The new forums will be named Coin Return (based on the most recent vote)! You can check on the status and timeline of the transition to the new forums here.
The Guiding Principles and New Rules document is now in effect.

Cyber Security Tutorials/Short Courses/ Learning Material Recommendations Needed

tokumeitokumei Registered User regular
edited July 2016 in Help / Advice Forum
Changing my area of IT to cyber security/networking. Are there any specially learning materials/ short courses people in these areas would recommend? I am a little short on cash right now so things like tutorial books that aren't highly expensive would be super useful.

tokumei on

Posts

  • tokumeitokumei Registered User regular
    How about network security if we narrow it down?

  • TofystedethTofystedeth Registered User regular
    @Giggles_Funsworth
    Knows some shit about cybersecurity.

    steam_sig.png
  • EclecticGrooveEclecticGroove Registered User regular
    What kind of IT work do you do currently?
    And as far as network security, are you looking to get involved in firewalls, IDP/IDS and the like? Or something else like forensics, pen testing, etc?

  • Giggles_FunsworthGiggles_Funsworth Blight on Discourse Bay Area SprawlRegistered User regular
    There's a ton of good books, especially by Syngress and No Starch Press. Definitely need more information about what you specifically want to do to narrow it down. What things do you already know? Do you want to break things, or make systems less susceptible to attack? Etc.

  • tokumeitokumei Registered User regular
    edited July 2016
    What kind of IT work do you do currently?
    And as far as network security, are you looking to get involved in firewalls, IDP/IDS and the like? Or something else like forensics, pen testing, etc?

    I did web dev and design but the field has been horrible and I'm looking to switch to a different area to have better employment prospects.
    To be honest I would like to try to cover all of what you mentioned. The more I can learn the better.

    tokumei on
  • tokumeitokumei Registered User regular
    edited July 2016
    tokumei wrote: »
    What kind of IT work do you do currently?
    And as far as network security, are you looking to get involved in firewalls, IDP/IDS and the like? Or something else like forensics, pen testing, etc?

    I did web dev and design but the field has been horrible and I'm looking to switch to a different area to have better employment prospects.
    To be honest I would like to try to cover all of what you mentioned. The more I can learn the better.

    If I had to rate myself I would say I have intermediate knowledge with networking.

    tokumei on
  • baudattitudebaudattitude Registered User regular
    The two big certifications are CISSP and CompTIA Security+ so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression, social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

  • tokumeitokumei Registered User regular
    edited July 2016
    I am doing a post grad at uni starting in the semester coming up. The certs are kinda pricey for me right now and at least a I'll be able to defer my uni fees thanks to HCES-HELP until I have a job.

    tokumei on
  • Giggles_FunsworthGiggles_Funsworth Blight on Discourse Bay Area SprawlRegistered User regular
    The two big certifications are CISSP and CompTIA Security+ so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression, social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

    I would argue that the CISSP is pretty exclusively for management and I know plenty of people, myself included, where seeing it on an entry level security person's resume would be cause for concern, similar to how somebody who has all the hot buzzwords and no experience iffy. If it were me I would grill that person extra hard to make sure they weren't conning me, although it's a pretty divisive cert in general (as well as the organization behind it) and I know some people that flat out won't hire CISSPs. Security+ is okay but more IT people get it that are trying to demonstrate security knowledge than security people.

    I would focus on something like the OSCP or the GPEN. Demonstrates that you know how to think like a criminal pretty adequately.

    With your background I would suggest Web Application Security as your easiest route into the business, which, as luck would have it, is what I cut my teeth on and spent 4/6 years doing security on.

    Buy these books. These books are your Bibles:

    WAHH v.2; Everything you need to know to get started hacking web applications, written by the guy who makes the most widely used web application proxy. This edition is a little old but honestly networking and infra has changed more than appsec in the past ten years.

    Web Application Obfuscation;This is what you will spend 90% of your time doing after finding a vulnerability, there are a ton of ways to dupe a website into accepting content it shouldn't and this book covered basically all of them at the time it was written. This is one of the most rapidly changing parts of appsec but understanding how encodings work is critical and this book will give you a lot of context with which to experiment with more cutting edge techniques.

