After the last few security cons some fellow security folks and myself noted a lot of questions and opportunities for entry-level discussion around security, and in retrospect it makes sense. There are a LOT of new faces in security, and for good reasons. Events are now hosting virtual options with tons of content, the fee for entry isn’t as high, and so the opportunity to be involved is more attractive even if you can’t make it in-person. Along with this program shift has been a notable change in general population exposure to the challenges and important work happening in the field with events like the 2016 and 2020 elections, the SolarWinds hack, and the onslaught of ransomware campaigns.

In contrast to these discussion opportunities with new faces, when I speak to fellow security workers I find agreement that the amount of medium available today for aspiring talent is enormous. There are books on most topics that aren’t bleeding edge, and even more individual or group published blogs on variations of those topics that enable someone to lean into a new skill set nearly on-demand.

In light of these contrasting experiences I asked myself; “Then why are there so many new people struggling to find answers to entry-level questions?”.

So I took some time to look at recent talks, blogs, and books with the perspective of a fresh set of eyes, and what I found in reviewing them is that they largely assume some body of knowledge in security or technology. This isn’t surprising because it’s easy to understand why. Every author cannot build or be expected to build ground level knowledge for every reader. However, it does reflect that the state of cybersecurity currently is not really friendly as an entry-level topic. Even the most complete instruction manuals for building a home lab or setting up a firewall with full walk-throughs on command-line options and tools don’t really imbue the core knowledge of what the tools actually do, or how they work outside the context of a specific tasks.

In my mind, the problem is two-fold;

1. People don’t know or feel confident of the right path. We’ve gone from tribal knowledge in the 1990s to information overload in the 2020s. The field is so broad, and so complicated that finding a starting point to “get into security” can be overwhelming.
2. As stated, much of the security content created today assumes some level of technical or security knowledge on the part of the reader, or approaches topics of learning as a lesson plan where the author focuses on extreme details without expanding context. These are great for established people, but challenging for new people.

When faced with learning new things, I believe there’s a common concern: How do I connect the things I know to the thing I want to know? In my experience, what has helped me is thinking of knowledge like a tree.

Picture this: Our core life knowledge - gravity, light, earth, wind, water, drink, eat, sleep - this is the trunk. Language, math, using tools - these are strong branches. Calculus, changing engine oil, literature, cooking - these are smaller branches with many leaves of specific knowledge. Much of what we employ regularly in cybersecurity belongs in the small branches and leaves of the tree, and what it takes to get from things I know to thing I want to know is growing the branches toward those things stronger. When reading something completely alien, one way to establish what branches are weak is to decompile ideas into root elements. For something like riding a bike this is relatively simple: We need to understand gravity, momentum, balance, pedaling, steering, and braking but the concept is still the same. Understanding the intermediate paths to concepts in cybersecurity may be a little more challenging, but starting with identifying the root elements you don’t understand will give you a path for learning. I’ll offer my experience as an example of how this can happen, even if it wasn’t entirely purposeful.

Early on in my career I recall spending time thinking through very similar concern. My knowledge then was based on windows and some light website coding, and I had some exposure to security concepts through helping friends and family maintain (remove adware) or upgrade their computers. I got my start in IT helpdesk deploying physical systems. I then learned how to write some basic scripts to make setups easier. I began helping our desktop admin automate system imaging and eventually got pretty good at troubleshooting a slew of enduser problems like driver problems, software compatibility, and general networking issues. Around this time I spent a bit of time learning about networking, and eventually joined the a security team to help manage anti-virus because I had already been helping maintain it in helpdesk. Anti-virus administration isn’t a fast-paced business however, so I started helping the firewall team write and deploy policy in the lab and dev environments. But I was not happy just configuring firewall and AV to specifications. I wanted to understand why the policies were good or bad, or why it was important to always block these ports between those applications. So I kept asking myself;

• How do I learn more quickly?
• How do I gain the experience to feel confident about making security decisions?

After a year of firewall, I had come a long way. My linux experience (previously none) was now reasonable. I purchased some Raspberry Pis for home to learn in my own time, and I found myself reading the ISC2 SSCP manual one day. It was during that reading that it really began to click for me. I began to see the difference between the “field of cybersecurity" and “practicing cybersecurity”. While the book ultimately taught me very little about being secure or securing systems, it did provide insight into what security is to a business and the overall goals of implementing security concepts in designs. It was that realization that changed my mindset from “learning how to do security” to “learning how to think securely”. It pushed me to learn base concepts like least privilege, application of the CIA triad, how encryption works, how authentication schemes work, and then ultimately how to incorporate those concepts into designs. Once I started down that path I began deconstructing designs from my work environment. This allowed me to attach these new pieces of knowledge onto something tangible, and even analyze aspects of these designs I had previously overlooked.

What I hope to achieve with this site is something very similar for others;

• To provide information as tools for people to empower themselves in finding and build knowledge toward thinking securely (security based thinking, if you will).
• To conceptualize ideas in a way that is approachable, flexible, and useful so that those ideas can be expanded upon in self-driven learning. Finding a project that enables you to learn naturally is one of the easiest and most genuine ways to learn something new, and so learning something interesting to you individually is important.
• The segments should absolutely not be considered a directive, but rather a direction where you are to expand upon something and not implement it outright. The information here will be about practical security concepts, likely piecemeal or incomplete in nature, and are not intended to be all-encompassing. Learning the “extra bits” on top of concepts is a journey that is difficult to prescribe to another person, as learning styles are diverse.

Lastly, one very common act I see in security writings is that we (writers) impose our own assumptions or opinions into our findings, recommendations, and writings. This, I believe, is an artifact of being seeked for council within cybersecurity, and is not a flaw but rather a feature. Security practitioners learn one way or another to express opinions on matters they are at least partially responsible for or else to abstain is to agree to the outcome. I will do my best to not impose my opinion into my writing, but will honestly rather likely fail. Do note again: most things posted here will not be ’the best possible solution’ because the absolutely secure solutions for things generally require understanding a lot of nuance about that solution, which is not something people learning a concept can genuinely consume before they understand context.

Hopefully some things here may be useful. If not, thanks for stopping by all the same.