Q: What courses should I take?
Look for classes that go beyond writing a program and seek courses on how computers work, how operating systems work, and how networks work. Good examples, which should translate to most colleges, include Computer Architecture, Operating Systems, Computer Security, Computer Networks, Cryptography (sometimes cross-listed as both CS and Math), Programming Language Concepts, and Compilers.
You can also pursue independent study. If your school’s computer security class is only high-level, try to find a sponsor for a more practical exploitation class. If your networking class is more “How does the internet work?” without much hands-on programming, see if you can craft a class (or just do it for fun) where you start writing your own router (there are frameworks that make this easy to get started).
Q: What computer languages should I learn?
Learn assembly to understand the computer at a low level—it will be beneficial in disassembling and reversing your own binaries. Learn an interpreted language like Python; it’s easy to learn, hard to master, but a great introduction to software engineering. Learn C. Despite its age, most operating systems and other core software are still written in C. C is crucial to know for exploiting a computer's software or the network it runs on.
Learn about disassemblers and tools to analyze binaries. Tools you could learn include IDA, Ghidra, Binary Ninja, GDB, objdump, WinDbg, and x64dbg.
Q: What campus resources should I take advantage of?
Look for opportunities to learn more about low-level disciplines that classes probably stop short of. Examples include computer security clubs that participate in capture-the-flag (CTF) competitions and clubs that have a need for embedded systems development.
Q: Should I participate in CTFs?
Next time you do a CTF, instead of falling into what you’re comfortable with, try something new. For example, if you’ve written a solution to a crypto problem using Java because it’s what you were familiar with, focus solely on using Python during the next CTF. CTFs are for learning first and winning second. If you learn enough during a CTF, you’ll win at applying those skills to an actual job (where the stakes are higher than just what place your team got on a scoreboard) and it won’t matter that you didn’t end up finishing a single problem yourself.
You can also study public write-ups of exploits/viruses, CTFs, and hackme challenges. Find a write-up of how a team solved a particular CTF problem, but don’t read it. Instead, find the problem itself and start trying to solve it. Then use the write-up only as necessary when you get stuck. This will allow you to learn the information instead of reading it and not really retaining much. Read malware reports and think about how you could have found the malware yourself, how to mitigate it, and how you would have written the malware better to evade detection.
Q: What else should I study?
Spend time learning the fundamentals of computers. Learn how data goes from an application over the network to a server, and all the ways this data can get lost or corrupted. Study how multiple programs run at once—and when multiple programs actually run at once versus when multiple programs only appear to run at once. Read about how resource control works. Investigate how you can run the same program twice so that the two instances don’t interfere with each other.
If you're curious to learn more and are interested in self-study, talk to friends and instructors about educational resources. Ask them about websites you can visit and books you can read to learn about these topics:
- Pwnable challenges of varying degrees of difficulty
- Binary hacking
- Modern binary exploitation
- Reversing and exploitation
- Bug classes and shellcoding
- Reverse engineering for Windows
- Software security assessments and identifying and preventing software vulnerabilities
- Experiences of bug hunters
Hobbies are a great way to learn—either by yourself or with like-minded friends. Run your own website to gain experience with sysadmin-type work, securing the site against potential attacks, monitoring common vulnerabilities and exposures (CVEs), and applying patches. Go beyond those: look at what the CVEs say, find the bug itself, and compare the patched software to the previous version to identify what changed and why it mattered. Look into a fun project that Raspberry Pi supports and set it up. Then extend it.
Look at job postings. The quarterly hiring thread on https://www.reddit.com/r/netsec/ can give you a sense of the skills people are listing; then teach yourself those skills.