Starting Point Guide for Security Professional Wannabes
In 2014, several financial institutions and other large corporations — including Sony, Target, J.P. Morgan, eBay and Home Depot — were hacked. These incidents prove that security breaches do not discriminate, and show that security weaknesses can lead to significant damage. Information Security is a $79.9 billion market and is expected to create demand for 4.9 million professionals by 2017. This, together with a 34% increase in security education and training, ranks Information Security Professional among the hottest jobs.
Because I receive so many questions regarding security and ethical hacking education for beginners, I curated a short but comprehensive list of free resources. This article is for those of you who need a starting point and some direction towards becoming an information security professional. Based on my experience, the resources mentioned below provide a useful starting point; however, they aren’t the only high quality resources out there, so feel free to share and comment.
If you’re a programmer or a system administrator, transitioning to a role in security will be much easier. A programming background inherently strengthens your ability to understand security tools, concepts, and common practices. A background in system administration will allow you to effectively build on your existing knowledge of network infrastructure and Internet protocols, and help you to better understand defensive strategies at the network layer.
If you don’t have a technical background, there’s no need to panic. You can still work towards a career in security. “Every security professional was a skiddie at the beginning” — a saying reminding us that we all started somewhere. Like anything else, security is a skill that is developed through hard work and dedication.
Finding Tools and Building Your Arsenal
Open source security auditing and penetration testing applications are your most valuable assets. When you need to find security tools, Google is your best friend; however, you can start here at SecTools. You can also find lots of open source tools on Github.
Check out these survey results to find out which tools others are using.
Setting up Your Training Environment
When practicing offensive and defensive security, never use your primary operating system. Instead, use a virtual machine. There are a number of desktop virtualization solutions available but we recommend Oracle’s VirtualBox because it’s free and cross-platform compatible.
The following video will show you how to create a Kali Linux virtual machine in VirtualBox:
Choosing Your Test Targets
To practice offensive security, you need a target. There are plenty of “Vulnerable by Design” machines out there, but we recommend Metasploitable and HacmeBank. Metasploitable is Linux-based, whereas HacmeBank is Windows-based.
If you have a Free Account on CTF365, you can access Metasploitable in the cloud to train your hacking skills. The advantage is that you don’t need to create a virtual machine or make configurations — we do everything for you. Another advantage is that, because it’s online, it simulates an authentic target and gives you a real life feel. Alternatively, you can find a variety of “Vulnerable by Design” machines at VulnHub.
There are hundreds of security books, and some of them are even free; however, we recommend one book in particular to begin with — Metasploit Unleashed. We recommend Metasploit Unleashed because:
- It’s written and published by one of the best-known security training companies — Offensive Security.
- It combines reading with practical experience and uses Metasploitable as a training lab.
Chris Haralson’s YouTube channel is one of the best sources of high quality security training video tutorials. We recommend Chris’ channel because his videos are:
- Clear, concise and well organized.
- Detail-oriented and noob-proof.
- About 7 minutes in length on average.
- Reliable and accurate.
Chris created the following Metasploitable tutorial for CTF365 users:
Currently, there is no single institute or website that can take you from zero to hero. The Internet is littered with free InfoSec resources, but it’s up to you to find them. Just remember, not all of them are credible. Take this infamous example from NextGenHacker101, with over 1.4 million views.
About: CTF365 is a top-notch Security Training Platform for the IT industry, with a focus on Security Professionals, System Administrators and Web Developers, that offers five-star services.
The Platform implements CTF concepts and leverages gamification mechanics to improve retention rates and speed up the learning/training curve.