Starting in InfoSec - 101- 5 mins
This blog post is written as a list of tips and notes on starting the field of Information Security from the beginning.
How to Start into the field of information security?
I would like to become a bug bounty hunter, ethical hacker, web-app tester, or to have better knowledge in security testing. How to start?
The following are tips and points should be followed when getting into the field of Information Security in general, and security testing in specific.
1. Start on the base of programming
It’s required to start from the very beginning when it comes to web-application testing. Without a good base, it’s very difficult to go further.
I recommend having a good base in scripting languages: PHP, Shell, then choose Python, Ruby, Node.JS or similar scripting languages.
Also, HTML/CSS/JS will be important for web security. Learning it in a good level would be important in order understand web, and further, to write web exploits and code.
This will give you a very good base on understanding the nature of applications, and how it could be developed. This will also help you in being capable of writing testing scripts or code that you would need in actual security testing.
You should at least reach a level that you are capable of performing ideas that you have in mind. It takes time to learn, but it’s really vital.
2. Have a good knowledge in Linux/Unix
This will help you in learning how to interact with your machine, and how to get the most of it when performing tests.
3. Understand networking basics
Learning networking is very important. It should give you knowledge on how to approach a target in testing. Also, it will help you build blocks in the relation of the application and the server.
You should understand popular services and protocols, and how it works. Also, be able of knowing how to debug issues.
4. Basic knowledge of System Administration
Basic knowledge of system administration is very useful. It will help you understand how things work, and based on that, you would have an idea about common issues that can be used to break things.
5. Learning common web-application security vulnerabilities
After finishing the above, you can start in learning the common web-application security vulnerabilities. How to find it, how does it occur, and how to exploit it. Take each vulnerability and read a sample vulnerable code for it, (assuming you reached a good level in learning programming), and then see how to protect from it.
There are vulnerable applications that can help you in it. https://vulnhub.com/
is a great resource for getting vulnerable virtual machines. (What’s a virtual machine? You should have this covered in previous sections).
6. Practice, Practice, and Practice
Nothing comes easily. Information security is not an industry of a 9-5 jobs. If you didn’t dedicate yourself for it, it will be difficult to improve. Put a good amount of efforts into learning and practicing.
7. English is world’s language of communication. Learn it to learn to read resources.
There is no doubt that English is today’s language of communication.
If you understand English, you would be able to access and understand a large amount of English resources. The majority of information security resources online are in English. English is a universal language, it’s required in almost anything in it. Do your best in learning it well.
8. Read, Read, and Read
I remember watching a TedX talk that gives an important and catchy quote, “Readers are Leaders”.
The more you read, the more you learn, the more you understand better, the more you improve.
It all start with reading. There are a large amount of resources online that you can benefit from.
8. There is no Bullet-Proof Resource or Advise that will make you a good hacker
Information security is not a thing that you can learn from a single resource or place. Knowledge on the field is something that is obtained through hard work and practice.
9. Practice in CTFs and Bug Bounty Programs
After working on all the topics above, it would be a good time to start with CTFs and Bug Programs. These programs help you in getting practical knowledge of information security. It’s fun, and very helpful.
This a summary of what I have in mind in starting in the information security field. It’s not bullet-proof, but it will hopefully get you in a good level if followed right.