
Cyber Security Tutorials/Short Courses/ Learning Material Recommendations Needed

tokumei Registered User regular
edited July 2016 in Help / Advice Forum
I'm changing my area of IT to cyber security/networking. Are there any specific learning materials or short courses that people in these areas would recommend? I am a little short on cash right now, so things like tutorial books that aren't highly expensive would be super useful.


Posts

  • tokumei Registered User regular
    How about network security if we narrow it down?

  • Tofystedeth Registered User regular
    @Giggles_Funsworth
    Knows some shit about cybersecurity.

  • EclecticGroove Registered User regular
    What kind of IT work do you do currently?
    And as far as network security, are you looking to get involved in firewalls, IDP/IDS and the like? Or something else like forensics, pen testing, etc?

  • Giggles_Funsworth Blight on Discourse Bay Area Sprawl Registered User regular
    There's a ton of good books, especially by Syngress and No Starch Press. Definitely need more information about what you specifically want to do to narrow it down. What things do you already know? Do you want to break things, or make systems less susceptible to attack? Etc.

  • tokumei Registered User regular
    edited July 2016
    EclecticGroove wrote: »
    What kind of IT work do you do currently?
    And as far as network security, are you looking to get involved in firewalls, IDP/IDS and the like? Or something else like forensics, pen testing, etc?

    I did web dev and design, but the field has been horrible and I'm looking to switch to a different area to have better employment prospects.
    To be honest, I would like to try to cover all of what you mentioned. The more I can learn the better.

  • tokumei Registered User regular
    edited July 2016
    tokumei wrote: »
    What kind of IT work do you do currently?
    And as far as network security, are you looking to get involved in firewalls, IDP/IDS and the like? Or something else like forensics, pen testing, etc?

    I did web dev and design, but the field has been horrible and I'm looking to switch to a different area to have better employment prospects.
    To be honest, I would like to try to cover all of what you mentioned. The more I can learn the better.

    If I had to rate myself, I would say I have intermediate knowledge of networking.

  • baudattitude Registered User regular
    The two big certifications are CISSP and CompTIA Security+, so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression and social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

  • tokumei Registered User regular
    edited July 2016
    I am doing a post grad at uni starting in the semester coming up. The certs are kinda pricey for me right now, and at least I'll be able to defer my uni fees thanks to HECS-HELP until I have a job.

  • Giggles_Funsworth Blight on Discourse Bay Area Sprawl Registered User regular
    baudattitude wrote: »
    The two big certifications are CISSP and CompTIA Security+, so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression and social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

    I would argue that the CISSP is pretty exclusively for management, and I know plenty of people, myself included, for whom seeing it on an entry level security person's resume would be cause for concern, similar to how somebody who has all the hot buzzwords and no experience is iffy. If it were me I would grill that person extra hard to make sure they weren't conning me, although it's a pretty divisive cert in general (as well as the organization behind it) and I know some people that flat out won't hire CISSPs. Security+ is okay, but more IT people get it that are trying to demonstrate security knowledge than security people.

    I would focus on something like the OSCP or the GPEN. Demonstrates that you know how to think like a criminal pretty adequately.

    With your background I would suggest Web Application Security as your easiest route into the business, which, as luck would have it, is what I cut my teeth on and spent 4/6 years doing security on.

    Buy these books. These books are your Bibles:

    WAHH v.2: Everything you need to know to get started hacking web applications, written by the guy who makes the most widely used web application proxy. This edition is a little old, but honestly networking and infra have changed more than appsec in the past ten years.

    Web Application Obfuscation: This is what you will spend 90% of your time doing after finding a vulnerability. There are a ton of ways to dupe a website into accepting content it shouldn't, and this book covered basically all of them at the time it was written. This is one of the most rapidly changing parts of appsec, but understanding how encodings work is critical and this book will give you a lot of context with which to experiment with more cutting edge techniques.

