Why Cyber Security is Hard to Learn (Tips For Success!) - YouTube
Channel: Cyberspatial
[3]
Cybersecurity is really hard to learn.
[5]
It’s not just broad and deep,
[6]
but also consists of many other fields
[8]
in technology and computing.
[10]
I get a lot of questions asking
[12]
what course to take
[13]
for learning cybersecurity,
[14]
which is kind of tough to answer
[15]
because the real answer is:
[17]
there is no course,
[18]
just a journey.
[19]
And everybody you ask
[20]
is going to give you
[21]
a different answer,
[22]
since each of their journeys
[23]
are all different as well.
[24]
It’s almost like asking
[26]
several UFC fighters
[27]
on how to fight.
[28]
Everybody’s going to give you
[29]
a different recommendation,
[31]
depending on where they came from.
[33]
Which is why in this video
[34]
we’re going to go over
[35]
why cybersecurity is so hard,
[37]
three different learning approaches
[38]
you can use to overcome this challenge,
[40]
and the overall mindset
[42]
you need to maintain to be successful
[43]
on your own journey.
[45]
So the biggest reason cybersecurity
[47]
is hard to learn is because
[49]
it consists of many different fields,
[51]
each with their own unique stack of skills.
[54]
Every component within each skill stack
[56]
could be a concept, tool,
[58]
or even an entirely new field.
[60]
Take networking for example,
[61]
a few components that come to mind
[63]
might be IPTables,
[64]
which let you set packet
[65]
filtering rules in Linux,
[67]
PCAPs, or packet captures, which are
[69]
static snapshots of data in motion,
[72]
TCP, or transmission control protocol,
[75]
which segments data into conversations
[77]
between devices.
[79]
BGP, or border gateway protocol,
[81]
which governs the routes between
[82]
autonomous systems on the Internet.
[85]
Or switches, which connect
[87]
physical devices together through cables
[89]
and relay ethernet frames between them.
[92]
Now that’s a lot of different things,
[93]
but they’re really just a few examples
[95]
of many different concepts that fall
[97]
under networking,
[98]
and the list could go on and on.
[100]
Each of these components
[101]
that I’ve mentioned can themselves
[103]
be broken down into smaller
[105]
bundles of knowledge, rinse and repeat.
[108]
This idea of skill stacks can apply
[110]
to all the different subfields
[111]
in the cybersecurity world too,
[113]
some of which you see here.
[115]
What makes things complicated even further
[117]
is that all the stacks
[119]
are also interrelated to one another,
[121]
kind of like a skill network.
[123]
So to learn something
[124]
that’s more high level,
[125]
like penetration testing,
[126]
you might have to master a network of
[128]
skill stacks before having a solid enough
[131]
baseline to really understand it well.
[134]
This applies to other more cyber-specific
[137]
areas of concentration,
[138]
like privilege escalation,
[139]
security monitoring, incident response,
[142]
threat hunting, et cetera.
[144]
If you wanted to learn
[145]
all about cybersecurity, there’s really
[147]
too many different things to know,
[149]
since it could very well take
[151]
ten to twenty years mastering
[152]
just a few of them, at which point,
[154]
your mind might be oversaturated,
[157]
and not so interested in the other fields.
[159]
The reality is that you’ve got to
[161]
start off with just one or two areas
[163]
to concentrate in,
[165]
before expanding to others.
[167]
Whether you choose to become well-rounded
[168]
in a few different skill stacks,
[170]
or to be elite in just one,
[172]
there’s a lot of different journeys
[174]
you can take.
[175]
Personally I’d consider myself
[176]
as a mix of highs, mediums, and lows,
[179]
depending on the area we’re talking about.
[181]
So before you ask the question,
[182]
“How do I learn cybersecurity?”
[184]
and don’t know where to even begin,
[186]
the first principle is to discover
[188]
what topics are out there
[190]
and how they all connect
[191]
together on a broad level.
[193]
Then, you can start to narrow down
[195]
the learning scope to just the ones
[197]
you might be interested
[198]
in starting off with.
[199]
So with that being said,
[200]
let’s go over some techniques
[201]
you can use for learning
[202]
and training in cybersecurity.
[205]
Generally there’s three main ways
[207]
to learn complex topics:
[209]
top-down, bottom-up, and project-based.
[212]
Top-down is a really common approach,
[214]
where you pick a subject to tackle,
[216]
and then go after the resources
[218]
specifically tailored towards
[219]
learning that topic.
[221]
An example of people using
[222]
a top-down method might be pursuing
[224]
a specific certification on
[226]
“ethical hacking”, for instance.
[228]
It’s easy to think it’s as simple
[229]
as loading up Kali Linux
[231]
to sling some tools at targets,
[233]
or by grabbing some courses
[235]
and books on the subject,
[236]
then brain dumping everything
[238]
just to pass an exam or test.
[241]
Then you walk around thinking
[243]
that you're a Jedi,
[244]
but the reality is that your baseline
[246]
fundamentals are really weak,
[248]
and your true abilities
[249]
aren’t good enough to operate
[250]
in most real-world scenarios.
