Tuesday, November 22, 2016

Information Security Learning Resources part 1

   Today we have a guest post by security analyst Chris Goff. Chris has collected a set of info, links and lists that definitely qualify as extremely cool resources! You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!

Information Security Learning Resources
or information security for the self-learner
by Chris Goff

This is the result of many years of notes. This is by no means an exhaustive list, nor the definitive path to information security.

If you come across a dead link, use the Internet Way Back Machine (https://www.archive.org).

Bookmark these Google Search cheat sheets, they will come in handy:

Official Google Cheat Sheet - http://www.google.com/help/cheatsheet.html

Google Advanced Operators Cheat Sheet - http://www.googleguide.com/print/adv_op_ref.pdf

Learning How To Learn - http://l.goodbits.io/l/407nqn1n

Core competencies

Here are three core competencies within information technology that will provide a solid foundation on which to start a security career:
  • Systems Administration
  • Network Administration
  • Programming
It is also critical that you learn to deal with people and business. Take some public speaking classes (Toastmasters: https://www.toastmasters.org/), volunteer for presentations at local groups, and volunteer to deliver training for folks at your workplace. One of the greatest methods of learning is to teach.

The core competencies are not a requirement, however be aware that InfoSec staff are expected to be Subject Matter Experts (SMEs) on most topics. If you wish to be successful, diversity of knowledge is key.

“There is no security without understanding.” – Michael Lucas, author of Absolute OpenBSD

Systems Administration

“Fast, cheap, and reliable. Choose two.”

Understand how Operating Systems work at a low level
  • Operating Systems: Three Easy Pieces - http://pages.cs.wisc.edu/~remzi/OSTEP/
  • Linux From Scratch - http://linuxfromscratch.org/index.html
  • Hack The Kernel - https://www.ops-class.org/
  • levin/ux - http://mikelev.in/ux/
  • Active Directory
  • Group Policy
  • Exchange
  • IIS
  • File sharing in a Windows Environment (permissions, etc.)
  • Windows Update Services (WSUS)
  • System Center Configuration Manager (SCCM)
  • Event Logs
  • PowerShell
    ◦ See resources under Programming
  • Office 365 (administration and architecture)
  • Windows Firewall
  • Direct Download Links to the Official Microsoft ISO images - https://www.heidoc.net/joomla/technology-science/microsoft/
  • http://ss64.com/ - command line reference
  • http://www.nirsoft.net/ - amazing little tools

  • Learn Debian and Red Hat Linux or a derivative thereof (Ubuntu, CentOS). These are the two most popular distributions for getting stuff done.
    ◦ The Debian Administrator’s Handbook - https://debian-handbook.info/browse/stable/
  • Apache, nginx
  • salt, ansible, Puppet, chef
  • BASH shell
    ◦ Learn X in Y minutes BASH scripting - http://learnxinyminutes.com/docs/bash/
    ◦ Explain Shell - http://www.explainshell.com/
    ◦ ShellCheck - http://www.shellcheck.net/
  • Package Management (apt, yum, etc.)
  • Learn the most common command line utilities (grep, awk, sed, etc.)
    ◦ The Hacker Ways: Gentle Introduction to the Command Line and UNIX toolset - http://juanreyero.com/hacker-ways/index.html
    ◦ Unix Toolbox - http://cb.vu/unixtoolbox.xhtml
    ◦ Awk in 20 minutes - http://ferd.ca/awk-in-20-minutes.html
  • iptables / netfilter
  • UNIX Mages - http://www.unixmages.com/
  • Tips for Linux Explorers - http://www.brunolinux.com/
  • Rosetta Stone for Unix - http://bhami.com/rosetta.html
  • Linux command line examples - http://www.examplenow.com/
  • The UNIX School - http://www.theunixschool.com
  • nixCraft - https://www.cyberciti.biz/
  • UNIX Command Line - http://www.unixcl.com/

  • FreeBSD
  • OpenBSD
    ◦ The OpenBSD documentation is very good. Use man liberally.
    ◦ The Quick Guide to OpenBSD - http://nickh.org/computer/OBSDQuick.html
    ◦ Absolute OpenBSD by Michael Lucas
    ◦ The Book of PF by Peter N. M. Hansteen
    ◦ That Grumpy BSD Guy - http://bsdly.blogspot.com/
    ◦ pf – The amazing packet filter

  • Structured Query Language (SQL) - https://en.wikipedia.org/wiki/SQL
  • MySQL and Microsoft SQL Server are popular SQL options
    ◦ PostgreSQL Exercises - https://www.pgexercises.com/

Log management and system monitoring
  • Graylog - https://www.graylog.org/
  • Cacti - http://www.cacti.net/
  • Nagios - https://www.nagios.org/
  • syslog

  • Understand what a hypervisor is and how it works - https://en.wikipedia.org/wiki/Hypervisor
  • Understand Storage Area Networks - https://en.wikipedia.org/wiki/Storage_area_network
  • iSCSI knowledge is helpful.
    ◦ Starwind iSCSI Initiator for Windows - https://www.starwindsoftware.com/iscsi-initiator
  • VMware
    ◦ Be familiar with vSphere. Consider a VCP certification or browsing through the blueprints for the latest release.
    ◦ I recommend purchasing a copy of VMware Workstation (or VMware Fusion if you are on a Mac), especially if you are going to be building labs. Note that you can build out an ESXi architecture within VMware Workstation, just make sure you have plenty of CPU and RAM (VMware Configuration Maximums: https://www.vmware.com/pdf/vsphere6/r60/vsphere-60-configuration-maximums.pdf). The VMware Communities are chock full of useful information for both learning and troubleshooting.
    ◦ Download VMware evaluation software - http://www.vmware.com/try-vmware.html
    ◦ Yellow Bricks - http://www.yellow-bricks.com/
    ◦ vReference - http://www.vreference.com/
    ◦ VMware Best Practices – http://communities.vmware.com/community/viops
  • Hyper-V
  • Docker for Beginners - http://prakhar.me/docker-curriculum/

