What are steps to become a cyber security professional in India? What certifications and skills are required?
I am 1st year BE grad aspiring to become a ethical hacker.Pls suggest a learning path from basic to advanced.Posted in: #Hacking and Security
Tagging @Rahul , a cyber security professional himself to guide you. Let's wait for his response.
In the mean time, here's what I would recommend -
A cyber security professional needs to have a thorough understanding of how computers operate - right from the hardware to the software. In addition, you'll need to know networking in depth.
Among the operating systems, start learning UNIX systems as much as you can - because they form majority of the server side of the network. Windows and MacOS are also being used as servers - which means you'll have to develop deep knowledge of these operating systems as well.
The next comes the 'security' aspects of computers - you'll need to understand buffer over-runs, SQL Injection techniques, use-after-frees (some of the things) and various tools used by hackers (which I will not name here for obvious reasons).
A cyber security professional must think like a hacker or attacker - in order to find the system exploits. A lot can be understood by reading about computer security publications and papers. Perhaps you could look at publishing a paper on your own - to get noticed by other security professionals.
You'll also need to have good knowledge of programming logic (which goes beyond any specific programming language). Make sure that you understand how programming works; and you should be able to write efficient code as well. Most of the exploits happen because of poorly written code.
Finally, do not underestimate the knowledge of Law! Any cyber security professional needs to have a good knowledge of the law of the land; to understand what's allowed and what's not.
Here's my suggestion -
1. Start with the fundamentals of networking and operating systems.
2. Subscribe to computer security blogs and publications and read them religiously.
3. Get hold of cyber security law related articles or join relevant courses.
I hope this helps to some extent. Let's wait to hear from others.
Kaustubh has already made a good set of points . To add few more points, here you go.
Cyber security is a vast field in itself. It has its own ecosystem.
It covers many different topics like Vulnerability Assessment, Penetration testing, Disaster Recovery, Business Continuity Planning, Cyber Laws, Cyber crime investigation etc...
However your interest seems to be more into Ethical hacking. To start with its better you first understand OS and Networking followed by Web Applications and other Technologies like Biometrics, IoT and SCADA systems(for advance concept and industrial security).
The conceptual understanding is necessary , once you have it, you can explore in depth "on your own". To start with, following are the pointers,
OS : Learn about Windows ADS,User Management, Windows Logs and Auditing, Linux user management and syslogs, remote and secure logins.
Networking : Understand TCP/IP, Ports, IP addressing, Service associated to ports, Weakness in TCP/IP, session hijacking, DoS attacks, Man-in-the-Middle attacks etc.
Web Applications : IIS weakness, Apache configurations and issues associated,input validation issues like SQL injection and similar injections,Cross-Site scripting, Broken Authentication, Misconfigurations, Sensitive data exposure. Also there are sites that provides more insight like OWASP top 10.
Biometric : There are many issues with Biometric authentication. Most of them can be broken easily, like fingerprints,IRIS scans, face recognition.
Iot :Though new introduction , but can be a big security concern like CAR vulnerabilities,Electronic door issues,RFID,digital payment Swipe cards and, Company ID cards, NFC hacking and many more.
SCADA : Electrical Grid, Remote monitoring of industrial units and such similar.
It is a good idea to explore some simple tools that can be used for such purposes. Also there are readymade OS called vulnerable OS that you can download and practice on. Some such OS and applications are "Damn Vulnerable Linux", "webgoat", "owaspbwa" and "metasploitable".
The OS that are available with ready made tools for exploitation are, Kali Linux,Parrot OS, Pentoo OS, BackBox.
Make sure that you go through websites like,
However it is very important to understand that , you have to test on your own systems that you are authorized to. Trying on systems that you are not authorized to can land you in legal trouble as it is a crime. There are stringent laws (India and in other countries as well) that can land you in jail from 3 years to Life imprisonment depending upon the crime severity. Also monetary penalties can be imposed. Do not every try your skills on the systems/network that you are not authorized to do.
Note: Don't jump directly into youtube. It does not provide systematic approach.
Hope this helps.
This is a great question and the most common ones, asked by everyone, in fact, I got started by asking such questions. @Kaustubh Katdare and @Rahul Jamgade have given in many valuable inputs. So, instead of talking about the steps I would suggest you to first get to know which area of cyber security you are interested in. Many people start their career in bug bounty programs and often stay in that comfort zone as they get paid a lot.
Anyhow as a cybersecurity professional, one needs to know the various server systems and their internal structure. Like Windows Active Directories are important.
Similarly, you need to know the networks well in and out. All these falls under defensive practices. But for offensive security things look different. You need to know how to compromise things without causing damage to it.
Another area is forensics. This is interesting if you like malware research and all that. This area requires you to be good at reverse engineering, recovery, etc...
Well, I hope that helps in getting clarity to do some research on understanding your interest and also explore these areas.
Additionally, I'll provide a link to my Cyber Security resources repository, if that could be helpful.