Getting Started in InfoSec

Want to get started in infosec but don't know how? Check out this beginners guide to the essential knowledge, the right mindset and some fantastic resources.

The tricky part of getting started in infosec is deciding between the many avenues and paths to explore, so in this article I will try to highlight a few different ways for you to get started. First of all, you need to have a genuine interest in cybersecurity. It doesn't matter whether you are passionate about attacking or defending; that basic infosec interest and curiosity needs to exist within you for you to start.

It's the same with almost any new job in any new industry, except in infosec there are a million more things to learn and the landscape changes over relatively short spaces of time. Infosec is a fast-paced industry!

Essential Knowledge

Let's take a step back from security. It is essential to understand networking! I recommend taking a look at the CompTIA Network+ certification, as it will give you a solid foundation in networking, an understanding of protocols, and how things talk to each other. If you are starting with no IT experience, start with CompTIA A+, as this covers the fundamentals of IT, then go on to Network+.

There are various resources on the web, such as 'Professor Messer' on YouTube. He goes through the A+ and the N+ and also has a study group. Sites like Udemy and Pluralsight have these courses too. Udemy is great and cheap; add the courses you want to your wish list, wait until their promotions are on (which is all the time) and purchase them for £10 per course. Pluralsight is a monthly subscription of around $30 a month, but you can access all the content on their platform. The best part about Udemy is that there is no expiration date on a course, so you can take as long as you want to complete it.

Linux is also very important to learn, as most of the tools out there are developed for Linux/Unix, but we will go through this in a separate blog all about Linux, virtualization and commands to get yourself started in Linux. Another essential skill to learn is scripting; Bash and Python are good for the basics. Python is slow but very easy to learn; I will probably touch on it in the Linux blog.

Some of us are more inclined to read books, in which case do a Google search for a Network+ N10-007 book. Try to refrain from downloading free PDFs, as most of the free PDFs have malware hidden inside (hence why they are free). It's the same with the A+: do a Google search and look for the CompTIA books. "Mike Meyers" has a great series of books, or there is the complete study guide; both are sold on Amazon and other book markets.

These would be my recommendations before getting into security: learning about IT, servers and components, and networking, which are all covered in CompTIA A+ and N+. Now that we have covered the core fundamentals, let us get back into security.

Hacker's Mind State

Let us go into a hacker's mind state. You want to hack into a network and steal data; the data could be PII (personally identifiable information) or trade secrets, or the mission could be to discredit the company, or whatever else it may be. You need to infiltrate, extract and remain undetected. The best weapon for a hacker is time! Hackers plan out attacks, write malware and test the plan over and over again until they are 100% confident they can infiltrate the network.

These assaults hit networks on a daily basis. If you take a look at FireEye's threat map you will see a consistent number of attacks taking place around the world, and these are just attempted attacks on the network; we also have to look at social engineering, insider threats, web application attacks and so much more. The good news is that the cybersecurity industry is growing, with more men and women now entering the security world and making the world a safer place, but on the other hand the hackers are also growing in number and getting smarter.

On we go forth

So now we know what we are up against and still want to go forth to protect the realm. I would recommend looking into the core basics of security, and a great course to take for this is CompTIA Security+. It breaks down the fundamentals of security, ranging from threats, attacks, technologies and risk management to cryptography and PKI. Security+ will give you a solid understanding of security whether you decide to become a cybersecurity analyst, a pen tester or whatever it may be; this will be your first step into infosec.

Again, there are various resources out there on the internet to get started with Security+. Our good friend 'Professor Messer', on YouTube or his website, has great Security+ content, study groups and pop quizzes. Content on platforms like Udemy and Pluralsight is great for visual learning, or do a Google search for CompTIA Security+ books and there will be a variety of books to buy; again, 'Mike Meyers' is a good book, or the study guide has in-depth content. Another good platform is Cybrary. They have plenty of training to get you where you want to go, and another thing with Cybrary is that there are labs to give you hands-on experience across all aspects of cybersecurity. There is a free version, but to get the full experience you would need the pro version, which I believe is a yearly subscription and which in my opinion is worth it.

