How to learn IT security in your spare time

When considering how to learn IT security, never underestimate the power of a few minutes of downtime.

Two thoughts come to mind when I think of boredom: "The devil finds work for idle hands," and "war consists of days of excruciating boredom mixed with seconds of pure horror."

Don't get the connection? Don't worry, stay with me.

Apply these seemingly incongruous ideas to savvy software people fighting workplace boredom, and you'll quickly see how periodic downtime can supply the devil with ample idle hands.

I, for one, experience this from time to time in the lulls that periodically creep into my workdays. In my early days on a Unix network (way back in the 1980s), I used those lulls scuttling from machine to machine, searching for logons, what was in that /etc/passwd file and learning how to write directly to another guy's screen.

All of this experimentation and self-taught knowledge didn't make me an expert, just an enthusiast. Even if it did make me somewhat of an expert, I didn't have much opportunity to use my newfound skills. The Internet was a friendly place back then, leaving me, and those like me, bored.

Fast-forward to 2003. The Internet is no longer a small, implicitly trusted community of government and academic institutions. Everyone from Fortune 500s to basement-dwelling malcontents roams the digital highways, and some seek to harm poorly guarded networks.

Who is there to guard the battlements of my company's binary castle? Me.

I'm no better prepared than when I was 20 years before on that Unix network. So where did I start? From the bottom.

First, I put WinProxy on my system connected to a cable modem. Then I added BlackICE Defender, which details the insistent pings of script-kiddies probing my network. Hmm, watching these graphics is more interesting than reading hundreds of pages of patents (anyone's cure for insomnia). I go from being bored to being fascinated.

With plenty of time on my hands, I could download tools for retaliating against--uh, investigating--the perpetrators. I started downloading: NeoTrace, Sam Spade, NetScan Tools, Port Detective, etc. I started NeoTrace. It grabbed an address I'd snagged from BlackICE, and worked its way back through the Internet to a point of origin. Yes! Now what?

Was this address, found by NeoTrace, the home of a wrongdoer? Or was it just a firewall for another network? No way to know--it was just a name. I couldn't just go charging in after some shadow user. Or could I?

After cooling off, I installed a hardware firewall and router. Then I started reading and skimming books: Secrets & Lies, Hacking Exposed (the 400th edition, or whatever they're up to now), the Anti-Hacker Toolkit and so on.

Whoa! Launch my own "investigation" across the Internet, and I could make someone mad. A few well-placed words from some offended ISP could sink me. But the world of the 'Net is deeply polluted with such traffic, all the time--and some of it is aimed at me.

I called my ISP and told them about the attempted intrusions. "Are the addresses ours?" the ISP contact asked.

"Well, some are, and some aren't," I said.

"OK, just give us the addresses from our own domain. We can't do anything about the others."

"You mean the rest is up to me?" I asked.


"Bored now," I wanted to say, echoing Willow, the witch on "Buffy the Vampire Slayer," just before she turns someone to ashes.

Maybe it was time for some real digging. My toolkit has some fine and dangerous tools. But that would make me a reflection of the guy who'd been snooping my system. I'm not a professional hacker. I'm an IT patents expert. I'm doing what I wanted to do when I grew up. Shouldn't I leave such investigations to the pros?

Hmm, time to close my bristling toolbox and address the basics: upgrade my router software, check my passwords, and get back to that stack of patent applications and reviews on my desk.

The best advice I can give any bored IT professional: accept the boredom and skip the pure horror part.

Dana W. Paxson researches and writes patent applications for a law firm, studies physics and writes science fiction.

This was last published in June 2003
