I have played with the thought of creating a Getting started in Cyber Security Guide for a long time now. I'm not even sure if you can call it a guide, because the topic is so massive. It's more going to be something like a guideline for you to follow along.
Now, of course, I can only talk from my own experience and I try to re-visit my path retrospectively and start from the beginning. If everything on my personal journey was necessary to get where I am today, I can't say for sure. I can just tell you what I did to get where I am and what I think is most important.
This article will be our starting point, I will create tutorial series revolving around this topic and link them to this article in the future, so be sure to bookmark this article and check back regularly. You can see this as a mini-curriculum and reference guide for your own studies.
I am in the position of teaching you solid basics, but I am by no stretch of the word an expert in the field. I know my basics pretty well and I think I know what's necessary to get up to a level where you can start working in an actual job and start building your career. I show you the way, you need to put in the work.
I want to emphasize that every resource I link in this article is free to use. If I find paid content that is super worthy (like a Udemy course for example), I will list it, but the core is free. I put a high value on free content and free learning, that's why I create tutorials like those without getting paid (except for Ad Revenue).
You will find many parts throughout this article that says "Learn this, Learn that..." on some of them, I will link resources, on others not. This is purpose. I want to encourage you to learn how to find information on your own. It's all out there. A big part of working in Cyber Security, same as Programming, is using Google or other search engines to find information.
That being said, learn how to Google!
I will also list a couple of books that I personally bought and recommend to anyone, of course, they are not free either and are optional if you have the money to buy them. All the books that I list are well researched and all of them are highly recommended by the community.
Enough of the introduction, let's get started.
Table of Contents
- Why get started in Cyber Security?
- When you should not get started in Cyber Security
- How did I get started in Cyber Security?
- What I Recommend to Learn
- 1 - Basic Computer Skills
- 2 - Virtualization
- 3 - Linux
- 4 - Networking
- 5 - Firewalls
- 6 - Windows Server & Domains
- 7 - Installing your first Security Linux Distribution
- 8 - Over The Wire
- 9 - Your own Laboratory
- 10- Capture the Flags or short: CTF's
- 11 - Essential Tools
- Book Recommendations
Why get started in Cyber Security?
Well, that's a question you have to party solve on your own, but let me tell you my perspective and a few facts.
- High Demand for Security Professionals everywhere
- It's a fun field to work in (We get to that later)
- You can Hack things and get paid for it! (Without landing in Jail)
- You can feed your Technological Curiosity with Bleeding Edge Technology
- You can solve Problems!
- The satisfaction you get by breaking into a System successfully
- Competitive Salary
Those are just a few things that make Cyber Security interesting for me. Finding a Job even when you just start out but you got a solid foundation is pretty easy. I get an ungodly amount of Job offers every single week.
I was always been a big fan of Hacking culture since I was a small Kid and watched movies like Hackers and Wargames. I always wanted to become a "Hacker" but started that journey only much later in my life. The satisfaction you get, at least for me, when breaking into a System is incredible. It gives you a really nice sense of achievement.
The really good salary for Security Professionals is a nice motivation but should be put pretty far on the end of your list. If you are just in for the salary, you are most likely going to fail. You have to be borderline masochistic to learn something like Cyber Security or Hacking in the first place.
When you should not get started in Cyber Security
If you really dislike failing and can't deal with failure on a daily basis, working in Cyber Security probably isn't for you. You are going to fail and you are going to be frustrated a lot. On a daily basis. In fact, it will happen so oft that you consider quitting on the regular.
- You don't like failing
- You can't deal with stress
- You don't like learning
- You are scared of breaking things
Now you see that I don't list things like "..You don't know programming" or, "..You're not working in the IT field for XX amount of years". I believe that everyone can learn everything and that there is no "I should have started this when I was 8". The best day you should have started was yesterday, the second-best day is, well, you guessed it.
I don't want to discourage you, but I will tell you that it isn't going to be a walk in the park either. Every bit of experience you have upfront, even working in a Service Desk will help.
How did I get started in Cyber Security?
I think this information is somewhat relevant so you can understand where I am coming from and what my learning path was. I don't want to make you read my life story, so we use our good old friends, the Bullet Point list, to give you an overview and I say a few words to it after that.
- Started Gaming and fiddling with computers at a young age
- Mostly only gaming, built my own computers pretty early, only basic stuff
- Apprenticeship as a Computer Science Expert for System Integration // 3 Years
- We have a different System here in Germany, it's somewhat of an equivalent of a Computer Science Bachelor's in the US, which takes you 3 years. It's more real-world-oriented than an actual degree because you work for a company throughout the whole process.
