Start

When talking to people who want to get started in Information Security I often get asked, "Where should I start?"

This blog post is a culmination of many discussions with students, people eager to learn, and those looking to change careers. It is part advice column and part list of learning resources. I've attempted to compile a list for people who learn through listening, reading, and doing. Essentially, this is a letter to my past self, "If I could point someone to all the resources I wished I'd had when I started what would they be?"

I've compiled the below information with some of my favorite resources for people new to information security and those looking to polish their skills. Where possible I will try to focus purely on free resources. Where the resources aren't free I will try to note that. I only list paid resources that are accessible to students and not just those with "corporate training dollars" to spend. Many of the resources are about meeting people, listening to podcasts, and generally getting familiar with the information security industry. I've also included training materials, information on CTFs, meetups, and more to help increase your technical skills. In the books and meetup section there are links to resources to help you sharpen your career skills outside of technology. Check out the below sections for links and a little information about why I think these areas are important. These are in no particular order and is by no means exhaustive. I will try to keep this list up-to-date adding more items when they are found and removing sites that are no longer online.

Defensive Security has a great list like this one as well that shares many of these links. I've listed a number more that I like, but you should definitely check out their list here. https://defensivesecurity.org/entering-information-security-industry/

Lesley Carhart - @hacks4pancakes also does an outstanding job with this mega-thread on starting in Infosec. Check that out here.

Daniel Miessler also wrote a fantastic piece titled How to Build a Successful Career in Information Security / Cybersecurity. It covers a small mountain of information on many of the subjects listed below.

This is just a starting point and shouldn't be considered complete. As you find more resources share them. Feel free to tweet them at me @eanmeyer to be added here.

You can jump to sections below, but I would suggest you read the whole thing if you are new to the field.
Ready to get started? Here we go!

Skill Sets - What do you want to do?

When anyone asks me for advice about getting a job in infosec I generally start with one question, "What interests you about information security?" The answers vary wildly, but the people that seem to excel quickly have a very focused and specific example of something that "lit their fire."

Don't worry if you don't come from a pure technical background or if you've never worked in Information Technology or that you don't have certifications or a degree. The wonderful thing about this field is you can have a doctorate or no high school education and still become one of the best and brightest. Some of luminaries in infosec are liberal arts majors with music degrees or have absolutely no degree at all. This field is mostly about curiosity and learning every ounce of a subject going as deep down the rabbit hole as you want to go. You then apply that knowledge to making that area, the Internet, and world a fraction safer. If you have the mindset to ask why, distrust results, and find new ways to test whatever everyone tells you is absolutely true... this might be the field for you.

This does not mean curiosity is enough to get you a job, it means you may have what it takes to be successful. It also doesn't mean a degree or certification will prepare you completely to be successful in a security role. You will still need to develop some specific skills for the role you are interested in. Some of you may already work in IT and are looking to pivot to security. Like a degree and certifications this gives you a head start, but doesn't necessarily mean you are ready for a security role. Don't expect to start as a security engineer or penetration tester tomorrow, focus on becoming better at security in whatever field you work in now. If there isn't a security element in your current role (I assure you there is) then focus on the skills you may need to start working in a SOC (Security Operations Center) or NOC (Network Operations Center). These are often the first "entry level" analyst positions in technology that focus on security.

From there you can grow into a plethora of different roles in information security from attack (red team) to defense (blue team) and all kinds of specializations (social engineering, security automation, reverse engineering, exploitation, physical intrusion testing...). The list goes on nearly forever. Take the time to read through all of Lesley Carhart - @hacks4pancakes - Starting in Infosec - blog posts. They start here. However, if you want to read more on different roles in that series of posts you can jump here.

What does all this mean? It means that your curiosity can take you far and you can become a leader in a specialization by exploring areas of security others haven't tried yet. New technologies and integrations with old technology emerge almost daily. This community of professionals freely shares more about how to become better at your work than any other community I know. Once you start learning start giving that knowledge back. If you have the drive, curiosity, rigor, technical capability, love of learning, and the work ethic you can go very far in this field. You will need to work for it, but you can get there.
  • John Strand - Black Hills Information Security - The Five Year Plan to Infosec
    • Watch this first - this is the best advice you will ever get. There is no perfect certification or accelerator. Follow the advice of putting in the work over five years and focusing on the discussed areas and you can get where you want to be.  
    • https://www.blackhillsinfosec.com/webcast-5-year-plan-infosec/
  • InfoSec Skills by Role
    • Want to know what skills you should have for entry level to senior positions and many specializations in-between?  
    • There is no standard for what you need to learn, but this spreadsheet is a great list of skills you can hone to make yourself a much more valuable information security professional. 
    • Marc C. - @LargeCardinal - wrote an amazing article about ending the practice of expecting an analyst role to be far beyond entry level - https://medium.com/@LargeCardinal/we-need-to-kill-the-security-analyst-79ec205651f5
    • They followed with this spreadsheet of the types of skills you may need and how proficient you should be with those skills. You can view that matrix here: https://drive.google.com/file/d/1-JYGYUEbUvh1bd4sHj5cm3fpQUFNmBgb/view
    • If you read enough posts like this one they all give similar advice, "Find one thing in security you want to get really good at and get really good at it". To that end, find the things in the above list that are under a role you are interested in and start working toward getting better at those tasks. 
Training

