Security 101
Fundamental Information Security Domains
The domains below represent (generally) foundational knowledge areas for infosec professionals. You certainly do not need to be an expert in each of the security disciplines, but knowing as much as you can in each will ensure you are well-rounded information security generalist.
- Security Fundamentals (e.g confidentiality/integrity/availability, risk management, least privilege, access control, defense-in-depth, etc…)
- Scripting/Programming (e.g. Python, Ruby, Powershell, Bash, Java, C, C#, etc…)
- OS Fundamentals (e.g. Linux, Windows, MacOS etc…)
- Networking (e.g. TCP/IP, Networking Protocols, Routing/Switching, etc…)
- Web Applications (e.g. HTTP, PHP, HTML, JavaScript, REST, SQL, etc…)
Resources
Learning to Google for things is probably the most valuable piece of advise for better understanding OSINT.
Where to Learn Stuff
There are plenty of online training/learning sites. Below are some of my favorites. Check out this post for a more comprehensive list!
- Awesome Free Training List - This individual has been maintaining a pretty fantastic list of free resources, everything from training to podcasts.
- Stack Overflow - Can’t figure something out, stack’s got your back.
- YouTube - Believe it or not, tons of great instructional videos here.
- Cybrary - Free IT training.
- edX - Free online courses across a variety of disciplines.
- Pluralsight - Paid online video training but has a vast library of courses.
- Microsoft Virtual Academy - Free training from Microsoft.
- NIST Special Publications - Computer Security Resources from NIST (take a look at SP 800-53). Can be dry reading, but it will help you talk the talk.
- NIST CSF - The Cyber Security Framework. More reading from NIST.
Stay Up To Date
Infosec is a fast-moving field. Keeping up to date on everything going on is a large part of being a successful infosec practitioner. The resources below can help you keep track of it all…
To get you started, here is a [curated list of feeds] I follow (subreddits, blogs and twitter accounts). I try to keep it up to date.
Learn to Code
Coding is SUPER important for security professionals. So go learn some!
- Github - Create an account, create code, share code and contribute to others code!
- W3Schools - Learn the web and how to develop.
- CodeSignal - Coding challenges, brought to you!
- Codeacademy - Free site to learn coding.
- Python.org - Official Python site.
- Official Python Tutorial - Python tutorial from python.org.
- Ruby - Official Ruby site.
- Rubyfu - Enhance your Ruby-fu.
- Bash Scripting Tutorials - Bash scripting tutorials.
- Free eBooks from Github - Free eBooks from Github.
OS Fundamentals
You’re likely going to be using one or more OS’es to secure the same or other OS’es. In other words, you should probably learn about OS stuff.
- Windows Tutorials - Learn about Windows
- Windows Active Directory Tutorials - Learn about Windows AD and it’s security
- Powershell - Do everything in Windows, from the CLI!
- Ubuntu - Popular open source workstation-class Linux distribution.
- Kali Linux - Download Kali, learn security tools, learn Linux.
- SS64 Command Line References - Assorted command line references.
Networking
Packets. Segments. Datagrams. Data. It moves from place to place and knowing how that happens is pretty useful.
- Nmap - Available in the Kali distribution - Learn network scanning and a little TCP/IP while you’re at it!
Web Applications
The Internet. Ever heard of it? It’s full of web apps!
- OWASP - First stop for all things web-app security.
- RFC 2616 - HTTP/1.1 - Learn more about HTTP/1.1.
Penetration Testing
Fancy yourself a Mr. Robot-type?
- VulnHub - Test your might against vulnerable VMs developed by the community.
- Metasploit Unleashed - Hacking tutorial by the guys at offsec.
Certifications
Certs. Love ‘em or hate ‘em, they can be helpful.
- CompTIA Security+ - Entry level certification but provides invaluable entry-level knowledge to the field of infosec.
- SANS - Fantastic cybersecurity training but very expensive.
- OSCP - Practical penetration testing training (and highly regarded certification in the industry).
- CISSP - Need to improve resume? This cert can often help.
- eLearnSecurity - Practical, hands-on infosec training. They have a great catalog of courses.
Cloud
The cloud is just someone else’s computer right? Well if you’re putting stuff on someone else’s computer you should probably learn to secure it even better.
- AWS - Heard of the cloud? AWS can give you your own chunk of the cloud to play in.
- Azure - Microsoft is also in the cloud game.
- Google Cloud - Not to be outdone, Google. Also in the cloud.
Infosec Podcasts
- Getting Into Infosec - This is my favorite podcast recommendation for newcomers to the field.
- Black Hills Information Security - A great podcast with lots of technical stuff.
- StormCast - Podcast from SANS with daily information security news.
- Brakeing Down Security
- Security Weekly
- Defensive Security
- The Southern Fried Security Podcast
- OWASP Podcast
- Security Now!
- Purple Squad Security
Other Getting Into Infosec Guides
Don’t take it from me! Check out some of these other guides.
- How to Build a Cybersecurity Career - A prescriptive guide from Daniel Miessler.
- Getting Started In Information Security - Thoughts on getting into the field from Endgame.
- How to Get Into Cybersecurity Regardless of Your Background - A guide for all, from Springboard.
- Infosec Newbie - A collection of resources, courtesy of mubix.
- How to Get Into Information Security - A guide from the guys and gals over at Black Hills Information Security
- Getting Started in Cybersecurity with a Non-Technical Background - A guide from the one and only SANS.
Conclusion
Thanks for reading! I hope the guide was useful in some way. I’d also like to reiterate that this is by no means an exhaustive how-to, nor does it represent the best or clearest path to a successful career in infosec. I only hope it can act as a compass for those who are interested.