Getting Into Cyber Security
I was asked by a college student, “How can I get into cyber security?”
No matter how many people you ask, I’ve found that most advice tends to follow the same 4 themes: 1) Learn to code, 2) Understand how systems work, 3) Combine those skills to build something cool, 4) Stay relevant.
Learn to code
It doesn’t matter which tech field you land in, you need to learn how to code.
There are plenty of ways to do this. Coding challenges? Projects? Coding games?
Find what works for you.
Here are a few resources to get started:
https://www.reddit.com/r/learnprogramming/wiki/faq#wiki_getting_started
https://www.coderbyte.com/
https://www.codewars.com/
https://edabit.com/
https://www.reddit.com/r/dailyprogrammer/
Understand how systems work
Where will your code run?
How do you manage that system?
How does your code interact with other systems?
Do you know the difference between TCP/IP and HTTP?
Linux? Windows? Cloud? Know when it makes sense to use each.
Places to start:
https://www.reddit.com/r/sysadmin/wiki/learn
https://www.youtube.com/watch?v=e5DEVa9eSN0
Create a web page and deploy it somewhere. Enrich it with external APIs. Debug it with devtools.
Combine those skills to build something cool
So you did some coding challenges. You built a few VMs, serverless functions, and containers. You followed a tutorial and have code deployed.
Now what? What tangible evidence do you have to show for the hours you put in to learn all of that?
Go beyond HelloWorld, coding exercises, and tutorials. Build something that you’re proud of.
Working on a project is the best way to learn. Plus, you’ll have an app to show off at the end!
“That’s a lot of fundamentals, can I dive straight into security?”
Security is a specialty, just like civil engineering, patent law, or oral surgery.
Having a strong foundation will pay off in the long run. As much as I hate the analogy, it’s like building a house. Without a solid foundation, you’re bound to run into issues.
Security is not as siloed off as some may think. Sometimes we’ll wear the software developer hat. Other times, it’ll be the operations engineer hat. After that, it could be the data scientist hat. Having a diverse skill set built on top of a solid foundation will pay dividends.
Even within the security specialty, there are a ton of different areas you can work in. Blue team? Red Team? Forensics? Law? Hardware? Software? Cloud? The list goes on.
Research what interests you. Find out what’s valuable to that niche. Make yourself valuable.
“Where can I get hands-on experience or exposure?”
- Participate in CTFs
- Learn on HackTheBox.eu
- Add security to your home network
- Help improve Open Source security software
- Join a security community (local and/or online)
- Watch YouTube videos from popular conferences
“I want security resources to learn from”
There are more resources out there than I can keep up with, but here are some of my favorites:
- Be engaged with a security community!
- https://www.reddit.com/r/netsec/wiki/start
- https://krebsonsecurity.com/
- https://packetstormsecurity.com/
- Smashing Security
- Darknet Diaries
- Kingpin
- The Cuckoo’s Egg
- DEFCON on YouTube
A Note About Obsolescence
The tech field changes at a rapid pace, and you will certainly be left behind if you can’t keep up.
This may scare some people, but if you are naturally curious and learn with purpose, you will be fine.
For example, I started my career as a Linux sysadmin back when RHEL 6 was the new hotness. I learned a ton about it and even earned the RHCE!
A few years later, RHEL 7 became the new hotness and it introduced a pretty big change. init was deprecated for systemd.
I could have grumped with the old guard about how difficult that made our jobs, but I opted to embrace that change. The ethos of what init and systemd do is pretty much the same, but there are a lot of syntax changes.
Do I keep all of my knowledge about init at the forefront of my memory? Nope. systemd is more relevant today.
So do I regret spending all of that time learning init on RHEL 6? Not at all.
You can easily look up stuff like syntax. You shouldn’t have to start from zero when familiar tech changes. Build on what you know.
Even now with containers and serverless functions, traditionally managed servers are starting to take a back seat. It doesn’t mean that learning sysadmin stuff isn’t important anymore though.
What we know as sysadmin work today may not be the sysadmin work of tomorrow.
That goes for any specialty in tech, including security.
Stay hungry
Don’t be afraid to pick up the new hotness. But also, be mindful of when it’s time to stash away stale information.
Expand your knowledge quickly. Build things. Stay hungry.