I want to do my part to demystify IT Security — to exclaim to the world that it is not rocket science! It turns out the trick is just to start. Start anywhere.

“If I have seen further, it is by standing on the shoulders of giants.” — Sir Isaac Newton, who stands on the shoulders of giants, on giants, on giants.

This article is for every aspiring cyber-security aficionado out there. You too can be a giant in your niche of the cyber security field!

About the Author

Andrew Douma (www.securitystreak.com) is a vendor-neutral IT Security Professional. He performs professional audits, penetration tests, and risk assessments. He designs secure networks and engineers high-assurance systems in the Cloud. You can connect with him on GoodReads, LinkedIn, Medium, and Twitter.

Early Beginnings

I fondly remember the day I convinced my mom to pay for my first “hacker book” from the bookstore. She had already bankrolled an addiction for Sam’s 24 Hour series by age 16 — but this book was next-level! Once home, she facetiously told me: “Never get caught. We are financially responsible for you till you are 18!” Knowing her now as an adult, I am certain it was followed up by a longer discussion about social responsibility, ethics, actions and unintended consequences.

The information security community as we know it today was still in its infancy when I started my journey in the late 90s.
At best, it consisted of tight-lipped groups of computer scientists and unskilled skiddies (myself included) exchanging information on private message boards. The written word enables economical transfer of the author’s knowledge to the reader’s mind. With time, more IT professionals entrusted their experience to paper and Google became a thing. Books replaced the ‘inaccurate’ and repetitive forum posts as my source of knowledge.

Learn how to Learn

A valuable lesson to learn is how you can keep up an accelerated pace without experiencing burnout.

“Most people overestimate what they can do in 1 year and underestimate what they can do in a decade.” — Bill Gates

The course Learning how to learn: Powerful mental tools to help you master tough subjects by Dr. Barbara Oakley was a catalyst for this. It is available on Coursera for free, and also available in Chinese, Portuguese and Spanish. The book “A mind for numbers” is heavily endorsed throughout this course. It is not actually about math. A recent addition to this genre is the book Learn Better. Though the summary below is no substitute for the course itself:

It turns out the trick is just to start. Start anywhere. Initially, you will feel a lot of anxiety and discomfort when tackling a tough topic — feelings my brain actively fights by switching my focus to strategic plans, client threat models, Internet puppies or Netflix shows. A lot of Information Security Fundamentals can be tedious to master. They recommend applying the Pomodoro Technique to get you started. Consider adding distraction blockers like Freedom.to to your routine. Learning can be a positive experience! In the long term, much like dieting, the discomfort goes away and satisfaction returns in its place.

You will learn about different thinking modes: letting your thoughts wander (diffused-mode) and concentrating on things (focused-mode) at the right time. It teaches you the importance of taking the time to rest after your studies, then coming back to them and recalling what you learned. You simply can’t cram knowledge into your brain all day and expect it to stick. Make remembering easier by using the free flashcard app Anki. Research shows that revisiting and practicing what you learn a few days later is the best way to create and strengthen the synaptic connections.

Daily physical exercise and maintaining a vibrant social life help your brain produce needed neurons. Sleep hygiene is equally important, as brains sweep themselves clean of toxins during sleep. It is even better to sleep right after your studies to fully benefit from your brain in diffused mode.

A few examples of what you will learn: memory recall, chunking, the illusion of competence, procrastination, routines, memory techniques, perseverance, deliberate practice, taking responsibility and effective test taking are a few of the topics you will add to your mental toolkit as you proceed on your journey.

“Frankly, though, I think most people can learn a lot more than they think they can. They sell themselves short without trying. One bit of advice: it is important to view knowledge as sort of a semantic tree — make sure you understand the fundamental principles, ie the trunk and big branches, before you get into the details/leaves or there is nothing for them to hang on to.” — Elon Musk

What works for me may not do well by you, but I submerge myself in a particular domain for six months — and use the knowledge gained for every project. You will never finish exploring the mysteries of any Science. Focus on the underlying fundamentals and get ready for the future!

“A wise man knows, he knows nothing at all”

I aspire to maintain a 6-day a week learning routine (~1250 hours/year): books, blogs, wikis, podcasts, video courses and plenty of practice with hands-on Virtual Machine & VPN labs.
For myself, this involves tackling that challenging 700+ page book while distracting my body with the gym’s elliptical. I have had reasonable success reading a few pages at a time on my Kobo H2O in between “recall” laps in the pool. Having different tutors repeat the same fundamental principles in their own way has proven to be very helpful in making them stick. Building out a Wiki/knowledge-base of those lessons for later review has been a game changer — especially looking back over time.

