Hacker News new | comments | show | ask | jobs | submit login
Ask HN: How can I learn computer security?
181 points by boniface316 11 months ago | hide | past | web | favorite | 55 comments
I am taking some data science courses. Is there any link between data science and cyber security? and where can I learn cyber security stuff?



Cyber pro here - 5 years doing IV&V testing, 15 years as Fed, State and Local contractor, now a firewall admin at a major U.S. uni. I got an NSA accredited (https://www.nsa.gov/resources/educators/centers-academic-exc...) Master's in IT with a specialization in security. While the degree got my foot in the door (I have a BA in Arts - but have been messing around with computers since the early 80's - plus a lot of self taught stuff) - I've found that a ton of side reading (anything related to the subject - I spent a lot of time on the RFCs - that stuff I use every day)), looking at PCAPs to understand the protocols and reading case studies are the best way to hone the craft.

For a while I was doing Governance, Risk and Compliance (GRC) work, but have always loved being a network security engineer, so I went back to that.

Also - I have a CISSP, which opens a lot of doors. I know that it is being knocked a bit nowadays, and there are certainly a some who are test knowledgeable but no hands-on, common sense experience. I still find it valuable enough to maintain.

Set up a lab - 2-4 computers and a switch should do (you could virtualize some/all of it) and work on all aspects of the TCP/IP stack if you're interested in netsec.

If appsec is your thing, spend a lot of time looking at good and bad code, plus reading on-line of good and bad appsec.

IF GRC is up your alley - read NIST 800-53, HIPPA, PCI-DSS, SANS Top 20 and GDPR - to understand the full breadth of controls and risk mitigation.

As far as data science python and pandas are all over the industry, R not so much. There is a big push for ML/AI work, but it might be snake-oil, time will tell. I use a lot of python and pandas for log and flow analysis.

Also - learn Linux CLI; grep, sed and awk can save your butt in most situations. Gray beard stuff will come later.

Good luck!

<edit - word choice>


> Set up a lab - 2-4 computers and a switch should do (you could virtualize some/all of it) and work on all aspects of the TCP/IP stack if you're interested in netsec.

I would like to add onto this, if you cannot virtualize this and you do not have extra computers try using raspberry pi's. You can fully customize them to act as computers (with all different operating systems), servers, super computers, routers, etc.

Its an inexpensive and practical option compared to buying expensive equipment.


While on the subject and since you're an expert in the field, there's something that's nagging me. How good are you guys at programming? My feeling is that most people in the infosec are average at best and only the elites are good at it.


I am not sure why you are getting downvoted. You have a very valid question.

There are many different kinds of security roles such as risk, compliance and security reviews (very little programming), penetration testing (programming and scripting to various degrees depending on the work) and security software development (full-time programming).

How good one is at programming would of course usually depend on the individual. In the rest of the software industry, there are all kinds of roles (some of which involve programming and some do not) and the ones that do involve programming have programmers of all kinds and calibre. It is no different in computer security.

I have over 12 years of experience in this field now in various positions where my various colleagues and I have written large security products in C, C++ and Java, as well as smaller security solutions in Python and Go. Most of the times programming is just a means to an end which is true for many other fields as well. It is usually math, algorithms, crypto, protocols, etc. that are more interesting and that we need to be well versed with along with being skilled at programming. Also, I would like to share two of my earlier posts around this subject:

- https://news.ycombinator.com/item?id=14873475 (about demand and job prospects in security software development)

- https://news.ycombinator.com/item?id=12545851 (about math and software development in the computer security field)


I haven't downvoted, but "How good are you guys at programming? My feeling is that most people in the infosec are average at best and only the elites are good at it." sounds trollish to me. Designed to elicit emotional response from people as they will try to defend security people.


I’m a mid level security architect (governance, risk, compliance) and I’m a below average developer, coming from DevOps/infrastructure before. In my security roles, no development or software engineering skills are required.

I might work on improving eventually, it's just not a priority. Any upward trajectory now is going to be from experience and soft skills.


pretty bad - hack it together with docs and stack exchange really. I did manage to deploy an app with a django, nginx, gunicorn stack which doesn't crash, so there's that. But as far as good coding skills, I don't really have any - but I'm learning as I go. I also have full management support for this, which is nice, but very rare. I more so play around with pandas and matplotlib to get what I need - pretty much just a step above shell scripting.


