How I started my InfoSec Journey - and how you can do it too

by Yann Santschi
on July 11, 2024
time to read: 10 minutes

Keypoints

The Information Security learning landscape. What will you need to be successful?

  • A solid IT foundation, passion for InfoSec, and clear career goals, inspired by industry experts
  • Start with fundamental IT skills through accessible platforms like YouTube and w3schools, focusing on programming, networks, operating systems, and websites
  • Use platforms like TryHackMe and HackTheBox, and pursue certifications like OSCP and CISSP for deeper specialization in InfoSec
  • A variety of resources for all learning stages is highlighted, from YouTube tutorials to advanced cybersecurity platforms, ensuring learners can find materials that fit their interests and skill levels

Information Security is a broad field that spans quite a lot of subfields. Many Information Security younglings face the problem of choosing their field and trying to get in without any prior knowledge. This article highlights one youngling’s journey into Information Security.

Introduction

My name is Yann Santschi, and I am currently the newest addition to the scip team. In this article I want to share my information security journey so far and showcase some of the learning opportunities that we currently have. It is important to note that these are my experiences. It is different for everyone, and there are no partnerships with any of these platforms.

Several earlier articles covered the learning landscape and what to focus on when starting out in information security. Some of the information in this article is based on Andrea Hauser’s article Security Testing – Options for lateral entry and Stefan Friedli’s article Information Security – three things you need to hear, so it will definitely make sense to read them in advance, especially since this article will not specifically cover things like universities or apprenticeships but rather the self-taught aspect of InfoSec. In addition, this article gives an update on some of the best upcoming learning platforms and learning solutions.

Briefly, I want to go over my professional experience to give some context for the information that follows. I started my IT journey in 2015 with an apprenticeship at a large Swiss financial institute. I got a great overview of the distinct aspects of IT through various stages in teams spread thematically across the IT field. Afterwards I did consulting with a rather conceptual focus, and now I am back doing hands-on technical work. Meanwhile I also started studying information and cyber security in a Bachelor’s programme at the HSLU. This is where I am currently.

While I learned many things by working with them or having them introduced during the Bachelor’s, I also enriched this experience with quite a lot of other learning tools, other people’s knowledge, and experience gathered through trial and error.

What are the prerequisites for a career in Information Security?

In short, I agree with my colleague Andrea in her article mentioned above: you will need the following prerequisites:

  1. Excitement and enthusiasm for Information Security. Be aware that you will need a lot of time to understand the basics.
  2. Make sure you understand your expectations of working in Information Security, and ask someone to challenge them, so that you have a better understanding of why you want to do this.
  3. You will need a good foundation in general IT concepts to know where their weak points and vulnerabilities are.

Since those were already well explained in Andrea’s article, read there for what it takes.

Where should you start?

If you do not already have a good IT foundation, you should start by learning about programming, computer networks, operating systems and how websites work. The most important steps in all of this are to apply skills and to have fun while doing it. But how?

  1. Programming: There are thousands of programming classes and courses everywhere. Search for programming courses on YouTube or on paid platforms like Udemy. Start out by learning the key concepts of programming. Learning Python is a good start since it is very beginner friendly. At a later stage, you can transition to C or C++ to further deepen your programming knowledge. You can also try to learn other languages or frameworks; this will only help you, even though it is not a requirement.
  2. Computer Networks: Again, there are many different resources when it comes to networking; the best, in my opinion, is the CCNA course by Cisco. Doing the entire certification is very expensive. Alternatively, you can follow YouTube video courses and build virtual labs with Cisco Packet Tracer, which is a very good networking simulation tool. You only need to create an account; no payment is needed. You will learn what switches, hubs, routers, and many more devices are, and you will also learn about diverse types of protocols and network security solutions like a NIDS or a firewall.
  3. Operating Systems: When working in IT you will come across Linux, Windows, different server OSs, sometimes macOS or even embedded systems. To know how to manage them, you will need to understand the basics of each. How do they do access control or privileged account management? To understand them best, install them in virtual machines and try different tasks. Read up on how Linux and Windows work. Understand the concepts of virtualization and of containerization through Docker. And again, there are many different YouTube videos explaining the core concepts.
  4. Websites: Learn how websites work. Learn about front-end and back-end. How do they interact? What are databases and what are they used for? What can you do with a website? A good starting point here is learning about the front-end, so HTML, CSS, JS, … which will give you the tools to create something and get immediate feedback on it. This is very motivating, and from there you are free to branch into all the other topics. This is again best learnt by using YouTube videos, or alternatively you can go through the w3schools tutorials. There are similar tutorials elsewhere; this is down to personal preference.

