SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 39: 5 Ways to Work Towards New Security Skills

Posted on June 1, 2017
  • Teach yourself with books and Internet research.
  • Take advantage of the availability of school courses.
  • Attend security conferences to learn from pros in the field.
  • Enroll in a training seminar to gain more practical skills.
  • Network, collaborate, and practice.

Do you ever wonder what it takes to break into the world of computer security and defense? With digital safety more important now than ever, it’s a growing and vital field. Learning how systems work and how to make them safer can be rewarding as both a career and as a hobby. Whether you want to learn more or you know someone, like one of your kids, who wants to explore an interest more deeply, there’s plenty you can try. In this edition of The Checklist, we’re looking at how anyone with the passion and drive can start the journey towards greater computer security skills, or even becoming a computer security professional. Maybe you just want to learn more so you can better protect your Mac? Getting to know this field will help keep you and your family safe! So, let’s get right into it — where do you start?

Teach yourself with books and Internet research.

A common trait among many in the security sector is a passion for learning. That motivation is evident in the amount of time people spend through individual learning. We’ll talk about the value of formal education in a moment, but for now, we’ll focus on methods for self-teaching.

The good news: there’s no shortage of ways to learn. If you’re a visual learner who likes to follow along with an instructor, you’ll find plenty of individuals offering video tutorials on the web. If you prefer to hold a book in your hands, many publishers have extensive lines of high-quality textbooks. The best approach will take advantage of all the available resources, but where you start is up to you.

Begin with the basics. If you have no background in this area, you’ll want to spend some time considering what area of security you want to dive into. Typically you’ll spend a lot of time learning the “ins and outs” of computer systems, digital security, and the foundation for it all: programming. Understanding at least one (if not many) programming languages is essential for this field, even if you specialize in networking or database security. How can you get your hands dirty looking for vulnerabilities or designing your own secure systems if you don’t understand the methods (and languages) used by hackers? A good beginner’s language these days is Python — in fact, we’ve recently seen Mac malware that uses Python scripting. Even just understanding and knowing AppleScript will set you on your path. Over time, you’ll want to graduate to more complex languages. Any level of familiarity can help you push towards your goals.

One publisher we’d encourage our listeners to look at is NoStarch Press. They have an impressively vast array of texts for beginners and advanced users alike. In fact, if you visit the site, you’ll see they have a whole category of books devoted to Python, including everything from a “Python for Kids” book to black hat hacking techniques for Python. The NoStarch catalog includes plenty of other programming books as well as titles directly related to hacking and computer security itself. Immerse yourself in these texts and think critically about what they tell you.

Speaking of publishers — Syngress is another one to note. They also have plenty of books with a specific focus on security, as well as tailored learning paths to help you find your way in a particular specialization. When you want to dig deeper into security topics, this is a good way to go. New books come out frequently with updated information and expanded topics. Something like the “Handbook of System Safety and Security” would provide solid information. Don’t worry if you can’t understand everything right away, or if you’re confused — that just gives you the opportunity to experiment and ask around for help.

We’d also be remiss if we didn’t mention 2600 Magazine. For lovers of periodicals, this magazine bills itself as the “Hacker Quarterly.” Founded all the way back in 1984, it has a real pedigree when it comes to “hacking.” You can learn a lot just by reading about what others are doing – in fact you’ll see where people go well beyond just programming, working with hardware systems, network systems, and other areas! We’ll talk more about 2600 a little later — they also host opportunities for you to meet and learn from others.

Okay, we’ve talked a lot about print media, but let’s not forget the Internet. There’s something for every skill level here too, with the benefit that much of it is completely free. If you like to listen to others to help you learn, check out video tutorials on YouTube. There are videos on everything from Python to Java to Swift and more. It’s almost like attending a lecture — with a key difference. If you don’t like the teaching style, you can move on to another video that’s more your speed and skill level.

