The cultivation of cyberspace security talents is multidisciplinary and wide-ranging, and the traditional knowledge system can no longer meet the needs of national strategies and the rapid development of the industry. The curriculum and knowledge system of related majors are scattered, and students lag behind in terms of knowledge structure and practical ability. The existing training programs in cyberspace security are not fully applicable to the development needs of cyberspace security itself. It is necessary to explore the training mode of cyberspace security talents based on relevant professional knowledge, and reconstruct the curriculum and knowledge system.
First, the construction of the environment.
1.Familiarity with basic virtual machine configurations.
2.Kali Linux, CentOS, Windows Experimental Virtual Machine.
3.Build your own IIS and Apache
4.Deploy PHP or ASP.
5.Build nginx reverse***
6.Understand the concepts of LAMP and LNMP.
2. Familiar with infiltration-related tools.
1.Familiar with the use of AWVS, SQLMAP, BURP, NESSUS, CHOPPER, NMAP, APPSCAN, MSF and other related tools.
2.To understand the purpose and usage scenarios of this type of tool, first use the software name googl;
3.**Software to install.
4.Learn Xi and use specific textbooks on secwiki, e.g. brup's tutorials, sqlmap;
5. These software to be commonly used have learned that you can install Sonic Startup to make an infiltration toolbox;
6.Learn the basics of MSF and reproduce the classic 08 067 and 12 020.
3. Concepts related to web security.
1.Familiarity with basic concepts (SQL injection, upload, XSS, CSRF Trojans, etc.).
2.Google Secwiki via keywords (SQL injection, upload, XSS, CSRF, one-sentence Trojan, etc.).
3.Reading is still one of the most important ways to acquire knowledge. Although some books may be outdated and errors in them may be corrected by new research, they can still give us the basics to get started and give us a general idea of a certain field.
4.Look at some infiltration notes** to understand the whole process of infiltration practice, and you can google Xi some high-quality content (infiltration notes, infiltration process, invasion process, etc.);
Fourth, infiltrate actual combat operations.
1.Master the entire phase of Port Penetration and be able to infiltrate small sites independently.
2.Find infiltration on the Internet and think about the ideas and principles, keywords "infiltration SQL injection**, file upload intrusion, database backup, dedecms exploit, etc.);
3.Find your own site Set up a test environment for testing, and remember to hide yourself
4.There are several phases of Thinker, and each stage needs to do what kind of work, such as this: PTES Penetration Test Implementation Standard;
5.Study the types of SQL injection, injection principles, and manual injection techniques
6.Study the principle of file uploading, how to perform truncation, double suffix spoofing (IIS, PHP), parsing exploits (IIS, Nignix, Apache), etc., refer to: Upload Attack Framework;
7.To study the principle and type of XSS, the specific learning Xi method can be found on google secwiki, you can refer to: xss;
8.To study the methods and specific uses of Windows Linux privilege escalation, please refer to: Privilege Escalation;
9.You may refer to: Open Source Penetration Testing Vulnerable Systems;
Fifth, pay attention to the dynamics of the security circle.
1.Stay up-to-date with the latest vulnerabilities, security incidents, and technical articles in Security Circle. Daily Security Technical Articles Incidents, take time to brush them every day;
2.Subscribe to domestic and foreign security technology blogs through feedly (don't be limited to domestic, usually pay more attention to accumulation), and if you don't have a subscription, you can take a look at the aggregation column of secwiki;
3.Develop a Xi habit of actively submitting security technical articles every day to link to secwiki for accumulation;Pay more attention to the latest vulnerability list, recommend a few: exploit-db, cve Chinese library, wooyun, etc., and practice when encountering public vulnerabilities.
4.If you pay attention to the topics or videos of domestic and international security conferences, we recommend secwiki-conference.
6. Familiar with Windows Kali Linux
1.Learn Xi basic commands and common tools of Windows Kali Linux.
2.Familiar with common cmd commands under Windows, such as: ipconfig, nslookup, tracert, net, tasklist, taskkll, etc.;
3.Familiar with common commands in Linux, such as: ifconfig, ls, cp, mv, vi, wget, service, sudo, etc
4.Familiar with common tools under Kali Linux;
5.Familiarity with the Metasploit tool.
Therefore, it is necessary to build a new mechanism for multi-dimensional evaluation and continuous improvement based on the core capabilities of cyber security to ensure the quality of cyberspace security talent training.
The core competitiveness of cyberspace security lies in professional personnel, and only by cultivating sufficiently outstanding cyber professional and technical personnel can we ensure that the country can gain an advantage in future cyberspace wars. Therefore, countries around the world have elevated the training of cyberspace personnel to a national strategic level, and invested huge financial and material resources to build a complete system for cultivating cyberspace security personnel.
The majors Xi of network information security engineers are mainly related to computing, and at the undergraduate level, similar majors include computer science and technology, software engineering, network engineering, and information securityAt the junior college level, similar majors include computer application technology, computer network technology, software technology, information security and management, and cloud computing technology and application. Those who want to engage in this work can participate in the "Network Information Security Engineer Personnel Proficiency Testing" project launched by the Recognition and Research Center of the State Administration for Market Regulation, and obtain the proficiency testing certificate through Xi, which is of great help to the future career development of practitioners.