  • Learn how to automate and orchestrate
  • Azure
  • Amazon Web Services (AWS)
  • Google

Network Administration

RFC 1925: The Twelve Networking Truths - https://tools.ietf.org/html/rfc1925
  • Note that the OSI model is not a rigid definition of where a protocol should sit on the network stack. For example, MPLS (https://en.wikipedia.org/wiki/Multiprotocol_Label_Switching) “sits” between layers 2 and 3.

Read the Request For Comments (RFCs) - https://www.rfc-editor.org/rfc.html
  • Network Sorcery RFC Sourcebook - http://www.networksorcery.com/enp/default.htm

  • If your ISP does not offer native IPv6, you can use a tunnel broker such as Hurricane Electric (http://he.net/). Hurricane Electric also offers a free IPv6 certification process which is an excellent learning tool: https://ipv6.he.net/certification/.
  • Virtual Private Network (VPN) - https://en.wikipedia.org/wiki/Virtual_private_network
    ◦ OpenVPN - https://openvpn.net/
  • Routing protocols such as BGP

Basic Applications
  • SMTP
  • POP3
  • DNS
    ◦ How DNS Works (https://howdns.works/)
    ◦ DNS for Rocket Scientists (http://zytrax.com/books/dns/)
    ◦ Why DNS is awesome and why you should love it (https://blog.skullsecurity.org/2015/if-youre-a-pentester-you-should-love-dns)
  • HTTP
  • FTP
  • Etc.

  • LDAP
  • Kerberos
  • MFA (Multi-factor authentication)
  • OTP (One Time Password)
  • PKI (Public Key Infrastructure)

Switching / Layer 2
  • Virtual LAN (VLAN) - https://en.wikipedia.org/wiki/Virtual_LAN

  • Firewall.cx - http://www.firewall.cx
  • Internet Firewalls FAQ - http://www.interhack.net/pubs/fwfaq/

Network Access Control

Load Balancing

Network Time Protocol (NTP)

Intrusion Detection and Prevention

  • Interconnections: Bridges, Routers, Switches, and Internetworking Protocols by Radia Perlman.
  • Network Security: Private Communication in a Public World by Radia Perlman.
  • The TCP/IP Guide is one of my favorite books and is freely available online: http://www.tcpipguide.com/.
Programming / Scripting

A common response to programming from operations folks is “I don’t need that”.

If you want to take your skills to the next level, I recommend learning a scripting language (e.g. Python or PowerShell) and a “real” programming language (e.g. C). Having a detailed understanding of how computers work will change the way you perceive security, and give you a newfound respect for the difficulty of creating secure (and usable) software. If you plan on doing any of the “sexy” things in security (pen testing) effectively, you will need to be able to get around in a programming environment.

If you have trouble learning programming, consider a project you are working on and how you might automate it using a script. Once you have automated something, work on improving the script: its efficiency, its documentation and its error handling.

Learn how to use a good text editor. Some common ones include vim, Atom, Sublime Text, Notepad++, and nano.

Programming Languages and Tools - http://hyperpolyglot.org/

Learn X in Y Minutes - https://learnxinyminutes.com/

“This is the UNIX philosophy: Write programs that do one thing, and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface.” – Doug McIlroy
  1. Small is beautiful
  2. Make each program do one thing well.
  3. Build a prototype as soon as possible.
  4. Choose portability over efficiency.
  5. Store data in flat text files.
  6. Use software leverage to your advantage.
  7. Use shell scripts to increase leverage and portability.
  8. Avoid captive user interfaces.
  9. Make every program a filter.
“Computers do calculations, and remember the results of those calculations. Two things, and two things only.”

  • Stack, heap, pointers, buffer overflows

Assembly, computer organization (architecture)
  • Hacker's Delight (http://www.hackersdelight.org/)
  • David Poplowski’s Page, Michigan Technical University, Department of Computer Science (http://www.cs.mtu.edu/~pop/)
  • “Think of assembly instructions as the DNS of CPUs. Opcodes would be analogous to IP addresses.”

  • Object Oriented
  • Patterns - book by the Gang of Four

  • Server and client side
  • Cross site scripting
  • JavaScript sandbox
  • JSON
  • jQuery
  • AJAX/Asynchronous requests
  • REST (stateless versus stateful)
  • OAuth2
  • Sessions
  • Load balancing, sessions across multiple servers

SQL, relational databases
  • How does data map?
  • Indexes, SQL injection, etc.
    ◦ SQL Pattern Matching
    ◦ Pattern Matching in Search Conditions - https://technet.microsoft.com/en-us/library/ms187489(v=sql.105).aspx
  • Entity Framework
  • Dapper
  • nHibernate

Automatic Testing

Continuous Integration

Write lots of programs

Look at other people's code (open-source)

Regular Expressions

Source control
  • Github, Bitbucket etc.
    ◦ git, the simple guide - http://rogerdudler.github.io/git-guide/
  • Swim lanes (different environments)

PowerShell Resources

C Resources


  1. I stumbled across your blog and wanted to let you know that I'm the author of http://tcpdump101.com listed here. Just wanted to say thanks to you and your submitter and that I hope you and your readers find it useful.