- Working in First Level Support for a huge company // 3 years
- This certainly helped to learn how people who have no idea about computers think and get all the basics down.
- Hoorah to all First Level Supporters who want to change their Careers < – You can do it!
- Long Break
- Traveling the world because f*** First Level Support
- Self Study Certificates and getting my game up to speed // 1/2 Year
- Microsoft Certified Solutions Associate Server 2016
- Microsoft Certified Solutions Expert Server 2016
- ITIL Foundation (bleh, you can skip that if you don't want to move into management)
- Starting Ceos3c.com
- We get to that later
- Starting to work as a "real" System Administrator for an IT Service Provider // ~1 Year
- My first real Sysadmin Job. Worked for different companies and learned all about Virtualization, Windows Servers, and Firewalls.
- Started to work as a CTO for a Startup // 3 years
- Stuff got serious from this point
- Working as the Head of the IT department and as a Cyber Security specialist at the same time
- Getting pfSense Certified
- Working as a Freelance Cyber Security Specialist on the side
Ok, let me say a few things about that. Everything that happened before the Long Break was kind of "winging it" on my side. I wasn't really interested in any of the stuff I was working with. That all changed after my Long Break when I decided to make an actual career out of that. That was also the time I got involved in Cyber Security for the first time and immediately caught fire.
I basically started Ceos3c around the time I started my first "Real Sysadmin Job" in 2016. I only ever started it because I wanted to document stuff for myself, because I found that so many tutorials out there were incomplete and I wanted to find the information I needed more than once on my own website, in a complete and working tutorial.
That pretty quickly turned out to be a great way to learn something. Because if you actually write a tutorial for something, you need to understand it yourself. Also, writing really helps to manifest the knowledge in your brain.
That being said, I highly recommend writing your own Blog while you are starting your Cyber Security journey. Even on a free platform like Blogger or WordPress. It's an incredible tool and maybe in the end, who knows, you will be the one writing tutorials for others and generate a nice stream of side incoming at the same time. Win-win.
Having to build a whole company network basically from scratch in my role as a CTO gave me an incredible boost in knowledge and understanding of how things work together. I knew kind of how things worked before, but this filled the gaps I still had. Around that same time, I really got interested in Security and started to intensively learn Linux and Firewalls.
I also started working as a Freelancer once I got my skills to a level where I could use them for assignments. My freelance work includes everything from Penetration Tests to Cloud Architecture to configuring Servers and consulting companies on Cyber Security questions. This also helped me a lot!
So you can see, I have a quite long journey behind me. How much all those previous experiences weigh into my knowledge today, I can't tell for sure, but every piece contributed a bit to it.
Now let's get started with the actual curriculum of this getting started in Cyber Security article.
What I Recommend to Learn
This will be a tough one and it highly depends on your background. If you have worked in IT before, you probably can skip a thing or two.
We try to move through this in the order that I think makes the most sense. You will find "starting to use Kali Linux" pretty late in that list. But that has a good reason. I eventually add things to this list as time passes, so make sure to check back regularly to stay up to date.
To keep those points as short as possible, I will work with Bullet Points that give you a summary of the things and don't go over everything in great detail. The great detail follows in the specific tutorials that I will link in this article later on, once I produce them.
1 - Basic Computer Skills
This basically goes without saying. You should have a basic understanding of how computers work.
- Learn what parts a computer consists of (RAM, CPU, etc) and how they work together on a Basic Level
- Learn what the BIOS is
- Learn what UEFI is
- Learn how to Create a Bootable USB Drive
- Learn how to boot from a USB drive
- Learn how to install Windows 10 and be aware of what happens to your old installation if you overwrite it (Hint: Your Data will be gone!)
Just make sure you know how to operate your Windows or Linux machine before you even think of getting started with Cyber Security or Hacking. If you don't know all of the above, don't go any further. Open up YouTube and learn the things I listed above before continuing with Step 2.
It seriously is that important. For all of you who are more advanced, this is a no-brainer, but I had so many people comment on my YouTube videos that their "Windows 10 is gone after following my tutorial" because they want to install Kali Linux and have no clue of the consequences.
2 - Virtualization
I put this in second place because most of you probably won't have the capacity to build a physical Homelab. Gladly, most of our modern computers are so capable that you can run at least 1 Virtual Machine on them. A Virtual Machine is a, as the name suggests, Virtual Computer that is running on top of your own computer, utilizing its spare resources.
