Thursday, January 17, 2013

How To Become an Infosec Expert, Part I

I recently put a post on my personal blog seeking applicants for a position with the VRT, working directly with me on public-facing issues (such as writing for this blog, talking to customers, etc.). Since the skill set involved there is subtly, but importantly, different from a traditional analyst position - those folks can be very successful at what they do without ever talking to anyone outside the team, except perhaps peers in the research space - I left the technical qualifications for an entry-level position somewhat open, with the idea being that a person with the right attitude and technical aptitude could be brought up to speed quickly on the finer points of the technical side of the job.

I got a slew of fascinating responses, with people whose technical backgrounds varied wildly (customer support, database administrators, programmers, small business owners, people who play with Metasploit in their spare time but have a non-technical day job, etc.). Invariably, though, these people were enthusiastic, apparently rapid learners, and eager to break into the space.

While I wish I had the time and the budget to hire them all and let the best rise to the top as they faced the trial by fire that is joining the VRT at entry level, obviously I can't. Given my personal career background, however - I spent a brief stint out of high school writing for the Sacramento Bee, parlayed my lifelong exposure to computers into some OK tech jobs when I realized that writing for traditional newspapers is a losing economic proposition these days, and ended up in this awesome job I have today largely because of a combination of good luck and the assistance of others who were willing to mentor me along the way - I've decided to do the next-best thing, and start a mentoring program for these eager young minds I had to disappoint with this round of hiring. Since there are plenty of people beyond those who responded to that particular job posting who are interested in the same sort of mentoring, I'm going to use this blog to put together a series of posts on the things you'll need to learn to break into the modern information security industry.

Obviously, these posts won't be 100% comprehensive, and they'll be a bit skewed towards the skill set that would be helpful for a job with the VRT specifically. Even with that caveat, though, I feel like a set of lessons will be helpful, especially when provided for free on a geographically neutral basis.

That all said, today's lesson is actually a reading assignment, to help get people up to speed on the mindset necessary to be a malware analyst / vulnerability researcher / etc. In much the same way that summer reading for a class back in school helps put the class on the same page, having at least a familiarity with some of the classic texts of information security will help start this process.

Thanks to helpful people on the Internet and some of my colleagues on the VRT, I've compiled a list of some of the best works in the field. Many are free (I've created a zip file of all of the free content on my personal site for ease of portability, in case people want to, say, read things on a long airplane flight) and reasonably short. If you like the idea of this series of posts, and you're starting out, don't try to read them all in a sitting; your brain will hurt and you won't learn anything. Pick some that look especially interesting, give them a whirl, and then in a week or so read a few more. There is no "right order" to read them in. If you're already an established pro in the space, and want to suggest other titles, please do so in the comment section on this thread.

A Note on the Confinement Problem, Butler Lampson
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, Mark Dowd
Ceremony Design and Analysis, Carl Ellison
Computer Security in the Real World, Butler Lampson
The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, Cliff Stoll
End-to-End Arguments in System Design, J. H. Saltzer, D. P. Reed, D. D. Clark
Expert C Programming: Deep C Secrets, Peter van der Linden
Hacking: The Art of Exploitation, Jon Erickson
History and Timeline of UNIX, Collaboration
The Jargon File, Collaboration
Practical Cryptography, Niels Ferguson, Bruce Schneier
The Protection of Information in Computer Systems, Jerome Saltzer, Michael Schroeder
Reflections on Trusting Trust, Ken Thompson
RFPolicy, Collaboration
Security Engineering, Ross Anderson
Smashing the Stack for Fun and Profit, Aleph One
With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988, Mark Eichin and Jon Rochlis

Additionally, there are some larger, somewhat textbook-style works that those new to the space should consider adding to their personal bookshelves:

The Art of Computer Virus Research and Defense, Peter Szor
The IDA Pro Book, Chris Eagle
Practical Malware Analysis, Michael Sikorski, Andrew Honig
Reversing: Secrets of Reverse Engineering, Eldad Eilam
TCP/IP Illustrated Volume 1, W. Richard Stevens (note: 1st edition, not the 2nd)
Windows Internals, 6th Edition, Russinovich et al
UNIX Power Tools, Tim O'Reilly et al

The next post in this series is likely to be a practical exercise; how soon it arrives will depend on the level of interest generated by this post. If you like this concept and want to see more, be sure to re-tweet and/or leave a note in the comments, so I can properly gauge response.


  1. Great reading list. I'll be looking for your next instalments!

  2. Great post, and awesome on your part to help those out.


  3. I will sure along with your posts as well. Thanks!

  4. Definitely interested in this, as I'm trying to get more experience in vulnerability research. I have good experience elsewhere in infosec, but this area is still mysterious to me. Looking forward to the coming posts.

  5. Thank you, colleagues, for such an interesting approach. Although I'm closer to the technical pre-sales and technical writing activities, let's see what I can attain here and how it can be close to me.

  6. Thanks for the reading list but most of all, kudos on having the awareness and greater interest in the community to actually take the time to begin putting together a mentoring program of sorts.

    Really happy I found your post.

  7. Interesting list, think I've read a 3rd of the titles either partially or fully over the last 25 years, a few I'm marking down for future reading. Hope to see the practical in the somewhat near future. As an analyst/integrator currently I can see how it is not the same as an Infosec Expert.

  8. Don't let this thread die. There are lots of young people out there now that think this area is some kind of magic. I'd add some new media to the list like Security Now by Steve Gibson, Crypto-Gram by Bruce Schneier and also Applied Cryptography by the same.

  9. Could you please explain why you specifically recommend the 1st edition of "TCP/IP Illustrated Volume 1, W. Richard Stevens" ?

  10. The Art of Computer Virus Research and Defense, Peter Szor

    Reversing: Secrets of Reverse Engineering, Eldad Eilam

    These are both published in 2005 making them 7 years old. Does anyone know of some more recent texts that cover the same information?