    SQL Injection Attacks and Defense: SQL Injection has definitely become less prevalent in the time I've been doing security, but it's also where most of the sexiest money-shot attacks are. What is covered in the WAHH is not enough, especially if you're fucking around with Blind SQLi. This book is also super good for SQL DBAs.

  • Giggles_Funsworth Blight on Discourse Bay Area Sprawl Registered User regular
    baudattitude wrote: »
    The two big certifications are CISSP and CompTIA Security+, so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression and social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

    I hit agree but only for the second half. See my post for thoughts on certs.

    Can confirm personally that Security is where optimism goes to die. It's also high stress work for people in the field, having the fate of a company resting on you never fucking up, not even getting into when your work makes real violent, real bad guys start threatening you. It takes a certain cynicism and cavalier attitude not to be beaten down, and there are a lot of people who aren't able to make it work without picking up a substance abuse problem.

    That said, the pay is pretty fantastic and it's easier to get into than a lot of things because the field is still in its infancy as a discrete discipline from IT.

  • Six Caches Tweets in the mainframe cyberhex Registered User regular
    I have a CISSP and all it really means is that you know a little bit about a lot of stuff. A lot of the material isn't nearly as relevant any more, but they continue to slowly iterate and evolve it. Like other high level certs, it also requires continuing education in the field, which has a bit of value. It's worth it for me because it gives me a little more credibility when meeting with CISOs and CIOs or presenting to large security audiences, but it's not something that holds anywhere near as much value for engineers or other practitioners.

    Lots of other good advice here already, but I wanted to give my perspective there.

  • Giggles_Funsworth Blight on Discourse Bay Area Sprawl Registered User regular
    Six wrote: »
    I have a CISSP and all it really means is that you know a little bit about a lot of stuff. A lot of the material isn't nearly as relevant any more, but they continue to slowly iterate and evolve it. Like other high level certs, it also requires continuing education in the field, which has a bit of value. It's worth it for me because it gives me a little more credibility when meeting with CISOs and CIOs or presenting to large security audiences, but it's not something that holds anywhere near as much value for engineers or other practitioners.

    Lots of other good advice here already, but I wanted to give my perspective there.

    I'm thinking about getting it as I'm currently hunting for a job that will put me on a management track. Still slightly hesitant, because I haven't been in a position with direct reports outside of volunteering at Security Conferences, and mostly because I'm worried it'll make some asshole freeze me out of candidacy for a position I'd be otherwise qualified for.

  • baudattitude Registered User regular
    Giggles_Funsworth wrote: »
    baudattitude wrote: »
    The two big certifications are CISSP and CompTIA Security+, so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression and social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

    I would argue that the CISSP is pretty exclusively for management, and I know plenty of people, myself included, for whom seeing it on an entry level security person's resume would be cause for concern, similar to how somebody who has all the hot buzzwords and no experience is iffy. If it were me I would grill that person extra hard to make sure they weren't conning me, although it's a pretty divisive cert in general (as well as the organization behind it) and I know some people that flat out won't hire CISSPs. Security+ is okay, but more IT people get it that are trying to demonstrate security knowledge than security people.

    Heh, that's actually good news for me; I've only done Security+ but I work with a couple of CISSPs who act like the cert is God's gift. Now I get to stop wondering if it's worth doing it myself. :)

    One more thing for the OP, since he used the word "uni" and that is usually a sign of a Brit: a LOT of large British companies have outsourced their security to India (usually Tata or IBM Managed Services or HP), including some companies you would not expect to be using outsourcing. Obviously I think it's a pretty cool field to be in regardless, but it's still something to research before you dump a lot of time into study.

