Spencer Alessi

Spencer Alessi

hacker | pentester | researcher | active directory connoisseur | wiz-bang exploit slinger hiding in the shadows | Live now, be yourself, remember death 🛹🏂👨🏼‍💻🎮❄️🏔📷

Defensive Cybersecurity Mega List - FREE Training Resources

  6 minute read  

A mega huge list of Cybersecurity Training Resources, that are completely FREE. This list has a little bit of everything, from Blogs and Webcasts to college level courses. This list is for anyone who is new to cybersecurity or is just getting into the industry and has only a few years experience. I think you will find this to be a really great starting point for advancing your knowledge and hands on skills.

Why did I create this?

  1. Not everyone can spend oodles of money on training. SANS training is really great, but it comes at a cost. Traveling to conferences is great, but it comes at a cost. Attending a university (in person or even online) comes at a cost. Online training platforms and things like Udemy are really great, but it comes at a cost.

    There is really great content out there that is completely free. This content is absolutely great for anyone with no to a few years experience in Cybersecurity. You don’t need to spend an arm and a leg to get started.

  2. Offensive Security Content Bias. There’s an abundance of great free content related to Offensive Security and Penetration testing. It makes sense too right. It’s the flashy, sexy, fun and newsworthy part of Cybersecurity. Pentesting and hacking is super fun, even when you’re just starting out and learning.

    On the other hand, defending against attacks is not always as easy as firing up Kali, running a free tool and getting domain admin within minutes in a poorly configured environment. There’s oftentimes a lot of red tape, personalities to manage, legacy systems that break when you try and fix things and that list of headaches goes on and on. That’s one reason why there isn’t as much content for defenders.

    But rest assured, there is actually a whole lot of really great FREE training resources for the defensive minded cybersecurity professional and aspiring professionals.

Note to the reader: Google is your best friend, use it, a lot! Whether you’re a seasoned professional or just getting into the industry, google is one of the ultimate best resources available to you and me!

Quick Reference Guide

Defensive Security Handbook: Best Practices for Securing Infrastructure

Black Hills Infosec Blog & Webcasts

SANS Organization

ADSecurity[.]org

Command Line Kung Fu

Springboard Foundations of Cybersecurity

Massachusetts Institute of Technology: 6.858 Computer Systems Security

Standford University: XCS100 Introduction to Web Security

Cybrary

National Initiative for Cybersecurity Careers and Studies

Defensive Cybersecurity Training Resources Explained

Defensive Security Handbook: Best Practices for Securing Infrastructure

This book is far and away one of THE best books on defensive security for anyone new to the industry. This book will help you learn the basics, while arming you with the information you need to get a security program started or improve upon an already existing program. This book was written by Lee Brotherston(@synackpse) and Amanda Berlin (@infosystir) who together have decades of experience in information security. This book is a quick and easy read. So good in fact that you will find yourself reading it multiple times and referring back to it regularly.

Black Hills Infosec

BHIS hosts webcasts several times a month. They are some of THE BEST Blog & Webcasts in the industry. They are conducted by actual security practitioners and most of them cover both attack and defense. These are a must watch. You will seriously learn a lot from these, and often times walk away saying to yourself, “Wow I really should implement xyz.”

SANS Organization

SANS is a really great organization that provides a number of really beneficial services to the community and the industry. When it comes to free resources they have an abundance of things, such as: Webinars, posters and infographics, whitepapers, free training, newsletters, security tools and so much more. SANS does really amazing work, I highly recommend you check out what they have to offer.

SANS Cyber Aces is one of their free offerings and is an online course that teaches the core concepts needed to assess, and protect information security systems.

SANS Paid Resources. When it come to things that cost money, they have an institute where you can learn academically as well as a number of different types of conferences that focus on everything form Security Awareness, to Penetration Testing to Industrial Control. At these conferences are hands on week long training courses on specific topics such as Security Essentials Bootcamp and Blue Team Fundamentals.

