(Part 2) Best products from r/AskNetsec

We found 30 comments on r/AskNetsec discussing the most recommended products. We ran sentiment analysis on each of these comments to determine how redditors feel about different products. We found 169 products and ranked them based on the amount of positive reactions they received. Here are the products ranked 21-40. You can also go back to the previous section.

Top comments mentioning products on r/AskNetsec:

u/xSinxify · 6 points · r/AskNetsec

That's a good setup you have going on, honestly. If you're looking for more resources, I can think of a few resources to supplement what you're already reading/doing

The Tangled Web - https://www.amazon.com/Tangled-Web-Securing-Modern-Applications/dp/1593273886

SQL Injection Attacks and Defense - https://www.amazon.com/gp/product/1597494240

Hacking Exposed: Web Application - https://www.amazon.com/HACKING-EXPOSED-WEB-APPLICATIONS-Edition/dp/0071740643/

https://pentesterlab.com/bootcamp - At this point, you can probably filter out what's relevant to you or not, this will map out other topics related to what you need to know, and may fill in any gaps you have at this point.

OWASP - https://www.owasp.org/index.php/Main_Page [Borderline vital to web app exploitation, Highly recommend if you haven't explored this site yet]

Now, the books and study materials are nice and all, but the most important thing is practical experience, and I see you've identified that by engaging yourself in DVWA. A few additional hands on labs you could dive into are vulnhubs that target the web (Broken Web Applications Project by OWASP is a must):

https://www.vulnhub.com/?q=Web&sort=date-asc&type=vm

Wargames (Overthewire / Smashthestack):

http://overthewire.org/wargames/natas/

SecurityInnovation (canyouhack.us):

http://canyouhack.us/ - It will start off with web challenges, feel free to stop when it starts getting into binary exploitation. What you've learned up to this point should carry you through the web application portion of this challenge, although some lateral thinking is required, which is also a skill you'll need for the GWAPT.

Google-Gruyere - https://google-gruyere.appspot.com/

Since you stated that you were going through the WAHH book, the labs over at mdsec may be a good investment for you at this point to follow along (although not exactly required if you properly use the resources above)

http://mdsec.net/labs/

https://www.wechall.net/challs - Again, filter out what you need to practice here. Lots of good challenges for multiple different areas of study.

CTF's: Be on the lookout for CTF's on http://ctftime.org and put a focus on the web challenges. These challenges will encourage lateral thinking like the securityinnovation challenge.
http://shell-storm.org/repo/CTF/ is an archive of older CTF's if you're having a hard time finding upcoming CTF's with good web exploitation sections. In my opinion, CSAW is especially good when it comes to web challenges, but check most of them out if you get time.

Another recommendation to you is to develop a decent understanding of how a web application is structured. It becomes easier to visualize how to attack a web application, when you can engineer one. So I will recommend that you learn:

HTML/CSS - don't spend way too much time on this, codecademy should suffice here

Javascript: The source of the client side exploits you will find in the future. Get your feet wet in javascript via codecademy, and progress further.

PHP: Source of the majority of server side exploits you will find (RFI/LFI, SQL Injection, etc). As with javascript, get your feet wet through codecademy, and try to progress further from there.

SQL: Important to know for SQL Injection. PHP is responsible for the implementation that leads to SQL Injection, but you should really know SQL to actually manipulate the DBMS to your needs.

With the web languages I listed, the end goal for you, should be to identify vulnerable source code, as well as being able to intentionally develop vulnerable source code, and fix it.

At this point, you should be relatively comfortable with the concepts covered in the GWAPT, however if not, take a look at the bulletin/syllabus of the actual exam, and individually research each topic.

http://www.giac.org/certification/web-application-penetration-tester-gwapt

Looking at the syllabus for the actual course that maps to GWAPT may provide some insight as well.

https://www.sans.org/course/web-app-penetration-testing-ethical-hacking

Hope I was able to help. Best of luck to you, and if you have any questions, feel free to let me know.
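The last point in that comment, being able to write an injectable query, recognise it and fix it, as an added example that is not part of the original post: a login lookup built by string formatting next to the parameterised version, run against a constructed in-memory SQLite table. Python/sqlite3 stands in for the PHP/MySQL stack the comment mentions; the `users` table, the `alice` account and its password are assumptions made for the demo.

```python
"""Vulnerable vs. parameterised login lookup (added example, not from the post).

Constructed setup: an in-memory SQLite table `users` with one account,
passwords stored as SHA-256 hashes. The stack in the comment is PHP/MySQL;
the injection and the fix are the same there (mysqli/PDO prepared statements).
"""
import hashlib
import sqlite3


def pw_hash(password: str) -> str:
    """Demo-only hashing; a real app would use bcrypt/argon2 with a salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Create the constructed sample database with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("correct horse")))
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The bug: user input is spliced straight into the SQL text."""
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{pw_hash(password)}'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Returns the matched username, or None. Injectable via `username`."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """The fix: placeholders keep the data out of the SQL grammar entirely."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Classic payload: close the string literal, then comment out the password check.
    payload = "alice' --"
    print(build_vulnerable_query(payload, "wrong"))
    print("vulnerable:", vulnerable_login(db, payload, "wrong"))  # alice
    print("fixed:     ", safe_login(db, payload, "wrong"))        # None
```

The payload works because `--` starts a comment in SQLite (and MySQL, with a trailing space), so the `AND pw_hash = ...` clause never reaches the parser; with placeholders the same bytes are compared as a literal username and match nothing.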

u/anachronic · 3 points · r/AskNetsec

> I have zero Linux experience. How should I correct this deficiency?

First, install a VM (Oracle OpenBox is free) and download a linux ISO and boot from it. Debian and Ubuntu are two of my favorites. Both are totally free (as are most linux distros). Once installed, start reading some beginner linux tutorials online (or get "Linux In A Nutshell" by O'Reilly).


Just fuck around with it... if you screw something up, blow it away and reinstall (or restore from a previous image)

> Is it necessary? Should I start trying to make Linux my primary OS instead of using windows, or should that come later?

It's not necessary, but will help you learn faster. A lot of security infrastructure runs on Linux and UNIX flavors. It's important to have at least a basic understanding of how a Linux POSIX system works.

> If you can, what are some good books to try to find used or on PDF to learn about cissp and cisa? Should I be going after both? Which should I seek first?

You don't need to worry about taking & passing them until you've been working in the field for at least 3-5 years, but if you can get some used review materials second-hand, it'll give you a rough idea what's out there in the security landscape and what a security professional is expected to know (generally)


CISSP - is more detailed and broader and is good if you're doing security work day-to-day (this is probably what you want)


CISA - is focused on auditing and IT governance and is good if you're an IT Auditor or working in compliance or something (probably not where you're headed)


> What are good books I can use to learn about networking? If you noticed I ask for books a lot its because the only internet I have is when I connect my android to my laptop by pdanet, and service is sketchy at my apartment.

O'Reilly is a reliable publisher of quality tech books. An Amazon search for "O'Reilly networking" pulls up a bunch. Also, their "in a nutshell" series of books are great reference books for Windows, Linux, Networking, etc... You can probably find older/used copies online for a decent price (check ebay and half.com too)

> How would you recommend learning about encryption? I just subscribed to /r/crypto so I can lurk there. Again, can you point me at some books?

Try "The Code Book" for a very accessible intro to crypto from ancient times thru today
http://www.amazon.com/The-Code-Book-Science-Cryptography/dp/0385495323


Also, for basics of computer architecture, read "CODE", which is absolutely excellent and shows how computers work from the ground up in VERY accessible writing.
http://www.amazon.com/Code-Language-Computer-Hardware-Software/dp/0735611319

u/noxiboy · 3 points · r/AskNetsec

Hey there,

I wrote it above, imagining it would have interested other people :) Let's go in further detail though, I realize there is plenty I left out!!

  • CBT Nuggets - Building a Network Design That Works (in depth)
  • CBT Nuggets - CompTIA Security+ SY0-401 (in depth)
  • CBT Nuggets - ISC2 Security CISSP (not everything)
    (All the nuggets above are from the same trainer, he is REALLY good)

  • This book http://smile.amazon.com/CompTIA-Security-Certification-Passport-Certficiation-ebook/dp/B00JFG708K helped, it also comes with a cd with questions, that help gauge your preparation (is there something similar online, free?)
  • Threat modeling (here and there, mostly videos on youtube and the internal learning portal) - sorry but I don't have a good resource for this, except for looking into DREAD and STRIDE and usual
  • 3 Infosec classes on Coursera (just watching the videos)
  • Lots of background research on recent vulnerabilities and security incidents
  • I read a few walkthroughs for some vulnerable apps (OwlNest, for example), never done one myself, but I did try to follow along for what I could - usually lost interest when the writer went into buffer overflows and got too technical - I was mostly interested in the reconnaissance phase
  • This video is really good https://www.youtube.com/watch?v=scQyykJwTsQ
  • Also, some training on how to do migrations (I found them on the internal network)
  • Random videos from the blackhat http://www.youtube.com/watch?v=GAuXcqt75Lk

Anything video was really helpful - I did take LOTS of notes - What I did is create a local Jekyll blog, open my favorite markdown editor, and write whatever was interesting the trainers were saying. I would suggest this to everybody.

Please note that the job I applied for is not strictly technical, so there were also lots of behavioural / case questions. I prepared for this with a friend, picking questions from the internet and using word clouds related to infosec and program management to improve my terminology

you can find lots of them here https://www.google.com/search?q=infosec+word+cloud&safe=off&es_sm=119&biw=1280&bih=614&source=lnms&tbm=isch&sa=X&ei=sH1UVIGoM4PpoASY34DQBQ&ved=0CAYQ_AUoAQ

u/hopscotchchampion · 39 points · r/AskNetsec

Hi sidvejs,

First I'd like to say congrats. That is an awesome position to be in. Perhaps my anecdotal experience below will be helpful.

I worked with the NSA community for six or seven years out in Maryland. At the start of your career these places can be a useful starting out point. If you're motivated by a sense of purpose such as duty to the "mission", you will likely be happy there. However as time went on, the coolness factor wore off for me. I'm motivated primarily by learning new things and a sense of autonomy. (The whole SF-86 and SCIF life really puts a damper on autonomy IMHO). I also started to dislike the culture.

I then went to private industry. I've worked at antivirus companies, bug bounty companies and now a really big social media company.
Private industry was/still is cool. I get to have a cell phone on me ( #scifjokes), and I get to live in a really beautiful part of the country (when it's not having earthquakes or on fire)

My first job in private industry was at an antivirus company. It made me realize that I really value a sense of camaraderie and learning from others. Having fun coworkers, who became my close personal friends was a really happy point in my life.

My current team at the big social media company has the same vibe. Each of us has a unique skill: windows, hardware hacking, reverse engineering, Linux, networking etc. We are paid to break into things :)
I've learned more from this team than my entire professional career.

Team vibe is very fun. I actually Amazon prime'd my teammate a pair of bongos today as a practical joke. Yesterday my coworker's spouse sent him a gift and we tried to convince him it was anthrax and he shouldn't open it.

When I find myself in position such as this, I actually check out this book. https://www.amazon.com/dp/B004ULVMKC/ref=cm_sw_r_sms_apa_i_CdJWDb8BD3X65

A former boss of mine wrote it. I remember the look on his face when I gave him notice and he asked if I was sure. I responded with "I read your book and I made the right call."
He lol'd.

Anyways, back to big internship decisions, I don't know what team you're looking at at FB, but if you want to talk more let me know.

u/scrambledhelix · 2 points · r/AskNetsec

Based on some of your responses to other answers, it seems like you want to know a lot more about encryption than just the keys: TLS for instance is a protocol for initiating an encrypted session, and has little to do with your original question directly. Applied Cryptography is an excellent and authoritative source, but I’d also recommend the shorter, more concise “Cryptography” from the Very Short Introduction series for beginners. But in short:

A symmetric key is a specific constant applied to a message with an encryption algorithm. Say we take the ASCII decimal value of each letter in the message “The Eagle has landed” => [84, 104, 101, 32, 69, 97, 103, 108, 101, 32, 104, 97, 115, 32, 108, 97, 110, 100, 101, 100]. The algorithm (we call it the cipher, here) is to multiply each character by “x” to encrypt the message; to decrypt the message we divide by “x”. In this case, the value of “x” is the key.

An asymmetric key is different in that it is a one-way operation. Here, “x” is broken into two parts, and where encryption takes place with one part, you need the other to decrypt. By encrypting the message, you make the message practically unrecoverable without the private key. This is effected in many encryption schemes by using a modulus, which is the operation such that “1 x n mod 3 = 1, 2 x n mod 3 = 2, and 3 x n mod 3 = 0”. The idea being, if counting an ordered set of numbers to whatever, every time you count up to the modulus value, wrap around again and continue from 0. One of the most basic asymmetric operations that works this way is using the modulus 33, where one part of the key is 3 and the other 7; let the public key be (33, 3) and the private key be (33, 7).

As before, we take the message and encrypt it with an algorithm. In this case however, our algorithm is the ascii value of the char to the power of the public key, modulo 33, or (where ‘c’ is the character value), c^3 mod 33. This gives us [24, 26, 8, 32, 27, 25, 31, 3, 8, 32, 26, 25, 4, 32, 3, 25, 11, 1, 8, 1] for the message. Notice that you can’t invert this algorithm — a modulus can’t be “reversed” by any means mathematically. What you can do though is apply the same algorithm with the other key, “7”, and this will result in the original. A short proof of this can be found here.

Since it’s the same operation, note that you can use either 3 or 7 as your public key — the choice of which is public and which is private is arbitrary.

When discussing protocols like TLS, this is instead specifying how to set up an encrypted channel for communication, which often involves an initial stage of passing messages using a combination of symmetric and asymmetric keys to establish a secure line of communication, with an initial, temporary key created on-the-fly for that particular session, and which is thrown away following each “block” of messages. Since this gets outside of your original question, I won’t go into it here.
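The (33, 3) / (33, 7) arithmetic from that comment in runnable form, as an added example that is not part of the original post. It derives the pair from the primes 3 and 11 (an assumption: the comment states the keys but not where 33 comes from), reproduces the per-character ciphertext list, and adds the check a practitioner wants: modular exponentiation only round-trips values smaller than the modulus, so with n = 33 any ASCII value of 33 or more comes back reduced mod 33. Toy sizes throughout; real RSA uses 2048-bit moduli and padding.

```python
"""Textbook RSA with the (33, 3) / (33, 7) pair from the comment (added example).

Not part of the original post. Toy sizes only: real RSA uses 2048-bit moduli
and padding (OAEP), and never encrypts text one character at a time.
"""
from math import gcd


def keygen(p: int, q: int, e: int):
    """Derive (n, e) and (n, d) from two primes and a public exponent e.

    p = 3, q = 11, e = 3 (assumed here) give n = 33 and d = 7.
    """
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient for n = p*q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # modular inverse of e mod phi (Python >= 3.8)
    return (n, e), (n, d)


def encrypt(m: int, pub):
    """c = m^e mod n, exactly the per-character operation in the comment."""
    n, e = pub
    return pow(m, e, n)


def decrypt(c: int, priv):
    """m = c^d mod n; undoes encrypt() only when 0 <= m < n."""
    n, d = priv
    return pow(c, d, n)


def encrypt_text(text: str, pub):
    """Per-character encryption of ASCII values (reproduces the comment's list)."""
    return [encrypt(ord(ch), pub) for ch in text]


def roundtrips(m: int, pub, priv) -> bool:
    """Check decrypt(encrypt(m)) == m; false for any m >= n, since the
    result can only ever be a residue in 0..n-1."""
    return decrypt(encrypt(m, pub), priv) == m


if __name__ == "__main__":
    pub, priv = keygen(3, 11, 3)          # ((33, 3), (33, 7))
    print(pub, priv)
    print(encrypt_text("The Eagle has landed", pub))
    print(roundtrips(8, pub, priv))       # True: 8 < 33
    print(roundtrips(84, pub, priv))      # False: 'T' = 84 decrypts to 84 mod 33 = 18
```

The decryption exponent is the inverse of e modulo phi(n) = (p-1)(q-1) = 20, which is why 3 and 7 pair up (3 * 7 = 21 = 1 mod 20) and why, as the comment says, either exponent can play the public role.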

u/_Skeith · 16 points · r/AskNetsec

Hey man! I work as Security Analyst - about a year away from graduating with my Bachelors.

I suggest you pick up the CompTIA Security+ Certification, as well as start learning the basics of Networks and how they function. Learn ports and protocols, as well as how IDS/IPS/Firewalls function. This will get you an entry level role as a Jr Analyst. I suggest you use [Professor Messer's Security+ Videos](http://www.professormesser.com/security-plus/sy0-401/sy0-401-course-index/). This will teach you the basics of security work, networking concepts, threats, etc.

At the same time start listening to podcasts like Paul's Security Weekly, Down the Security Rabbit Hole, etc. As well as start reading blogs on hacking to get a feel for whats done.

Get a home lab and learn a few tools like Wireshark and Nmap for basic Security Analyst work - to learn how packets work, how they are structured, and how to scan pc's for ports and services. At the same time, focus on learning about threats and vulnerabilities (which are covered in security+).

If you want to get into PenTesting then you need a wide range of knowledge. Pick up and learn a few languages (master the basics and understand what the code does and how to read/interpret it). You need to know: PHP, HTML, SQL, Python (or Ruby), and a basic language like C, or Java.

If you want to dig deeper into PenTesting then start reading: https://www.offensive-security.com/metasploit-unleashed/

Good way to get into the Kali Distro and learn how to run Metasploit against vulnerable VM's.

Take a look at https://www.vulnhub.com/resources/ for books, and vulnerable VM's to practice on.

https://www.cybrary.it/ is also a good place with tons of videos on Ethical Hacking, Post Exploitation, Python for Security, Metasploit, etc.

Pick up some books such as

The Hacker Playbook 2: Practical Guide To Penetration Testing

Hacking: The Art of Exploitation

Black Hat Python: Python Programming for Hackers and Pentesters

Rtfm: Red Team Field Manual

The Hacker Playbook and The Art of Exploitation are great resources to get you started and take you step by step on pen testing that will allow you to later explore the endless possibilities.

Also a good list of resources that you can learn more about security:

Getting Started in Information Security

Pentester Labs

Awesome InfoSec

Awesome Pentest

Overall experience and certification are what will get you into the door faster. Most employers will look for experience, but if they see you have motivation to learn and the drive to do so, then they might take you. Certifications also are big in the infosec field, as they get you past HR. And having a home lab and doing side projects in security also reflects well.

u/Kalabaster · 6 points · r/AskNetsec

How has the holy trinity not been mentioned?

Incident Response & Computer Forensics, Third Edition

  • This one will hit a lot of the beats you're looking for, even though it's a bit old (up to Win7) but still has the majority of things you need to get in there. Learn this book at 50% retention and you'll be better than a good majority of the IR professionals currently billing hours.

Practical Malware Analysis

  • Less focused on attack to defense relationships but lays the groundwork for a better look into what and why certain things "be how they be"

Art of memory forensics

  • Rounds it all out a bit with some fresh volatility goodness

u/onesecondatatime · 2 points · r/AskNetsec

Might be a little too mature for an 11 year old, but I'd recommend Little Brother and Homeland by Cory Doctorow.
I'd recommend you reading them as well. Some pretty good common-man explanations of some core security topics.

u/vornamemitd · 5 points · r/AskNetsec

Please quote your understanding/interpretation of a "use case".
Do you want to actually improve your security posture and keep your crown jewels safe, or is it about ticking off compliance check-boxes? In case of the latter, don’t bother spending money on consultants, fire up the security essentials app, drown in alerts and call it a day.

The foundation for the technical implementation of use cases has to be rooted within the corporate GRC process and relies on a properly mapped out risk assessment and business impact analysis of the systems and processes involved - across the actual value chain of your company. Knowing what to protect is SIEM agnostic.

Aside from that, implementing "some rules and alerts" to look for traces of things found on the latest ABC threat list will also only get you so far. And will definitely not justify the inevitable upgrade to Splunk Enterprise Security.

Given all the above is present, you might be looking at 2-4 days of workshops where you map out a stage 1 baseline comprised of generic use cases (account misuse, phishing/malware, etc.) and those affecting your actual business processes. Implementation will vary -> Connect log sources, normalize/enrich where possible, ingest, create rules and correlations, setup alerting, tweak/refine - rinse and repeat.
You’ll start with quick wins and start to dig deeper. Going for the classic (as opposed to ML/UEBA-driven approaches) will need constant tuning during the first weeks a new use case has been implemented. New threats, vulnerabilities, changes to your internal net - you can figure that out.

Will you be running/building an internal SOC? Work with a MDR/MSSP?

I can highly recommend this link http://correlatedsecurity.com/risk-driven-siem-use-case-development-methods-2/

Follow up with articles from Anton Chuvakin, get yourself a copy of the MAGMA UCF use case framework and assess your actual readiness and security organization maturity before going forward.

Order a copy of https://www.amazon.com/Blue-Team-Handbook-Condensed-Operations/dp/1091493898 - highly recommended!
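The normalize / ingest / correlate / alert loop from that comment, reduced to one generic stage-1 use case (account misuse), as an added example that is not part of the original post: raw Windows Security events are parsed into a common schema, then a rule flags a burst of failed logons followed by a success from the same source. Event IDs 4625 (failed logon) and 4624 (successful logon) are the real Windows Security IDs; the log lines, hostnames, usernames and addresses are constructed for the demo, and the threshold and window are the knobs the comment says will need tuning.

```python
"""Account-misuse correlation over constructed Windows Security log lines.

Added example, not from the comment above. Event IDs 4625 (failed logon)
and 4624 (successful logon) are real Windows Security IDs; every log line,
host, user and IP below is constructed for the demo.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: "<iso timestamp> <host> key=value ..." per line.
SAMPLE_LOG = """\
2024-03-01T09:00:01 DC01 EventID=4625 TargetUser=jdoe IpAddress=10.0.0.55
2024-03-01T09:00:03 DC01 EventID=4625 TargetUser=jdoe IpAddress=10.0.0.55
2024-03-01T09:00:05 DC01 EventID=4625 TargetUser=jdoe IpAddress=10.0.0.55
2024-03-01T09:00:07 DC01 EventID=4625 TargetUser=jdoe IpAddress=10.0.0.55
2024-03-01T09:00:09 DC01 EventID=4625 TargetUser=jdoe IpAddress=10.0.0.55
2024-03-01T09:00:12 DC01 EventID=4624 TargetUser=jdoe IpAddress=10.0.0.55
2024-03-01T09:30:00 DC01 EventID=4625 TargetUser=asmith IpAddress=10.0.0.77
2024-03-01T09:45:00 DC01 EventID=4624 TargetUser=asmith IpAddress=10.0.0.77
this line is garbage and must be skipped
"""


@dataclass
class Event:
    """Common schema every log source is normalised into."""
    ts: datetime
    host: str
    event_id: int
    user: str
    src_ip: str


def normalise(raw: str):
    """Parse raw lines into Event objects; silently drop malformed lines."""
    events = []
    for line in raw.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            fields = dict(p.split("=", 1) for p in parts[2:])
            events.append(Event(
                ts=datetime.fromisoformat(parts[0]),
                host=parts[1],
                event_id=int(fields["EventID"]),
                user=fields["TargetUser"].lower(),   # enrich/normalise case
                src_ip=fields["IpAddress"],
            ))
        except (KeyError, ValueError):
            continue
    return events


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Rule: >= threshold 4625s for (user, src) followed by a 4624 inside window.

    `threshold` and `window` are the tuning knobs; start loose, tighten
    once you have seen what the environment's normal failure rate looks like.
    """
    failures = defaultdict(list)   # (user, src_ip) -> timestamps of recent 4625s
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.user, ev.src_ip)
        if ev.event_id == 4625:
            failures[key] = [t for t in failures[key] if ev.ts - t <= window]
            failures[key].append(ev.ts)
        elif ev.event_id == 4624:
            recent = [t for t in failures[key] if ev.ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": ev.user, "src_ip": ev.src_ip,
                               "failures": len(recent), "success_at": ev.ts})
            failures[key].clear()     # a success resets the counter
    return alerts


if __name__ == "__main__":
    for alert in brute_force_then_success(normalise(SAMPLE_LOG)):
        print(alert)
```

Running it yields one alert (jdoe from 10.0.0.55, five failures then a success within eleven seconds) and none for asmith, whose single failure is below the threshold; raising the threshold or shrinking the window is the "tweak/refine" step, and the same rule shape carries over to any SIEM's correlation language once the source is normalised.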

u/Cmatt10123 · 1 point · r/AskNetsec

If its a windows environment you will be working in, which is the most common, there is a good list available here:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

Note that versions after XP have different codes for the same event.

------

Also this may sound a little corny, but it is a really good reference for Netsec Interviews:

http://www.amazon.com/IT-Security-Interviews-Exposed-Information/dp/0471779873

One of the authors is Russ Rogers (One of my mentors), a really smart guy that has done a lot in the security community.

u/ericrz · 1 point · r/AskNetsec

You're not necessarily looking for a book, but the one I wrote with a friend is geared towards the non-technical audience. Might be a good supplement to a video or course:

https://www.amazon.com/Donts-Your-Digital-Devices-Non-Techies/dp/1484203682/

u/blizz017 · 3 points · r/AskNetsec

u/gnullify · 2 points · r/AskNetsec

I have 3 semesters left so my plan has been to seek an internship next summer closer to graduating. Do you think it's unwise to wait that long? My independent study could be better but I've become proficient with Linux using Arch as my daily driver and reading through The Linux Command Line. I'm also going through The Basics of Hacking and Pentesting which had me set up a "lab". Just finished the recon chapter. Also proficient in Python/Java/C++ ("proficient" might be a bold claim, rust considered).

u/flyinfungi · 2 points · r/AskNetsec

Red team and pen testing isn't my forte so I would defer to some others. I am going for my OSWE. I am doing some pen test labs, reading HackerOne and going over vulnerabilities and their PoCs. Starting to do Hack The Box. OWASP Juice Shop. Reading the OWASP site in general. I read this book a while ago. Might be useful as a new AppSec person.

https://www.amazon.com/Web-Application-Security-Beginners-Guide/dp/0071776168

Honestly it's just DO DO DO DO, LEARN, LEARN, LEARN. Any topic you dive in will be hard. Learn something and apply it to the next topic.

Also understand some security fundamentals. Encryption, hashing, Risk, CIA.

u/observantguy · 2 points · r/AskNetsec

In that case, Violent Python may be helpful--not a tutorial on kali/netsec, but it'll help you learn about netsec aspects through coding your own "exploits"...

u/ak_z · 2 points · r/AskNetsec

> and pentesting isn't an entry level job

WRONG. I know a lot of companies that post pentest positions for fresh grads, because there is a big need for these people.

Do download a Kali copy and play around with it. Read books; I recommend Gray Hat Hacking: The Ethical Hacker's Handbook.

forget CISSP and CCNA (and don't even mention Ethical Hacker Cert) .. go for OSCP!

u/serious_face · 2 points · r/AskNetsec

http://www.amazon.com/The-Linux-Command-Line-Introduction/dp/1593273894


I bought and read this book before taking OSCP, and it's been one of the most useful books I've read.

u/masturbathon · 3 points · r/AskNetsec

Penetration testing is a really broad term. If you want the overview i would suggest picking up a book like Gray Hat Hacking.

Metasploit is a fun tool, but learning to use it without understanding the basics will not really lead to anywhere.

u/moomoocow · 1 point · r/AskNetsec

I recommend reading the following to get an overview:

The Basics of Hacking and Penetration Testing

If you want to do some programming specific (i.e. Python) try

Violent Python

u/Blufalcon94 · 1 point · r/AskNetsec

Check out Code: The Hidden Language of Computer Hardware and Software https://www.amazon.com/dp/0735611319/ref=cm_sw_r_awd_Rdrfub17VD49B