Cybersecurity - want to learn, need advice

[keylanbelle]

Hiiii i want to get into cybersecurity and although i have watched some videos and read some articles, i am still not sure where to start and what to learn x-x

Need advice from people who know stuff / work in the field! I know some basic stuff about IT & good at using my windows, but nothing more. Where do i start and what is the best way of learning? I feel like just reading text won't get me a lot of actual knowledge and i will forget it quickly

[arcus]

It's a wide field. What draws you to it? Are you curious to learn for personal security reasons? Do you want a career out of it?

[Tuffy!]

If you forget about the things you read about cybersecurity, is this really the field you want to expand/work in?

I mean I forget about everything that I read if it doesn't drive me mad or enlightens me in some way or the other. But things I'm really interested in, info about those topics is stored in my memory almost automatically 

[poesu]

There's a good book called Extreme Privacy by Michael Bazzell. As the title suggests, it mostly assumes you want to disappear from the face of the internet, so I'm not sure if it's good for beginners.

The most important thing to learn is that cybersecurity is a journey and a mindset! It's not a checklist. Don't beat yourself up and be extremely patient and slow (unless you're currently in danger). Try learning one thing at a time. For example, you can set a goal for this week or month to switch to FOSS instead of Google/Microslop that spy on you. Not to shamelessly self-advertise, but I have a page that lists programmes I use on a daily basis (security/privacy-focused ones are mostly in the deGoogling section).

I can't really point you to some articles/videos and whatnot, because my knowledge of cybersecurity comes from like thousands of sources. You learn one thing here, another thing there.

What will keep you remembering stuff is continuous practice. Let's say, you stuff all your passwords using a secure password manager like Bitwarden. If you do that and never open it again, continuing either coming up with weak passwords that you can remember or saving them in insecure places, of course, that's not good. You need to grow a habit of using a secure vault and generating crazy, random passwords and storing them in that vault. So if you read something, do it immediately/ASAP.

I can also suggest regularly being around people who care about the issue. Aside from giving you advice, they'll help you foster the mindset you need to keep going. For me these are just my friends. I don't have specific recommendations for this, maybe there're some Mastodon instances dedicated to the topic.

Soooo yeeaaah, very broad question. Maybe you have some specific needs so I can give you specific tips?

[lakes]

Some tips:

• Use a dedicated password manager instead of the one in your browser or the same password every website. An offline encrypted password manager is less likely to be hacked, which is why people recommend Keepass & its many variations. But a cloud-based password manager can also be encrypted & makes it easier to sync passwords between devices. If you do use a cloud-based password manager, avoid LastPass as it's had multiple data breaches.
• It's debated whether open source or proprietary software are more secure. But most people who take security seriously use open source software where they can. The argument for proprietary software is "security through obscurity" which means theoretically security vulnerabilities are less likely to be exploited because they aren't as well known, but usually it just means that the security bug will require additional hacking to find. Open source code lets developers not affiliated with the program audit the code which makes bugs easier to fix, especially if the unaffiliated developer decides to contribute, but the bugs are also more known about it & thus easier to exploit.
• Open source software is also less likely to sell your data than proprietary software. But it isn't always a guarantee.
• Use a firewall.
• Use a ad/tracker/content blocker. Ad blockers often come with built-in malware filters, ignoring the malware you can get from clicking on ads.
• There are also DNS & VPN providers that offer malware filtering like Mullvad VPN, Mullvad DNS & Libre DNS. DNS just means Domain Name System and looks up domain names to tie them to an IP address. You can change your DNS from your local ISP by going into your browser settings, using a program like NextDNS, or on Linux, configuring your Network Manager.

[Shay]

I major in it and I'd suggest starting in IT if looking for a career (looking at places like reddit for career advice), for hands on work with tools I'd say try participating in Capture-the-flag challenges will really help learning offensive tools and stuff like forensics and reverse engineering. Other than that I also would take advantage of stuff like TryHackMe's free tier to get a taste of learning stuff and HackTheBox too! There's tons of things in the vast world of cyber so find what fits best whether offensive, defensive, engineering, etc! 