Security Engineering — Building dependable distributed systems

A hacker’s edge comes from knowing how all the pieces interact within the bigger picture: to break something you need to be able to find the weaknesses, to find the flaws, and know where the mistakes are made.

Professor Ross Anderson wrote its 2nd edition in 2008 — and they still use it for 3 courses at the University of Cambridge to this day. This is the only book in recent memory that I have read cover to cover twice over. It is available for free online. It is over 1000 pages, but don’t worry, the last 100 are referenced sources.

“Security engineering is about building systems to remain dependable in the face of malice, error, or mischance.” — Ross Anderson

It attempts to define what Security Engineering is and touches on Security UX, Security Theater, human interaction & psychology. It provides an excellent introduction to Cryptography and explains key digital and offline security concepts. The author has real world experience, discusses a history of thrilling case studies, security successes, and failures — across multiple industries (aviation, banking, commercial, military, nuclear, etc). This book gives you the opportunity to learn to spot and avoid classic security mistakes — mistakes which are so commonly repeated during the design and implementation phases of any IT project.
Operating Systems — Three Easy Pieces

As the son of a (loving) father, who deemed his son too social for “Computer School” — I have managed to get ahead in security with a surprising lack of coding skills. I never learned a programming language in an academic setting. Despite reading several books on the subject, I previously failed to get excited about coding. It remained a mental hindrance until I received some good advice: start by programming tools that speed up your daily routines — and read a book about Operating Systems (OS) fundamentals. As a visual/spatial thinker, it enabled me to picture what happens inside the CPU’s registers and memory management unit (MMU), and how protocols are interacting with my hard drive/network, for every line of code I write. Coding is far more engaging now!

Operating Systems is written by Professor Andrea Arpaci-Dusseau and her husband, Professor Remzi Arpaci-Dusseau, from the University of Wisconsin-Madison. It served as a personal challenge to put the ‘learning how to learn’ lessons into practice. It is available for free online, or buy it via Goodreads.

Though no substitute for reading the book itself:

Abstractions are fundamental to everything in computer science. Abstraction makes it possible to write a complex program by dividing it into small and understandable pieces. It allows you to write a program in a high-level language like C/C++ without thinking about assembly, to write in assembly without thinking about logic gates, and to build a processor out of logic gates, without thinking too much about transistors.

A modern Operating System aims to provide high performance in an energy efficient way, with a high degree of reliability, while protecting itself and programs through isolation. Every OS takes its physical resources, such as a Central Processing Unit (CPU), memory, and hard drive, and virtualizes them. It has to handle tough and tricky issues related to concurrency and store files persistently. Three easy pieces: Virtualization, Concurrency, Persistence.

Often an OS has to deal with misbehaving programs: those that are either malicious by design or have bugs and by accident attempt to do something that they should not. Even seemingly simple things, such as updating a persistent storage device, get complicated because you have to care about what happens if the process crashes while writing data to disk. Distributed systems are complex and cool. Protocols, the exact bits that are exchanged between machines, can affect everything, including how systems respond to failure and how well they scale.

I can highly recommend this ops-class program and the teachyourselfcs.com website. For those starting from absolute zero, watch this Crash Course by PBS on YouTube and read either Code by Charles Petzold or Computer Systems: A Programmer’s Perspective — and Beginners.re.

Publishers

I spend too much money on books, but in all honesty, it has always been hit and miss. Some publishers will allow anyone to publish, and at times I am missing a prerequisite skill necessary to take advantage of the content. That said, I have never had a complaint about a book published by: Jones & Bartlett Learning | Manning | NoStarch | Sybex (a Wiley brand) | Syngress (especially the Advanced Topics in Information Security series).

Value for money wise, books offer a lot (even mediocre ones). I heavily research the author before purchasing any new releases. Nowadays, I only buy the relevant classics for new domains I am trying to master. Big shout out to the free eBook Community series from Peerlyst!