    SQL Injection Attacks and Defense; SQL Injection has definitely become less prevalent in the time I've been doing security, but it's also where most the sexiest money-shot attacks are. What is covered in the WAHH is not enough, especially if you're fucking around with Blind SQLi. This book is also super good for SQL DBAs.

  • Giggles_FunsworthGiggles_Funsworth Blight on Discourse Bay Area SprawlRegistered User regular
    The two big certifications are CISSP and CompTIA Security+ so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression, social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

    I hit agree but only for the second half. See my post for thoughts on certs.

    Can confirm personally that Security is where optimism goes to die. It's also high stress work for people in the field, having the fate of a company resting on you never fucking up, not even getting into when your work makes real violent real bad guys start threatening you. It takes a certain cynicism and cavalier attitude not to be beaten down, and there are a lot of people who aren't able to make it work without picking up a substance abuse problem.

    That said the pay is pretty fantastic and it's easier to get into than a lot of things because the field is still in its infancy as a discrete discipline from IT.

  • SixSix Caches Tweets in the mainframe cyberhex Registered User regular
    I have a CISSP and all it really means is that you know a little bit about a lot of stuff. A lot of the material isn't nearly as relevant any more but they continue to slow iterate and evolve it. Like other high level certs, it also requires continuing education in the field, which has a bit of value. It's worth it for me because it gives me a little more credibility when meeting with CISOs and CIOs or presenting to large security audiences, but it's not something that holds anywhere near as much value for engineers or other practitioners.

    Lots of other good advice here already, but I wanted to give my perspective there.

    can you feel the struggle within?
  • Giggles_FunsworthGiggles_Funsworth Blight on Discourse Bay Area SprawlRegistered User regular
    Six wrote: »
    I have a CISSP and all it really means is that you know a little bit about a lot of stuff. A lot of the material isn't nearly as relevant any more but they continue to slow iterate and evolve it. Like other high level certs, it also requires continuing education in the field, which has a bit of value. It's worth it for me because it gives me a little more credibility when meeting with CISOs and CIOs or presenting to large security audiences, but it's not something that holds anywhere near as much value for engineers or other practitioners.

    Lots of other good advice here already, but I wanted to give my perspective there.

    I'm thinking about getting it as I'm currently hunting for a job that will put me on a management track. Still slightly hesitant because I haven't been in a position with direct reports outside of volunteering at Security Conferences, mostly because I'm worried it'll make some asshole freeze me out of candidacy for position I'd be otherwise qualified for.

  • baudattitudebaudattitude Registered User regular
    The two big certifications are CISSP and CompTIA Security+ so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression, social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

    I would argue that the CISSP is pretty exclusively for management and I know plenty of people, myself included, where seeing it on an entry level security person's resume would be cause for concern, similar to how somebody who has all the hot buzzwords and no experience iffy. If it were me I would grill that person extra hard to make sure they weren't conning me, although it's a pretty divisive cert in general (as well as the organization behind it) and I know some people that flat out won't hire CISSPs. Security+ is okay but more IT people get it that are trying to demonstrate security knowledge than security people.

    Heh, that's actually good news for me; I've only done Security+ but I work with a couple of CISSPs who act like the cert is God's gift. Now I get to stop wondering if it's worth doing it myself. :)

    One more thing for the OP since he used the word "uni" and that is usually a sign of a Brit: A LOT of large British companies have outsourced their security to India (Usually Tata or IBM Managed Services or HP), including some companies you would not expect to be using outsourcing. Obviously I think it's a pretty cool field to be in regardless, but still something to research before you dump a lot of time into study.

  • Giggles_FunsworthGiggles_Funsworth Blight on Discourse Bay Area SprawlRegistered User regular
    The two big certifications are CISSP and CompTIA Security+ so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression, social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

    I would argue that the CISSP is pretty exclusively for management and I know plenty of people, myself included, where seeing it on an entry level security person's resume would be cause for concern, similar to how somebody who has all the hot buzzwords and no experience iffy. If it were me I would grill that person extra hard to make sure they weren't conning me, although it's a pretty divisive cert in general (as well as the organization behind it) and I know some people that flat out won't hire CISSPs. Security+ is okay but more IT people get it that are trying to demonstrate security knowledge than security people.

