That’s great! But where to start?
Cyber Security: The final frontier…
Since there have been a few requests, here is a (short?) guide I whipped together in regards to starting out in Information Security. (Or, Cyber Security, whatever you want to call it.)
The information here is applicable to many different positions, but best fits a security engineer, network security admin, or analyst-type position. Like IT in general, Cyber Security, in of itself, has many, many, many different avenues and opportunities to explore.
Albeit, this is fairly basic and caters to an entry level approach that assumes you know a fairly basic level of IT knowledge.
The way to navigate this guide is to use it as a starting point or a framework of the basic knowledge and expectations a Security Analyst, for example, may be expected to know.
From the ground up, you’ll need to know basic networking, protocols, guiding principles, security frameworks, what’s expected in auditing, have an idea of the threat landscape, know the difference between what’s normal and not, as well as have a familiarity with different security tools and solution sets.
Note: I acknowledge that not [EVERYTHING] is covered here. This is more of a springboard to get a better understanding of what is needed to start. The idea is for this to act as a study guide and start from the beginning and work your way up. The provided links have more fleshed out context.
I also didn’t touch on pentesting, really. (Because it *can* be considered entry level, but I think that’s a different conversation.) So, there’s that, in case anyone was wondering why it isn’t included.
———————————————
Information Security is defined as “the state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this.” That said, one of the most foundational aspects hinges on knowing the difference between what’s “normal” and what’s not. In order to know that, one must first know the process in which data is transmitted and exchanged.
The OSI/TCP Model
-OSI Model: https://en.wikipedia.org/wiki/OSI_model
-TCP Model: https://www.geeksforgeeks.org/tcp-ip-model/
-Wireshark: https://www.wireshark.org/download.html
-NMap: https://nmap.org/
The OSI Model gives you an idea of how information is transmitted and the process in which it occurs down to the most physical level. Most organizations seem to prefer the TCP Model, though it just depends on preference. Wireshark is a tool where you can get “packet captures” in order to analyze data transfers from within your network whereas NMap acts as a free utility for network discovery and security auditing.Using these pieces to get a topology can help you better understand the blueprint in which you’re working with. Furthermore, having a general idea of what ports are used and for what purpose is another key component of security on a foundational level.
Common Ports and Their Uses:
https://www.examcollection.com/certification-training/network-plus-overview-of-common-tcp-and-udp-default-ports.html
———————————————
Information Security Principles
-Guiding Principles: https://resources.infosecinstitute.com/guiding-principles-in-information-security/#gref
-Information Security Defined: https://www.csoonline.com/article/3513899/what-is-information-security-definition-principles-and-jobs.html#:~:text=Information%20security%20principles,confidentiality%2C%20integrity%2C%20and%20availability.&text=Passwords%2C%20encryption%2C%20authentication%2C%20and,techniques%20designed%20to%20ensure%20confidentiality.
Anywhere you look, you’ll see that Information Security is based on 3 principles:
-Confidentiality
-Integrity
-Availability
As mentioned in one of the above articles and at the beginning of this document, Information Security is often used interchangeably with “Cyber Security.” Though, Information Security is a specific discipline under the “Cyber Security” umbrella.
———————————————
Information Security Frameworks
-NIST Framework: https://www.nist.gov/cyberframework
-CIS Controls: https://www.sans.org/critical-security-controls
-CMMC: https://securityboulevard.com/2020/01/understanding-cybersecurity-maturity-model-certification-cmmc/#:~:text=The%20CMMC%20is%20a%20certification,Controlled%20Unclassified%20Information%20(CUI)
Information Security and its principles adhere to certain frameworks and maturity models. Not all organizations will be at the same place in terms of a maturity model. These models help distinguish where a business is at and how they can better themselves in terms of optimum protections without sacrificing performance. Such frameworks account for the different departments, various policies and procedures (or lack thereof), physical and digital aspects of security, asset management, user education, audit readiness, and much, much more.
———————————————
Auditing, Compliance, and Governance
-Auditing Basics: https://www.dnsstuff.com/it-security-audit
-Types of Audits: https://www.accountingtools.com/articles/types-of-audits.html
-List of Compliance Regulations: https://www.tcdi.com/information-security-compliance-which-regulations/
-What is IT Governance: https://cio-wiki.org/wiki/IT_Governance#:~:text=IT%20Governance%20(Information%20Technology%20Governance)%20is%20a%20process%20used%20to,IT%20Governance%20is%20a%20process
Part of your job as an Information Security Professional often revolves around the practice of “passing an audit” or following “compliance.” You have to ensure that the business you work for is adhering to a certain set of standards required by law. This might be HIPAA if you’re in healthcare, PCI DSS if your company takes payments, or a combination of different audit/compliance standards. A big piece of this boils down to policy and procedures. (As mentioned earlier.)
Your organization must have a set of policies and procedures that cover certain areas based on your regulatory compliance.
A policy is a guiding principle used to set direction in an organization. For example, you may want to have a policy at a bank about not bringing (unauthorized) external equipment in and plugging it into your network. Furthermore, there also should be a policy detailing what is considered authorized and what isn’t. That way, there things are clearly defined and cannot be argued.
