Starting Point Guide for Security Professional Wannabes


In 2014, several financial institutions and other large corporations — including Sony, Target, J.P. Morgan, eBay and Home Depot — were hacked. These incidents prove that security breaches do not discriminate, and show that security weaknesses can lead to significant damage. Information Security is a $79.9 billion market and is expected to create demand for 4.9 million professionals by 2017. This, together with a 34% increase in security education and training, ranks Information Security Professional among the hottest jobs.

Because I receive so many questions regarding security and ethical hacking education for beginners, I curated a short but comprehensive list of free resources. This article is for those of you who need a starting point and some direction towards becoming an information security professional. Based on my experience, the resources mentioned below provide a useful starting point; however, they aren’t the only high quality resources out there, so feel free to share and comment.

If you’re a programmer or a system administrator, transitioning to a role in security will be much easier. A programming background inherently strengthens your ability to understand security tools, concepts, and common practices. A background in system administration will allow you to effectively build on your existing knowledge of network infrastructure and Internet protocols, and help you to better understand defensive strategies at the network layer.

If you don’t have a technical background, there’s no need to panic. You can still work towards a career in security. “Every security professional was a skiddie at the beginning” — a saying reminding us that we all started somewhere. Like anything else, security is a skill that is developed through hard work and dedication.

Finding Tools and Building Your Arsenal

Open source security auditing and penetration testing applications are your most valuable assets. When you need to find security tools, Google is your best friend; however, you can start here at SecTools. You can also find lots of open source tools on GitHub.

Check out these survey results to find out which tools others are using.

Setting up Your Training Environment

When practicing offensive and defensive security, never use your primary operating system. Instead, use a virtual machine. There are a number of desktop virtualization solutions available, but we recommend Oracle’s VirtualBox because it’s free and cross-platform.

The following video will show you how to create a Kali Linux virtual machine in VirtualBox:

Choosing Your Test Targets

To practice offensive security, you need a target. There are plenty of “Vulnerable by Design” machines out there, but we recommend Metasploitable and HacmeBank. Metasploitable is Linux-based whereas HacmeBank is Windows-based.

If you have a Free Account on CTF365, you can access Metasploitable in the cloud to train your hacking skills. The advantage is that you don’t need to create a virtual machine or configure anything — we do everything for you. Another advantage is that, because it’s online, it simulates an authentic target and gives you a real-life feel. Alternatively, you can find a variety of “Vulnerable by Design” machines at VulnHub.
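Whether you run Metasploitable locally or on VulnHub images, a deliberately vulnerable VM must never sit on the same network as your real machines. The following script is an added example (not code from the original post or from CTF365) that puts the Kali attacker VM and the Metasploitable target on an isolated VirtualBox host-only network; it assumes VBoxManage is on your PATH, that both VMs already exist under the names you pass in, and that the host-only adapter is called vboxnet0 (the Linux/macOS default; Windows names it differently).

```shell
#!/bin/sh
# Added example: isolate a VirtualBox practice lab on a host-only network.
# Assumptions (not from the original post): VBoxManage on PATH, VMs already
# created, host-only adapter named vboxnet0. Set RUN=echo for a dry run.

HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"   # host-only adapter name (assumption)
LAB_NET="192.168.56"                     # VirtualBox's default host-only subnet
RUN="${RUN:-}"                           # RUN=echo prints commands instead of running them

vbox() { $RUN VBoxManage "$@"; }

# Create the host-only interface plus a DHCP server on it, so both VMs get
# addresses from VirtualBox and never touch the real LAN. On a host that
# already has vboxnet0, drop the "hostonlyif create" line (it would add vboxnet1).
create_lab_network() {
  vbox hostonlyif create
  vbox hostonlyif ipconfig "$HOSTONLY_IF" --ip "$LAB_NET.1" --netmask 255.255.255.0
  vbox dhcpserver add --ifname "$HOSTONLY_IF" --ip "$LAB_NET.100" \
    --netmask 255.255.255.0 --lowerip "$LAB_NET.101" --upperip "$LAB_NET.254" --enable
}

# Point a VM's first NIC at the host-only network and disable the second NIC,
# which is where a leftover NAT or bridged adapter would otherwise expose the target.
isolate_vm() {
  vbox modifyvm "$1" --nic1 hostonly --hostonlyadapter1 "$HOSTONLY_IF"
  vbox modifyvm "$1" --nic2 none
}

# Usage: setup_lab <attacker-vm-name> <target-vm-name>
setup_lab() {
  create_lab_network
  isolate_vm "$1"
  isolate_vm "$2"
}

# Dry run: print the exact commands setup_lab would execute, for review first.
lab_plan() {
  ( RUN=echo; setup_lab "${1:-kali}" "${2:-metasploitable}" )
}
```

Run `lab_plan kali metasploitable` to review the commands, then `setup_lab kali metasploitable` to apply them; afterwards the two VMs can reach each other on 192.168.56.0/24 but nothing else can reach the target.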

The Book

There are hundreds of security books, and some of them are even free; however, we recommend one book in particular to begin with — Metasploit Unleashed. We recommend Metasploit Unleashed because:

  • It’s written and published by one of the best known security training companies — Offensive Security.
  • It combines reading with practical experience and uses Metasploitable as a training lab.

Video Tutorials

Chris Haralson’s YouTube channel is one of the best sources of high quality security training video tutorials. We recommend Chris’ channel because his videos are:

  • Clear, concise and well organized.
  • Detail oriented and noob proof.
  • About 7 minutes long on average.
  • Reliable and accurate.

Chris created the following Metasploitable tutorial for CTF365 users:


Currently, there is no single institute or website that can take you from zero to hero. The Internet is littered with free InfoSec resources, but it’s up to you to find them. Just remember, not all of them are credible. Take this infamous example from NextGenHacker101 with over 1.4 million views.

 Have anything to add or comment? Please do so.

About: CTF365 is a top-notch Security Training Platform for the IT industry with a focus on Security Professionals, System Administrators and Web Developers that offers five-star services.

The Platform implements CTF concepts and leverages gamification mechanics to improve retention rates and speed up the learning/training curve.

Marius Corici

Lazy (energy efficient) entrepreneur: Thinking a lot to do less, preserving energy, providing simplicity.

1 Response

  1. April 27, 2015

    […] Because of the increasing complexity of software, Internet size (IoE – Internet of Everything) and types of attacks, information security training demands new standards for security training labs, and the answers above prove that there is a need for better, sophisticated and close-to-real-world security training labs. If you really want to learn and train in information security at a higher level, USB/CD-delivered training labs are out of the question nowadays. USB/CD security labs are for entry-level security professional wannabes, and there are plenty of great free resources. […]