Mind Maps & Cheatsheets

Mastering any Computer Science domain relies on your ability to improve your existing mental model. Books and courseware offer insight into someone else’s.
LAN Attack Flow Diagram (image, credit @noperik)

Developing that conceptual understanding of what is happening is more useful than trying to interpret a specific piece of code. This process often results in useful Awesome-Awesome Lists, Mind Maps, and Cheatsheets. A few worth mentioning: AdSecurity.org | DSInternals.com | Dome9 Cloud Security | The Grey Corner | Hackipedia | HTML5Sec.org | HighOn.Coffee | JustHackerThings | NetSparker SQLi | Sakurity Oauth | Offensive CounterIntelligence | OWASP | PentestMonkey | PwnWiki.io | Pentest.guru | Sans Cheatsheets | SecurePlanet Cheat Sheets | SQLInjectionWiki | WS-Attacks.org | etc.

Capture those Flags!

Without deliberate practice, the knowledge we gain will not stick.

“Stop learning by watching the game, start learning by playing it.”

“Not having heard something is not as good as having heard it; having heard it is not as good as having seen it; having seen it is not as good as knowing it; knowing it is not as good as putting it into practice.” ― Xun Kuang

InfoSec giants have written CTF field guides and taken the time to create vulnerable systems and sites you can legally hack: Binary-Auditing | Challenges.re | CrackMes.de | Corelan.be | Exploit-Exercises | Flaws.cloud | FuzzySecurity | Hack.me | HackSplaining | MCIR | Metasploitable3 | MicroCorruption | Mutillidae | Security Shephard | VulnHub | WebGoat | WebSecurityDojo | QueQuero | etc.

Tackle these from offensive & defensive systems: Alpine | BlackArch | BackBox | Bugtraq | Kali | LionSec | Mercenary | REMnux | RITA | Santoku | SecurityOnion | SIFT | Whonix

Once you feel comfortable, try your luck with a reputable bug-bounty program and earn some hacker-lab money! This rabbit hole I will leave for you to explore.

Hackerlab

You now have an excuse to spend money on your hackerlab: buy any laptop with good hardware support for virtualization. Pick your favorite dom0 OS and download some virtual boxes. Follow @da_667’s guide to hypervisors; I prefer it with OPNsense. Install Kali as a guest VM and run @g0tmi1k’s configuration script. Depending on your threat model, you can use prebuilt VMs from sources such as Bitnami, OSBoxes, Trend Sigma, and VMware to speed things up. Start attacking those vulnerable machines!

Optionally, buy a Panda Wireless PAU06 for WiFi work (<$15) and the RTL-SDR Blog dongle for Software Defined Radio (<$25). @michaelossmann recently released a free course in Software Defined Radio (SDR)!

Information Security Domains

The domain of Computer Science ranges from theoretical (coding theory & methods, algorithms & data structures, etc) to the applied domains (architecture, engineering, security & crypto, etc). If you are committed to becoming a security professional, there is a wealth of information for you to take in; just keep building out those mental models and deliberately practice with new tools. Remember, the trick is to start somewhere!

The skills you need to acquire come from hours of tedious, challenging and at times boring work. Everyone wants to be a “hacker” — few have the perseverance to gain the cross-domain expertise needed to become an “IT Security professional”. You are likely to pick up a smorgasbord of “Purple” skills as needed, regardless of job title. Remember: combine the scientific method with your awesome Google-fu and enjoy hacking life.

“Experience is something you do not get until just after you need it.”

Languages of the world

Being Frisian — a people located in the Netherlands, known for their war horses and fierljeppen — English is my 3rd language. Thanks to my mom (speech therapist), Cartoon Network, and my friendly 78-year-old high school English teacher (who mostly had us read classic literature out loud), I was able to achieve bilingual proficiency early on. Not every (far more) skilled hacker is going to have perfect fluency.
I have met exceptional talent from all over: Costa Rica, Hong Kong, Italy, India, Romania, and Sudan — most of whom are at a disadvantage in Europe and the United States. Their written and spoken word may leave room for improvement, but they might give your organization the edge it needs to ensure its future. There is a vast untapped talent pool out there. Keep this in mind next time you are handling a bug-bounty/report or interviewing a candidate.

