The Basics of Web Hacking: Tools and Techniques to Attack the Web (2013)
Chapter 8. Next Steps
Chapter Rundown:
■ Joining the hacking community: groups and events
■ College for hackers: what universities can offer you
■ What certificates are worth your time and money?
■ Top-notch security books to add to your collection
Introduction
There are several different areas of security that you can move into from beginning web hacking. There is much deeper technical material dedicated to web hacking in addition to all the other specific areas of security such as network hacking, software exploitation, network defense, secure coding, digital forensics, the art of penetration testing and red teaming, and many others.
There are also security community groups and events that are a great resource for those of you interested in continuing to grow your security knowledge and skills. You may also be interested in furthering your formal education in the information security field. If that's an interest of yours, there is a long list of community colleges, technical colleges, and universities that provide information security degrees at all levels; from a 2-year degree all the way through a doctoral degree.
You may also be interested in obtaining security certificates to further separate yourself from your peers. Lastly, there are countless additional books that are great avenues to explore next as you continue down the hacking road.
Security Community Groups and Events
There are countless security events around the world that you can take part in with more being added all the time. Some are very well known, such as Black Hat and DEFCON, while other newcomers are starting to really gain traction in the security community such as DerbyCon and the B-Sides series. While not a complete list, here are some of the most popular and well-respected events in the security community that you should try to attend at some point:
■ Security Week in Las Vegas is an annual pilgrimage of those interested in security to attend three of the most popular conferences in the world. There are not only talks, but also training workshops, contests, and villages that offer specialized content such as hardware hacking, lock picking, and social engineering in addition to the traditional areas of hacking that you are familiar with. Outside of the formal agenda of the conferences, there are tons of opportunities to meet the great folks in the security industry and grow your network of friends, associates, mentors, and other like-minded people! It's truly an experience that everybody interested in security should attend at least once in his or her life. More information on Black Hat, DEFCON, and B-Sides Las Vegas is available at the following websites and by following them on Twitter. Black Hat USA (https://www.blackhat.com/ | @BlackHatEvents), DEFCON (http://defcon.org/ | @_defcon_), and B-Sides Las Vegas (http://bsideslv.com/ | @bsideslv).
■ DerbyCon is a new conference that has experienced explosive growth since its inception in 2011. It offers talks and trainings that require a very competitive registration fee ($150 for talks and $1000 for trainings for DerbyCon 3 in 2013) compared to the larger information security conferences. It's held in the fall of every year in Louisville, KY. More information can be found at https://www.derbycon.com/ | @DerbyCon.
■ ShmooCon is an annual hacker convention held in Washington, DC usually in January or February that offers 2 days of talks at a very affordable price. ShmooCon always sells out and space is limited, so you're encouraged to act quickly if you'd like to attend. They pride the event on an atmosphere for demonstrating technology exploitation, inventive software and hardware solutions, and open discussions of critical information security issues. (http://www.shmoocon.org/ | @shmoocon)
■ DakotaCon is an annual springtime security conference held on the campus of Dakota State University in Madison, SD that offers 1 day of free talks on Friday from some of the top security professionals in the world. The weekend is filled with hands-on trainings from the speakers at deeply discounted prices for the participants. (http://dakotacon.org/ | @DakotaCon)
■ AppSecUSA is OWASP's annual convention that includes talks, trainings, and competitions specific to web application security. This is a roving convention that always picks great locations and is held in the fall of the year. (https://www.owasp.org/index.php/Category:OWASP_AppSec_Conference | @AppSecUSA)
■ Security B-Sides events are held around the world during the year. You're strongly encouraged to check out the full schedule and get involved! The B-Sides group is always looking for good help from honest folks that want to assist putting the conferences together. And as an added bonus, B-Sides events are free and are offered at several locations and dates around the world! (http://www.securitybsides.org/ | @SecurityBSides)
■ And tons of other conferences that are just a web search away! There is even a Google Calendar named Information Security Conferences and a @HackerCons Twitter account that has many more great events that you can attend.
Regional and local security groups continue to gain momentum as more people become interested in both the offensive and defensive aspects of security. If you can't make it to some of the national events, spending time with your local groups is a great investment of your time and effort. There are several national groups that have local chapters that are well worth checking out.
■ FBI's Infragard, which is a partnership between the Federal Bureau of Investigation and the private sector, is an association of businesses, academic institutions, state and local law enforcement agencies dedicated to sharing information, and intelligence to prevent hostile acts against the United States' critical infrastructures. If that's too heavy for you, Infragard is also a great place to network with regional professionals that share a security interest. (http://www.infragard.net/)
■ DEFCON Groups, which are usually broken out by area code, are the official groups associated with the larger national conference. Group projects, schedules, and emphasis areas differ from one group to the next, but DEFCON groups are some of the most active memberships in the security community. There is usually a meet-up at the national conference. (https://www.defcon.org/html/defcon-groups/dc-groups-index.html)
■ OWASP Chapters, which are the local and regional chapters of the Open Web Application Security Project, are one of the best groups dedicated to web security. These groups are always looking for participants to attend and present at meetings. (https://www.owasp.org/index.php/Category:OWASP_Chapter)
■ There are also countless other associations and groups, such as the ISSA, ISACA, ASIS, and the 2600 groups that have groups in most major cities.