"We don't rise to the level of our expectations, we fall to the level of our training" - Archilochos. Even the best must keep training. Don't feel overwhelmed by how much you still have to learn or how much you feel you don't know. Many people looking to get into information security feel like they will never be able to get caught up. Don't worry, the very best realize there is always more to learn. One of my favorite quotes is "Do what you can, with what you have, where you are" - Teddy Roosevelt. Start with the resources you have and work with those. The below training resources should help get you started on the right path.

Not everyone learns in the same way, some people learn by seeing, some by reading, others by hearing, or doing. Below are some resources that should cover all those learning types.

  • Microsoft Virtual Academy
    • https://mva.microsoft.com/
    • Microsoft offers many free high quality online learning modules.
    • Many of these modules deal with Microsoft systems you will need to understand to do well in security. 
    • Learning the fundamentals of some of the most popular software in the world will serve you will in your security journey.
  • Cybrary
    • https://www.cybrary.it/
    • Cybrary has an incredible list of free resources and courses. 
    • These are online learning modules much like you would take in a school or professional environment. 
    • They do also offer paid courses for a monthly fee. However, there are many incredible free courses available including penetration testing courses, courses on Python, and more.
  • EDx
    • EDx is a MOOC (Massive Open Online Courseware)
    • Colleges and Universities from around the world release some of their classes for free to anyone willing to learn. 
    • The courses are free, however if you want to receive a certificate of completion from the school there may be a fee. 
    • There are lots security and technology courses available.
    • https://www.edx.org/
  • Coursera
    • Coursera is much like EDx and is also a MOOC (Massive Open Online Courseware)
    • Colleges and Universities from around the world release some of their classes for free to anyone willing to learn. 
    • The courses are free, however if you want to receive a certificate of completion from the school there may be a fee. 
    • There are lots security and technology courses available.
    • https://www.coursera.org
  • UDemy
    • UDemy is slightly different than Coursera and EDx as it is less academic based and often focuses on instructor developed content. 
    • These modules can feel more like a bootcamp or conference training session than they do a college course. 
    • These courses often have a cost, but most are less than $200 many being under $50.
    • You can often find deals through Groupon or by being on their mailing list to get classes for $10 to $20. 
    • https://www.udemy.com/
  • Code Academy
    • https://www.codecademy.com/
    • Code Academy offers a great platform to learn Python and other languages.
    • From within a web browser the IDE is provided including guidance for the lesson each step of the way. 
    • If you need to learn to use Python (and you should) this is an incredible resource. 
  • PenTesterAcademy
    • https://www.pentesteracademy.com/
    • This has a monthly fee, but is fairly low cost at around $40 a month at the time of this post. 
    • This is a very good value as they have interactive labs where you actually work with real tools in a cloud environment. 
    • This is fantastic if you are learning without a lot of hardware and software in a home lab.
  • OWASP Bricks
    • https://sechow.com/bricks/
    • The Open Web Application Security Project (OWASP) has their Bricks site and video tutorials. 
    • These tutorials and vulnerable websites allow you to try XSS, malicious file uploads, and more. 
    • The end goal is to show you exactly how and why the OWASP Top 10 is important. The OWASP Top 10 are the top 10 vulnerabilities that you want to avoid in your web applications. 
    • By learning how these work you are better able to identify and remediate them.  
  • Brakeing Down Security Training
    • https://www.brakeingsecurity.com
    • The Brakeing Down Security team runs a Slack, more on that below, and occasionally runs affordable live training via WebEx, GoToMeeting, etc. 
    • This training is often done one day a week over a series of weeks and runs ~$20-$50. 
    • This is a live learning session where you can interact with the instructor. 
  • Sam Bowne Classes and Workshops
    • https://samsclass.info/
    • Sam Bowne has an amazing set of resources online for learning the basics of cryptography and all other areas of cybersecurity. 
    • He often live streams his workshops and classes as well as keeping the challenges run in his workshops online.   
  • Black Hills Information Security WebCasts and Blogs
    • https://www.blackhillsinfosec.com/30-things-to-get-you-started/ 
    • BHIS has a great list of blogs and webcasts about a vast number of information security subjects. 
    • BHIS has a team of some of the sharpest information security professionals in the world and this is one of the places they share their knowledge. 
    • Many of the webcasts are about tools they offer freely to the public. 
  • Clark Center - NSA NCCP - National Cybersecurity Curriculum Program
    • Clark Center has released a large amount of free cybersecurity training. 
    • This training aligns with the the NSA National Cybersecurity Curriculum Program
    • You can register for free and take course around cyber security topics recommended by the NSA. 
    • https://clark.center/home
CTFs

Capture the Flag (CTF) tournaments are an incredible way to grow your skills and show hiring managers you are serious about your craft. CTFs take common problems and challenges you might find in information security and gamify them. Points are assigned to the challenges and the team or person that completes the most challenges at the end wins.