I think it's pretty risky to try to categorize all infosec people into one ranking.. But I will say most folks I bump into are not writing code for maintainability, or necessarily efficiency. Most of us stick with GEMO (good enough move on). thst being said, there are always outliers


Question for cyber pros:

If you are storing sensitive info such as username/password to a TRADING PLATFORM (because the bank -- in this case OZforex -- doesn't have an API that lets you access it without them) what regulations do you need to meet in the USA and Europe? How does one even begin to find this out?

This is for a client of mine. I realize in Europe you'll of course need the GDPR. But besides that, I tried for example to find out whether they need PCI-DSS level 4 but was told by an auditing firm that since they aren't storing CREDIT CARD info then PCI doesn't apply. I am not convinced. But there has to be SOME regulation to protect this data, no?

I would aprpeciate any info, or if there is a way to speak offline (email you?) let me know.


I'm interested in GRC - could you explain what else to study or what certs to get to go that route? Thanks


I don't have any other recommendations for studying, but as someone who made the transition from IT to GRC, I can offer some advice about getting practical experience.

A Big Four firm is a good place to get started in a GRC career. You'll get pretty broad exposure to the field, and you'll have the opportunity to develop expertise in specific GRC domains.

If you're already working in a regulated industry (especially for a publicly traded company), you may be able to move into a GRC position at your present company. Compliance, internal audit, third party risk management, business continuity/resiliency and disaster recovery are common areas that fall under the broad GRC umbrella.

I worked in various IT roles at a financial services company, and I was able to move into a risk analyst role, then I went to a Big Four firm, and I'm now back in industry.

As far as certs go, CRISC, CISA and CISSP are the most common I've seen among GRC folks, although most of the people I've worked with didn't have any of them.


Let me tell you one thing, it's going to be tough. Cyber security is one of the fields of IT that requires the most deep knowledge of how computers and networks work. So, be aware of that. It's like, when someone is asking how to build a game, and the first answer is: learn a lot about Math and Physics. This is the same thing.

Recommended path:

1. CS Basics (concepts) Conceptually understand how computers work, how interpreters work, compilers etc. You're probably past this point.

2.Low level programming Basically C, but pay attention to the OS APIs (posix, win32). Make sure you understand the fundamentals of memory management, procedures, threading, etc. You need a lot of C knowledge.

3. Networking [0] You basically need to know by heart all the TCP protocol. I have a friend who's incredibly successful working in security and he knows each bit in each packet in a TCP connection. He can just recite it. Once you know about networks, start throwing code at them. See if you can push the wrong bits to a switch, or if you can access some other processes network stack, etc.

4. Web standards Basically, how the web works. Once you're past that: Apache and Nginx. You have to know them in depth.

5. Known threats and vunerabilities In this process you'll know that there are many exploited issues that have been resolved. But you should study from them. For example, Heartbleed. Would you have the knowledge to find Heartbleed? You should also practice with every other security threat known like XSS, SQL Injection, etc.

[0] depending the security field, you might not need so advanced networking knowledge, this is just a general recommendation.

This is just my recommendation, I'm more of a purist, and I have a lot of respect for cybersecurity people.

Source: +10 years programming, I have a good friend making A LOT of money as a private security contractor and we speak about this all the time.


> Let me tell you one thing, it's going to be tough. Cyber security is one of the fields of IT that requires the most deep knowledge of how computers and networks work. So, be aware of that. It's like, when someone is asking how to build a game, and the first answer is: learn a lot about Math and Physics. This is the same thing.

> Recommended path:

> 1. CS Basics (concepts) Conceptually understand how computers work, how interpreters work, compilers etc. You're probably past this point.

> 2.Low level programming Basically C, but pay attention to the OS APIs (posix, win32). Make sure you understand the fundamentals of memory management, procedures, threading, etc. You need a lot of C knowledge.

> 3. Networking [0] You basically need to know by heart all the TCP protocol. I have a friend who's incredibly successful working in security and he knows each bit in each packet in a TCP connection. He can just recite it. Once you know about networks, start throwing code at them. See if you can push the wrong bits to a switch, or if you can access some other processes network stack, etc.

