Starting out with CISA cert

Greetings all,

I am a teacher but I have a friend who is starting up a security company and wants me on board. She is confident that I will be able to get the necessary certs, CISA being what she has told me. It would basically be red team work, she says. I’m definitely interested in pursuing this but my tech knowledge is, while not minimal, very scatter-shot in nature.

I have set up and used Ubuntu, Mint, Bodhi, Whonix and TAILS. I get old laptops from friends and set them up (usually with Bodhi) and give them to students who need them. I’m a DLN listener but don’t always understand everything I hear, but I can usually Google up an explanation if it is something that catches my interest. I do the same with other tech podcasts (Cyberlaw and Privacy/OSINT mainly, and DEF CON talks).

So my question is where should I start to get a more systematic knowledge of security? I have set up Kali on a USB as well as in a VM, and I’m like “now what?”

Any and all thoughts and advice are appreciated!

1 Like

To be honest, security professionals are expected to have a very sound, deep IT background or knowledge. There’s really no such thing as an entry-level security position.

I think several of the CompTIA certs cover specific areas that a security professional should know cold, including Network+ and Security+. Those two provide a very solid foundation from which to build a security program of study. I am Security+ and CySA+ certified. CySA+ is blue team related, so you don’t need that one. I believe that CompTIA does have a Pentesting related cert and I’m sure that would have good red team content.

I’m not familiar with the content or the prerequisites for the CISA cert, but I think Net+, Sec+, and the pen testing cert would be an excellent way to build a solid foundation toward preparing yourself for the CISA cert.

1 Like

Immerse yourself in the culture, forums, content creators, etc. Build a mini-homelab so you can apply the things you’ve learned from formal education and other people.

Try to get a clear picture of what your company’s customers will want from you and what their infrastructure may look like as this may radically change how you prioritize personal projects and education.

Don’t be afraid to make lots of mistakes in how you progress, just get on with it. Get comfortable with feelings of inferiority and total honesty because you’ll need them always even at the top.

There’s a famous Judo master named Miyamoto Musashi who once said,

“If you know the way broadly you will see it in all things.”

Just get out there and learn as much as you can.

1 Like

Thanks so much, those two CompTIA certs were actually what I was thinking about.

I think of it as if I’ve been camping out in the IT space but I would like to build a foundation under myself.

Cheers

Thanks for the encouragement!

Very well worded.

You WILL need a home lab for this. Not having the experience of a network engineer or at least a couple of years of IT experience is going to mean learning a lot of new things for the first time and a lot of memorization.

If you can get your hands on a managed switch that supports VLANs and a real router, you can learn about the challenges with multiple VLANs, how to provide DHCP to clients in each VLAN, the security gained from segmentation, and this sets the stage for adding a firewall. This type of environment is the beginning of what you would see in a corporate environment. Don’t skimp on the firewall either, get a good one. I use OPNsense. All of this is just on the network side.

For security, the first thing to learn is how packets move through a network (I know, this is part of the network portion, but it is the basis for security). Next is to learn how applications communicate (IP and port numbers). Net+ and Sec+ will cover this. Next, get into Nmap and learn how to scan a network for live devices and what OS they are running. From there, I would suggest picking a couple of good security tools like Nessus or Greenbone’s OpenVAS. These are vulnerability scanning tools. Once you get comfortable with that, move to pentesting and learn to use tools like Metasploit. These are all practical skills to learn; there is a huge amount of learning to go with this, like policies and procedures, NIST, what CVE means and how to read the scoring. Try to keep things as simple as possible, as cyber security can get very complex. In the end, all of cyber security is about two things: identifying and mitigating risk. It’s all about risk.

Mike Meyers has one of the best Net+ books, plus he has a very good course on Udemy for Net+ and Sec+. For Sec+, I used Darril Gibson’s book and Mike’s Udemy course.

Download the exam objectives and build your self-study from there.

Good luck and post questions here (or PM me if you want). I’d be more than happy to assist you with Net+ and Sec+. Security auditing is beyond my expertise, though.

I am following a similar path. I’m not so interested in a certification, and I wanted to find an “alternative” to the standard 9-5 career path. I decided to focus on real world experience instead of returning to university for continued education (as well as avoiding that impending debt.) I started a sabbatical to focus on independent ethical security research on web security and bug bounties.

This is crazy, but I am able to support my sabbatical financially. I also picked up my old Network Admin/Engineer role at a WISP part time to keep some income rolling in as I focus on studying. Unfortunately, I encountered a major health hurdle that has slowed me down for a few months.

I did create a Discord channel in order to keep track of the mass amount of resources available for free or relatively cheap that still retain a decent educational quality. I am also looking for anyone with similar interests, or mentors that may be interested in helping out security fledglings. Although my current focus is on web security, the educational resources are in fact shallow on the web subject because they are broadly for security certificate training.

Feel free to message me or respond here if you would like to join the Discord to sift through the resources I have been able to compile. That invite also extends to the entire DLN community for anyone interested in security and web testing.

If you’re not already familiar with OWASP and WAF (web app firewall), add those to your list to study.

Also, I recommend LinkedIn if you don’t already have an account. It’s littered with ads these days, but is still a good way to network with others that have similar interests. I’m sure you can find a web security focus group on there as well.

It’s critical to learn the standard procedures, fundamentals, detection mechanisms for when/if those measures fail, etc. If nothing else, as the meme goes, “No one ever lost their job by doing everything by the book.”

But there’s also that gaping hole of expecting the unexpected, and a lot of breaches are surprisingly “simple”… like fuzz testing to exploit how a web server interprets form inputs, waiting around till someone else publishes a vulnerability that hasn’t been patched upstream yet, leaving a “memory stick” on the secretary’s desk or just walking into the server room, and the all-time best: security measures that don’t respect human nature, so employees make mistakes or circumvent them.

It’s a real mess but it’s so rewarding to pursue!

Cool to hear you’re working on this; you should do an announcement thread or post a link, unless you want to keep entrance selective.

Personally I haaate Discord with a burning passion or I’d be there. I couldn’t talk to a lot of the community until DLN made the Matrix bridge (thank yooouuuu Michael <3). If you ever make a wiki I’d love to check it out; alternatively you could cross-post information to a thread here and you’d get a wider audience, help, interaction, etc.

1 Like

Thank you all so much for these comments. I’m going through and making a to-do list today, and looking into the books mentioned. After listening to DLN a lot, I knew the community would be nice, but I had no idea how cool y’all would be. I’ll be DMing a couple of you soon as well.

Thanks again!

Sorry for the hijack, but I, too, left Discord. I’m using Guilded now.

Now, back to our regularly scheduled programming.

1 Like