Level 3 -- The Amateur

Finally! Here we are at the next step in our learning journey with Level 3 -- The Amateur. At this point, you must have completed all of the training from the previous two levels. You CANNOT start here. This is not the first article and if you attempt to jump in at level 3, I can promise you that you will be frustrated if you haven't yet built your foundation. So please, visit the other two articles and work through that training first. You won't ever regret obtaining training and building your knowledge and skills. Don't take shortcuts!

Level 1 -- Noob:

https://www.dhirubhai.net/pulse/level-1-noob-mic-merritt-/

Level 2 -- Beginner:

https://www.dhirubhai.net/pulse/level-2-beginner-mic-merritt/


So far in the series, you've learned digital basics and operating systems, got hands-on with Linux, mastered the Windows command line, jumped into virtual machines and built your own home lab, explored system administration, learned about networking and dug into packets with Wireshark and tcpdump, and started working through TryHackMe rooms. At this point, you should have a solid understanding of various technical fundamentals related mostly to information technology. You have completed a little over 400 hours of training, secured your first role in the IT realm and even have a couple of certs under your belt too, especially CompTIA Security+. If none of this is true or you're confused here, you might have skipped a couple of steps and need to backtrack to levels 1 and 2; see the links above.

For everyone else, it's time to move into more cybersecurity-focused content. The goal for Level 3 -- Amateur is to prepare you specifically for cybersecurity-related work roles. This means you will be combining your training and knowledge with hands-on skills and experience.

Do realize, you are never going to be done learning. There is always something more to learn, new technology, new guidance, new regulatory requirements, and changes to how we do things as the field grows and matures. Plus, you might need to revisit things you've learned previously, either to expand into unexplored aspects of those areas or to refresh your skills and knowledge. Getting into the mindset of continuous and constant learning is important if you want to keep growing your career in the fields of IT or Cybersecurity.

That said, it's absolutely critical you create a balance between your studies and everything else in your life. It's important to keep studying, learning, and practicing your skills -- but you also need to sleep, eat properly and exercise, spend time with family, and maybe even spend time doing nothing at all. You can bookmark this article to come back to it anytime, there's no need to rush through it. When you're ready -- the learning will still be here.

TRAINING

So, let's start with the next bit of training we need to hold the Amateur title.

1) Cryptography Basics

We use cryptography to protect information on digital systems. Thus, you need to understand some of the protocols and algorithms involved. We're going to stick with the basics here focusing on stream and block ciphers, message integrity, and basic methods of key exchange including Public Key Infrastructure (PKI).

a) Book. First, you'll want to download a copy of the book -- "A Graduate Course in Applied Cryptography" by Dan Boneh and Victor Shoup. Don't let this title scare you, we're going to stick with the basics, but having this book available can be helpful to you as you keep learning throughout your career.

Get it here: https://toc.cryptobook.us/

b) Course 1. Our first course is an "Introduction to Applied Cryptography". This course is a non-mathematical introduction and doesn't go very deep into cryptography. It's enough to get you curious and to start thinking about how we use cryptography in everyday applications. Enroll here: https://www.coursera.org/learn/introduction-to-applied-cryptography

c) Course 2. Our second course in cryptography is a bit more in-depth and focuses more on the theoretical side of cryptography. This one is paired with the book you downloaded, or at least the first part of the book, because we're not going in that deep!

Enroll here: https://www.coursera.org/learn/crypto

2) Web Application Security

Look, web applications are everywhere. You're using one right now! Every single one of these web applications is potentially vulnerable to attack. Data has value and that means web application security is crucial. Now, you could certainly follow this web application security training down deep into the weeds and eventually find yourself working as a web application penetration tester in a couple of years. For now though, we're just going to get some basics down, learn about web application vulnerabilities, and how we can test and protect web applications.

a) PortSwigger. My absolute favorite place to learn about web application security is PortSwigger, the creators of the Burp Suite tool. Not only is their training free, well put together, and easy to follow, but they went ahead and built in some labs along the way too. You'll need to sign up for an account and then start working through the Web Security Academy learning path. Your goal is to work through the server-side and client-side topics and all 52 apprentice-level labs, which will earn you the apprentice title. Feel free to continue on to the practitioner content if you're enjoying the material, and some of you might even want to challenge the Burp Suite Certified Practitioner exam! It's just $99, but it is quite the challenge, so definitely take your time learning the material first!

b) OWASP Top Ten. You will also want to check out the OWASP Top Ten direct from the source. You learned a bunch about this already as you were working through the PortSwigger material, but checking out the project is a good idea. You don't need to memorize the Top 10 list, though you certainly could do so. Instead, you want to get familiar with this website. Look at the scores, impacts, and CWE mappings.

Website: https://owasp.org/www-project-top-ten/

c) OWASP Cheat Sheet Series. The last thing I'll suggest in this section is the OWASP Cheat Sheet Series. This is a collection of information on specific application security topics in an easy-to-read Markdown format, and the project includes a GitHub repository. If you've enjoyed exploring web application security, you'll love this additional content.

Cheat Sheet Series: https://cheatsheetseries.owasp.org/index.html

GitHub: https://github.com/OWASP/CheatSheetSeries

3) Mobile Device Security

Mobile device security has to do with protecting sensitive information stored or transmitted on the devices we can carry around with us. Since there are a ton of potential threats to these devices, it's important to know more.

a) ISC2 Members, Option 1. If you're an ISC2 member, I'll recommend the "Mobile Security from Every Angle" course as a great option to learn more about mobile security. Note, you do have to be a member of ISC2 to take this course for free, but it does come with 2 CPEs as well, so totally worth it! Enroll here:

https://www.isc2.org/Development/Express-Learning-Courses/Mobile-Security-from-Every-Angle

b) Non-ISC2 Members, Option 2. Not an ISC2 member, or just want to learn more? LinkedIn Learning has a great course on Mobile Device Management from Ryan Spence that you can check out here:

https://www.dhirubhai.net/learning/learning-mobile-device-security-3

Cybersecurity Frameworks

Cybersecurity frameworks are structured sets of guidelines, best practices, and standards designed to help organizations manage and mitigate cybersecurity risks. These frameworks provide a common language and approach for assessing, implementing, and maintaining security controls. Understanding cybersecurity frameworks is essential for building a strong foundation in cybersecurity. I'm certainly not going to cover all of the available frameworks, but here are a few you need to learn about to earn the Amateur title.

4) The NIST Cybersecurity Framework

The NIST Cybersecurity Framework is a living document that is refined, improved, and evolved over time to keep up with changes in technology, threats, and industry best practices. It provides a comprehensive set of guidelines for you and your organization to manage and reduce cybersecurity risks.

a) Quick Start Guide. Use this to get a general overview of the five key functions of the framework (Identify, Protect, Detect, Respond, and Recover):

https://www.nist.gov/cyberframework/getting-started/quick-start-guide

b) Online Learning. Next, check out some of the online learning links. It won't take you long to browse through all 6 of these and you'll have a good understanding when you're done.

https://www.nist.gov/cyberframework/online-learning

c) Get A Copy. Finally, download a copy. Spend some time looking through the five functions, specifically reading through the different categories and subcategories. You'll see references to CIS, COBIT, ISA, ISO/IEC, and other NIST documents that you can take a look at too.

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

d) NIST SP 800-53. Before you move on, I also recommend taking a look at NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations. NIST SP 800-53 provides a catalog of security and privacy controls, along with guidance for selecting and implementing them based on your organization's risk management and compliance requirements. Super helpful for understanding why we implement controls to protect our systems and something every Amateur should be aware of, especially if you're thinking about roles in Governance, Risk Management, and Compliance (GRC).

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

5) ISO/IEC 27001 Information Security Management Systems

ISO/IEC 27001 is another well-known cybersecurity framework around the world. In fact, outside of the US, you might see ISO/IEC 27001 used more often, as it includes options for third-party audit and certification. The ISO/IEC 27001 framework is a good choice for operationally mature organizations, but if you're just starting to develop your cybersecurity plan, NIST guidelines are a better place to start: they are free, while ISO/IEC 27001 requires a financial investment.

a) ISO/IEC 27001 Training. For that reason, we won't be able to look at the document itself, but instead here's a video overview of what's inside ISO/IEC 27001:

https://youtu.be/Ou8cFdjMYWw

6) Risk Assessment Methodologies

Risk assessment methodologies are systematic approaches used to identify, analyze, and evaluate potential risks in your organization's information systems, networks, and applications. These methodologies help organizations prioritize their security efforts and allocate resources effectively to minimize risk. As an Amateur, you need a strong foundation in cybersecurity, and understanding risk assessment methodologies is part of that knowledge. Even if you don't work directly in a GRC-related role, you will still need to be aware of risk so you can help develop effective strategies to protect your organization's assets and information.

Key aspects of risk assessment methodologies include:

  • Risk Identification. Identifying assets, threats, and vulnerabilities within the organization's information systems and infrastructure, and understanding the potential impact of these on your information.
  • Risk Analysis. Analyzing the likelihood of a threat exploiting a vulnerability, estimating the potential impact on your organization's assets, and assessing your existing security controls and their effectiveness.
  • Risk Evaluation. Comparing analyzed risks against your organization's risk appetite and tolerance levels, and prioritizing risks based on their potential impact and likelihood of occurrence.
  • Risk Treatment. Selecting appropriate risk mitigation strategies (implementing security controls, transferring the risk, or accepting the risk) and documenting your chosen strategies and their implementation in a risk treatment plan.

a) Cybersecurity Risk Management Training. To learn a bit more, here's a free course that covers the risk analysis process, including qualitative and quantitative risk assessment methods and risk mitigation.

https://www.edx.org/course/cybersecurity-risk-management

b) NIST SP 800-30. Next, you'll want to take a look at the NIST SP 800-30 Guide for Conducting Risk Assessments.

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

PROVING YOUR SKILLS

Now, I want to shift your focus to gaining practical skills. Of course, you've already started this by working through TryHackMe rooms and building your own home lab, but we need to take it a step further. So let's talk about some additional ways to get hands-on, practical experience.

7) Capture the Flag (CTF)

These are games in which teams (or individuals) seek to collect "flags" that are hidden at the other end of a vulnerability you need to exploit, or inside some type of puzzle or problem you need to solve. There are two main ways to play: Jeopardy-style and attack-defense style. There is certainly a wide variety of CTFs available these days, with tons of challenges that might fall into categories like programming, forensics, cryptography, web exploitation, reverse engineering, and more. If you remember, I already introduced you to a CTF, called OverTheWire, back in Level 1. Are you ready for more?

a) CTF Time. My favorite place to find an upcoming CTF is CTFtime. It's literally just a list of upcoming CTFs with dates, times, and names that you can search through. Find one you like and sign up.

https://ctftime.org/event/list/upcoming

b) CTF Wiki. Not a CTF, but instead a Wiki that can support you on your quest to conquer more CTFs. Of course, over time you will want to build your own notes, but this is a great resource to get you started:

https://ctf101.org/

8) Projects

One of the biggest problems you might encounter in your job hunt is showing experience. Most companies want experience, but not all companies demand that experience be from a formal "paid" position. So, it's helpful to think outside the box a little bit and consider volunteer activities and projects. You can absolutely show your experience through projects and it's one of those things that you want to add to your resume! But, you do have to actually do the project.

When it comes to projects, you can choose from a wide variety of things. I'll highlight a handful to get you thinking, but I want you to remember that the focus should be on what you learned during the project. Capturing what went right and what went wrong, taking notes, creating a walkthrough, or otherwise capturing your how and why as you work through a project is what an employer will value. Anyone can install a tool in their home lab and walk through the features. What's more interesting is the reasons you might have chosen that particular tool, comparisons to other tools that do something similar, showing how to use the tool to do something different or unusual, or putting a couple of tools together to get a different result. Here are a few project ideas:

a) Vulnerable VMs. Use pre-built vulnerable virtual machines (VMs) to practice identifying and exploiting vulnerabilities in your home lab. Check out Metasploitable, WebGoat, or OWASP Juice Shop.

VulnHub - https://www.vulnhub.com/

WebGoat - https://owasp.org/www-project-webgoat/

OWASP Juice Shop - https://owasp.org/www-project-juice-shop/

b) Security Assessments. Perform security assessments on your home lab using OpenVAS, Nessus, or Qualys to see potential vulnerabilities, and then practice writing a remediation plan.

c) Network Devices. Set up a firewall or IDS in your home lab. You can use iptables or pfSense as the firewall and an IDS like Snort to monitor and protect your network. Try out different settings and build an implementation plan.

d) Password Security. Try out some different password security and password cracking tools in your home lab. Research hashing with salting (and peppering) and try implementing a secure password storage system using a library like bcrypt or scrypt.
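As an added example of the salted-and-peppered storage this project idea describes (not code from the article or from any of the libraries it names), here is a small scheme built on Python's standard-library scrypt. The pepper value, the record format, and the cost parameters are assumptions chosen for the example; verification reads the cost parameters back out of each record so old hashes can be detected and upgraded when you raise them.

```python
import base64
import hashlib
import hmac
import os

# Pepper: a site-wide secret that must live OUTSIDE the database (env var,
# KMS, HSM). Constructed placeholder value for this example only.
PEPPER = b"example-pepper-replace-me"

# scrypt cost parameters. n must be a power of two; raise it until one hash
# takes roughly 100 ms on the hardware that will be verifying logins.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    # The pepper is mixed in with HMAC before stretching, so a stolen table of
    # hashes plus salts is still useless without the separately stored secret.
    peppered = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.scrypt(peppered, salt=salt, n=n, r=r, p=p, dklen=DKLEN)


def hash_password(password: str) -> str:
    """Return a self-describing record: $scrypt$n,r,p$salt$digest (assumed format)."""
    salt = os.urandom(16)  # fresh random salt per user defeats rainbow tables
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$scrypt$%d,%d,%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(digest))


def _parse(stored: str):
    # Returns (n, r, p, salt, digest), or None if the record is malformed.
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "scrypt":
        return None
    try:
        n, r, p = (int(x) for x in parts[2].split(","))
        # binascii.Error from b64decode is a subclass of ValueError.
        return n, r, p, base64.b64decode(parts[3]), base64.b64decode(parts[4])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    rec = _parse(stored)
    if rec is None:
        return False
    n, r, p, salt, digest = rec
    try:
        candidate = _derive(password, salt, n, r, p)
    except ValueError:  # e.g. tampered record with an invalid n
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with weaker-than-current cost parameters."""
    rec = _parse(stored)
    return rec is None or rec[:3] != (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

On a successful login, call needs_rehash() and, if it returns True, store hash_password() of the just-verified password so every account migrates to the stronger parameters over time.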

CERTIFICATIONS

As always, you may not need a certification. But since I know many of you desire to have "proof" for the things you're learning, here are two that are appropriate for The Amateur level.

a) PNPT. Since I haven't mentioned TCM Security at all yet, this seems like a great time to do so. No, I'm not saying you need to head toward training in penetration testing, but knowing how to break things often helps us better understand how to secure them. Plus, this is just good training. Don't have the cash for the cert? Check out the Practical Ethical Hacking course instead, or any of the other lower-cost training options.

The PNPT Cert: https://certifications.tcm-sec.com/pnpt/

The Academy: https://academy.tcm-sec.com/

b) CySA+. If you completed CompTIA Security+, then it makes sense to take a look at this one next. It's focused on threat response, incident detection, and continuous security monitoring and aligns well to SOC Analyst related roles, which might be one of your first cybersecurity focused positions.

https://www.comptia.org/certifications/cybersecurity-analyst

EMPLOYMENT

At this point, you have knowledge and skills that will align to most starting roles in cybersecurity. Keep in mind, though, that if you do not yet have IT experience, you might need to get some of that first before you can be competitive against others applying for cybersecurity positions. It is certainly competitive out there, and companies are always looking for direct experience with the tools and concepts you've learned about. Your experience doesn't always have to be formal job-related experience, though, and many amateurs have found that by capturing their hands-on labs and projects they can stand out more in the hiring process. Job titles you could search for include:

  • IT Support Specialist
  • Help Desk Technician
  • Junior System Administrator
  • Network Administrator
  • Junior Security Analyst
  • IT Auditor
  • Security Analyst
  • Junior Web Application Penetration Tester
  • SOC Analyst
  • Junior Vulnerability Assessor
  • Network Security Technician
  • Cybersecurity Specialist
  • Information Security Analyst
  • Security Compliance Analyst
  • IT Security Administrator

CONGRATULATIONS

At this point, you've completed all of the foundational training you need to work in the field of cybersecurity. Congratulations -- you have earned the title AMATEUR. You should be incredibly proud of the work you've put in and the time you've spent learning and gaining new skills. The Amateur level is the final step in your learning journey before you seek out paid positions as a cybersecurity professional. Next up is Apprentice.

If you're wondering what the difference is between Amateur and Apprentice, and why Mic wrote this series this way: I focused on Noob, Beginner, and Amateur as stepping stones for someone truly new, learning cybersecurity, passionate about the subject, and pursuing it professionally as a career.

In Level 4 -- The Apprentice, I intend to focus on a trainee, someone in the trade, working toward increased mastery and experience. Level 4 will focus on deepening your skills, expanding your career, and otherwise pursuing more advanced positions. So, it's critical that you find your first working role, if you haven't already. Note, there's no time limit on how long you can be an Amateur.

You might remain at Level 3 -- Amateur for a few years while finishing your degree program, preparing for your career transition, or strengthening your skills in a more traditional IT position before moving into a cybersecurity-focused role. You can keep adding to your learning with YouTube videos, improve your skills on TryHackMe, or go back and pursue certifications we've talked about in previous levels. There are no rules here, right? I made up these levels :-)

What's next? Level 4 -- The APPRENTICE (coming soon)

Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License

Erika Barnard

Cyber Security Analyst | CISSP | CySA+ | Sec+ | Veteran

1 year

Mic, This is fantastic! Incredibly thorough. I appreciate you putting this series together!

Kyle H.

CTO & Co-Founder at PhishCloud Inc.

1 year

Career growth in cybersecurity isn't easy, but with determination and hard work, it's possible to succeed. #nevergiveup

John Delacruz

Information Security Analyst | Third-Party Risk | GRC | The KEY Mentor | USAF Veteran

1 year

Super insightful stuff! Thanks so much for taking time to put this together. I wish this was around when I was first starting out. Definitely saving this when I need to go back and revisit basics. Jesse Heil - Transitioning USMC, Jerry Arciaga - Transitioning Army, Chance Brown - Tagging if you’ve not seen this info before. Definitely worth taking some time to read and take action on.
