How to start in cybersecurity
Every person in this community was once a begginer and it’s usually a hard domain to begin with if you’re not guided.
I will try to guide you through this article and give you some tips to start your cybersecurity journey.
This article is for beginners.
1. The mindset
First of all, before even talking about how to begin and where, you should answer this question: why?
- Why do you want to learn cybersecurity?
- What are your intentions?
- What is your goal?
- Do you want to make it a career or is it a hobby?
You need to have the right mindset in order to be successful in learning this difficult field.
Almost all answers to these questions are valid, just avoid the dark paths… Do not start learning hacking if your intentions are to do something malicious.
You will not succeed this way, you cannot want to learn cybersecurity only to hack in your ex-partner social account or your neighbor WiFi network. Not only this is immoral and illegal, but also it’s a terrible mindset to have when beginning to learn new things and dedicating to long-term hardwork.
You will need a community in order to start learning fast. Don’t give a bad image of yourself.
You will probably be rejected from most honest communities if you introduce yourself as someone having bad intentions.
Be careful, cybersecurity is a very small world and people usually know each other.
If you have no intentions other than malicious to learn cybersecurity, and you have no interest in the technical details then you should probably do something else because in that case you don’t want to learn, you only want to achieve a malicious goal.
2. The community
Do not neglect the cybersecurity community, which is a key part of your learning process.
Your learning journey will be much difficult if taken alone. Basically, having other people of your level learning with you, and experts you can ask questions to, is a lot helpful.
Do not hesitate to join communities on the internet: e-learning platforms, Discord or IRC servers, forums, etc.
Most of the online learning platforms also have a lot of documentations and challenges to help you improve your skills and learn new things.
- Root-Me: e-learning platform with a huge and active community, documentations, challenges and dedicated vulnerable servers for your tests.
- Newbie Contest: challenges platform similar to Root-Me.
- Hack the box: a hacking playground giving you the access to many vulnerable machines in a lab-like environment in order to test different vulnerabilities.
- TryHackMe: a more guided “training” oriented approach to learning cybersecurity with labs to practice.
- Many others…
3. The documentation
If you’re a beginner and you’re not used to research things on your own, you’re not gonna like this: you have to read a lot of documentation.
It is not optional, and it’s a major part of your learning journey, you will need to read a lot of articles, papers, blogs, books and watch conferences, lessons videos, etc.
There is no teacher or mentor on the internet that will accept teaching you full-time free of charge. So you will have to document on your own.
You will find a lot of resources on the internet, but if you don’t know where to start, pick some documentations listed by those e-learning communities we talked about. For example, Root-Me lists documentation for each challenge, it’s a good start!
One major mistake made by most beginners is neglecting documentation. It’s a long and tedious task, but it is unavoidable.
You need theory of what you’re learning, you need to know how it works, and why, in order to practice. You cannot randomly test things and call it “practice”, that’s not how it works.
Practice also takes a major place in the learning process, but theory is at the base of everything.
4. The English language
That may not be the kind of advice you were looking here, but it’s a real advice: learn English.
If you can understand this blog post, then you’re good to go, but if you need Google Translate, then you probably lack some English skills and you need to fix it.
The reason for this is that a huge majority of the content and resources on the internet for the cybersecurity field are written in English. Most conferences and talks are also in English. Most blogs are written in English (like this one, even though I’m French).
If you want to be comfortable reading documentations and watching talks, without having to waste your time using Google Translate for everything, a good start to your cybersecurity learning journey is improving your English language.
You don’t have to become an English language master, you only need to understand what you’re reading or listening to. Of course it is better to be able to talk and practice in depth, but that’s not required for learning.
Even though documentations are in English, you will still find a lot of people talking your language in communities, if you ever need to ask questions.
You will find a lot of online courses or applications to learn English.
5. The practice
Documentations and theory in general are primordial for understanding a subject. But what makes you good at it is practice.
Without practice, and with time, you will forget what you have learnt or you’ll just never become good or skilled at it.
The actual skill is usually acquired through practice and not through theory. Again, theory gives you all the weapons you need to attack the practice field.
It is simply the concept of applying what you have learnt in theory.
