Never Stop Learning

Let's start with a simple question to ask yourself before you read the rest "how can I be better and more flexible?" even when we think we know what we need to do the job it does not mean we cannot advance more and improve in the work we do. For me being complacent means giving up. For a very long time when people ask me what they should learn to start in security as their profession I often ask what is their current experience and most of the time my first answer to learn:

  • System Administration
  • Network Administration

The logic of the advice for me it is a simple one, how can you secure or break something if you do not know how it works? To me it seems simple but I have found not many see it that way. The main reason for the difference of opinion is the work then reward loop that many people are accustomed to, they are accustomed to a short loop where with some small steps and a little info I get a quick reward, some want to get she'll and that is the goal, it is not understand how it work. This fast reward loop can be seen in all professions and in many facets of life. One book many find weird that I recommend is Talent is Overrated by Geoff Colvin, the book covers what many successful people did to get where they are and how they stay there. The lessons in the book are simple ones they got there by constantly training and changing they're training/practice as they adapted, they never focused on what they already knew they where good at but on what they where not, they practiced constantly and consciously focus that the steps they practice are done with purpose. On sports in easy to visualize, in business they focus on constant learning and research on their ever evolving fields so as to stay ahead and current. In security we must do the same. So my recommendations are simple:

  • Build a lab that mimics a real network as much as you can
    • Servers with functional services that are used by client systems.
  • Maintain and manage the lab as if it where a real one.
  • Learn to secure it.
  • Apply security and monitor it.
  • Practice enumeration in it.
  • Practice attack on it.
  • Monitor what signs you leave behinds in the hosts, in other words try to catch your self and be very critical of your self on it.

This will teach you how to secure and make you a better attacker, you will know what to recommend to customers if you do a pentest to detect and block attacks.

Another recommendation is to practice often and form a habits of following a procedure you evaluate after each practice and engagement and modify and change it as you learn experience. The procedure should be a living thing that will never be finished or complete since technology, tactics and strategy evolve. A very smart Army officer trained in unconventional warfare once said something that stuck with me, he said "Our military is always trained to fight the last war we had not the next one" in other words they trained based on the last experience and do not evolve quickly, unconventional units learned this fast and they evolve fasts that is why they are more successful, so being the misfit that does not comply with the norm and it is always changing is a proven good thing.

To keep learning I recommend:

  • Read a book at least every month, Oreilly and Manning Publishing are always having 50% discounts on their books, if you are short in time is great and go with audio books since you can read while you do other things.
  • Look in to CBTs CBTNuggets, and Pluralsight offer yearly basic subscriptions or a modest price for access to one course if you are a visual learner.
  • Teach, blog and/or present, any combination or any one single one of those but do get in the habit of transmitting knowledge because it first helps build the community and second it help to see the information and process it in ways that will give you new insight on it.
  • Control the ego, never feel like you mastered something or know more than the rest, when you do you become complacent and you loose.
  • Learn what you are most passionate of first then move to improve it and cover the gaps so as to start motivated and stay motivated.

As Steve Jobs one said in his Stanford Address: "Stay hungry. Stay foolish"