> 4. Web standards Basically, how the web works. Once you're past that: Apache and Nginx. You have to know them in depth.

> 5. Known threats and vunerabilities In this process you'll know that there are many exploited issues that have been resolved. But you should study from them. For example, Heartbleed. Would you have the knowledge to find Heartbleed? You should also practice with every other security threat known like XSS, SQL Injection, etc.

> [0] depending the security field, you might not need so advanced networking knowledge, this is just a general recommendation.

> This is just my recommendation, I'm more of a purist, and I have a lot of respect for cybersecurity people.

> Source: +10 years programming, I have a good friend making A LOT of money as a private security contractor and we speak about this all the time.

Great answer. Look at an offensive security certified professional course for a basic affordable course that covers all of the above.


May I ask how much you friend makes, on an average?


I had a teacher who's brother worked in security, his bonus for the year was 6 figures IIRC. His salary was 300k but this was a while ago (5+ years).


"Is there any link between data science and cyber security?"

Data Science might be useful if you want to work in Security Information Management or in malware analysis: big companies try to identify "weird behavior" in their networks, based on "normal behavior" records.

"Where can I learn cyber security stuff?"

Well, that depends on the stuff you are interested in...

You should focus at first on learning "system administration" and at least a programming language like Python or Ruby. Network protocols would also be a bonus.

Then, if you want to learn "offensive techniques" or "penetration testing", I suggest that you try websites like RootMe https://www.root-me.org/?lang=en or Cryptopals cryptopals.com.

Once you'll have resolved by yourself some of these challenges, you'll be able to try the "industrialized approach" of penetration testing. For this, this book is quite cool: https://www.nostarch.com/pentesting.

If you're more interested in "defensive techniques", you have tons of resources online.

For instance:

Secure Coding Best Practices: - https://www.owasp.org/index.php/OWASP_Secure_Coding_Practice... - https://security.berkeley.edu/secure-coding-practice-guideli...

=> These documents will help you to understand what are the main risks in your apps

For "general" cybersecurity: - ISO27001 standard - The NIST Cybersecurity Framework https://www.nist.gov/cybersecurity-framework - PCI/DSS - https://www.us-cert.gov/

=> These documents will help you to understand what are the main risks in an organization based on their assets.


Security fundamentally is just "the art and science of how things work". Breaches in security are caused by malicious actors finding vulnerabilities in trusted systems, such as when Chinese webcams shipped with default credentials which made it trivial for the Mirai botnet to take them over and acquire so many devices that it could DDoS Dyn.

Towards that end, just about anything you learn can be applied in some way towards security. The conventional recommendations others have made will get your foot in the door, but ultimately security is a lifestyle of never-ending learning and imaginative reasoning about systems.

So to directly answer your questions, yes, there are links between data science and security (others have mentioned its use in things like malware research, but going the other way it's also important to store your data securely to prevent theft, destruction, or tampering) and you can learn something about information security pretty much anywhere in-depth information about computers is taught. Which information is relevant to your interests will just depend on which aspect of security is of interest to you.


> Breaches in security are caused by malicious actors finding vulnerabilities in trusted systems

Alex Stamos, the CISO of Facebook, likened the causes of security breaches to a pyramid. The bottom of the pyramid, where the vast majority of security breaches happen (perhaps 80%), are caused by basic fraud: shared passwords, phishing, asking the user to do something like self-XSS. Of the remainder, perhaps 80% of security breaches are done through the more common, more mundane attacks like unpatched vulnerabilities or misconfigurations. It's only a fraction of a fraction of a percent of attacks that are done using zero-day vulns.

As much as what you said is relevant for security, I would argue that engineers think that security is more of an engineering problem set than it is.


I highly recommend the online Cybersecurity Specialization of the University of Maryland on Coursera.

(disclaimer: I didn't pass the Capstone project, and never got around to trying it again)

Back then it was free if you didn't need a certificate, may still be.

https://www.coursera.org/specializations/cyber-security


The very first thing that you need to do is to pick a software stack, ideally opensource and then learn how that software-stack works bottom up. Learning how a linux application works might be a good starting point if you are totally new.

