What’s the best way to get started learning about computer security?

Here is a question I answered on Quora.
First of all, commitment. Learning anything well enough requires time, patience and dedication. Make sure you have all three.

The best learning often is by listening. As Kurt Wismer suggested, find a good community and start from there. A reputable source is www.Sans.org – [Look under the Resources tab]. They have an excellent reading room. You might also want to search for forums. The learning that you will get from forums perhaps cannot be matched anywhere else.

Observe, Google newbie/noob terms, read definitions and absorb all you can for a couple of weeks in forums. Learn to differentiate who is an expert and who is a troll. Avoid the “Me too!” (or nowadays +1) type posts.

If you are going to ask a question, make sure you have made the effort to find the answer yourself before asking. Make your question and your time count.

You will need to do a lot of reading. This is a must. So make sure you have a lot of ‘My-time’ available to you. The fewer the distractions, the better.

I will be brutally honest: you can torrent a lot of these security books; there are literally 1000s of them.

You will need a small network and spare computers to practice on. Old machines will fare well, and it also helps to have a machine powerful enough to run a VMware/Xen Server, so that you can run various operating systems in virtual environments.

An old Cisco router and preferably a managed Layer 2/3 switch will definitely help. An old machine to be made into a firewall (Linux) will also help.

Don’t try to recreate the lab as seen on Fringe! You can only work on a single keyboard at a time.

Don’t be overwhelmed and try to do everything at once. The first goal is to be a ‘tiny’ Jack of all Trades, i.e. know about all the different niches/verticals within the Computer/Network Security umbrella.

Your proficiency in networking, switching and OS (Linux, Windows) will need to be polished for sure. We all assume that we know it all, but we don’t. There is no shame in going over the basics all over again, as a refresher and to get some slipped concepts clear.

YouTube has quite a few 1000s of tutorials on various aspects, facets and specific micro-niches pertaining to computer/network security. They come in helpful many a time. The same goes for basic learning: YouTube can come in really handy when you want a quick visual description of, say, “What is a Layer 2/3 switch?” – when you want someone to explain it to you in 2-5 minutes.

You will definitely need to be organized, both with time (devote only so much to training, so much time to lab work and so much time to reading) and with the digital side. Bookmarking every website you come across on security is fine, but organize it, classify it and then save it. Don’t just go on a spree of collecting all the programs/apps, eBooks or white-papers if they will just be collecting digital dust in your computer. It is great to save them, but it is very easy to be overwhelmed and lose concentration/direction.

Mentors are the biggest assets. You definitely want to find them in your area of specialty. Follow them on Twitter, Facebook, on Forums, and try to interact with them. Give respect and you gain much more in return.

Needless to say, if opting for Computer/Network security, a great command of ethics is also required. Be sure to understand the ethics side of this field, as well as (if you can spend some time on it) the legal aspects of this field and its repercussions, etc.

And since I have touched upon Ethics, I find it important to spell it out: do not do anything on a network/computer that you do not own physically (including the route to it). Just because you have a server co-located at a datacenter does not mean you own the route and networking gear leading to that server. Do not do anything that can spell trouble for you later on. In the security arena, there is a saying:

– When in doubt – Don’t!
– When in doubt – Ask!

Doing any sort of computer or network activity outside a network and computer system you physically own can cause a lot of serious legal trouble for you. Being oblivious to the laws would not be an excuse. So, please do not do anything silly/stupid or even ‘educational’ on public or semi-public networks.

Many people (especially professionals) delve into the security field without truly understanding the time and patience it requires to become someone worthy of making a decent/significant living off it. Reputation building is also a very important criterion. Do keep that in mind.

Whatever area you do choose, many will be compelled by policies, or perhaps even something as crude as ‘because everyone does it this way’, to require that you have some form of professional qualification in your area of speciality. Certifications are immensely important (regardless of whether or not you agree with having a piece of paper that says you are qualified). What matters is that the person who wants to write you a paycheck every month deems certification an extremely important document.

You need to time, measure and pace yourself and your study towards a goal of certification. There is no shame in trying for an exam only not to pass it. This is not life or death. It’s just a test. Practice, Practice, Practice, and try again. Certifications can get expensive, so you will need to take that into consideration.

Finishing off, I’d like to give you my experience of how much time it will take. To be professionally qualified, spending 3-4 hours a day, and to build your reputation, have an association with mentors or other professional colleagues who can act as references for you, etc., you are looking at 18-24 months.