A procedure is a series of steps to be followed as a consistent and repetitive approach to accomplish an end result. For example, having a document that outlines the steps in which a new (authorized) device must be set up. Arguably, some of these ideals can be boiled down to a concept called “IT Governance.” The objective of IT Governance is to ensure that these practices do not impact business value, but rather, enhance it.
———————————————
Understanding the Threat Landscape
-Cyber Threat Landscape: https://rapidscale.net/resources/blog/blog-post/cyber-threat-landscape
-What are the Most Common Attacks: https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html#~types-of-cyber-attacks
-MITRE ATT&CK: https://attack.mitre.org/
-Cyber Kill Chain: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
-OWASP Top Ten: https://owasp.org/www-project-top-ten/
In order to know what you’re protecting against… Well, it helps to know what you’re protecting against. (Lol.) If you don’t- it’s going to be quite difficult to pinpoint. There are many different types of attacks from various vectors and it’s imperative that you know how to detect and define these attacks.
Not only that, look up what phishing is, common malware and ransomware attacks, keep yourself up to date with breaches, and study on “social engineering” as a concept.
———————————————
Security Tools and Solution Sets
-Security Gateways (Aka “Firewalls”)
-Endpoint Protection (Aka “Anti-Virus”)
-Email Filtering
-Data Encryption
-Mobile Device Management
-Mobile Device Security
-Site to Site VPN
-Remote User Access VPN
-Security Scanning Tools
-Cloud IaaS, SaaS, and PaaS Protections
-IoT Security
-SCADA and ICS Security
-Workload Security (Serverless, Container Security)
-Phish Test Simulations
-User Education Programs
The list could go on and on, but you get the idea. Security is not only a set of solutions, but it is also a mindset. Ideally, you should have solutions or products to fill these gaps, but ultimately, an organization is only as strong as their “weakest user.” A healthy combination of these solution sets and an educational approach is needed.
These items, for some organizations, can also lend to your area of interest within security. Some businesses with larger security teams segment these responsibilities while others expect their team members to “wear many hats” and understand ALL of these. There is a high demand for security professionals, but an even higher demand for such professionals that know Cloud, IoT, and other more specific fields.
———————————————
Knowing Normal and Finding Evil
-Anomaly Detection: https://www.informationsecuritybuzz.com/articles/finding-unknown-threats-anomaly-detection/
-SANS Poster: https://digital-forensics.sans.org/media/SANS_Poster_2018_Hunt_Evil_FINAL.pdf
Now, that you know the basics, you can focus on finding threats. Knowing Normal and Finding Evil requires a basic knowledge of infrastructure and what native programs should be running, although, it’s more dependent on troubleshooting tactics and critical analysis than it is anything else. Another segment of this delves into forensics, though, I won’t harp on that too much as it can be considered more advanced.
More on Forensics:
https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/digital-forensics
———————————————
Incident Response and SOC
-Incident Response Basics: https://searchsecurity.techtarget.com/definition/incident-response
-Incident Response Planning: https://www.securitymetrics.com/blog/6-phases-incident-response-plan
-What is a SOC: https://en.wikipedia.org/wiki/Security_operations_center
-SOC definition: https://en.wikipedia.org/wiki/Information_security_operations_center
Incident Response is the process of preparing for, detecting, mitigating, and responding to an incident. An incident is defined as a breach or attack of an organization’s security that affects its integrity or availability and/or the unauthorized or attempted access to a system or systems.
It’s important that the above information is understood because a large portion of Incident Response revolves around preventative measures, as well as what to do after (or if) an incident occurs. Additionally, the follow-up and post mortem components are key to building for a better tomorrow. A Security Operations Center, or SOC, is a centralized unit that deals with security issues on an organizational and technical level. Not all organizations have a SOC, though some verticals require it.
———————————————
Also, if you can get comfortable with Linux and Python, that’s a plus.
(It doesn’t have to be Kali, per se.)
-Getting Started with Kali Linux:
https://kali.training/lessons/2-getting-started-with-kali/
-Kali Linux Install:
https://www.kali.org/docs/installation/
-Getting Started with Python:
https://www.python.org/about/gettingstarted/
———————————————
There is a lot to know and learn, but these are all great places to start.
———————————————
Tips for applying:
-Always research the company you’re applying for. (Know their history, CEO, mission statement, breach history, etc.)
-Be up front about what you know or don’t know. (Don’t embellish too heavily.)
-Ask about any mentorship or junior-level programs they may have available.
-Be yourself! (Duh!)
-Familiarize with common security vendors or even try to
get insight to what the company uses prior to the interview. (Don’t weaponize any breach info, only use it tactfully or “as a matter of factly”- if applicable.)
-Acknowledge that you’re willing to learn and that “there’s always
more that you don’t know.”
-Set up a testing lab at home, if possible, and use your initiative to
your advantage. (Show them any projects or findings you’ve been working on, if
necessary.)
———————————————
Other suggestions:
-Find a mentor that’s willing to teach you
-Join Twitter and connect with Cyber Security Professionals
-Stay active on LinkedIn
-Pursue security certifications, if applicable
-Go to local (or remote) security conferences
-Subscribe to RSS Feeds and security news sites
-Contribute to the community by testing things and sharing results
-Learn and speak on topics
———————————————
Good luck!