Read about SQL injections? Test it in a lab-environment to actually see how it works in real life. Maybe that will trigger some bugs and you’ll understand more things in depth.
Saw a tool presentation at a talk? Download and test the tool yourself, become familiar with it, don’t be just a spectator.
Followed an online lesson about Python language? Take some time (days, weeks…) to make your own scripts in Python before moving on to the next lesson. Test many things, have fun with it. Learning should be fun.
You’re interested in Linux system? Read arch linux documentation and install the whole operating system by yourself! You may fail many times trying so, but you’ll eventually succeed and feel amazing. It can take days, weeks, months, that’s fine!
Of course those are just examples. Practice in the fields you’re interested in, and for which you’ve read some theory. You should at least know what you are doing, don’t randomly test things without reading proper documentation first.
If you don’t know where to start, you can actually use these platform communities to try to resolve some challenges. Some of these platforms, like Root-Me, provide documentation for each challenge that you can read before practicing.
6. Ask smart questions
It is not a shame to ask for help when you’re stuck somewhere. Some quick explanations by a more experienced person might save you days of struggling.
But before asking questions you need to make sure you have searched enough by yourself, and that you’re indeed stuck.
For example, do not seek help if you’re on a specific material only for 20 minutes: you need to learn to search for documentations and answers by yourself, on the internet, in books etc.
It’s only when you’ve exhausted all your ideas and searching potential that you seek for help, when you’re actually stuck.
When asking a question, ask smart questions (I recommend you to read this page).
If you’re on a generic subject, be precise with what you’re seeking as an answer. For example, don’t just tell someone to explain you how web works. They will probably not have time to give you a whole lesson about web, right? Be concise, aim the exact part of the field you’re not understanding.
If you’re on a challenge or an exercice, do not ask for the solution, ask for tips and directions that will help you get unstuck, but don’t ask someone to do all the work for you. They will probably decline and you’ll not learn anything of it.
If you’re wondering who to ask your questions to, you’ll find a lot of active members of the communities you’ll join.
Do not hesitate to go and introduce yourself in their IRC servers, Discord servers, forums or any other communication system they provide.
For example, Root-Me has an official Discord server (that I own by the way) with active members and channels for asking questions on various categories of cybersecurity.
One big mistake usually beginners make is thinking that anyone in these communities owns them something.
Nobody has to answer you or give you anything, they will do it by kindness. Be kind yourself, stay respectful and do not forget that you’re talking to human beings.
Saying “hello", “please” and “thank you” are basic forms of respect you should follow in any community.
You have to make people want to help you, don’t be a troll or a toxic person, nobody likes that.
7. Focus on some fields
Obviously, you should have a general knowledge of all the fields of cybersecurity, but as you continue to learn in depth, you’ll quickly realize that each field divides in many subfields and at some point, learning everything becomes impossible.
That’s the sad reality, you cannot learn everything and if you’re a curious person like me, this can be very frustrating.
That is why, you’ll have to focus on one of a few subfields you’ll continue learning in depth.
You might know a bit of everything, but be an expert in web security, or a reverse engineer, or a vulnerability researcher, or any other expert in the one of the cybersecurity fields.
But don’t worry about this point yet, you’ll make these decisions later, for now only remember that it is normal to not know everything, nobody does.
There isn’t any rule in choosing a field of expertise, nor there is any good answer to this.
As your learning journey progresses, you’ll find yourself more interested in some fields than others: that’s totally normal and that’s where you should focus your future research.
Learning never ends, even cybersecurity experts with 40 years of experience still learn new things. We’re all beginners at some point.
Learning cybersecurity is hard, you’ll have to spend a lot of time (years to be honest) to become comfortable in a field.
The good news are that anybody can do it with dedicated work and motivation.
Start now and don’t waste time on other useless things. Even if you’re working or studying, you can still dedicate a part of your daily time to learning cybersecurity.
For example, replace Youtube and Netflix by a 1 hour daily session of challenges on a e-learning platform or reading documentation or even listening to a talk.
Remember to take breaks if you feel overwhelmed, that’s the best way to get motivated again and continue with a fresh mindset.
I hope you enjoyed reading this post, and that you now have a clearer idea of where you need to start in order to learn this amazing field of cybersecurity.