Is an information security/cybersecurity major a good choice?

I graduated with a major in information security and have worked both in the security department of a large Internet company (the client side, "Party A") and at a large security company (the vendor side, "Party B"). I have some experience that may be a useful reference for those who are interested in the security industry.

Maybe it is because Han Shangyan has made more people aware of CTF, or maybe it is because the country pays more and more attention to network security, but security has become more popular recently. Whatever makes you decide to choose this path, you should think carefully about how interested you are in security and whether you really want to study this major. Your enthusiasm for technology determines whether you can keep going down this path.

1. Starting in college

Choosing a school is the eternal focus after the college entrance examination. The same person will live a completely different life after spending four years at two different schools. In fact, university rankings and subject rankings are not worth much as a reference. At least in information security, they do not represent higher achievement after graduation, nor a better environment for your growth. Information security is a major that depends heavily on atmosphere, and it is extremely important for the school to have an active security club. If a school ranks near the top in major CTF competitions, it can basically be said to have a good security atmosphere. Security is not all CTF, but for now something like atmosphere can only be measured by CTF rankings. To put it bluntly, passing knowledge down matters a great deal in security, and having a senior to guide you can save you a lot of detours. Here are some schools that frequently show up within the security community. The list is from memory, so there are certainly omissions:

985: Tsinghua University, Fudan University, Shanghai Jiao Tong University, Zhejiang University, Beihang University, Chengdu University

Prospective graduate students should not rely directly on the above list. The city is also very important; it would be better to come to Beijing or Shanghai. Being close to security companies and major Internet companies determines whether you can intern early and when you can enter the industry.

You will find that although the network security industry is inseparable from hackers, vulnerabilities, and network attack and defense, teachers will not teach you these things, and even where they are touched on, it is only in general terms. Everything taught at school is the basics. After all, what if they accidentally taught you to become a hacker?

If you want to learn the interesting and dangerous things in the engineering field, you need a high degree of initiative. Seniors who will guide you are of course indispensable, which is why I emphasized the importance of atmosphere earlier. It is easy to learn programming on your own, but difficult to learn network security that way, because the field develops so fast. If you spend your undergraduate years comfortably, there is a high probability that you will have accomplished nothing by graduation. You do not have to live as you did in your final year of high school, but you should at least live as you did in high school.

Some people may also ask whether the network security industry discriminates between those who majored in the subject and those who did not. The reason academic qualifications and school background carry relatively little weight in the network security industry is that a person's programming level is easy to judge, and that level determines whether they are qualified for the job. In network security, the strong crush the weak even more thoroughly. The strong may hold 0days and know some exclusive tricks; the weak may only be able to talk on paper. Academic qualifications cannot bridge this gap. But if two people, one from a 985 school and one from a Shuangfei school (neither 985 nor 211), are of average and equal strength, the one from the 985 school will do better, and a good school means more choices (for example, if you can only talk on paper, you can also be a document engineer).

2. Growing along the way

Everyone's growth trajectory is different, and security can be divided into many directions that are very different from each other. When you write your resume for the job hunt after graduation, I hope you can show achievements under each of the following points:

  • Subject foundation
    • Basic computer knowledge (all important professional courses in the subject)
    • Programming ability (at least PHP/Java/Python/Js)
    • Security basics (common/uncommon vulnerabilities)
  • Professional skills
    • Penetration testing
    • Code audit
    • Intranet penetration
    • Emergency response
  • Project experience (from internship & outsourcing)
    • XX penetration project experience
    • XX code audit project experience
    • XX emergency response experience
    • XX network protection experience
    • XX security development experience
  • Open source projects (personal)
    • A personal blog that frequently posts vulnerability analysis
    • Regular development projects with some complexity
    • Scanner/monitoring/white box auditing and other security development projects
    • Some simple and easy-to-use security gadgets/exp
  • Competition awards
    • CTF competition awards
    • National competition awards
    • Other awards that make your resume look less thin
  • Honors in the community
    • Vulnerability platform rankings
    • SRC leaderboard rankings
    • CVE vulnerabilities
    • Author of several high-quality articles
    • Speaker at (non-academic) security conferences

Of course, some of these are more difficult. If you complete them all, you are a real master; just do your best. Here are some suggestions as well:

  • Don't think that programming skills and computer basics are unimportant and only security knowledge matters - I can only say that they are all important. Programming ability and computer foundations determine your upper limit, the real upper limit. A person who has only high-school-level mathematics and barely passed the exam can easily write business code; a person who lacks programming skills and computer basics will find any security knowledge incomprehensible.
  • Find more vulnerabilities. In the current environment, taking part in crowdsourced testing programs and hunting on SRC platforms will be very helpful in finding a job in the future. Do not touch any other websites, and do not conduct unauthorized penetration tests. High-quality CVEs are very important. GitHub has now become the main place for farming CVEs, and many of those CVEs are too trivial to have any value. If you have one or two quality CVEs and publish a few articles in the industry, it will be easy to get into a big company.
  • If you are keen on CTF, you can play more. Although the practical significance is limited, it is excellent for collecting tricks. If you have the opportunity, you can also experience network protection exercises. The joy of red and blue confrontation is something that capture the flag competitions cannot give you, and it is more practical. (A company recruiting security engineers may not take part in CTF competitions, but it rarely skips network protection exercises.)

3. How to learn network security

Before you start

  1. This is a path that requires persistence. If you only have three minutes of enthusiasm, you can give up on reading any further.
  2. Practice more and think more. Don't end up helpless once you leave the tutorial. It is best to work through the technique independently after reading the tutorial.
  3. If you have questions, search Google, Baidu and similar sites first; we rarely meet a kind-hearted expert who will simply hand you the answers.
  4. If you encounter something that you really don’t understand, you can put it aside for now and solve it later.

Getting started from zero

For students who have never been exposed to network security, we have prepared a detailed learning and growth roadmap. It can be said to be the most scientific and systematic learning route, and following this general direction will work for everyone.

Let's get down to the specific technical points. The whole network security learning route takes about half a year, depending on each person's situation.

1. Web security related concepts (2 weeks)

  • Become familiar with the basic concepts (SQL injection, upload, XSS, CSRF, one-sentence Trojan, etc.);
  • Search Google/SecWiki by keyword (SQL injection, upload, XSS, CSRF, one-sentence Trojan, etc.);
  • Read "Mastering Script Hacking"; although it is very old and contains errors, it is still usable for getting started;
  • Watch some penetration notes/videos to understand the entire process of an actual penetration; you can Google (penetration notes, penetration process, intrusion process, etc.);

2. Get familiar with penetration-related tools (3 weeks)

  • Become familiar with the use of AWVS, sqlmap, Burp, nessus, Chopper, nmap, Appscan and other related tools;
  • To understand the purpose and usage scenarios of this type of tool, first search for the tool's name on Google/SecWiki;
  • Download the backdoor-free versions of these tools and install them;
  • Learn and use them. Specific teaching materials can be searched on SecWiki, such as tutorials for Burp and sqlmap;
  • Once you have learned these commonly used tools, you can install Sonic Startup to make a penetration toolbox;

3. Practical penetration work (5 weeks)

Master every phase of a penetration and be able to penetrate small sites independently. Find penetration videos online and think about the ideas and principles behind them, using keywords (penetration, SQL injection videos, file upload intrusion, database backup, dedecms vulnerability exploitation, etc.);

  • Find your own site/build a test environment for testing, and remember to hide yourself;
  • Think about which stages a penetration is divided into, and what work needs to be done at each stage;
  • Study the types, injection principles, and manual injection techniques of SQL injection;
  • Study the principles of file upload, how to perform truncation, double suffix spoofing (IIS, PHP), parsing vulnerability exploitation (IIS, Nginx, Apache), etc.;
  • Study how XSS arises and its types. For specific learning methods, please refer to Google/SecWiki;
  • Research the methods and specific uses of Windows/Linux privilege escalation;

4. Follow developments in the security community (1 week)

  • Pay attention to the latest vulnerabilities, security incidents and technical articles in the security community;
  • Browse daily security technology articles/events through SecWiki;
  • Follow practitioners in the security community through Weibo/Twitter (when you come across a well-known expert, or someone a friend follows, follow them without hesitation), and take time to check in every day;
  • Subscribe to domestic and foreign security technology blogs through feedly/Xianguo (don't limit yourself to domestic ones, and keep accumulating). If you don't have subscription sources, you can check out the aggregation column of SecWiki;
  • Make it a habit to submit links to security technology articles to SecWiki every day, to build up your collection;
  • Pay more attention to the latest vulnerability lists. We recommend a few: exploit-db, CVE Chinese library, Wooyun, etc. If you encounter public vulnerabilities, practice them.
  • If you are interested in topics or videos of domestic and international security conferences, SecWiki-Conference is recommended;

5. Get familiar with Windows/Kali Linux (3 weeks)

  • Learn basic Windows/Kali Linux commands and common tools;
  • Become familiar with common cmd commands under Windows, such as: ipconfig, nslookup, tracert, net, tasklist, taskkill, etc.;
  • Become familiar with common commands under Linux, such as: ifconfig, ls, cp, mv, vi, wget, service, sudo, etc.;
  • To get familiar with common tools under the Kali Linux system, you can refer to SecWiki's "Web Penetration Testing with Kali Linux", "Hacking With Kali", etc.;
  • To get familiar with the metasploit tools, you can refer to SecWiki and "Metasploit Penetration Guide";

6. Server security configuration (3 weeks)

  • Learn server environment configuration and be able to spot security issues in a configuration by reasoning about it;
  • IIS configuration in a Windows 2003/2008 environment, paying special attention to security settings and running permissions;
  • The security configuration of LAMP in a Linux environment, mainly considering running permissions, cross-directory access, folder permissions, etc.;
  • Remote system hardening, restricting username and password login, and restricting ports through iptables;
  • Configure a software WAF to strengthen system security, for example mod_security and similar systems on the server;
  • Use Nessus to run security checks against the configured environment and discover unknown security threats;
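
For the "restricting username and password login" item above, here is an added example (not part of the original post) that audits an OpenSSH `sshd_config` for settings that still allow password-based or root login. It assumes OpenSSH semantics (the first value of a keyword wins, and absent keywords take the defaults listed); it reads only the global section and does not follow `Include` or `Match` blocks, and the sample configs are constructed.

```python
# Added example: audit the global section of an OpenSSH sshd_config for
# weak login settings. Directive names are real OpenSSH keywords; the
# sample configurations at the bottom are constructed for illustration.

# OpenSSH defaults that apply when a directive is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}
# Values treated as hardened for each directive (assumed policy).
HARDENED = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password",
                        "forced-commands-only"},
    "permitemptypasswords": {"no"},
}

def effective_settings(text):
    """Return the effective global value of each audited directive."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":
            break                                # conditional blocks not audited
        if key in DEFAULTS and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().strip('"').lower()  # first value wins
    return {**DEFAULTS, **seen}

def audit(text):
    """List (directive, value) pairs that still allow weak login."""
    eff = effective_settings(text)
    return sorted((k, v) for k, v in eff.items() if v not in HARDENED[k])

SAMPLE_WEAK = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes   # ignored by sshd: first value wins
"""
SAMPLE_EMPTY = "Port 22\n"   # constructed: relies entirely on defaults

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("empty", SAMPLE_EMPTY)):
        print(name, audit(cfg))
```

The second sample shows why an empty finding list cannot be assumed for a minimal config: with no `PasswordAuthentication` line, the OpenSSH default still permits password login.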

7. Script programming learning (4 weeks)

  • Choose a scripting language;
  • Pick one of Perl/Python/PHP/Go/Java and learn to program with its common libraries;
  • Set up a development environment and choose an IDE. Wamp and XAMPP are recommended for PHP environments, and Sublime is highly recommended as an IDE;
  • Learn Python programming. The learning content includes: syntax, regular expressions, files, networking, multi-threading and other common libraries. We recommend "Python Core Programming"; there is no need to read it to the end;
  • Use Python to write an exploit for a vulnerability, and then write a simple web crawler;
  • Learn the basic syntax of PHP and write a simple blog system, see "PHP and MySQL Programming (4th Edition)" and video;
  • Be familiar with the MVC architecture and try to learn a PHP framework or Python framework (optional);
  • Understand Bootstrap layout or CSS;

8. Source code audit and vulnerability analysis (3 weeks)

  • Be able to independently analyze script source code and discover security issues;
  • Be familiar with dynamic and static methods of source code auditing, and know how to analyze programs;
  • Find vulnerabilities in open source programs from Wooyun and try to analyze them yourself;
  • Understand the causes of web vulnerabilities, and then search and analyze them through keywords;
  • Study how web vulnerabilities arise and how to avoid them at the source code level, and organize the results into a checklist.

9. Security system design and development (5 weeks)

  • Be able to build your own security system and put forward security suggestions or system architectures;
  • Develop some practical security gadgets and open source them to show your personal strength;
  • Build your own security system and form your own understanding of and opinions on company security;
  • Propose or join the architecture or development of large-scale security systems;

Finally, I have compiled some network security information for you below. If you don't want to look for it piece by piece, you can refer to this information.

Epilogue

To be honest, there is no threshold for obtaining the information package mentioned above. However, I think many people get it but don't study it. Most people's problem seems to be "how to act", but in fact it is "can't start". This is true in almost any field. As the saying goes, "Everything is difficult at the beginning": most people are stuck at the first step and eliminate themselves before they even start. If you really believe that you like network security/hacking technology, take action immediately; that matters more than anything else.

The field of network security is like a towering tree laden with fruit, with countless onlookers standing underneath. They all claim that they like network security and want to climb the tree to pick the fruit, but they hesitate, undecided, in front of the vines that hang down from time to time.

In fact, you can climb this tree by grabbing any vine branch. What most people lack is such a beginning.


Origin blog.csdn.net/yinjiyufei/article/details/132408630