What is Cyber Security

Bat Shikata September 7, 2024 20 min read For Beginners Getting Started With Cyber Security Beginner Careers
A broad overview of security careers and introductory concepts for getting involved.
On this page
What is Cyber Security

Where Do I Start?

There is not a straightforward answer, as it largely depends on your current level of knowledge. The term “hacking” itself is broad, which adds to the confusion. Conceptually, hacking is like learning to pick a lock by understanding how the pins interact, then using that knowledge to unlock doors you weren’t supposed to open. If I could give one piece of advice that helped me the most it would be this: Worry less about what to learn, and just start learning.

Don’t be afraid of feeling stupid. Google is your friend. Expect to have to look up terms, guides, and follow curiousity down rabbit holes as you’re going through these resources. It’s better to get sidetracked learning something new than to avoid reading altogether.

Throughout our blog, you’ll find numerous links to external resources to aid your learning. However, those resources won’t be effective unless you have the right mindset. Decision paralysis is a real challenge. It’s far more productive to dive into a subject and discover the gaps in your knowledge than to waste time searching for resources that might perfectly align with what you currently know. If you’re still worried about what to learn, take a leap of faith, pick up whatever looks interesting and run with it. You’ll be more motivated to learn something that looks cool to you than reading a 600-page book writen in 1994 that some guy told you to start with.

Resources can include videos, articles, or even interactive wargames. While consuming content is helpful, getting hands-on experience is key to reinforcing what you’ve learned. For example, if you’re watching a video on reverse engineering, follow along by downloading the resources and debugging alongside the presenter. You may need to pause or rewind, but it’s well worth it. Avoid the temptation to simply finish videos and articles just to complete them. Do the work, that way you actually learn.

Information security (InfoSec) encompasses the practices, processes, and technologies used to protect an organization’s data, users, networks, and systems from unauthorized access, attacks, and/or damage.

The core goal of information security is to ensure the confidentiality, integrity, and availability of information, whether it is stored on physical devices or transmitted over digital networks. All careers in information security ultimately exist with the same goal in mind, but with vastly different approaches. While Information Technology (IT) professionals focus on the day-to-day upkeep of user-facing assets, information technology professionals focus on ensuring the safety of all assets owned by or attached to a given organization’s network.

Information security is an overwhelmingly large field with a collective knowledge-base spanning decades of brilliant innovation and stubbornly persistent backwards compatability. Inevitably, data has become a more valuable asset than oil. Security breaches can have global impact, moreso every day with the growing reliance on technology in almost every aspect of daily life and business. InfoSec is critical in safeguarding sensitive information from malicious actors, preventing unauthorized access, and ensuring systems remain operational and secure.

With that out of the way, let’s start small: security engineers. When someone identifies as an engineer, the immediate question is often:

This is because engineering covers a broad range of specialized fields, and simply saying “engineer” doesn’t clarify the specific expertise involved. Similarly, when someone describes themselves as an “Information Security Professional” or “Cybersecurity Specialist,” it doesn’t fully capture the diverse roles they play or the specialized knowledge required for their day-to-day tasks.

What Jobs Are There?

Red Team

Offensive security, or hacking, includes various roles focused on the idea that “the best defense is a good offense.” These professionals assess a company’s security by attempting to breach defenses and gain control of assets.

The role of an offensive security operator may involve:

  • Manipulating company employees to give you information.
  • Attempting to perform physical intrusions into buildings.
  • Finding vulnerabilities and weakness in websites.
  • Reverse engineering software to build exploits.
  • Developing custom malware to be used in live engagements.

Ultimately, this process typically concludes with the operator writing a report for the company, detailing the identified vulnerabilities and providing remediation recommendations.

Penetration testers focus on identifying vulnerabilities in specific systems within a defined scope, while red team operators simulate real-world, persistent attacks to test an organization’s overall security defenses and response capabilities.

While exploit developers focus on finding and exploiting vulnerabilities within existing systems or software, malware developers create entire malicious programs with specific goals, such as remote control, data theft, or damage. Exploit development is often a subset of malware development, where exploits are used to deliver or activate the malicious code.

Bug bounty hunting is primarily an independent endeavor through public or private programs. Organizations establish bug bounty programs with rules of engagement clearly laid out to allow security researchers to attack their infrastructure in exchange for rewards based on the severity of their findings before a malicious threat actor can abuse the same attack path.

Blue Team

The primary objective of professionals in this discipline is multifaceted; they must act as both the proactive hunter and the reactive responder. Proactive defensive positions are often involved in the constant improvement to designs & configurations of security controls; proactive defenders utilize bleeding-edge research of both public & private accessibility to assess if their environment may be vulnerable & remediate threats before they can propagate. Reactive defenders investigate suspicious activity, perform log analysis, and respond to potential intrusion attempts.

The role of an defensive security operator may involve:

  • Log analysis of all available telemetry to best understand what happened, why it happened, and how to prevent it from happening again.
  • Operationalizing data points discovered through log analysis to build creative solutions to detect & respond to attacks against corporate infrastructure.
  • Identification and reverse engineering of malicious code, both in private samples discovered internally as well as publicly accessible samples of common malware.
  • Maintaining communication streams between technical points of contact that may be involved in the incident & bridging these conversations into non-technical narratives for the consumption of stakeholders.