    Heh, that's actually good news for me; I've only done Security+ but I work with a couple of CISSPs who act like the cert is God's gift. Now I get to stop wondering if it's worth doing it myself. :)

    One more thing for the OP since he used the word "uni" and that is usually a sign of a Brit: A LOT of large British companies have outsourced their security to India (Usually Tata or IBM Managed Services or HP), including some companies you would not expect to be using outsourcing. Obviously I think it's a pretty cool field to be in regardless, but still something to research before you dump a lot of time into study.

    It's good for getting past HR and impressing clients that don't know better. I've never known a CISSP who was worth a damn as a security practitioner that wasn't pretty disparaging towards the cert. It is good for giving you a common vernacular if you'll be dealing with executives and auditors a lot, not a whole lot else. If you're taking the CISSP and any of the actual security content is new to you you've made a mistake.

    Those guys are tools, for real.

  • DarkewolfeDarkewolfe Registered User regular
    edited July 2016
    The main reason to get the CISSP is if you're doing federal work, because then you don't have to constantly be figuring out whether you've got the certs for a particular role, since CISSP is the top tier. It definitely doesn't convey anything about your skill set other than, "can pass a multiple choice test," though. I honestly didn't think anyone outside federal contracting ever got it.

    OSCP will at least convey that you know something. That said, no cert trumps resume experience and taking the talk, except insofar as getting past recruiting.

    Darkewolfe on
    What is this I don't even.
  • RadiationRadiation Registered User regular
    Also check out the free or cheaper stuff on Udemy, pretty decent things out there.

    PSN: jfrofl
  • tokumeitokumei Registered User regular
    edited July 2016
    Buy these books. These books are your Bibles:

    WAHH v.2; Everything you need to know to get started hacking web applications, written by the guy who makes the most widely used web application proxy. This edition is a little old but honestly networking and infra has changed more than appsec in the past ten years.

    Web Application Obfuscation;This is what you will spend 90% of your time doing after finding a vulnerability, there are a ton of ways to dupe a website into accepting content it shouldn't and this book covered basically all of them at the time it was written. This is one of the most rapidly changing parts of appsec but understanding how encodings work is critical and this book will give you a lot of context with which to experiment with more cutting edge techniques.

    SQL Injection Attacks and Defense; SQL Injection has definitely become less prevalent in the time I've been doing security, but it's also where most the sexiest money-shot attacks are. What is covered in the WAHH is not enough, especially if you're fucking around with Blind SQLi. This book is also super good for SQL DBAs.

    Will do

    tokumei on
  • tokumeitokumei Registered User regular
    Radiation wrote: »
    Also check out the free or cheaper stuff on Udemy, pretty decent things out there.

    Forgot about that

  • tokumeitokumei Registered User regular

    One more thing for the OP since he used the word "uni" and that is usually a sign of a Brit

    Aussie :)

  • EclecticGrooveEclecticGroove Registered User regular
    Six wrote: »
    I have a CISSP and all it really means is that you know a little bit about a lot of stuff. A lot of the material isn't nearly as relevant any more but they continue to slow iterate and evolve it. Like other high level certs, it also requires continuing education in the field, which has a bit of value. It's worth it for me because it gives me a little more credibility when meeting with CISOs and CIOs or presenting to large security audiences, but it's not something that holds anywhere near as much value for engineers or other practitioners.

    Lots of other good advice here already, but I wanted to give my perspective there.

    I'm thinking about getting it as I'm currently hunting for a job that will put me on a management track. Still slightly hesitant because I haven't been in a position with direct reports outside of volunteering at Security Conferences, mostly because I'm worried it'll make some asshole freeze me out of candidacy for position I'd be otherwise qualified for.

    Yeah, certs are basically resume fodder. Assuming you actually do know your stuff, I haven't met a single person that's thought the cert itself was really worth more than making you marketable to people that don't really know what it is you actually do.

  • spool32spool32 Contrary Library Registered User, Transition Team regular
    The two big certifications are CISSP and CompTIA Security+ so looking up study guides for either would be a good place to start. Security+ is pretty comprehensive and goes into stuff like physical security, fire suppression, social engineering education in addition to all of the How To Firewall stuff.