Security/Risk Frameworks & Methodologies

I am hardly the only one aiming to contribute to the field of IT security. Here is a list of organizations that are tirelessly working to improve industry & regulatory standards: Australian Department of Defense (DoD) | Center for Internet Security (CIS) | Microsoft | U.K. National Cyber Security Centre (NCSC) | U.S. Department of Defense (DoD) | U.S. National Information Assurance Partnership (NIAP) | U.S. National Institute of Standards and Technology (NIST) | U.S. National Security Agency (NSA)

You should also be aware of the following initiatives: ASIS International | Disaster Recovery Institute (DRI) | Enterprise Risk Management Framework (COSO/RIMS) | Federal Risk & Authorization Management Framework (FedRAMP) | Common Security Framework (HITRUST) | Information Technology Assurance Framework (ITAF) | National Electronic Sector Cybersecurity Organization Resource (NESCOR) | Open Web Application Security Project (OWASP): Vulnerabilities | Testing Process | FAQ | Guidelines | Cheatsheet | Guides | Code Review | OpenSAMM Software Assurance Maturity Model | Open Source Security Testing Methodology Manual (OSSTMM) | Online Trust Alliance (OTA) | Penetration Testing Execution Standards (PTES) | Sherwood Applied Business Security Architecture (SABSA) | TOGAF Open Group Architecture Framework

Again, a hardly exhaustive list.
E-Learning

Though we all might wish we had the time and money to go to courses like these, there is plenty of quality courseware available for free: Cybrary.it | HackAllTheThings! | Massive Open Online Courses (MOOC-list) | MIT Open CourseWare | OpenLearning | OpenSecurityTraining.info | ProfessorMesser.com | RPISEC | SecurityTube.net (& MegaPrimers) | University of Maryland College Park

WARNING: You are about to enter the world of for-profit cyber-training business models. Spend your money wisely.

I value the lab-based training provided by PentesterLab, Offensive Security, and eLearnSecurity. I am curious about HackDojo and CTF365, and have positive things to say about: CyberTraining365 | INE | InfiniteSkills | IPExpert | GIAC SANS | OpSecX | PentesterAcademy | PluralSight | SecurityTube Training | University of Stanford Center for Professional Development

A great resource is the NICCS Education & Training Catalog.

Course materials and exams written by German/Russian authors are presumably audited by the Italian company, but eLearnSecurity’s courses & exams can at times leave you lost in translation. I recommend to only pick one recently updated course: PTP or MASPT.

Offensive Security’s courseware and limited-time lab exams are a rite of passage within the Penetration Testing community — but a common critique is that the materials are outdated. WiFu v3 at least is essentially an Aircrack-NG training.

I am not a fan of Udemy, InfoSec Institute, nor EC-Council. I think it is safe to add the line “Intro to…” before the title of any course. Mastering a domain takes both education and experience.

University Degrees

Until recently, you could graduate in Computer Science and never have sat through a class on IT security — let alone have the ability to graduate with a specific Cyber Security specialization. For those aspiring students: CyberDegrees | HackEducate | NSA/DHS Center of Academic Excellence | OnlineEducation | SANS Technology Institute

As always, a search engine is your “friend”.

Certifications

Certifications by Offensive Security are well respected within the Penetration Testing community. CREST certifications are a requirement for anyone in the United Kingdom/EU — and they are expanding internationally. Challenge any SANS GIAC cert for $1250 or pay $6000 + $690. With vendors doling out CPE credits to sit through their webinars, my main objection against the ISC2 business model has dissipated — though their experience requirements are stiff. I have also heard good things about Mile2 certs.

CompTIA offers great introduction level certification. CISSP ($600) is “a mile wide and an inch deep” — ridiculed by the tech-savvy and cherished by HR. CISA and GSNA offer a solid introduction to technical IT audits and Risk Management practices. Mini-certs by Cybrary.it and technical certifications by SecurityTube, PentesterAcademy, and eLearnSecurity serve as proof of much needed practical skills and should not be underestimated. Enterprise vendors and service providers offer their own product-centric certifications.

Personally, I value absorbing the knowledge from the courseware and putting it into practice asap above obtaining the certification, mostly motivated by the economics of time and money. That said, I did sign up today for 90 days of OSCP and am considering pursuing TOGAF9 this year.

Join the community!

Discover a welcoming InfoSec community on Twitter and LinkedIn. Visit local events in your country and get involved! Join Peerlyst and sign up for the SANS DFIR and GPWN mailing lists. Stay open to new ideas and give back to the community when you can.

You will not become a real expert inside of class nor on the job. Try things out, write some code, and break some systems. Read, read, and read more! Start today!

Do you have any advice?
Corrections or additions? Please do not hesitate to reply! Feel free to share your experiences, advice, and questions in private or through the comments section.