My Non-Linear Journey Into Information Security

Photo by Joanna Kosinska on Unsplash

My Non-Linear Journey Into Information Security

Evan Ottinger's photo
Evan Ottinger
·

12 min read

Recently, I've been asked by several people about my journey into the field of Information Security. Most of the time, it seems that those that ask are looking for a tip or piece of information that they do not already have--some sort of secret to unlocking an exciting and lucrative career. Unfortunately, I feel obligated dispel any rumors that such secrets exist. What I can provide, however, is a summary of my journey into InfoSec, as unglamorous as it may be.

Like many in the industry, I fell in love with computers at a young age. My family first purchased a computer and access to AOL through dial-up internet when I was about five or six years old. In those days, data protection laws for children were more permissive and there were several services available to occupy children on the internet.

When I was in the eight-to-ten age range, I decided I wanted to learn how to program. A local band director that I knew from extra-curricular activities recommend HTML for Dummies which I soon purchased at Barnes & Noble.

From there, I started building static websites using HTML. Back then, it was cool to use frames and in-line styles. Nobody was looking over my shoulder judging. I just built pages until I eventually got bored. I never really progressed from here until middle school when I decided to learn Python. I hated math at the time and grew frustrated with the number of formulas we were expected to memorize to calculate the area and volume of random objects. I decided then to write a calculator in Python, which simplified my homework but was unfortunately of no use to me on exams.

And this is sort of where my young interest in software development ended. In high school, I had vague notions that I wanted to be a software developer professionally. I had aspirations of living in a bespoke modern house on my own with a top-of-the-line custom PC. In my head, that life seemed glamorous. However, I was also an avid French horn player. In the end, I received a full scholarship to the University of North Florida because of my musical ability. I foolishly decided to declare two majors--music performance and computer science. Somehow, nobody tried to talk me out of this.

If you're not aware, music performance programs are very demanding. It's not uncommon for students to be registered for 6-7 classes per semester--some of which earning them 0 or 1 credit hour, but still require a large time-commitment from the student. Since you're reading this, I will assume that you understand how demanding a computer science program could be--particularly for someone such as myself who is weak in math and natural sciences.

I wound up failing Intro to Computer Science three times. I became burned out as a musician. I dropped my music major and, after being told that I was ineligible for the computer science program at the university any longer, changed my major to a business focused information technology program. A few weeks into the new program, I was informed by the university that I had been placed on academic suspension due to my grades. I lost my scholarship and access to student loans. I was ineligible for grants. At that point, I made the decision to drop out.

I worked full-time as a valet attendant with the intent of joining the Air Force. I earned anywhere from $10-30 an hour, but the pay was tip-driven and inconsistent. It was also physically demanding and resulted in me developing tendinitis in my left knee. Unable to run, I was ineligible to work shifts. I found a seasonal job at a local software firm as a phone support specialist.

After months of trying to navigate entry to the Air Force, my dad convinced me to speak with a Marine recruiter named Abe. Within a week, I had been to MEPS and had signed my initial enlistment contract to become a Marine. I originally signed an open contract, but was given the opportunity to take the Defense Language Aptitude Battery (DLAB). I scored high enough on the DLAB to be able to qualify for any language that the Defense Language Institute (DLI) had to offer. As a result, I signed a contract to be a cryptologic linguist.

It was a few more months before I shipped to boot camp. The relevance of the next four months is of little consequence to my path into InfoSec, but it was there that I learned discipline and grit. After basic rifleman training, I attended DLI where I studied the Levantine dialect of Arabic.

The course was 64 weeks, 6-7 hours a day of class, with 1-3 hours of homework each evening, in addition to military duties and physical training requirements. I quickly realized that raw intellect is not enough to pass that program. The penalty for failing the class, at least in the Marines, was typically an unpleasant reassignment to some occupational specialty that needed warm bodies. That external sense of doom pushed me to learn how to study.

My efforts and the discipline earned in the military paid off. I wasn't the best student, but I did successfully navigate a grueling year and a half (and was amongst three of the 21 students in my course to pass). I learned how to learn and was now confident in my ability to tackle challenging academic pursuits. This, more than anything, has shaped my ability to work in InfoSec.

Over the next few years, I finished my training and went to work in the fleet. As part of my work, I found myself managing small teams that included one or two systems administrators that were trained to run our information systems in the field. I felt obligated to learn at least somewhat what their responsibilities included--especially because they often were not allowed to sleep until their work was done. So I side-saddled with them and watched them work. They answered my questions and I lent them an extra pair of hands for tasks like running cables and whatever operational maintenance they needed help with. This rekindled my interested in computers. Military training exercises got me interested in adversarial emulation.

When the time came to start thinking about my life after the military, I asked one of my system administrator friends for their recommendation in what path I should pursue in IT. They told me that "the money is in security right now." I also still possessed an interest in software development. In the end, I decided to file voluntary early release packet for the purpose of higher education. Once approved, this packet allowed me to have my orders on my contract changed to be able to exit the military two months early in time to start a civilian education program. Because of this, I was able to start a computer information systems program in January 2018 instead of having to wait for the summer or fall semesters after the end of my contract.

During my meeting with my advisor, I was given the opportunity to pick from systems development or information security concentrations, or a double concentration in both. I opted for the double concentration as it offered both of the skill sets that I was interested in. My goal was to get a job in IT security, but I knew that realistically I would have a better opportunity of becoming a software developer and transitioning into InfoSec later.

