
Ask HN: How can I learn computer security? - boniface316
I am taking some data science courses. Is there any link between data science and cyber security? And where can I learn cyber security stuff?
======
artie_effim
Cyber pro here - 5 years doing IV&V testing, 15 years as Fed, State and Local
contractor, now a firewall admin at a major U.S. uni. I got an NSA accredited
([https://www.nsa.gov/resources/educators/centers-academic-excellence/cyber-defense/](https://www.nsa.gov/resources/educators/centers-academic-excellence/cyber-defense/))
Master's in IT with a specialization in security.
While the degree got my foot in the door (I have a BA in Arts - but have been
messing around with computers since the early 80's - plus a lot of self taught
stuff) - I've found that a ton of side reading (anything related to the
subject - I spent a lot of time on the RFCs - that stuff I use every day),
looking at PCAPs to understand the protocols and reading case studies are the
best way to hone the craft.

For a while I was doing Governance, Risk and Compliance (GRC) work, but have
always loved being a network security engineer, so I went back to that.

Also - I have a CISSP, which opens a lot of doors. I know that it is being
knocked a bit nowadays, and there are certainly some who are test-knowledgeable
but have no hands-on, common-sense experience. I still find it valuable enough
to maintain.

Set up a lab - 2-4 computers and a switch should do (you could virtualize
some/all of it) and work on all aspects of the TCP/IP stack if you're
interested in netsec.

If appsec is your thing, spend a lot of time looking at good and bad code,
plus reading on-line of good and bad appsec.

If GRC is up your alley - read NIST 800-53, HIPAA, PCI-DSS, SANS Top 20 and
GDPR - to understand the full breadth of controls and risk mitigation.

As far as data science goes, Python and pandas are all over the industry, R not
so much. There is a big push for ML/AI work, but it might be snake oil; time
will tell. I use a lot of Python and pandas for log and flow analysis.

Also - learn Linux CLI; grep, sed and awk can save your butt in most
situations. Gray beard stuff will come later.

Good luck!

<edit - word choice>

~~~
elorant
While on the subject and since you're an expert in the field, there's
something that's nagging me. How good are you guys at programming? My feeling
is that most people in the infosec are average at best and only the elites are
good at it.

~~~
susam
I am not sure why you are getting downvoted. You have a very valid question.

There are many different kinds of security roles such as risk, compliance and
security reviews (very little programming), penetration testing (programming
and scripting to various degrees depending on the work) and security software
development (full-time programming).

How good one is at programming would of course usually depend on the
individual. In the rest of the software industry, there are all kinds of roles
(some of which involve programming and some do not) and the ones that do
involve programming have programmers of all kinds and calibre. It is no
different in computer security.

I have over 12 years of experience in this field now in various positions
where my various colleagues and I have written large security products in C,
C++ and Java, as well as smaller security solutions in Python and Go. Most of
the time programming is just a means to an end, which is true for many other
fields as well. It is usually math, algorithms, crypto, protocols, etc. that
are more interesting and that we need to be well versed in, along with being
skilled at programming. Also, I would like to share two of my earlier posts
around this subject:

- [https://news.ycombinator.com/item?id=14873475](https://news.ycombinator.com/item?id=14873475)
  (about demand and job prospects in security software development)

- [https://news.ycombinator.com/item?id=12545851](https://news.ycombinator.com/item?id=12545851)
  (about math and software development in the computer security field)

~~~
watwut
I haven't downvoted, but "How good are you guys at programming? My feeling is
that most people in the infosec are average at best and only the elites are
good at it." sounds trollish to me. Designed to elicit an emotional response
from people as they will try to defend security people.

------
santiagobasulto
Let me tell you one thing: it's going to be tough. Cyber security is one of
the fields of IT that requires the deepest knowledge of how computers and
networks work. So, be aware of that. It's like when someone asks how to
build a game, and the first answer is: learn a lot about Math and Physics.
This is the same thing.

Recommended path:

1. CS basics (concepts). Conceptually understand how computers work, how
interpreters work, compilers, etc. You're probably past this point.

2. Low-level programming. Basically C, but pay attention to the OS APIs (POSIX,
Win32). Make sure you understand the fundamentals of memory management,
procedures, threading, etc. You need a lot of C knowledge.

3. Networking [0]. You basically need to know the whole TCP protocol by heart. I
have a friend who's incredibly successful working in security and he knows
each bit in each packet in a TCP connection. He can just recite it. Once you
know about networks, start throwing code at them. See if you can push the
wrong bits to a switch, or if you can access some other process's network
stack, etc.

4. Web standards. Basically, how the web works. Once you're past that: Apache
and Nginx. You have to know them in depth.

5. Known threats and vulnerabilities. In this process you'll know that there
are many exploited issues that have been resolved. But you should study from
them. For example, Heartbleed. Would you have the knowledge to find
Heartbleed? You should also practice with every other known security threat,
like XSS, SQL injection, etc.

[0] Depending on the security field, you might not need such advanced
networking knowledge; this is just a general recommendation.

This is just my recommendation, I'm more of a purist, and I have a lot of
respect for cybersecurity people.

Source: +10 years programming, I have a good friend making A LOT of money as a
private security contractor and we speak about this all the time.

~~~
godelmachine
May I ask how much your friend makes, on average?

~~~
Hextinium
I had a teacher whose brother worked in security; his bonus for the year was 6
figures IIRC. His salary was 300k but this was a while ago (5+ years).

------
altharaz
"Is there any link between data science and cyber security?"

Data Science might be useful if you want to work in Security Information
Management or in malware analysis: big companies try to identify "weird
behavior" in their networks, based on "normal behavior" records.

"Where can I learn cyber security stuff?"

Well, that depends on the stuff you are interested in...

You should focus at first on learning "system administration" and at least a
programming language like Python or Ruby. Network protocols would also be a
bonus.

Then, if you want to learn "offensive techniques" or "penetration testing", I
suggest that you try websites like RootMe
[https://www.root-me.org/?lang=en](https://www.root-me.org/?lang=en) or
Cryptopals (cryptopals.com).

Once you have solved some of these challenges by yourself, you'll be able
to try the "industrialized approach" of penetration testing. For this, this
book is quite cool:
[https://www.nostarch.com/pentesting](https://www.nostarch.com/pentesting).

If you're more interested in "defensive techniques", you have tons of
resources online.

For instance:

Secure Coding Best Practices:

- [https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide](https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide)

- [https://security.berkeley.edu/secure-coding-practice-guidelines](https://security.berkeley.edu/secure-coding-practice-guidelines)

=> These documents will help you to understand what the main risks in your
apps are.

For "general" cybersecurity:

- ISO27001 standard

- The NIST Cybersecurity Framework
[https://www.nist.gov/cybersecurity-framework](https://www.nist.gov/cybersecurity-framework)

- PCI/DSS

- [https://www.us-cert.gov/](https://www.us-cert.gov/)

=> These documents will help you to understand what the main risks in an
organization are, based on their assets.

------
indigochill
Security fundamentally is just "the art and science of how things work".
Breaches in security are caused by malicious actors finding vulnerabilities in
trusted systems, such as when Chinese webcams shipped with default credentials
which made it trivial for the Mirai botnet to take them over and acquire so
many devices that it could DDoS Dyn.

Towards that end, just about anything you learn can be applied in some way
towards security. The conventional recommendations others have made will get
your foot in the door, but ultimately security is a lifestyle of never-ending
learning and imaginative reasoning about systems.

So to directly answer your questions, yes, there are links between data
science and security (others have mentioned its use in things like malware
research, but going the other way it's also important to store your data
securely to prevent theft, destruction, or tampering) and you can learn
something about information security pretty much anywhere in-depth information
about computers is taught. Which information is relevant to your interests
will just depend on which aspect of security is of interest to you.

~~~
thephyber
> Breaches in security are caused by malicious actors finding vulnerabilities
> in trusted systems

Alex Stamos, the CISO of Facebook, likened the causes of security breaches to
a pyramid. The bottom of the pyramid, where the vast majority of security
breaches happen (perhaps 80%), are caused by basic fraud: shared passwords,
phishing, asking the user to do something like self-XSS. Of the remainder,
perhaps 80% of security breaches are done through the more common, more
mundane attacks like unpatched vulnerabilities or misconfigurations. It's only
a fraction of a fraction of a percent of attacks that are done using zero-day
vulns.

As much as what you said is relevant for security, I would argue that
engineers think that security is more of an engineering problem set than it
is.

------
emiliobumachar
I highly recommend the online Cybersecurity Specialization of the University
of Maryland on Coursera.

(disclaimer: I didn't pass the Capstone project, and never got around to
trying it again)

Back then it was free if you didn't need a certificate, may still be.

[https://www.coursera.org/specializations/cyber-security](https://www.coursera.org/specializations/cyber-security)

------
aknoob
The very first thing that you need to do is to pick a software stack, ideally
open source, and then learn how that software stack works bottom up. Learning
how a Linux application works might be a good starting point if you are
totally new.

There are multiple layers involved here and really understanding each one
would take time.

Next would come understanding browsers. A browser, although it is an app, is a
world in itself: how an HTTP request flows through a browser, how an HTTP
response is rendered, what the various layers involved are, the TCP/IP stack
down to the physical layer, wifi/USB. It is extremely vast and very interesting.

And once you have gained enough experience, you will be able to clearly see
the similarities and differences between various software stacks, both
bottom-up and top-down, right from the hardware level to your application's
code and vice versa. And then reasoning about the security of the stack at
various layers would become straightforward.

In terms of conferences, I find the Black Hat
([http://www.blackhat.com/](http://www.blackhat.com/)) conference is a
very good source for keeping oneself up to date with the world of security
(including applying data science to security).

------
stoneridge
[http://mooc.fi/courses/2017/cybersecurity](http://mooc.fi/courses/2017/cybersecurity)

"Cyber Security Base with F-Secure is a course series by University of
Helsinki in collaboration with F‑Secure Cyber Security Academy that focuses on
building core knowledge and abilities related to the work of a cyber security
professional. The course series is free and open for anyone to attend."

------
vog
If you want to get a really deep understanding, study computer science (e.g.
bachelor/master) [1], then specialize by taking all security courses that are
offered. Not only will you get a deep understanding of the topic, you will
build on solid fundamentals, as well as have people (professors, assistants,
trainers) who you can ask anything.

[1] Of course, you can only do this freely in a country that remotely cares
about the education of its citizens (e.g. most European countries, where you
can go to university for a few hundred Euros per year). Otherwise, the risk of
a huge debt is probably not worth it.

~~~
justaman
I went to a mid-level business school in the Midwest. Their IT program had a
few segments. One was security. The difference was basically just one course
on pen testing. I learned more about security in the CS courses they didn't
recommend I take.

You don't need college, what you need is a desire to learn every day.

~~~
vog
_> what you need is a desire to learn every day_

This is true, but in my opinion this advice misses the point.

Of course, if you are older and have finally developed this skill, you don't
need anything more. However, the questioner seems to be at the beginning of
this journey.

Recommending "just learn every day" is like telling fat people to exercise and
not to eat too much. Of course that's true, but it misses the point: how to get
there?

Having people around you who motivate you to learn, who know and acknowledge
what you are doing, and who are willing (and paid) to help you if you get
stuck - this is exactly what young and/or inexperienced people need, and a
very good starting point until they are finally able to get along with the
internet and nobody's assistance anymore.

------
kalimatas
[https://www.hacksplaining.com/](https://www.hacksplaining.com/)

~~~
Zhyl
This is one of my favourites.

* It is neatly packaged, wonderful UX and a little sweetening of humour that makes it palatable to the layman

* It gives code examples that provide a little bit more in-depth exploration for the enthusiastic or aspirational novice

* It has a nice structure such that single exploits can be shared. For example, after a client of ours was hacked via a SQL injection on their website, we were able to show them the SQL injection exercises to demystify the topic a little bit and to make it seem less intimidating

* It's a great go-to starter. When I go to schools for careers fairs, I always give this link out to kids who are interested in security work.

------
hackermailman
This is a good course

[https://www.cs.cmu.edu/~213/schedule.html](https://www.cs.cmu.edu/~213/schedule.html)

Buy the 3rd edition of the book (used) and then try the labs as you go through
the lecture vids/chapters
[http://csapp.cs.cmu.edu/3e/labs.html](http://csapp.cs.cmu.edu/3e/labs.html)
but avoid the 'global edition' as it's filled with errata, or just know there
are mistakes.

You will learn assembly/C and also Return Oriented Programming, stack
protections and how they work, buffer overflow attacks, implicit casting
grenades, cache optimization, how the linker works, etc. Then you sign up for
that old Matasano CTF
[https://microcorruption.com/login](https://microcorruption.com/login)

When you complete it, apply to NCC Group, who I believe now own
microcorruption. Start at the bottom, work your way into a policy/advisory
role somewhere else after gaining experience and applying for certs
([https://ciso.eccouncil.org/](https://ciso.eccouncil.org/)). Having data science
experience is likely helpful since you can produce shiny presentations that
board rooms like to see when you become their CISO.

------
trapspring
If you are a veteran or a federal employee, the Dept. of Homeland Security
offers free online courses in network security. The program is very networking
specific and you'd have to pay for any certification testing yourself, but the
courses will help take you a good chunk of the way in terms of prep and
learning. [https://fedvte.usalearning.gov/](https://fedvte.usalearning.gov/)

------
cschmidt
Since no one has mentioned it yet, Capture the Flag contests (CTFs) can be a
good way to get into security. They are online contests featuring a series of
security related puzzles.

They are hosted by lots of different groups at different levels. There are
CTFs at levels ranging from high school up to the DEFCON CTF. This is a directory:
[https://ctftime.org/](https://ctftime.org/)

------
urahara
I'm using Cybrary, it is a free and open source for learning cyber security:
[https://www.cybrary.it/](https://www.cybrary.it/)

------
twoquestions
One question I have along with the very good question from the OP, do larger
companies and governments actually _care_ about security, or are they more
interested in doing the proper dance and checking the right boxes to not be
held responsible when they're hacked?

It seems irrational to want to learn how to secure systems when their owners
don't care about it (and won't pay to secure them) if the risk can be
transferred to other parties. I'm sure there's a few organizations that care
if their data are stolen, but by and large it's a cost center, and treated
accordingly in my experience.

~~~
wepple
It’s a spectrum. There are companies that absolutely care with every fiber of
their being, and those that couldn’t care less.

Now that “cyber” is a thing that can lead to a CEO losing their head, most
companies are roughly in the middle somewhere. Sure, there will be a fall-guy
and finger pointing, but it’s better to at least not be completely negligent.

“If the risk can be transferred to other parties” - that’s potentially a
business avenue OP wants to pursue. AcmeCorp can buy OP’s shiny
datascienceDefender(tm) network monitor.

A lot of tech-first companies (and don’t forget, some legacy companies are
desperately trying to become these) care a massive amount about security, so
there is definitely volume of work with people who genuinely want to improve
the state.

------
brudgers
Probably the most serious route to serious cyber-security training is via a
military rating. At the state level the stakes and threats are highest.

------
lrvick
Get involved in an active community full of security professionals and learn
hands-on helping to secure open source projects.

There is no replacement for mentorship and getting your hands dirty with real
world systems.

I will now shamelessly plug the community I learned the most from:
[https://hashbang.sh](https://hashbang.sh)

------
ajr0
Yes.

Data science can be applied in many different ways. (Somewhat) recently
LightCyber was acquired by PANW [0], and I believe that if you are in data
science that may be something that tickles your itch.

If I may give advice, asking a more specific question to a search engine may
also get you on a path with additional information. 'Cyber security' is a
pretty large umbrella and much of it may bore you while only a small handful
is interesting... so try to be more specific rather than say 'stuff'.

[0] [https://www.paloaltonetworks.com/products/secure-the-network/lightcyber-behavioral-analytics.html](https://www.paloaltonetworks.com/products/secure-the-network/lightcyber-behavioral-analytics.html)

------
perlgeek
What do you want to learn? Network security? Application security? Secrets
management? Security operations?

I'm sure there are fields where data science is useful, like anomaly
detection, malware classification etc.

------
sectossaccount
Just created this account so that I could comment, and stay (reasonably)
anonymous. I'm the CTO of a reasonably well known security company, for what
it's worth - and I've been doing this for a little over two decades in a few
countries.

The first misnomer is that there's one security thing. There are several.
The offensive security folks (penetration testers) are far different from the
advisory folks (think PCI, HIPAA). Vulnerability scanning, SOC (Security
Operations Centers), secure development, and more - it's a wide field. The
first thing to ask yourself is "what does security mean to me, and what do I
want to do with it?".

Given the first part of your question, I'll assume you're interested in
software-based security (development) as opposed to infrastructure (network
security, physical security, systems security), or the offensive side.

On the other hand, if you just want to 'get into security' - then learn a
little bit about networking, and go find a job as a 'Network Operations
Engineer' or 'Security Operations Specialist'. These are fairly low-level jobs
in the security industry that can serve as entry points, and help you learn
about the other parts of the industry in depth, whilst getting paid.

Echoing what @santiagobasulto and others have mentioned:

1. CS - Understand how software works, not just how to code, but how things
happen on machines. What are CPU registers? Write some assembly - nearly every
single week my staff uses assembly to test an exploit. It's one hell of a lot
easier to make a good developer a decent security professional than the other
way around - just trust me on this.

2. Take philosophy and propositional logic courses - Good security folks are
terrific critical thinkers. They learn to understand what risk means, and how
to contextualize it for an organization. In other words, the approach to risk
and tolerance is completely different for Home Depot than it is for Evernote.

3. Learn software testing (not quality assurance). Combining this with
critical thinking means you can start to pick apart software, even networks,
from varying vantage points. If you combine this with your CS knowledge, it
can really help you understand how to attack an application, or an
organization.

4. Build a lab out of cheap, garbage hardware. For about $300-500 you can get 4
servers on Kijiji that can be used to run OpenStack and VMware. Get a physical
switch, ideally something with a TAP port (but you can replace it with VMware
easily enough). Create VMs, play with things like Security Onion, create and
destroy networks - use traffic generators... have a great time.

5. Read about standards - it helps to understand what NIST is for, what CVEs
are, CWEs, OVAL. Explore a few vulnerabilities (CVEs), and understand what
they are, why they matter, how they apply. Then grab a copy of Nexpose
Community Edition, and scan your lab - play around.

6. Rebuild your lab, iterating on what you've learned above.

~~~
amorphous
Thanks for your reply. I asked above already: could you explain what to study
or what certs to get to follow the path of "advisory folks (think PCI, HIPAA)"?

~~~
thephyber
Not the gp, but I also work in security (not in management).

"What are the best information security certifications?" @ Quora[1]. The
problem is that it's a massive list. Even if you pick a short list / subset of
this list, it's far too much work to get started.

Honestly, I would join/start a club at your school or in your neighborhood.
Find people with similar interests. Work together on a single certification.
Start small and target a single subset of "cybersecurity".

Honestly, I would start by trimming down the list by filtering out what you
aren't close to achieving yet. If a cert requires access to Cisco hardware or
assembly language programming skills, there is no point in working on one of
those certs first.

[1] [https://www.quora.com/What-are-the-best-information-security-certifications](https://www.quora.com/What-are-the-best-information-security-certifications)

------
wepple
OP: you’ll find you got a lot of very vague, broad answers. I think
it might help if you try to find a subset of security that you’re interested
in or would like to tackle.

It’s very hard these days to be a complete and effective generalist in
security, let alone be good at a range of security stuff while also being
great at data science.

I’d consider focusing on appsec for a year, get a job attacking or defending
apps for a year, and then you’ll have a basic understanding of the problem
space.

------
lvh
That’s a short question with a complicated answer. I’m traveling right now,
but you should shoot me an email and I’ll help you get started. Address in HN
profile.

------
video-host
Check out
[https://pentesterlab.com/bootcamp/](https://pentesterlab.com/bootcamp/)

------
redsec
In addition to the great resources people are sharing, Security+ and CSA+ from
CompTIA can be great certifications (vendor neutral and inexpensive).

------
grajaganDev
If you are interested in web pentesting, learn to hack Webgoat and DVWA. From
there go after live sites via a bug bounty platform (I like Bugcrowd.)

It is hard to overstate the value of the chance to test (and demonstrate) your
skills against a live production site.

------
Fundlab
[https://www.edx.org/micromasters/ritx-cybersecurity](https://www.edx.org/micromasters/ritx-cybersecurity)

------
godelmachine
Would anyone please revert with the name of a book that may help here?

------
_spoonman
Is the OSCP certification worth it?

~~~
wepple
It depends. If you’re expecting it to land you a job, no. If you’re trying to
add to your arsenal of skills, maybe (arguably you could self-teach a lot of
it and save your money). If you’re trying to get past HR in some big company
that uses it as a metric, yeah sure. It also depends on what you want to do - I
gather it’s useful for netpens but useless if you want to do appsec, which is
a huge chunk of pentest work. What are your end goals?

~~~
_spoonman
No goals per se... just kind of interested in the field and would be doing it
for personal interest. I've found tons of sites that offer lab environments
and downloadable VMs that allow you to practice exploits, so maybe that would
be a cheaper way to go in the beginning.

~~~
wepple
Yeah totally do that then. And get a copy of burp and hack some web stuff.
Have a crack at bug bounties to test your chops.

------
vectorEQ
low level programming / radio. try not to cry ;)

------
CodesInChaos
Start by forgetting the word _cyber_.

~~~
throwawayReply
This is bad advice.

There's a reason that cyber is used, because you need something to
disambiguate it from all the other kinds of security.

Imagine you're a policy person at the pentagon (or equivalent), if someone
talks about security then that doesn't narrow it down to all the other kinds
of security going on there.

You could use "info sec" but there are agencies who deal with a lot of
_information_ which doesn't necessarily mean this space either. They've been
dealing with information security since their inception most of which I
suspect is focused around people and not machines.

Cyber security makes it clear to those people what you're talking about.

To someone who works in SV and spends all day with developers the context is
the other way around, and in that context cyber sounds asinine, and if you talk
about security someone immediately knows it's security in your space.

That's my guess at why you tend to see 'info-sec' in the private space and
'cyber security' in the public space.

------
digitalzombie
> Is there any link between data science and cyber security?

There's... a company around the LA area that does cyber and data science. I would
think they apply data science to logs and such to figure out abnormalities.
Likewise if you count email spam detection as a cyber security thing.

For cyber security, take Network+ or just grab a Network+ book. I believe
that's where you should start first in cyber security.
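Several answers in this thread (altharaz, perlgeek, digitalzombie) point at the same data-science-meets-security task: learn a host's "normal behaviour" from its logs, then flag the windows where it deviates. The following is an added example written for this page; it is not code from any commenter, from LightCyber, or from any product mentioned above. It assumes a constructed, hypothetical flow-log format (`window src_ip dst_ip dst_port bytes`), uses only the Python standard library, and builds a per-host median/MAD baseline scored with a modified z-score. Every host address, byte count and threshold in it is made up for illustration.

```python
"""Baseline-and-deviation detection over flow logs (added example, stdlib only).

Constructed, hypothetical log line format (not any real product's format):
    <window> <src_ip> <dst_ip> <dst_port> <bytes>
where <window> is an integer time bucket (e.g. an hour index).
"""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<window>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<port>\d+)\s+(?P<bytes>\d+)$"
)


def constructed_sample():
    """Fully synthetic log: host 10.0.0.5 is quiet for six windows, but in
    window 6 it additionally touches thirty peers on port 22 with zero-byte
    flows (connection attempts, no payload), and an unknown host appears."""
    lines = []
    for w in range(1, 7):  # the same three services every window
        lines.append(f"{w} 10.0.0.5 10.1.0.1 443 {400 + 10 * w}")
        lines.append(f"{w} 10.0.0.5 10.1.0.2 443 {350 + 5 * w}")
        lines.append(f"{w} 10.0.0.5 10.1.0.3 53 120")
    for i in range(1, 31):
        lines.append(f"6 10.0.0.5 10.1.0.{i} 22 0")
    lines.append("6 10.0.0.9 10.1.0.1 443 500")
    lines.append("this line is malformed and must be skipped")
    return "\n".join(lines)


def parse_flows(text):
    """Yield one dict per well-formed line; blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if m is None:
            continue  # a production parser would count these for a health metric
        yield {"window": int(m["window"]), "src": m["src"], "dst": m["dst"],
               "port": int(m["port"]), "bytes": int(m["bytes"])}


def features_per_window(flows):
    """Per (src, window): distinct (dst, port) targets and total bytes out.
    Counting targets makes a sweep visible even when each flow is tiny."""
    targets = defaultdict(set)
    total_bytes = defaultdict(int)
    for f in flows:
        key = (f["src"], f["window"])
        targets[key].add((f["dst"], f["port"]))
        total_bytes[key] += f["bytes"]
    return {k: {"distinct_targets": len(targets[k]), "bytes": total_bytes[k]}
            for k in targets}


def build_baseline(feats, baseline_windows):
    """Per source and feature: (median, MAD) over the windows deemed normal.
    Median/MAD resist a single noisy baseline window; the MAD is floored at
    1.0 so a perfectly constant history still gives a usable scale."""
    history = defaultdict(lambda: defaultdict(list))
    for (src, win), fv in feats.items():
        if win in baseline_windows:
            for name, value in fv.items():
                history[src][name].append(value)
    baseline = {}
    for src, cols in history.items():
        baseline[src] = {}
        for name, values in cols.items():
            med = statistics.median(values)
            mad = statistics.median([abs(v - med) for v in values])
            baseline[src][name] = (med, max(mad, 1.0))
    return baseline


def robust_z(value, med, mad):
    """Modified z-score (0.6745 is the usual MAD-to-sigma constant)."""
    return 0.6745 * (value - med) / mad


def find_anomalies(feats, baseline, score_windows, threshold=3.5):
    """Return (src, window, reason, score) tuples. Only upward deviations are
    flagged (more targets / more bytes than usual); a source with no baseline
    is reported explicitly instead of being silently skipped."""
    alerts = []
    for (src, win), fv in sorted(feats.items()):
        if win not in score_windows:
            continue
        if src not in baseline:
            alerts.append((src, win, "no_baseline", None))
            continue
        for name, value in fv.items():
            med, mad = baseline[src][name]
            score = robust_z(value, med, mad)
            if score > threshold:
                alerts.append((src, win, name, score))
    return alerts


if __name__ == "__main__":
    feats = features_per_window(parse_flows(constructed_sample()))
    base = build_baseline(feats, baseline_windows={1, 2, 3, 4, 5})
    for src, win, reason, score in find_anomalies(feats, base, score_windows={6}):
        print(f"window {win} src {src}: {reason}", "" if score is None else f"({score:.1f})")
```

Run it and window 6 produces two alerts: `10.0.0.5` on `distinct_targets` (33 targets against a baseline of 3) and `10.0.0.9` as `no_baseline`. The same host's `bytes` feature stays quiet (960 against a median of 915, score about 2.0), which is the point of the exercise: the feature you choose to baseline decides what the detector can see, and a SOC would tune the window size, features and threshold against its own traffic rather than the numbers used here.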