Once you have understood the basics, I am sure you will have an idea of what direction you want to go in, be it pen testing, cybersecurity analyst, digital forensics, web application testing, hardware testing, and the list goes on. You now have a solid understanding and foundation in security and networking.

I will be focusing more on pen testing / ethical hacking, but before I get there let's touch on the Cyber Security Analyst (Blue team), the defensive side of the network. There are courses and certs that can be taken for this, and the place to start on this path would be the CompTIA CySA+, which is an advanced course / cert that will give you a greater understanding of the Cyber Security Analyst role, looking at SIEM systems, syslogs, threats, vulnerability management, responses and much more.

EC-Council also has great courses, certs and labs to work on if you want a hands-on approach. I would recommend starting at C|ND (Certified Network Defender), then going on to ECSA (EC-Council Certified Security Analyst); this will give you a greater understanding of the Cyber Security Analyst role. Once you have built up experience, you could start looking into consultant and management roles, etc., working up with certs like CISSP / CISM and ITIL certification and whatever else you choose to move on to. The only thing is that EC-Council is pricey, so maybe search on Google for training courses that will give you a good price for the course and exam.

Moving on to Pen Testing / Ethical Hacking (Red teaming): this is where we look into the offensive side of security, starting with physical testing, where a team goes out and tests the employees and the physical defences that are in place. This could consist of social engineering employees, lock picking, looking for any way in, such as tailgating, and, once inside, trying to infiltrate the network without being caught. I have known teams to be successful most of the time, and there are so many stories out there about how testers would go inside the office and get employees to start doing group exercises, attend their group meetings, etc. This is a great way to test employees and create awareness within the workplace to stop social engineering.

Pen Testing, short for penetration testing, is the process of penetrating the network by exploiting vulnerabilities. Every network will have a vulnerability, and the pen tester's job is to find it and report it (you will spend most of your time writing reports). After CompTIA Security+ I recommend looking into C|EH (Certified Ethical Hacker) by EC-Council to give you a greater understanding of how a hacker thinks and of known exploits, malware, vulnerabilities, etc. Moving on from C|EH, if you want to go all the way with EC-Council you would have to do the ECSA (EC-Council Certified Security Analyst), then finish off with L|PT (Licensed Penetration Tester), but going this route through EC-Council is expensive and I have not known companies to ask for L|PT.

The only course I would recommend is C|EH, just to get that extra knowledge and some hands-on time with their labs. Another course / cert to look at that is on par with the basics of pen testing is CompTIA PenTest+; there are plenty of training videos on Udemy that go through the course, and you then take the exam from CompTIA.

Depending on your location, I would then recommend going for CREST / OSCP after C|EH / PenTest+. These are the certs that companies look for, CREST being UK based and OSCP being worldwide, but they have now combined the two together. I wouldn't worry about CREST / OSCP just yet. Once you have Security+ and C|EH, I would recommend doing beginner CTFs like Pico, OverTheWire, WeChall and VulnHub, then working yourself up to HTB (Hack The Box). HTB will give you plenty of experience to get you well prepared for your future in Pen Testing or Web Application Testing and for the bigger certs like OSCP / CREST.

This is just a general overview of how to get into infosec, and this is my recommendation for getting there. I'm sure there are many paths to go down and many certs that other testers would recommend, and they are all equally good as long as you have a good understanding of cybersecurity. With a general understanding you will start developing ideas about what you want and what route to go down.

Seek and you shall find...

You will not be the only person looking for answers or looking at "how to get into infosec". There is a whole infosec community and most of us are friendly and helpful. If you have not already got yourself on Twitter, that would be the first place to look for an infosec community. Then there is Discord, which has so many servers that you can join to get involved in the chats and ask for guidance.

Also download the 'Meetup' app and see what the local meetups are in your area. Most of them are free to go to, and they are a great place to meet new people, network and find peers who are on the same journey as you.

There are also infosec conferences. Google your local BSides, which I recommend everyone who is interested in infosec attend; they are free and community-based, and you will meet vendors and great, knowledgeable people giving talks and tips.

This guide will give you a good start towards where you want to get to, and I hope it helps you in some way. My next blog will be 'Working in infosec'; until then, if you have any questions, I'm on Twitter.

Resources:

CTFs:

The awesome image used in this article is called "Getting Started" and was created by Jason Travis.