[Dan Q]

I've worked in cybersecurity and "adjacent" disciplines for ages; so long that any specific tips I could give would be useless, because my journey to this point is no longer the best journey for a newcomer.

(I'm not even sure it was the best journey for me... too many run-ins with the authorities when I was young and stupid...)

But here's my broad philosophical thinking. The best security engineers I know learned from an "offensive first" mindset. You can learn how to play defence, and you should - e.g. if you've got a Web focus, start with the last few OWASP Top 10s until you understand them deeply - but it's only by playing offence that you learn to develop a "hacker mentality" and begin to do the kind of thinking-outside-the-box that makes you the best cybersecurity expert you can be. It's the same, I guess, as how all the best programmers I know don't credit what they learned in the classroom or even at their job as the most-important to their development but what they learned for fun.

How do you build that? Start using things for what they're not designed for. Start taking things apart. Start breaking into things...

Learn to reverse-engineer software. Learn to exploit security vulnerabilities. Learn to pick locks. Learn to identify file types and protocols without knowing their extension or port, by examining their raw data. Learn to cheat at video games by editing the save games, then graduate to editing the values in RAM as-you-play. Learn to brute-force the bad password on an encrypted document. Learn to intercept network requests in tcpdump or Wireshark or Tshark. Learn to issue your own SSL certificates and tell an OS to trust them so you can decrypt traffic that goes through your computer. Learn to scan the ports of a remote system and work out what it's doing. Challenge yourself to feel the outside of a thing and work out how it must be constructed inside (did I mention picking locks? it's great discipline for the mind!).

But do it ethically. Don't break into anything you don't have permission to. The easiest way to do that is to make things yourself and them break them, but that's not always easy. Fortunately some folks nowadays make "break into me" kind-of puzzles: systems you're encouraged to hack.

And, all the way along, ask yourself: how could I have built this better? How could I have made this system so that somebody-like-me couldn't have broken into it. That's the offensive-security path to enlightenment.

Learn your history: start with e.g. Things Every Hacker Once Knew by Eric S. Raymond. Feel the era of The Conscience of a Hacker by The Mentor. Dig up a copy of Cuckoo's Egg by Clifford Stoll. Understand what Cory Doctorow is complaining about, even where you don't agree with him. Agree with what Bruce Schneier is concerned about, even where you don't understand him.

That's how you learn professional cybersecurity, in my mind. You break into things (ethically). You teach yourself how things work by taking them apart. And you work out how you'd build them differently, so that somebody like you couldn't have broken them in the first place.

[Rubbereon]

@lakes @poesu
I think the text and title of the post gives away that they meant actual cybersec, not just staying safe online. I think you misunderstood what op asked or just didn't read anything they said besides the title.



Anyway, if you are interested in cybersecurity, there are some tools you might wanna use, namely wireshark to check your packets and a sandbox utility like virtualbox or any.run to test software and figure out if it's malware.

Hold on, while I'm at it, I might as well compile a list of tools that might interest you if you wanna learn cybersec.

Wi-fi, packets and http stuff

• Wireshark
• Nmap
• Intercepter-NG
• NetworkMiner

Sandboxing and testing

• Virtualbox
• VMware
• Any.run
• https://github.com/kevoreilly/CAPEv2
• https://github.com/CERT-Polska/drakvuf-sandbox/

Fixing and repairing damaged filesystems

• System internals by Microsoft (if on windows)
• SystemRescue and Ddrescue (if on linux)

For testing webservers specifically

• ModSecurity
• Cloudflare radar
• Apache JMeter

Fyi these lists are non-exhaustive, there are many more security tools on the internet.

Also any tools hackers use are tools you will need to know if you wanna work in cybersecurity because the point is to check how to prevent them from working on someone's site, software or computer. For example, if let's say gmail is susceptible to dictionary attacks, then google might hire you to mitigate the risks, so in order to properly test how badly they are affected by those types of attacks you will have to perform them yourself to see and afterwards offer them fixes.

For obvious reasons I'm not gonna mention any of them by name, but you should come across them if you really are interested in cybersecurity.


Cybersecurity researchers also use websites that document exploits like cvedetails.com and cve.org. Those are not the only ones, there are many websites that document CVE's and you should probably bookmark a few of them.