What is the most basic absolute beginner jumping off point for infosec, for someone with slim to zero IT experience?

Okay, so I need help. I may just be being an idiot about all this, but I figure it doesn't hurt to ask. I keep trying to look up where to start in the infosec field. I have found plenty of posts stating that there are all sorts of different places to specialize and to choose one that interests you most, but that doesn't really help on where to start.

Some sort of direction is all I'm trying to find with infosec. I have a very basic understanding of computers, dabbled a little (very, very little) in web development, and taken a few computer science classes, but I still would consider myself an absolute novice. I need at least a vague outline, a starting point.

I'm assuming I start with basic computer science; do I move on to networking, systems admin? My interest so far is in pentesting, but everyone says those are very different disciplines. However, wouldn't I want to understand potential security holes in networks, and potential system admin flaws, in order to be an effective pentester?

I may not have worded this in an understandable way. One last thing: I know a language would be beneficial. Should I start with Python, C#, something else?

Is a Master of Science in Identity Management and Security through the University of Texas worth my time?

So, 27 yo male here. I currently have a bachelor's degree in the greatest major of all time, criminal justice.

Obviously this degree I have hasn’t helped me out and I actually have zero interest in law enforcement in any capacity.

I will soon be in a position that I think I will have time to be able to pursue a master's degree but wasn't sure what to pick. I stumbled upon this program at the University of Texas at Austin, which will be an online program that meets once a month in person.

Without divulging too much personal information, I currently hold a certain clearance through the government and was wondering if this program would actually lead me into more opportunities and a decent salary after I leave my current employer.

From their website:

The Master of Science in Identity Management and Security (MSIMS) is the Nation's premier professional degree program for those seeking employment or advancement in management or executive roles in identity security, or privacy. The Center for Identity joined with The University of Texas School of Information (ranked among the Top 5 in the Nation) to offer this unique interdisciplinary program bringing together law, public policy, communications, technology and the social sciences. The MSIMS delivers a 360-degree perspective of information security and privacy not available through existing programs in cybersecurity and information assurance.

Is this just another cyber security degree that will lead to dead ends?

Thanks for your help!

Question about adding salt to hash

How important is it that the salt is unique?

For instance, in the case of this, where it's using SHA-512, and the password itself is pretty unique, does it really matter that the salt is the same? If you added this as a hash to /etc/shadow for a user, and someone got the hashes, would it make a difference security-wise?

$ perl -e "print crypt('9d138ydHDTD8g1d\!@%\!23[asd', '\$6\$saltysaltingsalt\$')"; echo
$6$saltysaltingsalt$reh3kbzOgv96pxTLGjnEdp/oLKAKbFdnCnP21YBv9OGblJ6nN2H3Pty4GYLh.G5UNQT2A7iOntrVWDvQk1kyz0

$ perl -e "print crypt('dh7d1$%%^(1uidhbausbdIDGASad36%^&', '\$6\$saltysaltingsalt\$')"; echo
$6$saltysaltingsalt$SUVCFh9yeApgxgNsGKKoMHcHOUGmcn0GvTVbLaIWvcvZe7R/qzeee3AOgUMyjFcTmbmjCa6uRrrfua1WuZHQn0

Edit: My understanding is the salt should be unique for the database locally, i.e. it doesn't need to be unique for every salt ever known. And also, it's primarily to combat pre-hashing attacks, like rainbow tables. But if the password is symbolic + alphanumeric, do duplicate salts really matter?

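A worked illustration of what salt reuse actually costs, added here as an example and not part of the original post or its perl commands. It touches nothing in /etc/shadow: it builds a small constructed credential store (the user names, passphrases and candidate list are made up), hashes it once with the single shared salt from the question and once with a random per-user salt, using PBKDF2-HMAC-SHA512 as a stand-in for SHA-512 crypt, and then measures two things a defender cares about: whether equal passwords are visible without cracking anything, and how many hash computations an offline guess needs per candidate.

```python
import hashlib
import hmac
import os

# Constructed sample credential store for this demonstration. Two of the
# three users chose the same passphrase; every value here is made up.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "9d138ydHDTD8g1d!@%!23[asd",
}

# Constructed candidate list standing in for a cracker's wordlist.
CANDIDATES = ["password", "correct horse battery staple", "letmein"]

# The single fixed salt reused for every user in the question.
SHARED_SALT = b"saltysaltingsalt"

# Low iteration count so the demo runs instantly; real deployments use far more.
ITERATIONS = 1000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA512 digest of `password` under `salt`."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)


def store_with_shared_salt(users):
    """Weak scheme: the same salt for every record (as in the question)."""
    return {u: (SHARED_SALT, hash_password(p, SHARED_SALT)) for u, p in users.items()}


def store_with_unique_salts(users):
    """Standard scheme: a fresh random 16-byte salt per record."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


def distinct_hash_count(store):
    """Number of distinct digests. Fewer than len(store) means that equal
    passwords are visible to anyone holding the file, without any cracking."""
    return len({digest for _salt, digest in store.values()})


def offline_guess(store, candidates):
    """Simulate what someone holding the store must do to test every candidate
    against every user. Returns (set of users recovered, number of hash
    computations needed). Work is grouped by salt, because one digest computed
    for a given salt can be compared against every record sharing that salt."""
    by_salt = {}
    for user, (salt, digest) in store.items():
        by_salt.setdefault(salt, []).append((user, digest))

    recovered = set()
    computations = 0
    for salt, records in by_salt.items():
        for candidate in candidates:
            trial = hash_password(candidate, salt)
            computations += 1
            for user, digest in records:
                if hmac.compare_digest(trial, digest):
                    recovered.add(user)
    return recovered, computations


if __name__ == "__main__":
    for label, store in (("shared salt", store_with_shared_salt(USERS)),
                         ("unique salts", store_with_unique_salts(USERS))):
        users, work = offline_guess(store, CANDIDATES)
        print(f"{label}: {distinct_hash_count(store)} distinct digests, "
              f"{work} hash computations to test {len(CANDIDATES)} candidates, "
              f"recovered {sorted(users)}")
```

With the shared salt, alice and bob are exposed as using the same password by the digests alone, and each candidate costs one hash computation against the whole store. With unique salts the equal passwords stay hidden and the work multiplies by the number of users. That is the answer to the question: a strong password protects its own owner either way, but a shared salt removes the protection from every weaker password in the same file and turns the whole file into a single target.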
Advice needed for vulnerability notification

I recently received a phone call from an unknown number. I looked up the number and found a PDF associated with the search. I assumed it was just a mass phone number listing PDF but opened it up anyway. When the PDF opened, I saw it was actually an invoice. I could see the phone number I was searching for, plus: name, address, and products purchased. The transaction date on the invoice was 2015. I looked at the URL and noticed that the PDF was located in a folder called "2015". So I changed it to 2016 and removed everything that followed it: more PDF files. I clicked a few and sure enough they too were invoices. At this point Chrome displayed everything in a directory tree structure and allowed me to browse with ease all the way up to the site's root directory. There are thousands of files. I didn't browse them all, no need; I don't want or need anyone's information.

At this point my voicemail notified me I had a message. It turns out the phone number was the personal cell phone of the parts guy at my local car dealership. The name the guy left matched the invoice I first found.

So at this point I am left with a dilemma. How do I go about informing the company that their website is wide open? Should I do it straight up as myself or anonymously?

Should I notify the parts guy that his personal data is exposed due to this particular vendor’s website?

Cisco DNA Snort IPS/IDS VS Palo

Evening all!

I was hoping to get some feedback on a comparison between these two products.

To spare those who don't want to read all the poorly thought out context, TLDR: How does the DNA Snort IPS/IDS compare to a Palo NGFW or even the Palo Prisma cloud offering?

Reason for asking is we're currently in the process of a cloud migration and trying to scope some equipment and we're getting a pretty solid sales pitch for leveraging a v5000 with the DNA Advantage license which includes the basic SD-WAN security services (such as L3/L4/App-Aware Firewall and the Snort IDS/IPS with the Talos Signature updates).

If we went this route we'd essentially be taking that over a Palo IPS/IDS solution, and while I think I understand the argument the team is making for the benefits of having Cisco host the vManage for the gear instead of us having to build it out and deal with the virtual vEdges in our cloud environment, I can't help but shake the feeling that this isn't a real IDS/IPS replacement based on what I've read.

Past information on the Cisco DNA platform was pretty negative, but it seems like it's evolved considerably since then. Likewise, while Snort does sound like just an add-on, this community seems to have a fondness for it.