    My one warning is that the field does come with a lot of "MAKE OUR STUFF SECURE! (But not in a way that inconveniences anyone)" from management. So be prepared to implement the Awesome Security Plan Of Your Dreams and then get a ton of directives to set up exceptions and punch holes in it because Sales still relies on their home-grown contacts application from the mid-90s and it doesn't work on anything past Windows 2000, etc.

    Am not bitter or anything.

    CISSP is your target if you want into this kind of work. Security+ will be a good starting place but that's it.

  • CambiataCambiata Commander Shepard The likes of which even GAWD has never seenRegistered User regular
    "excuse my French
    But fuck you — no, fuck y'all, that's as blunt as it gets"
    - Kendrick Lamar, "The Blacker the Berry"
  • tokumeitokumei Registered User regular
    Thanks for the advice guys to be honest web dev has been a nightmare and I really need to find a better area of employment rather then web.

  • JohnnyCacheJohnnyCache Starting Defense Place at the tableRegistered User regular
    the breakdown I'm getting
    sec+ is sort of "you might not break things"
    CISSIP is "you can interface outside of the department"
    OSCP is "your peers might actually care about this one"

  • Giggles_FunsworthGiggles_Funsworth Blight on Discourse Bay Area SprawlRegistered User regular
    the breakdown I'm getting
    sec+ is sort of "you might not break things"
    CISSIP is "you can interface outside of the department"
    OSCP is "your peers might actually care about this one"

    Put GPEN in that last category too.

    CISSP has negative connotations to a lot of more old time practitioners though so I would definitely caution against getting that as a newbie.

  • tokumeitokumei Registered User regular
    edited July 2016
    Welp shit I let go from my contracting job as a web dev. Cunts didn't even call they just emailed me. This why I have grown to hate web dev. No one wants to train the newbies or thy have flooded the field with crap/cheap programmers from the Philippines or India that only produce horrifically buggy pieces of shit.

    tokumei on
  • tokumeitokumei Registered User regular
    edited July 2016
    Just one last thing it is too late to change my focus of IT to security? The one thing hanging over my head is the idea of me wasting more time studying and still having poor job prospects at the end of it.

    tokumei on
  • Giggles_FunsworthGiggles_Funsworth Blight on Discourse Bay Area SprawlRegistered User regular
    tokumei wrote: »
    Just one last thing it is too late to change my focus of IT to security? The one thing habging over my head is the idea of me wasting more time studying and still having poor job prospects at the end of it.

    Nah, usually IS people start out in one facet of IT or another pretty much by necessity. You don't have to, but rule of thumb is 3-5 years experience in something related first.

  • 3lwap03lwap0 Registered User regular
    I can tell you that based on what i'm reading, that a CISSP is probably out of reach for you. You need documented security career experience before you can sit for the test (they do spot checks/audits to verify). CISSP's are for board rooms and managerial potions - it arms with you just enough technical knowledge and vocabulary to interface with the security engineers, and enough of the same to talk to senior leadership. The OSCP is a brutal test - and only the most skilled can usually pass it. It's meant to be hard - and if you have it on your resume, you'll get calls from recruiters non-stop. It's not for the timid or unskilled however.

    Frankly, all of that is probably well out of your grasp. Fortunately, there are other certifications in the field, that aren't so bad (Sec+, N+, SANS). Like playing a sport, you must learn your fundamentals before you sally off to win the world cup. You'll find those fundamentals in the Security+/Network+ books, or any of the low level SANS courses on Introduction to Security and the like (if they have a course local to you via SANS, take it, but it ain't cheap). You'll learn security and non-security concepts - Least Privilege, OSI Model, Cryptography, a little SDLC. All things that any security pro should keep in their back pocket of knowledge.

    On a whim, and given your background, Application Security might be something you can look into. Admittedly, i'm not the most well read on it, but AppSec is clutch to web development and websites. AppSec keeps sites from being hacked, and interjects sanity and security into front end/back end development. Having a background in it already helps - you just need to be smart on the security elements. I'm not an AppSec professional, sadly, so that's the limit of my advice, but it's as sound as an idea as any.

Sign In or Register to comment.