A Noob's Guide to Cyber Security

Getting into cloud and cyber security can be intimidating. Both encompass so many IT skills. I know people who have been in the industry for years and still struggle with the breadth and scope of the cloud. For a recent college grad, this presented a huge hurdle. My name is Conner and I am a consultant at Keep Secure. In this post, I am going to take you through the massive world that is cloud and cyber security, how I got started, and how people new to the industry can do the same.

This post comes from the point of view of someone who studied mostly infrastructure. Programming was a component of my course but was not the focus and certainly not as in depth compared to a software engineering or a computer science program. I come from the realm of servers, networking and database administration. So, who is the article written for? Anyone new to IT, a recent graduate or someone who has been in the industry looking to make a move over to cloud or security. Cloud or security professionals who have been in the industry for a while might also get a kick out of the article, thinking back to their struggles and lessons learned.

This article will go through what it was like getting started at Keep Secure, and how I got started learning the ropes. I will detail what I wish I knew going in and what advice I have for others new and interested in this line of work. One more thing to mention before getting started is each link mentioned will be provided at the bottom of this article to aid in your learning.

My IT Background

I remember my first semester at the college, fresh out of high school and excited to see what college had to offer. That excitement was quickly trumped when I sat down in my first class. I remember the professor opening a simple and easy to use text editor (Visual Studio) and starting to type away, asking us to follow along. What he was typing was gibberish to me. After I had finished copying down his code, I sat back in my chair and looked blankly at the screen. “Why am I printing Hello World to the console?” “What does cout and cin mean and what does #include even do?” “What have I gotten myself into?” I thought to myself. I had just written my first program in C++ and to be honest my first program in any language. The confusion was unlike anything I had experienced before. I knew I was in for a journey.

It is always amusing looking back at old assignments. Back then I was just praying the program would compile with no errors. My code was archaic and disorganized (Yes Shamir, I used globals back then too), lacking functions and riddled with what I would come to learn were bad programming practices. Having never programmed before, I had to learn from scratch. I can recall many caffeine-fueled all-nighters trying to learn the ropes of a new language. That time spent paid off with better grades of course, but little did I know those nights would also benefit me professionally later. After I had passed my programming classes, I swore to never touch code in an academic or professional setting again. It is funny how things change.

Why do I tell this story? I think it is important, as it adds some context to this post. I know I am not the only one who really struggled with programming, and coming from a mostly infrastructure background certainly did not help. The industry is changing fast, and it is changing to the point where even infrastructure professionals need to know how to code. Automation is a big concept in cloud and that requires at least the most basic of programming skills. With that being said, I feel this article will benefit even the most seasoned of programmers. Cloud and cyber security are huge, and it can be hard to find good (and reliable) articles on the web. I hope to help create a place where you can get started.

Getting Started

“Why isn’t this working?” “This should be working!!” “PowerShell Sucks!!”. These were some common sayings of mine getting started with Azure. Sean and Shamir had decided Microsoft’s cloud offering would be a good place to start. I know there are some very strong opinions out there about what cloud solution is superior, but I think Azure is an excellent one. I have not had any hands-on experience with AWS or Google, so my opinion may be a little biased. With that aside, I think getting started with Azure is a good way to get into cloud. Microsoft provides some pretty good documentation, and I will provide links to some good resources to get started. The remainder of this post will outline what I wished I knew going in, and what you can do now to get ahead.

STEP 1 | Learn the Concepts

Clicking around the portal or running commands with PowerShell isn’t going to mean much to you if you don’t understand basic cloud concepts. It is so crucial to at least have some understanding of what is going on behind the scenes. Like what is the cloud? What is SaaS, PaaS and IaaS? Having a solid understanding of key concepts of cloud can really help you in the long run. The best way I learned was from watching videos and reading documentation online. This helped build a solid foundation and better positioned me to tackle projects at Keep Secure. Cloud is such an interesting technology, as it encompasses everything in IT. It doesn’t hurt to know databases, networking, servers etc. Although you are not touching the physical hardware, knowing and understanding how all the little pieces fit together will help you. Pick something you are interested in and learn about it. It may not be directly related to cloud, but having a broader understanding of the industry will allow you to make more informed decisions when architecting cloud solutions.

STEP 2 | Learn the Portal

Now that you have the basic concepts down, it is time to start playing with the portal and let me tell you, the portal is massive. Clicking through the portal for 5 minutes will demonstrate the seemingly endless menus. The Azure portal is great for completing simple tasks and learning the ropes of how Azure works. Practicing deploying web apps, virtual machines, databases and so much more will help increase your cloud IQ. You can get started on the Azure website for free with a $200 credit for 12 months. Reading about Azure services is one thing; practicing your skills in your own environment (not your client’s production environment) is the best way to learn. I found studying for the Azure 70-533 exam really helped to solidify my knowledge. “Implementing Microsoft Azure Infrastructure Solutions Exam Ref” is a great book to read and will help you learn the most essential aspects of Azure. It covers more than just the portal and it does a great job of explaining the practical and theory portion of Azure. I recommend taking the test within 3 months of studying. It seems the portal changes daily, which means the content you study today will be outdated tomorrow. Microsoft is constantly innovating, which is a good thing, so keep that in mind when you are planning on writing any Microsoft exam. The portal is great for doing small tasks, like provisioning one or two virtual machines. But what if you need to spin up 20 or 30 or even 100 virtual machines? PowerShell is the answer to all your problems (at least according to Shamir). Which leads me to my next point.

STEP 3 | Learn PowerShell

As someone who was interested in infrastructure, never did I think I would code professionally. The reality of things is coding has become a crucial part of IT. Even if you do not work directly with it, it helps to know and understand basic concepts. PowerShell can make an infrastructure professional’s life much easier by automating tasks and having those tasks run on a schedule. But what is PowerShell? PowerShell is a full-fledged scripting language, and I was very surprised by all you could do with it. Seasoned developers will feel right at home here. So how does a non-programmer get started with PowerShell? I am a learn-by-example kind of guy and websites like the PowerShell Gallery really helped with some good examples. Some of the examples on there can get complex, so to start, check out the Azure PowerShell command reference. This will get you started with the most basic of PowerShell commands and will get you deploying virtual machines, databases, storage accounts and so much more in no time. I challenge people new to PowerShell and Azure to try the following:

  • In the portal, deploy a SQL server, database and a storage account with a blob container (Ensure to deploy your database with the sample AdventureWorks database)
  • Write a PowerShell script that exports the database to the blob storage and import it to a brand-new database

This is where Shamir had me start and I believe this is a good starting point for new Azure PowerShell users. Once your scripts work, start adding error checking, conditional operators, functions, parameters, etc. A fantastic book to learn the ins and outs of PowerShell is “PowerShell In Depth Second Edition.” It does not go into any of the Azure commands, however the skills in this book are crucial to interacting with the Azure objects in PowerShell. The most important tip I can give you is, practice makes perfect. I know it is a cliché, but keep practicing deploying resources. Once you have mastered that, look into getting your PowerShell scripts into Azure automation. Going into more detail will be out of scope for this post, but I will include some resources to go read.
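One possible shape for the export/import script from the challenge above, with the error checking, function and parameters already in place. This is an added example written with the Az module cmdlets, not code from the author or Keep Secure; it assumes you have already signed in with `Connect-AzAccount`, that the SQL server allows access from Azure services, and that the container name, target database name and service tier shown are placeholders you will change.

```powershell
#Requires -Modules Az.Accounts, Az.Sql, Az.Storage
# Added example. Resource names come from the caller; the defaults are placeholders.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $ServerName,
    [Parameter(Mandatory)] [string] $StorageAccountName,
    [string] $ContainerName  = 'bacpacs',
    [string] $SourceDatabase = 'AdventureWorks',
    [string] $TargetDatabase = 'AdventureWorksCopy'
)
$ErrorActionPreference = 'Stop'   # any failing cmdlet aborts the script

function Wait-ImportExport {
    # Poll the import/export service until the request leaves the InProgress state.
    param([Parameter(Mandatory)] $Request, [int] $PollSeconds = 15)
    do {
        Start-Sleep -Seconds $PollSeconds
        $state = Get-AzSqlDatabaseImportExportStatus -OperationStatusLink $Request.OperationStatusLink
        Write-Host "Status: $($state.Status)"
    } while ($state.Status -eq 'InProgress')
    if ($state.Status -ne 'Succeeded') { throw "Operation finished with status '$($state.Status)'" }
}

# Prompt for the SQL admin login instead of hard-coding it; the password stays a SecureString.
$sqlAdmin = Get-Credential -Message 'SQL server administrator login'
# Fetch the storage key at run time so it never lives in the script or in source control.
$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value
$stamp      = Get-Date -Format 'yyyyMMddHHmmss'
# Public-cloud blob endpoint assumed.
$bacpacUri  = "https://${StorageAccountName}.blob.core.windows.net/${ContainerName}/${SourceDatabase}-${stamp}.bacpac"

# Parameters shared by the export and the import, passed by splatting.
$common = @{
    ResourceGroupName          = $ResourceGroupName
    ServerName                 = $ServerName
    StorageKeyType             = 'StorageAccessKey'
    StorageKey                 = $storageKey
    StorageUri                 = $bacpacUri
    AdministratorLogin         = $sqlAdmin.UserName
    AdministratorLoginPassword = $sqlAdmin.Password
}

$export = New-AzSqlDatabaseExport @common -DatabaseName $SourceDatabase
Wait-ImportExport -Request $export

# The import creates the target database; edition and size here are placeholder choices.
$import = New-AzSqlDatabaseImport @common -DatabaseName $TargetDatabase `
    -Edition 'Standard' -ServiceObjectiveName 'S0' -DatabaseMaxSizeBytes 5GB
Wait-ImportExport -Request $import
```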

What About Cyber Security?

There is so much to know in the world of cyber security. I have discussed only cloud and nothing about security and that is for a reason. I have found that the core concepts are important to know first before branching off into a specialization, such as cyber security. Having a good idea of cloud and programming can really help in being an effective cyber security professional. I think being in industry and getting familiar, as well as staying up to date with the latest practices and technologies, can really help you be effective in this area. One of our offerings at Keep Secure is the application security assessment. We use OWASP to guide us in our testing. For those interested in cyber security, OWASP is a great place to start reading. The Open Web Application Security Project (OWASP) is an organization that aims to make software more secure. A quick Google search of OWASP will return lots of results, but let me help you with some key topics and things to try.

  • OWASP Top 10: This document is available for download as a PDF from the link I have provided. I feel this is a good place to start as it takes you through some of the most impactful software security risks. The document is great and even provides links to other sources, so you can read further.
  • Make a Web App: This really helped me to better understand application security. I developed a web app in Node.js, due to its growing popularity. Node is an excellent language to get started with. There are tons of resources online and videos to watch. I tried my best to incorporate security into my software development lifecycle (SDLC). I found this extremely tough, however, when first starting out. This is true for any language, but take my word that implementing security early in the SDLC will save you money and time. The takeaway from implementing security into your app will be so valuable. I challenge you to develop your app to protect from the OWASP top 10 security risks. Take your time and don’t rush through it; make it a side project and make a full web app, complete with logins, change passwords etc. I created a blog site and I think this is a good app to develop for beginners.
  • OWASP JuiceShop: For those who haven’t heard of the JuiceShop, it is an open source project written in Node that is an intentionally vulnerable web application. I found this was a good place to come next after my new-found knowledge of developing in Node. There is a scoreboard that keeps track of all the hacking challenges you have completed. However, the scoreboard is hidden, and it is one of the challenges to find it! The challenges can get tough, so if you find yourself stuck, a good book is Pwning OWASP Juice Shop. It is a fantastic reference and it takes you through how to complete the challenges, but I encourage you to try and solve as many as you can on your own.

There really is a shortage of application security professionals. If you are interested, this is an excellent field to get into. After you have read all the above, I encourage you to look at the OWASP Application Security Verification Standard (ASVS) document and look at some of the tests. Some good tests to start with are in domain 11, “HTTP security configuration.” Mozilla has an awesome article about HTTP and it will really help you get started with pen testing a web application. I will link some good tools to monitor HTTP traffic that you can try.

Wrapping Up

It has been a real journey for me so far. The time has flown by, and I have been enjoying the projects I have been put on so far. My advice to anyone looking to get into the cloud or security space is to do it. Nothing can prepare you for the challenges and learning of these specialties, but getting started with the basics and branching out will make you very successful at whatever you choose. I really hope this article was helpful for anyone new to IT with an interest in cloud or security. I want to thank both Sean and Shamir for being such great mentors and guiding me in the right direction, so I can pass some of this information on to you. The information I have provided will not make you an expert, but it will point you in the right direction. Let’s all work together in creating better awareness and information out there for both of these ever-changing lines of work.


About Conner Schiissler

Conner is a certified Azure administrator and is continually working on enhancing Keep Secure’s DevOps automation features. Conner also has a strong interest in security.