How-to websites are also an option. When you’re learning, and you don’t understand something, there’s a simple option: ask Google! You can look up sample code to see what you’re trying to do or explore analyses of older vulnerabilities posted by other security researchers. Want to give yourself a challenge? Look through publicly available code to find flaws or errors. Googlers recently undertook a project where they analyzed open source projects and uncovered more than a thousand previously unknown flaws. Google said 25% of those could have been used to exploit system security — so take a critical eye towards free examples, too.

Got questions? Web forums are still a popular place to chat and gather for hackers and security experts alike. When you run into an issue you can’t resolve, ask someone more experienced. There are options far beyond traditional forums today, too. Sites like Reddit have thriving programming, hacking, and digital security communities. It’s only to your benefit to join these communities and become a part of the conversation.

Take advantage of the availability of school courses.

Learning on your own is a good start, but you might want something more structured. If you hope to make a career out of it, then you’ll want to involve at least some formal education and certification. Tens of thousands of new people enter into college CompSci programs every year. The ability to learn about programming (and all its related concerns) is available even to middle- and high-schoolers today.

In other words, if you want to learn from someone with real experience, you have tons of options. Now, you might already be worrying about tuition when you hear about class-based learning, but don’t be too concerned — you don’t need to pursue a complete four-year degree or postgraduate work to understand security. That path isn’t right for everyone, but other education pathways might be.

For those listening because you hope to encourage a child to pursue their passions in this area, we’d recommend you to encourage them to look for these opportunities early. Taking classes in middle and high school does more than provide them with a bedrock of understanding from which to expand. It exposes them to the ideas of their peers and the challenges of the instructor. Starting early helps create a foundation of thought, learning to ask questions, think differently about problems, which become essential down the road. The more effort they place into learning and developing their skills now, the better off they’ll be later.

If higher education is your goal, now is a good time to get in the game: lots of universities not only offer computer science but more granular topics as well. Networking, systems administration, cryptography, and security — you’ll find some schools have them all. The professors leading these courses often have a wealth of experience to share with their students. In some places, you may be able to audit a course without enrolling in a degree program. There are many options that local and national colleges provide you these days!

Trade schools and community colleges offer less long-term and fully-committed opportunities to learn with structure. Your education can benefit from these just as much as a traditional university, and they can be less expensive. Sometimes, these courses are a good starting point for those who don’t want to try learning on your own. Even here you gain the benefit of the ability to ask questions and receive feedback on your work. If you go down this road, be an inquisitive student. Security principles aren’t something learned by simply memorization; it’s all about seeing the big picture while also understanding how to probe the finer details of software, systems, and networks

Another advantage of these institutions? Many of them offer certification programs that don’t require the completion of years of study. Instead, they need completion of specialized courses. You can likely find a short course program geared specifically towards cyber security. Accumulating certifications does more than bolstering your own credentials. Besides expanding your knowledge, it allows you to challenge yourself.

Good security is hard, and developing those practices isn’t as easy as it might seem. It requires that we think just like a malicious hacker might, but how do you put yourself in their shoes? Learning how to attack and defend systems through these educational opportunities can give you insight that will be valuable as you go deeper into a security career. You’ll need to take the time to not only learn how things work but to think about what that really means – and where any weak points might exist. We can’t protect against threat vectors we don’t notice, but you can bet there is a hacker out there who will.

Of course, nothing says you must commit to a formal education so deeply. Even if you don’t want to certify yourself or pursue a degree, you just want to learn more to protect your Mac, you’ll still derive a lot of value from taking a few classes. The longer format provides time to develop and practice your new skills. When you need to learn a new, complex topic, classroom learning is often efficient and effective.

Attend security conferences to learn from pros in the field.

As you develop skills and knowledge, you’ll naturally start to consume more information from within the industry. Besides reading the news, you need to keep up on what the newest innovations are and the ways people are pushing the field forward. In fact, you’ve already started doing this by listening to our podcast! At this stage, why not think about dipping your toes into the actual “scene”? If you used forums to help develop your skills, you might have a head start here — and reading periodicals like 2600 can provide opportunities to make inroads.

