item 15986100

Ask HN: How can I learn computer security?

181 points | boniface316 | 8 years ago

I am taking some data science courses. Is there any link between data science and cyber security? and where can I learn cyber security stuff?

55 comments

artie_effim | 8 years ago
Cyber pro here - 5 years doing IV&V testing, 15 years as Fed, State and Local contractor, now a firewall admin at a major U.S. uni. I got an NSA-accredited (https://www.nsa.gov/resources/educators/centers-academic-exc...) Master's in IT with a specialization in security. While the degree got my foot in the door (I have a BA in Arts - but have been messing around with computers since the early 80's - plus a lot of self-taught stuff) - I've found that a ton of side reading (anything related to the subject - I spent a lot of time on the RFCs - that stuff I use every day), looking at PCAPs to understand the protocols and reading case studies are the best way to hone the craft.

For a while I was doing Governance, Risk and Compliance (GRC) work, but have always loved being a network security engineer, so I went back to that.

Also - I have a CISSP, which opens a lot of doors. I know that it is being knocked a bit nowadays, and there are certainly some who are test-knowledgeable but have no hands-on, common-sense experience. I still find it valuable enough to maintain.

Set up a lab - 2-4 computers and a switch should do (you could virtualize some/all of it) and work on all aspects of the TCP/IP stack if you're interested in netsec.

If appsec is your thing, spend a lot of time looking at good and bad code, plus reading on-line of good and bad appsec.

If GRC is up your alley - read NIST 800-53, HIPAA, PCI-DSS, SANS Top 20 and GDPR - to understand the full breadth of controls and risk mitigation.

As far as data science goes, Python and pandas are all over the industry, R not so much. There is a big push for ML/AI work, but it might be snake-oil, time will tell. I use a lot of Python and pandas for log and flow analysis.

Also - learn Linux CLI; grep, sed and awk can save your butt in most situations. Gray beard stuff will come later.

Good luck!

<edit - word choice>

elorant | 8 years ago
While on the subject and since you're an expert in the field, there's something that's nagging me. How good are you guys at programming? My feeling is that most people in infosec are average at best and only the elites are good at it.
Grasshoppeh | 8 years ago
> Set up a lab - 2-4 computers and a switch should do (you could virtualize some/all of it) and work on all aspects of the TCP/IP stack if you're interested in netsec.

I would like to add onto this: if you cannot virtualize this and you do not have extra computers, try using Raspberry Pis. You can fully customize them to act as computers (with all different operating systems), servers, super computers, routers, etc.

It's an inexpensive and practical option compared to buying expensive equipment.

EGreg | 8 years ago
Question for cyber pros:

If you are storing sensitive info such as username/password to a TRADING PLATFORM (because the bank -- in this case OZforex -- doesn't have an API that lets you access it without them) what regulations do you need to meet in the USA and Europe? How does one even begin to find this out?

This is for a client of mine. I realize in Europe you'll of course need the GDPR. But besides that, I tried for example to find out whether they need PCI-DSS level 4 but was told by an auditing firm that since they aren't storing CREDIT CARD info then PCI doesn't apply. I am not convinced. But there has to be SOME regulation to protect this data, no?

I would appreciate any info, or if there is a way to speak offline (email you?) let me know.

amorphous | 8 years ago
I'm interested in GRC - could you explain what else to study or what certs to get to go that route? Thanks
santiagobasulto | 8 years ago
Let me tell you one thing, it's going to be tough. Cyber security is one of the fields of IT that requires the deepest knowledge of how computers and networks work. So, be aware of that. It's like when someone is asking how to build a game, and the first answer is: learn a lot about Math and Physics. This is the same thing.

Recommended path:

1. CS Basics (concepts) Conceptually understand how computers work, how interpreters work, compilers etc. You're probably past this point.

2. Low-level programming. Basically C, but pay attention to the OS APIs (POSIX, Win32). Make sure you understand the fundamentals of memory management, procedures, threading, etc. You need a lot of C knowledge.

3. Networking [0]. You basically need to know the whole TCP protocol by heart. I have a friend who's incredibly successful working in security and he knows each bit in each packet in a TCP connection. He can just recite it. Once you know about networks, start throwing code at them. See if you can push the wrong bits to a switch, or if you can access some other process's network stack, etc.

4. Web standards Basically, how the web works. Once you're past that: Apache and Nginx. You have to know them in depth.

5. Known threats and vulnerabilities. In this process you'll learn that there are many exploited issues that have been resolved. But you should study them. For example, Heartbleed. Would you have the knowledge to find Heartbleed? You should also practice with every other known security threat like XSS, SQL Injection, etc.

[0] Depending on the security field, you might not need such advanced networking knowledge; this is just a general recommendation.

This is just my recommendation, I'm more of a purist, and I have a lot of respect for cybersecurity people.

Source: +10 years programming, I have a good friend making A LOT of money as a private security contractor and we speak about this all the time.
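The "each bit in each packet" knowledge santiagobasulto describes, as an added example that is not part of the thread or anyone's posted code: a small decoder for the 20-byte TCP header, its options list and the flag bits, run over a SYN-ACK segment constructed inline (ports, sequence numbers and the MSS value are made up for the demonstration). It also rejects the two malformed cases a parser meets first, a truncated header and a data offset that points outside the segment.

```python
import struct
from dataclasses import dataclass

# Control bits of the 16-bit "data offset / reserved / flags" word.
# NS (RFC 3540) sits just above the eight classic flags.
TCP_FLAGS = (("NS", 0x100), ("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20),
             ("ACK", 0x10), ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int      # header length in 32-bit words, 5..15
    flags: int            # NS + 8 control bits
    window: int
    checksum: int
    urgent: int
    options: bytes
    payload: bytes

    def flag_names(self):
        return [name for name, bit in TCP_FLAGS if self.flags & bit]

    def mss(self):
        """Walk the options list and return the MSS value, or None if absent."""
        i, opts = 0, self.options
        while i < len(opts):
            kind = opts[i]
            if kind == 0:            # End of Option List
                break
            if kind == 1:            # No-Operation: single byte, no length field
                i += 1
                continue
            if i + 1 >= len(opts):
                raise ValueError("option missing length byte")
            length = opts[i + 1]
            if length < 2 or i + length > len(opts):
                raise ValueError("bad option length")
            if kind == 2 and length == 4:   # Maximum Segment Size
                return struct.unpack("!H", opts[i + 2:i + 4])[0]
            i += length
        return None


def parse_tcp(segment: bytes) -> TcpSegment:
    """Decode a raw TCP segment (header + payload) from network byte order."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (src, dst, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12          # top 4 bits
    flags = off_flags & 0x1FF              # low 9 bits (NS + 8 flags)
    header_len = data_offset * 4
    if data_offset < 5:
        raise ValueError(f"data offset {data_offset} below minimum header size")
    if header_len > len(segment):
        raise ValueError("data offset points past end of segment")
    return TcpSegment(src, dst, seq, ack, data_offset, flags, window, checksum,
                      urgent, segment[20:header_len], segment[header_len:])


def build_tcp(src, dst, seq, ack, flags, window, options=b"", payload=b"", checksum=0):
    """Assemble a segment; options are padded to a 32-bit boundary with EOL bytes."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIHHHH", src, dst, seq, ack,
                         (data_offset << 12) | flags, window, checksum, 0)
    return header + options + payload


# Constructed sample: a SYN-ACK from port 443 carrying an MSS option (kind 2, len 4, 1460).
SAMPLE_SYN_ACK = build_tcp(443, 51234, 0x12345678, 0xABCD, 0x012, 65535,
                           options=b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    seg = parse_tcp(SAMPLE_SYN_ACK)
    print(seg.src_port, "->", seg.dst_port, seg.flag_names(), "MSS", seg.mss())
```

Feeding it real traffic means slicing the TCP portion out of a captured IP packet first (the IP header length tells you where); the checksum is carried through but not verified, since that needs the IP pseudo-header as well.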

M8thril | 8 years ago
> Let me tell you one thing, it's going to be tough. Cyber security is one of the fields of IT that requires the most deep knowledge of how computers and networks work. So, be aware of that. It's like, when someone is asking how to build a game, and the first answer is: learn a lot about Math and Physics. This is the same thing.

> Recommended path:

> 1. CS Basics (concepts) Conceptually understand how computers work, how interpreters work, compilers etc. You're probably past this point.

> 2. Low-level programming. Basically C, but pay attention to the OS APIs (POSIX, Win32). Make sure you understand the fundamentals of memory management, procedures, threading, etc. You need a lot of C knowledge.

> 3. Networking [0]. You basically need to know the whole TCP protocol by heart. I have a friend who's incredibly successful working in security and he knows each bit in each packet in a TCP connection. He can just recite it. Once you know about networks, start throwing code at them. See if you can push the wrong bits to a switch, or if you can access some other process's network stack, etc.

> 4. Web standards Basically, how the web works. Once you're past that: Apache and Nginx. You have to know them in depth.

> 5. Known threats and vulnerabilities. In this process you'll learn that there are many exploited issues that have been resolved. But you should study them. For example, Heartbleed. Would you have the knowledge to find Heartbleed? You should also practice with every other known security threat like XSS, SQL Injection, etc.

> [0] Depending on the security field, you might not need such advanced networking knowledge; this is just a general recommendation.

> This is just my recommendation, I'm more of a purist, and I have a lot of respect for cybersecurity people.

> Source: +10 years programming, I have a good friend making A LOT of money as a private security contractor and we speak about this all the time.

Great answer. Look at an Offensive Security Certified Professional course for a basic, affordable course that covers all of the above.

godelmachine | 8 years ago
May I ask how much your friend makes, on average?
altharaz | 8 years ago
"Is there any link between data science and cyber security?"

Data Science might be useful if you want to work in Security Information Management or in malware analysis: big companies try to identify "weird behavior" in their networks, based on "normal behavior" records.

"Where can I learn cyber security stuff?"

Well, that depends on the stuff you are interested in...

You should focus at first on learning "system administration" and at least a programming language like Python or Ruby. Network protocols would also be a bonus.

Then, if you want to learn "offensive techniques" or "penetration testing", I suggest that you try websites like RootMe https://www.root-me.org/?lang=en or Cryptopals cryptopals.com.

Once you have solved some of these challenges yourself, you'll be able to try the "industrialized approach" to penetration testing. For this, this book is quite cool: https://www.nostarch.com/pentesting.

If you're more interested in "defensive techniques", you have tons of resources online.

For instance:

Secure Coding Best Practices: - https://www.owasp.org/index.php/OWASP_Secure_Coding_Practice... - https://security.berkeley.edu/secure-coding-practice-guideli...

=> These documents will help you to understand what are the main risks in your apps

For "general" cybersecurity: - ISO27001 standard - The NIST Cybersecurity Framework https://www.nist.gov/cybersecurity-framework - PCI/DSS - https://www.us-cert.gov/

=> These documents will help you to understand what are the main risks in an organization based on their assets.
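Two comments above touch the same thing: artie_effim uses Python for log and flow analysis, and altharaz describes the "weird behaviour vs. normal behaviour" approach that is where data science meets security operations. This added example (mine, not code from either commenter, and standard library only rather than pandas so it runs anywhere) builds a per-source baseline from one window of flow records and flags a second window against it. The flow records are constructed for the demonstration; the three detections (a host sending far more than it ever has, a host hitting destination ports it never used, a host touching many distinct ports) and the thresholds are illustrative choices, not a reference method.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed flow records, not captured traffic: one flow per line with
# timestamp, source, destination, destination port and bytes sent by the source.
BASELINE_WINDOW = """ts,src,dst,dport,bytes
1,10.0.0.5,93.184.216.34,443,1200
2,10.0.0.5,93.184.216.34,443,980
3,10.0.0.5,10.0.0.2,53,120
4,10.0.0.7,10.0.0.2,53,110
5,10.0.0.7,151.101.1.69,443,2200
6,10.0.0.7,151.101.1.69,443,1900
7,10.0.0.9,10.0.0.10,445,4000
8,10.0.0.9,10.0.0.10,445,3800
"""

NEW_WINDOW = """ts,src,dst,dport,bytes
100,10.0.0.5,93.184.216.34,443,1100
101,10.0.0.7,203.0.113.9,443,48000000
102,10.0.0.9,10.0.0.11,22,60
103,10.0.0.9,10.0.0.11,23,60
104,10.0.0.9,10.0.0.11,80,60
105,10.0.0.9,10.0.0.11,135,60
106,10.0.0.9,10.0.0.11,139,60
107,10.0.0.9,10.0.0.11,445,60
108,10.0.0.9,10.0.0.11,3389,60
109,10.0.0.42,10.0.0.2,53,100
"""


def parse_flows(text):
    """CSV text -> list of dicts with numeric fields converted."""
    return [{"ts": int(r["ts"]), "src": r["src"], "dst": r["dst"],
             "dport": int(r["dport"]), "bytes": int(r["bytes"])}
            for r in csv.DictReader(io.StringIO(text))]


def top_talkers(flows, n=3):
    """Bytes per source, largest first: the first thing to look at in a new window."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_baseline(flows):
    """Per-source profile of 'normal': destination ports seen and typical flow size."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for f in flows:
        ports[f["src"]].add(f["dport"])
        sizes[f["src"]].append(f["bytes"])
    return {src: {"ports": ports[src], "mean": statistics.mean(sizes[src]),
                  "max": max(sizes[src])} for src in ports}


def find_anomalies(flows, baseline, scan_threshold=5, volume_factor=10):
    """Compare a window to the baseline; returns {src: [reason, ...]}."""
    per_src = defaultdict(lambda: {"ports": set(), "new_ports": set(), "max_bytes": 0})
    for f in flows:
        s = per_src[f["src"]]
        s["ports"].add(f["dport"])
        s["max_bytes"] = max(s["max_bytes"], f["bytes"])
        prof = baseline.get(f["src"])
        if prof is not None and f["dport"] not in prof["ports"]:
            s["new_ports"].add(f["dport"])
    findings = {}
    for src, s in per_src.items():
        reasons = []
        prof = baseline.get(src)
        if prof is None:
            reasons.append("unknown source: no baseline")
        else:
            if s["max_bytes"] > volume_factor * prof["max"]:
                reasons.append(f"volume: {s['max_bytes']} bytes vs baseline max {prof['max']}")
            if s["new_ports"]:
                reasons.append(f"new destination ports: {sorted(s['new_ports'])}")
        if len(s["ports"]) >= scan_threshold:
            reasons.append(f"port scan: {len(s['ports'])} distinct ports")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_WINDOW))
    new = parse_flows(NEW_WINDOW)
    print("top talkers:", top_talkers(new))
    for src, reasons in find_anomalies(new, base).items():
        print(src, "->", "; ".join(reasons))
```

The baseline window is the part that matters in practice: eight flows is enough to show the mechanics, but a real profile needs enough history that a host's legitimate variation (backup night, patch Tuesday) is inside it, or the detector pages you for normal life.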

indigochill | 8 years ago
Security fundamentally is just "the art and science of how things work". Breaches in security are caused by malicious actors finding vulnerabilities in trusted systems, such as when Chinese webcams shipped with default credentials which made it trivial for the Mirai botnet to take them over and acquire so many devices that it could DDoS Dyn.

Towards that end, just about anything you learn can be applied in some way towards security. The conventional recommendations others have made will get your foot in the door, but ultimately security is a lifestyle of never-ending learning and imaginative reasoning about systems.

So to directly answer your questions, yes, there are links between data science and security (others have mentioned its use in things like malware research, but going the other way it's also important to store your data securely to prevent theft, destruction, or tampering) and you can learn something about information security pretty much anywhere in-depth information about computers is taught. Which information is relevant to your interests will just depend on which aspect of security is of interest to you.

thephyber | 8 years ago
> Breaches in security are caused by malicious actors finding vulnerabilities in trusted systems

Alex Stamos, the CISO of Facebook, likened the causes of security breaches to a pyramid. The bottom of the pyramid, where the vast majority of security breaches happen (perhaps 80%), are caused by basic fraud: shared passwords, phishing, asking the user to do something like self-XSS. Of the remainder, perhaps 80% of security breaches are done through the more common, more mundane attacks like unpatched vulnerabilities or misconfigurations. It's only a fraction of a fraction of a percent of attacks that are done using zero-day vulns.

As much as what you said is relevant for security, I would argue that engineers think that security is more of an engineering problem set than it is.

aknoob | 8 years ago
The very first thing that you need to do is to pick a software stack, ideally open source, and then learn how that software stack works bottom up. Learning how a Linux application works might be a good starting point if you are totally new.

There are multiple layers involved here and really understanding each one would take time.

Next would come understanding browsers. The browser, although it is an app, is a world in itself. How an HTTP request flows through a browser, how an HTTP response is rendered, what the various layers involved are. TCP/IP stack to physical layer, wifi/USB. It is extremely vast and very interesting.

And once you have gained enough experience, you will be able to clearly see the similarities and differences between various software stacks, both bottom-up and top-down, right from hardware level to your application's code and vice versa. And then reasoning about security of the stack at various layers would become straightforward.

In terms of conferences, I find the Black Hat (http://www.blackhat.com/) conference is a very good source for keeping oneself up to date with the world of security (including applying Data Science to Security).

stoneridge | 8 years ago
http://mooc.fi/courses/2017/cybersecurity

"Cyber Security Base with F-Secure is a course series by University of Helsinki in collaboration with F‑Secure Cyber Security Academy that focuses on building core knowledge and abilities related to the work of a cyber security professional. The course series is free and open for anyone to attend."

vog | 8 years ago
If you want to get a really deep understanding, study computer science (e.g. bachelor/master) [1], then specialize by taking all security courses that are offered. Not only will you get a deep understanding of the topic, you will build on solid fundamentals, as well as have people (professors, assistants, trainers) who you can ask anything.

[1] Of course, you can only do this for free in a country that remotely cares about the education of its citizens (e.g. most European countries, where you can go to university for a few hundred Euros per year). Otherwise, the risk of a huge debt is probably not worth it.

justaman | 8 years ago
I went to a mid-level business school in the Midwest. Their IT program had a few segments. One was security. The difference was basically just one course on pen testing. I learned more about security in the CS courses they didn't recommend I take.

You don't need college, what you need is a desire to learn everyday.

kalimatas | 8 years ago
Zhyl | 8 years ago
This is one of my favourites.

* It is neatly packaged, wonderful UX and a little sweetening of humour that makes it palatable to the layman

* It gives code examples that provide a little bit more in-depth exploration for the enthusiastic or aspirational novice

* It has a nice structure such that single exploits can be shared. For example, after a client of ours was hacked via a SQL injection on their website, we were able to show them the SQL injection exercises to demystify the topic a little bit and to make it seem less intimidating

* It's a great go-to starter. When I go to schools for careers fairs, I always give this link out to kids who are interested in security work.
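The SQL injection that Zhyl's client was hit by, and that santiagobasulto lists among the things to practise, as an added example that is not from the thread or from the tool Zhyl links: the vulnerable login query beside the parameterized one, run against an in-memory SQLite table with two made-up users. Table layout, usernames and the placeholder hash strings are constructed for the demonstration; password hashing itself is out of scope here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed rows (hash values are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL UNIQUE,
            password_hash TEXT NOT NULL,
            is_admin INTEGER NOT NULL
        );
        INSERT INTO users (username, password_hash, is_admin)
            VALUES ('alice', 'hash_of_alice_pw', 1), ('bob', 'hash_of_bob_pw', 0);
    """)
    return conn


def login_vulnerable(conn, username, password_hash):
    """Query text built by string interpolation: the caller's input becomes SQL."""
    sql = (f"SELECT username, is_admin FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password_hash):
    """Same query with bound parameters: input is always data, never SQL."""
    sql = "SELECT username, is_admin FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    # Closes the string literal, then comments out the password check entirely.
    payload = "alice' --"
    print("vulnerable:", login_vulnerable(conn, payload, "anything"))   # ('alice', 1)
    print("safe:      ", login_safe(conn, payload, "anything"))         # None
```

The point worth showing a client is the second function: nothing about the input is "escaped" or filtered, the database driver simply never parses it as SQL. Input validation is still worth having, but it is not what closes the hole.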

hackermailman | 8 years ago
This is a good course

https://www.cs.cmu.edu/~213/schedule.html

Buy the 3rd version book (used) and then try the labs as you go through the lecture vids/chapters http://csapp.cs.cmu.edu/3e/labs.html but avoid the 'global edition' as it's filled with errata, or just know there are mistakes.

You will learn assembly/C and also Return Oriented Programming, stack protections and how they work, buffer overflow attacks, implicit casting grenades, cache optimization, how the linker works, etc. Then you sign up for that old Matasano CTF https://microcorruption.com/login

When you complete it apply to NCC Group who I believe now owns microcorruption. Start at the bottom, work your way into a policy/advisory role somewhere else after gaining experience and applying for certs https://ciso.eccouncil.org/ Having data science experience is likely helpful since you can produce shiny presentations that board rooms like to see when you become their CISO

trapspring | 8 years ago
If you are a veteran or a federal employee, the Dept. of Homeland Security offers free online courses in network security. The program is very networking-specific and you'd have to pay for any certification testing yourself, but the courses will help take you a good chunk of the way in terms of prep and learning. https://fedvte.usalearning.gov/
cschmidt | 8 years ago
Since no one has mentioned it yet, Capture the Flag contests (CTF's) can be a good way to get into security. They are online contests featuring a series of security related puzzles.

They are hosted by lots of different groups at different levels. There are CTFs aimed at everyone from high school through the DEFCON CTF. This is a directory: https://ctftime.org/

twoquestions | 8 years ago
One question I have along with the very good question from the OP, do larger companies and governments actually care about security, or are they more interested in doing the proper dance and checking the right boxes to not be held responsible when they're hacked?

It seems irrational to want to learn how to secure systems when their owners don't care about it (and won't pay to secure them) if the risk can be transferred to other parties. I'm sure there's a few organizations that care if their data are stolen, but by and large it's a cost center, and treated accordingly in my experience.

wepple | 8 years ago
It’s a spectrum. There are companies that absolutely care with every fiber of their being, and those that couldn’t care less.

Now that “cyber” is a thing that can lead to a CEO losing their head, most companies are roughly in the middle somewhere. Sure, there will be a fall-guy and finger pointing, but it’s better to at least not be completely negligent.

“If the risk can be transferred to other parties” - that’s potentially a business avenue OP wants to pursue. AcmeCorp can buy OP's shiny datascienceDefender(tm) network monitor.

A lot of tech-first companies (and don’t forget, some legacy companies are desperately trying to become these) care a massive amount about security, so there is definitely volume of work with people who genuinely want to improve the state.

bourgoin | 8 years ago
If the incentive systems are designed correctly, maybe the dancing and box-checking can result in a near-optimal state. I think most of us here share the notion that hardening systems up-front is the most cost-effective way in the long run, but that companies tend not to do so due to a myopic view of security as a short-term expense rather than a long-term investment.

I read a post with an interesting idea recently: entities are currently treating customer data as an asset, whereas they should be treating it as a liability. If the regulatory incentives are set up such that customer data is a liability, companies will find it most efficient to buy insurance. And no successful insurance company will offer coverage without performing their due diligence. If the hardening itself is not the cost center, but rather the insurance premiums, then the end result may be companies doing infosec the right way, just because it's the most cost-effective thing to do.

brudgers | 8 years ago
Probably the most serious route to serious cyber-security training is via a military rating. At the state level the stakes and threats are highest.
lrvick | 8 years ago
Get involved in an active community full of security professionals and learn hands-on helping to secure open source projects.

There is no replacement for mentorship and getting your hands dirty with real world systems.

I will now shamelessly plug the community I learned the most from: https://hashbang.sh

ajr0 | 8 years ago
yes.

Data Science can be applied in many different ways, (somewhat) Recently LightCyber was acquired by PANW [0] and I believe that if you are in data science that may be something that tickles your itch.

If I may give advice, asking a more specific question to a search engine may also get you on a path with additional information. 'Cyber security' is a pretty large umbrella and much of it may bore you while only a small handful is interesting... so try to be more specific rather than say 'stuff'.

[0] https://www.paloaltonetworks.com/products/secure-the-network...

perlgeek | 8 years ago
What do you want to learn? Network security? Application security? Secrets management? Security operations?

I'm sure there are fields where data science is useful, like anomaly detection, malware classification etc.

sectossaccount | 8 years ago
Just created this account so that I could comment, and stay (reasonably) anonymous. I'm the CTO of a reasonably well known security company, for what it's worth - and I've been doing this for a little over two decades in a few countries.

The first misnomer is that there's one security thing. There are several. The offensive security folks (penetration testers) are far different from the advisory folks (think PCI, HIPAA). Vulnerability scanning, SOC (Security Operations Centers), secure development, and more - it's a wide field. The first thing to ask yourself is "what does security mean to me, and what do I want to do with it".

Given the first part of your question, I'll assume you're interested in software-based security (development) as opposed to infrastructure (network security, physical security, systems security), or the offensive side.

On the other hand, if you just want to 'get into security' - then learn a little bit about networking, and go find a job as a 'Network Operations Engineer' or 'Security Operations Specialist'. These are fairly low-level jobs in the security industry, that can serve as entry points, and help you learn about the other parts of the industry in depth, whilst getting paid.

Echoing what @santiagobasulto and others have mentioned.

1. CS - Understand how software works, not just how to code, but how things happen on machines. What are CPU registers? Write some assembly - nearly every single week my staff uses assembly to test an exploit. It's one hell of a lot easier to make a good developer a decent security professional than the other way around - just trust me on this.

2. Take philosophy and propositional logic courses - Good security folks are terrific critical thinkers. They learn to understand what risk means, and how to contextualize it for an organization. In other words the approach to risk and tolerance is completely different for Home Depot than it is for Evernote.

3. Learn Software Testing (not Quality Assurance). Combining this with critical thinking means you can start to pick apart software, even networks, from varying vantage points. If you combine this with your CS knowledge, it can really help you understand how to attack an application, or an organization.

4. Build a lab out of cheap, garbage hardware. For about $300-500 you can get 4 servers on Kijiji that can be used to run OpenStack and VMware. Get a physical switch, ideally something with a TAP port (but you can replicate that with VMware easily enough). Create VMs, play with things like Security Onion, create and destroy networks - use traffic generators... have a great time.

5. Read about standards - it helps to understand what NIST is for, what CVEs are, CWEs, OVAL. Explore a few vulnerabilities (CVEs), and understand what they are, why they matter, how they apply. Then grab a copy of Nexpose Community Edition, and scan your lab - play around.

6. Rebuild your lab, iterating on what you've learned above.

amorphous | 8 years ago
Thanks for your reply. I asked above already, could you explain what to study or what certs to get to follow the path of "advisory folks (think PCI, HIPAA)"
wepple | 8 years ago
OP: you’ll find you got a very vague, broad range of answers. I think it might help if you try to find a subset of security that you’re interested in or would like to tackle.

It’s very hard these days to be a complete and effective generalist in security, let alone be good at a range of security stuff while also being great at data science.

I’d consider focusing on appsec for a year, get a job attacking or defending apps for a year, and then you’ll have a basic understanding of the problem space.