Something that also helped me were the videos of different YouTubers, which are very entertaining and contain lots of great information; my favourites are NetworkChuck, The Morpheus and Fireship. Only stay with a topic as long as you have fun with it. Move on as soon as you think it is boring. You won’t learn more or better by pushing through, but rather by having fun and experimenting with stuff.

Navigating Certificates, Courses, and Tools

Choose the topic first. Then choose your level. It made sense for me to start with Penetration Testing, because I had the most curiosity about it. If you want to start out with that and want to strengthen your understanding of core concepts, you could do some TryHackMe courses. This is a paid learning platform providing many different entry-level courses and introductions to different topics. You can use a free account to access some of the content. They are focused on being beginner friendly and provide a broad range of offensive and defensive courses. A good and free alternative to THM could be the OverTheWire Wargames. They offer somewhat more advanced labs, where you do not get too much of an explanation, but you are encouraged to learn about different attacks and problems by trying them out. Depending on the topic you would like to do, you can start a path, and to advance to the next level you will need the password of the previous one. Another great option is the HackTheBox Academy. These courses are a bit expensive, but they are worth it, especially when you want to go further into the CTF realm. The best CTF platform, in my opinion, is HackTheBox. They offer great training with many practical applications. In my experience you will already need some knowledge to be able to get through the learning path. But you will get a great understanding of potential attacks, how to further enhance them and how to defend against them. This was the way to go for me. I am still working on my HTB CPTS Certification. And last but not least, if you are especially interested in webapps, check out the PortSwigger labs. They have exceptionally good explanations and labs on webapps.

If you are even more advanced, you can try to go for the OSCP Certification by OffSec. This certification is a staple in the Information Security space. Or, if you want to go in a managerial direction, I recommend the CISSP Certification, which delivers a very broad overview of all the InfoSec fields.

Here are some more resources I came across while learning that are particularly good as well:

  1. RangeForce and Immersive Labs: Two great resources, especially for training Blue Team topics.
  2. OWASP Security Shepherd, the OWASP Juice Shop and other OWASP projects in general: Open-source projects to learn about and improve the security of web and mobile applications.
  3. CrackMes: A training platform specific to Reverse Engineering.
  4. CodeWars and LeetCode: To solve different programming problems.
  5. Root Me: Another CTF platform.

And if you are really advanced, you can start out with Bug Bounties on HackerOne; they also have a web security training.

Conclusion

As you see, there are so many different resources to choose from. And there are many more learning platforms, and I’m sure they are great as well. Those were just the ones that I personally used. Just try one and see if you like it. If not, try another until you find one you like. Again, it is all about fun. There is no perfect resource, but the combination of them will make it perfect. The more advanced you get, the more up-to-date you will need to be. Therefore you should start to read about new techniques and try them out. A useful source for this could be our articles as well as other blog posts, and for some reason Twitter or X, whatever you want to call it, is a good source of information as well.

About the Author

Yann Santschi

Yann Santschi completed an apprenticeship as a systems engineer at the Swiss Stock Exchange and then worked as a cyber security consultant at one of the Big Four consulting firms. He is currently pursuing his Bachelor’s degree in Information and Cyber Security with a major in Attack Specialist and Penetration Testing at HSLU. His focus is on web applications, network security, and social engineering.
