You are Not Learning Alone: a Structured Guide for Cybersecurity Beginners

Joining the cybersecurity field as an outsider without a technical background was a transformative journey for me. What immediately captivated me about the industry was its relentless pace and the exhilarating challenge it constantly presented. Interacting with professionals in the field, I was heartened by their overwhelming support for newcomers who genuinely exhibited the will to learn. However, I quickly found a prevailing sentiment: there's a general expectation for newcomers to be independent self-learners. This could be a daunting expectation, especially considering that many potential beginners in cybersecurity aren't inherently self-learners. While innate curiosity is undoubtedly a valuable trait, it's essential to recognize that many individuals, even those with immense potential, need a structured framework to move their initial steps into this vast domain.

In the last few years, significant progress has been made in filling the talent gap in the industry. However, as of 2023, according to the ISC2 Cybersecurity Workforce Study, there were 440,000 new jobs created in cybersecurity globally (an 8.7% increase year over year), but a staggering 4 million positions remained unfilled (a 12.6% increase year over year). This enormous gap results from the disconnect between employers' needs for experienced professionals and the real-world shortage of such expertise

The solution to this talent crunch lies in focusing on the early stages of potential cybersecurity professionals' careers, particularly young students. As a community, it's imperative that we equip the youth with the tools they need to explore cybersecurity as a viable career option. The key is to offer structured, practical, and accessible learning paths. Below are some steps and examples of how to do so.

Study Frameworks Like NIST-NICE

The NIST-NICE framework categorizes cybersecurity work into seven high-level categories: Analyze, Collect and Operate, Investigate, Operate and Maintain, Oversee and Govern, Protect and Defend, and Securely Provision. Each category is further divided into specialty areas and work roles, providing a comprehensive roadmap for career progression.

Table 1: NICE Framework Work Role Categories

This table showcases the broad spectrum of roles within the cybersecurity landscape. By understanding these categories, beginners can better position themselves for a more tailored and informed career trajectory.

For a comprehensive understanding of the NIST-NICE framework and to access a myriad of resources tailored for beginners, one can visit the NICE's Getting Started Resource Center.

The goal is to explore various facets of cybersecurity and determine where passion intersects with proficiency. Since cybersecurity is a dynamic field, there's always room for an individual to pivot, learn, and evolve.

Become Friends with Real Hackers

The cybersecurity community is exceptionally supportive of newcomers. Even seasoned professionals are often open to sharing tips and advice and are incredibly accessible to beginners. The secret to meeting these people is to attend live events.

Real-time interactions at in-person events offer spontaneous questions, discussions, and the possibility for deeper understanding. It’s not just about soaking in knowledge; it's also about networking. These venues are prime opportunities for establishing meaningful connections, potentially leading to mentorships, job placements, or even collaborative projects. Furthermore, many such gatherings have live challenges or hands-on workshops where attendees can put theory into practice, often under the guidance of an expert.

Here's why attending in-person events can be so beneficial for a cybersecurity enthusiast:

• Skill Demonstrations: Directly engage in challenges or workshops, honing skills in real time.
• Staying Updated: Cybersecurity is ever-evolving. Engage in fresh, cutting-edge discussions that might not have reached the wider online community yet.
• Moral Support: Share experiences and challenges with peers. It's comforting and motivating to know others face similar challenges.

When it comes to venues, some platforms and organizations stand out:

• OWASP (Open Web Application Security Project): Renowned for its insights into web vulnerabilities, its global chapters regularly hold meetings and workshops.
• BSides: These community-driven events offer a cozier, more intimate setting for discussions and learning.
• DEF CON: One of the hacker conventions, it is an excellent place for someone keen on diving deep into hacking and cybersecurity.
  

When planning to attend, here are a few tips:

• Engage Actively: Don't just be a passive participant. Engage, ask, discuss!
• Prepare: Go through the event's schedule, note down sessions of interest, and research the speakers.
• Follow-up:Did you connect with someone interesting? Drop them a thank-you note or a simple message post-event. It could be the start of a valuable relationship.
  

So, if you're aiming to deepen your cybersecurity knowledge and network, attending such events could be the stepping stones to your next big opportunity.

Participate in CTF Challenges and Hackathons

Capture The Flag (CTF) challenges are competitions where participants solve cybersecurity puzzles ranging from cryptography to web application vulnerabilities. These challenges offer beginners a practical, hands-on experience in solving real-world cybersecurity problems. For example, the DEF CON CTF event annually attracts a global audience and has puzzles suitable for all skill levels.

Engaging in CTF challenges directly correlates with several areas outlined in the NIST-NICE framework:

• Analyze (AN): Deciphering cryptographic puzzles in CTFs sharpens skills pertinent to the Analyze category, where one evaluates incoming cybersecurity information.

• Protect and Defend (PR): Addressing vulnerabilities during a CTF strengthens a participant's capabilities in identifying, analyzing, and mitigating threats to IT systems, aligning closely with the Protect and Defend category.

