Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Learning Computer Security

Learning Computer Security

About This Guide

This is an opinionated guide to learning about computer security (independently of a university or training program), starting with the absolute basics (suitable for someone without any exposure to or knowledge of computer security) and moving into progressively more difficult subject matter.

It seems that most people don't realize how much information is actually available on the internet. People love to share (especially geeks) and everything you need to become well versed in computer security is already available to you (and mostly for free). However, sometimes knowing where to start is the hardest part - which is the problem that this guide is intended to address. Therefore, this guide can accuratley be described as a 'guide to guides', with additional recommendations on effective learning and execises, based on my own experiences.

Many of the free resources are the best resources and this guide focuses on them. It is intended to provided a comprehensive plan for learning about computer security as inexpensively as possible. However it's not completely free. As the guide moves onto more complicated materials, more 'non-free' resources are referenced, as they become some of the best available sources of information.

The introductory & intermediate sections contain materials & recommendations that I considered to be fundamental knowledge for any computer security discipline. They are oritiented towards more 'practical' knowledge and hands-on learning than the latter sections, which delve more deeply into the necessary theory (but are also accompanied by recommendations how to get practical experience).

One of the things I realized while writing this was that by the time someone got to the advanced & expert sections, this guide will be of little use as they'll know enough about computer security to know what they need to study on their own. Those sections are intended more of us a 'look-ahead' for a novices, to give them some exposure of what they're getting themselves into.

Getting Started

Computer Security

Some intresting articles on getting started in computer security:

Learning Effectively

Learning computer security is a huge endevour. There is lots of research on 'optimal learning' techniques.

Time Management

Because there are so many materials to study, I recommend taking advantage of your 'dead-time.' With some basic tools, you can study at the doctor's office, while waiting in the car, on breaks at work, etc.

The basic requirement is a reading device. A used kindle can be picked up off craigslists for as little as 25$. A brand new kindle fire (which you can read books on and play training videos) is currently 99$ brand new off amazon.

If you can, get a device and preload it with the books and videos referenced below. Keep it with you at all times and get accustomed to studying whenever an opportunity presents itself.

If you find that you have lots of 'dead-time', then a good addition to your 'portable training kit' would be a small-form-factor notebook running linux. These can be had for as little as 50$ off craigslist. A slightly more expensive option (but with much better hardware) would be to get a new chromebook & install linux on it.

Practice

Hands-on experience is the cornerstone of learning computer security. This can come in many forms. This guide provides the several recomendations as effective ways to gain this experience:

  • The introductory section focuses on getting familiar with virtual machines and windows-alternative operating systems to accomplish this task.
  • The intermediate section provides several suggestions for various tasks that build on this knowledge.
  • The advanced and expert sections focus on gaining this experience through ctf challenges.

Introductory Level Learning

The introductory learning section focuses on exposure to alternative operating systems & learning about fundamental networking technologies. These are required skillsets for any discipline in computer security.

Before we move onto any advanced concepts, we first need to get familiar with virtualization, the some windows-alternative operating systems, and basic networking concepts. This can take quite a bit of time and there are no 'definitive' goals, which can be frustating for goal-oriented minds.

Desktop Virtualization

Get comfortable with 'virtual machines.' You're going to need to work on lots of systems - playing with internals, breaking them, setting up labs etc. Desktop virtualization is one of the most resource-efficient way to make this happen. The following are some resources on getting this process started.

Networking Lab with Virtual Machines

Networking is about 'how computers commmunicate' and to get hands on experience, we need to have multiple computers at our disposal that can be reconfigured quickly. The most effective way to do this is with light-weight virtual machines. I recommend having a desktop or laptop with at least 8GB of memory (16GB preferred) and a solid state drive (128GB+) that will run virtualbox. The solid state drive will greatly improve the performance of this sytem when working with multiple virtual machines.

We can leverage very minimal operating systems with minimal amounts of RAM on our host system to run lots of these simultaneously and construct virtual networking labs.

I recommend experimenting with openwrt. OpenWRT is a lightweight linux distrubtion customized to run on networking hardware. However, we also run OpenWRT in virualbox relatively easily with minimal resources, to get some more in-depth hands-on-experience with networking fundamentals. A guide to running OpenWRt in virtualbox is available here.

Cloud Virtualization

I recommend setting up a 5$/month virtual server using digitalocean. This provides a basic introduction to command-line only access to an operating-system as well as a test bed for playing with server configuration. Be aware that this server is "on the internet" anyone can get to it and without the proper knowledge of how to secure it, it will be vulnerable and potentially get compromised. Until you are comfortable in your knowledge of linux and how to secure a server, I would not store any data on this machine that you wouldn't hand out freely to anyone. This machine, like any other virtual machine, can be rebuilt easily and on demand, which is ideal for learning on.

DigitalOcean provides various tutorials that are practical in nature and provide some immediate, hands-on exposure to the basics. Some good starting materials are:

Man Pages

One of the most important tasks to learn at this point is how to find information. Take care to become very familiar with the linux man page documentation. Learn how to search the documentation and how to find the information you're looking for - this will be one of the most valuable resources at your disposal.

Remember to read the following:

man man
man apropos

Reference Materials


Intermediate Level Learning

The intermediate section delves deeper into more funadamentals, heavily focused on the linux operating system, additional tools, and basic scripting (programming in high-level languages), which is an essential skillset for any any discipline in computer security.

Things To Do

  • Study & monitor your shell server logs. Figure out how to identify malicious traffic and ensure that it's being blocked.
  • Setup a cloud server and secure it.
  • Setup a command-line irc client on your cloud server and run it in a persistent shell. Familiarize yourself with irc.
  • Setup a command-line mail client on your server.
  • Setup pgp with your command-line mail client.
  • Use your shell server to tunnel traffic through an SSH proxy.

Reference Materials


Advanced Level Subjects

The advanced materials branch into advanced level subject areas. Typically, a career in computer security will require only passing knowledge from all these areas, with an in-depth knowledge of those areas specifically related to a particular career field.

Challenges

The following two 'challenges' are security related and require 'thinking outside the box'. I consider them to be a good introduction to computer security.

Subjects

Networking

The Linux Operating System

The Windows Operating System

Open-Source Software Development Tools

Assembly Language

Computer Architecture

Network Security

Web Application Security


Expert Level Subjects

These materials dive deeply into the most advanced topics in computer security.

Challenges

Subjects

Computer Forensics

Cryptography

Exploitation & Vulnerabilities

Reverse Engineering

Advanced Python

Penetration Testing

Malware Analysis


External References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.