(Part 2) Top products from r/cybersecurity

Early 30s is definitely not too late. I also have a bachelors in psychology and I made the jump to infosec four years ago at forty-one. Here is the blueprint for people starting from scratch:

You should be aiming to eventually get a position as a Security Operations Center (SOC) analyst.

A SOC analyst position gives you some insight into a whole range of different information security problems and practices. You'll see incoming recon and attacks, your org's defenses and responses, and the attacker's counter responses. You'll get experience using a SIEM. You'll become familiar with all of the tools in place and start to figure out what works and what doesn't. You'll learn the workflow of a security team and what the more senior engineers do to protect the enterprise. After a couple of years, you'll probably have a much better idea about your own interests and the path you want to pursue in your career.

Here's how you get there:

Step 1: Get the Network+ certification (Skip the A+, it's a waste of time for your purposes). You MUST understand IPv4 networking inside and out, I can't stress that enough. A used Net+ study guide on Amazon should be less than $10. Professor Messer videos are great and free: https://www.youtube.com/user/professormesser

Mike Meyers has about the best all in one Network + book out right now, you can get that from Amazon. You can also check out Mike Meyers' channel on Youtube, he has a lot of Network+ videos: Mike Meyers Network+

Step 2: Start learning some basic Linux. The majority of business computing is done on a unix type platform, this will not change anytime soon.

For Linux, I'd highly recommend "Unix and Linux System Administration Handbook" by Evi Nemeth, et al. The information is presented in a way that is comprehensible to regular people. You can get a used copy of the fourth edition for about $15.00. The second edition got me through my first three jobs back in the day :) Sys Admin Handbook

Step 3: Start looking for helpdesk or tech support jobs. You have to do a year or two there to get some practical experience. If you can use your Community College Career Center to get an internship instead which would line you up for a SOC job then do so.

Step 4: Get the Security+ certification.

Step 5: While in your tech support job try to do every security related task you can.

Step 6: Attend Bsides conferences (very cheap), there is almost certainly one within a couple hours of you.http://www.securitybsides.com/w/page/12194156/FrontPage

Step 7: Join a local hackers group similar to NoVA Hackers or Dallas Hackers.

Step 8: Network with everyone you can at security conferences and in your hackers group.

Step 9: After you get those certs and some technical work experience, apply for every SOC position you can. It might be difficult to move, but you might have to consider moving to a tech hub because that's where the jobs are. Seattle, San Francisco and NYC are all outrageously expensive so consider some up and coming tech cities like Dallas, Raleigh NC, Nashville or Austin. Mastercard's infosec dept. is out of St. Louis now. KPMG has a huge facility in Orlando. Dallas Hackers

Step 10: Take the free online Splunk Fundamentals class while you're waiting.

Step 11: Keep going until you get that SOC analyst job.

Guess what, you're an infosec professional!

That SOC analyst job should pay between $50K and $60K. You'll stay there for a year to eighteen months and get a couple more certifications, then leave for a new job making $75K to $85K. After five years in the tech/cybersecurity industry you should be at $100K+.

The program above is mainly for people that are starting from absolute scratch and using no resources beyond the Internet. If you're actually in some sort of formal program I'd also highly recommend at least one programming class, preferably in python. Being able to automate tasks is an invaluable skill as a SOC analyst and will set you apart from those that can't.

If you really want it, you can do it. Determination is by far the most necessary trait for a successful IT career, way more important than talent, connections, or intelligence (though of course those are all nice).

Based on reading some of your comments it looks like what you are really asking about is "how do I learn security engineering?"

The answer is by reading resources that explicitly teach the concept, because it is a specific discipline that blends software engineering, systems engineering, and computer security theory. It is probably most properly classified as a sub-discipline of systems engineering, so reading about systems engineering in general can be useful as well.

The following do not teach you "how to hack" they teach "how to look at this system/application from a security point of view" which seems to be what you are looking for.

