Clone of https://github.com/rmusser01/Infosec_Reference . For those who would prefer to not be tracked by MS.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

156 lines
15 KiB

5 years ago
5 years ago
3 years ago
3 years ago
5 years ago
3 years ago
5 years ago
5 years ago
4 years ago
4 years ago
4 years ago
4 years ago
4 years ago
5 years ago
3 years ago
5 years ago
4 years ago
3 years ago
4 years ago
3 years ago
4 years ago
3 years ago
3 years ago
  1. # Basic Security Principles/Information
  2. ### How to Suck at InfoSec
  3. * [How to Suck at Information Security – A Cheat Sheet](https://zeltser.com/suck-at-security-cheat-sheet/)
  4. * [How not to Infosec - Dan Tentler](https://www.youtube.com/watch?v=S5O47gemMNQ)
  5. *
  6. https://blog.usejournal.com/regular-expressions-a-complete-beginners-tutorial-c7327b9fd8eb?gi=8702ae6f23be
  7. Cognitive Fallacies
  8. Intro to statistics
  9. intro to networking
  10. Intro to X
  11. * [Towards Improving CVSS - J.M. Spring, E. Hatleback, A. Householder, A. Manion, D. Shick - CMU](https://resources.sei.cmu.edu/asset_files/WhitePaper/2018_019_001_538372.pdf)
  12. * [Designing Security for Billions - Facebook](https://newsroom.fb.com/news/2019/01/designing-security-for-billions/)
  13. * [Passwords in a file - erratasec](https://blog.erratasec.com/2019/01/passwords-in-file.html)
  14. * [Keyboard shortcuts in Windows - support.ms](https://support.microsoft.com/en-us/help/12445/windows-keyboard-shortcuts)
  15. claude shannon
  16. * [MarkOfTheWeb: How a Forgetful Russian Agent Left a Trail of Breadcrumbs - Yonathan Klijnsma](https://www.riskiq.com/blog/labs/markoftheweb/)
  17. * [Normalization of deviance - Dan Luu](https://danluu.com/wat/)
  18. * [One week of bugs - Dan Luu](http://danluu.com/everything-is-broken/)
  19. * [Apache and Let's Encrypt Best Practices for Security - aaronhorler.com](https://aaronhorler.com/articles/apache.html)
  20. * [Operation Luigi: How I hacked my friend without her noticing](https://www.youtube.com/watch?v=ZlNkIFipKZ4&feature=youtu.be)
  21. * My friend gave me permission to "hack all her stuff" and this is my story. It's about what I tried, what worked, my many flubs, and how easy it is to compromise Non Paranoid People TM.
  22. * [Blogpost](https://mango.pdf.zone/operation-luigi-how-i-hacked-my-friend-without-her-noticing)
  23. * [Welcome to Infosec (Choose your own Adventure) - primarytyler](https://docs.google.com/presentation/d/1_PjLGP28AH3HXbkwRkzGFeVPBmbBhp05mg7T6YofzRA/mobilepresent#slide=id.p)
  24. * [Choose Your Own Red Team Adventure - Tim Malcomvetter](https://medium.com/@malcomvetter/choose-your-own-red-team-adventure-f87d6a3b0b76)
  25. http://super-memory.com/articles/20rules.htm
  26. * [When to Test and How to Test It - Bruce Potter - Derbycon7](https://www.youtube.com/watch?v=Ej97WyEMRkI)
  27. * “I think we need a penetration test” This is one of the most misunderstood phrases in the security community. It can mean anything from “Someone should run a vulnerability scan against a box” to “I’d like nation-state capable actors to tell me everything that wrong with my enterprise” and everything in between. Security testing is a complex subject and it can be hard to understand what the best type of testing is for a given situation. This talk will examine the breadth of software security testing. From early phase unit and abuse testing to late phase penetration testing, this talk will provide details on the different tests that can be performed, what to expect from the testing, and how to select the right tests for your situation. Test coverage, work effort, attack simulation, and reporting results will be discussed. Also, this talk will provide a process for detailed product assessments, i.e.: if you’ve got a specific product you’re trying to break, how do you approach assessing the product in a way that maximizes your chance of breaking in as well as maximizing the coverage you will get from your testing activity.
