Ticker

6/recent/ticker-posts

How to Build a Career in Cybersecurity

TheSecurityByte October 13, 2020

 



I’ve been doing Cybersecurity for around 10 years now, and I haven't spent most of that time writing but i get a lot of email asking the following question:

What should I do to get into Information Security?

I bet you have this type of question too. To explain you better  I have it broken down in these category. 

  • Type of Education
  • Type of Programming Languages you need to learn
  • How to Stay up to date with cyber world
  • How to practice ethically
  • How to do Projects
  • How to practice your skills
  • Have a presence 
  • Type of certification
  • Getting your first job


Education

let’s assume you don’t have a Tech background, and that you need to start from nothing. We need to learn you up, and there are three main ways of doing this:

  1. University
  2. Certifications
  3. Online

    4. I recommend doing Computer Science or Computer Information Systems or Information Technology with a good university. If you can’t do university you’ll need to learn another way, e.g., Online or certifications. Any of these will do as long as you have the curiosity and passion to complete what you start.

    Here are the basic topics you need to learn from either university, self study or certification:

    1. Networking 
    2. System Administration 
    3. Programming (programming concepts/scripting/object orientation basics)
    If you don’t have a good understanding in all three of these, and at least good strength in one of them, then it’s going to be hard for you to progress the early stages of an information security career.

    There are some great books out there (just Google it) that can show you the basics of a topic quite deeply. books are a good way to make sure you you understand a particular topic.


    Programming

    Programming is very important on its own. you have to have a basic knowledge of programming. if not then you will be severely limited in your information security career.

    You can get a job without being a programmer. But you won’t ever hit the elite levels of infosec if you cannot build things like Websites. Tools. Proofs of concept. Etc.


    Stay Updated

    One of the most important things for any cyber professional is a good source of inputs for news, articles, tools, etc.

    My recommendation is to use two main sources:

    1. Twitter
    1. RSS Feed
    1. Some Online Articals

    Follow people on Twitter who can show you to new ways of thinking, new ways of learning things, and new knowledge. And find all their sources and track those in your RSS reader. I recommend Feedly for RSS.

     

    Practice Safely

    You need to build a lab environment. Having a lab is essential. The lab is where you learn, where you run your projects and where you grow.

    There are a few options for lab setups.
    1. VMware
    2. VPS
    The advantage of a lab is that you now have a place to experiment. You hear about something from your news, and you can hop onto your lab and experiment about it.

    Here are some of the things you want to be able to do in such a lab:

    • Stand up a website on Windows/Linux/PHP
    • Build a blog on Linux/Wordpress
    • Have a Kali Linux installation always ready
    • Set up a proxy server
    • Build and run your own VPN on a VPS
    • Build an Active Directory forest for your house
    • Setup a Vulnerable Machine and test your skills
    Now that you have that list going, you can start focusing on your own projects.


    Build Your Own Projects

    You should always be working on projects. The idea is that you come up with a tool or utility that might be useful to people, and you go and make it.

    First, have a definite, clear practical ideal; a goal, an objective. Second, have the necessary means to achieve your ends; wisdom, money, materials, and methods. Third, adjust all your means to that end
    And while you’re learning, don’t worry too much if someone has already done something like that. It’s fun to create, and you will learn. The key skill you’re trying to improve is the ability to identify a problem.
    1. Come up with a solution, 
    2. Create the tool to solve it. 
    Don’t think about how many projects you have, just focus on interesting problems in security.

    Projects are all about showing, and collecting knowledge.


    Earn While You Learn

    Now that you got some solid understanding of concepts, Build a lab, did some projects. Now it's time to get your hands dirty doing Bug Bounties, 
    A reward offered to a person who identifies an error or vulnerability in a computer program or system.

    "Bug Bounties are awesome. According to the BBC, Ethical hackers can earn more than $350,000 yearly. Bug bounty programs award hackers an average of $50,000 a month, with some paying out $1,000,000 a year in total."

     There are two main platforms i recommend you to do bounties on: BugCrowd, and HackerOne

    The process is simple, you register on the site, look for a program you’re interested, and then you start finding bugs. Here are a few things to keep in mind:

     

    • Read the rules and limitations associated with each program very carefully.
    • There are manly 2 types of bounty program. Some pay money and Some 
    "A hacker does for love what others would not do for money"


    Have a presence

    Ok, now that you’ve done a few projects it’s time to let people know about them.

    Website 

    First you need a website. Avoid writing too much on other services like Medium or Blogger—and definitely avoid Facebook.

    Twitter

    it’s time to start following some folks. Engage in conversation. Don’t force it. Don’t overthrow when you aren’t knowledgeable about a particular topic. But if you have something to add then feel free to contribute. It doesn’t matter if you have 10 followers.

    Don’t take it too seriously. Many top security researchers on Twitter ramble on about nothing 90% of the time. don’t worry about it. Keep to the above and you’ll be fine.

    Certifications

    Let’s do this by levels:

    Beginner cert

    If you’re just starting out, I recommend you get the following certifications:

    1. A+
    2. Network+
    3. Linux+
    4. Security+

    Advanced certs

    1. CISSP for anyone who wants a career in security
    2. CISA/CISM for all-around security people who want to become managers
    3. SANS (GSEC/GPEN/GWAPT) for technical people
    4. OSCP for penetration testing oriented people

    OSCP and CREST are the most respected certifications for hardcore penetration testers, so definitely start thinking about those if that’s your interest. 

    Then there’s CEH. It’s there, and people sometimes ask about it, so you might as well get it just to have it. But don’t brag about having it and especially not around seasoned security people.


    Getting your first job


    there’s a weird thing happening with jobs in Cybersecurity. Employers think there are no candidates, and people looking to get into the field think there are no jobs. And they’re both right.

    but it turns out to have a very simple answer: there are no starting positions—only intermediate and advanced.

    Thing is there is no "Entry-Level" jobs in this field. 
    For real-world work, you’re going to need a blog, a GitHub account, a Twitter account, and most importantly—you’ll need to find or create projects you care about and actually produce code around them.

    Whatever—just get out there and create.

    Summary

    I hope this resource is helpful to people as they enter and move through the various levels of a Cyber/InfoSec career. It is a journey for sure, but a worthwhile one.

    Tags:

    Post a Comment

    0 Comments