A lot of people have a lot of different opinions about college, but I got a lot out of it. Did it prepare me for the job? No, not necessarily. But I leaned into my studies, took a job at a help desk, and graduated with a 3.97 GPA. I was able to internalize a lot of fundamental knowledge that I still rely on in my day-to-day work. I also participated in the inaugural SANS Cyber FastTrack competition in 2019. Of the original 13,000 participants, I was one of one-hundred students to be awarded a scholarship to SANS for the upper-division undergraduate certificate in Applied Cybersecurity. This competition, more than anything, paved the way for me to get into InfoSec.

After completing my undergrad, and while still working at the help desk, I realized that while I had a degree I still possessed a number of knowledge gaps. I decided to fill these gaps as best and as quickly as possible, prior to starting my studies at SANS. As a result, I earned A+, Network+, and CySA+ in a period of a few weeks (to add to Security+ from my undergraduate program). Then, during my SANS program, I earned GSEC and GCIH prior to moving into a software engineering role as a junior developer. Later that year, I completed GPEN. During my studies, I also took part in various CTFs, such as the SANS / TraceLabs OSINT for Good CTF (my team placed third) and the National Cyber League (placing in the 99th percentile).

At this point, I felt like I was ready to start applying to be a junior penetration tester. I was wrong. I only earned one interview at one company and was beat out by a peer who was simply better than me at hacking. Fortunately for me, as I was not satisfied with my current employment, the recruiter from the company I originally interviewed to be a penetration tester for encouraged me to apply for a software development role. Ultimately, I was offered the position, along with a considerable boost in pay and fully-remote work (compared to a hybrid week-in, week-out schedule at my first software job due to COVID).

This new role was considerably harder than anything I had done before. I burned midnight oil and performed what DevOps would refer to (negatively) as "heroics" to meet a demanding timeline on my first project. Once that was complete, I moved on to another project with the company. The timeline for this application was much more reasonable, but the scope of the work was still large and required a fair amount of R&D, as well as a few late-night debug sessions with a teammate or two during the integration phase. As this was, by nature, a cybersecurity consultancy, the tools that I helped build were cybersecurity related and allowed me to further learn about offensive and defensive operations and automation.

In my off hours, I continued studying penetration testing. I added the PNPT to my alphabet soup of certifications (happily with the early adopter logo for being one of the first 100 to complete the task). It was also during this time that I learned and began to value the magic of networking. When I completed Practical Ethical Hacking by Heath Adams (aka the Cyber Mentor), I noticed that his tool--Breach Parse--had a few open issues. One issue was opened by Heath. I decided to go ahead and implement it and open my first PR for an open source project. A few weeks later, Heath merged it and I officially became a contributor.

This apparently put me on his radar as he followed me on Twitter shortly thereafter. At some point, I slid into his DMs and we began talking casually every once in a while. One night, several whiskies deep, Heath had posted that he was looking for a web developer to help him implement dark mode on the TCM Academy. I once again slid into his DMs and ultimately said something to the effect of "eh, fuck it. I'll implement the dark mode if you want me to." He asked me my rate and I said whatever he thought was fair--I'd never freelanced before.

So for the next several weeks, I spent my spare evenings implementing dark mode. For the unaware, TCM Academy relies on Teachable as its content management system. Teachable allows customers to write custom code in a few select areas of their school. Heath and I both expected this to require maybe 10 hours of work--simply write a CSS stylesheet for darkmode, then create a toggle button to turn it on and off. It wound up taking considerably more effort than originally anticipated, for several reasons, but I'll suffice it to say that my study of offensive payloads absolutely paid off in this situation (I execute my custom code by abusing the onerror attribute of an image tag, and then used the JavaScript to remove the image from the DOM after executing). Heath will jokingly tell you this was my interview.

Months later, I decided to open an LLC in case I took any more freelance positions. Having an LLC allowed me to keep my business finances separate from my personal finances, as well as to shield me personally from liability in the event something went south with a client. As luck would have it, a few weeks later Heath once again posted on Twitter that he was looking for a 1099 Python developer to help him out. I once again slid into his DMs--he said "I thought you were web?". Again, he agreed to bring me on for contract work and again I spent my free evenings working in this capacity to help improve the exam infrastructure for the PNPT. He offered to bring me on as a full-time employee, but being in the middle of a project at my current role and content with my work-life balance and the atmosphere, I declined.

It wasn't until I wrapped up my second project with my employer and came up on my one year mark that I decided it was probably time to head to greener pastures. We ultimately had a disagreement about compensation and I got word that I was probably going to get pulled off of development so a more junior hire could maintain my code with less overhead costs. This was going to require me to travel, which I did not want to do. I asked Heath if the offer was still on the table and he once again invited me to come on board at TCM Security, where I currently work as a security engineer.

For me, this is the best of both worlds, because I get to continue relying on my hard won full-stack skill set. I'll also be able to sharpen my red team skills under the mentorship of Heath, Joe Helle, and Steve Amador as our operating tempo increases (and my current project is in production). The learning never ends, though. I've lately been spending my free cycles studying DevOps as well as AWS, and I just recently started a Master of Science program at SANS.

This concludes my journey into InfoSec. As I said, it's non-linear and, in my opinion, atypical. I don't have any magical insight or fundamental secrets to getting into the field. I would say that the takeaways, if any, are to be a lifelong student of the craft, discipline yourself to get your work done, dig deep and persevere during the process, and don't be afraid to reach out to people you respect within the industry to network. Ultimately, it's a lot easier to walk into a company through the side door than it is to go through security.

I don't think I would have done anything differently, but I would recommend that you tailor your education to the role that you ultimately want to find yourself in. At the end of the day, nobody really has cared that I got A+, Network+, CySA+, Pentest+, or even a degree. All that really mattered was that I was able to seize opportunities to demonstrate that I was capable and competent.

infosec#cybersecurityLearning Journey