There are many CTFs out there. Some focus on forensics, others on exploitation, however there is no limit to the types of challenges you may find. CTFs are a fantastic way to learn because often the winner or the group running the CTF will release the solutions after the fact so you can find out how to solve whatever you were stuck on. Many CTFs competitors are onsite teams at conferences or remote teams wherever a group of people that want to compete together can gather. Competing as a team either together online or in person is a great way to learn as you can solve problems as team.

There are a number of CTFs that stay online all the time while others are only for a set period. The ones that stay online all the time are great for beginners. There are often tutorials to help walk you through challenges while you learn some of the information security tools you will need to be familiar with to do well in many information security roles. Further, hiring managers that really understand security often look favorably on competing in CTFs. CTFs can help you learn about real world challenges while playing the game. Being able to speak specific to CTF challenges and how you solved them often goes a long way in interview process.
  • CTFTime
    • This is one of the most popular sites listing CTFs. 
    • CTFTime lists CTFs that happen all over the world
    • These can be local to you where you compete in a room such as a conference or done remotely. 
    • CTFs for beginners and pros are listed here. 
    • https://ctftime.org/
  • OverTheWire
    • OverTheWire is a level based set of challenges that operates a lot like a CTF.
    • As you progress the challenges get significantly harder.
    • You must find the flag in each level to progress to the next level. 
    • OverTheWire is great for beginners as there are many tutorials to help you get started. Searching YouTube for OverTheWire and walkthrough plus the level you are on will yield many results. 
    • Remember: With older or prebuilt CTFs this isn't cheating. This is a normal part of the learning process. Learning about the tools and how they are used is a great way to increase your skills.
    • http://overthewire.org/wargames/
  • SANS Holiday Hack - Past Challenges
    • The SANS Holiday Hack is amazing. Put on each year by SANS over the years its become part RPG, part online conference, part CTF. 
    • SANS keeps all their past challenges online 
    • Winners and competitors often write up explanations of how they solved challenges for the previous years. 
    • You can use those tutorials to practice with new tools, solve puzzles, and get flags in the game. 
    • By exposing yourself to how tools should work by completing walkthroughs you will hopefully have an easier time with a concept than trying something and not knowing if it isn't working because you don't know how to use it or if you are on the wrong path.
    • https://www.holidayhackchallenge.com/past-challenges/
  • Sites to practices specific hacking challenges.
    • The below sites are very similar in the way they work. They are hosted sites with no significant resources needed on your own system. All the challenges and webpages are hosted by the website. This makes it easy for most learners who may not have the hardware to run vulnerable virtual machines to attack locally. Make sure you read each sites rules and obey them when trying the security challenges.  Often tutorials for these challenges exist on YouTube. Don't feel like you are cheating to look for tutorials and resources to learn the challenges. 
Home Labs and VMs

At some point you will move beyond CTFs. You may want to do research or test skills that don't have prebuilt online environments. This is where Home Labs and Vulnerable VMs come into play. By creating a lab that you can play with on your own network and your own hardware you have less concerns about causing an issue that impacts other people trying to use the same online challenges. It also avoids issues where security technologies in someone else's environment stop you from completing challenges because tools and exploits are blocked.

Once you continue on your journey through infosec having a Windows and Linux infrastructure created in a lab will help you immensely. You can learn to test security configuration, attempt exploits, and more without impacting others.

The safest way to perform testing and learn to use new security tools is on your own hardware, OS, and network.
  • VulnHub
    • VulnHub is a listing of purposely vulnerable VMs you can download and use on your laptop or home computer. 
    • As long as you have a laptop with enough resources to run VMWare Fusion/Workstation, VirtualBox, or another HyperVisor you can download and run these VMs in their own virtual setup on your laptop.
    • These VMs are designed with specific flaws for you to attack with real security tools. 
    • Many are setup with flags just like in a CTF. 
    • This gives you a system that you know can be compromised with specific attacks.
    • There are VMs for beginners and pros. 
    • https://www.vulnhub.com/
  • Building Virtual Machine Labs - A Hands-On Guide
    • While writing this post the author of Building Virtual Machine Labs - A Hands-On Guide made it free with a donate option!
    • If you can chip in some money when you download it, please do, if not this is exactly the spirit of the hacker community you often find. 
    • This book details how to build virtual machine labs and how to make sure they are configured correctly for security research. 
Books

Books are a tried and true way to learn. If you are a reader there is no shortage of books on the subject of security. I've listed a number of books below broken into three categories: history and stories, technical, and career. This is by no means an exhaustive list, but there is plenty of great advice in these books to get most people started.