  28. https://www.fastcompany.com/3060820/every-ted-talk-ever-in-one-brutal-parody
  29. https://en.wikipedia.org/wiki/The_Power_of_the_Powerless
  30. https://en.wikipedia.org/wiki/Eight-circuit_model_of_consciousness
  31. * [No Silver Bullet - fmiljang.co.uk](http://www.fmjlang.co.uk/blog/NoSilverBullet.html)
  32. * [The Asshole Filter - Siderea](https://siderea.livejournal.com/1230660.html)
  33. https://www.businessballs.com/self-awareness/personality-theories-and-types-156/
  34. https://danluu.com/wat/
  35. https://danluu.com/everything-is-broken
  36. https://danluu.com/sounds-easy/
  37. http://www.catb.org/jargon/html/Z/Zero-One-Infinity-Rule.html
  38. * [Structured Text Tools](https://github.com/dbohdan/structured-text-tools)
  39. * The following is a list of text-based file formats and command line tools for manipulating each.
  40. https://github.com/nsacyber/WALKOFF
  41. https://github.com/alcor/itty-bitty/
  42. * [Bedford and the Normalization of Deviance - Ron Rapp](https://www.rapp.org/archives/2015/12/normalization-of-deviance/)
  43. https://github.com/swisskyrepo/PayloadsAllTheThings
  44. ### General Information
  45. * **101**
  46. * [Ten Simple Rules for Doing Your Best Research, According to Hamming](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2041981/)
  47. * [Learning the Ropes 101: Introduction - zsec.uk](https://blog.zsec.uk/101-intro/)
  48. * [InfoSec Newbie List by Mubix](https://gist.github.com/mubix/5737a066c8845d25721ec4bf3139fd31)
  49. * [infosec_getting_started](https://github.com/gradiuscypher/infosec_getting_started)
  50. * A collection of resources/documentation/links/etc to help people learn about Infosec and break into the field.
  51. * [Salted Hash Ep 34: Red Team vs. Vulnerability Assessments - CSO Online](https://www.csoonline.com/article/3286604/security/salted-hash-ep-34-red-team-vs-vulnerability-assessments.html#tk.twt_cso)
  52. * Words matter. This week on Salted Hash, we talk to Phil Grimes about the differences between full Red Team engagements and vulnerability assessments
  53. * [Encoding vs. Encryption vs. Hashing vs. Obfuscation - Daniel Messler](https://danielmiessler.com/study/encoding-encryption-hashing-obfuscation/)
  54. * **Careers in Information Security**
  55. * **Educational/Informational**
  56. * [Navigating Career Choices in InfoSec - Fernando Montenegro - BSides Detroit2017](https://www.youtube.com/watch?v=yM2xCjrQSY4)
  57. * Making career choices can be intimidating and stressful. Perhaps this presentation can help. The tidal forces affecting technology impact our careers as well. If we're not actively managing them, we're leaving decisions to chance (or to others), and may not like the outcomes. This presentation describes a framework I've used over the past few years to evaluate both ongoing job satisfaction as well as new opportunities as they appear. I'm happy with the outcomes I've obtained with it, and have used this same framework when providing advice to others, and it has been well received. Hopefully it can help others as well.
  58. * [Infosec Tools of the Trade: Getting Your Hands Dirty](http://www.irongeek.com/i.php?page=videos/bsidesnashville2017/bsides-nashville-2017-green00-infosec-tools-of-the-trade-getting-your-hands-dirty-jason-smith-and-tara-wink)
  59. * In this presentation we'll will be going over introductions to the various focuses in information security and demoing the most common tools that are used in operational security, both offense and defense. You'll leave with an idea on how to freely obtain and use these tools so that you can have what you need for that first interview: experience and a passion for security. This is a green talk for people who don't have a clue on what offensive and defensive people do operationally, from a tool perspective.
