it’s such a fast-growing field. Learning how to learn is the most important part of the process.

I hope you have found this useful in setting a path for growing your infosec skillset. I plan to have more follow-on posts related to growing skillsets in infosec, so be sure to look out for those. If you have questions, please reach out to me on Twitter.