■ Hackerspaces, which are community-operated physical places where people can meet and work on their projects, have long been a staple of the security community. (http://hackerspaces.org/)
There are also a large variety of in-person and online training workshops available in every area of security. Depending on which venue and course you select, the cost of the training courses can be prohibitive for some would-be participants. However, they are great classes and you will surely learn a great deal by enrolling in them. Black Hat (http://www.blackhat.com) and SANS Information Security & Research (http://www.sans.org) are industry leaders in providing large offerings of security workshops, so check out their sites for upcoming events. If you are looking for perhaps the most technically challenging training available for using the entire BackTrack distribution, look into the trainings provided by the team at Offensive Security (http://www.offensive-security.com/information-security-training/) where they offer both in-person and online workshops that are highly regarded in the security community. Most training workshops span 2-5 days depending on the venue and the topic, so be prepared for a very intense experience that will push you to learn even more! There is also a vast array of online videos and tutorials that are simple Google search away. One collection that includes many different topics from multiple presenters is housed at http://www.securitytube.net.
Formal Education
There are several options if you'd like to earn any level of college degree in information security; there are associate's degrees, bachelor's degrees, master's degree, and doctoral degrees. There are both in-person and online delivery options so you don't have to necessarily move or quit your existing job to obtain your degree. The Department of Homeland Security (DHS) and the National Security Agency (NSA) have identified 170 + higher education institutions that offer applicable security coursework as Centers of Academic Excellence in Information Assurance Education (CAE-IAE) and many have dedicated degree programs to security. A listing of these schools, along with links to available academic programs, is available athttp://www.nsa.gov/ia/academic_outreach/nat_cae/institutions.shtml.
The NSA has also created a designation for Centers of Academic Excellence in Cyber Operations (CAE-CO) that provides the most technical skills to complete advanced security tasks. These programs have a heavy influence from computer science and, depending on your career goals, may be a great fit for you. More information on the CAE-CO is available at http://www.nsa.gov/academia/ nat_cae_cyber_ops/nat_cae_co_centers.shtml.
Certifications
There is a great debate in the security community on the true value of certificates. (Actually, the same arguments made for and against certifications can be made for and against formal education!) Some people view them as nothing more than being able to memorize test questions, while others hold them in high regard as an indicator of your security knowledge. Some certifications are multiple-choice questions, but others are very practical and hands-on and give a true indicator of a participant's technical security knowledge and ability. There is no harm in earning certifications and some professional positions require (or at least strong encourage) you to have certifications. Regardless of your personal feeling on certifications, here are some of the best in the security industry.
■ The Offensive Security team has a series of highly respected hands-on certifications including Offensive Security Certified Professional certification (OSCP), Offensive Security Wireless Professional (OSWP), Offensive Security Certified Expert (OSCE), and Offensive Security Web Expert (OSWE). More information on these is available at http://www.offensive-security.com/information-security-certifications/.
■ Global Information Assurance Certification (GIAC) offers many certifications, but perhaps the most applicable to technical security is their Security Essentials (GSEC). It's best for IT professionals who have hands-on roles with respect to security tasks. Candidates are required to demonstrate an understanding of information security beyond simple terminology and concepts. More information on the GSEC is available at http://www.giac.org/certification/security-essentials-gsec.
■ The International Information Systems Security Certification Consortium (ISC)2 offers the Certified Information Systems Security Professional (CISSP), which is one of the most well-known certifications available today. You must have five or more years in the security field before attempting to earn the full CISSP certificate. More information on CISSP, and all of other certifications available at (ISC)2, is available at https://www.isc2.org/cissp/default.aspx.
■ The Security + certification from CompTIA is usually one of the first certifications that participants new to the security industry earn. It's often strongly encouraged for placement in the U.S. Federal Government for entry-level security jobs as it provides a strong foundation of security topics. More information on Security + is available at http://certification.comptia.org/get Certified/certifications/security.aspx.
Additional Books
There is no shortage of great security books that you can transition to after completing The Basics of Web Hacking. And, although not officially a book, the OWASP Testing Guide is a great publication for everybody interested in web applications security and can be downloaded (or purchased as a hard copy) at https://www.owasp.org/index.php/OWASP_Testing_Project. In no particular order, here are some other books that you are especially encouraged to look into.
■ The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto
■ The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy (2nd Edition) by Patrick Engebretson
■ Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski
■ Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni
■ Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski and Andrew Honig
■ Gray Hat Hacking The Ethical Hackers Handbook by Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams
■ Fuzzing for Software Security Testing and Quality Assurance by Ari Takanen, Jared DeMott, and Charlie Miller