A little while ago I had a LinkedIn questionnaire...forgot about it and it popped up just yesterday. Thought I'd share the excerpt (https://breakingintocybersecurity.com/career/). A similar, more detailed guide by another fellow Melbourne-based pentester can be found here (http://securityshiba.io/Cyber-Security-For-Beginners/).
What Do You Do Within Cybersecurity?
I am currently a penetration tester; I ‘don’ the title ‘Cyber Security Consultant’ but am in a technical-facing role that works on pretty much 1 or 2 different clients a week. My role includes web and infrastructure penetration testing, Open-Source Investigations, Incident Response and some limited Forensic work.
Did You Always Want A Career In Cybersecurity Or Did You Migrate Into It?
I started out with gaming – I’d been breaking too many bones at the skate park during high school and so a lot of my time was spent on the computer. I tried a bit of game hacking and, after learning to program my own tools, started discovering the hacking community.
The hacking community filled my craving for curiosity and gave me the thrill of a challenge – the mystique of it really pushed me to learn the ins and outs of it. I was very fortunate to have some mentors that pushed me in the right direction – many people might disregard University as not the most ‘practical’ area to learn technical penetration testing, however for me it was a place I could focus on my skills and passion in a more legal environment. I met some incredible people there who continually showed the ‘whitehat’ path can be just as fulfilling and pays well at the same time.
During university I spent my time on Capture-The-Flag (CTF) competitions and online wargames; this allowed me to collaboratively learn while meeting some seriously awesome names in the industry. Seeing your name on scoreboards among other well-respected hackers is a big motivation, and being able to speak to them and learn from them was a priceless experience.
I never faltered from my passion to have a career in CyberSecurity – I think it’s always driven me and it’s my 24/7 goal, purpose and what takes up almost all my time! It’s an area that moves so quickly that you’re forced to keep learning, reading about new CVEs, reading blog posts and trying new things. IoT and embedded devices have certainly shown that there’s no ‘comfort zone’ in cybersecurity; you’re always moving forward.
I interned for a little while developing a secure protocol that really gave me a backstage insight into the developer’s life. This was super essential to my work now, as I can start to understand how my reports or my actions will be received, read and mitigated by developers. It’s also cool trying to attack a developer tool that you know the ins and outs of – it gives you almost an ‘insider feeling’ where you can test the parts you know will have a large impact on the organisation as a whole. Similarly, playing with Amazon Web Services (AWS), DigitalOcean, and other servers online gave me a look at the ‘whole spectrum’ of a server you could say – not just attacking a web front end but really taking the whole thing into context. The infrastructure, DNS, open source info, git repos, the software they’ve used, the OS and so on. All little parts that work together to give the user what seems like a nice front end – with multiple vectors of potential compromise for a hacker.
My career will almost certainly always be related to CyberSecurity – whether that takes on the form of more red teaming, hacking drones or something else, I’m sure it will always relate.
What Advice Would You Give To Someone Trying To Break Into Cybersecurity?
It’s really hard to translate a business trying to make money through cybersecurity into a theoretical, or even practical sense in a pre-work context. That’s simply the truth – you don’t come in knowing how to consult, write business-excellence reports or make calls on what you should say to a customer asking you to make calls about their security posture.
What you can do, however, is expose yourself to some things which make this transition a super easy one, allow you to learn quickly and get the job in the first place by proving it to the interviewers.
If you’re applying for cybersecurity in general (technical such as penetration testing, or general such as GRC), become aware of the landscape. This includes the people (Twitter, LinkedIn, Facebook groups), the current events and info (blogs, daily news, hacker cons) and the skills (CTFs, wargames, competitions such as CySCA).
Most web developers show up with a portfolio of websites they’ve designed for their interview – what about a hacking portfolio? My perspective of this would be a GitHub account with a tool or script you’ve made, or even a list of tools you’ve tried or used in CTFs. A list of CTF events and some of your favorite challenges and why, how you solved it and how it might be fixed (writeups). Possibly you’ve tried your hand at Bug Bounties – put down your findings and explain why they might be important. Most importantly, take advantage of your two feet and get yourself to a hacker conference – the people you meet there will become friends for life and will certainly welcome you into the community. Many incredible opportunities, experiences and learning can come from human interaction.
Finally, I would say apply for positions. Go to the interviews and learn what they’re looking for, what you may be missing and ask for feedback. If you can demonstrate learning from a few failed interviews, this equally demonstrates your persistence with, say, attempting a buffer overflow that won’t work the first ten times. Connect with people on LinkedIn – ask them questions, ask questions on Quora, soak everything up like a sponge.
Finally, start learning Linux. It’s not an absolute must some may argue, but it demonstrates your ability to learn technical concepts and provides powerful functionality for when used (and quite often). You want to gain experience with many tools, concepts and software that might not even relate to security – one day you might be testing it and wish you knew it better. Understand how things work and then you can start working towards exploiting it.
How Important Are Cybersecurity Certs And Which Ones Would You Advise?
Certifications are certainly more practical than theoretical courses such as Universities. However, I wouldn’t shy away from the one – learn as much as you can from any given opportunity.
The OSCP from Offensive Security is a hands-on cert that allows you to learn fundamental infrastructure, web and network penetration testing, with the added benefit of report writing. It’s a course which doesn’t rely on vulnerability scanners, and rewards students who script and code their own tools; in this sense it can be a very powerful tool for learning the ropes of penetration testing. Similarly, it gives experience in both Windows and Unix machines, and teaches the importance of recon and information gathering across all domains.
If breaking into a technical role such as penetration testing, I would recommend time spent on practical areas such as CTFs, Bug Bounties and OffSec certs rather than completing something like CEH or CISSP. If going into a more general role, those kinds of certs may be preferred.
Finally, try to save and enrol in one of the hacker convention trainings – these usually last 1-3 days and include some of the best InfoSec trainers in the world. They are costly but well worth it. Similarly, short courses such as ‘Automating OSINT with Python’ are worth the practical knowledge and pivot you into a more niche area of knowledge which is well worth mentioning to future employers.