• Investigate (IN): Some CTFs involve forensic challenges, aligning with the Investigate category, where one examines cybersecurity events or crimes related to IT systems.

• Securely Provision (SP): Tackling challenges where participants must secure or harden systems mirrors the Securely Provision category, emphasizing the design and creation of secure IT systems.

  
  

By immersing oneself in CTFs, beginners not only gain valuable hands-on experience but also better understand the different roles and areas they might be interested in as per the NICE framework. It provides a tangible, engaging way to explore and deepen specific cybersecurity competencies.

Join Bug Bounty Campaigns

In a bug bounty campaign, companies incentivize ethical hackers to find and report vulnerabilities in their systems. This practice is becoming increasingly prevalent among leading technology companies, realizing the value of the global pool of independent security researchers. For instance, tech giants like Google, Facebook, Apple, Microsoft, and Twitter have all rolled out their own bug bounty programs, encouraging ethical hackers to identify and responsibly disclose potential security flaws in their platforms. By offering these campaigns, these organizations not only enhance the security of their systems but also foster a symbiotic relationship with the cybersecurity community. For example:

• Google's Vulnerability Reward Program (VRP) rewards researchers who uncover security vulnerabilities in Google's products and services. Their reward amounts can range from $100 to over $30,000, depending on the severity of the flaw and the product affected. In some exceptional cases, even higher rewards have been granted. Google's VRP has been instrumental in ensuring the security of products such as Google Chrome, Android, and Google Cloud Platform.
  
• Apple's Security Bounty Program invites security researchers to find vulnerabilities across iOS, macOS, and other Apple software. The payouts can be quite substantial, with rewards for the most critical issues reaching up to $1 million. This reflects Apple's commitment to user privacy and security.
  

Platforms like Bugcrowd, Hackerone, and Intigrity have also streamlined the process, acting as intermediaries connecting ethical hackers with organizations, including those that might not have independent programs like Google or Apple. Once a vulnerability is identified and reported through these platforms or directly to the companies with established programs, it undergoes a verification process. If validated, the researcher could receive a financial reward, recognition, or both.

Focus on Practical-led Training

For beginners, there are web browser-based labs. These labs allow users to practice in a controlled environment directly within their browsers. While convenient and easy to access, these platforms might not fully replicate the complexities and intricacies of real-world systems. They are good introductory tools, but as users progress in their cybersecurity journey, they might find them less challenging.

On the other hand, there are virtualized environments that require VPN access. These platforms offer environments that are almost identical to actual company infrastructures. The virtualized scenarios are meticulously crafted to emulate real-world networks, servers, and workstations. As users connect via VPN, they feel as if they are truly inside an operational network, providing a level of authenticity that web browser-based labs might lack. This type of environment allows for a deeper exploration of tools, tactics, and procedures, effectively training the participant to tackle genuine cybersecurity threats. The rigorous training in these environments ensures that participants are job-ready and fully prepared to address the multifaceted challenges they might face in their cybersecurity careers.

By experiencing both types of training, candidates can appreciate the gradient of complexity in cybersecurity challenges and better hone their skills to be effective professionals.

Here is a list of free or affordable practical cybersecurity training resources for beginners:

• OverTheWire: Provides a series of war games designed to teach the principles of security from the basics to advanced concepts. It's a great starting point for beginners wanting to learn Linux commands and simple penetration testing techniques.

  
  

• Root Me: This platform offers more than 300 challenges across different domains to help users improve their hacking skills. It provides a hands-on approach to learning about network security, web application security, and more.

  
  

• PortSwigger Academy: Developed by the creators of the Burp Suite, this academy offers free hands-on web security training. It covers a wide array of topics from basic to advanced web vulnerabilities.

  
  

• PWNX.io: Provides a beginners-friendly courses paired with VPN-based real-world training experience, emulating genuine cybersecurity scenarios.

  
  

• PWN.college: A platform designed primarily for students to learn about cybersecurity. It offers educational modules tailored to different skill levels.

  
  

• TryHackMe: An online platform that aids learning in cybersecurity through hands-on virtual labs. Its gamified challenges range from the very basics to more advanced, catering to users of all skill levels.

  
  

• Hack The Box: A platform that provides various cybersecurity labs and challenges. While it does cater to users of all skill levels, some of the challenges can be very advanced, making it ideal for those looking to progress beyond the basics.

  
  

• TCM Security: TCM Security offers self-paced cybersecurity courses that cover topics such as penetration testing, security training, and compliance. Additionally, they provide certifications that are increasingly gaining reputation in the industry.

The resources mentioned above represent just a snapshot of the many tools and platforms that have gained attention and appreciation within the cybersecurity community. The realm of cybersecurity training is vast, and the list of valuable resources extends far beyond what's provided here. Additionally, there are numerous open-source projects and other content available online that can be instrumental in enhancing one's learning journey.

