Talking About Getting Started with Information Security

Posted by fierce at 2020-03-16

After I published "Computer and Network Security Book List Recommendation" last Monday, something in hblf's circle of friends struck a chord with me. The question "how do you get started in information security?" reminded me of some interesting things, so I took the time to write up my own answer.

I think the question needs to be answered in three parts: What does information security include? What counts as getting started? How do you learn?


What does information security include

Personally, I can only answer this question as completely as I am able. First of all, let's take a look at Zhihu. What questions related to "how to get started in information security" are asked there?

1. How can hackers learn?

2. How to learn network security?

3. Who can give a learning route of network security?

4. How much money do I earn? Do I want to change my career?

For reasons of space, you can search for and read these yourself (have a smile when you are done). Next, let's look at the questions I am frequently asked on QQ:

"Master, I want to learn how to hunt for vulnerabilities. Can you take me along?" Faced with this kind of question, I would honestly like to say "I'll take you along", but the truth is that I am too fat to get up myself, so how could I take you?

"Cousin, I want to change my scores in the educational administration system." Or: "I want to hack the XXX website." Do you know that this is against the law? If you have nothing to do, how about reading up on the network security law?

"Old classmate, can you steal a QQ account for me?" "I can't steal it!" "Aren't you in information security?" "I am!" "Then you can't steal it?" "I"

Of course, there is also the most outrageous one: "Help me fix my computer. It is really laggy, it must have a virus." Come on, big sister, that is not how this works. Shall we replace that 10-year-old computer instead?

Back to the main point: information security covers a very wide range of subjects. In essence, most contemporary information security problems are products of the information age and show up mainly in the computer field. Let's start with a few cases:

Example 1: if you want to be a "hacker", you really don't need to know anything about computers. For example, in Fast & Furious 5, Gal Gadot obtains the crime boss's fingerprint. If you are beautiful, you can do it too.

Some further examples: the 12306 user data leak in 2014, Apple's "photo gate" (Yanzhaomen) incident in 2014, the JD data leak in 2017, and so on.

Now let's look at security within the computer field. In this part, I analyze it in terms of the current directions of security employment. First of all, here is a picture of security jobs in China:

The figure covers the general scope of information security in the computer field. If you are going down this path, look into the specific responsibilities of these positions.

Of course, many companies now simply copy job descriptions and don't even know what kind of security engineer they need. If you come across such a company, don't go!

Some reliable websites for looking up job descriptions (JDs) are recommended (alphabetically):

Alibaba recruitment website

Meituan recruitment website

Tencent recruitment website

Once you understand what these positions require, you will also appreciate the importance of information security.


What counts as getting started

Skill maturity model: grasp --> skilled --> proficient --> share. The basic requirement for any job is the first level, a working grasp of it. I heard a joke a few days ago: "Right after graduating from college I dared to write 'proficient' on my resume; later I found I only dared to write 'grasp'." The lesson of that joke is another phrase: "continuous learning".

So what counts as getting started in information security? For example:

For security testing:

You should be skilled with security testing tools for different kinds of targets (web, API, mobile apps, mini programs, official accounts, and so on), such as Burp Suite, Drozer, SQLMap and Astra.

You need to understand the OWASP Top 10 vulnerabilities, business logic vulnerabilities, and so on.

You need a complete penetration testing methodology, including which test points you cover and what you focus on when dealing with different systems.

Think about how to automate your skills.


Getting started, summed up in one sentence: once you have your own understanding of and thinking about the direction you study or specialize in, you have gotten started (is that too high a bar for getting started?).


How do you learn

The best tool for learning information security is a search engine.

3.1 Reading: a ten-thousand-foot tower rises from the ground

The first kind (basic books): computer operating systems (you should at least be familiar with Linux), computer networks, and a programming language (choose one you like). Recommendation: "Computer and Network Security Book List Recommendation".

The second kind (professional books): choose your direction and find books accordingly.

The third kind (technical blogs): once you have a professional direction and need to go deep into it, books alone are not enough; combine them with technical blogs, official documentation and even papers.

