Ask HN: How can I learn computer security?

181 points by boniface316 over 7 years ago
I am taking some data science courses. Is there any link between data science and cyber security? And where can I learn cyber security stuff?

30 comments

artie_effim over 7 years ago
Cyber pro here - 5 years doing IV&V testing, 15 years as Fed, State and Local contractor, now a firewall admin at a major U.S. uni. I got an NSA accredited (https://www.nsa.gov/resources/educators/centers-academic-excellence/cyber-defense/) Master's in IT with a specialization in security. While the degree got my foot in the door (I have a BA in Arts - but have been messing around with computers since the early 80's - plus a lot of self taught stuff) - I've found that a ton of side reading (anything related to the subject - I spent a lot of time on the RFCs - that stuff I use every day), looking at PCAPs to understand the protocols and reading case studies are the best way to hone the craft.

For a while I was doing Governance, Risk and Compliance (GRC) work, but have always loved being a network security engineer, so I went back to that.

Also - I have a CISSP, which opens a lot of doors. I know that it is being knocked a bit nowadays, and there are certainly some who are test knowledgeable but have no hands-on, common sense experience. I still find it valuable enough to maintain.

Set up a lab - 2-4 computers and a switch should do (you could virtualize some/all of it) and work on all aspects of the TCP/IP stack if you're interested in netsec.

If appsec is your thing, spend a lot of time looking at good and bad code, plus reading on-line of good and bad appsec.

If GRC is up your alley - read NIST 800-53, HIPAA, PCI-DSS, SANS Top 20 and GDPR - to understand the full breadth of controls and risk mitigation.

As far as data science, Python and pandas are all over the industry, R not so much. There is a big push for ML/AI work, but it might be snake-oil, time will tell. I use a lot of Python and pandas for log and flow analysis.

Also - learn Linux CLI; grep, sed and awk can save your butt in most situations. Gray beard stuff will come later.

Good luck!

<edit - word choice>
santiagobasulto over 7 years ago
Let me tell you one thing, it's going to be tough. Cyber security is one of the fields of IT that requires the most deep knowledge of how computers and networks work. So, be aware of that. It's like, when someone is asking how to build a game, and the first answer is: learn a lot about Math and Physics. This is the same thing.

Recommended path:

1. CS Basics (concepts)
Conceptually understand how computers work, how interpreters work, compilers etc. You're probably past this point.

2. Low level programming
Basically C, but pay attention to the OS APIs (posix, win32). Make sure you understand the fundamentals of memory management, procedures, threading, etc. You need a lot of C knowledge.

3. Networking [0]
You basically need to know by heart all the TCP protocol. I have a friend who's incredibly successful working in security and he knows each bit in each packet in a TCP connection. He can just recite it. Once you know about networks, start throwing code at them. See if you can push the wrong bits to a switch, or if you can access some other process's network stack, etc.

4. Web standards
Basically, how the web works. Once you're past that: Apache and Nginx. You have to know them in depth.

5. Known threats and vulnerabilities
In this process you'll know that there are many exploited issues that have been resolved. But you should study from them. For example, Heartbleed. Would you have the knowledge to find Heartbleed? You should also practice with every other security threat known like XSS, SQL Injection, etc.

[0] depending on the security field, you might not need such advanced networking knowledge, this is just a general recommendation.

This is just my recommendation, I'm more of a purist, and I have a lot of respect for cybersecurity people.

Source: +10 years programming, I have a good friend making A LOT of money as a private security contractor and we speak about this all the time.
altharaz over 7 years ago
"Is there any link between data science and cyber security?"

Data Science might be useful if you want to work in Security Information Management or in malware analysis: big companies try to identify "weird behavior" in their networks, based on "normal behavior" records.

"Where can I learn cyber security stuff?"

Well, that depends on the stuff you are interested in...

You should focus at first on learning "system administration" and at least a programming language like Python or Ruby. Network protocols would also be a bonus.

Then, if you want to learn "offensive techniques" or "penetration testing", I suggest that you try websites like RootMe https://www.root-me.org/?lang=en or Cryptopals cryptopals.com.

Once you have solved some of these challenges by yourself, you'll be able to try the "industrialized approach" of penetration testing. For this, this book is quite cool: https://www.nostarch.com/pentesting.

If you're more interested in "defensive techniques", you have tons of resources online.

For instance:

Secure Coding Best Practices:
- https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide
- https://security.berkeley.edu/secure-coding-practice-guidelines

=> These documents will help you to understand what the main risks are in your apps

For "general" cybersecurity:
- ISO27001 standard
- The NIST Cybersecurity Framework https://www.nist.gov/cybersecurity-framework
- PCI/DSS
- https://www.us-cert.gov/

=> These documents will help you to understand what the main risks are in an organization based on their assets.
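
The "weird behavior" versus "normal behavior" idea from the comment above, sketched as an added example that is not part of the original post: each host gets its own baseline (median and median absolute deviation of outbound bytes per hour), and new observations are scored against it. The host names, byte counts and the 3.5 threshold are constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow summaries: (host, hour, bytes_out). Not real traffic.
BASELINE = (
    [("ws-01", h, b) for h, b in enumerate([1200, 1350, 1100, 1280, 1420, 1190, 1310, 1250])]
    + [("db-01", h, b) for h, b in enumerate([50000, 52000, 49500, 51000, 50500, 49000, 51500, 50200])]
    + [("printer-01", h, 300) for h in range(8)]  # perfectly constant device
)

OBSERVED = [
    ("ws-01", 8, 1330),       # ordinary for this workstation
    ("ws-01", 9, 48000),      # ordinary for db-01, far outside ws-01's baseline
    ("db-01", 8, 50800),      # ordinary for the database server
    ("printer-01", 8, 300),   # matches the constant baseline
    ("printer-01", 9, 9000),  # constant baseline, then a jump
    ("kiosk-07", 8, 700),     # host never seen during the baseline period
]


def build_baseline(records):
    """Return {host: (median, MAD)} of bytes_out; MAD is robust to outliers."""
    per_host = defaultdict(list)
    for host, _hour, bytes_out in records:
        per_host[host].append(bytes_out)
    profile = {}
    for host, values in per_host.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        profile[host] = (med, mad)
    return profile


def score(profile, host, bytes_out, threshold=3.5):
    """Classify one observation with the modified z-score 0.6745*(x-med)/MAD."""
    if host not in profile:
        return ("no-baseline", None)      # nothing to compare against
    med, mad = profile[host]
    if mad == 0:
        # Constant baseline: the z-score is undefined, so any change stands out.
        if bytes_out == med:
            return ("normal", 0.0)
        return ("anomalous", float("inf"))
    z = 0.6745 * (bytes_out - med) / mad
    return ("anomalous" if abs(z) > threshold else "normal", round(z, 2))


def detect(profile, observed):
    """Return (host, hour, verdict) for every observation that is not normal."""
    findings = []
    for host, hour, bytes_out in observed:
        verdict, _z = score(profile, host, bytes_out)
        if verdict != "normal":
            findings.append((host, hour, verdict))
    return findings


if __name__ == "__main__":
    for finding in detect(build_baseline(BASELINE), OBSERVED):
        print(finding)
```

The same 48000-byte hour is normal for db-01 and anomalous for ws-01, which is why the baseline is kept per host rather than network-wide.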
indigochill over 7 years ago
Security fundamentally is just "the art and science of how things work". Breaches in security are caused by malicious actors finding vulnerabilities in trusted systems, such as when Chinese webcams shipped with default credentials which made it trivial for the Mirai botnet to take them over and acquire so many devices that it could DDoS Dyn.

Towards that end, just about anything you learn can be applied in some way towards security. The conventional recommendations others have made will get your foot in the door, but ultimately security is a lifestyle of never-ending learning and imaginative reasoning about systems.

So to directly answer your questions, yes, there are links between data science and security (others have mentioned its use in things like malware research, but going the other way it's also important to store your data securely to prevent theft, destruction, or tampering) and you can learn something about information security pretty much anywhere in-depth information about computers is taught. Which information is relevant to your interests will just depend on which aspect of security is of interest to you.
emiliobumachar over 7 years ago
I highly recommend the online Cybersecurity Specialization of the University of Maryland on Coursera.

(disclaimer: I didn't pass the Capstone project, and never got around to trying it again)

Back then it was free if you didn't need a certificate, may still be.

https://www.coursera.org/specializations/cyber-security
aknoob over 7 years ago
The very first thing that you need to do is to pick a software stack, ideally open source, and then learn how that software stack works bottom up. Learning how a Linux application works might be a good starting point if you are totally new.

There are multiple layers involved here and really understanding each one would take time.

Next would come understanding browsers; a browser, although it is an app, is a world in itself. How an HTTP request flows through a browser, how an HTTP response is rendered, what the various layers involved are. TCP/IP stack to physical layer, wifi/usb. It is extremely vast and very interesting.

And once you have gained enough experience, you will be able to clearly see the similarities and differences between various software stacks, both bottom-up and top-down, right from hardware level to your application's code and vice versa. And then reasoning about security of the stack at various layers would become straightforward.

In terms of conferences, I find the Blackhat (http://www.blackhat.com/) Conference is a very good source for keeping oneself up to date with the world of security (including applying Data Science to Security).
stoneridge over 7 years ago
http://mooc.fi/courses/2017/cybersecurity

"Cyber Security Base with F-Secure is a course series by University of Helsinki in collaboration with F‑Secure Cyber Security Academy that focuses on building core knowledge and abilities related to the work of a cyber security professional. The course series is free and open for anyone to attend."
vog over 7 years ago
If you want to get a really deep understanding, study computer science (e.g. bachelor/master) [1], then specialize by taking all security courses that are offered. Not only will you get a deep understanding of the topic, you will build on solid fundamentals, as well as have people (professors, assistants, trainers) who you can ask anything.

[1] Of course, you can do this freely only in a country that remotely cares about the education of its citizens (e.g. most European countries, where you can go to university for a few hundred Euros per year). Otherwise, the risk of a huge debt is probably not worth it.
kalimatas over 7 years ago
https://www.hacksplaining.com/
hackermailman over 7 years ago
This is a good course

https://www.cs.cmu.edu/~213/schedule.html

Buy the 3rd version book (used) and then try the labs as you go through the lecture vids/chapters http://csapp.cs.cmu.edu/3e/labs.html but avoid the 'global edition' as it's filled with errata, or just know there are mistakes.

You will learn assembly/C and also Return Oriented Programming, stack protections and how they work, buffer overflow attacks, implicit casting grenades, cache optimization, how the linker works, etc. Then you sign up for that old Matasano CTF https://microcorruption.com/login

When you complete it apply to NCC Group who I believe now owns microcorruption. Start at the bottom, work your way into a policy/advisory role somewhere else after gaining experience and applying for certs https://ciso.eccouncil.org/ Having data science experience is likely helpful since you can produce shiny presentations that board rooms like to see when you become their CISO
trapspring over 7 years ago
If you are a veteran or a federal employee, the Dept. of Homeland Security offers free online courses in network security. The program is very networking specific and you'd have to pay for any certification testing yourself, but the courses will help take you a good chunk of the way in terms of prep and learning. https://fedvte.usalearning.gov/
cschmidt over 7 years ago
Since no one has mentioned it yet, Capture the Flag contests (CTF's) can be a good way to get into security. They are online contests featuring a series of security related puzzles.

They are hosted by lots of different groups at different levels. There are CTF's aimed from high school through the DEFCON CTF. This is a directory: https://ctftime.org/
urahara over 7 years ago
I'm using Cybrary, it is a free and open source for learning cyber security: https://www.cybrary.it/
twoquestions over 7 years ago
One question I have along with the very good question from the OP, do larger companies and governments actually *care* about security, or are they more interested in doing the proper dance and checking the right boxes to not be held responsible when they're hacked?

It seems irrational to want to learn how to secure systems when their owners don't care about it (and won't pay to secure them) if the risk can be transferred to other parties. I'm sure there's a few organizations that care if their data are stolen, but by and large it's a cost center, and treated accordingly in my experience.
brudgers over 7 years ago
Probably the most serious route to serious cyber-security training is via a military rating. At the state level the stakes and threats are highest.
lrvick over 7 years ago
Get involved in an active community full of security professionals and learn hands-on helping to secure open source projects.

There is no replacement for mentorship and getting your hands dirty with real world systems.

I will now shamelessly plug the community I learned the most from: https://hashbang.sh
ajr0 over 7 years ago
Yes.

Data Science can be applied in many different ways. (Somewhat) recently LightCyber was acquired by PANW [0] and I believe that if you are in data science that may be something that tickles your itch.

If I may give advice, asking a more specific question to a search engine may also get you on a path with additional information. 'Cyber security' is a pretty large umbrella and much of it may bore you while only a small handful is interesting... so try to be more specific rather than say 'stuff'.

[0] https://www.paloaltonetworks.com/products/secure-the-network/lightcyber-behavioral-analytics.html
perlgeek over 7 years ago
What do you want to learn? Network security? Application security? Secrets management? Security operations?

I'm sure there are fields where data science is useful, like anomaly detection, malware classification etc.
sectossaccount over 7 years ago
Just created this account so that I could comment, and stay (reasonably) anonymous. I'm the CTO of a reasonably well known security company, for what it's worth - and I've been doing this for a little over two decades in a few countries.

This first misnomer is that there's one security thing. There are several. The offensive security folks (penetration testers) are far different than the advisory folks (think PCI, HIPAA). Vulnerability scanning, SOC (Security Operations Centers), secure development, and more - it's a wide field. The first thing to ask yourself is "what does security mean to me, and what do I want to do with it".

Given the first part of your question, I'll assume you're interested in software-based security (development) as opposed to infrastructure (network security, physical security, systems security), or the offensive side.

On the other hand, if you just want to 'get into security' - then learn a little bit about networking, and go find a job as a 'Network Operations Engineer' or 'Security Operations Specialist'. These are fairly low-level jobs in the security industry, that can serve as entry points, and help you learn about the other parts of the industry in depth, whilst getting paid.

Echoing what @santiagobasulto and others have mentioned.

1. CS - Understand how software works, not just how to code, but how things happen on machines. What are CPU registers? Write some assembly - nearly every single week my staff uses assembly to test an exploit. It's one hell of a lot easier to make a good developer a decent security professional than the other way around - just trust me on this.

2. Take philosophy and propositional logic courses - Good security folks are terrific critical thinkers. They learn to understand what risk means, and how to contextualize it for an organization. In other words the approach to risk and tolerance is completely different for Home Depot than it is for Evernote.

3. Learn Software Testing (not Quality Assurance). Combining this with critical thinking means you can start to pick apart software, even networks, from varying vantage points. If you combine this with your CS knowledge, it can really help you understand how to attack an application, or an organization.

4. Build a lab out of cheap, garbage hardware. For about $300-500 you can get 4 servers on Kijiji that can be used to run OpenStack and VMWare. Get a physical switch, ideally something with a TAP port (but you can replicate with VMWare easily enough). Create VMs, play with things like Security Onion, create and destroy networks - use traffic generators... have a great time.

5. Read about standards - it helps to understand what NIST is for, what CVEs are, CWEs, OVAL. Explore a few vulnerabilities (CVEs), and understand what they are, why they matter, how they apply. Then grab a copy of Nexpose Community Edition, and scan your lab - play around.

6. Rebuild your lab, iterating on what you've learned above.
wepple over 7 years ago
OP: you’ll find you got a very vague, broad range of answers. I think it might help if you try to find a subset of security that you’re interested in or would like to tackle.

It’s very hard these days to be a complete and effective generalist in security, let alone be good at a range of security stuff while also being great at data science.

I’d consider focusing on appsec for a year, get a job attacking or defending apps for a year, and then you’ll have a basic understanding of the problem space.
lvh over 7 years ago
That’s a short question with a complicated answer. I’m traveling right now, but you should shoot me an email and I’ll help you get started. Address in HN profile.
video-host over 7 years ago
Check out https://pentesterlab.com/bootcamp/
redsec over 7 years ago
In addition to the great resources people are sharing, Security+ and CSA+ from CompTIA can be great certifications (vendor neutral and inexpensive).
grajaganDev over 7 years ago
If you are interested in web pentesting, learn to hack Webgoat and DVWA. From there go after live sites via a bug bounty platform (I like Bugcrowd.)

It is hard to overstate the value of the chance to test (and demonstrate) your skills against a live production site.
Fundlab over 7 years ago
https://www.edx.org/micromasters/ritx-cybersecurity
godelmachine over 7 years ago
Would anyone please revert a name of a book that may probably help here?
_spoonman over 7 years ago
Is the OSCP certification worth it?
vectorEQ over 7 years ago
low level programming / radio. try not to cry ;)
CodesInChaos over 7 years ago
Start by forgetting the word *cyber*.
digitalzombie over 7 years ago
> Is there any link between data science and cyber security?

There's... a company around LA area that does cyber and data science. I would think they apply data science to logs and such to figure out abnormality. Likewise if you count email spam detection as a cyber security thing.

For cyber security, take Network+ or just grab a Network+ book. I believe that's where you should start first in cyber security.