What service typically runs on port 5900? What are the layers in the OSI model? What do the TCP flags mean? What are the CIS top 20 critical security controls? What does HTTP status code 504 mean?
Infosec is full of things you need to remember, as evidenced by the popularity of cheat sheets, and the profound amount of Googling involved when natural information recall fails us. Unfortunately, we don’t always have the right cheat sheet in hand, and Googling can be slow and often turns the simplest activity into a game of wading through irrelevant or poor-quality search results. Sometimes neither of these things are an option at all, such as when giving a presentation or taking an exam for a certification.
Spaced Repetition Software
My personal experience with facts and memorization is that some information would just stick, whereas other things would fall out of my brain seconds after they entered my ears. It seemed that the sticky information must be processed differently to the pesky forgettable stuff and unlocking that process would be an incredibly useful life hack. If I had something that formalized the process of remembering information in a way that takes advantage of how the brain retains information, I could have better recall of things that otherwise escape me.
Enter spaced repetition.
Spaced repetition takes advantage of the brain being more efficient at encoding information into long-term memory when the study of that information is spaced out over periods of time. It’s the opposite technique to cramming, where you try to memorize something in an intense, single study session. Take the example of a television commercial, which has the goal of planting the vital information “buy more of our products” into your head (with or without your permission). If an over-zealous company bought up an entire block of commercial space during prime time and aired their commercial back-to-back seven times, it would not stick in the viewer’s mind particularly well. If they bought a single daily slot and the viewer saw the commercial once every day for seven days, they would be sure to remember it in detail, perhaps even becoming so familiar with it that they could repeat the spoken dialogue in the commercial. It would stick in their long-term memory too, leaving them with a valuable impression of the product far beyond the original commercial run.
This is the pattern we need to take advantage of for our own fact-memorization benefit, and the tools used to do that are called Spaced Repetition Software (SRS).
You might have come across this software before without knowing it. Exam preparation sites often used space repetition techniques, using custom algorithms to repeat individual questions at intervals depending on whether you have passed or failed that question previously. It would be far more powerful if we could control the content we’re learning, as well as parameters of the learning process, allowing us to build up a personalized internal corpus of knowledge applicable to short-term goals (e.g. upcoming exam attempts or presentations) or long-term recall (some things we just want to know forever).
Anki—pronounced “an-key” after the Japanese word for “memorize”—is the most popular SRS software, and likely encompasses everything you will need. It uses the SM2 algorithm pioneered by the older software SuperMemo. It’s possible to look into the exact workings of the algorithm and tweak it to your personal needs by changing parameters and using plugins, but for general use you can just trust Anki’s default settings and let it drive your learning experience. The software is available for every major computing platform, including mobile devices.
The core mechanism of the SRS studying process is simply reviewing flashcards. Something on the front of the card serves as the question or prompt, e.g. “what typically runs on TCP port 80?” and the reverse of the card—hidden until the user presses a button—shows the answer (in this case, “HTTP web server”). If you were able to recall the answer before (virtually) flipping over the card then you click the “pass” button, otherwise you click “fail”. Anki will choose a selection of cards for you based on your current mastery of each individual card and how new the card is, along with other factors. This interval choice is driven by the SM2 algorithm and is designed to take advantage of the psychological tricks involved in optimizing information retention.
Finding and Making Decks
The art of using Anki for building up your ideal corpus of information that you can retrieve via memory recall is to curate a personalized set of Anki decks covering the exact things you want to remember. This will involve taking decks that others have shared, such as this Nmap Cheat Sheet as well as making your own. Finding decks is easy; the community at AnkiWeb provides a searchable database of pre-existing decks made by other people that you can easily import and use for yourself. Anki is used across so many fields that you can find cards related to all kinds of topics, such as language acquisition, medical study, trivia and of course, infosec.
Making your own decks is naturally a more involved process but is easy enough that it can be done seamlessly during a study session. Decks are primarily created by editing the front and backs of a card using basic HTML, but the option exists to add media such as voice recordings and images, giving you the option to simply clip an image or speak a voice memo as the back of a card. This is where the true power of SRS comes into play, as you have the ability to simply throw nuggets of information ad-hoc into your decks, allowing you to hone in on that specific things unique to you that you have trouble retaining, or even training yourself to be a domain expert on a very specific set of knowledge.
One particularly useful scenario for SRS is studying for a certification. If every key point is added to a custom Anki deck as you consume it in the teaching material, daily review with Anki will make sure that you have it committed to memory when the exam comes around. What a life hack!
Some knowledge you want to retain forever, whereas other knowledge only has a limited lifespan. What happens when your decks keep growing and you amass an overwhelming and unmanageable number of cards?
For the exam that has been taken and aced, you can simply remove the cards or deck relevant to it (unless you really want to retain the knowledge permanently, in which case keep those cards around).
Some other knowledge simply just needs to be retired. After a while it becomes apparent that you are never going to forget most of the TCP flags, and you’d like to phase them out of your card rotation. Using addons such as MIA Retirement it’s possible to have Anki judge when it thinks you’ve permanently learned a card and remove it from the deck (and eventually the full deck itself), providing an automated cleanup process.
The art of deck management is the way to truly get the most value out of SRS. Separating decks by subject matter, using plugins to tailor the study process and pruning content as necessary makes the daily study process as effective as it can be without ever becoming overwhelming. The stats screen in Anki can help you here, is it gives you a projection of your upcoming reviews over time, giving you the information to judge whether you can handle more information or if you need to prune your existing decks.
Involving Anki or other spaced repetition software in your studying process is potentially a major change, particularly if you didn’t previously have a process for retaining information, or if like me you’re not somebody who even reviews their notes. If the idea interests you, start small. Pick one specific area of knowledge to focus on, find a relevant deck, and see how it helps you commit that information firmly into your memory. From there you can widen the process as much as you like, using your own decks and decks shared online!