How to become a master of network security (hacker)?

Cyber security has to be studied continuously, from beginning to end, and universities alone cannot produce qualified cyber security talent. This is the fundamental reason why many students graduate with a cyber security major every year, yet very few of them actually work in cyber security positions.

If you plan to work in a network security position in the future, continuous learning is your only way.

Why is network security so popular?

There are two main reasons: market demand and industry development. With the spread of the Internet and the growing number of cybercrimes, enterprises pay more and more attention to network security, so the demand for network security professionals keeps increasing.

How to become a master of network security (hacker)?

As more and more people notice how large the Internet security market is, we have to become the best of the best if we want a large share of it.
However, teaching yourself network security without direction is like a headless fly buzzing around: it wastes time and energy, and while you are studying blindly, others have already left you thousands of miles behind.

⚡Now is a good time to learn cyber security, so don't waste this opportunity! So what should we do?

What follows is purely practical material, so be sure to read it carefully! If you can't finish reading, you can like and bookmark it to digest later. Here I recommend a hacker learning column, which contains multiple high-quality practice ranges, detailed explanations of various special exercises on CTF platforms, attack ideas, and more.

1. Detailed learning route

Self-studying network security without a route is completely useless: you learn blindly, picking up PHP first and tools later, so the results are poor and the knowledge points never link together. In the end, you only become a copy-and-paste script kiddie.

The following is a high-quality network security learning route. Follow the route in this picture, and I guarantee that you will learn more with less effort, faster than anyone else:

[Image: network security learning route]

Web security knowledge learning (theoretical period)

Web foundation/penetration environment construction/common tools

1. Basic knowledge of the Web, such as HTML, CSS, and JS, together with network communication protocols, the foundations of cryptography, common vulnerability types, operating systems, and explanations of related professional terms. (For details, please refer to the content of the vulnerability bank learning route.)

2. You can try to build the relevant environments locally, such as DVWA, Pikachu, and other security practice ranges. The frameworks and tools needed in later stages also require their own environments to be configured (for example, Sqlmap needs a Python environment and Burp Suite needs a Java environment). It can also be done in one go by building a virtual machine with an integrated environment.

3. Next, get to know the commonly used security frameworks and tools.

  • For example, the mainstream SQL injection exploitation tool Sqlmap
  • Burp Suite, which can be used for packet capture, brute-force cracking, and other functions, and Metasploit and CS (Cobalt Strike), used in intranet penetration
  • Nmap, which may be used in information collection, along with related cyberspace surveying and mapping platforms, Webmaster's Home, third-party threat intelligence centers, etc. There are also tools such as BeEF, AWVS, and Wireshark to assist penetration testing. The source files of some mainstream security frameworks can be downloaded from GitHub

OWASP Top 10 vulnerabilities

  • Injection
  • Broken Authentication and Session Management
  • Sensitive Information Leakage
  • XML External Entity Injection (XXE)
  • Broken Access Control
  • Security Misconfiguration
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using Components with Known Vulnerabilities
  • Insufficient Logging and Monitoring

Vulnerability mining (initial combat)

Cyberspace Mapping Platform

Compared with Google hacking syntax, it is a more professional way of collecting information.

Cyberspace surveying and mapping uses technical methods to detect the distribution of nodes and the network relationship indexes in the global Internet space, in order to build a map of the global Internet.

Compared with Google hacking syntax, you get more detailed and professional search results, as well as a more complex search syntax. Using it flexibly has a small learning threshold. Many common vulnerabilities are also exploited on the basis of cyberspace mapping platforms.

In fact, when you cannot find vulnerabilities, besides problems of approach, technical problems, and the vulnerabilities having already been dug up by experts, there is one more reason: the information collection was not thorough. Information collection may sometimes seem trivial and useless, but sometimes it decides whether a penetration succeeds, so we must do it well in advance, covering whois, ports, directories, and subdomains.

Actual Vulnerability Analysis

  • Reproduce and analyze popular and classic vulnerabilities (mid-term actual combat)

  • Find suitable well-known vulnerabilities from CVE, CNVD, and other major platforms, configure the environment, then reproduce and analyze them.

  • After the mid-term learning, you can try to find some well-known vulnerabilities on the major platforms, then configure the environment or directly find an online practice range for reproduction and vulnerability analysis (you can try the recent and rather famous Apache Log4j RCE vulnerability)

How to find related projects?

As mentioned above, in the early stage you can practice in various online CTF competitions, SRC platforms, and forums. Achievements and rankings are also bonus points for employment. This industry pays more attention to personal technical level, and whether you can find a job depends largely on your own level, and has nothing to do with others.

CTF problem-solving formula: WEB/MISC/RE/PWN/CY professional knowledge + CTF problem-solving thinking

CTF competition questions will definitely differ from actual combat. You can't always solve the questions from the perspective of actual combat, and you can't always complete a real project with a question-solving mindset. The essence of playing CTF is to improve your technique and to communicate and learn, so don't forget the original intention.

Join a team

If you want to develop over the long term on the road of network security, it is very necessary to join a team that suits you. Not only will you have a better learning environment, but you will also have more opportunities for competition and communication (most competitions are entered as teams and are divided into online trials and offline finals). After all, most of us are not full-stack players, and we cannot take care of the overall situation alone.

Summary

Network security cannot be blindly self-taught, and you cannot be blindly confident or blindly arrogant! Only by closely following the network security learning route in this article and making full use of the information given in it can you truly overtake in the fast lane and quickly become a master in the field of security!

As long as you study hard and persevere, you will get results. Web security knowledge is not difficult in nature, but there are many knowledge points and it is very complicated. Once you have certain professional Web security skills, you can try to challenge and further improve yourself.

Origin blog.csdn.net/HBohan/article/details/131807295