[253]
People at this stage in their journeys
[254]
are often known as skiddies,
[256]
which stands for script kiddies,
[257]
referring to all the young aspiring kids
[260]
that only know how to run tools
[261]
written by other people,
[263]
but not the principles
[264]
behind why or how they work.
[267]
In my opinion,
[268]
the best way to be successful
[269]
if you’re looking to use
[270]
a top-down learning method
[272]
is through an apprenticeship.
[273]
Back before education
[275]
was institutionalized through schools,
[277]
the only real way to learn
[279]
a skill or craft was to apprentice
[281]
under a master,
[282]
someone who had a few decades
[283]
of experience under their belt.
[285]
The knowledge transfer process
[287]
was rigorous and methodical,
[288]
to make sure that an apprentice
[290]
was actually teachable
[291]
and useful in adding value.
[293]
The main advantage to an apprenticeship
[295]
is that masters can point you
[296]
to the skill stacks that are relevant,
[298]
while filtering out the ones that aren’t.
[300]
It’s also handy that they can be there
[302]
for questions that are really hard
[303]
to find answers for all on your own.
[306]
The net effect of being an apprentice
[308]
is the huge amount of time saved
[310]
in the learning process,
[311]
which in my experience,
[312]
can reduce years into months.
[315]
The drawback to top-down learning
[316]
through an apprenticeship
[318]
is finding one in the first place.
[320]
Unfortunately, the truth is that
[322]
without having a solid baseline first,
[324]
many of the journeyman-level
[325]
and master-level practitioners
[327]
are either way too busy
[328]
or not interested in coaching you.
[330]
It’s a huge time investment
[332]
on their part to teach students,
[334]
since it takes them away
[335]
from research or actual work,
[337]
with a high risk of failure,
[339]
especially if the students
[340]
don’t have very much grit
[341]
or the drive to succeed
[342]
in the first place.
[344]
If a senior practitioner doesn’t
[345]
see much potential in you,
[347]
it’s easier to just walk on by.
[349]
This is why on-the-job training
[351]
and experience for cybersecurity
[352]
is so helpful because you’re surrounded
[354]
by co-workers you can learn from,
[356]
most of whom are likely better than you
[358]
in one or more areas.
[359]
Try to identify the most technical people
[361]
in your social network,
[363]
even if that means the IT helpdesk guy,
[366]
and spend time learning
[367]
as much as you can from them.
[369]
Once you’ve developed a decent relationship,
[371]
find out which experts they personally
[373]
look up to.
[374]
Then reach out to those guys.
[376]
If you’re not able to get mentorship
[378]
through professional circles,
[379]
you might consider building
[380]
a solid baseline knowledge through
[382]
the bottom-up approach.
[384]
Bottom-up learning is where you start
[386]
by picking a subject to tackle,
[388]
then decomposing it into the most basic
[390]
principles, definitions,
[391]
and tools that are related to it.
[393]
Then you start by learning
[394]
those component parts first
[396]
before diving into the target subject.
[398]
For a boxer it might mean
[400]
countless amounts of conditioning
[401]
and training in very simple
[403]
exercises that build muscle memory
[405]
and situational agility,
[407]
which indirectly improves
[408]
your fighting abilities over time.
[410]
Even though it takes a lot longer to do,
[412]
you build a very solid foundation
[414]
that becomes helpful
[415]
when you do make the switch
[416]
to more skill-oriented exercises.
[418]
In the case of cybersecurity
[420]
where you’re a mental athlete,
[422]
bottom-up learning translates into reading,
[424]
lots of reading.
[425]
Start with all the books
[426]
you can find that are related to computer
[428]
and network security and just marathon away.
[430]
What’s good about books
[432]
is that you tend to get higher
[434]
quality content than the average
[436]
Internet post and learn a thing
[437]
or two about each author,
[439]
most of whom are active
[440]
practitioners themselves.
[442]
They might also happen
[443]
to maintain a blog
[444]
or Tweet links to resources
[445]
for you to follow.
[446]
When you are reading,
[447]
remember to jot down
[448]
all the different vocabulary and concepts
[450]
you’re learning in something like a mindmap
[452]
or spaced repetition software like Anki.
[455]
Anki is a free and open-source tool
[457]
that lets you build flashcards
[458]
to learn just about any concept.
[461]
Unlike normal flashcards,
[462]
the heart of Anki is a scheduling algorithm
[464]
that decides when to show you concepts based
[467]
on how well you know it.
[470]
Research shows that active recall,
[472]
where you’re asked a question
[473]
and forced to remember the answer to,
[475]
is much more effective than passive study
[478]
for building strong memories.
[479]
Distributing the process over increasing
[481]
periods of time consistently,
[483]
further cements your knowledge
[485]
because it forces your brain
[486]
to retrieve it with deeper and deeper
[488]
levels of recall.
