cft

Starting with Cyber Security? Here are 10 Common Mistakes You Should Avoid & Tricks to Adopt

It all started with writing some batch scripts using notepad looking from internet and make computer system go shut down automatically or have a matrix rain


user

Tealfeed Guest Blog

3 years ago | 5 min read

It was the year 2012 when I started into Ethical Hacking & Cyber Security. I always had a love for computers, and at present, it’s been almost 7 years, I am working actively in this domain. 

It all started with writing some batch scripts using notepad looking from internet and make computer system go shut down automatically or have a matrix rain in the terminal. It was so fascinating that it took all of my attention, and I dedicated to learning this thing. Over the years, I started exploring various programming languages, operating systems, networking concepts and then started practising hacking concepts on demo websites and demo environments.

It went like this for almost half a year, and after that, I decide to work on advanced skills, and I devoted one year to learn and practise everything. I had a hunger to learn about this domain.

During my 6+ years of experience learning, practising and working in this domain, I have authored two books on hacking, participated in CTFs, reports bugs and did a lot of Vulnerability Assessment & Penetration Testing.

THE START IS ALWAYS TOUGH, LEARN TO HACK IT

Right now,  you might be starting or already started into this domain, learning from various websites or resources and trying to get your hands dirty with some real-life situations or applications. You might be reporting vulnerabilities to websites but getting no scope or duplicates or you might be thinking to prepare for certifications like OSCP and are not able to crack the practice machines like Hack the Box or VulnHub?

Are you getting confused between multiple courses available to you or multiple directions attracting you towards them? 

“It might be happening with you, and it does happen with almost every beginner at present. Due to an increase in resources and information & clashes in the opinion of everyone leads to significant confusion and at last, I have personally seen many talented aspirants leave this domain.”

LEARN WHAT TO AVOID AND WHAT TO ADOPT TO WHILE STARTING WITH CYBERSECURITY

You might have looked for almost hundreds of forums like Quora to get out of this confusion or choosing the right path, but everything turned out to be more and more confusing? 

Here are 10 Common Mistakes You Should Avoid & Tricks to Adopt While Starting into Cyber Security

PATIENCE IS THE KEY

Manual approach of security testing is frustrating at times and even some times with tools. You should be patient enough and thoroughly examine each point to look for vulnerabilities. Don’t give up so easily; if you give up now, someone else might report the issue and win the game. 

Literally, Patience is “the key”. (Image Source: Lynda.com)
Literally, Patience is “the key”. (Image Source: Lynda.com)

TAKE SUFFICIENT BREAKS WHILE PLAYING CTF OR SOLVING THE MACHINE

 It lets you relax and boost your analytical thinking, which helps in many cases where you get sudden ideas about what to do or where to look for the vulnerabilities.

START WITH FUNDAMENTALS & PREPARE YOUR BASE

Many beginners start taking courses for advance Hacking skills like web application penetration testing or network security without building a strong foundation. Before starting into Cyber Security, you must learn about fundamental concepts which include Operating System, Computer Architecture, Networking & Programming.

These are very much required while understanding the target system, especially when the challenge is about reverse engineering, fuzzing, buffer overflow malware writing or exploitation. I have attached some resources to learn about the fundamentals. 

PRACTISE CODING

Programming is essential in Cyber Security. Automated or pre-developed tools are helpful, but they will not always work. You might have to face situations where the tools are a disabled/block or are not fulfilling the scope, and in such scenarios, you need to write your piece of code.

Generally, the programming part in cyber security is useful while developing the malware to infect target and writing exploits for exploiting specific vulnerabilities (especially Zero Days). 

Many CTF & Practise machine and exams require you to write your Exploit to pass the challenge.

INVOLVE IN THE INFORMATION SECURITY COMMUNITY

Besides professional learning, you should start actively participating and contributing to Information Security Communities such as OWASP, Null, Defcon, Peerlyst, to name a few. You can find many local communities running around you, or you can participate in various conferences.

Ethical Hacking and Cyber Security community: OWASP.
Ethical Hacking and Cyber Security community: OWASP.

Meeting with Hackers and other people from the domain always motivate you, and you have a chance to get a mentor who can guide you.  

AVOID WALKTHROUGHS 

This one is especially for solving practise machines such as VulnHub or HackTheBox. You might get frustrated when you are not able to crack a challenge and look for the solution on the internet, and there are dozens of walkthroughs available through which you can crack the challenge, but it reduces your learning curve, and you get habitual of using the walkthroughs every time you get stuck.

