(Part 2) Best products from r/AskNetsec
We found 30 comments on r/AskNetsec discussing the most recommended products. We ran sentiment analysis on each of these comments to determine how redditors feel about different products. We found 169 products and ranked them based on the amount of positive reactions they received. Here are the products ranked 21-40.
21. Web Application Security, A Beginner's Guide
22. Network Forensics: Tracking Hackers through Cyberspace
23. IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job
24. 10 Don'ts on Your Digital Devices: The Non-Techie's Survival Guide to Cyber Security and Privacy
28. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography
- Anchor Books
29. Code: The Hidden Language of Computer Hardware and Software
- Microsoft Press
30. Gray Hat Hacking the Ethical Hackers Handbook
31. Mike Meyers’ CompTIA Security+ Certification Passport, Fourth Edition (Exam SY0-401) (Mike Meyers' Certification Passport)
32. Forget the Parachute, Let Me Fly the Plane
33. Cryptography: A Very Short Introduction (Very Short Introductions Book 68)
34. Rtfm: Red Team Field Manual
35. Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers
- Syngress
36. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
40. Blue Team Handbook: SOC, SIEM, and Threat Hunting (V1.02): A Condensed Guide for the Security Operations Team and Threat Hunter
That's a good setup you have going on, honestly. If you're looking for more resources, I can think of a few resources to supplement what you're already reading/doing:
The Tangled Web - https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886
SQL Injection Attacks and Defense - https://www.amazon.com/gp/product/1597494240
Hacking Exposed: Web Application - https://www.amazon.com/HACKING-EXPOSED-WEB-APPLICATIONS-Edition/dp/0071740643/
https://pentesterlab.com/bootcamp - At this point, you can probably filter out what's relevant to you or not, this will map out other topics related to what you need to know, and may fill in any gaps you have at this point.
OWASP - https://www.owasp.org/index.php/Main_Page [Borderline vital to web app exploitation, Highly recommend if you haven't explored this site yet]
Now, the books and study materials are nice and all, but the most important thing is practical experience, and I see you've identified that by engaging yourself in DVWA. A few additional hands on labs you could dive into are vulnhubs that target the web (Broken Web Applications Project by OWASP is a must):
https://www.vulnhub.com/?q=Web&sort=date-asc&type=vm
Wargames (Overthewire / Smashthestack):
http://overthewire.org/wargames/natas/
SecurityInnovation (canyouhack.us):
http://canyouhack.us/ - It will start off with web challenges, feel free to stop when it starts getting into binary exploitation. What you've learned up to this point should carry you through the web application portion of this challenge, although some lateral thinking is required, which is also a skill you'll need for the GWAPT.
Google-Gruyere - https://google-gruyere.appspot.com/
Since you stated that you were going through the WAHH book, the labs over at mdsec may be a good investment for you at this point to follow along (although not exactly required if you properly use the resources above)
http://mdsec.net/labs/
https://www.wechall.net/challs - Again, filter out what you need to practice here. Lots of good challenges for multiple different areas of study.
CTFs: Be on the lookout for CTFs on http://ctftime.org and put a focus on the web challenges. These challenges will encourage lateral thinking like the securityinnovation challenge.
http://shell-storm.org/repo/CTF/ is an archive of older CTFs if you're having a hard time finding upcoming CTFs with good web exploitation sections. In my opinion, CSAW is especially good when it comes to web challenges, but check most of them out if you get time.
Another recommendation to you is to develop a decent understanding of how a web application is structured. It becomes easier to visualize how to attack a web application when you can engineer one. So I will recommend that you learn:
HTML/CSS - don't spend way too much time on this, codecademy should suffice here
Javascript: The source of the client side exploits you will find in the future. Get your feet wet in javascript via codecademy, and progress further.
PHP: Source of the majority of server side exploits you will find (RFI/LFI, SQL Injection, etc). As with javascript, get your feet wet through codecademy, and try to progress further from there.
SQL: Important to know for SQL Injection. PHP is responsible for the implementation that leads to SQL Injection, but you should really know SQL to actually manipulate the DBMS to your needs.
With the web languages I listed, the end goal for you should be to identify vulnerable source code, as well as being able to intentionally develop vulnerable source code, and fix it.
At this point, you should be relatively comfortable with the concepts covered in the GWAPT, however if not, take a look at the bulletin/syllabus of the actual exam, and individually research each topic.
http://www.giac.org/certification/web-application-penetration-tester-gwapt
Looking at the syllabus for the actual course that maps to GWAPT may provide some insight as well.
https://www.sans.org/course/web-app-penetration-testing-ethical-hacking
Hope I was able to help. Best of luck to you, and if you have any questions, feel free to let me know.
> I have zero Linux experience. How should I correct this deficiency?
First, install a VM (Oracle OpenBox is free) and download a Linux ISO and boot from it. Debian and Ubuntu are two of my favorites. Both are totally free (as are most Linux distros). Once installed, start reading some beginner Linux tutorials online (or get "Linux In A Nutshell" by O'Reilly).
Just fuck around with it... if you screw something up, blow it away and reinstall (or restore from a previous image)
> Is it necessary? Should I start trying to make Linux my primary OS instead of using windows, or should that come later?
It's not necessary, but will help you learn faster. A lot of security infrastructure runs on Linux and UNIX flavors. It's important to have at least a basic understanding of how a Linux POSIX system works.
> If you can, what are some good books to try to find used or on PDF to learn about cissp and cisa? Should I be going after both? Which should I seek first?
You don't need to worry about taking & passing them until you've been working in the field for at least 3-5 years, but if you can get some used review materials second-hand, it'll give you a rough idea what's out there in the security landscape and what a security professional is expected to know (generally)
CISSP - is more detailed and broader and is good if you're doing security work day-to-day (this is probably what you want)
CISA - is focused on auditing and IT governance and is good if you're an IT Auditor or working in compliance or something (probably not where you're headed)
> What are good books I can use to learn about networking? If you noticed I ask for books a lot its because the only internet I have is when I connect my android to my laptop by pdanet, and service is sketchy at my apartment.
O'Reilly is a reliable publisher of quality tech books. An Amazon search for "O'Reilly networking" pulls up a bunch. Also, their "in a nutshell" series of books are great reference books for Windows, Linux, Networking, etc... You can probably find older/used copies online for a decent price (check eBay and half.com too).
> How would you recommend learning about encryption? I just subscribed to /r/crypto so I can lurk there. Again, can you point me at some books?
Try "The Code Book" for a very accessible intro to crypto from ancient times through today:
http://www.amazon.com/The-Code-Book-Science-Cryptography/dp/0385495323
Also, for basics of computer architecture, read "CODE", which is absolutely excellent and shows how computers work from the ground up in VERY accessible writing.
http://www.amazon.com/Code-Language-Computer-Hardware-Software/dp/0735611319
Hey there,
I wrote it above, imagining it would have interested other people :) Let's go in further detail though, I realize there is plenty I left out!!
(All the nuggets above are from the same trainer, he is REALLY good)
Anything video was really helpful - I did take LOTS of notes - What I did is create a local Jekyll blog, open my favorite markdown editor, and write down whatever interesting things the trainers were saying. I would suggest this to everybody.
Please note that the job I applied for is not strictly technical, so there were also lots of behavioural / case questions. I prepared for this with a friend, picking questions from the internet and using word clouds related to infosec and program management to improve my terminology
you can find lots of them here https://www.google.com/search?q=infosec+word+cloud&safe=off&es_sm=119&biw=1280&bih=614&source=lnms&tbm=isch&sa=X&ei=sH1UVIGoM4PpoASY34DQBQ&ved=0CAYQ_AUoAQ
Hi sidvejs,
First I'd like to say congrats. That is an awesome position to be in. Perhaps my anecdotal experience below will be helpful.
I worked with the NSA community for six or seven years out in Maryland. At the start of your career these places can be a useful starting out point. If you're motivated by a sense of purpose such as duty to the "mission", you will likely be happy there. However as time went on, the coolness factor wore off for me. I'm motivated primarily by learning new things and a sense of autonomy. (The whole SF-86 and SCIF life really puts a damper on autonomy IMHO). I also started to dislike the culture.
I then went to private industry. I've worked at antivirus companies, bug bounty companies and now a really big social media company.
Private industry was/still is cool. I get to have a cell phone on me (#scifjokes), and I get to live in a really beautiful part of the country (when it's not having earthquakes or on fire).
My first job in private industry was at an antivirus company. It made me realize that I really value a sense of camaraderie and learning from others. Having fun coworkers, who became my close personal friends was a really happy point in my life.
My current team at the big social media company has the same vibe. Each of us has a unique skill: windows, hardware hacking, reverse engineering, Linux, networking etc. We are paid to break into things :)
I've learned more from this team than my entire professional career.
Team vibe is very fun. I actually Amazon prime'd my teammate a pair of bongos today as a practical joke. Yesterday my coworker's spouse sent him a gift and we tried to convince him it was anthrax and he shouldn't open it.
When I find myself in position such as this, I actually check out this book. https://www.amazon.com/dp/B004ULVMKC/ref=cm_sw_r_sms_apa_i_CdJWDb8BD3X65
A former boss of mine wrote it. I remember the look on his face when I gave him notice and he asked if I was sure. I responded with "I read your book and I made the right call."
He lol'd.
Anyways, back to big internship decisions, I don't know what team you're looking at at FB, but if you want to talk more let me know.
Based on some of your responses to other answers, it seems like you want to know a lot more about encryption than just the keys: TLS for instance is a protocol for initiating an encrypted session, and has little to do with your original question directly. Applied Cryptography is an excellent and authoritative source, but I’d also recommend the shorter, more concise “Cryptography” from the Very Short Introduction series for beginners. But in short:
A symmetric key is a specific constant applied to a message with an encryption algorithm. Say we take the ASCII decimal value of each letter in the message “The Eagle has landed” => [84, 104, 101, 32, 69, 97, 103, 108, 101, 32, 104, 97, 115, 32, 108, 97, 110, 100, 101, 100]. The algorithm (we call it the cipher, here) is to multiply each character by “x” to encrypt the message; to decrypt the message we divide by “x”. In this case, the value of “x” is the key.
An asymmetric key is different in that it is a one-way operation. Here, “x” is broken into two parts, and where encryption takes place with one part, you need the other to decrypt. By encrypting the message, you make the message practically unrecoverable without the private key. This is effected in many encryption schemes by using a modulus, which is the operation such that “1 x n mod 3 = 1, 2 x n mod 3 = 2, and 3 x n mod 3 = 0”. The idea being, if counting an ordered set of numbers to whatever, every time you count up to the modulus value, wrap around again and continue from 0. One of the most basic asymmetric operations that works this way is using the modulus 33, where one part of the key is 3 and the other 7; let the public key be (33, 3) and the private key be (33, 7).
As before, we take the message and encrypt it with an algorithm. In this case however, our algorithm is the ascii value of the char to the power of the public key, modulo 33, or (where ‘c’ is the character value), c^3 mod 33. This gives us [24, 26, 8, 32, 27, 25, 31, 3, 8, 32, 26, 25, 4, 32, 3, 25, 11, 1, 8, 1] for the message. Notice that you can’t invert this algorithm — a modulus can’t be “reversed” by any means mathematically. What you can do though is apply the same algorithm with the other key, “7”, and this will result in the original. A short proof of this can be found here.
Since it’s the same operation, note that you can use either 3 or 7 as your public key — the choice of which is public and which is private is arbitrary.
When discussing protocols like TLS, this is instead specifying how to set up an encrypted channel for communication, which often involves an initial stage of passing messages using a combination of symmetric and asymmetric keys to establish a secure line of communication, with an initial, temporary key created on-the-fly for that particular session, and which is thrown away following each “block” of messages. Since this gets outside of your original question, I won’t go into it here.
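The toy asymmetric scheme in the comment above, worked through in code. This is an added example, not the commenter's code: it reproduces the comment's own numbers (modulus 33, key parts 3 and 7, the message "The Eagle has landed"), shows where the 7 comes from (3 * 7 = 21 = 1 mod 20, where 20 = (3-1)(11-1) for 33 = 3 * 11, so the two exponents are inverses modulo phi(n)), and also runs the comment's multiply-by-x symmetric cipher for contrast. The round trip returns each character reduced modulo 33, so only values below the modulus come back unchanged; the example checks that directly. The `inverse_exponent` helper relies on Python 3.8+'s `pow(e, -1, m)`.

```python
"""Toy RSA-style asymmetric cipher from the comment, plus its symmetric counterpart.
Added example; the modulus, exponents and message are the comment's own toy values."""

N = 33        # modulus n = p * q with p = 3, q = 11 (constructed toy value)
PHI = 20      # (p - 1) * (q - 1): the group order the exponents must be inverses in
PUBLIC = 3    # exponent published with the modulus
PRIVATE = 7   # exponent kept secret; 3 * 7 = 21 = 1 (mod 20)

MESSAGE = "The Eagle has landed"
PLAINTEXT = [ord(ch) for ch in MESSAGE]   # the ASCII list quoted in the comment


def inverse_exponent(e, phi=PHI):
    """Return d such that e * d = 1 (mod phi); this is why 3 pairs with 7 here."""
    return pow(e, -1, phi)


def apply_key(values, key, modulus=N):
    """The comment's algorithm: raise each character value to `key`, modulo `modulus`.
    The same function serves for both directions; only the exponent changes."""
    return [pow(v, key, modulus) for v in values]


def symmetric_encrypt(values, x):
    """The comment's symmetric cipher: multiply every value by the key x."""
    return [v * x for v in values]


def symmetric_decrypt(values, x):
    """Inverse of symmetric_encrypt: divide by the same key x."""
    return [v // x for v in values]


def asymmetric_round_trip(values):
    """Encrypt with the public exponent and decrypt with the private one.
    Returns (ciphertext, recovered). Because everything is reduced modulo N,
    `recovered` equals each input reduced mod 33, not the input itself when
    a value is 33 or larger, so a real scheme keeps every block below n."""
    ciphertext = apply_key(values, PUBLIC)
    recovered = apply_key(ciphertext, PRIVATE)
    return ciphertext, recovered


def survives_round_trip(values):
    """True only if every value is below the modulus, i.e. comes back unchanged."""
    _, recovered = asymmetric_round_trip(values)
    return recovered == values


if __name__ == "__main__":
    ct, rec = asymmetric_round_trip(PLAINTEXT)
    print("ciphertext:", ct)
    print("recovered: ", rec)
    print("unchanged? ", survives_round_trip(PLAINTEXT))
    print("small block unchanged?", survives_round_trip([1, 2, 3, 32]))
```

Running it prints the comment's ciphertext list for the public exponent, and then a recovered list in which 84 ('T') has become 18 (84 mod 33); swapping the roles of 3 and 7 gives the same behaviour, as the comment says, since the two exponents are inverses of each other.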
Hey man! I work as Security Analyst - about a year away from graduating with my Bachelors.
I suggest you pick up the CompTIA Security+ Certification, as well as start learning the basics of Networks and how they function. Learn ports and protocols, as well as how IDS/IPS/Firewalls function. This will get you an entry level role as a Jr Analyst. I suggest you use [Professor Messer's Security+ Videos](http://www.professormesser.com/security-plus/sy0-401/sy0-401-course-index/). This will teach you the basics of security work, networking concepts, threats, etc.
At the same time start listening to podcasts like Paul's Security Weekly, Down the Security Rabbit Hole, etc. As well as start reading blogs on hacking to get a feel for whats done.
Get a home lab and learn a few tools like Wireshark and Nmap for basic Security Analyst work - to learn how packets work, how they are structured, and how to scan PCs for ports and services. At the same time, focus on learning about threats and vulnerabilities (which are covered in Security+).
If you want to get into PenTesting then you need a wide range of knowledge. Pick up and learn a few languages (master the basics and understand what the code does and how to read/interpret it). You need to know: PHP, HTML, SQL, Python (or Ruby), and a basic language like C, or Java.
If you want to dig deeper into PenTesting then start reading: https://www.offensive-security.com/metasploit-unleashed/
Good way to get into the Kali Distro and learn how to run Metasploit against vulnerable VMs.
Take a look at https://www.vulnhub.com/resources/ for books, and vulnerable VMs to practice on.
https://www.cybrary.it/ is also a good place with tons of videos on Ethical Hacking, Post Exploitation, Python for Security, Metasploit, etc.
Pick up some books such as
The Hacker Playbook 2: Practical Guide To Penetration Testing
Hacking: The Art of Exploitation
Black Hat Python: Python Programming for Hackers and Pentesters
Rtfm: Red Team Field Manual
The Hacker Playbook and The Art of Exploitation are great resources to get you started and take you step by step on pen testing, which will allow you to later explore the endless possibilities.
Also a good list of resources that you can learn more about security:
Getting Started in Information Security
Pentester Labs
Awesome InfoSec
Awesome Pentest
Overall experience and certification are what will get you into the door faster. Most employers will look for experience, but if they see you have motivation to learn and the drive to do so, then they might take you. Certifications also are big in the infosec field, as they get you past HR. And having a home lab and doing side projects in security also reflects well.
How has the holy trinity not been mentioned?
Incident Response & Computer Forensics, Third Edition
Practical Malware Analysis
Art of memory forensics
Might be a little too mature for an 11 year old, but I'd recommend Little Brother and Homeland by Cory Doctorow.
I'd recommend you reading them as well. Some pretty good common-man explanations of some core security topics.
Please quote your understanding/interpretation of a "use case".
Do you want to actually improve your security posture and keep your crown jewels safe, or is it about ticking off compliance check-boxes? In case of the latter, don’t bother spending money on consultants, fire up the security essentials app, drown in alerts and call it a day.
The foundation for the technical implementation of use cases has to be rooted within the corporate GRC process and relies on a properly mapped out risk assessment and business impact analysis of the systems and processes involved - across the actual value chain of your company. Knowing what to protect is SIEM agnostic.
Aside from that, implementing "some rules and alerts" to look for traces of things found on the latest ABC threat list will also only get you so far. And will definitely not justify the inevitable upgrade to Splunk Enterprise Security.
Given all the above is present, you might be looking at 2-4 days of workshops where you map out a stage 1 baseline comprised of generic use cases (account misuse, phishing/malware, etc.) and those affecting your actual business processes. Implementation will vary -> Connect log sources, normalize/enrich where possible, ingest, create rules and correlations, set up alerting, tweak/refine - rinse and repeat.
You’ll start with quick wins and start to dig deeper. Going for the classic (as opposed to ML/UEBA-driven approaches) will need constant tuning during the first weeks a new use case has been implemented. New threats, vulnerabilities, changes to your internal net - you can figure that out.
Will you be running/building an internal SOC? Work with an MDR/MSSP?
I can highly recommend this link http://correlatedsecurity.com/risk-driven-siem-use-case-development-methods-2/
Follow up with articles from Anton Chuvakin, get yourself a copy of the MAGMA UCF use case framework and assess your actual readiness and security organization maturity before going forward.
Order a copy of https://www.amazon.com/Blue-Team-Handbook-Condensed-Operations/dp/1091493898 - highly recommended!
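The implementation loop sketched in the comment above (connect log sources, normalize, ingest, write a correlation rule, alert, tune), reduced to a runnable skeleton. This is an added example and not the commenter's code or any SIEM product's logic; it normalizes two constructed log formats (an sshd journal line and a CSV-style Windows logon export) into one schema and then evaluates one stage-1 "account misuse" use case over them: several failed logons from one source address inside a time window, followed by a success from that same address. All hostnames, addresses, users and timestamps are made up; the Windows event IDs 4625 (failed logon) and 4624 (successful logon) are the real ones. The `min_failures` and `window` parameters are the tuning knobs the comment says you will keep turning in the first weeks.

```python
"""Minimal normalize -> ingest -> correlate -> alert pipeline (added example).
The two raw formats and every value in RAW_EVENTS are constructed for this demo."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: (source name, raw line). Three different users fail
# from 203.0.113.7 and then one succeeds; 198.51.100.9 fails once and succeeds.
RAW_EVENTS = [
    ("sshd", "2024-03-01T09:00:01 host1 sshd[211]: Failed password for alice from 203.0.113.7 port 5000 ssh2"),
    ("sshd", "2024-03-01T09:00:04 host1 sshd[211]: Failed password for bob from 203.0.113.7 port 5001 ssh2"),
    ("sshd", "2024-03-01T09:00:09 host1 sshd[211]: Failed password for carol from 203.0.113.7 port 5002 ssh2"),
    ("sshd", "2024-03-01T09:00:30 host1 sshd[211]: Accepted password for carol from 203.0.113.7 port 5003 ssh2"),
    ("winevt", "2024-03-01T09:05:00,WS-22,4625,dave,198.51.100.9"),
    ("winevt", "2024-03-01T09:06:00,WS-22,4624,dave,198.51.100.9"),
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)
WIN_OUTCOME = {"4624": "success", "4625": "failure"}  # real Windows logon event IDs


def normalize(source, line):
    """Map one raw line onto the common schema: ts, host, user, src_ip, outcome.
    Returns None for lines the parser does not understand (they are dropped)."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": m["user"],
                "src_ip": m["src"], "outcome": "success" if m["outcome"] == "Accepted" else "failure"}
    if source == "winevt":
        ts, host, event_id, user, src = line.split(",")
        return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                "src_ip": src, "outcome": WIN_OUTCOME.get(event_id, "other")}
    return None


def ingest(raw):
    """Normalize every line, drop unparseable ones, order by timestamp."""
    events = [e for e in (normalize(src, line) for src, line in raw) if e]
    return sorted(events, key=lambda e: e["ts"])


def failures_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Use case: >= min_failures failed logons from one source IP within `window`,
    then a success from that IP. Emits one alert per qualifying success."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        recent = []  # failures still inside the window
        for e in evs:
            recent = [f for f in recent if e["ts"] - f["ts"] <= window]
            if e["outcome"] == "failure":
                recent.append(e)
            elif e["outcome"] == "success":
                if len(recent) >= min_failures:
                    alerts.append({"src_ip": ip, "host": e["host"], "user": e["user"],
                                   "failed_users": sorted({f["user"] for f in recent}),
                                   "at": e["ts"].isoformat()})
                recent = []  # the success closes this sequence
    return alerts


def run(raw=RAW_EVENTS, **tuning):
    """Whole pipeline: returns the alert list for the given raw lines and tuning."""
    return failures_then_success(ingest(raw), **tuning)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the defaults this yields a single alert for 203.0.113.7 (three distinct users failed, then carol succeeded); raising `min_failures` to 4 silences it, which is the kind of threshold decision the comment means by tweak/refine. A real deployment would also enrich each event (asset owner, user department, known-VPN ranges) before the rule runs, which is where the "normalize/enrich" step earns its keep.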
If it's a Windows environment you will be working in, which is the most common, there is a good list available here:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
Note that versions after XP have different codes for the same event.
------
Also this may sound a little corny, but it is a really good reference for Netsec Interviews:
http://www.amazon.com/IT-Security-Interviews-Exposed-Information/dp/0471779873
One of the authors is Russ Rogers (One of my mentors), a really smart guy that has done a lot in the security community.
You're not necessarily looking for a book, but the one I wrote with a friend is geared towards the non-technical audience. Might be a good supplement to a video or course:
https://www.amazon.com/Donts-Your-Digital-Devices-Non-Techies/dp/1484203682/
Either one of these two should get you started. I haven't personally read the 2nd one, but I've heard good things.
Followup/Read along with either/both of the following:
I have 3 semesters left so my plan has been to seek an internship next summer closer to graduating. Do you think it's unwise to wait that long? My independent study could be better but I've become proficient with Linux using Arch as my daily driver and reading through The Linux Command Line. I'm also going through The Basics of Hacking and Pentesting which had me set up a "lab". Just finished the recon chapter. Also proficient in Python/Java/C++ ("proficient" might be a bold claim, rust considered).
Red team and pen testing isn't my forte so I would defer to some others. I am going for my OSWE. I am doing some pen test labs, reading HackerOne and going over vulnerabilities and their PoCs. Starting to do Hack The Box. OWASP Juice. Reading the OWASP site in general. I read this book a while ago. Might be useful as a new AppSec person.
https://www.amazon.com/Web-Application-Security-Beginners-Guide/dp/0071776168
Honestly it's just DO DO DO DO, LEARN, LEARN, LEARN. Any topic you dive in will be hard. Learn something and apply it to the next topic.
Also understand some security fundamentals. Encryption, hashing, Risk, CIA.
In that case, Violent Python may be helpful--not a tutorial on kali/netsec, but it'll help you learn about netsec aspects through coding your own "exploits"...
> and pentesting isn't an entry level job
WRONG. I know a lot of companies that post pentest positions for fresh grads, because there is a big need for these people.
Do download a Kali copy and play around with it. Read books; I recommend Gray Hat Hacking: The Ethical Hacker's Handbook.
forget CISSP and CCNA (and don't even mention Ethical Hacker Cert) .. go for OSCP!
http://www.amazon.com/The-Linux-Command-Line-Introduction/dp/1593273894
I bought and read this book before taking OSCP, and it's been one of the most useful books I've read.
Penetration testing is a really broad term. If you want the overview I would suggest picking up a book like Gray Hat Hacking.
Metasploit is a fun tool, but learning to use it without understanding the basics will not really lead to anywhere.
This book would be a good start: https://www.amazon.com/Network-Forensics-Tracking-Hackers-Cyberspace/dp/0132564718
I recommend reading the following to get an overview:
The Basics of Hacking and Penetration Testing
If you want to do something programming-specific (i.e. Python) try
Violent Python
IT Security Interviews Exposed.
http://www.amazon.com/IT-Security-Interviews-Exposed-Information/dp/0471779873
https://www.amazon.com/Violent-Python-Cookbook-Penetration-Engineers/dp/1597499579
RTFM
Check out Code: The Hidden Language of Computer Hardware and Software https://www.amazon.com/dp/0735611319/ref=cm_sw_r_awd_Rdrfub17VD49B