Overview of the lesson
Is hacking like in the movies? How do I start? What do I need to know? What skills should I have? These are questions that each of us had when we started. This lesson aims to provide you with a high-level overview of the security industry and give you actionable steps that you can take to start building your career in information security.
What you'll learn
So you decided to start a career in information security, but have no idea where to start and what to learn. No worries, we’ve all been there. There are tons of resources, hacking tools, and research papers, but still, breaking into information security is harder than ever. This is why we’ve created uphack.io. This platform will help you learn — from the ground up — everything you need to know to become an ethical hacker. In this second lesson, we analyse this industry from a top-down perspective.
|Objective||To get a better understanding of the information security industry and the required skills for becoming an ethical hacker.|
First of all, it is essential to understand that there is no magic receipt on how to become an ethical hacker. Success in this industry is a combination of soft skills, personality traits, and technical knowledge. Don’t believe me? Check out #MyWeirdPathToInfoSec hashtag on Twitter, and you will see that no two paths are the same. The odds are that your journey will not be like ours, or anyone else’s. So, instead of focusing on the path you need to choose, we give you a framework of thinking about your career in information security. The information in this lesson should provide you with a broad understanding of this industry and offer you some useful tips on how to start.
What is the first thing that comes to your mind when you think of a hacker? A hoodied, shady-looking guy in a dark basement where the only source of light is his at least three monitors glowing some green binary code?
If you think hacking is like what you saw in the movies or stock photos, well...I’m sorry to disappoint you. It is not — not even close. In reality, you work in a friendly office, spend much of the time writing reports,
staring at a screen visually analysing things and trying to understand what’s going on behind the scenes, rather than randomly typing tens of commands per second into a command-line terminal. However, that doesn’t mean working as an ethical hacker isn’t rewarding. It is, but it might just not be that glamorous.
Being a successful ethical hacker isn’t all about technical knowledge. While being smart, passionate, and technically skilled can help, your ability to think differently from others is what really stands you out from the crowd. Your job as an ethical hacker is to understand how systems work, where their vulnerabilities are, and how a hacker can benefit from those weaknesses. If you can think both like an attacker and a defender at the same time, then you are probably a good fit for the information security industry. Everything else can be learned. Hence, let’s start with the soft skills.
The most important soft skill for an ethical hacker is creativity and being able to switch between different thinking modes, based on a given circumstance. For instance, code review requires you to think analytically, while testing an upload file feature leans towards a more creative approach. Different situations call for different thinking methods. Below are just a few types of thinking used in ethical hacking:
Being a skilled thinker means that you continuously ask questions and analyze the information you receive. This way, you can come up with new ideas and unusual testing scenarios that can make the difference between success and failure. For every single feature, e.g., reset password, there are hundreds of possible test cases that can lead to a vulnerability. Your job is to find that working path.
Before diving into technical stuff, try to improve your creativity by doing lateral thinking puzzles. In the beginning, you may feel like the most uncreative person in the world, but no worries. Creativity is a capability that you can learn and a skill that you can develop with practice.
Also, try to build your own toolbox of mental models and start using them. Here are some excellent resources to help you:
Revamping your thinking process is not an easy task. However, if you want to become a skilled ethical hacker, this is something you should master.
Of course, you don’t have to know all the concepts from above to start hacking. In fact, you don’t have to know any of them, but learning the basics of the other disciplines would improve your problem-solving skills and lead to a more in-depth understanding of ethical hacking. It’s all about increasing the chances of finding cool vulnerabilities.
In addition to thinking skills, an ethical hacker should also possess excellent communication skills, both oral and written. In your day-to-day job, you encounter many situations where you need to explain various technical concepts to peopleyour colleagues, managers, clients, etc. that don’t necessarily have a technical background. For instance, you may need to explain to a client why using outdated software may have catastrophic security implications. Or, you may find yourself in a situation in which you need to tell how to fix a particular vulnerability to a developer that has no idea what that is. Not to mention that you have to write summary reports of your findings for each security audit you perform.
If you are not able to communicate clearly, you will be significantly less effective in your job.
When it comes to technical skills, whether you are at the beginning of the journey or you already work in the industry but want to improve your knowledge, the rule is simple: learn the basics. Experts in security are people who invested a significant amount of time into understanding the basics and how to apply those concepts.
I know - it isn't fun, but necessary. Most people avoid this as it requires too much effort. However, working as an ethical hacker without knowing the basics is like flying a plane in the fog. In good weather conditions, a pilot can fly a plane just by using visual cues from the outside of the cockpit. But if you can’t see through the cockpit window, you must use the instrument panel. Instrument flying poses significant limitations as you can only fly pre-defined routes.