History and Stories will generally focus on one specific event or group of people in information security. These books are meant to give you some background on the people and events that helped shape the industry. The books listed are well written and do an excellent job of informing the reader even if they haven't developed technical skills yet.

Technical is a listing of books to help improve your skills. This is by no way exhaustive, but they are all well regarded books. I attempted to focus on books that have a larger view of security than a deep dive into one niche subject within a security discipline.

Career are books that should give you advice around how to get a job and become a better more valuable person in your career field. These books range from tactical discussing what you can do to improve your interactions with employers to inspiring guidance from people already in the field.

History and Stories
  • Countdown to Zero Day
    • This is the bordering on science fiction story of one of the first cyber weapons that caused physical damage to Iranian nuclear enrichment facilities.
    • It is impossible to understate the importance of stuxnet in the history of modern cybersecurity and warfare. 
    • This book details the creation and launch of one of the worlds first real cyber weapons.
    • https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital-ebook/dp/B00KEPLC08/
  • Spam Nation
    • Brian Krebs of krebsonsecurity.com (this is a site you should follow for infosec news) released his first book covering one of the largest spam companies in the world. 
    • Spam Nation chronicles the rise and subsequent fall of the largest spam email organizations in the world. Brian covers the story with insights gathered by speaking directly to those running the organizations and includes enough technical detail for many in the field without being inaccessible to people without strong technical background. 
    • https://www.amazon.com/Spam-Nation-Organized-Cybercrime-Epidemic/dp/1492603236
  • Kingpin
    • Kevin Poulsen is no stranger to the legal side of cybersecurity.
    • Now a writer for Wired, he brings in-depth knowledge of the world of cyber crimes and scams to this book.
    • Again at the hight of the "carding" era one man took control of almost the entire credit card theft and resale market.
    • This book describes how cards were stolen, copied, and "cashed out" giving the reader an inside view of how cybercrime is often monetized. 
    • It also follows the people and relationships that were required to make the whole system work. 
    • https://www.amazon.com/Kingpin-Hacker-Billion-Dollar-Cybercrime-Underground/dp/0307588696/
  • Masters of Deception
    • Long before most people were on the Internet illegal activity was still common on computers.
    • In the case of the Masters of Deception (MoD) they lived through the beginning of the CFAA (Computer Fraud and Abuse Act) when much of their "exploring" or "criminal activity" was almost impossible for the courts to define as a crime. 
    • This book is a fascinating look into hacker history long before every device was connected to the Internet. 
    • https://www.amazon.com/Masters-Deception-Gang-Ruled-Cyberspace/dp/0060926945/

