WARNING: this is a *huge* info-dump; think of it as a class syllabus. you're meant to absorb this information over the course of many moons, like a college degree except FREE. Section 1 and 2 you can start right away; try and integrate those into your somewhat-daily life to help build a brain stew that gets perpetually yummier. Save Section 3 stuff to try and tackle *at least* once every week or two; making a few hours of uninterrupted time to carve some brain grooves doing the real deal. In a few months, you'll notice concepts starting to stick together more clearly and you’ll have madly employable skills.
you’re thinking about dipping your toes into the world of infosec? GREAT. I used to draw cartoons for a living, but 80 hour weeks with 40 hours of dismal pay did not bode well for my mental health and future happiness. Financial stability is one of the greatest gifts I’ve ever been given, and we can give it to ourselves thanks to the wealth of resources out there.
The top three things I think you need to mash into your brain in whatever-works-for-you amounts:
DAILY INFOSEC MATERIAL
if you want to "get" stuff, you're going to have to listen, read, and learn from material you might not "get" yet. Constant exposure keeps your brain brewing in the background thinking about the things you've been shoveling into it, plus, it's FASCINATING to learn about!
STUDYING COMPUTER FUNDAMENTALS
this is your traditional sort of classwork/homework kinda workwork, but you gotta know this to actually understand how all of the systems involved in computing interact. It’s interlocking, logical systems of turtles all the way down; finding out how they work together can be fun!
PROJECTS AND ACTIVITIES (scaled for emphasis)
it can feel incredibly good to ingest knowledge all the time, but if you're not creating, doing, or breaking something and problem solving your way out of or through it, it's not going to stick. the connections your brain makes while DOING the things you've just talked or read about are going to make you valuable to a company who is hiring you to DO THINGS, not just know about things.
making yummy infosec stew
Infosec enthusiasts have a very active and supportive community on Twitter. As security professionals are naturally very curious types, everyone shares the curious things they've discovered, chats about the curious things they are working on, or laughs at the curious nature of the infosec business, and curiosity is infectious.
One can generate an endless stream of daily infosec nourishment with a few steps:
Follow some cool people; follow the people they retweet; follow streams of replies and hashtags down unexpected paths. Some of my favorites:
@swiftonsecurity . Taylor Swift as a security professional, also a genius and one of the most respected infosec twitterheads
@xanda . insightful threat intelligence researcher
@malwareunicorn . brilliant malware analyst; she also draws well and is hilarious
@hackerfantastic . shares a ton of great content from the community
@JaneScott_ . always retweets some of the best content, and starts great threads
@gcluley . one of the OG security people
@tarah . Splunk's Sr Threat+Vuln management person, Splunk is like my favorite and she is like my hero
It will feel like learning another language; if you don’t know what a word means or a system someone refers to does then Ask Jeeves and find out!
Blogs are another great source as they can dive deeper into topics with more than 280 characters. I use feedly.com to ingest all of my favorite blogs into one interface.
Krebs on Security - Brian Krebs is a sharp journalist who covers cybercrime from many angles; his book Spam Nation is a thrilling page turner which describes how criminal organizations make money from spam email.
Schneier on Security . Bruce Schneier started his career as a cryptographer, so his writing can get a bit more technical, but he is also a great writer and renaissance techfella.
Tao Security . Richard Bejtlich wrote the great book "The Practice of Network Security Monitoring" - which contains step by step instructions for setting up a security stack with Security Onion, a Linux distribution built for just that purpose. This is his blog!
Securosis . This security company posts some great content on the bleeding edge of modern infosec business practices. Sounds like gobbledegook at first, but may point you in the direction of a topic you'd like to explore!
The Hacker News . A smorgasbord of stories from all over the web, covering all the latest security goings on.
Podcasts are GREAT for driving/cleaning/something-normally-mindless, and make that mindless time interesting. Some of the ones my friends know and love:
Twitter isn't the only place that security folks hang out; one site I've found I like the style of is https://www.peerlyst.com; the idea is for security professionals to connect, write articles, and build their brand.
I love the articles here, as they are written from a variety of individuals at different skill levels, who are willing to share their struggles with understanding the material and how they approached solving the problem. Just by signing up and picking some tags to follow, you will get a digest of articles every week to peruse!
This is a hodgepodge, but if you're going to be wasting an hour or two on reddit anyways might as well get some infosec articles in your feed!
that stuff is more like building your exposure to concepts and the world itself where you *will* be, ONE DAY, but you are going to have to take time to learn fundamentals. I recommend treating this stuff like a college-level class you have to study for to pass: take notes while you listen to the lecture, then type up organized outlines from your notes. When you have your data this way, you can organize flashcards for SPACED REPETITION LEARNING (google it), which is amazing and awesome and makes your brain store stuff long-term; also, this is a chance for you to practice TYPING and gettin' them words per minute up in the *dozens*.
The certifications I recommend for people with ZERO previous IT experience are CompTIA's A+, Network+, and Security+. A+ covers compsci fundamentals and troubleshooting, Network+ = networking fundamentals, and Security+ is an overview of the modern security program and how it functions. because these certification attempts cost money you could ALSO just learn everything you need for the A+ and Network+ certifications and make sure you actually KNOW IT then pass the Sec+, as this is bare minimum for most HR departments.