  • Giggles_Funsworth Blight on Discourse Bay Area Sprawl Registered User regular
    baudattitude wrote: »
    The two big certifications are CISSP and CompTIA Security+, so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression and social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

    I would argue that the CISSP is pretty exclusively for management, and I know plenty of people, myself included, for whom seeing it on an entry level security person's resume would be cause for concern, similar to how somebody who has all the hot buzzwords and no experience is iffy. If it were me I would grill that person extra hard to make sure they weren't conning me, although it's a pretty divisive cert in general (as well as the organization behind it) and I know some people that flat out won't hire CISSPs. Security+ is okay, but more IT people get it that are trying to demonstrate security knowledge than security people.

    Heh, that's actually good news for me; I've only done Security+ but I work with a couple of CISSPs who act like the cert is God's gift. Now I get to stop wondering if it's worth doing it myself. :)

    One more thing for the OP, since he used the word "uni" and that is usually a sign of a Brit: a LOT of large British companies have outsourced their security to India (usually Tata or IBM Managed Services or HP), including some companies you would not expect to be using outsourcing. Obviously I think it's a pretty cool field to be in regardless, but it's still something to research before you dump a lot of time into study.

    It's good for getting past HR and impressing clients that don't know better. I've never known a CISSP who was worth a damn as a security practitioner that wasn't pretty disparaging towards the cert. It is good for giving you a common vernacular if you'll be dealing with executives and auditors a lot, not a whole lot else. If you're taking the CISSP and any of the actual security content is new to you, you've made a mistake.

    Those guys are tools, for real.

  • Darkewolfe Registered User regular
    edited July 2016
    The main reason to get the CISSP is if you're doing federal work, because then you don't have to constantly be figuring out whether you've got the certs for a particular role, since CISSP is the top tier. It definitely doesn't convey anything about your skill set other than "can pass a multiple choice test," though. I honestly didn't think anyone outside federal contracting ever got it.

    OSCP will at least convey that you know something. That said, no cert trumps resume experience and talking the talk, except insofar as getting past recruiting.

  • Radiation Registered User regular
    Also check out the free or cheaper stuff on Udemy, pretty decent things out there.

  • tokumei Registered User regular
    edited July 2016
    Giggles_Funsworth wrote: »
    Buy these books. These books are your Bibles:

    WAHH v.2: Everything you need to know to get started hacking web applications, written by the guy who makes the most widely used web application proxy. This edition is a little old, but honestly networking and infra have changed more than appsec in the past ten years.

    Web Application Obfuscation: This is what you will spend 90% of your time doing after finding a vulnerability. There are a ton of ways to dupe a website into accepting content it shouldn't, and this book covered basically all of them at the time it was written. This is one of the most rapidly changing parts of appsec, but understanding how encodings work is critical and this book will give you a lot of context with which to experiment with more cutting edge techniques.

    SQL Injection Attacks and Defense: SQL Injection has definitely become less prevalent in the time I've been doing security, but it's also where most of the sexiest money-shot attacks are. What is covered in the WAHH is not enough, especially if you're fucking around with Blind SQLi. This book is also super good for SQL DBAs.

    Will do

  • tokumei Registered User regular
    Radiation wrote: »
    Also check out the free or cheaper stuff on Udemy, pretty decent things out there.

    Forgot about that

  • tokumei Registered User regular
    baudattitude wrote: »
    One more thing for the OP, since he used the word "uni" and that is usually a sign of a Brit

    Aussie :)

  • EclecticGroove Registered User regular
    Six wrote: »
    I have a CISSP and all it really means is that you know a little bit about a lot of stuff. A lot of the material isn't nearly as relevant any more, but they continue to slowly iterate and evolve it. Like other high level certs, it also requires continuing education in the field, which has a bit of value. It's worth it for me because it gives me a little more credibility when meeting with CISOs and CIOs or presenting to large security audiences, but it's not something that holds anywhere near as much value for engineers or other practitioners.

    Lots of other good advice here already, but I wanted to give my perspective there.

