Learning an advanced skillset
Don Parker 2006-03-24

It was almost two years ago now that I wrote the SecurityFocus article on TCP/IP skills required for security analysts. That article offered advice on how one can seek employment in the security field through education, training, and a strong focus on TCP/IP. The idea came about from all of the questions this author has been asked on the subject.

There is often a lot of uncertainty as to what one should study to further one’s career in the network security world. As I mentioned previously, it can be a daunting task. What was laid out as the core skills required for a fully competent security analyst is, in reality, but a baseline. Only from that foundation of skills, learnt and honed over time, can you begin to think about acquiring more advanced skills.

The purpose of this article is to guide network security analysts towards learning the advanced skillset required to help further their careers. We'll look at two key pillars of knowledge, protocols and programming, and why they're both so important in the security field.

Two pillars of knowledge

In this author’s opinion, there is perhaps a basic truth about network security and obtaining the skills required to practice it. Network security really boils down to understanding two key pillars: protocols (starting with TCP/IP), and programming. Everything else can generally fall within those two broad categories. That includes everything from web application security to exploit development, and many things in between. While we all understand that the base unit of computer-to-computer communications is the packet, there is still a tremendous amount of knowledge required to understand what is behind that small packet.

That very small packet incorporates a great amount of networking knowledge to understand and be able to parse effectively. Contained in that very packet is a good deal of information. What is required of you as an analyst, though, is the knowledge of protocols in order to extract the relevant information. Not all of the TCP/IP protocol world revolves around the four core protocols of TCP, UDP, IP, and ICMP. A good number of other protocols reside at the application layer. It's also good not only to understand how protocols work, but also to understand some of the design considerations that went into them. For example, knowing such things as why there are only 16 bits assigned to a port, and its relevance to the actual protocol, will help give an analyst a far deeper insight into his daily work.

TCP/IP is a good start, but what about the other pillar of network security knowledge? The strong silent partner of the security field is programming. While there is a lot to be said for understanding networking and protocols, they are all related to the programs that use them. It is therefore with an understanding of programming and the ability to actually program that a far more profound knowledge of network security will come.

It could be argued that one need not program to be good at network security. However the point remains that to obtain an advanced skill set, you will have no choice but to pick up programming to make it to the next level.

Learning advanced skills

Network security analysts have all come to realize that there is one inevitable conclusion. We must learn how to program to take our skills to the next level. Talented security researchers like Mike Sues, Dave Aitel, and HD Moore are all very proficient at programming. But what actual languages should one learn? That is a relatively easy question to answer. Most every application or operating system in existence today is (or has been) written in either C or C++, and some have parts written in Assembly.

Now that you know you need to learn some high level programming languages like C and C++ you have to decide which you pick up first. There is no real definitive answer to that one. Most universities and colleges will teach you object oriented programming first, as embodied by C++ or Java. Gone are the days where C was the introductory language.

It can largely be agreed upon, though, that having the ability to code in C and C++ is a de-facto standard in the programming world. There are not too many heavyweight applications written in Java, in reality. Quite a few talented programmers that I know actually shudder at the thought of using Java for anything. Bottom line is that once you have learned how to program in one high level language it will be that much easier to pick up another one. There is a great deal more to programming than simply sitting down and banging out some code. A great deal of thought must go into what you want first, particularly when considering security, and the whole process can be mapped to what is called the Programming Lifecycle. Though the whole cycle may not be applicable to, say, exploit development, there are steps to be followed when programming.

Let's apply this to the real world of security. As a network security professional you may be required to conduct a web application security test of a custom program. To do so effectively, you would need to have some additional skills beyond those of a typical analyst. Reverse engineering comes to mind readily as one such skill. Once you have reverse engineered an executable and identified any weakness, you then need to code the exploit for it.

It's not realistic to foresee a network analyst or security researcher coding an enterprise-class software project - but to conduct a security test of it, you will definitely have to write some code. That is a given. It would be highly recommended, then, to take formal training in the field prior to teaching yourself via a book. One of the biggest downfalls when it comes to learning how to program is jumping ahead. You need to take a methodical approach when learning this subject matter, and a formal process forces you to do this. Few methods are better than going to a true "brick and mortar" learning institution such as your local college or university.

Reverse engineering and assembly

We've looked at the need for programming skills, because having the ability to program will in turn allow you to pick up other esoteric skills. If you are subscribed to some of the SecurityFocus mailing lists then you have no doubt read or heard about people doing some reverse engineering of executables. This is done in order to try and find hidden flaws in the program itself without having access to the original code - as is often the case with closed-source applications.

Article continued on Page 2 