To start your training, I *highly suggest* you dive into the joy of reading Julia Evans' *AMAZING* zine on networking. It's aimed for people getting into programming, but her attitude embodies a really healthy relationship to learning, approaching tough problems, and getting better at stuff:
Okay, good. Yes. NOW:
You can learn everything you need to study for these exams from Professor Messer's free YouTube videos:
Who is clearly a lovely human being; hopefully making lots of money for this free content. Another site that has a ton of free mini-courses on various topics is:
If you're able to shell out $35, you should absolutely definitely go through my friend Ryan Chapman's material. He is a hilarious and lovely human being who made a great intro course on Incident Response, which is the mindset and overall function of what a Security Operations Center (SOC) does via modern 24/7/365 Network Security Monitoring.
Regardless of whether you sign up for his class, DEFINITELY read his free articles:
Which shares some perspective on what it takes to get these gigs. His Intro to Incident Response material is on PluralSight, which is $35 a month, but gives access to a bunch of great-but-not-as-good-as-Ryan's content:
actually doing stuff
THIS IS THE MOST IMPORTANT PIECE ; gathering knowledge from your studies is necessary to know the thing, but doing the thing is how you’re going to become a professional paid to do — not just know about — the thing. It’s the difference between studying for your driving exam and actually driving a car.
The activities here depend on how familiar you just so happen to be with computers, but always keep moving forward and trying things you’ve never done before. As long as you keep practicing, you’ll learn in leaps and bounds.
To me the coolest part about computers is how we use them to do things faster, thanks to their crazy fast computer brains. That means the better we’re able to interface with them, the more stuff we can have them do for us! If you’re just starting out, here is a progression of activities that exemplify how you can get more done with less:
typing games / exercises - increasing your WPM means you can get more work done at a keyboard. this is something that if you practice with games and goals, you'll generally get more practice the rest of the time you use a computer.
learning keyboard shortcuts for programs you use - keyboard shortcuts can increase productivity and replace repetitive tasks. Email, word processors, and browsers are a great place to start, as you’ll be using them often and can save thousands of hours in the long run.
setting up AutoHotKey - possibilities truly endless; create keyboard shortcuts for scripts/automation/typing out emoticons (/¯◡ ‿ ◡)/¯ - https://duckduckgo.com/?q=best+autohotkey+scripts&t=ffab&ia=web
setting up a virtual machine - once you set it up, you can play with Linux or Mac or Windows on a Windows, Mac, or Linux machine; it’s MAGIC. also there are lots of security related Linux distributions for collecting open source tools like Kali for penetration testing, digital forensics with SIFT , blowing up malware inside of Remnux, or crafting security infrastructure with Security Onion.
setting up Docker - docker is like virtual machines but... they're containers. containers are basically disposable, iterative, and efficient as HECK VMs, as they run with the bare minimum of connected drivers and services to make a single service or tool run in a virtual Linux environment. modern cloud hardware infrastructure companies like AWS and Google Cloud Project basically have a shit ton of containers running on beefy servers that can spin up hundreds of these things and provide always-on, self-healing, scalable virtual hardware... which they lease to people for cheaper than running and maintaining their own server infrastructure. and make bajillions of dollars.
FYI, if you utilize Docker directly within Windows, it will prevent you from utilizing VirtualBox or VMware and force you to use Windows Hyper-V; you can install Docker inside of a Linux VM to work around this.
After tackling these tasks, or if you feel you are ready, it’s time to begin The Great Work.
BUILDING A HOME LAB
This is where you’ll be cutting the edge of your own skills and learning what people will pay money for you to do! Your lab is your she-shed, your man-cave, your non-binary library, and it starts with the laptop or desktop you’re using right now. The more tools you install, virtual machine images you build, and systems you configure, the more your lab can do for you. Eventually, you can expand beyond one machine and get some additional hardware running things inside of your network permanently, or you could use someone else’s and set things up in the cloud.
Home Video/Audio with Plex or Kodi
Digital Forensics with SIFT
Windows Identity/Access Management with Windows Server 2019 Evaluation
Penetration Testing with Kali
Vulnerable Web Services with Metasploitable or OWASP Broken Web Apps
Malware Reverse-Engineering with Remnux
Forensics / Penetration Testing with FLARE (Windows)
Network Security Monitoring with SecurityOnion
Malware Sandbox with Cuckoo
Log Analysis with Splunk
Remote Live Forensics with Google Rapid Response (GRR)
Pick whatever sounds interesting + not overwhelming to you and just start FIGURING IT OUT!
Reading how others have solved CTFs and forensics challenges will help give you a better idea of how the pros solve problems… but don’t just read! Read, but take notes on what programs they're using and why they need to use them for each step of the challenge, then process; you'll get far more out of this experience figuring out why you need to do X to do Y to get Z. When your lab is farther along, you can download the files and use all the same tools to find all of the same answers!
Some great challenge writeups to look into:
You don’t just have to read about the pros doing all the fun stuff, you can do it too! Here are a few entry-level challenges to get you started:
http://overthewire.org/wargames/ - great introductory material to get you used to the command-line, then performing really wild terminal tricks to crack questions and solve problems!
Bravo for making it this far.
This is my best distillation of what needs to get into your brain to get into this career. I've seen people gobble this up in a few months and others take their time over the course of a year or two; regardless, one day it can make you lots of money in a field that will be one of the last to be automated before the reign of machines!