It’s been a while since we’ve discussed beginning the cyber/IT journey here. I suspect some has changed in the last few years, but likely not the fundamentals.
If you were guiding a just-graduated high school student with an interest in tech and cybersecurity, where would you have them focus their learning efforts?
House Rules: Let’s take the “AI” topic as understood in this conversation. I don’t think going down that particular path is productive here. Let’s focus on areas of study beyond that tool.
I’m going to hand wave the definition of “foundational knowledge” away here, but I would encourage foundational knowledge in the following areas and probably close to this order:
1. Networking
2. Windows OS
3. Python
4. Powershell + Bash (optional)
5. Entry-level “boxes” (HTB, TryHackMe, etc)
Once that is done I would recommend building a homelab to reinforce those aforementioned skills and set up the groundwork for expanding to new skills.
I personally find it a little easier to frame understanding blue team work when you have done a few hacking exercises yourself too. Even if your goal is to be a SOC analyst I think step 5 is mandatory.
Bash/MacOS/Linux or whatever is eventually mandatory learning but I think most students can kick that can pretty far down the road before it is necessary.
What I mean by that for folks just coming into the space is to think of how to secure their systems from start to finish.
Upfront you have things like defining the problem you want to solve, vendor/product vetting and selection, custom coding, scanning, reviewing, building, deploying, testing. Each of these steps has multiple layers of mastery associated with it.
Defining problems
Business problem solving basics, speaking business talk for projects and approvals is essential
Defining it with information and data. By defining the types of information needing to be processed, you can better define how they should be protected and where the gaps are (especially if you are using a framework like CSF)
Vendor/Product selection and vetting
Using the same standards, judging your options in terms of cost, benefits to the company, and benefits to the security, what trade-offs need to happen
It also starts getting you familiar with the various products out there that claim things
Vetting is how they prove they can do what they say they do, the assurance through things like certifications.
Risk management, what can you accept, what is unacceptable, how can you mitigate risk?
Custom coding
Sometimes it is in house, and you have to do it yourself
Familiarity with computer science concepts, variables, memory, OSes, networks
Picking the language and libraries for the job (by the way did you review and vet the programming language and the libraries you are considering?)
Scanning
Using automation to help you identify vulnerabilities (SAST/DAST/etc)
Understanding that you can’t do everything yourself and you will need to rely on tools
Reviewing
Reading code to understand what it is doing (look at some vulnerable commits in supply chain compromises for how obfuscated these attacks can be)
Look at the scan artifacts
Building
Building the code, more programming concepts
Building the systems the code will run on
Networking
Sysadmin tasks
Deploying
It works on my computer but not others, more automation
Infrastructure as code
Upgrades (from those pesky vulnerabilities that keep popping up)
Testing
User testing - can the business people actually use this solution
Information assurance testing - did it solve the problems outlined and can you prove it
Can do the offensive tasks here like web app pentest
All of this while looking at it through the lens of what is happening to the information, how is the information being protected, how is it not being protected, how can you ensure it is protected in the ways it claims.
This is missing some important steps like the design and architecture, I think these are the next level after the initial getting started hump.
Agreed, I’ve seen so many people get caught up in a specific technical vertical slice, then bomb an interview because of missing the other things.
I really like the CISSP as a “foundational” body of knowledge (and garbage as classifying someone as advanced through experience), that is then applied and can get specialized certificates (even auditor and GRC). I really appreciated the defining nature of the body of knowledge (please don’t rush through it if you are fresh to cyber/IT!). You get the words that you can then use to form cohesive states to the other people in the business.
I don’t really have any new information to add that HGB and rbrins didn’t already say, so I think I’ll just share what I think some of the current best resources are out there, biased towards my interests since it’d be extremely long for me to find stuff for every specific niche:
For the CompTIA-style content (vocabulary is good to know), Professor Messer still holds up
Once you know some computing basics, literally this Discourse that we are in and the courses plus the Homelab Almanac
HTB Academy on a student plan ($8/mo) is probably one of the most valuable resources you can go through. Even without a paid subscription, the tier 0 modules have some good foundational knowledge in them as well.
PortSwigger Academy has great free labs and material on web application security
Antisyphon Training’s pay what you can live offerings, at least the ones I’ve done, are very good for any security professional
hextree.io’s Android content is the best free mobile course out there right now
Some of the many YouTube channels out there (warning: some of these have more AI stuff as time goes on but the older content is evergreen)
LaurieWired - not all security related but more computer science knowledge never hurts
Looks like teachyourselfinfosec[.]com is no longer maintained, which is unfortunate. Hyperlink goes to the internet archive of what that page used to be.
While I don’t think this is a bad approach, personally I would have been turned off by it if it’s how I was introduced to IT security straight out of high school.
Personally I didn’t have much education on IT just out of high school. I just feel like this broad overview (while probably a good umbrella of topics to keep in mind) is skipping a lot of the basics and fundamentals someone out of high school should be familiarized with first, namely basic programming, networking, hardware, etc. That’s just my two cents though, since everything you listed here would have been way over my head and mostly incomprehensible before a couple of years into my CS degree.
Not in a gatekeeping way by any means, just I wouldn’t want folks to think you can take a 6 week bootcamp and be ready to take on experienced nation-state actors who have been learning for 2 years straight followed by 8 years on the job.
I did make a pretty big assumption that if you are in the getting-started, web-searching phase of the journey, you have a few connected dots somewhere.
I do stand by learning the business management and business side of IT/security first. Business project management basics should be fairly easy to pick up even for a fresh high school student. Then moving into the GRC space for reviewing should be slightly harder while getting more security terms down. From here you can jump around a bit; especially if you are using things you have downloaded and not programmed yourself, you can get by with going to the Building phase first and then some scanning and review.