High Schooler Wants to get started with Security
Dingdongbubble
Member Posts: 105 ■■□□□□□□□□
Hi
I am in high school right now and I am leaning a lot towards a particular degree specializing in Security in University. Over there a time will come when students are put into teams and one defends while the other attacks. The winning team represents the University at some defcon or something. So I was thinking: When I get hooked onto something related to computers I normally do very well and get quite advanced. I am not really a GREAT student, so why not compensate for that and become a good student PRACTICALLY unlike most people (no pun intended).
So can you people tell me how I can get INTO this hacking and security business? I want to learn on my own at my own pace at home. Then I would like to experiment at home, and later on possibly (with permission) attacking my Dad's office.
I have heard about a few people who are world class hackers (legal) while being just a few years older than me, indicating that they started off maybe at my age.
Comments
-
Slowhand Mod Posts: 5,161 Mod
Sounds like you've got a good plan going, for what you're interested in. First things first, I'd recommend you start with getting some "regular" IT experience, like learning about Windows, Linux/Unix, and Cisco products. The first step to learning how to secure a system is learning how it works. I'd say you might want to look into getting on the Microsoft, Linux, and Cisco paths, and learn all you can in each field. You'll see that each field has a security focus, so that's something to think about, before you go on to general security-specific training.
Once you've got a handle on the technologies themselves, the various operating systems and equipment, you probably want to get some hands-on training with security tools. Hacking Exposed is a good place to start. Of course, this shouldn't be your be-all for training, see what else is out there, and look for other resources and books to learn from. Some of the ones I can recommend are:
The whole Hacking Exposed Series, depending on what you want to be working with, specifically.
Protect Your Windows Network: From Perimeter to Data is a book I'm reading right now, and it's very good.
I've heard that The Tao of Network Security Monitoring: Beyond Intrusion Detection is supposed to be a good read, as is Penetration Tester's Open Source Toolkit, but they're supposed to be pretty advanced, and you need to bring some networking and even coding skills to the table in order to take full advantage of them.
I'm sure that the others on this forum can recommend some great books to check out, as well as other resources, like CBT Nuggets, TestOut, LinuxCBT, and other training material. And never forget, there's lots and lots of free documentation and howto's out there, you just have to search the ol' Google to find them.
You'll also find that you need to work with specific types of tools, like intrusion detection systems, network analyzers, auditing tools, network monitoring software, remote access software and protocols, and how to do things like harden systems and even "harden" users.
Beyond book-recommendations and prerequisite knowledge, there are specific certifications you can obtain within the field of security. Security+ is a popular starting point for a lot of people, as is C|EH. The premium cert in today's IT security world is definitely CISSP, but there are some specific requirements you have to meet in order to become certified.
The security field is HUGE, and there are lots and lots of paths you can take as you're working and learning. It's also a highly competitive field, and you tend to be held accountable for your actions much more so than if you were a software engineer or systems administrator. Of course, the payoff is that the wages are high, the work can be very exciting and fulfilling, and opportunities are pretty plentiful if you've got the skills and experience to handle it. Good luck on your journey, and don't be afraid to ask questions, that's what this forum (and others) is here for.
(P.S. And don't underestimate the value of your college education in the IT industry, especially in security. You'd be surprised the kind of respect you can get with a well-rounded education, especially if you've gone the extra distance and gotten an M.S. or even a PhD. Of course, a Bachelor's degree will take you a long, long way, and put you ahead of people who have no schooling under their belt. A college degree will be the best thing you can do for yourself, especially if you should ever decide to change careers or choose to take a different path, you'll still have a formal education to show for your effort and experience; and that counts for a lot.)
(*Edit: One of these days, I'll learn to proofread my URL strings.)
Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials
Let it never be said that I didn't do the very least I could do. -
seuss_ssues Member Posts: 629
That was an excellent post and hard to follow.
I would also advise learning to program. Being able to create scripts or edit code is a very valuable skill for an administrator let alone someone working in security.
A lot of the tools are written on a *nix based platform and are open source. So getting involved with Linux and learning to code will get you comfortable with editing / running them.
-
Slowhand Mod Posts: 5,161 Mod
seuss_ssues wrote:
"I would also advise learning to program. Being able to create scripts or edit code is a very valuable skill for an administrator let alone someone working in security."
That is a very good piece of advice. Coding and scripting are valuable tools, especially when you become more advanced and outgrow downloadable tools to use for your work. If you're really interested in high-level security, most Computer Science curriculums offer a path that takes you into cryptography and network programming related to security. Even if you don't plan on going that far, taking a class or picking up a book on something like Java, C++, or C# is a good idea.
-
Dingdongbubble Member Posts: 105 ■■□□□□□□□□
Wow
That was long. Ummm so how do I start off with getting INTO the Operating System Security? Do I read books? How do I get the technical part. I don't want to be like some people (install Norton AV and you are good to go lol). Basically before I get INTO University, I get a good understanding of OSes and the basics and when I do get into Univ I will automatically be good with what they teach. Right?
-
Dingdongbubble Member Posts: 105 ■■□□□□□□□□
Umm should I go for a Linux+, CCNA/N+ or MCP to get to understand the technical part of OSes? And which is the easiest of the relevant MCPs?
-
seuss_ssues Member Posts: 629
Certs are a representation of your knowledge and experience.
I would start with just reading books and practicing what I read. Once you hit a level of comfort then I would proceed to focusing on an exam.
-
Tesl Member Posts: 87 ■■■□□□□□□□
What is your skill level right now? Do you have a good understanding of computers? Are you really properly interested in how they work at the lowest most in depth possible level?
First, read this:
http://catb.org/~esr/faqs/hacker-howto.html
By Eric Raymond. Pretty famous guy when it comes to Open Source, I'd also advise you to read The Cathedral & The Bazaar.
Now, neither go into detail on intrusion (which from the sounds of things is what you're interested in) but you definitely require that kind of mentality if you're going to succeed.
First you're going to have to learn how to program. To get highly proficient in a low level language (Let's say C or C++) this is going to take a few years from zero. If you work fairly hard at it. To get to a stage where you can write/debug ASM code and produce clever shellcode, you will be needing to practice a lot and read like crazy. An understanding of how to reverse engineer binaries goes a long way in the land of Security.
Operating Systems. If you want to be developing your intrusion skills, run Linux (or BSD). Forget Windows, there aren't enough tools for it and it's much harder to script. Linux is a better OS anyway. It's also more open, allowing you to actually read its code and tinker with it if desired. Not that I'd expect you to do this, but you can learn plenty writing rootkits as kernel modules. That openness will definitely help.
Shell scripting will also be important, and an ability to produce your own hacking tools is important. Learn BASH scripting, Perl would probably be very useful, and chucking something like Python/Ruby into the mix can't hurt.
Networking. If you're going to be hacking into systems over a network (most likely) you're going to really need to understand how networking works. Since TCP/IP is the language of the internet, you need to know exactly how it works, its intricacies, most of the included protocols, differences, when to use TCP or UDP, how the header of an IP packet is structured. If you're hacking into a large network, the first thing you're going to hit is the external router - and you're going to need to know how to hack it. This means you're also going to need to know a lot about how routers work, and switches, and how to configure them (I'd suggest starting with Cisco routers for this).
By this stage, you just might be getting to the point where you can really properly hack on your own. Of course, practice is one of the most important things, so I'd suggest running a few machines in your home, running an old Linux or something like damnvulnerablelinux. Then keep hacking!!
As for books, read as many as you can. Not just "How To Hack" books either, but any technologies you're likely to come across (web servers, directory protocols, file servers, etc).
Let me know if you have any further questions -
networker050184 Mod Posts: 11,962 Mod
I agree with seuss_ssues. Certifications prove that you have the knowledge. You shouldn't just go out and get a certification. That's what people call a paper cert, and you will get figured out if you do this. I worked with networking technologies for five years before I got my CCNA. It was a breeze for me, because I already knew most of it from EXPERIENCE! Just worry about learning now and certifications later.
An expert is a man who has made all the mistakes which can be made.
-
Dingdongbubble Member Posts: 105 ■■□□□□□□□□
Ahemm.........
That looks really really long. If I did not have this future planning mind, what do you expect the University to have done? I mean in 4-6 years do you think they could have covered all that plus the Univ says that it will also build business environment skills. So what now. I am just a teenager. OK if I try really hard I might be able to get programming 'properly'. I can switch to Linux, I mean I got my friend to and I used it for some time but I am a bit unfortunate. I grew up at a time when almost all computers ran on GUIs. Uggghh.
