#cyber-and-careers
Most of THM users are from the UK 😄
@cursive shale good to know.
How are the recruitment in the UK in the South East guys?
just curious
Most of THM users are from the UK 😄
@cursive shale 👍
@radiant apex how east?
well surrey,hampshire area
How are the recruitment in the UK in the South East guys?
@radiant apex Depends what you're looking for and what your experience is
@warm hinge thanks for your reply. I have no IT background. I passed my EJPT, now studying PTP. PTP is a big jump from EJPT.
You got a degree? Are you specifically looking for a pen-testing job or any IT job? My advice would be to try and find a support job to get experience and then go from there. It's going to be tough to jump straight into a pen-testing job
@warm hinge I have a degree but not in IT. Any cybersecurity roles, not necessarily pentesting. Let's see, I am in the army right now, I am just learning on weekends and evenings.
Even security is going to be tough to get into straight away. Entry level security roles aren't entry level by an IT standard. Even people doing entry level security roles tend to have to have a background in IT first
Maybe somebody else can chime in, a lot of the guys here who walk straight into security roles already have a strong background from learning security stuff while they're still at uni. In order to get my first security role I worked full time in infrastructure for 2 years while studying my degree, volunteering for a cyber security charity and doing TryHackMe write-ups. I'm not trying to put you off of course but thought it would be interesting to let you know what my path to security was
@warm hinge No you are not putting me off. I appreciate your time to help me here. I will start volunteering once i acquire my PTP while i keep my main job.
This is the program https://digitalskills.njit.edu/cybersecurity-professional/
Are there any rooms geared towards the Security+ exam?
there’s not a lot since I believe sec+ is a primarily just theory cert however Introductory Networking, Introductory Researching, Google Dorking, Web Fundamentals, Networking, MAL: Malware Introductory — maybe not sure about that one. Those are going to give some general help I believe
Yeah I figured something like introductory type rooms would be helpful
Sec+ is so broad many many of the rooms could apply to it
In particular try the Networking, Linux and Cryptography ones
Sec+ is theory. Just watch Prof Messer and read GCGA
Are E learn Security courses worth it?
Totally.. eJPT is getting really well known as a beginner level cert and other content they got is pretty good as well.
Thanks ..
Hey guys, my job is looking for basically a backend developer. Check out this document for full details, DM me if youre interested/ have any questions. It would be expected for you to move to Fairhope, AL
I’m honestly not exactly sure if this is allowed or not @gray reef can we post job openings?
Oracle has already approved this.
👍
Go for it with postings
I remember it (Dark was it i think) when last time a guy posted for a job and admin approved it.. and said its allowed to post job postings in this channel.
Hey guys! Would you suggest putting your THM experience in your resume, and if yes, then how?
I just graduated uni and I am looking for my first job in the IT field. Preferable security, but I will take any IT job. I just want to learn as much as I can.
Hey guys! Would you suggest putting your THM experience in your resume, and if yes, then how?
@astral lily I just put my rank I think, and the fact that I'm a CM. I did like:
```
Serial CTF Addict
- #2 on TryHackMe.com, Community Mentor
- Winner of <BIG NAME> CTF
- Founding Member of Cyber Security Society
```
My problem is, I don't really have any corporate experience. The only experience I have is working on a confidential project for an organization. Plus, the fact is my rank keeps on changing continuously, like every 2 days. I am learning a lot here, and as soon as I finish a room, the rank changes. I am currently 4525, but it might change once I finish the rooms I am in right now. But anyways, thanks for the answer tho! They don't really seem to care about THM experience here in Canada
you don’t have to go into specifics just something to show that you do your own research and are an active member of the community with your own initiative
Sounds good. I guess something along the lines of "Active member of THM community. Ranked ---- out of ---- members. Loves to solve challenges and learn about Infosec stuff.(The last line isn't really good but you guys get the gist, I guess)"
@astral lily I would lead with the rank first, it is the most impressive 🙂
@rugged sable sounds good! I don't really have an amazing rank (4525 currently), but once I break into the 3000 mark, that might be a sweet thing 🙂
What's a good ranking number? Top 5%, 10%, 25%? Of course the higher you are the better but percentage wise, especially for someone with IT experience, what do you think is a good number to include? At what point would it not make sense to add ranking to the resume?
