Tuesday, May 3, 2011

Guest Post: Brandon Tansey "Practical Lessons"

Guest blogger Brandon Tansey is back this week to tell us about his experience as a mentee. He also has some suggestions for thing to do with your mentor, including setting up an at-home hacklab, and getting involved in the Security Community.

It's important to be clear that my last post isn't to say that practical lessons aren't great in a mentor/mentored relationship. My discussion with Marisa also included some thoughts I had on the practical aspects of working with a mentor. There were two main points I looked to get across: work with more than one mentee per mentor, and to focus on helping a mentee make the jump from methodology to practice.

As I mentioned, my experience with Dan began when he started giving presentations at the group on campus. After each meeting he would come back to my apartment and work more closely with people who were interested. The setup we have is great! We're fortunate enough to have a Poweredge 2650 humming away in our apartment. We use it to virtualize all sorts of targets and services (ex: PFSense) and to practice taking down some machines. We used a mix of standard virtualized desktops/servers and some premade target distributions (Damn Vulnerable Linux, Damn Vulnerable Webapp, Metasploitable, etc) to bang on. Our setup makes having people over to practice easy, but having a big, loud server isn't the only way to safely practice on live targets. A desktop virtualization program like VirtualBox can be just as good! Boot up a VM with Metasploitable (or whatever you'd like to attack) and you've already got your own mini-hacklab!

Some nights there were more people coming over than others, however there were two of us that made it week after week without fail. There was myself, and there was a junior networking major at Wentworth named Ian Abreu(@Ian_Abreu). Every week (and often in between) we'd meet up to work on something. Working as a trio was great; it allowed the dynamic to become less teacher/student like and more like a group of people working together. Everyone had something to bring to the group.

I understand that not all mentors are able to devote the amount of time that Dan did. The trio is even better in these situations. Having multiple mentees in a group allows for dialogue even when the mentor is busy between talks. The mentees can help each other grow both their passion and technical ability.

The other comment I had for Marisa was one that may have been more specific to my experiences, however I wouldn't be the least bit surprised to find that other students feel the same way. The comment I made was that it's incredibly handy for a mentor to help a mentee make the jump from methodology to practice.

Before meeting Dan I had done quite a bit of reading. I think the most well-known book I read was Hacking Exposed. The book was an incredible way to learn principles. I feel that the main issue I face, however, isn't the principles. I personally had a hard time starting the jump from reading to doing. I felt that I could describe quite a few techniques and how they worked, but if you asked me how to actually do them I'd be stumped. Technology in general moves quickly, however InfoSec seems to move especially fast. It's because of this that a lot of the reading material out there is far outdated by the time people get to reading it. If I was to redo the last year's mentoring experiences, that is probably the one thing I'd change. I think it would've been incredibly handy to slowly step through a particular methodology and really learn how each step translates from theoretical to practical.

There is one final tip that I feel is incredibly important to stress. Regardless of whether or not the pairing is local, getting mentees involved with the InfoSec community somehow is one of the best things you can do for them. Get them on twitter (or to start following the InfoSec crowd), get them on the mailing lists, if possible get them to local meetups and introduce them to people! The InfoSec community is a small one full of incredibly intelligent people. In my experience, many of these people are incredibly open (if not eager) to help people willing to take the time to learn. It is much easier to meet these people when you approach them with someone they already know! The best thing I personally got out of SOURCE was all of the incredible people I met, and I feel that was a direct result of volunteering for the conference which I did through the people I had already met at the local meetups!

Overall, I'm incredibly glad I was able to find a mentor to work with. I'm not Dan, however I feel that Ian and I were able to give him something through working with him as well. I'd personally consider the InfoSecMentors Project a success for simply putting together a few mentors and mentees. Fortunately they're only limited by the amount of people that express interest! I really do advise you give it a try. You'll be incredibly glad you did regardless of which side of the relationship you sign up for!

You can find Brandon Tansey on his new blog at The Wormhole, on his Twitter feed, or on LinkedIn.