There are multiple layers involved here and really understanding each one would take time.

Next would come understanding browsers, browser although it is an app, it is a world in itself. How an http request flows through a browser, how an http response is rendered, what are various layers involved. TCP/IP stack to physical layer, wifi/usb. It is extremely vast and very interesting.

And once you have gained enough experience , you will be able to clearly see the similarities and differences between various software stacks, both bottom-up and top-down, right from hardware level to your application's code and vice versa. And then reasoning about security of the stack at various layers would become straightforward.

In terms of conferences, I find Blackhat(http://www.blackhat.com/) Conference is a very good source of keeping oneself up to date with world of security( including applying Data Science to Security)


http://mooc.fi/courses/2017/cybersecurity

"Cyber Security Base with F-Secure is a course series by University of Helsinki in collaboration with F‑Secure Cyber Security Academy that focuses on building core knowledge and abilities related to the work of a cyber security professional. The course series is free and open for anyone to attend."


If you want to get a really deep understanding, study computer science (e.g. bachelor/master) [1], then specialize by taking all security courses that are offered. Not only will you get a deep understanding of the topic, you will build on solid fundamentals, as well as have people (professors, assistants, trainers) who you can ask anything.

[1] Of course, you can this only freely in a country that remotely cares about the education of its citizens (e.g. most European countries, where you can go to university for a hew hundred Euros per year). Otherwise, the risk of a huge debt is probably not worth it.


I went to a mid level business school in the Midwest. Their IT program had a few segments. One was security. The difference was basically just one course on pen testing. I learned more about security in the CS courses they didnt recommend I take.

You don't need college, what you need is a desire to learn everyday.


> what you need is a desire to learn everyday

This is true, but in my opinion this advice misses the point.

Of course, if you are older and finally developed this skill, you don't need anything more. However, the questioner seems to be on the beginning of this journey.

Recommending "just learn everyday" is like telling fat people to exercise and not to eat too much. Of course that's true, but misses the point: How to get there?

Having people around you who motivate you to learn, who know and acknowledge what you are doing, and who are willing (and paid for) to help you if you get stuck - this is exactly what young and/or inexperienced people need, and a very good starting point until they are finally able to get along with the internet and nobody's assistance anymore.



This is on of my favourites.

* It is neatly packaged, wonderful UX and a little sweetening of humour that makes it palatable to the layman

* It gives code examples that provide a little bit more in-depth exploration for the enthusiastic or aspirational novice

* It has a nice structure such that single exploits can be shared. For example, after a client of ours was hacked via a SQL injection on their website, we were able to show them the SQL injection exercises to demystify the topic a little bit and to make it seem less intimidating

* It's a great go-to starter. When I go to schools for careers fairs, I always give this link out to kids who are interested in security work.


This is a good course

https://www.cs.cmu.edu/~213/schedule.html

Buy the 3rd version book (used) and then try the labs as you go through the lecture vids/chapters http://csapp.cs.cmu.edu/3e/labs.html but avoid the 'global edition' as it's filled with errata, or just know there is mistakes.

You will learn assembly/C and also Return Oriented Programming, stack protections and how they work, buffer overflow attacks, implicit casting grenades, cache optimization, how the linker works, ect. Then you sign up for that old Matasano CTF https://microcorruption.com/login

When you complete it apply to NCC Group who I believe now owns microcorruption. Start at the bottom, work your way into a policy/advisory role somewhere else after gaining experience and applying for certs https://ciso.eccouncil.org/ Having data science experience is likely helpful since you can produce shiny presentations that board rooms like to see when you become their CISO


If you are a veteran or a federal employee, the Dept. of homeland security offers free online courses in network security. The program is very networking specific and you'd have to pay for any certification testing yourself, but the courses will help take you a good chunk of the way in terms of prep and learning. https://fedvte.usalearning.gov/


Since no one has mentioned it yet, Capture the Flag contests (CTF's) can be a good way to get into security. They are online contests featuring a series of security related puzzles.

They are hosted by lots of different groups at different levels. There are CTF's aimed from high school through the DEFCON CTF. This is a directory: https://ctftime.org/


I'm using Cybrary, it is a free and open source for learning cyber security: https://www.cybrary.it/


One question I have along with the very good question from the OP, do larger companies and governments actually care about security, or are they more interested in doing the proper dance and checking the right boxes to not be held responsible when they're hacked?