Resources:

• NIST SP 800-160 (read through Appendix F which covers tons of secure design principles -- dense but comprehensive)
  
• Security Engineering by Ross Anderson is a phenomenal book and essentially the Bible of security engineering
  
• The Art of Software Security Assessment is a great book I literally just found a few minutes ago that covers a tremendous amount of information on how to go about conducting application security audits (process to follow, technical key points to look for, threat model analysis, etc)
  
• MIT Computer Security lectures basically an entire semester worth of lectures on how to think about security as an engineer
  
  Both of those books can be bought through Amazon or there are PDFs online. I have the first two and am now buying the last one after reading a bit of the PDF I found.
  
  Be warned, the last two books are very large. The second one would probably cover two semesters worth of material. The last one is nearly 1200 pages across two volumes.
  
  The MIT videos are great.
  
  Regardless of the above, Security+ or equivalent would give you a base level of knowledge from which you could get more out of the above materials. You can get Sec+ study guides online cheap/free, either in book or articles or video lecture form. Cybrary has great free cybersec lecture courses including Sec+.

https://www.amazon.com/gp/product/1337288780/ref=ppx_yo_dt_b_asin_title_o05_s00?ie=UTF8&psc=1

This was the book I used. I originally rented it for a class, but had to change my schedule up so I just decided to keep it and start studying. I would definitely read another though. Or watch Professor Messers videos if I were to study again. I feel like the book I used was really good, but I definitely would have been more prepared had I used another dedicated study material. Had I rented a second book, I would have rented this one
https://www.amazon.com/CompTIA-Security-Guide-Fifth-SY0-501/dp/1260019322/ref=sr_1_5?crid=14IBV4EVTTAYM&keywords=comptia+security%2B&qid=1562432800&s=books&sprefix=comptia%2Cstripbooks%2C171&sr=1-5

I used their COMPTIA IT Essentials book and I thought it was very good. Those would be my personal recommendations for books, because they are what I am familiar with. I think if you can, you should absolutely watch Messer's videos though. They are really amazing.

Unfortunately, most of the university programs lag significantly behind industry. I've interviewed candidates with graduate degrees in cybersecurity that were not aware of most modern techniques used to find persistent adversaries. The good things those programs provide is a broad coverage of information security as a whole.

I saw you mention "finding the vulnerabilities before the bad guys do". Unfortunately, in the real world the code is either unpublished and you're a software security consultant, analyst, or tester, or it is published and you're fixing a hole that the adversary has already discovered. If your interest is in the software security side, I would recommend two books above all others.

The 24 Deadly Sins of Software Security: https://www.amazon.com/Deadly-Sins-Software-Security-Programming/dp/0071626751?_encoding=UTF8&%2AVersion%2A=1&%2Aentries%2A=0

Writing Secure Code: https://www.amazon.com/Writing-Secure-Code-Strategies-Applications/dp/0735617228/ref=sr_1_1?s=books&ie=UTF8&qid=1499038741&sr=1-1&keywords=writing+secure+code

That said, there is also a lot of work in the systems engineering side of the house - along the lines of credential theft and secure enterprise design. If you think this might be interesting to you, I would recommend reading papers such as these:

Microsoft Pass the Hash Whitepaper: https://www.microsoft.com/en-us/download/details.aspx?id=36036

Think Like a Hacker (shameless plug for my book): https://www.amazon.com/Think-Like-Hacker-Sysadmins-Cybersecurity/dp/0692865217/ref=sr_1_sc_1?ie=UTF8&qid=1499038880&sr=8-1-spell

Cybersecurity is typically broken into various subfields, such as reverse engineering, forensics, threat intelligence, and the like - each with its own set of tools and skills. Ultimately, I would recommend attending a decent hacking conference such as DEFCON, DerbyCon, ShmooCon, or the like to get familiar with the field.

+1 to RTMAL11 on the Krebs on Security suggestion. I love reading the blog. Cybersecurity and Cyberwar: What Everyone Needs to Know is also a book I enjoyed. In terms of quick read, I recommend a report on the 2016 threat landscape (needs your info to get the free copy). I also just started reading "The Dark Net" by Jamie Barlett. Good stuff.