Technical 

  • Open Source Intelligence Techniques
    • Michael Bazzell is a leading expert in using Open Source Intelligence techniques to find information about companies and people. 
    • Michael runs training at Black Hat on the subject for people looking to learn more about finding information about themselves and companies they want to protect from open sources on the Internet. 
    • There is a lot of information freely available on the Internet that can allow potential attackers to know more than they should. This book will help you find it. 
    • https://www.amazon.com/Open-Source-Intelligence-Techniques-Information/dp/1984201573/
  • The Complete Privacy and Security Desk Reference
    • Michael Bazzell and Justin Carroll also wrote an amazing book about keeping your data out of open source intelligence feeds. 
    • This book has great explanations about VPNs, trackers, and general security and privacy techniques.
    • The methods described in this book are how you keep your information from showing up when techniques from Open Source Intelligence Techniques are used.
    • https://www.amazon.com/Complete-Privacy-Security-Desk-Reference/dp/152277890X/
  • Hacking - The Art of Exploitation
    • This is considered almost required reading as you move into exploitation or vulnerability research.
    • Jon Erikson wrote one of the most well regarded introductions to the subject of thinking like a hacker and using that methodology to exploit vulnerabilities. 
    • This book doesn't just walk you through Metasploit modules, it shows you how exploits are thought through and created. 
    • https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/
  • Penetration Testing - Hands on Introduction
    • Georgia Weidman wrote one of the most influential books on penetration testing on the market. 
    • The book is a complete beginners guide on the subject helping the reader understand the tools and techniques they will need to know to be a successful penetration tester. 
    • If learning about penetration testing is something you are interested in, this is a great place to start. 
    • https://www.amazon.com/Penetration-Testing-Hands-Introduction-Hacking/dp/1593275641/
  • Web Application Hackers Handbook
    • There are many types of penetration testing. Georgia does a great job of covering the subject broadly above.
    • However, if you find you are interested in testing web applications this book is for you. 
    • Dafydd Stuttard and Marcus Pinto wrote what is often considered as the go to starting point for web application security students. 
    • Many vulnerability researchers working in bug bounty programs credit this book as their starting point. 
    • https://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470/
  • Practical Lock Picking - A Physical Penetration Testers Training Guide
    • Deviant Ollam is a physical intrusion specialist. 
    • In his books he shares tools, techniques, and procedures that allow him to get into many places he "shouldn't be".
    • He then uses this knowledge to educate organizations about improving physical security.
    • If you are interested in the physical side of security his books are for you. 
    • https://www.amazon.com/Practical-Lock-Picking-Physical-Penetration/dp/1597499897/
  • Offensive Counter Measures 
    • John Strand, owner of Black Hills Information Security, created the book Offensive Counter Measures along with other contributors. 
    • This book helps practitioners create not just defensive capabilities to protect their systems but active counter measures that help systems respond to threats. 
    • If you like being on the defensive side of security this is the book you read right after the Defensive Security Handbook. 
    • https://www.amazon.com/Offensive-Countermeasures-John-Strand/dp/1974671690/
  • Literally anything by No Starch Press
    • Many of the books above are published by No Starch Press
    • No Starch has some of the best technical guides creating guides written by experts before most publishing houses realize there is a market for books on the subject. 
    • Further, No Starch Press is an ardent supporter of the Information Security Community. 
    • You can buy literally anything from them and not be disappointed. 
    • https://nostarch.com/
  • Humble Bundle Books
    • Further, Humble Bundle often partners with No Starch Press. 
    • No Starch releases digital DRM free copies of their books and Humble Bundle sells and distributes them in a tiered donation model. Generally, $15 - $20 will get you digital copies of all the books in the bundle. 
    • The money raised then goes to charity. 
    • It's an amazing win-win for everyone involved.
    • Watch out for security related bundles as they come out fairly often. 
    • https://www.humblebundle.com/store
Career
  • Tribe of Hackers
    • Marcus J. Carey and Jennifer Jin compiled an incredible book with advice from many luminaries in the information security community. 
    • With knowledge and advice from 70 of the best in the industry readers get an amazing view into what it takes to be successful in information security. 
    • This includes more than just success in "titles and money", but success from work ethic, community, and more. 
    • https://www.amazon.com/Tribe-Hackers-Cybersecurity-Advice-World/dp/1793464189/
  • InfosSec Rockstar
  • Women in Tech
    • Tarah Wheeler created a book to help women learn how to accelerate their careers in technology. 
    • This book also interviews women who are top in their field and shares their advice for everything from interviews, salary negotiation, and much more.
    • The advice in the book is not just applicable to women. If you need help figuring out how to take your career to the next level this is a book you must read. 
    • https://www.amazon.com/Women-Tech-Practical-Inspiring-Stories/dp/1632170663
Podcasts