  60. * [So You Want To Be A H6x0r Getting Started in Cybersecurity Doug White and Russ Beauchemin ](https://www.youtube.com/watch?v=rRJKghTTics)
  61. * **Interview Preparation**
  62. * [How to prepare for an infosec interview - Timothy DeBlock](http://www.timothydeblock.com/eis/135)
  63. * **Relevant Standards**
  64. * [NICE Cybersecurity Workforce Framework](https://www.nist.gov/itl/applied-cybersecurity/national-initiative-cybersecurity-education-nice/nice-cybersecurity)
  65. * The NICE Framework, NIST Special Publication 800-181, establishes taxonomy and common lexicon that is to be used to describe all cybersecurity work and workers irrespective of where or for whom the work is performed. The NICE Framework is intended to be applied in the public, private, and academic sectors. (USA Focused)
  66. * **Data Scientist**
  67. * [What Data Scientists Really Do, According to 35 Data Scientists - HBR](https://hbr.org/2018/08/what-data-scientists-really-do-according-to-35-data-scientists?mc_cid=f8f788d39e&mc_eid=f956a0c5ca)
  68. * **Penetration Tester**
  69. * **Articles & Writeups**
  70. * [How to become a pentester - Corelan](https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/)
  71. * [Attacking Big Business](https://www.cyberis.co.uk/blog/attacking-big-business)
  72. * [10 common mistakes aspiring/new pentesters make - PentesterLab](https://blog.pentesterlab.com/10-common-mistakes-aspiring-new-pentesters-make-b74a81e58934)
  73. * [So You Want To Be a Pentester? - Jack Halon](https://jhalon.github.io/becoming-a-pentester/)
  74. * [And THIS is Why Penetration Testing Sucks - Ronin Chang](https://www.linkedin.com/pulse/why-penetration-testing-sucks-ronin-chang/)
  75. * [So You Want To Be a Pentester? - Jack Halon](https://jhalon.github.io/becoming-a-pentester/)
  76. * [World's Worst Penetration Test Report - rant](https://it.toolbox.com/blogs/chiefmonkey/the-worlds-worst-penetration-test-report-by-scumbagpentester-012814)
  77. * [Make It Count: Progressing through Pentesting - Bálint Varga-Perke -Silent Signal](https://silentsignal.hu/docs/Make_It_Count_-_Progressing_through_Pentesting_Balint_Varga-Perke_Silent_Signal.pdf)
  78. * **Talks & Presentations**
  79. * [So you think you want to be a penetration tester - Defcon24](https://www.youtube.com/watch?v=be7bvZkgFmY)
  80. * So, you think you want to be a penetration tester, or you already are and don't understand what the difference between you and all the other "so called" penetration testers out there. Think you know the difference between a Red Team, Penetration Test and a Vulnerability assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your team mates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? well this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process. Talk about planning and performing Red Teams, how they are different, and why they can be super effective and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between. Give you the answers to all of your questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun.
