This is a little bit of a long post. Here’s the TL;DR
- There are at least three groups of people where it appears that a percentage of each group lacks a basic understanding of IT. These groups are: individuals getting into infosec, recent college grads and compliance auditors
- My suggestion is to generate a common ground of IT knowledge all infosec professionals should know, no matter what infosec career they choose
- I suggest this common ground have three categories: Computing, Operating Systems and Networking. In each category, there will be certain knowledge you must know and skills you must have.
- I hope my suggestion will start many more discussions so that at some point there is a general consensus, one driven by the industry not by a company.
One of the questions I, and many others, are often asked is “How do I get into Information Security?” and over the past few years, there have been several excellent blog posts and talks covering that very topic (see the links at the bottom of this post or this link to a compilation on ForgottenSec github). However, I recently had a situation where an individual asked me this question and I realized that none of those blogs or talks could help him… yet. The reason those resources could not help him was because they all assumed the person interested in information security already had experience in IT. This person did not.
Now, as you know, not having any experience in IT is not an impediment to becoming a great infosec worker. Most of us learned IT along the way. Some people were self driven, always trying to figure out how things worked or how to make THIS work to get THAT to work. I took a different path as I was a 9-5er who was blessed enough to get some great training and have good jobs until I was bitten by the bug… now I’m as driven as any; going to cons, writing a blog, giving talks, etc. But I realized my advice to this individual was going to have to take a different approach. He was interested in learning, but I could not just have him start running nmap or playing with metasploit since he didn’t even understand TCP/IP. I first had to come up with what I thought were the prerequisites he needed to enter into the infosec field.
While I was working on this list, Shmoocon was going on and I had a chance to bounce my thoughts off several individuals at that con. Several of them pointed out another group of individuals that would benefit from this list of prerequisites: recent graduates of colleges who had received a cybersecurity degree of one type or another. They pointed out that many of these grads have a good understanding of what security is, but not of how it works technically. This concern was confirmed in a recent discussion on one of the SANS email lists where multiple infosec professionals talked about the challenges they were having hiring recent graduates who met the technical requirements needed to perform entry level jobs. These grads understood policy and concepts, but they couldn’t actually look at packets or, in one case, even recognize a hard drive visually.
So now I had two categories of people who need some kind of baseline IT knowledge. While I was researching this article, I thought of another type of person who would benefit from that baseline; the compliance auditor. We’ve all run into the issue where we need to work with a policy or compliance auditor who only understands the checklist or the theory written into the policy. This inevitably leads to conflict when a technical solution is implemented that meets the purpose of the policy, but is unorthodox and the auditor rejects it because it doesn’t match what is written. Or the opposite, when the auditor accepts a solution because it meets what is written, but the solution doesn’t actually protect what the policy says it is supposed to protect. An auditor who has a fundamental IT understanding underneath the security knowledge would do much better in these situations.
So I looked at some certifications, some job descriptions, some course requirements, and had some discussions to get an idea of what was expected of new infosec professionals from different groups. I then began to compile a list of what I thought was common ground among all these sources.
Thinking about this common ground reminded me of something. (Stay with me on this.) In the past, I’ve heard some people compare the maturing of our industry to how medicine matured over the centuries in training, practice and standards. While I don’t think you can take that comparison too far, I will use this one analogy: we should have a “med school” requirement. That is, there should be a certain set of skills and knowledge every infosec practitioner should learn first, regardless of the career field they enter. So when the pentester talks to the compliance auditor talks to the forensic expert, they may each have specialized abilities, but there is a common foundation they all understand. How should this common set be formed? Well, like everything else, through lots of discussion, arguments, more discussions and practical observations. Will we need some kind of industry wide board like the AMA that makes a final decision, or will the masses come to some kind of general agreement? I don’t know. Please, though, let’s not have some company come up with their own certification and try to sell that to us. Will those that are self driven learn far more than this common knowledge set? Sure. Will it ensure that every infosec person is competent? No. But I hope that it is a start, and what I do know is that whatever we come up with needs to be flexible, as it probably should change at least every year. I think as we work to mature this field and we look for ways to bring large numbers of people in to fill all the open positions, we need to standardize knowledge and skills.
So, here are my suggestions for the common foundational skills and knowledge needed for someone to enter into infosec. This baseline knowledge enables a person to understand the underlying architecture of how the Internet works. These are the things that experienced infosec professionals know inherently and that new people should know. And therefore, these are also the skills and knowledge someone who is non-technical needs to attain so they can start learning infosec.
A person needs to have skills and knowledge in the following three areas: Computing, Operating Systems, and Networking. Note that while there will be overlap between areas, I’ve tried to create a layered approach to the levels. So, for example, while Network Drives may be a form of storage, I’ve left that out of the Computing section and put it into the Networking section.
Computing: all about the computer, what it is, how it works and what forms it takes (desktops to IoT and everywhere else)
A person needs to know:
- How a computer works
  - Input devices (keyboards, scanners, etc)
  - Memory and storage (RAM vs. persistent storage such as hard disks, USB, CD/DVD, etc)
  - BIOS/UEFI, the boot sector, the boot process, etc
- How a computer program runs
  - High level language vs machine language
  - How instructions are loaded and executed and how output is delivered
A person should be able to:
- Point out major components of a computer
- Do a hard reboot, soft reboot, get into the BIOS, change boot order
A person should know about the places computers are going into and what form factors they may take.
Operating Systems: all about the software that makes the hardware work
A person needs to know:
- Different types of OSs (Windows, Linux/Unix, OS X at least)
- Purpose of kernel and “user space”
- Purpose of drivers, applications, daemons/services
- Purpose of accounts, groups, and their access levels (root, administrator, user, guest) and how to create new groups with new levels of access.
- Purpose of objects and their permissions
- How users, groups and their access levels interact with objects and their set permissions
- Logging, what gets logged and why
- Firmware, software, etc
- Difference between authentication and authorization
A person needs to be able to:
- Install an OS
- Create users, files, folders and set permissions for different levels of access and abilities
- Install applications and set different levels of permissions for use
- Enable logging and read and understand logs and be able to diagnose basic problems
- Use the command line and GUI for common commands
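The items above about users, groups, objects and their permissions are the ones new people most often get wrong in practice, because the Unix rule is not "take the best of all the permission classes that apply to you". The kernel picks exactly one class (owner, else group, else other) and tests only that class's bits. The following is an added example written for this post, not something from the original; it models that check over constructed sample accounts and files (the uids, gids, paths and modes are made up for illustration) and renders the mode the way `ls -l` shows it.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: frozenset  # primary group plus supplementary groups


@dataclass(frozen=True)
class FileObject:
    path: str
    owner_uid: int
    group_gid: int
    mode: int  # permission bits only, e.g. 0o640


RWX = {"r": 4, "w": 2, "x": 1}


def may_access(user, obj, want):
    """Classic Unix discretionary access check.

    Exactly one class is selected (owner, then group, then other) and only
    that class's bits are tested; the classes are never combined.  uid 0
    bypasses read/write checks entirely and needs only some x bit set in
    order to execute.  ACLs, capabilities and MAC (SELinux, AppArmor) are
    deliberately out of scope here.
    """
    if want not in RWX:
        raise ValueError(f"unknown access type {want!r}")
    if user.uid == 0:
        return True if want != "x" else bool(obj.mode & 0o111)
    if user.uid == obj.owner_uid:
        bits = (obj.mode >> 6) & 0o7      # owner class
    elif obj.group_gid in user.gids:
        bits = (obj.mode >> 3) & 0o7      # group class
    else:
        bits = obj.mode & 0o7             # other class
    return bool(bits & RWX[want])


def ls_mode(obj):
    """Render the permission bits the way `ls -l` prints them for a regular file."""
    return stat.filemode(stat.S_IFREG | obj.mode)


def explain(user, obj):
    """One line per (user, file) pair, in the spirit of reading an `ls -l` listing."""
    result = ", ".join(f"{w}={may_access(user, obj, w)}" for w in "rwx")
    return f"{user.name} on {obj.path} ({ls_mode(obj)}): {result}"


# Constructed sample accounts and files for illustration; not from any real system.
ROOT = User("root", 0, frozenset({0}))
ALICE = User("alice", 1000, frozenset({1000, 27}))   # 27 is 'sudo' on Debian-style systems
BOB = User("bob", 1001, frozenset({1001, 4}))        # 4 is 'adm', which may read system logs
AUTH_LOG = FileObject("/var/log/auth.log", owner_uid=0, group_gid=4, mode=0o640)
# Owner class has no bits set: alice, the owner, is denied although everyone else can read.
ODD_FILE = FileObject("/home/alice/notes.txt", owner_uid=1000, group_gid=1000, mode=0o044)

if __name__ == "__main__":
    for user in (ROOT, ALICE, BOB):
        for obj in (AUTH_LOG, ODD_FILE):
            print(explain(user, obj))
```

The `ODD_FILE` case is the one worth trying on a real box (`chmod 044 notes.txt` as its owner, then `cat` it): the owner is refused while other users succeed, which is exactly the "which class applies" rule the model above encodes. On a real system, `getfacl`, file capabilities and the MAC policy can all change the answer, so treat this as the baseline every infosec person should be able to reason about, not the whole story.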
Networking: all about how computers talk to one another, how data gets transferred and how things are controlled remotely
A person needs to know:
- OSI model and the protocols that go with each layer
- How the Internet works (addressing, routing, subnets, DNS, 3-way handshake, how data is transferred, ….)
- What the following are, how they work and what they are used for:
  - Email servers
  - Routers/switches and the variations of these devices
  - Web servers
- What network traffic looks like and what the packets look like in a traffic analyzer
- How client/server methodology works
- Windows networking
- *NIX networking
- Network Authentication and RADIUS
- Remote access (RDP, telnet, ssh, scp, ftp….)
- How accounts and groups are created and managed on a network vs stand alone
- How objects are created and managed on a network vs stand alone
- How applications work on a network vs stand alone
- How object and application permissions interact with users and groups and their access level on a network vs stand alone
- Understand how computers and networks use binary, hexadecimal and decimal numbers
- On a Windows server: understand Windows GPO, security policies, user accounts, user groups, event logs
- On a Linux server: users/groups, iptables
A person should be able to:
- Capture, identify and read network traffic (using wireshark or equivalent)
- Install *NIX and configure different users into different groups for ssh remote access
- Install Windows Server and configure basic policies
- Understand logs and perform basic troubleshooting of network activity
- Create users and groups on different platforms and configure remote access
- Perform basic network troubleshooting (ping, traceroute, netstat, ps/tasklist, etc)
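Several of the knowledge items above (the 3-way handshake, what packets look like in a traffic analyzer, how hex and binary show up on the wire) come together in one skill: being able to look at raw frames and say which connections actually opened. The following is an added example written for this post, not code from the original; it constructs three Ethernet/IPv4/TCP frames for a handshake plus one unanswered SYN (all addresses, ports and sequence numbers are made up, and the checksums are left as zero because the frames are synthetic), decodes them by header offset the way Wireshark does, and matches SYN, SYN/ACK and ACK by sequence numbers rather than by flags alone.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# TCP flag bits from the 13th byte of the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int

    def flag_names(self):
        names = [(SYN, "SYN"), (ACK, "ACK"), (FIN, "FIN"), (RST, "RST"), (PSH, "PSH")]
        return "+".join(n for bit, n in names if self.flags & bit) or "none"

    def summary(self):
        """One line in the style of a traffic analyzer, with the flags byte in hex and binary."""
        return (f"{self.src}:{self.sport} -> {self.dst}:{self.dport} [{self.flag_names()}] "
                f"seq={self.seq} ack={self.ack} flags=0x{self.flags:02x} (0b{self.flags:06b})")


def build_tcp_frame(src, dst, sport, dport, seq, ack, flags):
    """Construct a raw Ethernet/IPv4/TCP frame with no payload (sample data, checksums zeroed)."""
    eth = bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + tcp


def parse_frame(raw):
    """Decode Ethernet, IPv4 and TCP headers by offset; returns None for anything that is not IPv4/TCP."""
    if len(raw) < 14 or struct.unpack("!H", raw[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (raw[14] & 0x0F) * 4                 # IP header length, in bytes
    if raw[14 + 9] != IPPROTO_TCP:             # protocol field is byte 9 of the IP header
        return None
    src = str(IPv4Address(raw[14 + 12:14 + 16]))
    dst = str(IPv4Address(raw[14 + 16:14 + 20]))
    t = 14 + ihl                               # start of the TCP header
    sport, dport, seq, ack, _offset, flags = struct.unpack("!HHIIBB", raw[t:t + 14])
    return Packet(src, dst, sport, dport, seq, ack, flags & 0x3F)


def find_handshakes(packets):
    """Match SYN -> SYN/ACK -> ACK triples by address pair and sequence numbers.

    Returns (completed, unanswered): completed handshakes as ((client, port), (server, port))
    and SYNs that never got a SYN/ACK, which is what a half-open scan or a filtered port
    looks like on the wire.
    """
    pending = {}   # (client_ip, client_port, server_ip, server_port) -> state tuple
    completed = []
    for p in packets:
        if p.flags == SYN:
            pending[(p.src, p.sport, p.dst, p.dport)] = ("syn", p.seq)
        elif p.flags == SYN | ACK:
            key = (p.dst, p.dport, p.src, p.sport)          # reverse direction
            st = pending.get(key)
            if st and st[0] == "syn" and p.ack == st[1] + 1:
                pending[key] = ("synack", st[1], p.seq)
        elif p.flags == ACK:
            key = (p.src, p.sport, p.dst, p.dport)
            st = pending.get(key)
            if st and st[0] == "synack" and p.seq == st[1] + 1 and p.ack == st[2] + 1:
                completed.append(((p.src, p.sport), (p.dst, p.dport)))
                del pending[key]
    unanswered = [k for k, v in pending.items() if v[0] == "syn"]
    return completed, unanswered


# Constructed sample traffic: one full handshake to 443, then a SYN to 23 that nobody answers.
CLIENT, SERVER = "192.168.1.10", "93.184.216.34"
SAMPLE_FRAMES = [
    build_tcp_frame(CLIENT, SERVER, 51234, 443, 1000, 0, SYN),
    build_tcp_frame(SERVER, CLIENT, 443, 51234, 5000, 1001, SYN | ACK),
    build_tcp_frame(CLIENT, SERVER, 51234, 443, 1001, 5001, ACK),
    build_tcp_frame(CLIENT, SERVER, 51235, 23, 2000, 0, SYN),
]

if __name__ == "__main__":
    packets = [parse_frame(f) for f in SAMPLE_FRAMES]
    for p in packets:
        print(p.summary())
    done, unanswered = find_handshakes(packets)
    print("completed:", done)
    print("unanswered SYNs:", unanswered)
```

Two things a new person learns from running this that the checklist alone does not teach: the ACK that completes the handshake is only an ACK if its sequence and acknowledgement numbers line up with the SYN and SYN/ACK before it (a lone ACK on the same ports means nothing), and an unanswered SYN is a data point in its own right, whether it is a closed port, a firewall drop or a scanner probing you. On a real capture you would read the same fields with `tshark -r file.pcap -Y "tcp.flags.syn==1"` and compare.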
I know I forgot some things. I know I left out other things. The point is to continue the discussion.
So what have I left out, and why do you think those things should be included?
Are there other people who have compiled and published their own list of common knowledge and skills? Other collections that have been proposed as a standard?
Or is this concept wrong to begin with?
Let me know your thoughts. If you have other links, I’ll post those on my page and I hope others will post my link on their page so these discussions can continue.
NOTE: I gave a 20 minute presentation on this topic at Shmoocon Epilogue in January. This post is an expansion on what I talked about then. If you want the slides, however, they are here.