Expanding capability horizons : Homelabs and beyond

Career in Information Security

A introduction to career options in information security domain along with other advices useful for people starting into information security.

This was first delivered @ c0c0n 2023 career village

youtube Video

AI Generated Summary

This talk focuses on the importance of cross-skilling in information security through hands-on experience with home labs, addressing the empathy gap between different roles in the industry.

Key Topics Discussed

The Information Security Landscape Problem:

• Too many branches and subcategories in infosec landscape
• People specialize in one area: Defender, Attacker, Developer, Ops, Security
• Never pay attention to what other people are doing
• Results in lack of empathy and understanding

Common Empathy Gaps:

• Security professional to developer: “Just patch it, what’s the big deal?”
• Developer to security professional: “Just pentest it, 3 hours is more than enough”
• Developer to Ops: “It works on my machine, why isn’t it working at your end?”
• Ops reality: AWS scaling isn’t instant - regions have CPU thresholds, quota extensions take hours/days
• These problems stem from not understanding work culture, work profile, and how others handle work

The Solution: Cross-Skilling Through Home Labs

• Self-learning to bridge the gap
• Ops person can try security and development
• Developer can try Ops and security
• Don’t need to be full-fledged, but experience the whole journey:
  • Take nothing → Build software → Deploy software → Perform tests → Validate → Get attacked → Secure yourself
• Empathy angle is necessary and needed - missing most of the time
• Anyone in product security or cross-functional interactions would agree people lack empathy

Why Home Labs Now:

• Cost reduction: Hardware available for ₹5,000 (fresh or secondhand)
• Free cloud resources: Oracle Cloud offers 1 ARM VM free for lifetime
• Automation: Readymade templates (Ansible, Terraform scripts) - just change variables and run
• Reduced friction: Earlier required manual configuration, now automated
• Firsthand experience builds confidence and provides background
• Understanding why “patch is easy” becomes “I can’t immediately upgrade” when your server goes down

What You Can Do in Home Labs:

• Host your own servers (WordPress, Joomla, containerized applications)
• HTTP server, DNS server, firewalls
• Pi-hole: DNS-based advertisement/malware blocking (25% of DNS traffic blocked daily)
• NAS: Local cloud, backup data (don’t need Google Cloud for everything)
• Network isolation: IoT devices on separate router
• VPN network: Tailscale/Headscale for accessing devices globally
• Password manager: Self-hosted (after LastPass hacks, people want to own their data)

Hardware vs Cloud:

• Hardware needed for: Pi-hole (portable/small hardware, can run on laptop), NAS (physically at location)
• Cloud works for: Websites (still counts as your lab if you maintain it)
• Free resources: free-for-dev URL lists free services from Oracle, IBM, Amazon, Azure

Upskilling Requirements:

• Need to understand how other systems work
• Plenty of online resources available
• Search for setup guides (Nginx, web servers)
• Get detailed documentation, Terraform/Ansible/shell scripts
• Follow guides, change variables, get setup done

Maintenance Challenges:

1. Software Upgrades:

• Problem: Corporate world never achieved good inventory
• Solution: Start with smaller environment, maintain your own inventory
  • Excel sheet, software, or text field
  • Know what hardware/software is in use
• RSS/Email feeds: Subscribe to update notifications
  • Example: ASUS router → ASUS Merlin custom firmware → RSS feed → Email notification → Trigger to update
• Perform periodic updates: Knowing update is available is half the story, actually doing it is the other half

2. Hardware Issues:

• Hardware failures exist even in cloud (AWS sends message: “We lost your VM due to hardware failure”)
• SMART data: For hard disks, tells you if failure is occurring
• Be cautious about noises: Loud fans, clicking noises = potential hardware failure
• Example: NAS purchased 2014, first hard disk failure 2021 (7 years constant read/write)
• Spares: Don’t recommend keeping spares (consumer grade failures rare, warranty replacements, Amazon/Flipkart delivery in hours/days)
• BCP/DR process: If server/NAS is down, have way to recover data

3. Backup Strategy (3-2-1 Rule):

• Three copies of data
• Two different media types
• One offsite copy
• Example: Laptop copy → Cloud → Local hard disk (Time Machine)
• Protects against: Media type failure, location failure (fire)