[490]
Using a bottom-up approach for cybersecurity
[492]
sets you up for learning new fields
[494]
much easier, since in cybersecurity,
[497]
many of the concepts show up again
[499]
time after time,
[500]
since everything is interconnected.
[502]
One downside to bottom-up learning
[504]
is that it can get monotonous,
[506]
since doing any activity
[507]
for its own sake without a clear goal
[509]
can get boring over time.
[510]
Which leads us to a third approach
[512]
for learning,
[513]
and actually one of my favorite methods,
[515]
which is through projects.
[517]
Project-based learning is a bit of a hybrid
[518]
approach between the previous two,
[520]
and gives you some more flexibility
[522]
using both.
[523]
To begin, you need to define
[525]
a technical outcome to work towards
[527]
that forces you to gather
[528]
and learn resources.
[529]
One of my first projects,
[531]
for example, was to be able to use
[533]
a computer without ever touching the GUI.
[535]
This process led me to become
[537]
quite proficient at the command-line
[539]
and learn many more concepts
[540]
than the original project entailed.
[542]
They say you should set smart goals,
[544]
which are specific, measurable, achievable,
[547]
relevant, and time-bound.
[549]
So something like “I want to hack”
[551]
wouldn’t qualify as smart.
[552]
A better alternative would be,
[554]
“I want to learn how to crack WEP encryption
[556]
on my home wireless network
[558]
by the end of the month.”
[560]
Even if it takes you much longer
[562]
than a month,
[563]
the process will expose you
[564]
to all sorts of different skill stacks,
[566]
from Aircrack, layer 2 networking,
[569]
the 802.11 protocol, and much more.
[572]
Project ideas tend to fall
[573]
into one of four categories:
[575]
making things, breaking things,
[577]
fixing things, and knowing things.
[579]
For instance, you could decide to build
[581]
a computer, then intentionally install
[583]
publicly available malware on it,
[585]
and then try to use host
[586]
or network forensics methods
[588]
to detect and eradicate the infection.
[590]
Documenting your entire process and workflow
[593]
can help solidify the entire
[595]
learning experience.
[596]
Whatever your project is,
[597]
it’s an opportunity to incorporate
[599]
both the top-down and bottom-up learning
[601]
we mentioned earlier.
[603]
The final principle that’ll help you
[604]
to get better at cybersecurity
[606]
is to change your mindset
[608]
and time horizon for picking it up.
[610]
The reality is that cybersecurity
[612]
takes a really long time to master,
[614]
much like becoming a doctor or lawyer.
[616]
What’s easy about established professions
[618]
like these is that there’s institutionalized
[621]
paths that have matured over the centuries.
[624]
If someone asked,
[625]
“Is there a doctor course anywhere”,
[626]
the answer is pretty clear.
[628]
In the United States, it takes
[629]
four years of medical school followed
[631]
by three to seven years of residency.
[634]
Medical residencies are basically
[635]
apprenticeships that involve working
[637]
at least 60 hours a week.
[639]
Many doctors that I’ve known
[640]
have worked 80 or more hours a week,
[643]
sleeping five or six hours each night.
[646]
Depending on your residency of choice,
[647]
this is anywhere from ten to twenty thousand
[650]
hours of training.
[651]
Assuming you’re only working 40 hours a week,
[654]
this would take you at least ten to twenty
[656]
years on the job in a cybersecurity role
[658]
to attain just the absolute number
[660]
of equivalent hours as a doctor.
[663]
The author Matthew Green describes mastery
[665]
of any skill as a function of time
[667]
and intense focus applied to a particular
[669]
field of knowledge.
[671]
In our age of two-second attention spans
[672]
and instant gratification,
[674]
it’s easy to just want a simple crash course
[677]
or quick tutorial to teach you everything.
[679]
But just seeking out surface level education
[681]
keeps you at the unconsciously incompetent
[684]
level of learning,
[685]
where you’re really
[686]
confident but not actually skilled.
[689]
As you grow and progress,
[690]
you then realize you’re actually pretty bad,
[692]
which could be a decision point as whether
[695]
or not to continue on the path.
[697]
If you do push through though,
[698]
you start to feel more comfortable
[700]
and accepting of the concepts
[701]
you know and don’t know.
[704]
At the most mature stage
[705]
of unconscious competence,
[706]
you’re pretty skilled
[707]
without even thinking about it.
[709]
In a field like cybersecurity
[711]
where there’s no clear,
[712]
institutionalized path
[713]
to becoming a professional,
[714]
you’ve really got to self-educate
[715]
using a combination of the different
[718]
learning approaches available
[720]
to achieve mastery.
[721]
So that’s it for this episode of
[723]
learning cybersecurity.
[724]
Hit that like button, subscribe,
[725]
and share it with friends
[726]
if you think this video has been
[728]
valuable for you.
[729]
Hit that notification bell
[730]
if you want an update for each new video
[732]
we launch.
[733]
It really goes a long way in supporting
[734]
what we’re doing.
[735]
Thanks so much for watching,
[736]
and I’ll see you soon!