Instead, use your contacts that you got from involving into security community and take their guidance about what wrong you are doing or hints about what to do. It is the best way to eliminate the problems you are facing.

PREPARE YOUR CHEATSHEET & KEEP IT HANDY.

There are thousands of commands in popular and widely used security tools like Metasploit, Nmap, and others. You can’t remember them all. The best way to eliminate this situation is to make a cheat sheet of commands and essential points when you are learning and practising tools which are helpful when you work on real-life problems.

FORGET ABOUT $$

When you are starting in this field, you connect with professionals, especially the bug hunters, and you may notice the fair amount they are getting for their submissions. However, avoiding thinking about gaining some amount or swag and focus on it as learning goals. They are earning because they hold experience doing that. Keep that money perspective out. Chase the target you have, get some sweat working on it, and money eventually comes. Your goal should not be money in the first place.

UNDERSTAND THE FUNCTIONALITY & ARCHITECTURE OF THE TARGET

When you get a target to work on, first and the foremost thing most people do is they directly shoot up their terminal start with network scanning and enumeration, try some automated tools to get scope about vulnerabilities. However, the best approach is first to relax and understand the architecture and functionality of the target.

Access the target as a regular user and look at what feature they are providing. It is called usability testing. Many times usability and security are enemies, many applications while providing better usability compromise with the security. 

You might get the basic idea about where you can find the bugs just by looking at the application. Like where is the search bar or input box, how it returns the data, how URL bar is working and others? Focus on understanding the functionality and architecture of the target before becoming the hooded hacker guy.

READ ABOUT PREVIOUS VULNERABLE DISCLOSURE REPORTED IN THE TARGET 

You can also refer to the various vulnerability disclosures made by other research about their findings. It helps you to understand how to deal with the application, what might be the scopes and is there any new issue produced after patching that bug. So more of your attack surface gets some more points to consider.

BE PROUD OF YOUR WORK & CHEER.

Whether you get it in first try or 100th try, you should always cheer and be proud of your work. Practise makes you perfect, so keep on practising and solving the challenges. 

REMEMBER – YOUR HARD WORK NEVER FADES.

HERE ARE SOME OF THE RESOURCES TO START INTO THE CYBER SECURITY DOMAIN:

Learning Resources

https://www.freecodecamp.org/

https://www.cybrary.it/

https://www.bugcrowd.com/hackers/bugcrowd-university/

https://www.cisco.com/c/m/en_sg/partners/cisco-networking-academy/index.html#~stickynav=1

https://github.com/enaqx/awesome-pentest

https://www.paloaltonetworks.com/services/education

https://portswigger.net/web-security

https://sites.google.com/site/bughunteruniversity/

https://info.varonis.com/thank-you/course/web-security-fundamentals?submissionGuid=ec00e37c-acec-4fdd-835d-ec5e1ea18cf4

https://www.offensive-security.com/metasploit-unleashed/

https://nmap.org/nsedoc/

https://acknak.fr/en/articles/oscp-tools/

http://zerofreak.blogspot.com/p/sqli-tutorials.html?fbclid=IwAR2sq7s3aJf1_n0i3bZZwz-gPKw1Z0zi_Lrs7gGFwrY9mfSn2umw_XMmyUg

BLOGS, CHEATSHEETS, REPORTS & OTHER RESOURCES

https://medium.com/@gavinloughridge/hacking-101-an-ethical-hackers-guide-for-getting-from-beginner-to-professional-cd1fac182ff1

https://www.hackingarticles.in/

https://github.com/so87/OSCP-PwK

https://github.com/ibr2/pwk-cheatsheet

https://www.peerlyst.com/posts/resource-online-hacking-and-penetration-testing-labs-chiheb-chebbi?trk=explore_page_resources_recent

https://danielmiessler.com/blog/build-successful-infosec-career/?fbclid=IwAR3b0Fj6PEbvP30sGn3MyujgK7uhxqxoucP3qPX22zChAwzMv_tLhPIGzR8

http://h1.nobbd.de/

BUG BOUNTY PLATFORMS

https://www.bugcrowd.com/resources/

https://hackerone.com/hacktivity

CTFS & PRACTISE MACHINES

https://www.hackthebox.eu/login

https://www.root-me.org/?lang=en

https://attackdefense.com/

https://ctf365.com/

http://google-gruyere.appspot.com/

https://www.hacksplaining.com/

Upvote


user
Created by

Tealfeed Guest Blog


people
Post

Upvote

Downvote

Comment

Bookmark

Share


Related Articles