Let’s talk security

I am going to regret not using this title in a future blog post where I tell companies they need to spend more money, and give half of that money to me, won’t I? Oh well.

A long time ago, when I was just starting my IT career, my dad walked up to my desk and gave me a book. “We need you to build a website”, he said. I protested. I had never built a real website before. I’d dabbled in HTML and PHP a bit during my network administrator training at VDAB, but that’s it.

I was told to do it anyway, and so I did. While building the website I had a lot to learn. About Joomla, web hosting and much more. I thought it would be a good idea to make some notes on my free WordPress blog, things that I wanted to remember. While the “remembering” part didn’t always stick, it at least helped me understand the topic I was working on. Turns out, other people also found these notes useful – but that’s a story I already told many times before.

I learned that it’s easier for me to learn new concepts by “teaching others”. When I try to explain something to others, I break the concept down into small pieces which I present. When I’m learning for myself, I have the bad habit of just nodding and thinking “Ah, yes, I’ll be fine with remembering these complex multi-faceted topics.”

Narrator: “He wasn’t fine.”

I was reminded of this at the start of the year, when I was asked to teach a class on the OSI model to some colleagues. I was uniquely qualified because the class organizer thought I understood the OSI model well and because I was the only one she felt comfortable asking. But it meant I had to study the source material again, to make sure the students understood. As a result, I broke down the module and the OSI model started to make more sense to me as well.

If you are still reading, you might wonder how any of this is related to security.

Somewhere in 2020 I was asked if I was interested in a new job challenge. My employer was looking for people who wanted to learn to become ethical hackers. Apparently a bunch of people were sent on an expensive course before and nothing came of it, so they were looking for new candidates. I said that I wasn’t sure if I was capable, but that I was “willing to give it a try” (Yeah, I’m always way too honest, sue me).

We didn’t really have a “plan” so my learning path was a bit chaotic. I started following some of the CEH courses and realized that I was on the wrong path, and we then pivoted to the eJPT course and exam – which I passed. I then made the huge mistake of taking on the OSCP with a colleague while we both really weren’t experienced enough. The best way to describe that experience is “interesting” and “absolutely confidence destroying”. I should have done more research because my confidence was nuked after the exam. I didn’t do much for a while – I was busy developing stuff – and then got back on track with the CompTIA PenTest+. That’s also a tough nut to crack, but it teaches some very strong fundamentals on the non-hacking side of things which will be very useful whether I ever become a full pentester or “just” work in infosec.

During this entire journey I haven’t written a single thing about security. I am not even sure if I ever blogged about the eJPT, which is the first certificate I’ve claimed in years.

Considering that I find it easier to learn when I’m also teaching, that sounds bad, right? The reason is that I felt completely unqualified from the start. Infosec is a big field with a lot of topics and I know so little, so what could I possibly be writing that people don’t already know? What would I be talking about? “How to fail the OSCP in the most epic way possible?” I felt there was nothing I could write that would help other people.

But it’s not about other people, is it? When I am not using the “teaching” method to learn things, I notice that I struggle with making concepts my own. I also feel that Infosec has been something I was just “reading” about instead of a field I was working in because I wasn’t creating content about it.

To address that, I’m going to stop listening to myself and start “talking” about security by creating articles and content. Will they be the most advanced? No. Will they make me look smart or elevate me to the level of a guru? Also no, probably the opposite. Are they going to help other people? I doubt that I’ll be doing something that hasn’t been done before. But none of that is the point of doing it. I want to “teach” to learn better myself.

Besides, do I have to justify myself? There’s already a whole lot of junk content out there ranging from poorly written write-ups of exams to clickbait articles. Not to mention the articles that are supposed to “inform” people, but which can only be understood if you have been working in Infosec for thirty years or longer.

I’m not saying anything I am going to create is much better. Again, not the point. But if these people are confident enough to publish things that I can’t finish reading, why wouldn’t I do the same?

So yeah, I’m going to start creating security content. As always, it might be all over the place. I’ll be doing it for myself. If someone happens to read it and thinks “this is neat”, then that is a nice added bonus. See you in the dangerzone.

Steven out.