I put rankings for CTFs but not sure about platforms like THM. I would just put # of boxes owned and roughly what they covered (web, AD, cryptography, etc.)
Unless you were something like top 100 or something
Your thm badge like some people have on their blogs can be a cool thing to have on it as well
It will show rank, username, rooms completed, rooms in
Creating rooms is a good thing to add too
so I am trying to convince my consultant company to pay for a certification for me. I heard many good things about PTP by elearn security. Also I am thinking if I finish it and I like it to maybe go for PTX afterwards. Anyone with some input or other recommendations?
It would depend on your role and end goal. If you aren't working as a penetration tester yet, prioritizing and investing in the OSCP would make sense.
ye, but I heard PTP is better than OSCP from a couple of people who have both.
so that is why I am asking
That's why your end goal matters.
OSCP is more recognised
The OSCP is the industry standard.
ELearn is getting better recognised over time
oh ok. Maybe I will start with OSCP 🙂 Hopefully they will pay for both. Thanks for the input ! 🙂
If you're having trouble convincing them with PTP, saying you're interested in the OSCP might open that door for you
As a consultant you should think about how clients will perceive your certs. eLS is still relatively unknown compared to OSCP, the GIAC ones or other ones that have been around the block for a while
Ye, you have all given me good directions. I will go for OSCP and PTP afterwards. Thanks for all the help 🙂
Does anybody have any experience with taking Comptia's cert exams at home? How strict are the proctors when it comes to background noise/traffic, and how long does the test normally take?
(Network+ in specific)
not strict about background noise
like, make sure there isn't a tv on
or music
but if its a car honking/passing by, its whatever
make sure you dont put your hand over your mouth btw, they don't like that
Hello guys, what is preferred certificate for beginners in cyber security?
OSCP is a highly recognised cert. But it depends on what the requirements are for the job you want to do. Cyber security is a wide term. The Security+ and Network+ qualifications are also highly recognised too
I'm a beginner, and I'm getting a Comptia Network+ certificate right now atm. You could also look at Security+ if you're already more familiar with the content, but usually having actual experience or projects can help a lot
What about CEH?
Personally CEH is a nice base to have. However never ever have I had an employer seek it, and some didn't even know what it is (HR people)
CEH is pretty much a joke, unless you want to work in DoD, since it's one of the approved certs in DoD directive 8570.
So as a beginner I have to go with Security+ and after gaining some real work experience I have to do OSCP?
Network+ and Security+ are all vendor neutral, and proves that you have the basic knowledge and fundamentals of networking and network security/administration, which is essential if you want to be relevant in the Cybersecurity industry
it's a very good foundation imo
OSCP would prove that you want to specialize more into pentesting and similar roles
Okay thanks a lot for the information
what about pts cert? im thinking of taking the cert then go for security+
I'm a beginner, and I'm getting a Comptia Network+ certificate right now atm. You could also look at Security+ if you're already more familiar with the content, but usually having actual experience or projects can help a lot
@warm hinge
From what I can see, the PTS cert is basically like a mini version of the OSCP cert, it's a good stepping stone for getting into Pentesting
i will take it then thanks
I think you should do research in your own area though
see how relevant the PTS cert is in jobs near you, and see if any companies recognize the cert, since it's not as widely recognized as the OSCP
I have the eJPT (PTS certification), got it last year. I have seen it pop up on less than 5 job posts the entire time.
It's an awesome starting point for learning but it isn't recognized. I would recommend if you want to earn the eJPT, couple it with CEH (Practical) (it's usually $550, but if you apply for and get the scholarship before the end of the month, it's $99) or Security+.
eJPT + CEH (Practical) or
eJPT + Security+
Seems like quite a lot for 4 hours of content for 802.11
(WiFu)
very interesting to hear those thoughts though @languid hearth (: thanks for sharing!
someone had posted about a Defcon wireless village writeup
and I believe after taking OSWP, I'd have been able to sufficiently complete all the challenges with the knowledge learned
if you have the $400 to spare and a weekend free, I'd highly recommend it. Wireless technologies haven't changed too much, so despite its age, its still very much relevant.