To simplify this very much, think you have 8GB of RAM and 4 CPU Cores in your computer. Your Windows 10 only uses up to 4GB of RAM and 2 Cores. Hence, you have 4GB of RAM and 2 Cores spare. That would even allow you to run multiple Virtual Machines at the same time.
Read up on Virtualization and understand its core principle. You will need Virtualization if you want to work in the Cyber Security industry.
There are several providers of Virtualization Software, the most popular being: VMWare, Xen, KVM, and VirtualBox. We are going to be using VirtualBox in all of my tutorials.
- Learn about VirtualBox
- Learn how to install Linux on VirtualBox
- Learn what Snapshots are and how to use them
3 - Linux
Every single Cyber Security or Hacking distribution is based on Linux. You won't be working in Cyber Security on Windows. You have to learn Linux. There is no way around it. If you have followed the previous step, you can simply run Linux on VirtualBox, I even recommend doing this because you will mess things up so many times that you are happy to have a Snapshot of your still working system.
There are endless resources to learn Linux Basics. You can follow my Instagram Account (scroll all the way to the bottom in my feed and start from there), Linux Academy is a great resource to learn the basics, although not free. There are several YouTube channels that teach Linux Basics very well for free.
Now there is a gazillion of Linux Distributions out there. You can get lost very quickly. Choose a beginner Distro if you haven't used Linux before! I recommend Ubuntu or Linux Mint for beginners as they are the closest to Windows.
- Learn what Linux is
- Learn how to install Linux on VirtualBox if you haven't already in Step 2
- Learn Basic Linux Syntax
- Use either Ubuntu or Linux Mint to start playing with Linux (try both and see what you prefer!)
- Learn how to find out your IP Address
- Learn about the Linux Filesystem
- Learn how to create a User Account
- Learn about Root
- Learn about Sudo
- Learn about the Apt Package Manager
- The Linux Command Line: A Complete Introduction* by William E. Schotts Jr.
- UNIX and Linux System Administration Handbook* by Evi Nemeth, Garth Snyder, Trent R. Hein, Ben Whaley, and Dan Mackin
- Probably the only Linux Book you'll ever need
- How Linux Works* by Brian Ward
4 - Networking
Knowing how networks work is an essential skill in Cyber Security. You have to know all the different protocols and what they do. A lot of exploits use certain protocols like SSH. The more you know about networking, the better.
Personally, I learned most of my networking skills with the "learning by doing" approach, which means simply messing around with stuff. Having worked as a System Administrator certainly helped me to harden my skills in this area.
Now I don't know what happened to Eli The Computer Guy, he seems to only do Vlogging today, but he had some high-quality content on all kinds of System Administration stuff on his YouTube Channel. I learned a great deal from him.
I highly recommend you check out his Networking Playlist and just watch every single video of it. I couldn't grasp subnetting for a long time, watching one video from him explaining it in great detail made me get it. I sometimes still dream of Subnets. Not a nice dream.
That being said, make sure you understand the following:
- Learn about the most used Network Protocols
- Learn about the OSI Model
- Learn what a Switch is
- Learn what a Router is
- Learn what a Firewall is
- Learn about TCP and UDP
- Learn about VLANs
- Learn about IP Addresses
- Learn Subnetting
5 - Firewalls
Knowing how a firewall works is extremely important and beneficial if you are serious about getting started with Cyber Security. A few years back I decided to exchange my standard ISP Router with a pfSense firewall. To this day this was one of the most important steps I took.
Operating a firewall in your own home forces you to learn how it works. On top of it, it helps you to secure your home network. If you are a complete beginner, pfSense is a great choice. It is easier than you might think. If you want a comprehensive guide on how to get started, you can go to Amazon and grab my pfSense Starter Guide for a few dollars, or read it for free if you have Kindle Unlimited. I go through each step on how to set up pfSense with all the basic functionality, up until you can establish an Internet connection.
You can also check out my pfSense Playlist on YouTube, there are a lot of beginner-friendly pfSense tutorials, including "How to install pfSense on VirtualBox" videos.
That being said, those are a few examples of what you will learn when using a firewall, amongst many others:
- Firewall Rules
- Blocking and Allowing Traffic
- How to control Data in your own Network
- How to Block certain Devices from going out to the Internet
- Intrusion Detection
- Proxy Servers
- Network Interfaces
- pfSense 2.4 Starter Guide, written by me.
I haven't read any books on pfSense, so this is the only one I can come up with. I am pfSense Certified (which requires you to attend a pricey 3-day on-location seminar), so I got most of my knowledge from there and from YouTube.
