InfoSec is very much a hands-on field, as you have to know a little bit about a lot of different things. I don’t suggest taking classes (a lot of them are just snake oil), as there are so many different resources online that are minimal cost and which give you a lab environment to test in. I’ll outline all the ones I use and trust below. All of this assumes you have basic knowledge of how computers and networks operate. If you can’t explain what happens (at a high-ish level) when your computer makes a request to https://google.com, I suggest you take the CompTIA Network+ and CompTIA Security+ prior to deep diving into security. If you know how things work (definitely relative 😃), or feel comfortable with your knowledge, skip those two.

InfoSec is not a hold-my-hand field. You will fail at things and not understand why. I fail at things and do not understand why. Following a very popular phrase in the InfoSec world, simply, Try Harder. You must get your hands dirty to really succeed in InfoSec. I highly suggest you all open an account in AWS and make your labs there. If you don’t know how AWS works, there are a plethora of resources on how to do it. Or, sign up and poke around, you’ll get it. At the end of the day, you have to be able to find the answer if you don’t know it. On to the good stuff: the next section is about what types of jobs there are in InfoSec (and what is required), followed by learning resources, and finally, a way to keep up to date with news.
Jobs, Positions, and Certs

Breaking into security is very difficult. Unfortunately, many people spend years trying to get into it. This is because nearly every security job requires previous experience in security. However, you can do some things that will greatly increase your chances. The first thing I would do is identify what type of security truly interests you. Below are some of the types of security positions. And with all these positions, having strong analytical skills is a must.

• InfoSec/SOC Analyst
  o Job requires looking at security software alerts and triaging them. Basically the front man for security alerts and incidents. Definitely should have a good understanding of a lot of different topics (pen testing, incident response, etc). Being able to correlate incidents and alerts is key to this position.
• InfoSec Engineer
  o Builds/deploys security systems and tools for the analyst to use. Has a deep understanding of how things function and how they are architected.
• InfoSec Software Engineer (sometimes just called software engineers if the parent org is a security company)
  o A programmer that specializes in security software. If you like programming, I suggest this, there is a huge market for it.
• Forensics
  o A highly technical position that really requires a lot of knowledge about attacks and how they work. As well as understanding how to handle and gather evidence and do attribution/correlation.
• Penetration Tester/Red Team
  o Penetration testing is basically a hacker that is paid by companies to attempt to break into them. Or an internal person that vets applications in the same way. For example, I pen test all of our web apps (and vendors) before we allow them to run code in our environment.
  o Red teaming is an extension of pen testing where a team of pen testers have very (months/years) long engagements where they emulate a real APT (advanced persistent threat) actor.
• Incident Response/SOC Analyst/Blue Team
  o Responding to events from security tools and gathering intel on events.
• Malware Analyst/Reverse Engineering
  o Person who dissects malware for AV companies trying to learn more about it. If you like debugging apps and assembler, this is the spot for you.
Each company is fairly different and there is no set way on what types of positions companies hire. The more intro positions are analyst spots or Jr pen testers. A great way to get into information security is to get into a help desk spot where you are constantly fixing things. This exponentially helps your knowledge of “how things work.” You definitely can jump right into an InfoSec position; however, it would be really helpful to have some good certs to back up your experience. To expand on this, here are some certs that are good (beware, there are a TON of crap certs that are marketed well):

• CompTIA Network+
  o Great introduction and shows you have an understanding of “how things work”
• CompTIA Security+
  o Great introduction to security.
• CEH
  o To be frank, I hate recommending this cert… Even though I have it. It’s multiple choice and very simple. I was thoroughly disappointed with it.
• OSCP
  o This is the “gold standard” of penetration testing certs. No multiple choice here. You have 24 hours to hack into various machines in their lab environment. Then, you have to write a report about it. There are no limits on what you are allowed to use. They encourage you (and you kind of have to) to use any resource you need (ie, Google). People fail multiple times before they pass it. The course and test are about $1200, but a retest is only $60. As you can see, they expect you to fail.
• OSCE
  o Big brother to the OSCP, extremely hard cert. 48 hour lab, focusing on exploit development and bypassing DEP, ASLR, and other endpoint protections.
• SANS Certs
  o SANS is an organization that offers masters in cyber security (super expensive) and that has probably the highest quality certs available. They have courses in every different aspect of security. This comes at a price though. The courses are only taught in person (group setting, they have them in multiple different locations a year), simulcast (live feed), or by online material (pre-recorded classes). They start at $6,000. Normally, companies pay for SANS certs; however, you are more than welcome to fork over that amount.
  o Here is their “roadmap” https://sans.org/roadmap
With the CompTIA and CEH, you can buy the official book and pass relatively easily. The OSCP/E and SANS course material are only through the companies. If you are going to go for one of the first three certs, again, I highly recommend you learn how things work by building stuff out in AWS. It’s cheap and you can’t mess anything up (or if you do, shut it all down and restart 😃). On to the learning resources.
Learning Resources