Generally speaking, there’s no better way to dive in and immerse yourself than by attending a trade show. Some call themselves “hacker conventions” while others take a more business-like approach to hosting a more formalized show. Both are an excellent way to learn about groundbreaking developments in security and hacking, meet people in the industry, and more. You can have plenty of fun at these events, even when their actual purpose is a serious discussion.

The biggest, and perhaps the most famous hacker convention, is the annual DEF CON conference. Running since 1993, it was originally just a gathering of friends from an old bulletin board system. Today, it’s the most-attended hacker gathering around the world and commands a huge audience every year in Las Vegas. DEF CON is where individuals and teams unveil cutting-edge exploits and new research. As “meetings of the minds” go, this is a big one! Attending a show like this one can be a big step in your journey.

There’s plenty to do: attend a talk, walk the floor, or join in the many legal hacking activities. Be aware: it is a hacker conference, after all. If you bring a laptop or phone, be extra cautious about how you use it. Anything can be a target in an environment like this. One group even maintains a display streaming information captured over the unsecured wi-fi network to demonstrate the need for proper precautions. But common sense precautions will help keep you safe – there are so many amazing opportunities at a convention like this! One thing is true: hackers love to show off what they know – so at something like DEF CON you’ll find so many people who want to teach you something new! What if you want something a little less intense but with all the benefits of demonstrations and lectures?

There are many, many other conventions and gatherings besides just DEF CON. Other popular venues include Toorcon which take place in San Diego, and Shmoocon in Washington, D.C. Toorcon is a more formal gathering for computer security experts; here you’ll find informational seminars and even training where you can go hands-on with techniques new to you. We’ll get to these training sessions soon — but you’ll find them at most big trade shows. Shmoocon, as its fun name might indicate, also throws in plenty of games and competitions during the weekend of the conference. 

2600 Magazine hosts the Hackers on Planet Earth conference, or HOPE, in New York. It typically happens every 2 years. HOPE is perhaps best known for featuring an exciting array of guest speakers, in addition to the usual 24-hour buzz of convention activity. This event is quite expansive and covers a lot of topics, so it’s an ideal choice for those who want to check out more than one conference space. On the whole, these events and many others offer novices and professionals the same valuable experience.

If you attend one of these events, you’ll have the opportunity to listen and learn from some of the best during the talks they’ll give. With that said, it is the people who are most important – not the shiny gadgets or new exploits. Don’t be shy: chat with strangers and make some friends. Show your desire to learn and you’ll find yourself pulled into some wonderful conversations with truly fascinating people. Networking with people at conventions and conferences provides you with more opportunities even further down the road.

Enroll in a training seminar to gain more practical skills.

Okay, let’s go back to a topic now that we’ve talked about a couple of times already. Attending trade shows and having a blast is excellent, but let’s not forget that we’re here to improve and get better. With that in mind, organized learning doesn’t always take place in the college classroom or in front of your computer. As we just discussed, many security conferences host training seminars during the event. Others may run different workshops throughout the entire year. There are also training opportunities that occur independently of major conferences and conventions.

No matter which type you choose, these are also a valuable tool for any student of security. While they do often have a cost associated with them, saving up to participate in some seminars is a worthwhile endeavor. Let’s explore why that is and how you can take advantage of what they offer.

The way it works is simple, especially when it’s at a conference. You pay for entrance to the course (or simply an additional amount on top of the fee for your conference badge). Most often, these fees also include the course materials you’ll need to use throughout the training seminar. The big advantage to learning from a seminar is the smaller format. Conferences are large, loud, and can feel chaotic. In the relative peace of the seminar room, maybe only 20-30 people in size, you can drill down and focus on learning new things.

Seminar topics can be very broad or very specific, depending on who offers the course. One excellent example of cybersecurity training available to everyone is the SANS Institute. SANS offers hundreds of training seminars around the US and the world every year in addition to several big SANS conferences. You could even use this as your jumping off point — SANS has a “security essentials” course designed to bring people up to speed quickly. 