    I'm thinking about getting it as I'm currently hunting for a job that will put me on a management track. Still slightly hesitant, because I haven't been in a position with direct reports outside of volunteering at Security Conferences, and mostly because I'm worried it'll make some asshole freeze me out of candidacy for a position I'd be otherwise qualified for.

    Yeah, certs are basically resume fodder. Assuming you actually do know your stuff, I haven't met a single person who thought the cert itself was really worth more than making you marketable to people that don't really know what it is you actually do.

  • spool32 Contrary Library Registered User regular
    baudattitude wrote: »
    The two big certifications are CISSP and CompTIA Security+, so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression and social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

    CISSP is your target if you want into this kind of work. Security+ will be a good starting place, but that's it.

  • tokumei Registered User regular
    Thanks for the advice, guys. To be honest, web dev has been a nightmare and I really need to find a better area of employment than web.

  • JohnnyCache Starting Defense Place at the table Registered User regular
    The breakdown I'm getting:
    Sec+ is sort of "you might not break things"
    CISSP is "you can interface outside of the department"
    OSCP is "your peers might actually care about this one"

  • Giggles_Funsworth Blight on Discourse Bay Area Sprawl Registered User regular
    JohnnyCache wrote: »
    The breakdown I'm getting:
    Sec+ is sort of "you might not break things"
    CISSP is "you can interface outside of the department"
    OSCP is "your peers might actually care about this one"

    Put GPEN in that last category too.

    CISSP has negative connotations to a lot of more old time practitioners, though, so I would definitely caution against getting that as a newbie.

  • tokumei Registered User regular
    edited July 2016
    Welp, shit, I got let go from my contracting job as a web dev. Cunts didn't even call, they just emailed me. This is why I have grown to hate web dev. No one wants to train the newbies, or they have flooded the field with crap/cheap programmers from the Philippines or India that only produce horrifically buggy pieces of shit.

  • tokumei Registered User regular
    edited July 2016
    Just one last thing: is it too late to change my focus of IT to security? The one thing hanging over my head is the idea of me wasting more time studying and still having poor job prospects at the end of it.

  • Giggles_Funsworth Blight on Discourse Bay Area Sprawl Registered User regular
    tokumei wrote: »
    Just one last thing: is it too late to change my focus of IT to security? The one thing hanging over my head is the idea of me wasting more time studying and still having poor job prospects at the end of it.

    Nah, usually IS people start out in one facet of IT or another pretty much by necessity. You don't have to, but the rule of thumb is 3-5 years experience in something related first.

  • 3lwap0 Registered User regular
    I can tell you that, based on what I'm reading, a CISSP is probably out of reach for you. You need documented security career experience before you can sit for the test (they do spot checks/audits to verify). CISSPs are for board rooms and managerial positions; it arms you with just enough technical knowledge and vocabulary to interface with the security engineers, and enough of the same to talk to senior leadership. The OSCP is a brutal test, and only the most skilled can usually pass it. It's meant to be hard, and if you have it on your resume, you'll get calls from recruiters non-stop. It's not for the timid or unskilled, however.

    Frankly, all of that is probably well out of your grasp. Fortunately, there are other certifications in the field that aren't so bad (Sec+, N+, SANS). Like playing a sport, you must learn your fundamentals before you sally off to win the world cup. You'll find those fundamentals in the Security+/Network+ books, or any of the low level SANS courses on Introduction to Security and the like (if they have a course local to you via SANS, take it, but it ain't cheap). You'll learn security and non-security concepts: Least Privilege, the OSI Model, Cryptography, a little SDLC. All things that any security pro should keep in their back pocket of knowledge.

    On a whim, and given your background, Application Security might be something you can look into. Admittedly, I'm not the most well read on it, but AppSec is clutch to web development and websites. AppSec keeps sites from being hacked, and interjects sanity and security into front end/back end development. Having a background in it already helps; you just need to be smart on the security elements. I'm not an AppSec professional, sadly, so that's the limit of my advice, but it's as sound an idea as any.