Specialized forums and websites, which I will detail in the next paragraph, can be invaluable in discovering reviews or feedback from other community members. This feedback provides insights into the quality of new resources that are constantly being released.

Leverage Social Media and Forums to Find a Mentor

In the vast realm of cybersecurity, guidance from someone experienced can make all the difference. Platforms like LinkedIn can be particularly beneficial, not just for networking, but also for identifying potential mentors. By carefully reviewing profiles, joining relevant groups, and actively participating in discussions, you can showcase your eagerness and catch the attention of experienced professionals willing to guide newcomers.

Discord, a platform initially created for gamers, has burgeoned into a hub for various professional communities.

Specialized forums and websites further amplify the opportunity:

• Reddit’s Cybersecurity Communities: Platforms like Reddit's Cybersecurity and Netsec subreddits are teeming with professionals and enthusiasts discussing the latest in security trends, challenges, and solutions. The Netsecstudents subreddit is particularly designed for students and beginners, fostering a nurturing space for queries and guidance.

• Wilders Security Forums: Dive deep into discussions about online privacy, security, and data protection on Wilders Security Forums. The vast range of threads and posts signifies a dedicated community, making it an invaluable resource for all cybersecurity-related topics.

• MalwareTips and Antionline Forums: Websites like MalwareTips and Antionline are vibrant communities where one can engage in in-depth discussions on various facets of security, from malware threats to network safety.

• Bleeping Computer and Spiceworks Community: Forums such as Bleeping Computer and the Spiceworks Security Forum are dedicated to comprehensive security-related discussions, from firewalls and VPNs to password managers and malware attacks.

• Hacklido: A unique platform, Hacklido is where the brightest hackers come together to share knowledge, experiences, and guidance. It's a rich source of practical insights and real-world examples.

  
  

By actively engaging in these forums and communities, not only can one expand their knowledge but also build meaningful connections. As you participate and contribute, the chances of meeting potential mentors who recognize your passion and dedication increase significantly. Remember, mentorship in cybersecurity is not just about learning the ropes; it's about guidance, feedback, and understanding the nuances of the rapidly evolving world of digital protection.

Make Use of Free Tools

As you embark on your cybersecurity journey, it's essential to familiarize yourself with the plethora of free tools available. These tools, widely recognized and utilized by professionals in the field, can significantly augment your learning experience:

• Wireshark:

  • Description: An open-source packet analyzer, Wireshark allows users to see what's happening on their network at a microscopic level. It's widely used for network troubleshooting, analysis, software, and communications protocol development, and education.
  • Resource: The tool comes with a range of official documentation and guides to help newcomers grasp its functionalities.

• OWASP ZAP (Zed Attack Proxy):

  • Description: Developed by OWASP (Open Web Application Security Project), ZAP is a free, open-source web application security scanner. It helps find security vulnerabilities in web applications while you are developing and testing them.
  • Resource: New users can benefit from the tool's official documentation and various community-contributed guides.

• Metasploit Community Edition:

  • Description: Part of the Metasploit Project, this edition is a free-of-charge penetration testing tool that helps verify vulnerabilities and manage security assessments. It aids in the discovery, analysis, and exploitation of vulnerabilities.
  • Resource: Metasploit provides a plethora of tutorials and user guides for various functionalities.

• Snort:

  • Description: As an open-source network intrusion prevention system (NIPS) and intrusion detection system (IDS), Snort is adept at performing real-time traffic analysis and packet logging.
  • Resource: Beginners can find extensive documentation and a community of users on the Snort official website.

• OpenVAS (Open Vulnerability Assessment System):

  • Description: OpenVAS is a full-featured vulnerability scanner that comes with numerous tests and offers updates for the latest vulnerabilities. It assists in identifying issues in systems and applications.
  • Resource: The OpenVAS community provides a comprehensive set of documentation to support new users in understanding and maximizing the tool's capabilities.

• Kali Linux:

  • Description: Kali Linux is a Debian-based Linux distribution that's geared towards advanced penetration testing and security auditing. It comes pre-installed with hundreds of integrated security tools, making it a staple in the cybersecurity community.
  • Resource: For those new to Kali, the official documentation offers comprehensive guidance, ranging from installation to utilizing its vast array of tools.

  
  

Harnessing the capabilities of these tools not only gives beginners a practical understanding of various cybersecurity domains but also provides a hands-on approach to combating potential threats. Remember to explore the associated documentation and tutorials for each tool, as they often hold a wealth of knowledge and best practices.

Untapped Potential and the Need for Guidance

While there are self-learners who manage to connect the dots on their own, a vast number of budding talents are not yet part of the cybersecurity ecosystem, mainly because they lack initial guidance. By providing targeted and practical guidance, we can help pave the way for a new generation of cybersecurity professionals ready to take on the challenges and opportunities that this rapidly evolving field has to offer.

Structured learning can be achieved in various ways, and this guide aims to offer an alternative perspective, coming from a non-traditional cybersecurity professional who had the unique opportunity to learn from genuine hackers.