I’m going to list a lot of things that I use currently and have used in the past. This is by no means a full list of everything. These are, in my opinion, the top resources for learning hacking/security. I’ve also attached my bookmarks folder for additional resources I’ve found helpful.
• Books
  o Web Hacking 101 book (great read with examples, this is a copy that I bought and uploaded to drive to share) – https://drive.google.com/file/d/0B3UiWsJrcvPyZmpTVTFoeVhYdGs/view?usp=sharing
  o ($) The “go-to” introduction book for hacking – https://nostarch.com/pentesting
  o ($) Hacker Playbook 2 (Second edition, more up to date) – https://amzn.to/2NTDNok
  o ($) Hacker Playbook 3 (Red team edition, more advanced attacks) – https://amzn.to/2DdM4PS
  o ($) Advanced Penetration Testing (very complex methods) – https://amzn.to/2ODGfwu
  o ($) Art of Exploitation (I would read this one last, old, but an overall good read) – https://amzn.to/2pm0FyM
  o ($) Anything published by No Starch Press. They have high quality InfoSec books with great material. Wide variety of material (not just hacking) including malware analysis and programming. https://nostarch.com/catalog/security
  o Two books that are on my desk are the RTFM and BTFM, both are like $10 and so worth it if you have a job in InfoSec
    RTFM (Red Team Field Manual) – https://amzn.to/2xzCMYq
    BTFM (Blue Team Field Manual) – https://amzn.to/2DcAWCP
• Online learning material
  o (free and paid) Hack The Box (pen testing labs, you have to “hack” your way in). I use this almost daily. Insanely good resource for hands-on labs. The paid membership is well worth it. – https://www.hackthebox.eu/
  o (free and paid) PentesterLab, web application specific, excellent resource for learning web application attacks. I highly recommend the “Web for Pentester” and “Web for Pentester II” as they give detailed walkthroughs of each type of vulnerability and how to find it – https://pentesterlab.com/
    https://pentesterlab.com/exercises/web_for_pentester
    https://pentesterlab.com/exercises/web_for_pentester_II
  o (free) VulnHub, people will post intentionally vulnerable ISOs. They range in difficulty. You have to launch these in a VM locally. – https://www.vulnhub.com/
  o (paid) Virtual Hacking Labs (haven’t used as it’s a little pricey, but I’ve heard great things about it) – https://www.virtualhackinglabs.com/
There is a ton of material out there. I highly recommend starting with this list and expanding. To do a lot of these, you will need a Linux VM. Either use VirtualBox or VMware Workstation (or AWS) to host your hacking box. I recommend using Kali Linux; it has nearly every tool you need pre-installed and it’s made/kept up to date by the company that makes the OSCP/OSCE… They know what they are doing.
Ways to Keep Up To Date

Podcasts:
* SANS ISC – Daily podcast reviewing news, very short, 5 min – https://isc.sans.edu/podcast.html
* Risky Business – Weekly podcast on Tuesdays (sometimes specials during the week). Really good one reviewing news, 1 hour long – https://risky.biz
* Rally Sec – Decent, just started listening to this one
* Unsupervised Learning – Tech podcast covering all of tech news. I like this one a lot for general stuff.
Twitter (not even kidding), just go to my “people I follow” and if they have something to do with security in their name or bio, follow them. There are too many to name here. Seriously, it’s insane how great Twitter is for keeping up to date. I’ll find out about new threats days before they are officially reported on.
Conclusion

That was a lot of stuff. I recommend taking a little bit to read it all again to thoroughly understand it all. After that, there is no real starting point, so just dive right in.