This post has been on my mind for a while now, but the length and laziness to search my archives and bookmarks has deterred its publication, but alas! it is here now. Since 2014, I have encountered lots of materials here and there that I keep track of and frequent to update my knowledge. This list of resources also includes twitter accounts, but I have excluded that category from this post. There are various sub-domains in cyber security. Hopefully, this post can give you a place to start in the your field of interest. This is a non exhaustive list.

Early 2017, I did a seminar with an old friend on the topic. At that time, I was trying to get students to enroll in my new club on Computer and Network Security. Unfortunately the club was terminated after I graduated in 2018 but it may be resurrected soon (hopefully). I cringe every time I see a snippet of that video. I don’t know why I kept smiling the whole time, but that’s story for a different day. I never watched the full video so I may have said some b.s but oh well..

In the same year, I was privileged to be teaching assistant for CSCD27H3 - Computer and Network Security under Prof. Thierry Sans. At the end of the course, I made a final post for the students in case any one wanted to continue their studies in the field. The content of the original post will be in the Appendix section.

This post is an updated take on the original, links have been updated and newer or more useful materials have been added. These are marked as [UPDATE] and [NEW] respectively. The marker [NU] means No updates at this time. Most likely reason being I haven’t done much in this domain since the original post. Another reason could be the materials from the original post are still authority in the field. Feel free to suggest

DISCLAIMER:

As much as I try to stay in loop with most of the aspects of Computer and Information Security, I have a strong bias from certain sub-domains. You can expect that my knowledge on materials and resources will be skewed in favor of these areas. If you have a resource that you can vouch for, mention in the comments and I’ll add it to the list and credit your mention.

Also, I have not visited or used every resource there is, so if something is missing from this list, it does not in any way imply that the material is subpar. I’ve just not looked into it. Also, I do not rate content. If I have used a resource and it was beneficial to me in any way (or recommended from the comments) it will be on this list.

Appendix

Hi Mallories,

This post is in response to

Hopefully, for most of you, this course has sparked an interest in Computer and Network Security! and now for those of you interested in pursuing this interest, it’s never too late to start. Security hasn’t been the most publicly available knowledge but that has changed in the recent years given the rise in breaches and the shortage of grey hats.

I’ll attempt to provide a list of resources related to the topics covered in this course and more so you can explore your curiosity! You’ll learn by doing so I’ll provide books and challenge sites. This is a non exhaustive list and the list is unordered.

Combining it all together:

  • Penetration Testing
    • Hack the box:
      Site:
      https://www.hackthebox.eu/About: You’re required to hack the invite process before you can register. The platform has a variety of Windows and Linux servers available for compromise over VPN.
      Hackers are ranked by number of system accounts hacked (NT\AUTHORITY and root) and regular user accounts. You start as n00b. This hacker rank also comes with some perks. There are also job postings and you can only apply to jobs whose hacker rank requirement includes your rank.

      Access to servers is completely free but while attacking a server you may get kicked out or the server may be reset by another hacker if you don’t cancel the reset request in time. I usually have to wait for off hours to work.
      There’s also an in house community. Allowing you to chat with other hackers in case you’re stuck. Your questions have to be smart though, no one would give you the direct answer. If you think Prof. Thierry’s answers were usually indirect, you haven’t met these folks. This is why people there know everyone has earned their stripes. That being said, in this field, talking to someone is better than Google.

      There’s also regular challenges on forensics, crypto, exploitation etc. You also cannot find writeups online because that will ruin the fun. My handle on this platform is n33trix. I haven’t been active since May but I’ll probably spend my holiday on here. If you stop by, hit me up :-)

    • Pentestit Labs
      Site:
      https://lab.pentestit.ru/
      About:Registration is free. The platform simulates a cooporate environment and runs for about six months before a new simulation is up. Hacker progress are also publicly announced on their site and twitter. Since the lab simulates a cooperate environment, there is a sense of accomplishment when you own the Admin servers/boxes.

      You start as an external attacker over VPN. Starting from the external gateway (the only box you initially have access to) you are required to make it into the Admin network, owning as many machines as possible. This is a sample network map. Connectivity is more stable. There’s community as well and same applies for the community mentioned above. Hacker’s aren’t ranked. Write-ups are posted about 3 months in.

  • Malware Design and Analysis
    • Malware DesignNot many books or resources on the design of malware (how to make/write). However, there’s this (possibly dated book) does a good job. You’ll need to brush up on your assembly skills and knowledge of OS to read this book. Good thing is, if you can analyze Malware, then you can find the recipe to how they work :-). I also haven’t researched a lot on this so there may be some resources i’m not aware of. Be curios but that land in the wrong place.
    • Malware Analysis
      Shout out to all the reverse engineers reading binaries on a daily, much respect. Reverse Engineering is not for the faint of heart, so you’ll need to be good with that first. After which, you can explore, the following from OpenSecurityTraining. These courses might have pre-reqs, I find it’s better to complete the pre-req courses first.

      1. Malware Dynamic Analysis

      2. Reverse Engineering Malware

      3. RPISEC on Malware

      Books:

      1. Practical Malware Analysis

  • Bug bounty
    • Introduction to bug bountyThis is a new step to better security. Essentially, companies release their software or service for hacking and the successful hacker gets rewarded. You will need to report the bug to the company and probably work with them to fix it. Hacker’s are registered, no fowl play. This book will enlighten you further. HackerOne and BugCrowd are example bounty platform. Companies like Google also have standalone bounty programs.
  • CTFs

    After you have trained like a pro, go out there and join a team! All of this is to much work for one person, find a niche you love the most, specialize in it and play CTF games for fun and profit. For more about CTFs, read this and check out CTFtime.org to join a team and play

Best of luck!