Published this week in a "Computer and Network Security Series of books recommended", hblf circle of friends gave me a certain touch, "Information Security How to Get Started" this issue reminds me of some interesting things, so taking the time to write about yourself s answer.

"Information security how to get started," I think this issue needs to be split into three part answer: what information security include? What kind of entry? How do you learn?

Note: Information Security in this article not specifically distinguish cyber security, data security and so on.

1. What information security, including

I personally feel that I was not completely answer this question, can only do my best to answer.

First we look at the almost know, questions about the "information security how to get started," what are?

Because of space reasons, we can go to their own search to see (after reading please laugh), then let us look at the QQ frequently asked questions:

** Master, I want to learn to dig in the band with me Well? ** In fact, in the face of this type of problem, I would like to say: "I am with you", but the truth is that I myself can not fly fat, how to take you.
** cousin, I would like to change the educational system or the results I want black xxx website down? ** You know it is against the law thing? Nothing more than to see okay network security methods?
** old classmates to help me steal a QQ, okay? ** Pirates not down ah! ** You do not engage in information security thing? ** I ah! ** that you do not steal down? **I………………

Of course there is the most egregious: ** you help me repair a computer, my computer card does not work, it must be poisoned. ** looked at, Sister do not play with so, 10 years ago, a change in our computer, okay?

Back to the topic, information security is a very wide range of subjects, most contemporary information security issues is essentially due to the information age derived, reflects the emphasis in the computer field. Let's look at a few cases:

Example 1: You want to become a "hacker", you really do not need knowledge of certain fields will be computer. For example: Fast and the Furious 5, Gal Gadot obtain the eldest child of a fingerprint, if you are beautiful as you can.
Then a few examples: 2014 12306 user data breaches, Apple Pornographic incident in 2014, 2017, Jingdong data breaches, and so on.

Let's look at the field of computer security, this part of my employment by the direction of the current security analysis, first of all I have provided a map on domestic security post here:

FIG substantially contains security information content in the computer field. If you're going to go this route, you can understand the specific job responsibilities.

Of course, now many companies are hiring copied Job Describtion, you do not even need to know in the end what kind of security engineers, if you encounter such a business, then do not go to the bar!

Recommend some fly JD check website (in alphabetical order):

Complete understanding of the needs of these positions, you also be aware of the information security of the iceberg.

2. What is considered entry

Skills Maturity Model: master -> Skilled -> proficient -> Sharing. Engage in any job is to master the basic requirements, unlike a few days ago to hear a piece of the piece: "proficiency can write on my college resume, the more you will find at a later stage I can only write grasp," this piece Feedback give us another thing: "continuous learning" .

Then for information security, how can you be considered as into the door, a few examples:

For safety test:
- You should be familiar with the use of different types (Web, API, APP, applets, public number, etc.) security testing tools, such as: BurpSuite, Drozer, SQLMap, Astra and so on.
- You have to understand the OWASP Top vulnerabilities, business logic vulnerabilities 10.
- You have to have a complete penetration testing methodologies: including addressing different system, what is your test points include (checklist), what focus.
- We have enough to think about testing, how to automate their own developed skills.
- ……

Getting stating: for you to learn or specialize in this direction, and have their own understanding and thinking even a beginning (is not too high a requirement for entry).

3. How do you learn

The best tool for learning information security is a search engine.

3.1 reading: oaks from little acorns

The first book (book basis): a computer operating system (at least you should be familiar with Linux), computer networks, programming languages (choose your favorite). Recommended: " Computer and Network Security Series of books "
The second type book (professional books): Choose your direction, depending on the direction to find the book.
第三类书(技术博文)：当你有了专业方向，需要在专业方向上深入的时候，你就不光要看书了，还需要结合一些技术博客、官网文档甚至一些论文中去学习。

关于看书我这里有一些建议：首先是查看整本书的章节目录，通过章节目录获取大概信息，找到自己感兴趣的或者所急需的章节进行深入阅读(这种方式适用于前后章节关联性不强，或对部分章节已经熟知的情况)。

3.2 实践：纸上得来终觉浅

当你实践足够多的时候你就会发现自己的技能在飞速提升。实践请谨记《网络安全法》。

如何实践：

搭建各种漏洞学习项目(DVWA、OWASP系列、PentesterLab、vulhub)；
搭建各种CMS环境进行安全测试和代码审计；
搭建内网环境进行模拟渗透过程(诸葛建伟老师的Metasploit魔鬼训练营附带了渗透靶场)；
SRC与众测平台：可以去挖掘SRC与众测平台，可能需要一定的基础，但是多看看网上的文章会得到一些思路。我这里放几篇(挖掘SRC或在众测平台挖掘漏洞请遵循《网络安全法》)
- 小白如何学习挖掘漏洞：https://www.secpulse.com/archives/55634.html
- SRC漏洞挖掘小见解：http://www.mottoin.com/detail/864.html
- 从哪里开始SRC之旅：https://security.ele.me/blog-detail.html?id=1
- SRC漏洞挖掘的使用技巧：https://xz.aliyun.com/t/6155
- 综合【收集到的一些SRC挖掘技巧】：https://www.ctolib.com/Wh0ale-SRC-experience.html
进入企业进行实践：企业中只要你愿意学习，我相信能提供给你实践的场景还是多的。

3.3 总结：提炼过程与结果

不论是看书，还是实践，你都需要总结，看书的总结会帮助你提炼书本中的知识点；实践的总结会帮助你在以后的路上可以不断去回顾与少踩坑。

总结最好的两个方式是：

画思维导图：思维导图更适合梳理自己的思路点。
写总结文档：比较完整的记录，可以是思维导图的延伸、是记录你渗透或推动项目的整个过程、也可以是你自己的一些感悟等。文档也可以用来后续的分享。

3.4 分享：认知自我真实水平

在你写分享之前，一定要做好心理准备：因为当关注度达到一定程度时，大家对于你的分享可能出现褒贬不一的时候，我也遇到过。一定要记住：写文章是给别人喷的，没人喷说明写的不够好，所以被喷了又如何呢？从中提取别人喷你的关键点，验证是否自己没有做好，来提升自己。如果是那种纯粹的喷子，狗咬你，你要咬狗吗？

把你的思路分享出来，不论是博客、公众号还是其他的形式。这不光是对你技术上的提升，也是对你自身的综合提升，同时还能帮你认清自我掌握的程度。

举例1：渗透技术学习

首先是工具使用学习，以及渗透技术的知识点，这些大多来源于博客文章、书籍。
其次就是环境搭建，请大家牢记未经授权对系统进行扫描、测试、攻击都是违法行为。如果你想要学习，自己搭建一个虚拟机环境吧，不要怕麻烦，你在搭建整个环境的过程中，你也能得到技能上的提升。
然后就是进行渗透测试，忘记你搭建过程中的那些东西，模拟黑客进行攻击。攻击的时候一定不要局限自己的思路(做渗透很多时候思路就是要猥琐多变)。
最后就是写文章：一是记录这次你的环境搭建过程，二是记录这次你的渗透过程，你使用了哪些技术进行渗透、是否渗透成功、如果成功了你使用的是什么方法，没有成功需要反思为什么？