Reference to Facebook Group: Breaking into InfoSec
So you wanna be an infosec rockstar, and live large? Zero days & fast cars?*
But seriously, most people are hear as they want to, as the title suggests, break into InfoSec from a pre-existing IT career. So, whats the difference?
One thing that people look for when interviewing for junior / early career Infosec jobs is PASSION. . . the willingness to stay-up all night learning the new things, to keep up and head of the curve. A lot of the tech can be taught, but the passion has to be already there. You want to be able to demonstrate that pre-existing passion.
Knowledge is power. Leverage blogs, twitter and other services to keep finger on the pulse of whats new in InfoSec.
Create a twitter account *solely* for InfoSec related content. Add the key players, see what they’re reporting or retweeting. Put your slant, reach out and talk to them.
(Mine is @2wiredSecurity, and its enabled me to talk to my heroes, and helped me land my first job in IT Security. 2 years later, I still can’t recommend this technique enough.)
First and foremost, : Learn the TCP/IP stack intimately, learn to use
Ok, so, you’re hooked up with the latest news, from some of the bigger mover and shakers. You’re firing up your passion… now what? Time to roll up your sleeves and get to it!
Blue Team? Red Team? What area suits me right now? The short answer is: whatever leverages your existing skills and interests. If you already know the underlying tech or foundations, learning the new stuff will be easier. If it sparks a flame in your heart, you won’t even notice those hours spent turning pages and booting up virtual machines fly by. So get out there and whet your appetite!
Have a go at the OLEDUMP project to start yourself off on the Blue team (defense) here: https://dfir.it/…/analysts-handbook-analyzing-weaponized-d…/)
Learn the basics of a scanner like Nessus to discover vulnerabilities on your network: (https://www.cybrary.it/…/nessus-fundamentals-certification-…)
Or maybe just kick things off by getting to grips with OSSEC host intrusion detection system (HIDS) here: (https://www.pentestpartners.com/…/diy-how-to-build-your-ow…/)
Start by learning to use Burp Suit (http://academy.ehacking.net/…/burp-suite-web-penetration-te…)
and BEEF (https://www.hackingloops.com/beef/)
have then a little go at the SQL injection course here: (http://zerofreak.blogspot.co.uk/p/sqli-tutorials.html)
CYBRARY MegaDump inc books, videos and more: https://www.cybrary.it/…/information-research-content-cate…/
****** BOOKS ******
Here are some of the “bibles” you need to get acquainted with for a generalist Infosec role:
I) “WireShark 101”
II) “The Art of Memory Forensics” http://www.amazon.com/Art-Memory-Forensics-Det…/…/B00RI5ZKCI
III) “Practical Malware Analysis” http://www.amazon.com/Practical-Malware-Analys…/…/1593272901
IV) “The Practice of Network Security Monitoring: Understanding Incident Detection and Response” http://www.amazon.com/Practice-Network-Securit…/…/1593275099
V) “The Tangled Web: A Guide to Securing Modern Web Applications”https://www.amazon.com/Tangled-Web-Securing-Mo…/…/1593273886
****** Certification ******
Ok, this is possibly the most controversial section. Some people will say:
– “certs don’t mean anything, they can be basically bought by forking out a few thousand dollars, attending a bootcamp and passing the exam on the last day.”
– “the proof of in the pudding is in the eating, and that it doesn’t matter how many certifications you have if you’ve no real world experience.”
– “In an ideal world, your experience should be all that people need to check”
My argument is that, simply we don’t live in an ideal world. Your application is a response to a job vacancy written up by a HR staffer, if you’re lucky, or a 3rd party recruiter with little to no understanding of what that role requires. Hence you see roles like “Junior Analyst required, must have CISSP”. Thing is, you need 4-5 years of direct InfoSec experience before you can fully achieve the CISSP. . . . its like asking for someone with “Windows 10 Admin with 15+ years experience”…
Right, rant over. Heres the realities, as I see it.
Certifications offer a standardised way recruiters, HR interns and automated CV scanning software gauge if you’re qualified to get an interview. After that point, its all about what you actually know, can do, and how you communicate. But lets concentrate on getting you to that point, and worry about the rest afterwards!
Remember, this is in no way a comprehensive list, nor is it listed in order of importance, difficulty or cost.
o CompTIA Network+
o CompTIA Security+
o Mile2 C)PTE – Certified Penetration Testing Engineer
o GIAC GSEC (GIAC Security Essentials Certification)
o ISC2 SSCP (Security Systems Certified Professional)
o Cisco CCNP Security
o Palo Alto (various)
o Juniper (various)
o CompTIA CASP
o Offensive Security OSCP (Penetration Testing using Kali Linux)
o GIAC GWAPT (Web Application and Penetration Testing)
o GIAC GCFA (Certified Forensic Analyst)
o GIAC GREM (Reverse Malware Engineer)
Advanced (Management orientated)
o ISC2 CISSP
o ISC2 CAP
o ISACA CISA
o ISACA CISM
Here are two “certification path” guides, issued by two major certification issuers, CompTIA and SANS. Bear in mind that both of these are highly biased, as each is in the business of delivering training materials and certifications for profit, so read between the lines, and use the suggested skill-sets to roughly gauge your intended direction. There are far more certs out there than those listed here, and some are more difficult / popular / valuable than suggested, others are far far less. As the Romans used to say: “Caveat emptor!”
****** GROUPS TO BECOME INVOLVED IN ******
Join / Start a local DefCon group, or OWASP chapter. Attend every meeting. You have two ears, and one mouth, so listen, and learn.
Defcon Groups: https://defcongroups.org/
OWASP Groups: https://www.owasp.org/index.php/OWASP_Chapter
After 3-4 meetings, and within 6 months submit and give your own talk. Within a year, volunteer to help run it. I now co-run a DefCon group.