Thoughts on the Information Security Skill Set
As mentioned in an earlier blog article, we moved our office infrastructure to a new location. Once you use a space for more than a decade, things inevitably pile up. So I had to sort through hardware, software (on optical storage hardware and floppy disks), lecture notes from a previous life, ancient project documentation, and notes on ideas for a brighter future. Most things were thrown away (i.e. responsibly recycled); some stuff could be saved by enthusiasts (for example the two old Amigas that were sitting in the basement). All of the things we had to move had a purpose once. The main purpose was to get familiar with technology, accumulate knowledge, and understand how things work. This is essentially the hacker mindset, also found among scientists. Given the many presentations at past DeepSec conferences, the workshops, the many hours spent with bad documentation and even worse code, there is a simple question. What do you need to know to work in information security?
I want to give you an example for illustration. During the past weeks I had to write a summary about the state of affairs regarding Transport Layer Security (TLS) for email transport. If you have 20+ years of actual experience as a postmaster, running MTAs and routing email, and you haven’t stopped looking at new protocols or standards, then you know all you need. Nevertheless it took days to get the document done. Written correctly, it featured almost 100 sources for everything mentioned. The introduction alone was the biggest part. You have to understand all the parts involved – Internet protocols such as DNS (which includes DNSSEC and DANE), the SMTP family, SSL/TLS obviously, but also local considerations such as storage and the intermediate end points of the message chain, cryptography (X.509, algorithms and friends), and more stuff I leave out here. After that you can get to the point and describe the current state of affairs. This says a lot about the skills necessary for such a „simple“ thing as email transport. Yet you are right in the middle of information security, because even as a system administrator you are responsible for doing the best you can to protect the content your systems are transporting. End-to-end encryption is still missing in this picture.
Modern society is run by, and requires, an army of specialists. The days in science where a researcher could know everything in all fields were probably more than 300 years ago (my teachers taught me that Gottfried Wilhelm Leibniz was the last human who could do this. They might have been wrong about this though, it’s hard to measure what people really know and what they don’t). Information security is no different. Security tests and implementations are done in teams. Learning is done in groups. Knowing a single skill set is not enough. Having worked in three different fields for some time (i.e. longer than a year) is a good start. Sysadmins often say: „Rome wasn’t burnt in one day.“ 😈 It’s true. 🙃 People new to information security often don’t know where to start. Well, the fact is that you have to start more than once, and you have to keep going. This is exactly why we have supported the Rookie Track at BSidesLondon for years. You need to be around a group of people who will share their experience and give you insights into what you can do next. Make sure never to start from unfamiliar ground. If you are interested in secure communication, then you have to know about communication in general first (you might even want to forget about digital ways to communicate to get a good start, most things don’t change when being turned digital).
The DeepSec schedule will be published in three weeks. We work hard to give you the diversity you need, topic-wise and human-wise, to get a good start in and to continue with your information security path. If you have a knack for teaching, think about submitting a presentation with these thoughts in the back of your mind. If you want to acquire a knack for teaching, please submit too. You have to start somewhere, and in information security you will never start without helping hands.