The internet is on a boom. Enterprises being small or large, and individuals have completely moved over to the virtual world. I get so intimidated by the fact that one just need a laptop and internet and you possess the power to transform the generations!!
Internet provided us with endless capabilities but the greater the presence, greater is the security risk!!
Why am I at risk???
Consider an analogy. We lock our doors before moving out in order to ensure that no random person secretly gets in and steal my important stuff. So in the digital world, the important stuff can be your passwords, personal files, photos, videos etc. Just thinking of if seems like a nightmare!
So you get the point now! No-one wants their personal data, business logic ( for compaines) and other confidential things to be revealed publicly by hackers who are constantly attacking in order to gain some fruitful information.
So What is Information Security?
Information security, sometimes abbreviated to infosec, describes itself as securing the information that is important to an entity from any unauthorized access. There are numerous division under the term: Network security, Web Application Security, System Security. It follows the CIA triad i.e.:
- Confidentiality : the information is available to only the ones who are authorised to access it.
- Intergrity : There is no unauthorised modification to the information
- Availability : The information is available 24×7 to the users
Why Information Security?
- If you are someone who loves breaking into stuff ( hacking ), the field is just for you.
- Information security is amongst the most trending technologies to learn preceding AI and machine learning.
- As the world is constantly moving towards digitization, security becomes the major concern and therefore it exponentially increases the demand for security professionals.
How to get Started?
Security is something that’s not independent. Like for example, if you want to learn web development, you can start off with technologies like HTML, CSS, javascript, PHP and so on. Considering the example, if you want to become a web application penetration tester ( someone who finds vulnerabilities on the websites ), you need to have a fundamental understanding o of how the web application works. That is, you need to possess the knowledge of javascript, PHP etc in order to exploit it.
Same goes with every technology that’s around the market like android, cloud, docker, IoT.
Getting into information security has two-fold benefits:
- You are able to find the loopholes in the application
- You become a good developer because now you code it off with the hacker’s mindset towards the application. In this way, your application becomes less and less flawed.
Pre-requisites
- Networking: As exploiting an application always happens inside a network, one should be thorough with how the TCP/IP stack works. How the various protocols ( ssh , ftp, http etc) works.
- System Administration: One should be thorough with any one of the operating systems. Be is Linux or windows. Although in the infosec community, most of them prefer Linux over windows as it provides a whole lot of tools for penetration testing. By complete understanding of OS, I imply that one should know how the operating system working, its file systems, the default directories and its uses, basic terminal commands to administrate everything just with a cmd/terminal.
- Programming: If you wanna do good in any field of computer science, coding is a must. Language can be any of your preference. But, I recommend python as its more user friendly and easy to learn.
I myself got into linux by doing a course by Redhat : Redhat Certified System Administrator. This course really helped me a lot in understanding the basics of linux and how to do everything just with a terminal. If you want to learn network, opt for CCNA course. You will become damn good at it. If you are interested in learning python, sentdex is an awesome youtube channel that will help you build up on concepts.
Building a Lab
Building a lab is most important when doing any kind of testing stuff. A lab is a virtual environment that is similar to your base operating system. This virtual environment can be used for experimentations so you do not mess around with you actual machine.
A virtual environment can be created using virtualbox or vmware. Oracle’s virtual box is free to use, where vmware is paid. Once the lab is setup, you can practice diifent linux tools, commands and become proficient.
Platforms to practice
Building a lab is just an initial step. There is lot more than that required to actually become pro at what you do.
You must note that testing on the live applications is illegal (without consent) and if you do such things you can end up behind the bars. That’s when you do hacking for malicious purpose. On the other hand, when testing is done with the owner’s consent, you call it ethical hacking and the pentester gets paid too. Its the basic concept of bug bounty hunting programs (will see later in the post) . But that’s the end goal. First, we need to learn how to perform penetration testing!
For this, there are various platforms available online ho have set up vulnerable labs so that people can come and practice their skills without having any fear of getting caught or anything like that. I have been active on a lot of them and want to point out the best ones that can be the good starting point for you.
Hackthebox
Hackthebox is a very popular platform that lets you test your penetration skills. The labs are built in such a way that perfectly teaches you the pentesters approach. It has a concept of active and retired machines. Active machines are available to everyone but writeups online are not available for it. On the other hand, accessing retired machines needs a subscription ( 10 euros/ month ) and has a writeup available. Few htb writeups are available here. I highly recommend to purchase the VIP of hackthebox and start the machines sorted from easy to insane. Following this methodology is gonna really help you lot! You will thank me later!
PentesterLab
PentesterLab is another popular platform that consists of dedicated vulnerable labs to practice web application penetration testing. The labs are built such that covers the specific topic such as recon, sqli, code execution, etc. There are some free labs available on the platform. The pro subscription unlocks all the labs. I have been using its pro subscription for a while and really loved it. It has really improved me on lots of concepts. The subscription amount is 20$/month, but if you are a student, you get it for around Rs 2700 for 3 months. Cool! Right??
Port Swigger labs
Port Swigger is another platform that offers numerous quality labs that are available for free. It offers a very popular tool, burp suite that you will be using forever in your hacking career. The course structure is beautifully made covering the theory as well as the practical hands-on. If you want to get into web application security, these are the must-do labs.
TryHackMe
TryHackMe is another great platform to practise penetration testing. The platform is free to use. It has different learning paths even for those who are complete newbies. the labs have writeups posted online. The writeups are gonna really help you in building the approach of how everything works.
There are more such freely available flatforms that target specific topics of infosec. Do check them out. Here is a list of few of them!
1. Overthewire
2. Sqli-labs
3. Owasp Juice Shop
4. DVWA
5. Vulnerable Php website
6. Hack this!
7. Google gruyere
8. Root me
Stay updated on infosec content
The best place to stay updated is Twitter. Twitter has the most active infosec community, where people are genuinely willing to help and share the best content possible. Also, building connections in the twitter community can help you land to your dream job.
Apart from twitter, there are other plaftorms like reddit, linkedin, discord where you can find people sharing a lots of good resources that could take you hours if you do it manually over the internet. Discord offers a discussion platform where someone might be there to sort of your queries.
There are a few websites like Dark Reading, CSO online where you can find lastest news regarding infosec.
Github Student Pack!!!
If you are a school or university student, github offers something great for you. Its github student pack. When you are successfully verified as a student, you can get access to a list of tools that are used by professionals and are paid. But as a student, you get them for free!!!!
The tools range from domain providers to free courses to design softwares etc. The list is just endless! You can make the most out of it while your are student and become industry ready.
Bug Bounty: Path to getting rich!
Yes! you read it right. Its the most luring thing in infosec. This is sometimes the prime reason why most of the people dive into this field. If you are not aware of the term, let me explain it for you.
Bounty Bounty is a program in which a lot of small/large enterprises come forward and say that anyone pentester can come and test their sites for vulnerability. if the pentester is able to find a bug/loophole, he has to do a responsible disclosure to the concerned enterprise. If the enterprise think that the bug could have been a potential threat in the future, they approve it and gives bounty(MONEY!!!) to the pentester. The amount you get as bounties can be in thousands or lakhs depending on the criticality of the bug you found!! Platforms such as bugcrowd and hackerone provide bug bounty programs
Sounds interesting! right? The scope in Information Security is endless and is growing every day. But the important thing is to have a passion for the field. That can only help you survive the long run.
Things might seem so cool, but requires months of destined hard-work and also smart work! I hope this blog helps you to get the right direction!
Thanks for reading!!!
See you in the next post. Until then, happy exploring!!