6 - Windows Server & Domains
Alright, this is the last step before we get into actual Cyber Security stuff, I promise.
It is important that you know what Windows Servers are and what Domains are. Each and every company will run some kind of Active Directory or other authentication, Windows still being the most dominant. You have to have at least a basic understanding of how Domain Authentication works and how user accounts and computers are connected with a Domain Controller.
Most of you who are looking into this topic most likely have previous System Administration experience anyway, so just make sure you got your basics straight.
Make sure you know at least:
- What a Domain is
- How Domain Authentication works
- What a Domain Controller is
- What LDAP is
- What the Linux equivalent to a Microsoft Windows Domain is
- Different Windows Account Roles (Like Administrator, Domain Administrator, etc)
- What a Forest is
- How Windows Domains are structured
- Windows Server Best Practices
- The Practice of System and Network Administration by Thomas A. Limoncelli, Christine Hogan & Strata Chalup
The very detailed and good book was recommended through Reddit many, many times.
7 - Installing your first Security Linux Distribution
Now we are getting to the part you probably have been waiting for: Choosing your first Security Linux Distribution. Many people recommend starting out with something like Ubuntu or Linux Mint because those distros are more beginner-friendly. But let's be honest. Nobody is going to follow this advice, everyone just wants to install Kali Linux right away.
Kali Linux is by far the most popular Pentesting / Cyber Security / Hacking distribution out there, you even see Kali Linux being used in Movies and TV Shows. Kali Linux isn't the only choice. There are quite a lot of Security Distributions out there, the most popular ones are:
- Kali Linux
- ParrotSec OS
The choice here really is yours, but my recommendation, especially if you are a beginner is the Parrot Security OS. Why Parrot Security OS over Kali you ask? Because it's set up a little bit more securely out of the box. In Kali Linux, you get a root user account when you install it and that's it. To look at reality, as a beginner, you are just going to use the root account because you don't know any better. That's a bad idea. Every Professional will be creating a new non-root user account as the first thing after logging in to Kali.
ParrotSec OS, on the other hand, creates a low-privileged user account for you right from the start.
Ultimately, the choice is yours. I have instructions on how to install either of the operating systems on VirtualBox:
Right after installing either one of them, follow this article and watch the video linked in it. It is essential that you understand what the first steps are after installing a Linux Security Distribution.
Get familiar with your distro. Start using the terminal. From now on, you will use your Linux VM for all the following steps. Learn how to connect to a server via SSH using the terminal.
8 - Over The Wire
Overthewire is the place where you will practice and ramp up your basic Linux skills using your Linux VM for the first time. Overthewire.org is a great place to start your journey into Cyber Security because you need the commands used there on a daily basis.
You start here. You start with Bandit Level 0 and you will work your way all the way through until you reach Level 34. I highly recommend you don't look up straight solutions. Use your Google-Fu and start researching.
An example search would be: "How to find files on Linux", or, "How to find certain lines of text on Linux".
If you really get stuck and your brain is fried, in case you REALLY get stuck, I covered Level 0 - 15 on ceos3c with hidden spoilers. There are other websites out there that cover the whole thing. But again, I encourage you to try it on your own first!
Once you finish Bandit, you can go ahead and continue with the other challenges, they are all great. Just see how far you have come.
9 - Your own Laboratory
While it's not necessary anymore nowadays, thanks to sites like Hackthebox and a ton of Hackme sites out there, I still recommend running at least a small Homelab. You can run it locally on your computer using only VirtualBox if your computer has the capacity.
The advantage is that you can download vulnerable VM's and run them inside of your own local network, using your Kali or Parrot to penetrate them.
Two great vulnerable VM's (Vulnerable Virtual Machines) to start with are:
I created a separate tutorial solely dedicated to creating your own free homelab. You find it here.
I do this all the time. This brings us to the next point: CTF's.
10- Capture the Flags or short: CTF's
Capture the Flag is an essential part of learning Cyber Security, at least for me. There is no better way to practice your skills than with a CTF or a Vulnerable Machine.
What are CTF's?
If you have been playing computer games, you probably came across this phrase before. There are two teams competing against each other, both of them trying to capture a flag and bringing it back to the safety of their own base.
CTF's in hacking is essentially the same. There are people who create a Virtual Machine that you can download to your own computer. This Virtual Machine is vulnerable by design, meaning, the creator placed certain vulnerabilities in it on purpose.
Flags are usually placed on some locations on the system as flag.txt. It is your job to find them. This mostly requires you to gain elevated privileges on the machine to be able to get access to the flag.
