LiveOverflow — Youtube Channel

Some years ago, I picked up a book called Hacking, The Art of Exploitation by Jon Erickson. It was a great read, and I highly recommend everyone pick it up. If there was an “essential” guide to introductory hacking, this would likely be it. However, I personally consider myself a visual learner, and some topics took additional reinforcement.

Then, I stumbled across a YouTube channel called LiveOverflow, and was blown away by how informative it was. It filled in countless gaps of my own knowledge on exploits and exploit development. I highly recommend the “Binary Hacking” playlist, which covers introductory topics such as C programming fundamentals, compiler basics, the setup of a suitable Linux box, and installation of exploitable VMs. From there, it builds out into topics for those interested in jumping into CTFs or building exploits from scratch.

The videos are meticulously assembled, and each step is well covered to not get you too far lost — but just enough to keep you interested.

Back in the day, when hacking ezines were the way to get knowledge of such topics, I think we would have killed to have a video series this comprehensive and n00b friendly. IRC channels would have been flooded with downloads of these warez.

Inside the Machine by Jon Stokes — Book

Despite being a visual learner, the need to read books and whitepapers in this industry is required.

Where LiveOverflow and Hacking, The Art of Exploitation focus on the hacking part, Inside the Machine picks up on the fundamentals of computing. It is absolutely essential for anyone doing any operational cybersecurity task to understand how a computer works at its most basic level. The book itself is not inherently targeted at security, but as stated above, you will have to step outside of your safe zone to excel.

I picked this book up earlier this year at Shmoocon 2018 when visiting the No Starch Press booth. As I was passing by, I glimpsed at the back to get a feel of the subject matter discussed within, was instantly intrigued, and emphatically threw my money down on the table.

In retrospect, it was a great decision. Admittedly, I had always struggled with understanding registers, assembly language, and low level topics involving computer architecture. This book filled those cracks well, and I can honestly say that I wish this book was available when I was getting started.

The Hacker Playbook by Peter Kim — Book Series

If pentesting or red-teaming is where you want to be, purchase The Hacker Playbook immediately.

When I first got started in pentesting, I had a ton of trouble taking the various techniques involved in reconnaissance, lateral movement, and post-exploitation and effectively structuring them into what would be considered a valid offensive test. The first edition of this book solved that problem rather quickly, and because of that I cannot recommend any book on the topic more than this one.

Additional books like the Web Application Hacker’s Handbook and Metasploit — A Penetration Tester’s Guide are phenomenal as well, but tend to serve a more specific purpose than The Hacker Playbook. Peter Kim did an outstanding job taking all of the relevant areas of a penetration test and structuring them in an easy-to-digest book, which later served as a reference guide when I felt stuck during an engagement.

The book became a mainstay in my library, sees constant re-use, and remains the most dog-eared book I have. Furthermore, he periodically releases updated content to keep up with trends in the pentesting realm, and came out with the third edition not long ago.

Serious Cryptography by Jean-Philippe Aumasson — Book

Another No Starch Press release, and the book I most wish existed when I got started, Serious Cryptography is a book that covers cryptography from A to Z. It fills that need for a something on the topic that does not lean too far into the mathematics, while still not being too high level to be of any value. If you have a difficult time approaching mathematics, this book will still be of value to you.

Each chapter of this book addresses a different topic within cryptography, beginning with foundational topics such as what a pseudo-random number generator is, the difference between symmetric and asymmetric encryption, onward through the relevant algorithms used in the field, and further into what protocols implement the algorithms and why. There is immense value from this book for all individuals in cybersecurity, whether you are an engineer, tester, analyst, or responder.

At this point in the article, you may be noticing a trend in that many of the books I recommend are published by No Starch Press. Their books have time and time again proven to be well put together, and I have yet to pick up a book from them that I did not derive value from.

CCNA - The Complete Course by Lazaro Diaz on Udemy — Video Series

I don’t know where the question came from, but I have seen it countless times… people asking if those in cybersecurity NEED to understand how TCP/IP networks function. Rarely do I get so enthusiastic about a question, but in my opinion the answer is YES, you DO need to know this.

