I dig working in infosec, but I have to admit: keeping my skills up-to-date is one of the most challenging aspects of the job. Infosec is a busy field, and infosec pros are expected to know a little bit of everything. If you’re in the same field, feel free to leave an “Amen, brother,” in the comments.
Attending conferences is a great way to stay in the know, assuming that you have both the cash and the time to step away from your day-to-day long enough to soak up some knowledge. Likewise, training classes from organizations like SANS and MIS Training Institute are great ways to dive deep into a specific subject area, when you can afford them.
If you’re pressed for cash, that’s still no excuse to let your skills waver. Thanks to the magical combination of the interwebs and the uncannily generous infosec community, you can stay in the know and continue to grow as an infosec pro. (For the record, the rhyming was absolutely unintentional, but I dig it, so it stays.)
If you want to pick up some infosec knowledge on the cheap, here are a few resources I strongly recommend you check out. And remember: have fun!
There’s more to security than hacking, but hacking is pretty entertaining. Want to get your feet wet? Then these links are for you.
- Metasploit Unleashed – Here’s an absolutely FREE course on how to use the tool that every pen tester is expected to know. Did I mention it’s from Offensive Security, the folks behind BackTrack Linux and Kali Linux?
- SecurityTube – Looking for an infosec how-to video? Chances are it’s available on SecurityTube. Check out their Wireless LAN Security and Penetration Testing Megaprimer to get a feel for what you can find on their site.
- Wireless Defence – Speaking of wireless pen testing, these guys have a terrific Wireless Penetration Testing Framework online. Some of the tools are a little dated, but if it works, it works, right?
- Virtual Hacking Lab – Per the SourceForge project description, VHL is “a mirror of deliberately insecure applications and old softwares with known vulnerabilities.” Need I say more?
Web App Security
Maybe you’re wired more for web app sec. What better way to learn than by attacking deliberately vulnerable web applications?
- WebGoat – An oldie, but a goodie. I cut my web app pen testing teeth on WebGoat. In actuality, OWASP hosts something like a billion web app security projects (including the Broken Web Applications Project). Don’t like WebGoat? Then pick something else and give it a whirl.
- Mutillidae – If you’re more of a PHP hacker, check out this project from Irongeek and webpwnized.
- McAfee HACME tools – Here, you can download six different HACME apps to hammer against. While WebGoat and Mutillidae feel more like tutorials, I wanted to mention the HACME apps because they’re presented more like commercial websites.
Get out from behind your desk and talk to people! I find that infosec networking events that involve beer are almost always worth your time.
- Local ISSA chapter
- Local ISACA chapter
- Local OWASP chapter
- Local Infragard chapter
- Local (ISC)2 chapter
I’m local to CMH, and we’re damn lucky to have all of these orgs represented (and then some). I wanted to give a quick shout-out to a few of the local infosec groups I’ve participated in at one time or another.
- Central Ohio ISSA
- Columbus chapter of OWASP
- (ISC)2 / Security MBA (Master of Beer Appreciation)
- ISACA Central Ohio Chapter
- OSU SecWOG (Security Working Group)
- Central Ohio Infragard
- Ohio Information Security Forum
And when the time comes that you DO have the cash to attend a conference, here are a few you might want to put on your shortlist.
- (ISC)2 Security Congress
- InfoSec World Conference & Expo
- Central Ohio InfoSec Summit
This list isn’t by any means comprehensive. If I have any glaring omissions, feel free to enlighten me in the comments.