Podcasts are an incredible way to stay up to date on security news, community events, and to generally build your knowledge of terminology. Many podcasts have specific focuses that will allow you to learn more about people or businesses in the information security field. I listen to podcasts on my drive to work. The great thing about podcasts is they can be listened to anywhere and on your schedule. You can get a lot of information in 30-60 minutes. Also, if you are someone who learns by listening you get to hear people discussing security concepts in context. This may help you relate some of the more academic terms to real world problems.
  • Risky Business
    • Patrick Gray runs Risky Business from Australia and has become a staple of information security podcasts.
    • With a news segment, feature interviews, and sponsor interviews they cover a lot in one very polished hour every week.  
    • They also run sponsored podcasts under the name Snake Oilers and Soap Box. These are paid podcasts in the same feed. However, I listen to all of them. Patrick does a great job of being your voice in the room questioning vendors on new products and technology. 
    • It feels less like sales pitch and more like a valuable way to get information about new products and companies. Being able to hear from three competitors in the same podcast talk about why their technology is better than someone else's technology is a great way to save many hours doing the first tier of research on a new product. 
    • https://risky.biz/
  • Darknet Diaries
    • Jack Rhysider has created an informative and entertaining podcast that tells stories of crimes and the darker side of the Internet. 
    • The stories are well produced and informative without being overly technical for the beginner. 
    • https://darknetdiaries.com/
  • The Social Engineer Podcast
    • Chris Hadnagy and his team at Social-Engineer.org host a monthly podcast talking about social engineering and news related to social engineering. 
    • They also do a great job of bringing on guests to talk about non-security related topics that tie to social engineering. Guests are frequently magicians, public speakers, sales people, psychologists, and more. 
    • https://www.social-engineer.org/category/podcast/
  • Bellingcat Podcast
    • Bellingcat is an investigated journalism organization researching and exposing crimes around the world. 
    • The episodes discuss many sensitive subjects about dangerous people and groups.
    • It's a narrative style focusing on one story and although is not information security specific covers a lot on disinformation campaigns and Open Source Intelligence Techniques. 
    • https://www.bellingcat.com/category/resources/podcasts/
  • Tribe of Hackers
    • Based on the series of books created by Marcus J. Carey and Jennifer Jin. 
    • Hosted by Ray [Redacted] it interviews security practitioners and leaders. 
    • They generally aren't "thought leaders", but experienced security practitioners experienced in their craft. 
    • Lots of great insight from people that have learned the lessons and give advice so you don't have to learn them on their own. 
    • Great for learning more about building relationships and communities. 
    • https://www.tribeofhackers.com/
    • https://podcasts.apple.com/us/podcast/tribe-of-hackers-podcast/id1510526299
  • The Privacy, Security, and OSINT Show
    • Michael Bazzell hosts a podcast where they talk through issues relating to protecting your identity online and finding information on others. 
    • This is a great companion to his books and website inteltechniques.com 
    • https://inteltechniques.com/podcast.html
  • Paul's Security Weekly and it's many other podcasts
    • Paul Asadoorian has developed a podcasting network with many specific podcasts around information security. 
    • These include Start-up Security Weekly, Tradecraft Security Weekly, Enterprise Security Weekly, Application Security Weekly, and many more. 
    • Security Weekly, their flagship podcast, is more like a group of friends sitting around discussing security. If you are looking for something casual and fun this may be your first stop when listening to podcasts.  
    • https://securityweekly.com
  • SANS Internet Stormcast
    • Dr. Johannes Ulrich runs a daily five minute podcast that discusses just issues detected by the Internet Storm Center from the day and night before. 
    • If you are a Security Operations Center Analyst or network defender this is required listening on your ride into work. 
    • Even if you aren't in active defense this podcast is a five minute update regarding real issues affecting security that the day. 
    • https://isc.sans.edu/podcast.html
  • Black Hills Information Security
    • Black Hills takes many of their popular webcasts and turns them into podcasts for easy listening. 
    • They also run webinars and occasional discussions. 
    • These are often very practical and tactical in nature focusing on specific problems. 
    • This podcast is a great way to learn more specific technical skills. 
    • https://www.blackhillsinfosec.com/podcasts/
  • Defensive Security
    • Jerry Bell and Andrew Kalat run a weekly information security news podcast specifically around blue team and defensive security subjects. 
    • With a dash of humor they discuss news stories that impact security, ways to solve those problems, and the challenges that make securing systems difficult.
    • https://defensivesecurity.org/ 
  • Breaking Down Security
    • Bryan Brake, Brian Boettcher, Amanda Berlin blend news and technical discussion around defensive and operational tactics for information security. 
    • The podcast is friendly, casual, and sometimes off the cuff where actual practitioners discuss what they've learned and share it with the listeners. 
    • https://www.brakeingsecurity.com/
  • Down the Security Rabbit Hole
    • Rafal Los and James Jardine talk security and business, specifically security as it relates to organizations that have business challenges and security challenges. 
    • http://podcast.wh1t3rabbit.net/
  • The Cyberwire
  • CoinSec 
    • The CoinSec podcast covers news around cryptocurrency and blockchain.
    • This is a great source of information around an emerging field in security. 
    • https://coinsecpodcast.com/
Twitter and Social Media

Social media is pervasive no matter what industry you are in. However, for one reason or another information security seems to gravitate toward Twitter. Social Media and specifically Twitter is a great way to engage with people in the field and learn about hyper-current events. It's not unusual for security professionals to call Twitter their "threat intel feed". It's also common for information about a new botnet, type of attack, or new vulnerability to show up on Twitter in almost real time as it's discovered.

Below I've created a list of people are great for beginners and pros to follow on Twitter. This list isn't an endorsement nor is it exhaustive of who you should follow. It also doesn't mean I always agree with everyone on the list. However, I have found this list of people are generally positive in their intent, incredibly inclusive, and very knowledgeable. More over, these people like to share their knowledge and generally make the world a little better place where they can.

Take a look through the list and see what you find. Follow those that bring value to your journey. Find those that can become that "threat intel feed" for you. Further, find the voices that inspire you to keep going!

https://twitter.com/EanMeyer/lists/for-people-new-to-infosec

Slack

Slack has become an indispensable part of InfoSec communication. There are a few Slacks that are very active and great for people looking to learn. Many of them have career and job channels. Often teams will work together in Slack channels on CTFs. Other channels may just be for questions and advice. This is a great way to get to know people and chat outside as public a forum as Twitter. You can lurk if you are a bit introverted or participate. Whatever your style Slack channels are a great way to meet people that may share similar interest or are at similar points in their career journey.

