Wednesday, May 27, 2015

Answers on how to get started in Security

Someone hit me up on Twitter and email about how to get started in security. The question was pretty generic, and since I didn't even receive a thanks back from the guy, I'm sharing it with everyone else/archiving it in case I'm asked again in the future.

The question:
I want to become proficient at pentesting on computers and phones. I have a running version of Kali Linux on my computer and am using the "Kali Linux Cookbook" as a reference. What book or online tutorials would you recommend for me to use in order to get better? 

A few things I think you should do to get started.

1. Get rid of Kali. Having all these tools already there is a shortcut that skips the learning. You'll learn way more by figuring out what tool you need for a job/task (feel free to use the index of tools in Kali, which is readily available) and installing the tool yourself. Ubuntu is the best supported distro hacker-tool-wise, but there are other distros. Pick whatever suits you. Use a VM so you can undo stuff if you break your distro, but that's pretty rare these days. Most things apt-get install or compile from source on Ubuntu without issues.

2. You are in luck these days as there are tons and tons of resources available to learn infosec.

-Books I'd start with (buy or torrent depending on ability)

  • The latest Hacking Exposed book. The methodology it teaches is still relevant today and it's a 10,000 ft view of different hacking areas.
  • Pick a basics of pentesting book (or a few) to start with. I've stopped reading the basics books, but any of them should whet your appetite.

Some examples (more netsec):

Some examples (webappsec)

Some examples (social engineering)

Some examples (Physsec/redteam)

Lots more here. The list is a bit dated, I'll try to update it this week, but it IS sorted by category.

Exploit dev

  • Tons and tons of books/resources. Unless you are really, really interested in writing exploits, I wouldn't start here. Understanding the above will give you more opportunities for jobs in the business; writing exploits and automating tasks will come naturally as you progress.

3.  Pick a scripting language to work on

  • Python is probably the most supported/popular
  • Ruby is what Metasploit is written in, so there is value in learning that
  • JavaScript/Node.js will be useful going forward as well

4. Online CTFs

5. Training
Lots out there; plenty is torrentable, or pay for it if you feel like it/can (you should if you can afford it -- those people work hard on it). With the amount of resources available, you should be able to learn the basics without paying a dime and seek out mentors or ask questions over email/Twitter for topics you are stuck on.

Second Question:
Also, what steps did you initially take to become proficient at computer security?

-I was a computer science major in college, so I came out knowing some of the basics. My job in the military was communications and I ended up doing a lot of layer 2/layer 3 stuff along with MCSE type tasks. It's going to be important for you to learn, if you don't already know, A+ type material and Network+/basic CCNA type materials. Hacking is all about exploiting the mistakes someone made setting things up and abusing protocols, but a lot of it is finding/identifying/exploiting misconfigurations. This is a lot easier if you understand how to do these basic configurations.

Aside from that, start practicing, reading blogs/Twitter, and watching talks that interest you. I'd start with the basic ones but also watch stuff that is advanced/over your head. Getting your mind blown occasionally helps let you know there really is no limit to the stuff you can do, what you can learn, etc. has pretty much everything and more content than you will ever be able to consume plus lots of free courses.

That's what I have for starters, as you asked a pretty generic question, so hope that helps.




Anonymous said...

Great to know! How often would you say you spend on your computer just playing around and trying new stuff?

Anonymous said...

For all the beginners in pentesting, thank you :-)

Anonymous said...

Thank you, really helpful. One more question, I'm in my early forties and thinking of getting into this stuff, really fascinated and interested, I'm more than a little computer savvy and have taught myself more than a little computer programming over the years. Would you say it's too late to get into infosec or should I just go for it?

Thanks again!

Anonymous said...


I keep hearing how the Infosec field has a shortage of folks and how welcoming they are to people coming into the field. Bahhh Humbug. I have nearly 20 years of IT experience across several platforms and have been in varied positions over those years, even performing Infosec-related duties. And when I decide to leverage that experience and migrate to Infosec, specifically Penetration Testing, all I hear is how I don't have any "direct experience." So all those talks boasting of a welcoming community I now see are bogus. Don't believe the hype, as they say.

Anonymous said...

Thanks for putting this all together. I have a group of college students who have been coming to me for advice and this is a great place for me to point them to, and I may "acquire" some of your content to put into my reply emails for new advice seekers.


CG said...

Glad it helped, Rob.