Defensive security specialists are on the front lines, protecting clients from threats ranging from nation-state hackers to low-level script kiddies. Defenders must be right every time, while attackers only need to succeed once.

Defensive work is typically fast-paced & is best described as “drinking from a fire hose.” Most aspects of defensive security revolve around the DFIR (Digital Forensics & Incident Response) lifecycle which can be simplified to the following:

  1. Preparation of breach response & disaster recovery plans, building playbooks on how to respond to types of threats.
  2. Identification and analyses of anomalous behavior & security alerts based on known malicious behavior.
  3. Performing active containment & swift eradication of threats from corporate assets.
  4. Post compromise analyses, recovery of company data.
  5. When complete, the incident handler documents all potential areas of improvement for future intrusions.

Purple Team

A Purple Team combines offensive and defensive security strategies to bridge the gap and offer a unified solution, especially for smaller organizations. They are responsible for simulating attacks as well as detecting and responding to these simulations, ultimately strengthening the organization’s security posture. Purple teams are a newer concept than the classic “Red versus Blue” model, and will widely vary in structure per security team.

Sometimes a purple team is balanced into equal defense & offense operators. Sometimes a purple team is just one very determined nerd with Splunk access and a dream.

Architecture

Architecture Security focuses on the strategic design and planning of secure IT systems and infrastructure. It involves creating blueprints for secure networks, applications, and systems that align with business goals while ensuring robust protection against potential threats. Security architects design security frameworks, integrate security controls from the outset, and ensure compliance with industry standards and regulations. They conduct risk assessments, define access control policies, and design resilient systems capable of scaling securely as the organization grows. The goal is to build a secure foundation that not only meets current needs but is also flexible enough to adapt to emerging security challenges and evolving business requirements.

In larger organizations, architecture often includes highly specialized architects for each aspect of the attack surface, such as Cloud, Network, Endpoint, Application, and DevSecOps.

Infrastructure

Infrastructure security focuses on securing the underlying physical and virtual components that support the applications and services that an organization provides. This discipline is responsible for ensuring that the systems are configured securely, that the systems are patched and up to date, and that the systems are monitored for security events.

DevOps vs. DevSecOps: DevOps focuses on streamlining the development and operations processes to enable faster and more efficient software delivery through automation, continuous integration, and continuous deployment (CI/CD). In contrast, DevSecOps integrates security practices directly into the DevOps workflow, ensuring that security is considered at every stage of development, from planning to deployment. While DevOps emphasizes speed and collaboration between development and operations teams, DevSecOps adds a proactive security layer, ensuring that vulnerabilities are identified and addressed early in the development cycle without slowing down the overall process.

Governance, Risk, & Compliance

A company’s security posture is only as good as their Governance, Risk, & Compliance (GRC). Without contingent plans in place for disaster recovery, incident response, and business continuity, companies will fall short of their recovery & response plans in every intrusion. While GRC roles often sit on the edge of the sphere of security, their impact on defensive posture & good hygiene cannot be overlooked.

Now that we have a basic understanding of what roles might look like, let’s peel back the first layer of the onion.

When Can I Start?

In short, that’s entirely up to you. Realistically, you’ll never feel ready – that’s okay, apply to those open CISO jobs anyway. 😉

For many, the task of mastering so many areas of knowledge can feel daunting, leading some to reconsider a career in InfoSec altogether. Learning the fundamentals is more accessible than ever, however, with the wealth of online resources available to anyone with a computer and internet connection.

No one knows everything, no matter how experienced they seem (or claim to be). Giving in to imposter syndrome only holds you back—it wastes your time and energy. Every challenge and setback is an opportunity to learn and grow. The more you study, the closer you get to finding the right fit for your skills and interests. Embrace the process, and remember: growth happens when you push through discomfort, not when you stay stuck in fear.

Studying is not a race. It is okay to move as slow as you need. Don’t rush/skim over topics because you’ve placed a time crunch on yourself, it is far better to be thorough and correct than rushed and wrong.

The breadth of knowledge required to break into the industry can be overwhelming and discouraging for newcomers. This challenge arises from the need to build a solid foundation across many complex disciplines, each of which often a career in its own right. It’s unrealistic to expect an entry-level candidate with minimal IT experience to have strong coding skills, or someone with a help-desk background to be comfortable with binary exploitation. It is important to note that one does not need to become an expert in each of these topics, but that a core understanding is instead needed in order to succeed in the field.

The reality is that none of us will ever know everything. Given time, however, you will know enough to know how to find the answers to things you do not yet understand.

Just keep learning, and do not be afraid to admit “I don’t know that”. Trying to bullshit your way through a topic you do not grasp will only hurt your chances with a hiring manager who truly knows the subject. Technical leads in cybersecurity are well aware of this and tend to prioritize candidates who demonstrate a strong desire to learn and grow, even if they lack experience, over those with a strong technical background but refuse to acknowledge their shortcomings. Passion is something that can’t be taught, but knowledge can be.