I think 4 hours is definitely overkill, because I had the report done within 4 hours of starting my exam lol
That's on my list of certifications. Have way too much learning to do for the next 4 months. But maybe I can squeeze it in December. 😊
Probably going to end up doing both the OSWP and OSCP first quarter of next year though.
OSWP is a great primer to OffSec courses, it gets you a feel for their format and is pretty easy
@quasi stream can we spin spook's post
oh wait u did
nvm
imagine if i read before i posted
mood
I think it's a really good perspective into a handful of certs so (: got pinned without a doubt
least not it was spooky
I really should go back and take eCPPT and eJPT to get a proper overview of the courses
@languid hearth Can you take every possible CERT so we can have a full range review? 
"The 147 certs live in harmony, until the fire nation attacked. Only Spooks, master of every cert, could bring harmony"
why would you take ejpt when you have certs above that level?
^ x2
Because he has money and likes the spicy paper
your cert game is too good
Hi everyone
Hi everyone, I am thinking about doing a compTIA security+ course and I was wondering does anybody here know or have any advice about cybrary if its any good or worth paying for? I have done some research but find a lot of mixed reviews
I haven't used Cybrary for Sec+, but I've heard a lot of people who use Professor Messer succeed.
Highly recommend Professor Messer- I didn't specifically watch his Security+ videos, but his Network+ videos are very detailed and in-depth, and covers pretty much everything you need to know about the cert exam
I assume that his Security+ is probably similar
Great I will check it out now! Thanks for the recommendation 🙂
There's tons of resources for learning Security+ so pick whatever matches your learning style and budget. For me I didn't want to spend a lot of money so I got a book from Mike Meyers at the library and spent $20 for Prof Messer's course notes
Also Jason Dion's practice questions on Udemy
Yes I am in a situation where I can't afford to spend a lot of money on courses but I am willing to if they are worth it. My biggest worry is wasting time rather than the money! Thanks I will check Udemy for practice questions too, thats a good idea
You can definitely study for the cert exams for free, there's a lot of free material out there on the internet, especially YouTube.
Comptia even gives you the exam objectives, which basically outlines everything that will be asked on the test, and you can use that as a study guideline for what you should be focusing on
You can definitely study for the cert exams for free, there's a lot of free material out there on the internet, especially YouTube.
@warm hinge but its very difficult if you havent got real experience
they even recommend 2 years experience
I mean- there's a perfectly good website really close by that you can get some pretty decent experience with, and it's mostly free
@warm hinge link 😄
plz
LMAO
I mean- you definitely can't get enterprise/corporate experience without already being in the field, but you can definitely get very similar experience via all the free ethical hacking training websites.
yeah true
You can learn a great deal about networking and security in general just from them.
i have been working in tech for 4 years now but i really wanna change career and cyber is one of my biggest interest
As long as you're doing them for educational purposes and with the intent of learning the entire system, rather than just doing it for points and "hacking"
solid
Also, cybersecurity is a very broad subject that entails many diverse roles. I suggest looking up the different roles at companies for cybersecurity/infosec, and focusing on the skills needed for those jobs
Participating in CTFs or developing boxes is a resume bullet point that most cybersecurity jobs consider
@warm hinge sorry whats developing boxes?
what do you mean by it?
It counts as experience if you're able to sell it
Developing boxes = developing CTF challenges, like rooms on THM
Creating a vulnerable VM with flags to capture
Or making walkthrough content
It's good to start with walkthrough content if you want to start contributing
I have been looking for a job in tech for a while. I had been learning python and java during the lockdown and found THM about 3 weeks ago and have been hooked on it since. I have been researching jobs in my country and find most of them mention compTIA (among some others) in their job descriptions, which is why I want to work towards getting certified as soon as I can, but for sure anything I do will be in conjunction with THM. It's a big jump from lifeguard to SOC analyst for example 😅
if you're a junior expect to apply to over 200 or so jobs before you get a phone call
Oh trust me I have no illusion about walking in to a job, but I will be happier with myself when I can at least start applying with some self confidence in my abilities.