It seems irrational to want to learn how to secure systems when their owners don't care about it (and won't pay to secure them) if the risk can be transferred to other parties. I'm sure there's a few organizations that care if their data are stolen, but by and large it's a cost center, and treated accordingly in my experience.


It’s a spectrum. There are companies that absolutely care with every fiber of their being, and those that couldn’t care less.

Now that “cyber” is a thing that can lead to a CEO losing their head, most companies are roughly in the middle somewhere. Sure, there will be a fall-guy and finger pointing, but it’s better to at least not be completely negligent.

“If the risk can be transferred to other parties” - that’s pontentially a business avenue OP wants to pursue. AcmeCorp can buy OPs shiny datascienceDefender(tm) network monitor.

A lot of tech-first companies (and don’t forget, some legacy companies are desperately trying to become these) care a massive amount about security, so there is definitely volume of work with people who genuinely want to improve the state.


If the incentive systems are designed correctly, maybe the dancing and box-checking can result in a near-optimal state. I think most of us here share the notion that hardening systems up-front is the most cost-effective way in the long run, but that companies tend not to do so due to a myopic view of security as a short-term expense rather than a long-term investment.

I read a post with an interesting idea recently: entities are currently treating customer data a an asset, whereas they should be treating it as a liability. If the regulatory incentives are set up such that customer data is a liability, companies will find it most efficient to buy insurance. And no successful insurance company will offer coverage without performing their due diligence. If the hardening itself is not the cost center, but rather the insurance premiums, then then end result may be companies doing infosec the right way, just because it's the most cost-effective thing to do.


Probably the most serious route to serious cyber-security training is via a military rating. At the state level the stakes and threats are highest.


Get involved in an active community full of security professionals and learn hands-on helping to secure open source projects.

There is no replacement for mentorship and getting your hands dirty with real world systems.

I will now shamelessly plug the community I learned the most from: https://hashbang.sh


yes.

Data Science can be applied in many different ways, (somewhat) Recently LightCyber was acquired by PANW [0] and I believe that if you are in data science that may be something that tickles your itch.

if I may give advice, asking a more specific question to a search engine may also get you ona path with additional information. 'cyber security' is a pretty large umbrella and much of it may bore you while only a small handful is interesting... so try to be more specific rather than say 'stuff'

[0] https://www.paloaltonetworks.com/products/secure-the-network...


What do you want to learn? Network security? Application security? Secrets management? Security operations?

I'm sure there are fields where data science is useful, like anomaly detection, malware classification etc.


Just created this account so that I could comment, and stay (reasonably) anonymous. I'm the CTO of a reasonably well known security company, for what it's worth - and I've been doing this for a little over two decades in a few countries.

This first misnomer, is that there's one security thing. There are several. The offensive security folks (penetration testers) are far different than the advisory folks (think PCI, HIPAA). Vulnerability scanning, SOC (Security Operations Centers), secure development, and more - it's a wide field. The first thing to ask yourself is "what does security mean to me, and what do I want to do with it".

Give the first part of your question, I'll assume you're interested in software-based security (development) as opposed to infrastructure (network security, physical security, systems security), or the offensive side.

On the other hand, if you just want to 'get into security' - then learn a little bit about networking, and go find a job as a 'Network Operations Engineer' or 'Security Operations Specialist'. These are fairly low-level jobs in the security industry, that can serve as entry points, and help you learn about the other parts of the industry in depth, whilst getting paid.

Echoing what @santigobalsuto and others have mentioned.

1. CS - Understand how software works, not just how to code, but how things happen on machines. What are CPU registers? Write some assembly - nearly every single week my staff uses assembly to test an exploit. It's one hell of a lot easier to make a good developer a decent security professional than the other way around - just trust me on this.

2. Take philosophy and propositional logic courses - Good security folks are terrific critical thinkers. They learn to understand what risk means, and how to contextualize it for an organization. In other words the approach to risk and tolerance is completely different for Home Depot than it is for Evernote.

3. Learn Software Testing (not Quality Assurance). Combining this with critical thinking means you can start to pick apart software, even networks, from varying vantage points. If you combine this with your CS knowledge, it can really help you understand how to attack an application, or an organization.

