1 Status Quo of Cyber Security Industry
1.1 Highest salary
The Internet is the highest paid in the computer industry, and technical engineers are the highest paid in the Internet, and security engineers are the highest paid in technical engineers. The explosion of the security industry has made the security department of every Internet company a standard configuration and gradually spread. However, since the security majors in colleges and universities have only begun to become popular, the shortage of security practitioners and the high entry threshold have led to rising salaries.
1.2 Good and bad
The advantage is that more people will devote themselves to security. Of course, the disadvantages are also obvious. The urgent positions and shortage of personnel lead to a large number of good and bad people fishing in troubled waters. The obvious feature is that you talk to him about technical details and he talks to you to advance the implementation. , you talk to him about advancing and landing, he talks about direction control, you talk about direction control, he talks about team management, you talk about team management, he talks about industry space, if you can talk about these aspects, then It’s okay, more people answer the question, or the sentence makes sense but is useless, or they heard a theory here today and haven’t figured it out yet. I’ll come to you to explain the concept tomorrow, although saying this will offend some people. .
1.3 Circle Culture
Security is a small circle, and things in the circle spread very quickly, such as whose database has been leaked, who has been robbed, who has been arrested, and who has been punished. This is also the biggest benefit of the small circle. People can quickly learn about new technologies, new directions, and new policies in this industry. You can also easily know the security construction of each company. For example, you can talk to people from Ali about how strong their offline means of cooperating with the public security are, and you can also talk to people from Tencent about how their SRC operates so well. , You can also talk to Baidu's security people about how to enable machine learning to empower security products, all of which are very easy in the security circle. There are also many security conferences where you can learn from the experience of each company, instead of trying to figure out everything by yourself or working behind closed doors.
The disadvantages are also obvious. Engage in so-called "circle culture", hang out in various meetings to actively get to know people in various circles (of course, this does not refer to the students who are operated by various SRCs, these are part of the work of the operating students), and those who know All kinds of people are fine if they are communicating with technology. After adding WeChat, they never said anything meaningful except for the self-introduction of greetings. It is ridiculous and sad to think that they have entered the center of the circle.
2 Necessary qualities of safety practitioners
Having a basic engineer quality is the foundation of everything. On this basis, if you are outstanding in offensive and defensive penetration and software development, interest-driven and adaptable, you can adapt to work challenges well.
2.1 Offensive and defensive penetration and software development
First of all, it is necessary to clarify a concept. It is not the norm to specialize in the security industry. Security itself is a job that covers the client, front-end, network, back-end, server, etc. and involves JavaScript, Python, PHP, Java and other languages. The direction you are good at, but the premise is that you understand everything. This understanding should not stop at the level of understanding. If you are a security development engineer, in addition to R&D skills, you must also know the causes, utilization methods and repair solutions of common vulnerabilities. In addition to understanding the attack details of various vulnerabilities, engineers must also have basic development capabilities.
People who have offensive and defensive penetration and software development at the same time will show great advantages in all aspects of doing things later.
We have had very senior R&D engineers, but security products are different from user products. They often have no experience and no reference. The best situation is that you have lived in this house before, so you often need to have strong security. Background/Continuous trial and error adjustments to develop the best products. Even in many cases, communication/thinking needs to be changed in order to better collaborate and reduce generation gap and communication costs. This requirement does not have to be proficient in all kinds of things.
The current situation is that more people in the security industry are inclined to attack and defend against penetration, and if they have strong development skills at the same time, the advantages will be very obvious. In security product development/vulnerability mining/code auditing.
The complementarity between different positions is very important. If you are a vulnerability scanner, you will be handy if you have dug vulnerabilities in SRC, if you do code auditing, you can develop software, and if you are doing compliance auditing, you will be handy.
2.2 Interest Driven
Like security product development, penetration testing also requires constant trial and error, constantly testing various possible loopholes one by one, often testing hundreds of requests before gaining results, which requires good persistence, but stick to this This quality cannot be learned immediately, but there are often many things that can prompt us to persist, such as interest. My persistence in safety is driven by interest. I will encounter a clue from the morning to the early morning, and I will fumble from the evening to the afternoon because of a breakthrough point. I have seen too many excellent white hats because of their love, and they can love across industries.
2.3 Adaptability
Software engineers change new technologies every three years, while security engineers have new directions every year. There will be new vulnerabilities/new attack methods/new language vulnerabilities every day, and there will be new security technologies, security defense methods, and security directions every year, and there is no other way to deal with it than learning. A good self-driving and self-learning ability is everything Foundation.