Does anyone know about CISSP certificates? and how difficult to get it.
CISSP has a 5 year pre-requirement that is verified, or a sponsored requirement from your employer.
I guess I will skip 
at the risk of being annoying and asking a common question, im a cs student with virtually no exposure to the technical side of cybersecurity but wanna get into it. anyone got a recommendation for where to start/best place to learn?
TryHackMe 😉
lol
fair answer
i should have foreseen this i guess
outside of tryhackme, I hear people talking about doing exercises like CTF and shit. Is this like, the cybersecurity equivalent to Kaggle projects?
I am trying to get a lay of the land, im a data science guy so the whole field y'all are in is very very different than what I'm used to
It depends on what you're trying to aim for in the Cybersecurity field, as it's very broad, and CTFs/THM specifically help a lot with pentesting.
TryHackMe
oh yeah gotcha
Pentesting is specifically analyzing a webapp/server/application to find vulnerabilities and possible impacts of said vulnerabilities, which CTFs are a great proving ground to show off your skills in that regard
And the broadness of the field is in light of what exactly? Defensive software development kind of roles?
Honestly, cybersecurity and infosec can cover a large range of topics, and a lot of them can overlap depending on the company you work for. It's possible that if you know how to exploit vulnerabilities and program, that you are able to develop software that prevents these, but most of the time you could also just do general sysadmin/netadmin work with hardening a system/network via manual patches and such, but everything often ends with the idea of doing preventative measures against malicious attacks from the outside
There are also both development jobs, and also policy/auditing based jobs in the cybersecurity industry, as you could be directly developing software and patches for things OR be in charge of managing an entire network of machines ensuring that each one is fully compliant with modern security practices or auditing applications/webapps made by developers to ensure that they're not being developed carelessly
Do you recommend I at least complete the THM basics course before I even bother moving on to anything else or are supplementary things worth the time atm?
again sorry if my questions are stupid, this field is totally out of my comfort zone
the most hack-y thing i ever did was yoink minecraft accounts when I was like 11 and in hindsight I feel terrible about it
I would say, try using THM and learning anything relevant to networking and cybersecurity with it, as there's a lot of rooms that are purely about the concepts and methodologies
Remember, while you're doing this, you should be thinking of how this is relevant to cybersecurity as a whole
cant wait to try hacking in real world after i learn all this
of course legally
smh
Has anyone get a job from this course ?
From what course?
THM
right right... idk what to call it 😅
THM isn't going to get you a job, but it's going to help you with getting some of the knowledge you need to get a job or get certified so you can get a job.
THM is a structured way to help you learn
Ahh okay thank you
THM doesn't offer a professional cert
But it offers you a lot of resources to get the skills for a cert
*to pass the test for a cert
True !
Could they in the future make a cert?
It wouldn't be respected, because it'd be new
The eJPT certs are barely respected because of how new they are
Gotta start somewhere
yeah, not going to happen
it requires administering an exam of some sort
and from what I've spoken to Ashu, he's not down for that
certificates of completion on the other hand
well yea I’m not talking CCNA
Yeah I don't think people realize how much work that would be haha
lol
there's a huge difference between a certificate of completion and a certification
^
You can dump THM on your resume FWIW
What does FWIW mean
thats a goofle question
@languid hearth sorry
If you're really high on a leaderboard for a relevant skill that is actually worth a lot
I can't speak to THM in particular, but in my field, for example, high placement in Kaggle competitions is a huge deal and it is incredibly common for people to be recruited directly off the leaderboard
If you are going to put THM on your resume, I advise translating the skill/project/interest into a language that HR understands. Align it, if possible, with a requirement that is included in the job description.
Yeah saying "X Rank on TryHackMe" communicates very very little
Relevant Experience: I am a GOD on THM
I list tryhackme on my motivation letters as an example of what I do in my spare time to practice and learn
Not on my resume because I'm not that high up the leaderboard
Damn
Cheatsheets 
you mean it's not an actual map?
