This article was originally published in the SOC Issue of our PROMPT# zine, which you can read for free HERE. The information was adapted from the 2018 webcast “John Strand’s 5 Year Plan Into InfoSec, Part 2” which is linked to at the end of this blog. Some information or resources may be out of date.

Phase 1

Learn your core operating systems. Build a lab. Get started with a language. Learn basic security fundamentals.

Start your education with the soft skills. Understand the technology: how are these machines used in business? What are people doing with them? You can be as technical as anyone, but if you don’t understand the application of what you’re trying to do and if you can’t SPEAK THE BUSINESS SPEAK, you won’t get far.

Windows: Go to the Windows Evaluation Center. Install software from Microsoft. This is going to be painful. Some things are easy to install, like Active Directory. Some things are very, very difficult to install, like SCCM or Configuration Management. But these are important lessons for you to learn. Set up the things that you will be constantly defending (or constantly attacking) as a security professional.

Linux: Install everything… from scratch. Don’t know how? Visit a search engine. Type your question. Click the button. Don’t give up just because it’s hard. Security isn’t about taking the easy route — it’s about constantly learning, even under exceptionally difficult circumstances. The only way to get good is by struggling. If you need to, remove your easy way out and uninstall Windows. Also, learn Bash scripting (there are other shells, but Bash is the one you’re gonna end up using more than not).

Networking: Set up a network lab. First, get your stuff at home up-and-running and make sure you KNOW what it is doing. Then, get some simulators (https://www. brianlinkletter.com/open-source-network-simulators/). Get some gear. You can buy old equipment for cheap on eBay. Take it apart. Find out how it works. Buy two or three of things… you’re gonna end up breaking a few.

Coding: Learn to code. Python is the best place to start (though other languages are important to learn). Study online. Code Academy, Code Warrior, and Pluralsight are all great resources, among many others.

Security Standards: Learn the 18 CIS Critical Security Controls. Knowing these is a big plus in your resume. It’s strategic and high-level. Learn it.

Phase 2

Time to start projects! (You may have already… that’s fine!)

Move from being a consumer, to a creator.

You should:

• Start a security group (working on a team is an important experience)
  • At work
  • At school
• Learn PowerShell (…this will take a while)
• Keep up-to-date on security news
• Eliminate distractions that are holding you back

Phase 3

This is the time of web apps — you’ll have to know these.

Start with PHP and ASP.NET (don’t get distracted by anything else yet.

Feel free to branch out to networked iOS and Android apps.

Learn to code (badly).

DEVELOP SOMETHING.

Dare to suck at something. Embrace the suck. It’s okay.

John Strand

Phase 4

Time to start hacking stuff!

Learn IDA and Immunity Debugger.

Pick a protocol and understand that protocol.

Hit online challenges.

(You’ve already been playing with Metasploit this whole time, right?)

Download ZAP from OWASP.

Use and learn ALL this:

• Windows ATT&CK for Enterprise Matrix
• SANS Ultimate Pentest Poster

Phase 5

PRESENT!

Give talks everywhere and anywhere.

Present on things you JUST learned!

Take advantage of cons/events/webcasts as a speaker and…

PUT. YOURSELF. OUT. THERE.

In Closing…

Feel free to:

• Indulge in distractions
• Stick to this plan
• Ignore this plan
• Develop your own plan
• Get good at just one thing
• Get a degree
• Don’t get a degree
• Get certifications
• Don’t get certified

Do NOT do the following:

• Sink into video games
• Waste your time figuring out the cube
• Binge watch shows on Netflix
• Use Bing for anything
• Just barely learn Metasploit to impress people
• Spend more time on the hacker “look” than learning
• Get angry
• Blame others

Check out the full video of John talking about his plan here:

Read more in our “Infosec for Beginners” blog series:

• How to Get a Job in Cybersecurity
• John Strand’s 5 Phase Plan For Starting in Computer Security
• From High School to Cyber Ninja—For Free (Almost)!
• Blue Team, Red Team, and Purple Team: An Overview
• Pentesting, Threat Hunting, and SOC: An Overview
• What Is Penetration Testing?
• How to Perform and Combat Social Engineering
• The Human Element in Cybersecurity: Understanding Trust and Social Engineering 
• Build a Home Lab: Equipment, Tools, and Tips
• Questions From a Beginner Threat Hunter
• Shenetworks Recommends: 9 Must Watch BHIS YouTube Videos
• Mental Health – An Infosec Challenge