This Page is about starting your way in the IT-Security. So if you are new to IT-Security, this page is the right place to explore this fascinating topic.

Note: If you are looking for help on how to use Freefire.org have a look at the Help page. You will find help on topics like personalization, meaning of the symbols and notation, explanation of the layout and a way to contact the webmaster for questions or comments.

The topic IT-Security is quite a wide and very interesting topic (after all it is important for private persons and companies engaged in business on the net). I can tell everybody it is a good topic to learn about.

Even if it is a hot topic and there is a great need for IT-Security Experts, it is not easy to get into that area. Some commercial certifications are available for individuals, to "proof" knowledge. But after all, to be firm in the various areas of IT-Security you need a great deal of background information, a lot of experience, and perhaps even a good share of psychological background.

Information on IT-Security is important for individuals, also. More and more of our every day live is related to online. You do banking and buying (with credit cards) over the net, your privacy is exposed by companies beeping able to profile you. Malware and Virus are treating your local PC, you are an easy victim to network terrorists, and your computer can be abused as a weapon or tool to break security of the law.

Therefore this page tries to be a starting point for individuals trying to get into the IT-Security business, as well as for individuals who simply want to have some common understanding on how to use Information Technology (especially the home PC) without having problems of the above mentioned kinds.

For some excerpts on the topic of a career path in IT-Security, have a look at the [html] CSI Archives. CSI is the Computer Security Institute, so take those articles carefully, they may want to sell you something :)

Home User Information Resources

IT Security Starters

• [txt] Learn to hack in 17 easy steps - A classical Usenet Text. ([html] German Version from <CCC Cologne>). Beware: Humor included.

• [html] How to become a Hacker (Hacker-HowTo) <Eric S. Raymond>. This is about ethic of a hacker and a definition of the term hacker. ([html] German version). Beware: Ethics and politics included.

• [html] Know Your Enemy - Interesting Analysis on how Blackhats operate. Look especially at their [html] Security Papers ([html] French, German, Suomi, Sloven, Korean, Russian, Italian, Chinese version). The Honeynet Project has a lot of useful resources on that Topic and even a Book: Knowing your Enemy <The Honeynet Project> to share those findings. It is good to have some background info, and the project is always up-to-date to the latest treats. #RootPrompt.org has a [html] Feature with articles from <Lance Spitzner>

• Book: Practical Unix and Internet Security <Gerfinkel/Spafford>. A classical Book and quite a good starter. A must read, even if it fails a bit short in terms of Microsoft Operating Systems.

• IT-Security for networked systems, especially if connected with the public Internet, or if based on TCP/IP protocols require a great deal of background knowledge. A lot of protocol have inherited problems, are weak and should be avoided. If you have to use them, you have to know how exactly to allow them. Here is a list of TCP/IP Tutorials on the net. Check out the [html] Uri's TCP/IP Resources List - this is a long, well maintained list of resources.
  

  dmoz: Computers: Internet: Protocols: Transmission Protocols: Networking Resources

• A very popular attack method is to exploit bugs in applications with "buffer overflows". Understanding how they work can help you to judge on the security of implementations. The following tutorials assume some knowledge of the C programming language: [html] A Look at the Buffer-Overflow Hack <Eddie Harari/Linux Journal>. [txt] Writing Buffer Overflow exploits - a tutorial for beginners <Mixter>. Of course there are solutions to this problem: [html] Countermeasures against Buffer Overflow Attacks <Niklas Frykholm/RSA Labs>.

• Once the most successful and most secure rated firewall systems had an open approach. Source code was available for review, fixing and investment protection. The term "Crystal box" was branded by TIS for their [html] Firewall Toolkit and their commercial Gauntlet Firewall.
  Nowadays that TIS is bought by NAI and DEC Seal is history, too, still people ask for open source solutions. One of the major reasons is the trust you can't have into closed source. The ability to review is one of the strength of open source IT Solutions. Thats why even governments fund the development of open source solutions ([html] e.g. Germany is supporting the Development of a GUI for the OpenPGP compatible GNU Privacy Guard). A few links to that topic are included in [html] Is Open Source Software Really More Secure? <Bud Rogers/SANS>

• [html] Securityfocus has a nice "Basics" Section featuring articles, sometimes they are vendor neutral and sometimes they feature free tools. A lot is about basic knowledge. Look [html] for their "infocus" articles and their [html] Glossary.

• [html] Internet Firewalls FAQ is a bit outdated, but the concepts and history, some important considerations and some methodologies are still well described <Matt Curtin/Markus J Ranum>.

• IT-Security Standards, Certifications and Classifications are very often abused or marketing speech. But after all, an understanding for basic classifications is very helpful. The Department of Defense' (US) [html] Trusted Product Evaluation Program was one of the first which started classifications, in the [html] Orange Book. Another program was the [html] UK ITSEC Schema adopted by the EU. Those Schemes are expected to vanish, now that the [html] Common Criteria (for IT Security Evaluation). (Note: you will feel the language therein is strange and academic, be warned :)

• And of course the Freefire.org Articles and the Freefire.org Library.