Most Slacks are set to allow public invites. For the below most should auto except you, but don't fret if they don't respond immediately. The owners of the Slacks may have a review set to prevent bots from joining. It may take some time for them to review and approve you joining.
  • Breaking Down Security
    • The Slack for the Brakeing Down Security Podcast. 
    • This is a very active community with lots of members chatting about many security subjects.
    • https://brakesec.slack.com/ 
  • Defensive Security
    • The Slack for the Defensive Security Podcast
    • This is also a very active community with lots of discussion for those new to security and pros.
    • https://defsec.slack.com/
  • CentralSec
    • This Slack has less activity, but is for all the local Central Florida groups.
    • It also regularly becomes an unofficial home for people looking to chat about the SANS Holiday Hack each year.
    • https://centralsec.slack.com/
Conversation Threads

It became apparent there are some great conversations that occur that never get turned into blog posts, but have a ton of value for those getting started. Check out the below Twitter and other conversation threads that are packed with information for those just starting out. You may even find some new people to follow and start conversations of your own.

This thread from Darksim905 has a lot of feedback on VMs you can use to learn security concepts and where to find them: https://twitter.com/darksim905/status/772420136951222272

Conferences

Conferences can have a high barrier of entry in terms of costs. Black Hat, InfoSecWorld, and RSA can cost thousands just for an attendee badge. This doesn't include hotel, food, and airfare. This is not to say these conference do not have their own level of value. (This is a hotly debated item I won't debate here) However, for those looking to learn more about information security or change careers and don't have the benefit of corporate training dollars these conferences can unobtainable.

The good news is there are many regional and lower cost conferences to help fill the gap. These conferences are often completely volunteer based and run because the people running them are passionate about security. Don't let that confuse you as to the quality of the event or the speakers. Often the same speakers that find their way to speak at Black Hat, Defcon, and other high profile conferences come to speak at smaller conferences. They do this because they are passionate about helping those in the field.

I've listed a few conferences I am partial to for beginners because at the high end they cost $250 for a badge while most are under $100 or free. Find a conference close to you, go learn, meet people. Many careers were started by getting to know people and learning from them at conferences. Even more were started by volunteering at those conferences so people can see your work ethic. People like to invest time helping people that like to help others.

I've tried to distribute these regionally. If you know of a low cost regional conference that is high value that I should look at let me know!
  • B-Sides
    • B-Sides grew into a series of conferences all over the world. 
    • The original intent was to create a low cost or free conference that occurred around the same day as a larger more expensive conference. 
    • The smaller conference is the B-Side of the "record". 
    • These conferences are often free or very low cost and run by volunteers that are very passionate about security. 
    • Some events are relatively small while some are very large. B-Sides Las Vegas and DC regularly have over 1,000 in attendance. 
    • Many B-Sides include Lock Picking Villages, Capture The Flag Tournaments, talks, workshops, and more. 
    • http://www.securitybsides.com/w/page/12194156/FrontPage
  • B-Sides Orlando
    • I have to mention this one as if you are reading this you are likely local to Central Florida and I am one of the conference organizers. 
    • B-Sides Orlando regularly sees 500+ attendees and features talks, workshops, lock picking village, a CTF, and much more. 
    • Students are FREE and attendees are $20
    • https://bsidesorlando.org/2019/
  • Circle City Con
    • This conference is hosted in Indianapolis, IN
    • Ticket start at $125
    • The conference features talks and training. 
    • https://circlecitycon.com/
  • KernelCon
    • This conference is hosted in Omaha, NE
    • Tickets start at $155
    • The conference features talks and low cost workshops: most workshops are $20 to $30.
    • https://kernelcon.org/
  • Cactus Con
    • This conference is hosted in Mesa, AZ
    • Tickets are FREE if you don't want swag (badge, etc) and $30 if you want a badge and swag.
    • This conference includes a talks, workshops, a CTF, lock picking village, hardware hacking, and more. 
    • https://www.cactuscon.com/
  • Wild West Hacking Fest
    • This conference is hosted in Deadwood, SD
    • Tickets are $270 placing this on the higher end of the conferences listed, but the value is incredible. 
    • Black Hills Information Security created a conference focused on hands on labs and many CTF challenges. 
    • The conference area is littered with well documented hands on demos where you can try your hand a wireless hacking, packet capture, physical intrusion techniques, and much more. 
    • The conference includes talks, workshops, hands on demos, a CTF, and much more. 
    • This is one of my favorite conferences as it takes place in a beautiful part of the country and feels very small even though many people show up to learn and meet others. 
    • https://www.wildwesthackinfest.com/
  • Nolacon
    • This conference is held in New Orleans, LA.
    • Tickets start at $150
    • The conference includes talks and training.
    • Training is run by professional trainers and generally costs between $1,000 and $2,000 per class. However, even without purchasing the additional training, the conference has great speakers and is affordable for those who may be close to Louisiana. 
    • https://nolacon.com/
  • Defcon
    • This is the big one. When people talk about "the hacker conference" they are talking about Defcon. 
    • Defcon is held in Las Vegas, NV during "Hacker Summer Camp"
    • For one week BSidesLV, Black Hat, and Defcon happen in Vegas. Not to mention many other associated conferences like The Diana Initiative, QueerCon, and more.
    • Tickets are $270 and are cash only at the door (unless you to to Black Hat where you can purchase in advance with a credit card.)
    • To try and list all the events that happen at Defcon would be daunting. Beyond talks and workshops there are villages. The villages on their own are mini-conferences with their own talks, CTFs, and challenges. There are also unending parties everywhere. 
    • Defcon regularly consumes all the conference space at main hotels on the Las Vegas strip.
    • Defcon is something you should do at least once. Prepare to lose a lot of sleep and learn a ton. 
    • The biggest trick to your first Defcon is not to worry about what you are missing as there is way to much to see. Make a small list of things you want to see before you go, then let yourself discover things you never knew you would be interested in until you tried it. 
    • https://defcon.org/
  • More Conferences
    • There is no shortage of information security conference. 
    • Infosec-Conferences lists most of them all over the world. 
    • You can likely find a conference near you on this site. However, the ones I listed about are generally financial achievable for those just starting out and provide a lot of value for the student dollar. 
    • https://infosec-conferences.com/ 
Meetups, Associations, and Mentors