The flexibility and wide-reaching subject availability of SANS means it’s a reliable option for many pros too. These aren’t just classes in theory. They are intensive and in-depth with the goal of equipping students with real, practical skills. Since these seminars usually run for about three days, it’s easy to fit them in to an otherwise busy life, too. SANS offers a variety of certifications as well. So, if you didn’t feel like enrolling in a community college to seek out a certificate, seminars may be the way to go!

Training at actual conferences offers many similar benefits. Consider the LayerOne security conference in Los Angeles; in addition to the weekend of speakers and events, they host training too. This year, one of the options is called “hands on hacking.” It’s a chance to learn from an actual industry penetration tester — that’s someone who tries to break into private networks to aid companies in developing more robust security solutions. The course includes time spent engaging in a “capture the flag” environment.
Here, you’ll have to use accumulated skills and new knowledge from the course to navigate a digital landscape, compromising systems, and then re-securing them, as you go. The goal, of course, is to reach a “flag” hidden behind layers of security.

Sound exciting? It is, and it’s a lot of fun. Not all training events take quite such an unusual tack to the subject matter, but that just means you have plenty of variety from which to choose. With courses to match just about every skill, it’s as good an option for getting started as it is for moving into deeper and more complex subject material. You’ll continue to meet interesting people, too, and that means more opportunities to pick up helpful tricks and broaden your horizons. Explore the training available in your local area — it’s too good a learning opportunity to pass up if you can afford the fees.

Network, collaborate, and practice.

It’s important that you don’t allow your education to stagnate as you pursue this passion. The digital world moves fast, and malware authors seem to move faster than anyone else. Learning the best practices and assessing how to meet challenges head-on doesn’t always happen in the classroom or at a conference. At times, you will gain the most benefit by putting your knowledge to use. Whether that means educating others about what you’ve learned or beginning a security-related project is up to you.

All this learning isn’t useful if you don’t do anything with it, though. Once you’ve built a solid base of understanding and you’ve immersed yourself in other aspects of network and computer security, go another step forward. Make things and break things – just not the law! Learning what you’re capable of requires trial and error. While you won’t be breaching a bank’s security, you can develop practical understandings of how malware authors work to defeat our defenses. Even simply securing your home network, then probing it for new issues, testing the security that you have built, is extremely useful!

You don’t have to do this alone, either. Collaboration and the sharing of information freely is a cornerstone within the modern hacking and security communities. There are ways to meet up with fellow enthusiasts to discuss, learn, and work outside of the large, major social events. There are smaller meet-ups that happen all the time. One good example is, once again, linked back to 2600 Magazine. Known as 2600 meetings, these are semi-informal gatherings of hackers around the world. They usually occur in the early evening on the first Friday of every month.

Your local group will probably have its own agenda for meetings – or there might not be an agenda at all. It can just be an opportunity to stand around, relax, and talk shop after a long week. Others might work on developing software or try out a new idea to see if a particular hack might work. It’s an opportunity to gather and talk, and that alone is a valuable experience.

DEF CON Groups follow a similar concept, and it’s easy to discover online whether a local group has meetings near you. Joining one of these groups, or starting up a discussion meeting on your own, exposes you to new viewpoints and possibilities. It provides an opportunity to begin collaborative projects that could lead to something bigger – even if it’s just a new technique you didn’t know before. It’s your opportunity to take everything you’ve learned throughout your other efforts and put it to the test. What better way than in a group of your peers?

No one is going to become an expert overnight – It’s a complex field, and it will take some time to immerse yourself and build your skills. If you’re learning solo, or trying to figure out a pathway for your child, though, persistence is key. Think of computer security as a giant puzzle full of problems to solve and embrace the challenge. Whether you pursue a formal education or you teach yourself the new skills you want to develop, we hope you’ll enjoy the journey into this important sector. One final note: Don’t be afraid to get involved! Going hands-on is critical to your experience in computer security.

Problems? Questions? Security concerns? If you have anything to ask us, send us an email at!

Join our mailing list for the latest security news and deals