This is so much fun once you get the hang of it that you might really start enjoying it. There are even competitions with huge price money and spectators in CTF's, where the best Hacking Teams compete with each other.
Most of the Vulnerable Machines are categorized as Easy, Intermediate or Hard.
The ones categorized as easy mostly have well-known vulnerabilities, where intermediate ones force you to think out of the box and hard ones mostly have really exotic vulnerabilities that can only be found by experts.
Now if this is confusing for you and you have no clue where to start, start with this:
Those are awesome and well-known vulnerable machines with easy-to-solve vulnerabilities. That being said, learn how to import an appliance to VirtualBox first.
The same that goes for OverTheWire also goes for CTF's. Try yourself the best you can before looking up any solution.
There is another thing that is very similar to CTF's, those are called "Boot to Root". It's basically the same, the only difference is that you are not looking for a flag but your only goal is to get root privileges on the machine. They are fun too!
I recommend permanently working on a CTF. You got an hour of free time and don't know what to do? CTF. Commuting to College or Work? CTF. Girlfriend telling you to do laundry? Do the damn laundry but while the washing machine is running: CTF!
You get the idea.
Great CTF resources I personally use all the time:
There are so many resources out there that you will never run out of work.
11 - Essential Tools
You will learn a ton of skills just doing CTF's. Below is a list of tools that I think are important to know when using a Security Distribution and which tools I use regularly, sorted by category. I recommend just going through each tool and learn its purpose. If I have a tutorial on a certain tool, you will find the link to it there. This is going to be long'ish list. You can also check out a list of the most popular Hacking Tools as of 2021, right here.
- Metasploit - Huge Penetration testing Framework. Essential for pentesting.
- AutoSploit - Automated Mass Exploiter.
Network Vulnerability Scanner
- OpenVAS - Open Source Vulnerability Scanner. Highly recommended to check it out.
Web Vulnerability Scanner
- Nikto - Noisy Web Application Vulnerability Scanner.
- WPScan - WordPress Vulnerability Scanner.
- Sparta - Network Infrastructure Scanning & Enumeration Tools with Graphical GUI.
- Printer Exploit Toolkit (PRET) - Toolkit for Printer Security Testing.
- Routersploit - Very useful Open Source Exploitation Framework similar to Metasploit but for Routers / Embedded Devices.
- THC Hydra - Popular Online Password Cracking Tool. Supports a lot of different protocols like HTTP, SMB, FTP and many more.
Network Reconnaissance Tools
- Nmap - The most popular Network Scanner.
- Zenmap - Nmap with GUI.
- DNSMap - A passive DNS Network Mapper.
- Unix-Privesc-Check - Checks for privilege escalation possibilities on UNIX. Very useful.
- Maltego - Open Source Intelligence & Forensics.
- Shodan - Search Engine for IOT devices.
- Recon-NG - Web Reconnaissance Framework.
Tools to stay Anonymous
Protocol Analyzer & Sniffer
Wireless Network Tools
- Aircrack-ng - Popular Wireless Auditing Tool.
- Reaver - Brute Forcing Tool for WiFi Networks.
- Wifite - Automated Wireless Attacks.
- Fluxion - Automated Wireless Auditing Tool.
- Airgeddon - Automated Wireless Auditing Tool.
- Bully - WPS Brute Force Attacks.
- OWASP ZAP - HTTP Interception Proxy & Fuzzer for Web Application Testing.
- Burp Suite - Web Application Security Testing Platform.
- BeEF - Web Browser Exploitation.
- John the Ripper - A fast password cracker.
- Hashcat - Fast Hash Cracking Tool.
- CeWL - Wordlist Generator.
This should keep you busy for a good while.
For the best Cyber Security Books, I recommend you check out my Best Hacking Books in 2021 Article. I put together a detailed list of which books I recommend sorted by difficulty level.
You can also just check out my Amazon Affiliate Store, here you will find all books that I have personally read and recommend.
This should set you up for more than enough hours to learn, read and practice.
This is the initial article that I am writing right now. As I mentioned somewhere in the introduction above, this article will get updated on the regular, and new content will be added as I craft new tutorials on video & in written form.
This getting started in Cyber Security article should give you a good idea of where to start and which direction you should (or can) go.
It's really not easy to get started in Cyber Security if you don't have any prior knowledge in the field, but it is possible. I don't want to discourage you in any way, but this journey is a tough one and you really have to enjoy doing it, otherwise, there is almost no way to succeed.