How I got into InfoSec

I WAS BORN HERE.

Okay, no really, everyone has a different story for how they got into this field; here’s mine. If you don’t want to hear my kid stories, skip on down to Career 😉

Nostalgic

I’m going to go way back in time, to when I was roughly 6 years old. My oldest brother (6 years older than me) showed me how to write PRINT statements in QBasic. He obviously could do a lot of cool things with QBasic, but I could change the colour of print statements. I remember him trying to show me FOR loops, but I just copied his work. On a side note, I think it’s important people look at other people’s code to learn how to code better. I don’t mean in an academic setting, but in general. Outside of that, I played a lot of video games and spent time changing the art on the tiles in Wolfenstein 3D. I remember tweaking the batch file we used as a menu on our bootup screen in DOS. If you wanted to start Windows, play wolf3d, look at images in cshell, it’d let you know what the alias was to run it.

When I was 8, I remember my parents’ family computer (an ol’ IBM PS/2) had died and though my dad tried to fix it, it was just collecting dust. My other brother and I decided to take it apart and see if we could fix it. We took out the hard drive, the RAM, the power supply. I remember running around the house, holding parts up, yelling “THIS IS THE BRAIN!” and “THIS IS THE HEART!” I had no idea what I was talking about, but they were pretty good guesses. When we put it back together, the machine booted again! It was a magical feeling.

Fast forward to when I was 13. AIM chatrooms! Back then, we’d all have little bots to bump each other off and mess around with people. That group of people (and a group of computer nerds on Myspace) eventually got me into IRC, where we moved from quakenet to dalnet and then landed on freenode, where I am today (/whois Kate-o).

When I was 15, my parents let me go to Central Michigan University (CMU)’s surplus sale. At the sale, I bought a 75MHz machine for $5, and a monitor to go with it, also for $5. My middle brother got a 133MHz machine and we decided to network them so we could play Starcraft together. My machine didn’t even recognize the CD, so I remember putting the CD into my brother’s computer and installing it over the network. I remember tweaking the Windows registry settings on that computer and customizing it so much that I was reformatting it every week. (I still have my old Starcraft CD key memorized!) My parents also let me take a couple computer classes at the high school career center; I got to take both programming (my focus was Java and Visual Basic 6) and networking courses, where I learned how to make cables and stuff. The high school even let me be a teacher’s assistant for a Dreamweaver class; it was then I learned that it’s easier to troubleshoot if you switch to the HTML tab and look at the actual code for answers.

My brothers both went to school at CMU, so when I was 17, I remember going with one of my brothers to a Philosophy meetup group called Socrates Cafe where I met a handful of people, two of whom mentioned that they’re into computers and they had to learn how to use IRC for work. I asked what server/channel they’re on and they pointed me to Freenode. When I got home, I joined their channel and started harassing a group of people who all worked at CMU in the Computer Science department, and these people later became some of my best friends, including Martin.

Eventually, I got a tour of their network research lab. At this point, I was working as a teller for a small financial franchise and I was ready to leave. I had the opportunity to work in the lab, but I had to wait until I was an actual student and approved for work-study. On my days off, I’d meet up with Martin and Tongen for lunch and they’d tell me amazing stories about DEFCON, their research and cool stuff in the field.

Career

When I got to college, I’d say 90% of my waking hours were spent working in the research lab or going to class. The university hosts career fairs on a regular basis, so when I was 20, a few of us decided we were going to go, represent the lab and see who could get the most interviews out of the meetup. I was just about to take over as manager of the research lab but ended up taking an internship as a SOX auditor at a utility company over the summer that paid more. With the money I made, I saved up enough to finally go to DEFCON. Keep in mind, I was paying my own way through college, etc.

While working as a SOX auditor, I was able to find enough flaws and automate some of the UNIX audit that I was hired back as an intern for the server team. I learned what I could administering systems there, then shared my next internship with the storage team. I was hired in full time as SCADA support, and moved into network security and vulnerability management where I stayed for a few more years.

Throughout all of this, I started attending, volunteering and running several security conferences. I even started teaching a few network security and pentesting courses at a local college. At GRRCon, I met my current employer.

Recap / Q&A

Q: Do I need a degree to get into Infosec? A: No, but it does help in many ways, whether meeting people, having that piece of paper, or ability to get into a career fair.

Q: Should I get a degree in Infosec? A: Having any degree helps a lot. Personally, I preferred studying Computer Science and Information Technology (concentration in networking) because you can apply security concepts to any field. There’s definitely a debate going on about how much understanding of computer functionality is really needed to get into the security field, but there are so many avenues into security, that I wouldn’t worry about it.

Q: How do I get involved in security conferences? A: Now that security conferences have grown and become more localized, getting involved locally is so much easier. There’s nothing wrong with laying cable for a few years if you can get to know a bunch of people. Feel free to reach out and I can point you in a direction in your area.

Q: What sort of books can I read about the field? A: Depends on what you’re interested in. I was given a great Christmas gift through the Hacker Secret Santa that I think is a useful first set:

1) The Cuckoo’s Egg by Clifford Stoll

2) The Hacker Crackdown by Bruce Sterling

3) Cyberpunk by Katie Hafner and John Markoff

4) Crypto by Steven Levy

For other books, it depends which subfield you’re getting into.

Q: Do you have to have talent to get into this field? A: No. I think my experience is a testament that all you have to do is have interest and set goals and you’ll be fine.

  • beamop, 11 May 2018:

    Great story, the best part for me is when you talk about your first exp with computers, awesome!
