EH-Net
May 25, 2013, 12:36:18 PM *
1  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Penetration Testing Areas & Popularity - Starting Out on: January 05, 2013, 04:32:59 PM
Hi everyone. Wow what awesome responses, guess I'll be hanging around here for a while. Thanks for being so kind to the newbie :)

Hayabusa - Thanks for your input. With regards to protocols I believe what you say about knowing the way things work in depth. I guess what I should start doing is learning how everything works at a deep level before I start worrying about how to break it in any significant way, as many security targeted books and courses will let me do. Without solid foundations any knowledge I gain will always have lots of holes that need fixing.

On that note, after TCP/IP - and then I'm assuming in-depth knowledge of Windows & Linux, would you recommend any particular area? If nothing comes to mind don't worry, I imagine I've just flippantly given three areas with a huge amount of information in them which will take me quite a while to get through and bring up 10s of questions I will need to continue answering on my own :P

With certifications I'll definitely check out eCPPT. I don't "need" certs in the sense I'm happy in the field I am currently in, but I find I learn well with a structured framework so I'll still look into it. Pen testing sounds the most fun :) but who knows, with experience I may learn to enjoy something else! Thank you for your awesome response.

cd1zz - Thanks for breaking it down for me like that. It's just what I was after. Helps me see what areas are really useful and what are the 'core' foundations to pen testing. Don't get me wrong, I appreciate that ALL areas of knowledge are definitely useful, but with everything some are used more than others. I'll definitely be focusing on networking and web applications (TCP/IP study ftw!)

ajohnson - Just a range of VM machines I've set up myself. Windows XP, Metasploitable / Metasploitable v2, De-ICE Challenges, OWASP BWA - the basics. I'll check out what other labs people have set up and take that on board for what I can integrate myself :) Thanks for your reply.

m0wgli - Thanks for the links, I'll definitely check them out!

Thanks again everyone, really appreciate the quality posts and it helps me a lot more with the directions I'll be taking (Networking / Web App focus, studying the knowledge in depth first before worrying about security concerns, then studying security aspects while testing out practical knowledge in a VM lab.)

Cheers!




2  Ethical Hacking Discussions and Related Certifications / General Certification / Penetration Testing Areas & Popularity - Starting Out on: January 05, 2013, 06:16:04 AM
Hi everyone - first post here. I tend to make long posts, so sorry in advance! Looks like a great community.

I'm an engineer with a growing interest in security-related computer topics. I'm not scared to read a ton, and I know that's required to learn anything in this field. I've also looked over awesome threads in your forum such as skills required for pen testers etc, which gives a nice high-level overview for the basics that are required. In other words, I have looked around a lot for this question I'm asking, please do your best not to tell me to search :( I promise I have.

After reading several books such as (sorry to list them all off)

  • "Backtrack 4, Assuring Security by Pen Testing"
  • "Grey Hat Hacking"
  • "Metasploit - The Pen Testers Guide"
  • "Google Hacking for Pen Testers"
  • "The Basics of Hacking and Penetration Testing"
  • "The Web Application Hackers Handbook"
  • "Backtrack 5 - Wireless Penetration Testing"

Currently Reading "TCP/IP Illustrated"

I feel as though I have a solid fundamental grasp of how different areas of security function, and unfortunately for me, how wide this area is for learning. I really feel like I want to knuckle down and learn more topics in depth (i.e. like learning about TCP/IP from the current book I'm reading) but I don't know what areas in pen testing are important / more important than others; or if it's purely a preference thing. It seems you can go into forensics, network testing, wireless testing, web application testing, exploit writing etc.

Give your experiences - Do you feel there is a particular field that is most used, or perhaps a topic that is most prevalent throughout? What should a beginner learn first? I understand the "soft" areas of security are important such as Linux / Windows / network protocols, but I'm curious if there is actually a security field that should be focused on?

If you had to recommend a certificate for someone starting out, what would you recommend?

I know it's hard to answer these questions, and sorry if there isn't a right answer, but any feedback you could give me on the topic would be greatly appreciated. If it does all come down to personal preference I can accept that, but at least I know I won't regret whatever I choose. I can also appreciate that it's hard to assign a right answer without knowing motivation and background, but for me really it comes down to really enjoying learning about security, fascinating how people can bypass / make things do unintended things and gaining access to systems.

Thanks so much if you've read this far. I look forward to participating in the community :)

© 2013 The Ethical Hacker Network