I'm not sure how it works to specialize your practice, but you might want to pickup the Tallin Manuals: https://smile.amazon.com/Tallinn-Manual-International-Applicable-Warfare/dp/1107613779/ref=smi_www_rco2_go_smi_g3905707922?_encoding=UTF8&%2AVersion%2A=1&%2Aentries%2A=0&ie=UTF8

You probably don't need industry certifications to successfully practice law with a focus in cyber, but then again idk how practicing law actually works. Might have more success asking in one of the lawerly subreddits.

The got my doctorate in cyber security in 2015. I was focused on system hardening and found this book and loved it. "The Craft of System Security" https://www.amazon.com/dp/0321434838/ref=cm_sw_r_cp_awdb_BpfKzbD3VNX2X

The CISSP is the gold standard for cyber security certifications. To qualify for the full cert, you need 5 years of experience in at least two distinct areas of the field. Otherwise, passing the test grants you "associate" certification.

The guys that I work with (who have 10 years in the field) took a two week bootcamp and then studied nonstop for a month before they took the test- they took a week off of work at the end to do nothing but study. They said it's the most challenging certification they have had to take. in the field.

It is NOT something that you can take a 5 day bootcamp and breeze through with no experience at all. The study guide is more than 1000 pages long.

There are a wealth of places you can get started. But if you're starting out with the goal of passing the CISSP right away with no prior experience, you're going to be drinking out of a firehose of information. Be ready for that.

These are technical committees that have been working in various topic areas for decades. For any of these areas you will find they have a related annual conference (often a journal too) and if you want to know more you can simply read some past papers, or attend the conference.

You will find all the top academics in the world in most of these topic areas are involved with IFIP TC11. For example, at TC11 this year the following people attended (amongst many many others)

Prof Ravi Sandhu (The guy who came up with role-based access control)

Prof Matt Bishop ( https://www.amazon.com/Computer-Security-2nd-Matt-Bishop/dp/0321712331/ref=sr_1_1?crid=L0S40U3N0435&keywords=matt+bishop+computer+security&qid=1569307692&sprefix=matt+bis%2Caps%2C256&sr=8-1 )

Prof Steven Furnell, Prof Gurpreet Dhillon, Prof Johan van Niekerk
These are the people who wrote the ACM / IEEE 's CSEC2017 curriculum. All of them are great to chat to and network with.

Referring to Security+ books. I like the Security+ ExamCram (https://www.amazon.com/CompTIA-Security-SYO-401-Exam-Cram/dp/0789753340/ref=sr_1_7?ie=UTF8&qid=1520956323&sr=8-7&keywords=security%2B+401) a lot better than All in One Comptia Security+ (https://www.amazon.com/CompTIA-Security-Guide-Fourth-SY0-401/dp/0071841245/ref=sr_1_4?ie=UTF8&qid=1520956323&sr=8-4&keywords=security%2B+401)

Cool! That's a good one. Also really thought this was good.

Here is a decently nice set with a clear learning lock (see through).

https://www.amazon.com/dp/B07YH23191/ref=cm_sw_r_cp_api_i_k9i0DbQD1SV7W

Here is a 9 piece test lock setup.

https://www.amazon.com/dp/B07XV2T3BY/ref=cm_sw_r_cp_api_i_6aj0DbY87XS39

This is a tubular picking set.

https://www.amazon.com/dp/B07S8VXR89/ref=cm_sw_r_cp_api_i_cdj0DbD4Y4X27

There are plenty of books and videos online for him to learn from.

The best: https://www.amazon.com/Blue-Team-Handbook-Condensed-Operations/dp/1091493898

If you want detail, I'd start with Sidnie Feit's TCP/IP.

Zero Day Zero Budget.
https://www.amazon.com/Zero-Day-Information-Management-Standards/dp/1097574172/ref=tmm_pap_swatch_0?_encoding=UTF8&q

For $5 I don't think you can go wrong.