OK let's start out step by step before I get confused. I am a person who likes challenges (computer challenges only plz), I am a master of the GUI (heehee)
I understand some of the basics of how a computer works like in terms of hardware mostly. The only programming languages I know and am comfortable with are HTML and CSS and those I just started a few weeks ago but I took up the challenge of getting past their boredom and now I am comfortable with them.
I was advised to start off with a simple language and I started Ruby but never really got into it. I basically need to get past this barrier. I don't understand how software works and how people can type out words and make complex software. I need to get past this barrier and understand what and how a language works.
So can you tell me step by step how to get into the advanced computers world? Should I start with Networking, or Programming or OSes? and how do I go about them? I want to learn at my own pace in a simple manner because I will not be having any teacher. However if I have any questions on C++, I will be able to ask my Dad's secretary who knows C++.
I do really want to get into the depths of computers but I can say that my knowledge is deep mostly or totally in hardware not software. At the rate I am going at, I guess I would be better off going for computer engineering but for other reasons I want to go into software.
-
BeaverC32 Member Posts: 670 ■■■□□□□□□□
"That looks really really long."
My advice is to start with "introductory" level certifications/material, such as the A+ and Network+. These exams cover fundamental information which, in my opinion, everyone in IT should have. Taking these exams should also give you a better idea of the direction you want to follow in IT.
My perspective on IT prior to going to college was that IT = programming. I didn't realize there was so much more to "computers", but my college really opened my eyes...perhaps going to school will do the same for you. I'm not implying you're not knowledgeable, but I do believe that formal education does provide a good amount of guidance.
MCSE 2003, MCSA 2003, LPIC-1, MCP, MCTS: Vista Config, MCTS: SQL Server 2005, CCNA, A+, Network+, Server+, Security+, Linux+, BSCS (Information Systems)
-
matradley Member Posts: 549
BeaverC32 wrote:
"That looks really really long.
My advice is to start with "introductory" level certifications/material, such as the A+ and Network+. These exams cover fundamental information which, in my opinion, everyone in IT should have. Taking these exams should also give you a better idea of the direction you want to follow in IT.
My perspective on IT prior to going to college was that IT = programming. I didn't realize there was so much more to "computers", but my college really opened my eyes...perhaps going to school will do the same for you. I'm not implying you're not knowledgeable, but I do believe that formal education does provide a good amount of guidance."
From Security+ book by Sybex:
"One of the nice things about technology is that it's always changing. One of the bad things about technology is that it's always changing."
-
Slowhand Mod Posts: 5,161 Mod
If you're worried about how and what to learn, I'd say that starting with what interests you most is a good idea. If you're into Linux or Unix, Windows, or networking technologies, etc, start with one of those. Personally, I found that learning networking and systems administration, and in turn, security, on my own was relatively easy. I had a harder time "just learning" to write code, simply because it's hard to find projects and programs to work on. It was a lot easier to learn C++ when I took a class on it, since it gave me a structured start. Just something to think about: learn what you find interesting and doable on your own, and take some classes on things you find more difficult.
-
Tesl Member Posts: 87 ■■■□□□□□□□
Dingdongbubble wrote:
"Ahemm.........
That looks really really long."
Yes
"If I did not have this future planning mind, what do you expect the University to have done? I mean in 4-6 years do you think they could have covered all that plus the Univ says that it will also build business environment skills."
No, going to university will not turn you into a hacker. A computer science degree will help, but the course will not cover what you need to know. In my case, my degree covered almost nothing of what you would need to know (No C++, A week of Unix, and no networking *sigh*)
Good job I wanted to know enough to learn them on my own
"So what now. I am just a teenager. OK if I try really hard I might be able to get programming 'properly'. I can switch to Linux, I mean I got my friend to and I used it for some time but I am a bit unfortunate. I grew up at a time when almost all computers ran on GUIs. Uggghh."
Linux can run a GUI. I'm typing this in Linux right now, from a GUI. Check out these videos:
http://www.youtube.com/watch?v=i0ZtcxHUSDQ
http://www.youtube.com/watch?v=ZD7QraljRfM&mode=related&search=
Looks like a GUI to me. A damn fine one in fact
But yes, you will still need to be familiar with the command line if you're ever going to hack. Being able to work your way around a *nix machine via text is important. For me, I actually do most things by CLI because I actually find it faster and more convenient (especially when managing files)
"I understand some of the basics of how a computer works like in terms of hardware mostly."
I know very little about hardware, and have never been too interested in it. That's good you're interested though, that kind of knowledge might help with Assembly programming (Maybe that's when you will realise you don't know that much about how hardware works at all, haha)
"The only programming languages I know and am comfortable with are HTML and CSS and those I just started a few weeks ago but I took up the challenge of getting past their boredom and now I am comfortable with them."
HTML and CSS aren't real "programming languages" in the sense you need to know. They are just tagged languages for formatting a webpage. Not useful for hacking.
"I was advised to start off with a simple language and I started Ruby but never really got into it. I basically need to get past this barrier. I don't understand how software works and how people can type out words and make complex software. I need to get past this barrier and understand what and how a language works."
Ruby is a good start. I would reckon that or Python. Go get a good book (or two or three) and read them through, and then just write code! (I'd advise writing something like a text based RPG first).
"So can you tell me step by step how to get into the advanced computers world? Should I start with Networking, or Programming or OSes?"
Read my other post. It doesn't really matter too much, though I'd argue being proficient programming will help you pick up the other things more easily than the other way around. For example, if you learn to program THEN start studying OS theory, you will get a strong understanding of both faster than if you study OS theory before coding (It's hard to understand certain design decisions without being able to imagine the code behind it)
"and how do I go about them? I want to learn at my own pace in a simple manner because I will not be having any teacher. However if I have any questions on C++, I will be able to ask my Dad's secretary who knows C++."
There are billions of resources for learning C++. Look for related forums online, read books. Hell, you can PM me on here if you really have to
"I do really want to get into the depths of computers but I can say that my knowledge is deep mostly or totally in hardware not software. At the rate I am going at, I guess I would be better off going for computer engineering but for other reasons I want to go into software."
For me, software is way more interesting. You need to let your passions guide you.
I've actually been a little terse in my posts on this thread. The term "Hacker" refers more to ingenuity and high levels of ability, not just breaking into computers. To be a proper "Hacker", one must really truly be immersed and love what it is they do. If you don't have that level of passion (which is fine), then you may not enjoy the road as much as others
-
Dingdongbubble Member Posts: 105 ■■□□□□□□□□
Well I don't really want to be a hacker in the sense that normal people think. No cybercrime no hitech messups, nothing like from the movies. All I want is to start off with learning for my career now so that I can have a bit of an advantage. As you suggested, I think I will go into programming first and then choose what to go into next. I have heard that a degree in Software Engineering is considered VERY flexible because they say that programmers can basically get into anything to do with computers because they understand code and how to run it and it is code which runs a computer.
So I will now go for programming. I will start off with Ruby, then Java and finally C/C++/C# or objective C.
I have already used Linux, in fact I got my friend to switch to it totally except for Win only programs and you won't believe it but when I got him to put Beryl, his sister (a computer illiterate kid) switched too. This was VERY surprising. I first got some obscure Linux distros and now if I switch, I can't decide what to use, Ubuntu or Fedora Core or Suse. Will it be ok if I use Mac OSX? It is Unix so wouldn't it be nearly good enough? Because for the time being I will not be going into the advanced stages of CLI.
By the way for Ruby, do you recommend me to read Why's Poignant Guide to Ruby? It's free and quite funny and I think it won some awards. And would you recommend the program Hackety Hack to learn Ruby interactively? I know I am being a bit kiddish but to start off into something for the first time I want something funny and not boring.
-
Tesl Member Posts: 87 ■■■□□□□□□□
Dingdongbubble wrote:
"Because for the time being I will not be going into the advanced stages of CLI."
On a modern Linux distribution you should be able to do almost anything without dropping to the CLI. This is especially true of Ubuntu IMO
"By the way for Ruby, do you recommend me to read Why's Poignant Guide to Ruby? It's free and quite funny and I think it won some awards. And would you recommend the program Hackety Hack to learn Ruby interactively? I know I am being a bit kiddish but to start off into something for the first time I want something funny and not boring."
I've never done any Ruby, so have no idea how good or bad those are. It can't hurt though, too many people waste time deciding what to do and what to read, when the most important thing is to just get stuck in! (And to stop planning how you're going to get stuck in!)