@rugged sable reee typo
@quick forum no wonder every company i applied to rejected me
😦
Anyone with a recent GIAC cert done a Gold paper? Did you find it was worth it given the application fee and time commitment?
so my idea on the people who that would be beneficial for is those who are looking to become SANS trainers @meager hazel. If that's your goal, then I'd recommend it
also their Advisory board is something to look into
Anyone with a recent GIAC cert done a Gold paper? Did you find it was worth it given the application fee and time commitment?
@meager hazel done GCIH for work, i definitely would not have funded that myself, a lot to cram in within the week courses but i found the SEC504 to go over the very basics, however, that seems to be who it is intended for, will be doing the SEC560/660 this year (again through work) but personally i'd rather OSCP and getting CREST certified over them
Yeah so far it seems more for people who are looking to do training or GSE (which I’m not interested in). Just completed my GWAPT so deciding if I should do a paper if my employer pays for it. But doesn’t sound particularly fun to me lol
i mean it's one of them, i think if your employer pays for it then it can't hurt to have something else under your belt
thats fair also ^
but if it was self funded i think there's better options
contributions to the community is huge
Yeah, having a paper on there I could reference would be nice
so there's also the flip side:
You could write a research paper normally and not submit it to SANS
and still have that on your portfolio
Yup. Having a peer-reviewed paper would be nice but what's the opportunity cost if I decide to publish my own research. Then again I'm not doing that now so this might be some motivation if my employer pays for it and encourages me to do it
What does FWIW mean
@donoven_clark#6123 FWIW For What It's Worth
When scanning for files using gobuster etc, is there a good default filename/file extension list to use? A rockyou equivalent.
I use /usr/share/seclists/Discovery/web-content/Big.txt
/usr/share/wordlists/dirbuster/2-3-medium.txt
is also pretty good
i usually do 2.3-medium.txt with common extensions, and then big.txt with no extensions
@static tide, why 2.3 with extensions and big without?
It's amusing how 2.3-medium is 10x the size of big
check the contents of both, 2.3-medium.txt is just words, big.txt has directories and files (i.e. with extensions)
Aaaah, cheers
@rugged sable woah deloitte has a ctf event? wtf? what kind of project do you do for an accounting firm?
They're a consulting firm, not just accounting https://www2.deloitte.com/cy/en/pages/risk/solutions/cyber-security-services.html
huh
they're considered a "big 4" accounting firm so I just assumed that was what they did
I'm also curious @rugged sable if you have any professional certs?
Speaking of which, what is the most valuable professional cert? Google says CEH based on a massive dataset but some random guy from this discord said it's worthless so I'm conflicted
It's an HR cert
Basically you use ceh as a way of checking a box in Human Resources
It’s a terrible certificate but administrative teams use it to filter out the brain dead average applicant to those who have a “cyber cert”
ahhhhhhhhhhhh
Yeah apparently the CEH cert is the cert most correlated with employment in info cybersec
But if it's a baseline cert it would make sense that virtually everyone has it, and the sample stratifies into camps which have various different certs
It’s really hard to form an opinion of ceh due to them having a clause in their contractual agreement saying once you have signed on you cannot trash talk them in any way
It’s also highly dependent on location as to which certs you’ll want to aim for
~~ I trash talk them anyways~~
Sec+ is like that as well, no?
Sec+ is actually decent in the sense that it teaches you the fundamentals of security
schwat!
yeah, I had to sign a statement saying that I will not trash talk them, the certification, the exam, or the company in any way 
I wish I had kept a record of that doc
?????
hm
I took a contract law class a while back and I distinctly remember a lesson where it was explained to me that companies love to put shit in contracts which they are not legally allowed to do, but serve to scare signees
i wonder if this is one of those
that's soooo strange
Not trying to deviate too far from the topic, but yes that is very common. You see it a lot in Terms of Service/User Agreement contracts for software.
That stock photo omg
• Not to take part in any black hat activity or be associated with any black hat community that serves to endanger networks.
So... uh. No more DEFCON after you get certified, huh?