Meeting people that are like minded is a large part of growing in any career field. This one is no different. There are plenty of meetups, professional associations, and people that want to mentor (sometimes that last one is more difficult given the demands on experienced mentors). The import thing is to find people to talk and share knowledge with. Before you know it you will be the person showing what you know and teaching the next curious individual. The best thing about this is even people that are considered luminaries are still learning and growing. You may know something they don't and can share that knowledge. No matter what level you are at you likely learned something you can share with the next person that shows up at a meetup.
  • CitySec
    • CitySec is an informal meetup of information security professionals and those who are just starting. All are welcome. 
    • These are casual meetups with no vendor pitches, you pay for your own drinks and food, and has no membership or RSVP. 
    • There are CitySec meetups all over, you can find one close to you at the link below.  
    • https://www.reddit.com/r/netsec/wiki/meetups/citysec
  • CitrusSec
    • CitrusSec is the CitySec Meetup for Central Florida. 
    • I generally help organize this meetup.
    • It often coincides with the TOOOL (The Open Oraganization Of Lockpickers)
    • It happens on the 4th Wednesday of every month at 7pm.
    • See the below link for location and details.
    • www.citrussec.com
  • The Open Organization Of Lockpickers (TOOOL)
    • TOOOL has meetups throughout the United States for people interested in lock sport.
    • Lock sport is lock picking and other lock related challenges. 
    • You can find people at TOOOL meetings eager to teach others about lock sport.  
    • The link below lists Tool meetings throughout the US.
    • https://toool.us/
  • Defcon Groups
    • Defcon Groups are a local extension of Defcon.
    • These are usually tied to telephone areas codes.
    • Defcon Groups are often technically focused with people presenting research, running labs, or competing in CTFs.
    • Each groups is slightly different. You can find a group close to you at the link below.
    • https://defcongroups.org/
  • DC407
    • DC407 is the Defcon Group for Central Florida
    • They meet regularly, are open to anyone, and often focus on presenting technical topics and research. 
    • https://dc407.com/
  • ISSA Central Florida
    • ISSA is the Information Systems Security Association
    • These groups meets regularly presenting security topics from technical presenters and vendors. 
    • Often you can come as a guest to try out the organization before joining. 
    • Check their calendar for upcoming events.
    • http://centralflorida.issa.org/
  • ISC2 Central Florida
    • ISC2 is the certifying body for the CISSP (Certified Information Systems Security Professional) and other security certificates. 
    • They have a very active Central Florida Chapter.
    • They meet regularly presenting security topics from technical presenters and vendors. 
    • Often you can come as a guest to try out the organization before joining. 
    • Check their calendar for upcoming events.
    • https://www.isc2chapter-centralflorida.org/
  • ISACA Central Florida
    • ISACA is the certifying body for the Certified Information Systems Auditor (CISA) and C-RISC (Certified in Risk and Information Systems Controls) and more.  
    • The chapter isn't very active. 
    • Check their calendar for upcoming events.
    • https://engage.isaca.org/centralfloridachapter/home
  • Infosec Mentors Project
    • This is an amazing project put together by Keith Hoodlet and Jimmy Vo.
    • It's purpose is to pair people with infosec mentors at the next level from where they are in their career. 
    • Mentors join to receive mentorship from someone at a level they are looking to get mentoring from. 
    • Everyone that joins is required to mentor someone that is trying to get to the next level of their career.  
    • Each person lists how much time they have available to mentor and how they would like to mentor and be mentored (email, phone, chat, video call, etc)
    • The goal being everyone that participates gets mentored and provides mentoring. 
    • https://infosecmentors.net/about
If you made it this far you must be really curious about how you can learn more. I hope this was informative and sets you on a path to lifetime learning and potentially a successful career in information security.

Please share your thoughts by tweeting @eanmeyer on Twitter.

Thanks!

Ean