3 Getting Started and Learning about Security
In the process of network security learning, the knowledge of each module is not difficult, but the knowledge involved is too wide. If there is no direction, it is too easy to take detours and the efficiency is particularly low. I suffered from this before, and wasted too much time.
Fortunately, I have landed now. During the job hunting process, according to the needs of each position, I summarized the learning route for quick entry. Interested friends can refer to the following:
Click to get the high-definition expandable mind map
The first stage: getting started with basic operations and learning basic knowledge
The first step to getting started is to learn some current mainstream security tool courses and supporting books on basic principles. Generally speaking, this process takes about 1 month.
At this stage, you already have a basic understanding of cybersecurity. If you have finished the first step, I believe you have theoretically understood the above is sql injection, what is xss attack, and you have also mastered the basic operations of security tools such as burp, msf, and cs. The most important thing at this time is to start laying the foundation!
The so-called "foundation" is actually a systematic study of basic computer knowledge. If you want to learn network security well, you must first have 5 basic knowledge modules:
1. Operating system
2. Protocol/Network
3. Database
4. Development language
5. Principles of Common Vulnerabilities
What is the use of learning these basics?
The level of knowledge in various fields of computer determines the upper limit of your penetration level.
[1] For example: if you have a high level of programming, you will be better than others in code auditing, and the exploit tools you write will be easier to use than others;
[2] For example: if you have a high level of database knowledge, then when you are conducting SQL injection attacks, you can write more and better SQL injection statements, which can bypass WAF that others cannot bypass;
【3】For example: if your network level is high, then you can understand the network structure of the target more easily than others when you infiltrate the internal network. You can get a network topology to know where you are, and get the configuration of a router. file, you will know what routes they have made;
【4】For another example, if your operating system is good, your privilege will be enhanced, your information collection efficiency will be higher, and you can efficiently filter out the information you want.
The second stage: practical operation
1. Mining SRC
The purpose of digging SRC is mainly to put the skills into practice. The biggest illusion of learning network security is to feel that you know everything, but when it comes to digging holes, you can’t do anything. SRC is a very good opportunity to apply skills.
2. Learn from technical sharing posts (vulnerability mining type)
Watch and learn all the 0day mining posts in the past ten years, and then build an environment to reproduce the loopholes, think and learn the author's digging thinking, and cultivate your own penetrating thinking
3. Range practice
Build a shooting range by yourself or go to a free shooting range website to practice. If you have the conditions, you can buy it or apply to a reliable training institution. Generally, there are supporting shooting range exercises.
Phase 3: Participate in CTF competitions or HVV operations
Recommended: CTF Competition
CTF has three points:
【1】A chance close to actual combat. Now the network security law is very strict, unlike before, everyone can mess around
[2] Topics keep up with the frontiers of technology, but many books lag behind
【3】If you are a college student, it will be very helpful for finding a job in the future
If you want to play a CTF competition, go directly to the competition questions, if you don’t understand the competition questions, go to the information according to what you don’t understand
Recommended: HVV (network protection)
HVV has four points:
[1] It can also greatly exercise you and improve your own skills. It is best to participate in the HVV action held every year
【2】Be able to meet many bigwigs in the circle and expand your network
【3】The salary of HVV is also very high, so you can earn a lot of money if you participate
[4] Like the CTF competition, if you are a college student, it will also be very helpful for finding a job in the future
According to this study plan, if all of them are completed, it will be no problem to just find a promising job or internship.
Corresponding to this plan, I have also collected video tutorials. Each stage has corresponding videos and information notes, etc.:
Epilogue
To be honest, there is no threshold for obtaining the information package mentioned above. However, I think many people get it but don't learn it. Most people's question seems to be " how to act ", but it is actually " can't start" . This is true in almost any field. The so-called " everything is difficult at the beginning", the vast majority of people are stuck at the first step, and they have eliminated themselves before they even started.
If you really believe you like cybersecurity/hacking, do it now, more than anything else.
The field of network security is like a towering tree full of fruit. There are countless onlookers standing under it. They all claim that they like network security and want to pick the fruit from the tree, but they are hesitant when faced with the vine branches that hang down from time to time. indecision.
In fact, you can climb this tree by just grabbing any vine branch. What most people lack is such a beginning.
This full version of online security learning materials has been uploaded. If you need it, you can scan the QR code of the CSDN official certification below on WeChat or click the link to get it for free [guaranteed 100% free]
https://mp.weixin.qq.com/s/rB52cfWsdBq57z1eaftQaQ