By the same token, if you don’t learn the basics, you will always be dependent on those who did. Need a tool to automate a boring part of your testing methodology? Well, wait until someone who knows programming will create one. Need a payload to bypass a security measure? Wait until someone who understands that restriction will release one. Flying in the fog will severely impact your creativity and efficiency.
Think about it the other way: if you invest time in learning the fundamentals, you’ll have an advantage over every other ethical hacker who didn’t bother to do so (and believe me, there are many out there). Did I convince you? Great! Now let’s find out what exactly you should learn.
We recommend you to start with the following areas:
This is the part that terrifies some of the people, mostly because of the countless myths they hear before stepping into it. First, it is necessary to understand that "you need to learn to code to be a good ethical hacker" is not equivalent to "you need to be able to write commercial-grade software to be a good ethical hacker". Penetration testing isn't a programming job. Most programming done in security can be resumed to:
You don't have to be a top-notch developer to do any of these. You just need a basic understanding of general programming concepts and to be able to write code in one or more scripting languages. We suggest you start with Python language. There are countless excellent courses and learning materials on this topic, just google it!
One of the first requirements of any technical information security role is a comprehensive understanding of networks and the underlying principlese.g., TCP/IP. But the Internet is, without doubt, the most extensive engineered system ever created by humankind, so how the hell can one learn or understand such an overwhelmingly large and complex system 🤯?
Don’t freak out — yet. You see, most of the underlying technologies used by today’s Internet were developed sometime in the 1960s. They are quite old but well documented. You don’t need to be able to set up a complicated corporate network or know every small detail of each protocol, but rather have a general understanding of the subject.
So, start with simple concepts:
All these and many others are explained in Computer Networking - A Top-Down Approach. I recommend you check it out. Here are a few more awesome resources that worth a bookmark:
The beauty of hacking is that no two systems are exactly the same. Each uses different technologies and unique configurations to achieve its purpose. As an ethical hacker, you deal with various systems, and often, an exploit that works flawlessly on a server may not work on an apparently similar server.
To overcome such situations without overcomplicating the process, you should have at least a basic understanding of the main operating systemsLinux, macOS and Microsoft Windows, how they work, and the differences between them. So make yourself a favor and get familiar with the following concepts:
You can find all this information in this course.
Information security is an industry where something always goes wrong. Whether it is a script that was working last time you checked, or you just triggered a vulnerability but have no idea what caused it, there will always be something that doesn't work the way you expect. There are no shortcuts in ethical hacking. You need to be persistent, hard-working, and always eager to learn.
It's easy to spot a good fit for information security just by analyzing a person's attitude. Do they want to learn as much as they possibly can? Are they willing to spend hours or even days to come up with a working strategy when reaching a dead-end situation? Do they have a keen passion for solving puzzles and an unbridled curiosity to go beyond the causes of a problem?
If the answer to the above questions is YES and we just described you, then you may be a good fit for a career in information security. Otherwise, you may find security more frustrating than fun.
One of the most common questions about how to become an ethical hacker is, "Can I find a job if I don't have a formal degree?"
Absolutely yes! While a university degree can be useful, it is not mandatory to get a job. And it all makes sense if you think about it. Since security is everyone's problem and companies are struggling to find enough talented people, what would be the logic to limit security roles only for people with degrees in computer science?
Many of the best security professionals are self-taught individuals who dropped out of formal education. Of course, we don't encourage you to drop school—we just say it's possible to work without a formal degree.
On the other side, "not mandatory" doesn't mean "it's useless". An information security degree can be a kickstart for your career. It won't make you a hacker, but it will provide you the basic technical skills we mentioned above. The fact that it forces you to learn those
not so fun boring, yet challenging concepts is a big advantage if you are not a very disciplined person and cannot do this on your own.
As a student, you can gain real-world experience through internships while working with experienced professionals. If you demonstrate that you are passionate about hacking, you may even get a full-time job offer there.
Similar to formal education, security certifications are good to have but not a must. They are a great way to learn the basics and acquire valuable experience for your resume. Here are a few recommendations:
Keep in mind that you have to provide yourself as the best option in the job market. Often, even the smallest differences between you and someone else can have a significant impact over a job decision. For instance, a person with interesting personal projects but no work experience wins over a person with no work experience an no personal project. A person without a degree, but with certifications wins over a person without a degree. And so on.