  • Rabbit holes are good! Follow them to fruition: take notes of the paths you took, what worked, what didn’t work, and the resulting outcome. You will forget far more than you will know in a given time, so keeping consistent documentation for yourself in your studying & research will absolutely be beneficial.

  • The “hacker mindset” applies to all aspects of the field, not just offensive security.

  • Everyone has a different learning style, dependant on the best way you consume and retain content (Visual, Auditory, Reading/Writing, Kinesthetic). Know how you study best and use that to your advantage.

In short:

What’s a “Hacker Mindset”?

If you’re an auditory learner, these are for you:

For those reading/writing learners, let’s create a practical example and compare the different approaches between a web developer (“Alice”) tasked to solve the problem and a curious hacker with too much time on their idle hands (“Bob”):

Web Developer Methodology:

  1. Replicate the Issue: Alice first replicates the issue in different browsers and network environments to check if this issue is consistent.
  2. Check Client Console: Alice uses the browser’s developer tools to see if there are any errors returned after the upload button is clicked. She notes no issues on the client-side.
  3. Check Server Logs: Alice then checks server logs to identify any delays in processing or unusual activity, like excessive memory usage, file handling errors, or server-side timeouts. She does not find any abnormalities.
  4. Check Request Handling: Alice checks the server-side code that processes the file upload to check if it’s experiencing bottlenecks or has misconfigured timeout settings. She also checks if the file is being processed synchronously, which could cause delays, and tests if refactoring to handle file uploads asynchronously resolves the issue.
  5. Check File Upload Process: Alice reviews the code that handles post-processing of the file to ensure her single-threaded Flask app isn’t waiting for this function to complete.
  6. Test with Different File Types: Alice tries uploading different file types to see if certain files cause slower processing.
  7. Check Client-Side Interactions Again: Alice looks for any JavaScript running on the client-side that could be delaying the request but once more finds no issue on the client.
  8. Optimize Server Performance: Alice determines the issue must then be server-side. She opens a ticket in her sprint backlog to optimize file processing.

Hacker Methodology:

  1. Replicate the Issue: Bob starts by replicating the issue across different browsers, OS environments, and network conditions to check if this behavior is consistent.
  2. Analyze Network Traffic: Bob proxies his browser through BurpSuite to monitor web traffic during the file upload. He spends the next 2 hours here.
  3. Analyze Response Timing: Bob is transfixed on why the response hangs for 5 seconds. He checks if the delay correlates with specific parameters (file size, file type, MIME type) and causes a DoS (Denial of Service) by overloading the server on accident.
  4. Check for Input Validation: Bob tests the upload functionality with various malicious payloads to see if the delay is a result of poor input validation or any attempt to sanitize files.
  5. Check for Timing-Based Attacks: Bob wastes a few hours trying timing attacks by uploading different files in rapid succession and observe if any patterns emerge regarding how long the server waits before responding.
  6. Check for Input Validation Again: Bob uploads more files that trigger server-side processing, this time hoping for a callback that would indicate the server executed his payload.
  7. Fingerprint and Google: Now that Bob has gotten familiar with the server’s infrastructure from hours of poking it blindly, Bob spends the next 14 hours reading source code of known dependencies on GitHub.
  8. ?? Profit: from his enumeration and testing, Bob concludes the delay stems from an imported file handling library that insecurely deserializes his payload. He applies for a CVE and moves on with his life.

Web Developer: The developer’s primary focus is on identifying the source of the abnormal delay, analyzing server and client-side code, improving performance, and ensuring that the file upload works as intended without any unexpected behavior.

Hacker: The hacker’s focus is on investigating the delay to determine if it’s indicative of a vulnerability that could be exploited, especially looking for ways to manipulate the file upload process or test for weaknesses in input validation, timing, or server response handling. The key difference in their approaches lies in their intent. One works from the perspective of a “known-normal” baseline, aiming to identify and resolve issues, while the other operates under the assumption that this behavior can be manipulated or exploited.

Be curious. Read code. Ask questions. When you run out of answers, do the research yourself (and share with the community, because sharing is caring). You get the idea. This entire tangent boils down to the importance of curiosity and the drive to learn more.

Skipping the basics for the “cool stuff” is like entering a sword fight with a pool noodle—you’re going to lose, and it’ll be a little embarrassing. If you leap from a C++ Hello World straight into malware development without understanding computer networking, congratulations: your C2 server is about to star in a Twitter thread with the hashtag #opendir.

What Now?

Now… just do. Shoo. Go solve some CTFs, study for certifications, check the wiki, or touch some grass. Good luck, have fun!

  _   ,_,   _
 / `'=) (='` \
/.-.-.\ /.-.-.\ 
`      "      `
Hunting Storm-0249 Fake Captcha TTPs
Reference Links
Reference Links

Ac1dF0x

Group of cybersecurity professionals who participate in competitions and share research. We run the Dropout Phreaks Discord server.

Ac1dFox Group CyberSpace

Text Goes Here