Getting started in cybersecurity 2023
My recommendations to new folks, mentees, and several Lyft drivers in TL;DR or perhaps BLUF:
- Try some beginner courses and challenges to see some cybersecurity and to start building your skills
- Learn about the field, the work, the challenges … understand what you are getting into
- Get involved online, safely
- Find some individuals to follow, a community or two to join, and start looking for mentors
Here are a bunch of things I think you should put on your to-do list if you want to learn about cybersecurity and possibly work in the field. Don’t have a list? Might be a good time to start one :)
1) Try some beginner courses, challenges, and puzzles
Requirements: a computer to study on, Wifi (or some kind of Internet access), and some time to study and hack. Headphones (or the like) if you don’t have a private study space are a good idea. I recommend a wired mouse with a wheel but some folks like trackpads.
For symbolic and technical reasons you should have a dedicated computer for your cybersecurity studies that no one is counting on for anything else. For most things an older laptop or a Chromebook is actually pretty good to get started and you may already have one or can get one. Once you get going you will want more and better gear, but for modern online courses and learning to find information online you just need something more comfortable to read, write, and study on than your phone.
Further, it doesn’t actually matter what system this machine is using (Windows, Linux, Mac, BSD), so long as you can get to websites and watch videos online. If you are into it you can learn all about your operating system, and how and why to change it … a bit later on :) Seriously, Chromebooks are worth a look here, but an old working laptop no one is using is what you need.
There are fantastic free, cheap, affordable and a few really expensive options available online and lots of material for beginners or folks new to cybersecurity, or just changing specializations. Here are my current favourites and recommendations for practice and training, in opinionated order.
- Practice: TryHackMe, Over The Wire, PG/VulnHub, HackTheBox
- Courses: The Cyber Mentor, AntiSyphon, Applied Network Defense, SecureIdeas and OffSec
- online conferences and recorded talks; SANS has an entire annual summit for New2Cyber
- books once you have a topic or speciality in mind, for in-depth and lasting understanding .. basically No Starch Press, but also some others
- (later, with sponsors or scholarships) big national conferences, SANS, and/or graduate school
2) Learn about the field, the work, the challenges
Understand what you are getting into and start looking for topics and areas that interest you
- Start reading / listening to security news. Here are some sources and podcasts I recommend to start:
- Resources on burnout and mental health concerns, check out https://www.mentalhealthhackers.org/:
- https://threathuntergirl.com/2023/03/15/disabling-survival-mode-my-burnout-recovery-story/ (2023)
- https://www.activeresponse.org/chronic-stress-and-a-life-how-stress-almost-killed-me/ (2019)
- https://www.technologyreview.com/2018/08/07/141139/cybersecuritys-insidious-new-threat-workforce-stress/ (2018)
3) Get involved online, safely
Learn about, start using, and advocate digital privacy and safety techniques like multi-factor authentication, password management, updates, backups, … some starter resources
Get some or all of:
- a professional email address, an Internet domain, Authenticator app(s), a GitHub account, a blog, a professional social account, some Yubikeys, a second phone for work/school
4) Find some individuals to follow, a community or two to join, and start looking for mentors
Follow good people
Here are three people I recommend everyone read to start their collection. There are lots and lots of good people in infosec/cybersecurity I can also recommend and you can find, but please start with these three.
- Lesley Carhart tisiphone.net @hacks4pancakes
- Chris Sanders chrissanders.org @chrissanders
- John Strand BHIS, AntiSyphon, Active Countermeasures @strandjs
- Tanya Janca https://wehackpurple.com/author/tanya/ @shehackspurple
- other instructors, speakers, authors, mentors you trust
- but not charlatans, ref: https://attrition.org/errata/charlatan/
Find communities to support you
Here are some communities I can recommend, and there are plenty more great ones I don’t know about:
- Blue Team Village: https://blueteamvillage.org/
- Atlanta Cybersecurity Engineers / local Defcon and 2600 groups, user groups and professional societies:
- DFIR Discord: https://github.com/Digital-Forensics-Discord-Server
https://www.dianainitiative.org/ https://blackgirlshack.org/ https://womenscyberjutsu.org/? …
- the chat channels and fora for the skills training / education / field you are interested in (OffSec, Antisyphon, TCM, AND, SANS etc)
much more of import
- About the field(s) and the work
- Always changing, frequently very challenging: face determined human adversaries using machines to do bad things
- Many specialties and sub-fields and more every year .. room for everyone who wants to put in the work
- Do you have to …
- Program, read binary, or be good at maths? No, though it might help you
- Build your own computers, play certain video games, wear hoodies, like hacker movies? Nah, though all are popular :)
- Finish college first? Obviously not (I still haven’t), but it may help you land work or a position
- You do have to …
- Learn to research topics online and more generally how to absorb knowledge and acquire skills
- Learn to ask good questions and help other people
- Communicate about everything to anyone in different forms and situations
- a few words about ethics, certifications, and licensure …
- Ethics are required. Professionalism is required.
- Certifications are optional and may help you in some quests / to get some jobs.
- Licensure is not a thing for us yet … unlike almost every other professional field cough.
- Others have said this better, links to writing and conference talks
- https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/comment-page-1/#comment-10636 (2015)
- My previous posts / talks: Your InfoSec Career (2019), Breakin’ Into Infosec (2016), CISSP, PWK, OSCP, or getting started (2017)
- All the hacking and cybersecurity in TV and movies is basically garbage except Mr. Robot (OTOH no telly programme seems to get emergency medicine or law right).
This didn’t cover job hunting, hiring, interviews, college, remote work, regulations, wars, or any number of other worthy and important topics .. but it might help you get started. Feedback appreciated and questions welcome! Cheers, good hunting!