ADSecurity[.]org

I don’t expect those new to cybersecurity to jump right into the content on this site, however, if you’re at all familiar with Windows networks or Active Directory, this site is a gold mine. Chances are good that your current or future employer runs an Active Directory environment. Learning about AD is never a wasted effort.

ADSecurity.org (Active Directory Security) is a place where Sean Metcalf shares Microsoft enterprise security guidance and information about current threats to enterprise networks & mitigation for these threats, Active Directory design and configuration tips, as well as leveraging PowerShell in an Active Directory environment. Sean Metcalf (@PyroTek3) is a Microsoft Certified Master (MCM) and legit Active Directory wizard.

Command Line Kung Fu

The Command Line Kung Fu blog is all about command line and scripting. The site is no longer actively updated, however, there is a huge collection of scripting tricks and 1 liner magic in their archives to keep you busy for months. If you’re into linux, scripting, command line magic, definitely read this blog. They describe the site like this:

“THIS BLOG WILL INCLUDE FUN, USEFUL, INTERESTING, SECURITY RELATED, NON-SECURITY RELATED, TIPS, AND TRICKS ASSOCIATED WITH THE COMMAND LINE. IT WILL INCLUDE OS X, LINUX, AND EVEN WINDOWS!”

Springboard Foundations of Cybersecurity

Springboard has mostly paid content, however, this free Foundations of Cybersecurity course is really cool. It’s a collection of content and resources that was put together from a number of different sources. They pull free content from SANS and vendor blogs such as Kaspersky and major news articles from sites like Wired. Not all the content is in written form though, they also have videos in this course. It’s a great starter course to get your feet wet and begin introducing yourself to Cybersecurity.

Massachusetts Institute of Technology: 6.858 Computer Systems Security

Their Computer Systems Security class is all about the design and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and techniques for achieving security, based on recent research papers. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware security, and security in web applications. Definitely check out thier huge collection of open courseware for other subject areas that interest you: MIT OpenCourseware

Standford University: XCS100 Introduction to Web Security

In this course, you’ll learn from experts in the field about the Fundamentals of Web Security and some of the latest threats and their defenses. You’ll gain a deeper, technical understanding of cyber security, the Internet’s common and emerging vulnerabilities, and techniques for addressing those vulnerabilities. Topics include: click-jacking, frame busting, attacks on TLS, password breaches and more.

Cybrary

Ok ok, this again has a lot of paid content, however, Cybrary does have quite a bit of free content. Trust me, they have really good stuff. Highly recommend creating a free account and exploring the topics.

Cybersecurity Career Resources

If you are searching for free cybersecurity training courses and content, chances are that you are either looking for a job, are recently hired or are looking to make a move to cybersecurity. That’s awesome! I have a lot of thoughts on how to set yourself apart from “the competition” and how to land your first or second job in cybersecurity, but i’ll save that for another day.

NICCS

The National Initiative for Cybersecurity Careers and Studies is a great resoures to comb through for all things cybersecurity workforce and career related. On that site you will find outlooks on cybersecurity careers of the future, what talents and skills employers are looking for, tips for starting your cybersecurity career and seriously a whole lot more. There is content and tips and strategies for students and new job prospects, educators and even employers. Definitely a great resource!

You may also enjoy

Why You Should Have A Personal Blog as A Pentester

  4 minute read  

Writing on a personal blog is a really great investment in yourself. It shows gumption and can be a sign that you take your career seriously. It can be an outward display that you “know your stuff.” A person blog is also a great place to link to open-source projects you work on, or tools you’ve written or CTFs you’ve participated in.

Twenty Days of Consistent Writing

  2 minute read  

What happens to your brain when you write every day? The results are pretty interesting, at least for me personally.

Complexity Is The Enemy Of Security

  2 minute read  

As a Security Practitioner, you win or lose by how you strategize, plan, design and build. To me that’s some of the most enjoyable parts of security. Thinking of creative ways to solve problems. The issue becomes, sometimes the more creative we are, the more complexity we add. Complexity adds to confusion. Confusion leads to more problems and problems lead to incidents.