Dear Gentle Academy readers,
Now not to toot my own horn … I just just finished a bootcamp in cybersecurity and simultaneously saw the Academy launched its own Cyber content… and I thought hey let’s give it a whirl. I need to study and keep these skillz fresh for I am definitely going to undertake the ordeal of studying for Sec+ (more about that later) so I thought why not chime in on my experience with the experience of Codecademy’s own cybersecurity curriculum.
And right off the bat the TL DNR version of this is: This a great topical course that I would 100% recommend for Cybersecurity awareness training for organizations and to make it a better introduction to Cybersecurity these are my thoughts and feelings.
As of right now: I am only 31% the way through the curriculum:
Observe: This is from today as I write this post right now!!
So these observations some from the first few units of the curriculum and of course may be covered in greater detail in either other courses set out by the Academy or crucially later in the unit.
Right off the bat: The CIA triad was absolutely one of the first things covered. So this is absolutely essential knowledge you need to know to function in Cyber.
Though to this point there are only two text based multiple choice questions that cover this topic and honestly this part could be better as the answers to the two questions branch of widely into really important topic you again absolutely need to know and understand in cyber.
Probably a good idea to drill all three of branches of the triad. In that spirit I’ll shoot three at you now:
A healthcare facility allows authorized personnel within a department to access patient data. When personnel move departments, they lose their access. Where does this fit in to the triad?
A cybercriminal (hacker) cracks a hashed message and changes its contents. Where does this fit in to the triad?
A company uses multiple servers (a.k.a redundant servers) so that in the event of a malfunction, one server will step in for the other. Where does this fit in to the triad?
While it may seem like busy work, it is pretty essential to understand all branches of the triad. The answers to these are : 1) Confidentiality 2)Integrity 3)Availability
While this lays out a complex scenario that you really have to read through:
The answer to this question branching off into encryption which of course again absolutely essential in understanding in cyber, is kind of an overwhelm:
This is the right answer explanation right here
Emerging Cyber folks you are going to have to know AES 256 and 3DES … Why SHA256 isn’t great… And I think also mentions something about Asymmetric and Symmetric encryption that again you’re absolutely going to need to know about. Also, the programs that how to generate keys, like PGP, but again not to overwhelm but just to point out you’re going to need to have a basic understanding of how these things work.
This brings bridges the second point I’m trying to make which is that the overall flow of the introductory topics of sort of varies widely from the CIA triad to topic such as password security.
This is not wrong as some of the most common passwords are: password, Password, Qwerty, qwerty,123456. These should absolutely not be your passwords. You should look into passphrases… like a whole sentence: TheBestBreakfastFoodsarecoldpizza&Tacos (BTW don’t use that now that it’s been mentioned) as opposed to passwords and change them often. The fact that passphrases are so long in fact makes them mind boggling long to crack and are a great start. Also, to that point do not come up with one super amazing password and then use it on multiple sites. It’s basically having one key to unlock all the doors to your life liberty and pursuit of happiness.
This of course ties in with the RockYou.txt mention which is a list of all those commonly used passwords. Though do not go hunting for this in the wild for curiosity’s sake because there are a lot of risky GitHubs out there in the wild. Though I could be wrong I believe the curriculum mentions of a installing a running a VM (virtual machine) which again is pretty essential knowledge for Cyber folks is mentioned. They are recommending Kali Linux which is excellent and RockYou.txt comes standard with its installation as does John the Ripper another password utility. The important thing you need to take away from this is 1) understanding how to use a virtual machine 2) getting to know Linux and bash 3) do not use password utilities unless you own the machine you’re trying to figure out or have express written permission for because that’s a BIG BIG no no legally speaking. Though again I feel that this tutorial should come later or have its own separate course introducing you to the wide world of virtual machines. Kali Linux is generally used for Red Team pursuits (aka Penetration Testing, Pen Testing). Maybe start with Ubuntu which is a friendlier distribution to learn the ropes but of course you do you.
I think a better topic to cover right after the CIA triad would be security measures you or an organization can take. This would be introducing topic such as what kind of security threats there are in the wide world looking to impact the CIA triad such as hacktivists, script kiddies, nation states or organized cybercrime like the ransomware folks. Or less fascinating security measures an organization can take: Administrative, Technical, or Physical.
An administrative security measure is something like requiring employees to follow security guidelines like call in the case of maintenance workings asking for access to anything.
A technical security measure is requiring Dev’s to login over SSH (short for Secure Shell uses encryption and connecting between ports on a computer using an IP address…Something again pretty essential for cyber folks to understand)
A physical security measure such as keycard access or biometric scan.
So, to this point I would argue the Academy could do better and cover these kinds of controls and more crucially the elevator maintenance team is avoiding administrative controls through social engineering. The clear administrative security policy would be having an administrative assistant call to verify that elevator maintenance is happening today ect.
Aside from let’s call it strict cybersecurity topics. There was also an extensive section covering roles in cybersecurity and their associated certs and qualifications. Now this part there are a lots of thoughts and feelings. Security+ or Network+ administered by Comptia are generally intro certificates that will probably open a lot of doors for you in cybersecurity. Comptia is favored as it is vendor neutral (so it’s not like Microsoft telling the world you are amazing at cyber). Though in the same breath you will see things like this:
CISSP for example is only recommended for those folks who have 5+ years of experience in Cyber and not an introductory cert that you would need to chase in the beginning. Also with a bit of luck you might even get your company to pay for your course because it does cost a significant amount of cupcakes.
Which is why I mention this list down here with the GIAC which is good if you want to get into something like cyber forensics but again, get your Network+ Sec+ first, and I believe it is a 2-5k price tag so it would be best to get some sort of support from your company. And as for the experience thing … you are going to face a bit of an uphill battle. I have a bootcamp cert but I’m going to keep pushing on here building things and hopefully the academy will have some CTF(Capture the Flag) so you can show your skillz. I’m at this stage where I’ve got to demo my knowledge which is in part why I want you all to have a bit of an easier time of it than I am so I am sharing as much as I can on here.
This brings me to here:
If you do want that sweet Security Analyst role: Your first job in cyber (awww look at you go ) You’re most likely going to be a level one incident responder when you land your first cyber role and as such generally, you’re just going to be doing a lot detection of: UM…GUYS SOMETHING IS HAPPENING !!! And running it up the flagpole so that 1337 wizards higher up than you will stop the ongoing events which is why: not only should you know what they are mentioning here:
MITRE’s ATT&CK framework that outlines Tactics and Techniques used by a Red Team to stress out you Blue Team folks (defending). I would add to the list list too it would be a good idea to learn the Cyber Kill Chain model as well.
Well I think I’ve talked your ear off … Or maybe more accurately Tired your eyeballs out here so I’m going to end this post now but there are more things I would like to touch on as I keep on digging on in to the curriculum. So probably going to be a forum menace but there are worse things such as someone eating your last treat item and not telling you so just in case: