A Letter to Beginning Infosec Enthusiasts

By Daniel Miessler on January 11th, 2008: Tagged as Information Security

[ Originally posted to the DSLR Security Forum ]

Fellow security enthusiasts, at some point in your lives (hopefully, at least) there will come a time when you realize that security isn’t about the latest and greatest Windows security tool. It’s not about antivirus, it’s not about personal firewalls, and it’s not about any other tool either. There are basics that are universal across all operating systems and systems. It is these basics that you must learn to stay ahead of the game.

The Basics

Eric Cole of SANS (now Dr. Cole) has a great set of four key principles he talks about. If you master these you will be well on your way to breaking free of the constant Windows-based ratrace of installing tool on top of tool ad infinitum:

  1. Know Thy System
  2. Least Privilege
  3. Defense in Depth
  4. Prevention is Ideal, But Detection is a Must

First off, if you’re obsessed with security, stop playing with tools and learn about operating systems and programming. You are wasting your time becoming a master of front-ends for concepts rather than learning the concepts themselves. Know thy system. This is the single most important thing you can do to become more secure.

Second, use the minimum amount of access that you can. Use a regular user in Linux and Windows, and configure your applications to do the same. It’s not a product or OS specific thing — it’s a philosophy that will save your butt.

Thirdly, use different types of protection, not just a bunch of the same kind. And no, this doesn’t mean loading up 15 windows security apps in different spaces — that’s missing the point. Learn your OS, harden your applications, take notice of where you browse and what you open, THEN add a few basic defense tools on top of that. That’s layering for a home environment.

Finally, have a way to know if something bad has happened. This comes back to number 1 — knowing what normal is. Consider monitoring your outbound traffic for anomalies using an IDS of some sort. You’re not going to be able to stop everything, but have a way to know when do step in something.

Recommendations

  • Learn your OS
  • Keep your OS and applications patched. Religiously.
  • Branch out into other OSs if you’ve only used Windows
  • Learn the command line in every OS you use
  • Install and get friendly with VMware
  • Read major security news feeds, such as Astalavista, HackInTheBox, etc.
  • Follow the main security experts. See what they’re talking about.
  • In Windows, install one AV, one firewall, and one anti-adware/spyware tool. Don’t get silly about it.
  • Regularly back up your data and important configuration settings using a redundant solution.
  • Realize that being unsafe in a wealthy suburb is far more safe than being “secure” in a Baghdad hotspot. In other words, you’re not going to be safe clicking on random crap regardless of what off the shelf security tool you’re running.
  • Remember that advanced malware writers have every security tool you do. Don’t you think they tested to make sure it wasn’t detectable before they started sending it out? Your best bet is to not interact with it in the first place.

Look, I started on this site in 99′ — 8 years ago — and I went through this whole tool-based phase just like many of you are doing. There’s nothing wrong with it; it’s part of the learning process and I did it myself. But at some point you have to expand your perspective if you want to move to the next level. I’m just trying to save you some time by pointing this out.

I went from this tool-based approach I started with to a principles-based, tool-agnostic approach and it’s yielded me a very fulfilling career in information security. I’ve worked with government, the banking industry, fortune 500 companies — both as a part of the internal team and as a consultant. This was made possible ONLY as a result of being open to security as a discipline rather than as something $foo solution provides.

Trust me. Get away from the tools and focus on the concepts. Expand. Read. Watch. Learn. This is the path to being a more well-rounded and highly skilled security enthusiast/professional.

Kind regards,

-Daniel Miessler

  • http://rick.thedunnams.com/ Rick

    this is a good post and very well put. This is the difference between a script kiddie and a pro

  • http://rick.thedunnams.com Rick

    this is a good post and very well put. This is the difference between a script kiddie and a pro

  • Eamon

    Thanks, good post.

    One of the things that bothers me about Windows System Admin training, is that you really don’t get to know the real OS.

    I started scripting WMI for tasks and fixes last year and it really opened up a new world, you actually get to see how it all works. I think that if they want to make something like A+ certification count they should put WMI Scripting in the curriculum, as well as hacking the registry. If you can’t do that, it’s a lot harder for you.

  • Eamon

    Thanks, good post.

    One of the things that bothers me about Windows System Admin training, is that you really don’t get to know the real OS.

    I started scripting WMI for tasks and fixes last year and it really opened up a new world, you actually get to see how it all works. I think that if they want to make something like A+ certification count they should put WMI Scripting in the curriculum, as well as hacking the registry. If you can’t do that, it’s a lot harder for you.

  • MD

    Nice post, I’m still very new to the IT/Security game and articles like this make for great reading.

  • MD

    Nice post, I’m still very new to the IT/Security game and articles like this make for great reading.


Top

Popular

Information Security / Technology

Politics

Philosophy & Religion

Technology & Science

Culture & Society

Miscellaneous

Arguments

Projects

Collections

Twitter

What I'm Reading

Favorite Books and Essays

Top Blog Categories

Inputs