  81. * [Hold my Red Bull Undergraduate Red Teaming Jonathan Gaines](https://www.youtube.com/watch?v=9vgpqRzuvLk)
  82. * **Cognitive Bias**
  83. * [List of cognitive biases - Wikipedia](https://en.wikipedia.org/wiki/List_of_cognitive_biases)
  84. * [58 cognitive biases that screw up everything we do - Business Insider](https://www.businessinsider.com/cognitive-biases-2015-10)
  85. * **Critical Thinking**
  86. * [How to Apply Critical Thinking Using Paul-Elder Framework - designorate](https://www.designorate.com/critical-thinking-paul-elder-framework/)
  87. * [Paul-Elder Critical Thinking Framework - University of Louisville](https://louisville.edu/ideastoaction/about/criticalthinking/framework)
  88. * **General**
  89. * [Mozilla Enterprise Information Security](https://infosec.mozilla.org/)
  90. * [Rating Infosec Relevant Masters Programs - netsecfocus](https://netsecfocus.com/training/development/certifications/2017/03/08/rating_infosec_masters.html)
  91. * **General Good Stuff**
  92. * [Words Have Meanings - Dan Tentler - CircleCityCon 2017]
  93. * [(Deliberate) practice makes perfect: how to become an expert in anything - Aytekin Tank](https://medium.com/swlh/deliberate-practice-makes-perfect-how-to-become-an-expert-in-anything-ec30e0c1314e)
  94. * **How to Ask Better Questions**
  95. * [How To Ask Questions The Smart Way - Eric Raymond](http://www.catb.org/esr/faqs/smart-questions.html)
  96. * [Socratic questioning - Wikipedia](https://en.wikipedia.org/wiki/Socratic_questioning)
  97. * [The Six Types Of Socratic Questions - umich.edu](http://www.umich.edu/~elements/probsolv/strategy/cthinking.htm)
  98. * [Ask Good Questions: Deep Dive - Yousef Kazerooni](https://medium.com/@YousefKazerooni/ask-good-questions-deep-dive-dacd8dddc247)
  99. * [Relearning the Art of Asking Questions - HBR](https://hbr.org/2015/03/relearning-the-art-of-asking-questions)
  100. * [How To Ask Questions The Smart Way - wiki.c2.com](http://wiki.c2.com/?HowToAskQuestionsTheSmartWay)
  101. * **Learning:**
  102. * **Excel**
  103. * [You Suck at Excel with Joel Spolsky(2015)](https://www.youtube.com/watch?v=0nbkaYsR94c&feature=youtu.be)
  104. * The way you are using Excel causes errors, creates incomprehensible spaghetti spreadsheets, and makes me want to stab out my own eyes. Enough of the =VLOOKUPs with the C3:$F$38. You don't even know what that means.
  105. * [Notes](https://trello.com/b/HGITnpih/you-suck-at-excel)
  106. * **The Command Line**
  107. * [explainshell.com](https://github.com/idank/explainshell)
  108. * explainshell is a tool (with a web interface) capable of parsing man pages, extracting options and explain a given command-line by matching each argument to the relevant help text in the man page.
  109. * [A little collection of cool unix terminal/console/curses tools](https://kkovacs.eu/cool-but-obscure-unix-tools)
  110. * **New Skills**
  111. * [The Paradox of Choice: Learning new skills in InfoSec without getting overwhelmed - AzeriaLabs](https://azeria-labs.com/paradox-of-choice/)
  112. * **Problem Solving**
  113. * [Software Problem Solving Cheat Sheet - Florian Roth](https://www.nextron-systems.com/wp-content/uploads/2018/06/Software-Problem-Solving-Cheat-Sheet.pdf)
  114. * [The XY Problem](http://xyproblem.info/)
  115. * The XY problem is asking about your attempted solution rather than your actual problem. This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help.
  116. * [The AZ Problem](http://azproblem.info/)
  117. * This website introduces the AZ Problem: a generalization of the XY Problem. To wit, if we agree that the XY Problem is a problem, than the AZ Problem is a metaproblem. And while the XY Problem is often technical, the AZ Problem is procedural. The AZ Problem is when business requirements are misunderstood or decontextualized. These requirements end up being the root cause of brittle, ill-suited, or frivolous features. An AZ Problem will often give rise to several XY Problems.
  118. * **Security 101**
  119. * [Types of Authentication](http://www.gfi.com/blog/security-101-authentication-part-2/)
  120. * [Access control best practices](https://srlabs.de/acs/)
  121. * **Skill-Testing/Question Prep**
  122. * [test-your-admin-skills](https://github.com/trimstray/test-your-sysadmin-skills)
  123. * A collection of \*nix Sysadmin Test Questions with Answers for Interview/Exam (2018 Edition).
  124. * **The Web**
  125. * [Web Architecture 101 - Jonathan Fulton](https://engineering.videoblocks.com/web-architecture-101-a3224e126947?gi=d79a0aa34949)
  126. * **Tools you should probably know exist**
  127. * [Introduction To Metasploit – The Basics](http://www.elithecomputerguy.com/2013/02/08/introduction-to-metasploit-the-basics/)
  128. * [Shodan](http://www.shodanhq.com/help)