I can see getting away with not understanding the fundamentals of cryptography, or the low level foundations of computer architecture, but TCP/IP networking is critical for every aspect of operational cybersecurity. I would even argue that an understanding of TCP/IP networks is essential for cybersecurity leadership positions, policy analysts, and technical writers.

“TCP/IP is how the Internet even exists! Quote me on it.”

To that end, the Cisco Certified Network Associate (CCNA) is a certification program offered by Cisco for individuals who want to advance their career in networking. It is typically considered among the most valuable of associate-level certifications by employers, and is always in demand.

While I don’t necessarily think that it is required that you take your CCNA (although it would be a great thing to have under your belt), the subject matter covered in its curriculum crosses between IPv4 and IPv6, the OSI Model, VPNs, routing protocols, subnetting, and tons of additional topics which make networks function… all of which you should be familiar with.

Of the available options I have explored, I have found that Lazaro Diaz’s course on Udemy is the most valuable resource to cover this content, and fortunately for us cheapskates is always on sale. This course, coupled with Packet Tracer (which is available for free on Cisco’s website) make for a winning formula.

Follow along, model some networks, and really get to know how communications work.

Automating the Boring Stuff with Python by Al Sweigart — Book

If you asked me if you need to know how to program to excel in cybersecurity, the answer I would tell you is “absolutely!”. How good do you have to be at programming? Well, that is a completely different question, and depends on which area you explore.

However, for those with no programming knowledge whatsoever, I would rank which languages to be familiar with in the following order:

Python C Assembly

I am sure this will meet much controversy, and I look forward to hearing your opinion in the comments!

Anyways, the reasoning behind why I rate it this way is because understanding fundamental data types and object-oriented principles is the most important part of knowing how to program. It does not matter which language you pick up! Once you get the basics down, you can adapt what you have learned into any other language.

Due to the initial learning curve, I would suggest Python as the first language. It is commonly used in proof-of-concepts, is used to build hacking tools, is lightweight and easy to understand, has immediate value for those even outside of cybersecurity, and does not intimidate with archaic syntax. Using Django, you can even build web applications with it! From there, you can adventure easily into more advanced languages.

My opinion on programming languages is that you will never truly learn them unless you have a practical purpose to use it, which is why Automate the Boring Stuff with Python is my recommendation. I also want to give a shout-out to Learn Python the Hard Way by Zed Shaw as being a fantastic introduction to the language, and covers the fundamentals even more comprehensively. If “Automate the Boring Stuff” isn’t right for you, pick this one up.

Pluralsight — Video Training Subscription

Remember again when I said that you will have to step outside of your realm in cybersecurity? Well, this means that you are going to inevitably have to pick up a topic and get an understanding of it quickly. Pluralsight, in my opinion, fills the requirement here. If you are an information junkie like I am, Pluralsight is like a reasonably priced, endless buffet of technical knowledge, and I highly recommend their services.

More times than I can count, I have jumped between subjects and lost interest before I knew what hit me. Fortunately, Pluralsight has done a stellar job at offering a huge catalogue of content that is condensed enough for busy professionals to digest in no time. Their 1.5 hour courses on topics of web application development, cloud computing, and machine learning have helped me get a jump start on where to go next on the endless learning journey.

Conclusion

If any one person tells you that they have the answer to how you can learn everything you need about cybersecurity, run hard and fast in the opposite direction. The area is showing no signs of slowing down, and likely will continue to grow for the foreseeable future. With that, I hope some of the resources listed here get you off on the right foot, and closer towards the career you have always wanted.

More so than any specific source of knowledge, know that what is most important is that you do not stand idly by and continually ask where to start. This is a deceptive form of procrastination. It gives off the impression that you are being productive by planning, while netting you a result of nothing.

Do not be afraid to get in over your head despite how insurmountable the first steps might seem. You will find your way eventually, but only as long as you do not wait for the ideal circumstance. Trust me, it will never come.