How to start on cybersecurity

Cybersecurity is the area of knowledge about protecting computers, the networks they use to communicate and the information they process from malicious damage or disruption.

The work done in cybersecurity can be classified in different ways. One classification is related to how we approach the target systems. If we attack them as if we were real attackers, with the objective of identifying security vulnerabilities, we say we work on the offensive side of security, or red team. If we work protecting the systems against attacks, we say we work on the defensive side of security, or blue team. You may think that any good security professional should cultivate both sides of the profession, and you will be right, but it is frequent to start on one side. During our professional life it is frequent to change from one to the other and improve in both.

Offensive skills and defensive skills are different and, therefore, you learn them differently. However, it is important to say that each reinforces the other: if you learn defensive skills you will be better in the red team. If you are good in the red team, that will help you when you need to work on the defensive side.

If you want to learn cybersecurity, be ready to spend a lot of time studying. Be mindful that in cybersecurity you are either trying to circumvent the security that someone has created (if you are in the red team) or trying to increase the security of a system against other people who are actively trying to circumvent it (if you are in the blue team). This means that you have to be a really good player to play this game. For that, you need to know the theory behind the practice. Without the theory you will learn very slowly and you will rely on ideas and superstitions more than on facts. What theory should you learn to work in cybersecurity?

First of all, I would recommend you to start by learning networking. How networks work, and especially how the Internet works, is the foundation of everything. The basics of networking are still very present in the most modern technologies and architectures.

In order to learn networking I would recommend the book TCP/IP Illustrated. It is a classic, but it has the foundation you need to learn how networking works.

I would also recommend learning programming. I don’t think anyone could be a cybersecurity professional without knowing how to program. If you don’t know any language, I would recommend that you learn Python. Python is an easy language to learn, with a clean and consistent syntax. It will allow you to understand the basics of imperative and object-oriented programming languages, and at the same time it will give you the capability of creating your own scripts to automate tasks.

You will also need to learn how web applications work. Web applications are almost everywhere. You need to understand how web applications work and their architectures. Nowadays, web applications are rarely developed from scratch in any programming language. Different programming languages have their own frameworks to develop applications, which provide a lot of the functionality needed. It’s important to know what web development frameworks can provide from a security point of view. If you have learned Python, you may want to learn Django for that. Django is a web application development framework based on Python.

While you learn Python, I would recommend that you try to write scripts and tools based on the TCP/IP Illustrated book. That way you will be relating two knowledge areas and learning both of them at the same time. Trying to program what you learn is a fantastic pattern for learning cybersecurity.
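As an added example of this pattern (it is not code from the post, nor from TCP/IP Illustrated), here is a small Python script that parses an IPv4 header from raw bytes and verifies its header checksum as described in RFC 1071. The packet bytes are constructed for the example; the function names, the dataclass and the protocol table are my own choices, not a standard API.

```python
import struct
from dataclasses import dataclass

# Small protocol-number table (assumed subset, from the IANA protocol numbers).
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class IPv4Header:
    """Decoded fields of a fixed 20-byte IPv4 header plus any options."""
    version: int
    ihl: int
    total_length: int
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int
    ttl: int
    protocol: int
    protocol_name: str
    checksum: int
    checksum_ok: bool
    src: str
    dst: str
    options: bytes
    payload_length: int


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(packet: bytes) -> IPv4Header:
    """Parse and validate the IPv4 header at the start of `packet`."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the minimum IPv4 header (20 bytes)")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = ver_ihl >> 4
    ihl = ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not an IPv4 packet (version %d)" % version)
    header_len = ihl * 4
    if header_len < 20 or header_len > len(packet):
        raise ValueError("invalid IHL %d for a %d-byte packet" % (ihl, len(packet)))
    if total_len < header_len:
        raise ValueError("total length %d smaller than header length %d" % (total_len, header_len))
    header = packet[:header_len]
    # The checksum is computed over the header with the checksum field set to zero.
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return IPv4Header(
        version=version,
        ihl=ihl,
        total_length=total_len,
        identification=ident,
        dont_fragment=bool(flags_frag & 0x4000),
        more_fragments=bool(flags_frag & 0x2000),
        fragment_offset=flags_frag & 0x1FFF,
        ttl=ttl,
        protocol=proto,
        protocol_name=PROTOCOL_NAMES.get(proto, "proto-%d" % proto),
        checksum=csum,
        checksum_ok=internet_checksum(zeroed) == csum,
        src=".".join(str(b) for b in src),
        dst=".".join(str(b) for b in dst),
        options=header[20:],
        payload_length=min(total_len, len(packet)) - header_len,
    )


# Constructed sample: 20-byte header (DF set, TTL 64, TCP, 172.16.10.99 -> 172.16.10.12)
# followed by 40 bytes of dummy payload, so total length is 60.
SAMPLE_PACKET = bytes.fromhex("4500003c1c4640004006b1e6ac100a63ac100a0c") + b"\x00" * 40

# Same packet with the TTL byte changed to 63: the stored checksum no longer matches.
TAMPERED_PACKET = SAMPLE_PACKET[:8] + b"\x3f" + SAMPLE_PACKET[9:]


if __name__ == "__main__":
    for name, pkt in (("sample", SAMPLE_PACKET), ("tampered", TAMPERED_PACKET)):
        h = parse_ipv4_header(pkt)
        print(name, h.src, "->", h.dst, h.protocol_name, "ttl", h.ttl,
              "checksum", hex(h.checksum), "ok" if h.checksum_ok else "BAD")
```

Running it prints the decoded source and destination, the protocol and whether the checksum verifies; the tampered copy shows how a single changed byte is caught. From here, a natural next step in the same spirit is to keep reading the book chapter by chapter and extend the parser to the TCP and UDP headers that follow.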

Another major block that you will need to learn is Linux. Again, I don’t think anyone can be a good cybersecurity professional without learning Linux. Many of the tools you may need while working in cybersecurity, especially if you work in the red team, work only (or better) on Linux. Another reason to learn Linux is that it is the most frequent operating system you will see while working on cloud systems.

Any person with a strong foundation in networking, programming and Linux will already be a good professional in cybersecurity, because an important part of being a good cybersecurity expert is knowing well how technology works. However, there is also specialized knowledge you may want to learn.

In order to learn cybersecurity I recommend that you study the OWASP documentation, especially the OWASP Testing Guide. I also recommend that you study the book “The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws”. While you study these documents, try to understand everything and try to program your own scripts in your favourite programming language.

The next step I recommend is that you start playing wargames. They are a kind of hacking challenge. Each of them is focused on one area of knowledge. I especially recommend the ones in OverTheWire. Start with one and go level after level trying to find the solution. Search for information, read, study and try whatever you need to solve each challenge.

You can start playing CTFs (Capture the Flag) and bug bounties. A CTF is a kind of contest where there is a list of hacking challenges and you compete, individually or in a team, against other people to solve more challenges. They are usually held during the weekends, and you can consult CTFtime.org to know when they will happen and how to register and participate. I recommend that you play CTFs because they will give you the mental agility of finding solutions and learning new technologies. CTFs do not represent reality, but they usually are very up to date on new technologies.

Bug bounties are real information technology systems that companies allow you to hack. That way you can learn. In bug bounties, I don’t recommend that you jump from one to another trying to just find bugs and gain some money. That is cool, but it probably should not be the objective if you want to be a cybersecurity professional in the long term. The objective should be learning. Therefore, my recommendation is that you join a bug bounty program for a piece of software you are interested in, and that you learn about it as much as you can at the same time you look for bugs. Some of the best bug bounty hunters only play one bug bounty program and they get very specialized in it. You can find bug bounty programs and how to participate on Bugcrowd and HackerOne.

Other sources of information

With the sources provided above and deliberate learning, anyone has more than enough to become a great cybersecurity professional. After a point, it is less about having access to more information and more about understanding the information we already have and trying to apply it in practice. However, it is always interesting to keep learning continuously and also to know about the latest news in the cybersecurity world. There are some good sources of information for that.

Social networks

Twitter was in the past a really good source of new information about cybersecurity. Some people called it “Cybersecurity Twitter”. However, with the increase in ads, the restrictions on the use of the API and other changes, many of the security professionals who used to share information on Twitter have left. Now, there is a growing community of cybersecurity professionals on Mastodon, especially around the Infosec.Exchange server. I would suggest that you install Mastodon or another client like Megalodon, register on the Infosec.Exchange server and start following people who talk about cybersecurity. You can follow me at https://infosec.exchange/@florenciocano.

Youtube

I don’t like to learn cybersecurity on Youtube, with some exceptions. I don’t like it because it is usually much slower than reading about the same topic. However, I like to watch presentations from CONs on Youtube, and also to learn concepts that are better understood with diagrams and visual explanations.

I have only watched some of their videos, but I have read that LiveOverflow has great content.

Certifications

Someone having many certifications does not mean that person is a big cybersecurity expert; in the same way, someone without any certification does not necessarily lack knowledge about cybersecurity. However, certifications are a good way to show your potential employer that you are really interested in cybersecurity. Also, if you pay attention, all certifications will teach you something. Beyond trying to get the certification itself, try to learn.

I would say that the most well respected cybersecurity certification is the OSCP. It is very technical and very offensive.

From a security professional’s point of view, CISA and CISM from ISACA will give you a great view of what is really needed to progress in the cybersecurity field beyond entry positions.

I would also recommend that you learn about Information Security Management Systems and especially about the standard ISO 27001. This will give you a good overview of what a company should implement and maintain to improve their security posture.

Your first cybersecurity position

When you land your first cybersecurity position, focus on that position and learn as much as possible. Try to apply what you have learned and continue learning. When you are in a cybersecurity position you have access to real challenges, real technologies and specific risks. The cybersecurity field is wide, every engagement is different and you always have to learn. It is about continuous learning. That’s why having the basics well studied is so important.