Some suggestions for reading: first look through the whole book's table of contents to get the general picture, then find the chapters that interest you or that you need to read in depth (this works when the chapters are not closely dependent on each other, or when you are already familiar with some of them).

3.2 Practice: what you learn on paper always feels shallow

When you practice enough, you will find that your skills improve at high speed. While practicing, please keep the network security law in mind.

How to practice:

Build various vulnerability learning projects (DVWA, the OWASP series, PentesterLab, Vulhub);

Build various CMS environments for security testing and code auditing;

Build an intranet environment to simulate the penetration process (Mr. Zhuge Jianwei's "Metasploit magic training camp" comes with a penetration testing range);

SRCs and crowdsourced testing platforms: you can hunt for vulnerabilities on SRCs and crowdsourced testing platforms. This may require some foundation, but if you read more articles online you will pick up some ideas. I'll list a few articles here (please comply with the network security law when hunting for vulnerabilities on SRCs or crowdsourced testing platforms):

How does Xiaobai learn to dig holes 

Small solution of SRC vulnerability mining 

Where to start SRC journey 

Using skills of SRC vulnerability mining 

Synthesis [some SRC mining techniques collected]

Practice inside a company: as long as you are willing to learn, I believe a company still offers many scenarios for you to practice in.

3.3 Summary: refining the process and results

Whether it's reading or practice, you need to summarize. Summarizing what you read helps you distill the knowledge points in the book; summarizing your practice helps you review and fall into fewer pitfalls in the future.

The two best ways to summarize are:

Draw a mind map: mind maps are well suited to organizing your own thinking.

Write summary documents: a complete written record can extend the mind map, covering the whole process of a penetration test or a project rollout, or some of your own insights. These documents can also be used later for sharing.

3.4 Sharing: knowing your true self

Before you share what you write, be mentally prepared: once your work attracts a certain level of attention, people may have different opinions about it; I have run into this too. Be sure to remember: an article is written for others to criticize, and if nobody criticizes it, that shows the writing is not good enough, so what does being criticized matter? Extract the key points from other people's criticism and check whether there is something you did not do well, so as to improve yourself. If it is nothing but flaming: a dog bit you, do you want to bite it back?

Share your thoughts, whether through a blog, an official account or some other form. This is not only a technical improvement for you but also an all-round improvement. At the same time, it helps you see how well you have really mastered the material.

Example 1: learning penetration testing techniques

First, learn how to use the tools and the technical knowledge points of penetration testing, most of which come from blog articles and books.

Second, build an environment. Please remember that scanning, testing or attacking systems without authorization is illegal. If you want to learn, build a virtual machine environment yourself. Don't be afraid of the trouble: building the whole environment also improves your skills.

Then comes the penetration test. Forget what you know from building the environment and simulate a hacker's attack. When attacking, do not limit your own thinking (in penetration testing, your thinking needs to be sneaky and adaptable).

Finally, write the article: first, record how you built the environment this time; second, record the process of your penetration test. What techniques did you use, did the penetration succeed, what method worked if it did, and if it did not, reflect on why.

Example 2: security protection at Party A

Understand the goal: what do you want to protect? Data, business systems, hosts, or something else.

Research: understand the technologies, tools, systems, strategies, etc. you need to use.

Simulation test: try out the technology you have researched. If the company provides a test environment, you can test on parts of the edge business; if not, build an environment yourself.

Test report: cover the means used in this test, the effect achieved, whether it can be optimized, the existing risks, and other such issues.

Production rollout: if, after evaluation by all parties, your test report is approved for rollout, you can start rolling it out. Remember the rollout strategy: "encircle the cities from the countryside; a single spark can start a prairie fire".

Finally, the conclusion: information security has received more and more attention over the past 10 years, and many colleges and universities have set up related majors and courses. Whether or not you studied it formally in school, remember one thing: learning without thinking is useless, thinking without learning is perilous.

Don't be afraid of difficulties. Learning is a happy process. If you are not happy and cannot turn learning into something enjoyable, then security is not suitable for you; give it up.

Don't be afraid of trouble. Keep learning. There will always be another difficulty waiting for you to overcome.

The whole cow -- from my study.

Here is an immature knowledge map of information security (friends who want the mind map can add me: lzero2012):