Personal Setup Example:

Network Setup:

• ASUS router with ASUS Merlin firmware: Configured network travels with router
  • Plug into any ISP, DHCP connection, network remains as configured
  • Saves time when moving locations
• Pi-hole on Raspberry Pi: Blocks 25% of DNS traffic (advertisements, malware)
• Two NAS devices: Store photographs, videos, audios, backups
• Tailscale VPN: Proprietary (open source alternative: Headscale)
  • All devices on single network when connected
  • Access devices globally
• Personal server: 40 cores, 128 GB RAM, two processors
  • Cost: ₹80,000-90,000 (bought from data center discards - 6-year-old enterprise grade rack mount)
  • Hosts containers, VMs, self-hosted LLM model (trained on personal knowledge management data)

Cloud Setup:

• Server hosting static sites
• Nginx server
• Fediverse/Mastodon-compatible ActivityPub software (social.anantshri.info)
  • Own social network, own data
  • If entire fediverse gone, data remains

Backup Architecture:

• Web server (static sites + ActivityPub) → Tarsnap
• Mac machine → Google Drive/OneDrive → Time Machine + Cloud
• Obsidian (PKM) → Synology NAS → Backblaze + iDrive (two separate copies - critical data)
• iPhone → Synology + iCloud
• Pixel device → Synology
• Tailscale enables automatic sync: Photos clicked → Automatically synced to NAS

Automation Example:

• Data flow: LinkedIn, Twitter, public websites, ebook highlights, personal books, research papers
• All piped into Obsidian system
• Obsidian backed up via Synology and other places
• Fun and dopamine hit: Constantly working on automation, enjoying the process

Holistic Growth from Home Labs:

• Networking understanding: Classless IPs, different classes, subnetting schemes
• Server management: Set up own servers
• Backup and recovery: Understand 3-2-1 rule, deploy logic
• Network monitoring: Pi-hole monitors DNS traffic, can set up other monitoring agents
• Software deployment and maintenance: Experience corporate tools in simple local version
• Automation capabilities: Key capability to develop
  • Move from individual doing certain number of things → Someone able to do more than 1-2 people’s job
  • “If you are capable of automating stuff, you are in the position where you have moved away from being an individual who can do certain number of things to someone who is able to do more than one or two people’s job”

Q&A Insights:

Power Consumption:

• Rack mount server: 750W rating, generally runs at ~100W
• Smaller devices (Intel NUC, Raspberry Pi, Orange Pi): Very minimal power consumption (few watts)

Fire Hazards:

• Need air flow around devices
• One rack mount server on desk is fine (ensure air flow, fans take care of it)
• Unless running at 100% capability constantly → Need external fan/cooling
• Raise from ground so air flow not blocked

Key Insights:

• “Empathy angle is a very needed angle” - missing most of the time
• Home labs provide firsthand experience that builds confidence
• Automation capability is key differentiator
• Corporate world problems can be experienced in simple local environment
• 3-2-1 backup rule is essential
• Hardware failures are rare but need to be prepared
• Free cloud resources make starting easier than ever

Important Tools and Resources Mentioned:

• Pi-hole - DNS-based ad/malware blocking
• Tailscale/Headscale - VPN networking
• Ansible/Terraform - Automation scripts
• free-for-dev - List of free cloud resources
• ASUS Merlin - Custom router firmware with RSS feeds
• Obsidian - Personal Knowledge Management
• Synology NAS - Network attached storage
• Tarsnap, Backblaze, iDrive - Backup services

Actionable Takeaways:

1. Start with home lab to build cross-skilling and empathy
2. Use free cloud resources (Oracle Cloud free ARM VM) or cheap hardware (₹5,000)
3. Automate everything - use Ansible/Terraform scripts
4. Implement 3-2-1 backup strategy
5. Subscribe to RSS/email feeds for software updates
6. Monitor SMART data for hardware health
7. Start with smaller environment, maintain inventory
8. Experience full journey: Build → Deploy → Test → Get Attacked → Secure
9. Develop automation capabilities - key differentiator
10. Use home lab to understand corporate tools before deployment