2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I have been involved in information security since 2013, when I led a team in the Information Security Management and Evaluation Skills Competition of Higher Vocational Education. I visited the Information Security Center of Beijing University of Posts and Telecommunications in 2015, returned to school after my visit in the second half of 2016, and began to concentrate on leading teams in various competitions. Since 2018 I have been taking part in CTF competitions. This article is aimed mainly at students who are interested in learning information security technology, and offers some of my views and suggestions.
In today's era, information technology is profoundly changing the whole of human society. Within information technology, I think the most important development directions are artificial intelligence, big data, cloud computing, the Internet of Things, and information security. At the national level, these are core industries vigorously advocated and promoted by the state; at the level of university enrollment, they are the hottest green card majors of recent years. In the employment salary survey reports released by Max for 2017 and 2018 college graduates, the information security major ranked first for two years in a row.
This is also confirmed by my previous graduates. Most of them work in Beijing and earn more than 10K a month. Therefore, there is no doubt that studying information security offers broad employment prospects and high salaries.
But we can actually think about it a little bit more. Why do information security majors get the highest pay? Of course, this is because there is a shortage of talents in this field. Then why is there a shortage of talent? I think the main reason is that it is very difficult to learn information security technology and involves a wide range of knowledge, so it is really not easy to learn information security well.
Abilities needed to learn information security
As an instructor who leads teams in competitions all year round, my biggest headache at present is how to select excellent players. I do a lot of publicity when freshmen enroll every year, and many students want to join our team. For example, nearly 2019 students have been recruited in this year's Class of 2019. However, most of these students will be eliminated in the end, because in a team quality matters more than quantity.
For these new students, first of all, I have put forward three requirements, that is, to have three abilities:
Self-study ability
Self-control ability
Coding ability
I will not elaborate on these three abilities. In short, you can examine yourself in your heart. If you do not have these three abilities, don't waste your time on this.
For students who are confident they have these abilities, I arrange an entry-level learning path, which is divided into three levels:
The first level, Linux
Linux is extremely important now. If you can't use Linux, you can't learn information security, nor artificial intelligence, big data, cloud computing, the Internet of Things and so on. Linux is a necessary foundation for further study in all of these areas. But the learning curve of Linux is very steep, especially for beginners, because a large number of commands have to be memorized at the start. So I put Linux at the first entry level: if you can't pass this level, stop as soon as possible and find another learning direction that suits you. But if you can get through it, then even if you end up stuck at a later level and can't continue with information security, you have still added a very important skill, and it will be easier to learn areas such as artificial intelligence in the future.
In addition, Linux is not so difficult to learn. There are only about 50 regular commands that must be mastered. At the entry stage we do not need to study in depth; it is enough to master some basic knowledge. Specifically, I have prepared more than 50 courses (each lasting more than 10 minutes). As long as you finish these courses and pass the examination, you pass the first entry level, Linux. These courses are:
Understand and install the Linux system (lecture 17):
https://edu.51cto.com/sd/64978
Linux file and directory management (lecture 29):
https://edu.51cto.com/sd/8b646
Linux user and Rights Management (the first 15 lectures):
https://edu.51cto.com/sd/36ff3
At the end of this level, I will also combine Kali and Metasploit to introduce some more basic buffer overflow vulnerabilities. In short, the core of this level is whether you can remember and flexibly use the common commands of Linux.
The second level, Python
All students who have participated in a CTF competition know that if you do not know Python, it is hard to make any progress in the competition, but if you master Python, it is like giving a tiger wings.
Of course, the essence of Python is its rich and varied libraries, but I think it is equally important to master Python's core syntax, the common functions and methods for handling objects such as lists and strings, and the various comprehensions and exception handling that are Python's signature features. Python is elegant, simple, and clear; in the process of learning it, I often marvel at how much can be achieved in just one line of code. In addition, Python is so popular at the moment that, as with Linux, mastering it will be very helpful for learning other fields even if you can't learn security in the end.
There are many online Python tutorials; as a beginner, be careful not to choose the wrong course. Some Python courses are aimed at artificial intelligence and some at big data, and although they are all Python, the content is very different. The Python we want to learn is, of course, aimed at information security. My idea is to teach the basics of Python through material from information encoding and classical cryptography. Specifically, there are more than 50 courses, of which the first set has been released and the second set is being recorded and edited:
Python basic Grammar (16 lectures)
https://edu.51cto.com/sd/53aa7
The third level, Web security
Information security covers so many areas that if I were asked to pick the most important one, it would without doubt be Web security for now (and, of course, binary and reverse engineering later).
Among the job openings in information security, the most common category is penetration test engineer, which is the typical Web security direction, and the typical requirements of this position:
Of course, at the entry stage it is neither necessary nor possible for us to master so much content. You only need to be able to master basic SQL injection.
First, you need to be able to perform manual injection against PHP+MySQL.
Second, you should be able to use the sqlmap tool for injection.
Finally, you should be able to defend against PHP injection from the perspective of SQL code audit.
The main courses to be learned in this level are:
Getting started with Web Security, https://edu.51cto.com/sd/45eb5
PHP code audit (this course has been taken off the shelves for reasons of force majeure. I will adjust the content and re-record the new course later).
If you can finally pass these three hurdles, you can formally join our security team, and you have the basic qualities needed to study information security further. As for how to continue, you can choose a main direction that suits your personal interests.
As for learning methods, I think there are two main ways:
1. SRC vulnerability hunting (hands-on)
SRC, that is, a vulnerability response platform. This style of learning is the practical one: you look for vulnerabilities in websites on the Internet, then write a detailed report and submit it to the SRC platform, so that you not only improve your skills but can also earn rewards. But I do not recommend that college students learn this way, because the line between hacker and white hat is very thin, and if you accidentally cross the red line of the law, the loss will outweigh the gain.
2. CTF competition (theoretical)
CTF, that is, Capture the Flag, is the most popular form of competition in the field of information security, and I think it is the most suitable way for college students to learn. This way of learning consists mainly of doing exercises, but the competition topics involve almost every area of computing, so taking part in CTF competitions can greatly broaden your knowledge.
So far, I have released three sets of introductory courses for the CTF competition:
HTTP protocol, https://edu.51cto.com/sd/0ad83
Character encoding, https://edu.51cto.com/sd/53206
PHP function vulnerability, https://edu.51cto.com/sd/74a09
Of course, CTF competitions are very difficult, especially for higher vocational students; if they want to get good results in major national competitions, the probability is almost zero. But the competition is only a way to drive our learning, and the result comes second. In addition, opportunities always go to those who are prepared. As long as you have the ability, you may be able to seize the opportunity at any time.
The above is my personal point of view; different views are welcome, and I am happy to discuss them with you.