4. Build lab out of cheap, garbage hardware. For about $300-500 you can get 4 servers on Kijiji that can be used to run OpenStack and VMWare. Get a physical switch, ideally something with a TAP port (but you can replice with VMWare easily enough). Create VMs, play with things like Security Onion, create and destroy networks - use traffic generators... have a great time.

5. Read about standards - it helps to understand what NIST is for, what CVEs are, CWEs, OVAL. Explore a few vulnerabilities (CVEs), and understand what they are, why they matter, how they apply. Then grab a copy of Nexpose Community Edition, and scan your lab - play around.

6. Rebuild your lab, iterating on what you've learned above.


Thanks for your reply. I asked above already, could you explain what to study or what certs to get to follow the path of "advisory folks (think PCI, HIPAA)"


Not the gp, but I also work in security (not in management).

"What are the best information security certifications?" @ Quora[1]. The problem is that it's a massive list. Even if you pick a short list / subset of this list, it's far too much work to get started.

Honestly, I would join/start a club at your school or in your neighborhood. Find people with similar interests. Work together on a single certification. Start small and target a single subset of "cybersecurity".

Honestly, I would start by trimming down the list by filtering out what you aren't close to achieving yet. If a cert requires access to Cisco hardware or assembly language programming skills, there is no point in working on one of those certs first.

[1] https://www.quora.com/What-are-the-best-information-security...


OP: you’ll find you got a lot of very vague, broad, range of answers. I think it might help if you try to find a subset of security that you’re interested in or would like to tackle.

It’s very hard these days to be a complete and effective generalist in security, let alone be good at a range of security stuff while also being great at data science.

I’d consider focusing on appsec for a year, get a job attacking or defending apps for a year, and then you’ll have a basic understanding of the problem space.


That’s a short question with a complicated answer. I’m traveling right now, but you should shoot me an email and I’ll help you get started. Address in HN profile.



In addition to great ressources people are sharing, Security+ and CSA+ from CompTIA can be great certification (vendor neutral and inexpensive).


If you are interested in web pentesting, learn to hack Webgoat and DVWA. From there go after live sites via a bug bounty platform (I like Bugcrowd.)

It is hard to overstate the value of the chance to test (and demonstrate) your skills against a live production site.



Would anyone please revert a name of a book that may probably help here?


Is the OSCP certification worth it?


It depends. If you’re expecting it to land you a job, no. If you’re trying to add to your arsenal of skills, maybe (arguably you could self teach a lot of it and save your money). If you’re trying to get past HR in some big company who use it’s metric, yeah sure. It also depends on what you want to do - I gather it’s useful for netpens but useless if you want to do appsec, which is a huge chunk of pentest work. What are your end goals?


No goals per se...just kind of interested in the field and would be doing it for personal interest. I've found tons of sites that offer lab environments and downloadable VM's that allow you to practice exploits so maybe that would be a cheaper way to go in the beginning.


Yeah totally do that then. And get a copy of burp and hack some web stuff. Have a crack at bug bounties to test your chops.


low level programming / radio. try not to cry ;)


Start by forgetting the word cyber.


This is bad advice.

There's a reason that cyber is used, because you need something to disambiguate it from all the other kinds of security.

Imagine you're a policy person at the pentagon (or equivalent), if someone talks about security then that doesn't narrow it down to all the other kinds of security going on there.

You could use "info sec" but there are agencies who deal with a lot of information which doesn't necessarily mean this space either. They've been dealing with information security since their inception most of which I suspect is focused around people and not machines.

Cyber security makes it clear to those people what you're talking about.

To someone who works in SV and spends all day with developers the context is other way around, and in that context cyber sounds asinine and if you talk about security someone immediately knows it's security in your space.

That's my guess at why you tend to see 'info-sec' in the private space and 'cyber security' in the public space.


> Is there any link between data science and cyber security?

There's... a company around LA area that does cyber and data science. I would think they apply data science to logs and such to figure out abnormality. Likewise if you count email spam detection as a cyber security thing.

For cyber security, take Network+ or just grab a Network+ book. I believe that's where you should start first in cyber security.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: