Info Security Book: A Beginner’s Guide

TL;DR

For a complete beginner, “Security Engineering” by Ross Anderson is the best all-round book. It’s comprehensive, covers fundamental principles, and isn’t tied to specific tools that quickly become outdated. Supplement it with practical labs in virtual machines (VMs) running under a hypervisor such as VirtualBox.

1. Why “Security Engineering”?

Many information security books focus heavily on hacking techniques or specific certifications. While useful, they often miss the core principles of *why* systems are vulnerable and how to build secure ones from the ground up. Anderson’s book excels at this.

  • Broad Coverage: It covers cryptography, network security, operating system security, human factors, and more.
  • Principles over Tools: The focus is on understanding underlying concepts rather than memorising commands.
  • Real-World Examples: It uses case studies to illustrate vulnerabilities and solutions.

2. Getting Started with “Security Engineering”

  1. Obtain the Book: Any bookseller stocks it; look for the latest edition (currently the 3rd, published 2020). Earlier editions are freely downloadable as PDFs from the author’s University of Cambridge web page, so you can start reading before buying.
  2. Read Systematically: Don’t skip chapters! The concepts build upon each other. Start from the beginning and work your way through.
  3. Take Notes: Security is a complex field. Writing down key ideas will help you retain information.

3. Supplementing with Practical Labs

Reading alone isn’t enough. You need to *do* security to learn it.

  1. Set up a Virtual Machine (VM): Use a hypervisor such as VirtualBox or VMware Workstation Player. A VM gives you an isolated environment for your experiments, so you won’t damage your main computer, but only if its network is isolated too: give a deliberately vulnerable VM a host-only or internal network adapter, never a bridged one, so it cannot reach your LAN or the internet (and nothing on the internet can reach it). Take a snapshot before each experiment so you can roll back.
  2. Install a Vulnerable Operating System: Consider these options:
    • Metasploitable 3: Specifically designed to be vulnerable; excellent for learning penetration testing techniques. It is not a downloadable image: you build it from the rapid7/metasploitable3 repository on GitHub with Vagrant and Packer. If you want a ready-made VM to start with, Metasploitable 2 is distributed as one.
    • OWASP Broken Web Applications Project: A VM image bundling several deliberately insecure web applications for practicing web security skills. It has not been updated in years, which is one more reason to keep it off any real network.
  3. Follow Lab Tutorials: Numerous online resources provide step-by-step labs using these VMs.
    • TryHackMe: Offers guided learning paths and virtual machines with pre-configured challenges.
    • Hack The Box: More advanced, but provides a realistic penetration testing environment.
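Before running anything against a vulnerable VM, confirm that it really is cut off. The script below is an added example, not code from the original post or from any of the projects named above. It runs inside a Linux guest, reads the routing table, and fails if the guest has a default route (a path to the internet or your LAN) or any route outside the lab subnet. It assumes VirtualBox’s default host-only network 192.168.56.0/24 (override LAB_NET_PREFIX otherwise) and that `ip route` is available; the two routing tables at the bottom are constructed for the demonstration, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight isolation check for
# a deliberately vulnerable lab VM. Pass a routing table as text to check it
# offline; with no argument the live output of `ip route` is used.

# Assumption: the lab lives on VirtualBox's default host-only network,
# 192.168.56.0/24. Override with e.g. LAB_NET_PREFIX=10.10.10.
LAB_NET_PREFIX="${LAB_NET_PREFIX:-192.168.56.}"

# check_isolation [ROUTE_TABLE_TEXT]
# Prints one line per problem found. Returns 0 if isolated, 1 otherwise.
check_isolation() {
  routes="${1:-$(ip route 2>/dev/null)}"
  status=0

  # A default route means packets to arbitrary destinations have somewhere
  # to go: bridged and NAT adapters both install one.
  if printf '%s\n' "$routes" | grep -q '^default '; then
    echo "FAIL: default route present (guest can reach beyond the lab network)"
    status=1
  fi

  # Every other destination must sit inside the lab prefix (loopback excepted).
  bad=$(printf '%s\n' "$routes" | grep -v '^default ' \
        | awk -v p="$LAB_NET_PREFIX" \
            'NF && index($1, p) != 1 && index($1, "127.") != 1 { print $1 }')
  if [ -n "$bad" ]; then
    echo "FAIL: routes outside the lab network:" $bad
    status=1
  fi

  [ "$status" -eq 0 ] && echo "OK: only lab-network routes present"
  return "$status"
}

# Constructed routing tables for a stand-alone run (not from a real host).
ISOLATED_ROUTES='192.168.56.0/24 dev eth0 proto kernel scope link src 192.168.56.101'
BRIDGED_ROUTES='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.57'

echo "host-only guest:"; check_isolation "$ISOLATED_ROUTES"
echo "bridged guest:";   check_isolation "$BRIDGED_ROUTES" || true
```

Run it with no arguments inside the guest after attaching the adapter you intend to use. A NAT adapter also installs a default route (it gives the guest outbound internet access), so the check flags it too; that is deliberate, since “isolated” should mean no path out. If you need to pull packages into the guest, attach NAT temporarily and remove it before you start attacking the box.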

4. Other Useful Resources

  • OWASP Top 10: A list of the most critical web application security risks.
  • NIST Cybersecurity Framework: Provides a structured approach to managing cyber security risk.
  • SANS Institute Reading Room: A collection of white papers and articles on various security topics.

5. Basic Command Line Skills

You’ll need some basic command line skills, especially when working with Linux VMs.

  • Navigating the File System: cd (change directory), ls (list files), pwd (print working directory).
  • File Manipulation: cat (display file contents), grep (search for text within a file), less (page through a long file).
  • Networking Tools: ping (check network connectivity), ip addr and ip route (show addresses and routes), ss (display network connections; netstat does the same but is deprecated on modern Linux and often not installed).
    ping -c 4 google.com
  The -c 4 sends four probes and stops; without it Linux ping runs until you press Ctrl-C. Run this from your host, not from an isolated lab VM: there, google.com should be unreachable, and the address to ping is your host’s host-only adapter.
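These commands become useful once they are chained together. As an added example (not code from the original post), the script below runs grep, sed, sort, uniq and awk over a constructed auth.log excerpt to answer the two questions a first pass over an SSH log asks: how many failed logins were there, and from where. The log lines are made up for this example and use documentation address ranges; the function names are the example’s own.

```shell
#!/bin/sh
# Added example (not from the original post): the grep/sort/uniq idiom used
# for first-pass log triage on a Linux VM. The auth.log lines below are
# constructed for this example, not captured from a real system.

# Write the constructed log excerpt to a temporary file and print its path.
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Mar  3 10:01:12 lab sshd[1201]: Failed password for root from 203.0.113.7 port 50112 ssh2
Mar  3 10:01:15 lab sshd[1201]: Failed password for root from 203.0.113.7 port 50114 ssh2
Mar  3 10:01:20 lab sshd[1204]: Accepted publickey for alice from 192.0.2.10 port 41000 ssh2
Mar  3 10:02:01 lab sshd[1210]: Failed password for invalid user admin from 203.0.113.7 port 50120 ssh2
Mar  3 10:02:30 lab sshd[1212]: Failed password for bob from 198.51.100.4 port 39002 ssh2
Mar  3 10:03:00 lab CRON[1220]: pam_unix(cron:session): session opened for user root
EOF
  printf '%s\n' "$f"
}

# How many failed SSH password attempts does the log contain?
count_failed() {
  grep -c 'Failed password' "$1"
}

# Which source addresses produced them, most active first?
# Output: one "<count> <ip>" line per address.
top_failed_sources() {
  grep 'Failed password' "$1" \
    | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Did a given address ever log in successfully? (the usual follow-up question)
# Output: number of "Accepted" lines from that address.
accepted_from() {
  grep 'Accepted ' "$1" | grep -c "from $2 "
}

# Stand-alone run over the constructed excerpt.
log=$(make_sample_log)
echo "failed password attempts: $(count_failed "$log")"
echo "by source address:"
top_failed_sources "$log"
for ip in $(top_failed_sources "$log" | awk '{ print $2 }'); do
  echo "$ip: $(accepted_from "$log" "$ip") successful logins"
done
rm -f "$log"
```

On a real system the same functions work on /var/log/auth.log (Debian/Ubuntu) or the output of `journalctl -u ssh`; the point of the pipeline is that each stage does one thing, so you can stop after any `|` and inspect what the next stage will see.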