I am currently unemployed (been looking for almost a year with no luck), so instead of doing nothing I thought I might learn something new. I work on some coding projects for fun in the meantime because I love doing it. I went to school for computer engineering but I’ve always been interested in cybersecurity/infoSec; I think it’s a good skill to have. I’ve been looking at courses that give you certification but I have no money (see unemployment). I’ve been mostly self-taught anyways, so I was wondering if you guys have come across any good books on the subject. A book you used as part of a university course you took or a book that helped you. I also feel like those courses with certificates barely teach you anything (especially the free ones). They feel like a bunch of checklists. I want to learn, so I feel like a good book will help.

I have a part-time job right now, so I’m thinking I learn by myself, then get enough money to get “officially certified” and move into cybersecurity, ’cause software engineering only isn’t doing me any good in this economy.

  • pishadoot@sh.itjust.works
    3 days ago

    You can find plenty of free sec+ study materials to get you started. It is basic, yes, but real cyber security comes from understanding systems, protocols, and best practices and honestly I’m not sure there’s a good book that can give you that. I could be wrong, we’ll see other posts if they show up, but starting with sec+ material and then reading deeper on things would be my recommendation.

    Understanding Active Directory, Linux permissions and file structure, VPNs, firewalls, different security appliances, hashing, crypto methods/algorithms, handshakes, transmission protocols, VMs, cloud architectures, backup strategies, social engineering, etc. - it all plays a part. You could find a number of books and resources about any of those things.

    Certs like LPI Linux Essentials are pretty good if you’re unfamiliar with Linux basics; that’s another one to look into where you can find free study material.

    I guess what I’m saying is that cyber security is REALLY complicated and will always be tailored to the threats, the assets you’re trying to protect, available budget, and systems used. It’s why certs are the industry standard of recognition, because there’s really not a good way to gauge competency unless you’re assessed by another competent person in the field. And you may be AWESOME with an Active Directory setup but be lost in Linux, or need to work with embedded systems, but be weak in other areas because you’ve never worked with it, so certs kind of level the field so you can be at least aware of stuff if you’ve never worked with it.

    I would not consider myself an expert in the field but this is my perspective. You can learn for the next 10 years for free and by just experimenting on old hardware and with VMs and a robust LAN.

    The cyber landscape is so, so complex. There’s an endless number of options and potential vulnerabilities. Defense in depth can’t really be taught from a single book, but identifying areas you’d like to learn more about can take you as far down the rabbit hole as you like.

    • argueswithidiots@lemmy.world
      2 days ago

      This is what I’ve been trying to explain to my college-age kids once they realized (in the past 12 months, mainly) their computer science degrees will not be worth what they think by the time they earn them. They understand that much at least, but are convinced cybersecurity will become the domain of AI as well. I have tried to explain AI is nowhere near sophisticated enough for this in its current iteration.

      • pishadoot@sh.itjust.works
        2 days ago

        I disagree with you about the degree, actually. A degree in compsci is a baseline in the tech industry, like certs. Not really on the security side, more on development. It depends on what they want to do and where they’re willing to move to, luck, etc for them to be successful. Overall bachelor’s degrees have gotten less valuable in general and compsci is not what it used to be, but it’s still a good foundation. Pair it with some CompTIA or CCNA certs and they’re off to the races if they want to be versatile, or they can go deeper into some code/architecture based stuff if they want to stay in development.

        The domain of AI isn’t cybersecurity, it’s data collection and data analysis. AI in its current form is laid on the foundation of massive quantities of data. Collecting, sorting, and cataloguing all of that in useful/indexable ways is the cornerstone of machine learning (AI).

        It’s hard to say where AI is going to take us in the next 10 years, but if your kids stay AI literate they should be pretty good. I hate Google but they have some of the best AI training on the market right now, so as much as I hate to recommend them as a source I have to be pragmatic and mention it if you’re going to recommend something to your kids for their success.

        I don’t really agree with your assessment of where AI currently is at. It sounds like you’re probably underestimating the current capabilities. The problem right now is we don’t know how to control it, not that it’s not capable enough. On top of that the pace of acceleration is insane so even if you’re on the mark and I’m not, the field will have shifted so far in 2-3 years that your position will no longer be correct and mine will be then. But, I do agree that cybersecurity isn’t really “the next domain” of AI, even if it’s integral to it like it is with all computer stuff.

        I don’t think they’d go wrong getting into security, it’s not going anywhere any time soon. If anything it’s going to continually grow with technical advancements and expansion of application.

    • kennedy@lemmy.dbzer0.com (OP)
      3 days ago

      Ah okay, so there are sub fields you can specialize in but not one thing you can learn that will apply everywhere. I guess that’s why it’s been a bit hard to find cohesive material to look at. Everywhere I tried to look was trying to teach me different things.

      • scytale@piefed.zip
        3 days ago

        Sec+ resources are a good recommendation though, because it lays down the groundwork and fundamentals that you can then build on once you decide on the domain you want to specialize in.

      • pishadoot@sh.itjust.works
        2 days ago

        I think everything you learn will for the most part apply everywhere, there’s just no singular definitive source for everything. It’s like saying you want to learn politics, or you want to learn construction, or you want to learn math. The field is so wide that you can’t just get a single book about everything.

        You definitely can specialize in sub fields though. My favorite areas are network architecture/security and social engineering. My primary skills lie in disaster planning and recovery though, because I migrated from a different industry where I applied pretty much the exact same thought methodology.

  • borari@lemmy.dbzer0.com
    3 days ago

    For offensive cyber security a good way to just jump in is the free Hack The Box machines. I took detailed notes on them then published those notes on my website, which I was told later was what sold my first pentesting employer on me versus other candidates.

    Other than that, yeah, free Sec+ stuff is a good entry point.

    Oh, also Black Hills Information Security has pay-what-you-can online trainings. The company is run by a former SANS instructor, the quality is really good.

    • kennedy@lemmy.dbzer0.com (OP)
      3 days ago

      Black Hills looks great, I will definitely be checking them out! What is your website? (if you want to share it)

  • Gobo@lemmy.world
    3 days ago

    There’s a bunch of free CTFs that help step you through different areas. They often start easy and work their way up to give you a series of challenges and help you learn.

  • taco@piefed.social
    3 days ago

    The “All-in-One” exam guide for CRISC is a good starting point. Probably substantial enough to sit the exam if you want the ISACA cert, but definitely enough to give you a baseline of knowledge to pick somewhere to delve deeper if you’re looking to specialize in something you can find a job in.