Hackitect (3 Part Series)
This article I decided to write as a prequel for the forthcoming series of articles from the Hackitect world. This start will be a bit soft.
I decided to write this beast as a prequel for the forthcoming series of articles from the Hackitect world. First I will start a little untraditionally. The main objective of this chapter is to motivate young talented people for IT slash cyber security. You can go in many directions. You may be risk managers, SOC experts, auditors, consultants, penetration testers, or even security architects. And not to restrict and hold more roles at the same time, such as Ethical Hacker and Architect. Do you think that is not possible?
I never liked when they were boxing me or trying to put me in my corporate charts. Do not let it happen either. Everyone has to find the right way to use and define their talent. The times when work started and ends when the corpo-roles are long gone. Hackitect is actually a role on the boundary between ethical hacking, SSDLC (safe application development), and architect. Of course, it could be varied, but it is important that the role is not limited to I am a specialist on X. The path of Hackitect means mainly the desire to discover and to constantly learn new things and not to limit the technoogy or instrument. At the same time, Hackitect must retain such knowledge to understand how technology works and was able to dive into great detail and then back to a hi-level look. A long and difficult journey. Sometimes it may seem unattainable. Generally for architects, without hands-on they get completely out of reality. An architect who delivers a solution in the form of pictures full of boxes in an unrealistic design is not an architect, but a pseudo-artist. Again, HANDS ON is ARCHI ON.
First read about Information security management system and demming cycle. You will ideally need to start Udemy courses (they have good courses about pentesting) and explore standards such as OWASP (SAMM, ASVS, Coding guidelines). A good tutorial can also be the study of tools in KALI Linux. A great source of how to get started with penetration testing is to install and launch WebGoat. If you only want penetration tests, it is good to read OSSTM (manual) and OWASP testing guide. For architectural understanding, you need to know what architecture is and then study frameworks like TOGAF or SABSA (https://sabsa.org/). If you want to be very modern and work under agility do not hurt to dive into the devsecops studio (http://www.devsecops.org/). If you are interested in cloud security, You cannot miss AWS well achitected Framework and Cloud security alliance whitepaper. There are many other think to study – forensics, identities, cryptography, networking, mobile apps and infinite others. You need to understand, that applications and infrastrucure are two sides of one coin. Don't forget that, when you will study. Explore all the things around which are supporting security (service management, development, configuration management, CI/CD and many other interesting pokemons to gather). If you are enough brave, check the zero trust architecture.
Ok it's chaotic so let's make it simple:
- Code like crazy and try to create your on repo on Github ( the strong ones can open source thier code animals)
- Without research it will not work.
- You read like crazy and then read and study again.
- Test the tools and evaluate them.
- Plan and make things very simple in small steps.
- Dont cry when you dont understand. Cry when you dont have anything to discover.
- A high level of ethics must be the first priority.
- Learn how systems attack attackers and how systems build (analysis and synthesis).
- If you are a trainee, find a mentor.
- If you are more experienced professionals, find a coach.
- Be humble, choosing to work in cybersecurity is not an easy way.
- Determine your hackitect areas and follow the small steps.
- Higher goals such as obtaining CISSP, CEH, GWAPT, CSSP, CSLP, CRISC, SABSA, TOGAF, OSCP, CCSP and others are excellent. It is important to equip yourself with patience and determination. Because IT security is not a job, it's part of your mission.
The more you discover on your hackitect journey, the more you find out that you cannot understand everything. You will never be able to hold SIEM, secure development, Cloud, MDM, Microsoft & Linux ecosystem, opensource solutions, Ethical hacking, etc. With this you need to rejoice and learn to live. Somewhere I read a very good quotation. In order to become masters you have to be a beginner. It's a thousand times. Do not be afraid to fail, because you will only learn. Personally, I can say that every 3 years, I feel like I've forgotten everything and started out again. It's a tax on the rapid development of technology.
It is a difficult task to learn a high level of abstraction for explaining to people outside of IT. Learn how to work as a bussines man and learn how to sell it to business units in your company. High-level design capability takes years of practice. Important is also forgotten about enginnering itself and occasionally make your hands dirty to work to not miss the contact with reality of weekdays. Do not let the stereotype of a hi-level viewpoint to conceal the mind of a child engineer in you. Engineering and research is part of architectural work.
Everyone will promise you possible and impossible. It is true, that no one can give you more than I can promise you. Do not believe the promises. Visions are great when they are at least a bit reachable. If there are very illusionary, put your jetppack on and fly to another nice place. Your own work will not be better without your own innovations and actions. If you will have mentor, doesn’t mean, that he is your teacher. He guides you and points you to right direction. The only person who moves you forward will be you alone. No one will give you AI based on blockchain computed by drones. Realistically build with your own work and build the future as you like it. Many managers and even more experts speak more than they act. Learn to recognize the right partners for your worklife.
IT security is hard to find good and big teams. We worked on very interesting projects which made me think. Technologically, we have solved cutting edge technology. I was too close to touch the real futuristic products but I was not able to reach them. I realize, that I am alone in the team and there is noone who is my area. And there is the major point. There is an important need for talented people who can make the ideas become real! Without team mates, it is not possible to complete the hackitect journey. Learning each other is a critical factor of success. Being alone, just sucks.
Don't hurry up!! Plan effective your gold precious time. Think about learning and enjoy it. If you will hurry too much you can lose contact with reality and start to be lost. Effective time plaining with proper benefits for your Hackitect path is critical element. If you have time, you have time for yourself and critical thinking. If you get information, evaluate if the information is true and relevant. Very important in these days. Try to simplify. Not try, make things simple. As one of my friends is saying: "I am simple man, i like simple solutions!".
I planned this topic make more personal. However i decided to leave few bullets for next time.
Next time I am planning for you article about open source security animal ZOO.