In my Web Programming class at Tufts, students are exposed to web security near the end of the semester. For the last assignment in the class, each student performs a security audit of the another student’s web application (the previous assignment in the class). The deliverable is a report that must contain at least three security and privacy findings. Here is an example report: https://tuftsdev.github.com/WebProgramming/assignments/security-gjoseph/report.html. For many students, this is their first exposure to information security, and many find the topic fascinating. Over the years, I have received many emails from former students asking how to learn more about information security. A few anedotes:
“As you may know, I am a senior. That means that I will not be able to take your security course before I graduate. What resources do you recommend using to learn security then? Are there ways that I could direct my hacking efforts so that my learning takes on some sort of coherent structure?
“Also I hadn’t really done any security stuff besides what we did in [your Web Programming class] but this summer I participated in [a security hackathon] and afterwards got a few offers to work on cyber security projects so I think I am going to try it out next time I intern. Do you have any suggestions for online resources?”
There is an abyss of information security resources and tools available, mostly free, online. Reading and literature can only do so much. Information security requires hands-on practice. A significant part of information security is violating confidentiality, integrity, and availability (CIA) –the definition of what information security is, and violating software invariants and correctness.
For a general overview of information security, a comprehensive book (free) is Ross Anderson’s “Security Engineering” available at http://www.cl.cam.ac.uk/~rja14/book.html. I also recommend the Kevin Mitnick’s “The Art of Deception”. The idea of “thinking like a bad guy” is very important in information security, a mindset that most people (especially software developers and Computer Scientists) are not exposed to. “The Art of Deception” has many telling stories of Kevin’s infamous deeds back in the days –from Kevin himself. To comprehend the scope of the information security problem and the history of fails, watch James Mickens’ “Not Even Close: The State of Computer Security”, watch Dan Geer’s Black Hat 2014 keynote, and read some history of L0pht in the Washington Post.
Let’s move on to hands-on practice. In the summer of 2015, I mentored Lokesh Pidawekar for his talk “How I Learnt Hacking in High School” at the BSides Las Vegas Security Conference. His presentation slides are available at http://www.slideshare.net/lokeshpidawekar/how-i-learnt-hacking-in-high-school-bsideslv-2015. The presentation addresses why would someone want to learn this stuff, what is necessary for hands-on practice, and disclaimers.
Currently, Kali Linux is the platform of choice for many information practitioners. It contains almost all the necessary tools. One of the worst things anyone learning information security can do is to fire up Metasploit or other tools without any idea what’s going on. Refrain from using tools until you have an understanding of what some of the security vulnerabilities are. A good way to understand what some of the security vulnerabilities are is to have vulnerable platforms and software. A good example of a vulnerable platform is Rapid 7’s Metasploitable. It is a deliberately vulnerable Linux virtual machine that requires at least VMware Player (VMware Workstation or VMware Fusion also works). Having a hypervisor (e.g., VMware, QEMU, Parallels, VirtualBox) is extremely valuable to hands-on learning as it generally isolates vulnerable software from your host operating system (unless file sharing between host and guest is enabled). Eventually, I recommend building use your own servers and containers (i.e. a lab) to host vulnerable software. One reason why I recommend this is so you can practice building a distributed system and how to do it right –or wrong. It goes without saying that these vulnerable virtual machines, servers, and containers must not be exposed to an untrusted network. I have a vulnerable Raspberry Pi web server at home that has a vulnerable version of WordPress, Damn Vulnerable Web Application (DVWA), and OWASP Mutillidae that I can always hit on. I also created a Docker image of the Capture The Flags (CTF) game for my Security class in fall 2014 –you can attack that as well.
Now that you have a vulnerable platform to attack and play with, delve into understading what some of the security vulnerabilities are. On all the top vulnerabilities lists (e.g., SANS Top 25, OWASP Top 10), Cross Site Scripting (XSS) and SQL Injection (SQLi) are on the top of the lists. They were among the top vulnerabilities over decade ago, and they are still among the top vulnerabilities today (sad, isn’t it?). The vulnerable platforms listed above have many XSS and SQLi opportunities as well as vulnerable software exposed on many different ports. There are also many weak user accounts on the platforms. Therefore, Cross Site Scripting, SQL injection, port scanning, and password cracking are good topics to learn first. Once you have a good understanding of those topics, then you can use tools like xsser, sqlmap, nmap, hydra, and john on Kali Linux. Equally important is to understand why the vulnerabilties exist on the platforms (they are all open source), how to fix them, and learn how to not make those mistakes as a software developer.
Putting together a hacking lab to learn information security demonstrates your profound interest in information security. Many people also agree that is even more valuable than security certification(s). However, learning on your own can only do so much. It is important to find and learn from great people. Despite some recent drama in the information security, there are many great people in the field. Go to local meetups and security conferences such as BSides. I am frequently asked how I got into information security. In 2004 when I was working as a web developer, my workplace paid me to go to the USENIX Annual Conference which was held in Boston, including taking two training courses. One of the training courses I took was on software security, taught by Gary McGraw. I also went to two security and privacy-focused panels that featured luminaries in the field including Gary McGraw and Dan Geer. They propelled my interest in security and provided much inspiration, and I cannot thank them enough for getting me started. Over the years, I have learned a tremendous amount from them, and from countless others in the field. It is a very small field: everyone practically knows each other. Your friends and peers will give you more opportunities than you can imagine. During the last five years, I’ve done a lot of talks and mentoring in the field to give back and also to prepare the next generation to get into the field.
I hope this is valuable advice for those who are interested on learning more about information security. If you would like to go further and make information security your career, read Lesley Carhart’s “Starting an InfoSec Career”.