
Ask HN: Resources to Start as a Cyber Security Professional - dirtylowprofile
I would like to explore and start my career as a Cyber Security Professional but as I dig online the resources are kinda old.

What books do you recommend for beginners?
What are the topics to be focused on? Malware? Pen Testing? Basic TCP/IP?
======
sansnomme
Depends on what you want to do. If you are good with people, I suggest
Information Assurance. It's basically consulting combined with cyber security.
Most SMEs only require advice on basic network security, password management,
how to avoid phishing attacks, social engineering attacks and ransomware, how
to handle crises after being hacked etc. Checklists will get you a long way.
Leave the reverse engineering of malware etc. to people with more interest and
time. It is a more narrow field, takes a lot of additional effort and requires
a fair bit of talent. If you are just going into cybersecurity for money,
stick with IA. I know this is not a popular opinion on HN, but your average
SME won't be able to do information security properly (remember, your average
consumer believes in using an anti-virus to clean out an infected machine, when
the correct thing to do is a complete wipe and reinstallation). Easier to get
them to offload most of their productivity tools to SaaSes and buy plenty of
insurance than try to force FANG-level access control protocols on them.

~~~
SE_Student
> Leave the reverse engineering of malware etc. to people with more interest
> and time.

...

> (remember, your average consumer believes in using an anti-virus to clean
> out an infected machine, when the correct thing to do is a complete wipe and
> reinstallation). Easier to get them to offload most of their productivity tools
> to SaaSes and buy plenty of insurance than try to force FANG-level access
> control protocols on them.

This is very bad advice.

~~~
sansnomme
Not really, do you honestly want people to be hosting their own email servers?
Stuff like networked filesystems and NAS over VPN requires a tremendous amount
of work to properly secure. Better give the money to a *aas company than to
waste it on incompetent IT departments. Especially since a lot of companies
consider IT to be a cost center instead of a source of value. Idealism is nice
and all but most companies won't care enough and data protection laws don't
magically make the problem go away. More pragmatic to simply outsource
security to more qualified technical companies instead of trying to do it
yourself. Also, low-level OS/assembly-level domain knowledge isn't as useful
for non-technical SMEs. There's not much a company can do when you tell them
their 30-year-old in-house CAD software written in Fortran 77 parses files in
an insecure way after fuzzing it. Their original programmer is long gone. They
are not going to rewrite it anytime soon. Sticking it in a VM may be their
best option. You are not there to engineer a malware to break their systems.
You are there to tell them what's wrong and how to fix it in the cheapest way
possible. Threats from phishing, ransomware, and poorly implemented BYOD
policies are a lot more dangerous to most companies.

------
runjake
Offensive Security is a great option. For pen testing specifically:
[https://www.offensive-security.com/information-security-trai...](https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/)

You should know stuff like basic TCP/IP _before_ you hop into any technical
side of security.

------
souprock
The really serious way:

Go to Carnegie Mellon. While getting a BS in CS, be active in a student group
called Plaid Parliament of Pwning. Finally, send me some sort of resume.

~~~
SE_Student
Putting aside CMU (a lot of people wouldn't be able to get into it), what
would you recommend for someone getting a Software Engineering degree to get
into low-level security?

~~~
souprock
Pick a school that uses a low-level language. C is great. Java, Python,
JavaScript, and Scheme are all bad.

Take the courses that involve writing compilers and operating systems.

Do a project that involves writing an emulator, perhaps for one of the things
DD-WRT runs on. You could start from MAME or Qemu, or do the whole thing from
nothing.

Write a boot sector for the demo scene. For example, recently somebody wrote a
PAC-MAN clone to run in 512 bytes.

Solve a DEFCON CTF problem. They are difficult puzzles, so try several. Learn
to use Ghidra (free) or a similar tool. Freeware and demo versions are
available for IDA Pro, Hopper Disassembler, and Binary Ninja.

~~~
SE_Student
Thank you very much for taking the time to reply to my question.

I'd love to hear about more low-level security projects I can do, as I feel
that would help me learn the most.

------
professorTuring
Tons of resources here: [https://github.com/trimstray/the-book-of-secret-knowledge](https://github.com/trimstray/the-book-of-secret-knowledge)

Best courses from SANS here: [https://www.sans.org/](https://www.sans.org/)

Old doesn't mean outdated, old is usually foundation. Do you want to learn or
next-next-hack?

------
colechristensen
I would suggest YouTube videos of security conference talks

~~~
rootsudo
Good luck with that. :D

------
sbahra
overthewire.org

