| ^^ A lot of security is kinda boring. Pentesters lament the writing of reports. Infrastructure security folks frequently end up working on operational problems more than security problems. Corporate security deals with phishing, account/permission management, and auditing what people do on their computers. Product security folks frequently respond to bug reports or have to walk engineers through how to rethink their goal or set up alerts on smelly code patterns and then teach the engineers how to correct them. If you just want to explore the technical side of security devoid of business responsibilities, then CTFs are pretty great introduction: https://ctftime.org/ You can think of them as series of technical puzzles. After competitions are done, many teams will do a detailed write up so you can look at what techniques and tools they use. An above average college student at a good college might be able to do 1-3 problems per competition, so if you find them hard, you are in very good company. picoCTF (https://picoctf.org/) put on by CMU, is probably the best one to start with. IIRC it's aimed at high school students and is much easier than most, so it is a great intro to CTFs and the "hacking" side of security in general. CTFs are kind of learning about the security primitive of "exploit" as well as the following step which is "shellcode." Corporate security is a lot more network, scanning, patching, and auditing focused. Learning/playing with metasploit and thinking about how to defend a machine someone hands you from it is probably where learning starts to get quite practical. owasp is also good stuff: https://owasp.org/www-project-top-ten/ |