What does it take to get started in information security? Can you teach yourself security?
This field requires you to understand how PCs, mobile devices, applications, servers, protocols, and networks operate. It helps to have a lot of curiosity and a good sense of where trouble lurks. And don’t forget Unix/Linux (more on that later).
I started as a PC support guy, became a server administrator, managed a network, and then became a security analyst. For me, it was a natural progression, but that’s the “old school” way of doing it. Security training was scarce, and there were few to no institutions offering training specific to that area. Also, the internet was still growing, and there were few security websites or blogs to learn from.
These days, employers are looking for a degree in Information Systems or Computer Science, advanced training in specific areas, and security certifications. If you’re starting out, I’d get that degree and advanced training if you can. Most certifications require a few years of actual experience, so pick certs up later–don’t be a paper-certified person who really doesn’t understand the subject–none of the ones I’ve ever met (or had to train) ever amounted to anything.
One thing that some security people lack is a solid background in IT, the daily grind of slugging it out with OSes, users, and problems over a few years. No college or certification can provide that, so don’t be afraid to start on the help desk or break/fix team.
So what if degrees or advanced training isn’t an option, or you just want to learn more about the field or a specific area? Lots of good, free options abound. Here’s a few (I’ll continue to add to this list):
> Free online CISSP webinars from ISC2 that describe how to become a CISSP and preview the main points of each of the 10 domains (11 webcasts). New Links added 12/17/14
> Free online CISSP training from Shon Harris – not enough to pass the test, but a great start (free registration required).
> Free online CISSP test of 100 questions (free registration required).
> Free CISSP review materials (see link at bottom of page) and 2 free practice tests, one with 100 questions and another with 250 questions, the same as the actual CISSP exam (see links to exams and answers under the “Baseline Exam” and “Final Exam” headings). Check out other free training recommended by blogger SecurityMonkey here. New Links added 11/24/14
> Security Monkey – great blog regarding all aspects of security; may be a bit advanced for some, but good information AND entertaining.
If you only do one thing, I’d recommend Gibson’s podcasts, but you’ll need a goooood chunk of time (at last count there were over 350 podcasts). Don’t be overwhelmed, just look through the list and pick the ones you’re interested in.
> SANS Handler’s Diary – a daily analysis about current Internet attacks/scans, vulnerabilities, vendor updates, various security topics, and more.
> Good online magazines that provide insight to the types of issues that security professionals deal with:
> Forum (free registration required): www.ethicalhacker.net – a forum where security pros discuss and debate the latest issue and share information.
> Unix/Linux – There’s a lot more to life that Windows. A background in Unix/Linux is necessary, so you might as well get started. Many versions of Linux (called distros or distributions) exist, you just need to pick one and play with it. Check out How to pick a Linux Distro.
Linux basics are pretty much the same across all distros. If you’re not sure where to start, start with Ubuntu. Most distros can be downloaded as live CDs, which means they boot and run from a CD, and it won’t change how your PC currently works.
The other cool thing about Linux is that it does not have high hardware requirements and will run on old boxes that you might already have. And no OS license is required!
> Learn to code. Python is a good place to start. You don’t need to learn coding immediately, just keep it in mind for the future. As you learn more about security, you’ll understand why coding is required.
> See my Links page.
This is a short list, but these resources will lead you to other resources.
Any other suggestions from others in the experienced crowd?