
How to Start Your Career in Information Security

Overview of the lesson

Is hacking like in the movies? How do I start? What do I need to know? What skills should I have? These are questions that each of us had when we started. This lesson aims to provide you with a high-level overview of the security industry and give you actionable steps that you can take to start building your career in information security.

What you'll learn

  • Hacking in movies vs. reality.
  • What are the skills required to get started.
  • Do I need to know how to code?
  • Tips for getting started.

So you decided to start a career in information security, but have no idea where to start and what to learn. No worries, we’ve all been there. There are tons of resources, hacking tools, and research papers, but still, breaking into information security is harder than ever. This is why we’ve created uphack.io. This platform will help you learn — from the ground up — everything you need to know to become an ethical hacker. In this second lesson, we analyse this industry from a top-down perspective.

Prerequisites: None.
Objective: To get a better understanding of the information security industry and the skills required to become an ethical hacker.
TL;DR
  • There is no magic recipe for becoming an ethical hacker.
  • Success in this industry is a combination of soft skills, personality traits, and technical knowledge.
  • Being an ethical hacker is nothing like you saw in the movies. It is rewarding and fun, but not as glamorous as you may think.
  • Soft skills are more important than technical expertise, and your ability to think differently from others is what really makes you stand out from the crowd.
  • As an ethical hacker, you need to be able to switch between different thinking modes, based on a given circumstance.
  • When it comes to technical skills, the rule is simple: learn the basics.
  • Experts in security are people who invested a significant amount of time into understanding the basics and how to apply those concepts.
  • There are three main technical areas relevant to ethical hackers: networking, programming, and operating systems. Before getting into hacking, it would be great to spend some time learning the basics of these areas.
  • Programming terrifies newcomers. However, you don't need to be a top-notch developer. Instead, you should be able to write simple scripts to simplify your work. Penetration testing isn't a programming job.

First of all, it is essential to understand that there is no magic recipe for becoming an ethical hacker. Success in this industry is a combination of soft skills, personality traits, and technical knowledge. Don’t believe me? Check out the #MyWeirdPathToInfoSec hashtag on Twitter, and you will see that no two paths are the same. The odds are that your journey will not be like ours, or anyone else’s. So, instead of focusing on the path you need to choose, we give you a framework for thinking about your career in information security. The information in this lesson should provide you with a broad understanding of this industry and offer you some useful tips on how to start.

Figure 1 — Expectations vs. Reality

Let's start with a reality check

What is the first thing that comes to your mind when you think of a hacker? A hoodied, shady-looking guy in a dark basement where the only source of light is his three or more monitors glowing with green binary code?

If you think hacking is like what you saw in the movies or stock photos, well...I’m sorry to disappoint you. It is not — not even close. In reality, you work in a friendly office, spend much of the time writing reports, staring at a screen visually analysing things and trying to understand what’s going on behind the scenes, rather than randomly typing tens of commands per second into a command-line terminal. However, that doesn’t mean working as an ethical hacker isn’t rewarding. It is, but it might just not be that glamorous.

What do you need to get started?

Being a successful ethical hacker isn’t all about technical knowledge. While being smart, passionate, and technically skilled can help, your ability to think differently from others is what really makes you stand out from the crowd. Your job as an ethical hacker is to understand how systems work, where their vulnerabilities are, and how an attacker can benefit from those weaknesses. If you can think like an attacker and a defender at the same time, then you are probably a good fit for the information security industry. Everything else can be learned. Hence, let’s start with the soft skills.

Soft Skills

The most important soft skill for an ethical hacker is creativity and being able to switch between different thinking modes, based on a given circumstance. For instance, code review requires you to think analytically, while testing an upload file feature leans towards a more creative approach. Different situations call for different thinking methods. Below are just a few types of thinking used in ethical hacking:

  • Creative / Lateral Thinking
  • Critical Thinking
  • Analytical Thinking
  • Abstract Thinking
  • Holistic Thinking
  • Probabilistic Thinking (Bayesian Updating)

Being a skilled thinker means that you continuously ask questions and analyze the information you receive. This way, you can come up with new ideas and unusual testing scenarios that can make the difference between success and failure. For every single feature, e.g., reset password, there are hundreds of possible test cases that can lead to a vulnerability. Your job is to find that working path.

Before diving into technical stuff, try to improve your creativity by doing lateral thinking puzzles. In the beginning, you may feel like the most uncreative person in the world, but no worries. Creativity is a capability that you can learn and a skill that you can develop with practice.

Also, try to build your own toolbox of mental models and start using them. Here are some excellent resources to help you:

Revamping your thinking process is not an easy task. However, if you want to become a skilled ethical hacker, this is something you should master.

Of course, you don’t have to know all the concepts from above to start hacking. In fact, you don’t have to know any of them, but learning the basics of the other disciplines would improve your problem-solving skills and lead to a more in-depth understanding of ethical hacking. It’s all about increasing the chances of finding cool vulnerabilities.

In addition to thinking skills, an ethical hacker should also possess excellent communication skills, both oral and written. In your day-to-day job, you encounter many situations where you need to explain technical concepts to people (your colleagues, managers, clients, etc.) who don’t necessarily have a technical background. For instance, you may need to explain to a client why using outdated software may have catastrophic security implications. Or, you may find yourself having to explain how to fix a particular vulnerability to a developer who has never heard of it. Not to mention that you have to write summary reports of your findings for each security audit you perform.

If you are not able to communicate clearly, you will be significantly less effective in your job.

Technical skills

When it comes to technical skills, whether you are at the beginning of the journey or you already work in the industry but want to improve your knowledge, the rule is simple: learn the basics. Experts in security are people who invested a significant amount of time into understanding the basics and how to apply those concepts.

I know: it isn't fun, but it is necessary. Most people avoid this because it requires too much effort. However, working as an ethical hacker without knowing the basics is like flying a plane in the fog. In good weather conditions, a pilot can fly a plane just by using visual cues from outside the cockpit. But if you can’t see through the cockpit window, you must use the instrument panel. Instrument flying poses significant limitations, as you can only fly pre-defined routes.

By the same token, if you don’t learn the basics, you will always be dependent on those who did. Need a tool to automate a boring part of your testing methodology? Well, wait until someone who knows programming creates one. Need a payload to bypass a security measure? Wait until someone who understands that restriction releases one. Flying in the fog will severely impact your creativity and efficiency.

Think about it the other way: if you invest time in learning the fundamentals, you’ll have an advantage over every other ethical hacker who didn’t bother to do so (and believe me, there are many out there). Did I convince you? Great! Now let’s find out what exactly you should learn.

We recommend starting with the following areas:

Programming

This is the part that terrifies some people, mostly because of the countless myths they hear before stepping into it. First, it is necessary to understand that "you need to learn to code to be a good ethical hacker" is not equivalent to "you need to be able to write commercial-grade software to be a good ethical hacker". Penetration testing isn't a programming job. Most programming done in security boils down to:

  • writing simple scripts to automate tedious, repetitive tasks;
  • writing simple scripts to speed up the analysis of some information you just found;
  • writing simple scripts to demonstrate/exploit vulnerabilities;
  • reading code written by other people and understanding what's going on (to identify security vulnerabilities);

You don't have to be a top-notch developer to do any of these. You just need a basic understanding of general programming concepts and the ability to write code in one or more scripting languages. We suggest you start with the Python language. There are countless excellent courses and learning materials on this topic, just google it!
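To make the second bullet above concrete, here is an added example of the kind of short Python script the lesson has in mind for speeding up analysis. It is not code from the lesson or from uphack.io. It parses web server access log lines in the common "combined" format, counts requests and 4xx responses per client, and flags clients whose requests are mostly errors, which is a rough sign of someone probing for paths that do not exist. The log lines, the IP addresses and the thresholds are all constructed for the example.

```python
"""Added example: a small analysis script of the kind described in the lesson.

Parses access log lines, counts requests and client-error responses per
source address, and flags clients with a high error ratio. The sample log
below is constructed for this example; it is not from a real server."""

import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 404 169 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 404 169 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /.env HTTP/1.1" 404 169 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/7.88"
this line is not a valid log entry
"""

# One regex for the fields we care about: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarize(log_text):
    """Per-client request counts, per-client 4xx counts, and the number of skipped lines."""
    total, errors, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # keep going, but report how much we could not read
            continue
        total[rec["ip"]] += 1
        if 400 <= rec["status"] < 500:
            errors[rec["ip"]] += 1
    return total, errors, skipped


def noisy_clients(log_text, min_requests=3, error_ratio=0.5):
    """Clients with at least min_requests requests where more than error_ratio of
    the responses were 4xx. Thresholds are arbitrary choices for the example."""
    total, errors, _ = summarize(log_text)
    flagged = [(ip, n, errors[ip]) for ip, n in total.items()
               if n >= min_requests and errors[ip] / n > error_ratio]
    return sorted(flagged)


if __name__ == "__main__":
    total, errors, skipped = summarize(SAMPLE_LOG)
    for ip in sorted(total):
        print(f"{ip}: {total[ip]} requests, {errors[ip]} client errors")
    print(f"skipped {skipped} unparseable line(s)")
    for ip, n, e in noisy_clients(SAMPLE_LOG):
        print(f"flag {ip}: {e}/{n} responses were 4xx")
```

Nothing here is clever: a regex, a couple of counters and a threshold. That is the point the lesson makes about programming in security, and this sort of script is also what you end up writing to sift through your own tool output during an engagement.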

Also, try to get familiar with web languages such as HTML and JavaScript. Many web vulnerabilities discussed in the next courses require you to be able to read and write code in these languages.

Networking

One of the first requirements of any technical information security role is a comprehensive understanding of networks and their underlying principles, e.g., TCP/IP. But the Internet is, without doubt, the most extensive engineered system ever created by humankind, so how the hell can one learn or understand such an overwhelmingly large and complex system 🤯?

Don’t freak out — yet. You see, most of the underlying technologies used by today’s Internet were developed sometime in the 1960s. They are quite old but well documented. You don’t need to be able to set up a complicated corporate network or know every small detail of each protocol, but rather have a general understanding of the subject.

So, start with simple concepts:

  • What is a network protocol?
  • What is an IP address? What’s the difference between IPv4 and IPv6?
  • What is a switch, and why do we need them? How about a router?
  • What is the OSI Model? Why is it important?
  • What is the difference between TCP and UDP?
  • What are HTTP, FTP, SMTP, DNS, SSH? Have you used any of them so far?

All these and many others are explained in Computer Networking - A Top-Down Approach. I recommend you check it out. Here are a few more awesome resources that are worth a bookmark:


Operating Systems

The beauty of hacking is that no two systems are exactly the same. Each uses different technologies and unique configurations to achieve its purpose. As an ethical hacker, you deal with various systems, and often, an exploit that works flawlessly on a server may not work on an apparently similar server.

To overcome such situations without overcomplicating the process, you should have at least a basic understanding of the main operating systems (Linux, macOS and Microsoft Windows), how they work, and the differences between them. So do yourself a favor and get familiar with the following concepts:

  • Linux/Windows system principles
  • Linux/Windows file system
  • CLI vs. GUI
  • CLI basic commands
  • Users and permissions
  • Linux/Windows important files for security (e.g., /etc/passwd)
  • Process Management

You can find all this information in this course.
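As an added example tying together two items from the list above (users and permissions, and /etc/passwd as a security-relevant file), here is a short Python script that audits a file in /etc/passwd format. It is not code from the lesson or from the linked course. Each line of /etc/passwd has seven colon-separated fields, name:password:UID:GID:GECOS:home:shell; the password field is normally "x" (the hash lives in /etc/shadow) and UID 0 is root. The script reports accounts a defender would want to look at twice: extra UID-0 accounts, accounts that can log in interactively, and accounts with an empty password field. The file content and the account names are constructed for the example; the set of non-login shells is an assumption that covers common Linux distributions.

```python
"""Added example: audit a file in /etc/passwd format.

The sample content below is constructed for the example, not copied from a
real system. Run on a real host with: parse_passwd(open("/etc/passwd").read())"""

# Constructed /etc/passwd-style content. "toor" is a deliberately planted
# second UID-0 account so the checks below have something to find.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
svc:!:1001:1001:service:/srv/svc:/bin/false
# this is not a valid entry
"""

# Shells that refuse interactive login (assumed list, common on Linux).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        # Exactly seven fields, a name, and numeric UID/GID, or we ignore the line.
        if len(fields) != 7 or not fields[0] or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        accounts.append({
            "name": fields[0], "password": fields[1],
            "uid": int(fields[2]), "gid": int(fields[3]),
            "gecos": fields[4], "home": fields[5], "shell": fields[6],
        })
    return accounts


def uid0_accounts(accounts):
    """Accounts with UID 0. Anything besides root is root by another name."""
    return sorted(a["name"] for a in accounts if a["uid"] == 0)


def interactive_accounts(accounts):
    """Accounts whose shell permits an interactive login."""
    return sorted(a["name"] for a in accounts if a["shell"] not in NOLOGIN_SHELLS)


def empty_password_accounts(accounts):
    """Accounts with an empty password field, i.e. no password at all.
    'x' (hash in /etc/shadow) and '!' or '*' (locked) are fine."""
    return sorted(a["name"] for a in accounts if a["password"] == "")


def audit(text):
    """Run all checks and return the findings as a dict."""
    accounts = parse_passwd(text)
    return {
        "accounts": len(accounts),
        "uid0": uid0_accounts(accounts),
        "interactive": interactive_accounts(accounts),
        "empty_password": empty_password_accounts(accounts),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWD).items():
        print(f"{key}: {value}")
```

Reading the output, "toor" shows up under both uid0 and interactive, which is exactly the kind of finding that justifies knowing the file format rather than relying on a tool to interpret it for you. The same pattern (know the format, parse it, ask simple questions of it) carries over to the Windows equivalents the list mentions.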

Personality traits

Information security is an industry where something always goes wrong. Whether it is a script that was working last time you checked, or you just triggered a vulnerability but have no idea what caused it, there will always be something that doesn't work the way you expect. There are no shortcuts in ethical hacking. You need to be persistent, hard-working, and always eager to learn.

It's easy to spot a good fit for information security just by analyzing a person's attitude. Do they want to learn as much as they possibly can? Are they willing to spend hours or even days coming up with a working strategy when they reach a dead end? Do they have a keen passion for solving puzzles and an unbridled curiosity to dig into the causes of a problem?

If the answer to the above questions is YES and we just described you, then you may be a good fit for a career in information security. Otherwise, you may find security more frustrating than fun.

Formal education

One of the most common questions about how to become an ethical hacker is, "Can I find a job if I don't have a formal degree?"

Absolutely yes! While a university degree can be useful, it is not mandatory to get a job. And it all makes sense if you think about it. Since security is everyone's problem and companies are struggling to find enough talented people, what would be the logic to limit security roles only for people with degrees in computer science?

Many of the best security professionals are self-taught individuals who dropped out of formal education. Of course, we don't encourage you to drop school—we just say it's possible to work without a formal degree.

On the other hand, "not mandatory" doesn't mean "useless". An information security degree can be a kickstart for your career. It won't make you a hacker, but it will provide you with the basic technical skills we mentioned above. The fact that it forces you to learn those boring yet challenging concepts is a big advantage if you are not a very disciplined person and cannot do this on your own.

As a student, you can gain real-world experience through internships while working with experienced professionals. If you demonstrate that you are passionate about hacking, you may even get a full-time job offer there.

Note:
If you aim to work for large corporations or government bodies, then keep in mind that having a degree is still a mandatory requirement.

Certifications

Similar to formal education, security certifications are good to have but not a must. They are a great way to learn the basics and acquire valuable experience for your resume. Here are a few recommendations:

  • Offensive Security Certified Professional (OSCP)
  • Offensive Security Certified Expert (OSCE)
  • eLearnSecurity Certified Penetration Tester
  • SANS SEC560: Network Penetration Testing and Ethical Hacking

Keep in mind that you have to present yourself as the best option in the job market. Often, even the smallest differences between you and someone else can have a significant impact on a hiring decision. For instance, a person with interesting personal projects but no work experience wins over a person with no work experience and no personal projects. A person without a degree but with certifications wins over a person with neither. And so on.

Tips for starting

  1. Start a personal blog — This is probably the best advice we can give you. Start a blog and document your journey. One of the most efficient tools to consolidate the information that you just have learned is introspection. Reflect on what you’ve learned and try to explain it to other likeminded people on your blog. This will improve your understanding of that subject, your communication skills, and why not, your resume.
  2. Set goals — Straight from the beginning, you should set some achievable goals—something like milestones. They will help you to understand your evolution and focus on what is important. However, keep in mind that as you progress through your information security journey, your goals may change.
  3. Become a Google search master — Being an ethical hacker is not about memorising. You don’t need to know every small detail about each protocol, tool, or command. What really matters is to understand how to find that information when you need it. So whenever you don’t know something, google it! The chances are that other people had the same question.
  4. Learn how to learn — How do you learn? Maybe you understand better if you read a concept. Or perhaps if you watch a video about it. Whatever your learning style might be, it is imperative to have a framework—so check out The Feynman Technique.
  5. Got stuck? Don’t be afraid to seek help, but learn how to ask technical questions — Most people are happy to help newcomers, but the answer you get to a question mainly depends on the question itself. Raymond and Moen wrote an excellent guide on how to ask technical questions. Also, you can check LiveOverflow’s video on the same topic.
  6. Stay informed — You can find many experienced ethical hackers on social media where they share their experience and sometimes drop some knowledge. Here are a few people that you should follow to start building your feed: James Kettle (@albinowax), Jobert Abma (@jobertabma), Vickie Li (@vickieli7), spaceraccoon (@spaceraccoonsec), Ice3man (@Ice3man543), Sam Curry (zlz) (@samwcyo), NahamSec (@NahamSec), d0nut (@d0nutptr), Ed (@EdOverflow), FD (@filedescriptor), Orange Tsai (@orange_8361), Alex Chapman (@ajxchapman), STÖK (@stokfredrik), zseano (@zseano), The Cyber Mentor (@thecybermentor), Gwendal Le Coguic (@gwendallecoguic), Somdev Sangwan (@s0md3v), Pentester Land (@PentesterLand), TomNomNom (@TomNomNom), Inti De Ceukelaire (@securinti), Patrik Fehrenbach (@ITSecurityguard), Patrik Hudak (@0xpatrik), LiveOverflow (@LiveOverflow), Yassine Aboukir (@Yassineaboukir), yaworsk (@yaworsk), Jason Haddix (@Jhaddix), ᴅᴀɴɪᴇʟ ᴍɪᴇssʟᴇʀ (@DanielMiessler), Frans Rosén (@fransrosen), Jack (@fin1te)
  7. Check out these fantastic blog posts on the same topic to get a better understanding of the industry