```
You as a Certified Member shall agree to (i) conduct business in a manner which reflects favorably at
all times on the products, goodwill and reputation of EC-Council; (ii) avoid deceptive, misleading or
unethical practices which are or might be detrimental to EC-Council or its products; and (iii) refrain
from making any representations, warranties, or guarantees to customers that are inconsistent with the
policies established by EC-Council. Without limiting the above, you are also obliged to not to misrepresent
your certification status or level of skill and knowledge related thereto.
```
Wow at first I thought that meant "don't do black hat stuff" but then they literally outline refrain from making any representations, warranties, or guarantees to customers that are inconsistent with the policies established by EC-Council
i.e. if they don't like what you're saying (deceptive or misleading) then they'll take your cert away
deceptive/misleading coming in at devaluing the certification
@rugged sable No I was just asking because that section of your resume was really impressive and you said you didn't get offered a job anywhere lol
And I was trying to figure out if you had no certs and those are like essential because of the quality of your CV
@rugged sable No I was just asking because that section of your resume was really impressive and you said you didn't get offered a job anywhere lol
@sharp tusk ahhh I was joking ;-; sorry I turned down a lot of jobs lmao
Any thoughts/insight about AI cybersec companies?
Not from the perspective of employment, just in general
I work in venture and AI+Cybersec was hot for a little while, I have no expertise in the field but more knowledge is always good for business.
Most of them are using AI for things that it shouldn't be used for. Like 90% of their AI requirements can be fulfilled by a simple SQL query. Take TryHackMe's "suggested room" feature on the new homepage. That's an SQL query but people could easily turn it into AI
Do you think most cybersec jobs are safe from AI?
Yeah absolutely, cybersec requires creativity which is hard
AI will never replace jobs- only make it require a higher skill level and understanding
AI is like mutually assured destruction but in the other way around- once you have AI tools for good, then you also have AI tools for evil, and thus you require the manpower to be able to fight that battle regardless
i mean
AI will probably replace most jobs if only in the very very very distant future
but who knows
I mean the industrial revolution destroyed a lot of jobs, but also created new jobs 🙂
Anyone preparing for Sec+ want to do so together? Preferably in ~UTC+10
AI will be good for the blue side as it helps to detect anomalies in network data flows.
Feed it the logs, train it to detect malicious code/requests and raw network flow data and watch it flag stuff for you.
They can also be trained for offensive purposes but is harder as it needs creativity as stated above and that it cant comprehend human behavior yet to predict system configurations completely.
AI will replace some jobs no doubt about it, but rather than fighting it, learn to work with it if you can.
Will it affect pentesting too?
Cause soon servers will go everything will come on cloud...
probably after a few years everything will shift to cloud. how do you guys think it will affect the pentesting field ...Your views on it and like how we prepare for cloud, will the opportunities for pentesters decrease?
Like what we currently we do and practice on thm are mostly web server hacking or internal network pentesting... when all this will shift to cloud how we'll cope up with cloud...
I'm sorry if I wrote something wrong some terms maybe .....it was just a random thought...
computers are computers regardless of whether or not they're in the cloud, not much will change imo.
it does make it easier to manage environments, so some easy wins might be harder to come by
there are certs such as ccsp to prepare you for cloud security
i dont think ccsp is too technical, you might be more interested in aws/azure security certs
oh sorry my bad
I've heard this industrial revolution argument quite a lot, I'm not really sure if AI and the industrial revolution are comparable with respect to their probability of replacing jobs, the only analogous feature is that both events stand (and stood) to fundamentally change the makeup of the work force
but also I don't think this chat is the place to have this conversation lmao
well actually maybe it is 🤔
TBH the only job I'm worried about is pentesting 😂
Hello everyone ,
We are AnalyticWare , an AI based company . We are looking for an intern who has some skills in
Frontend Development , python and Business Development roles.
If anyone is interested and fits in above-mentioned roles , please fill the form attached below. It will be a great learning experience plus you have the opportunity to network a lot.
https://forms.gle/qC2xxim2eAwPgTfP8
You can check us out at :
analyticware.in
🤔 sounds interesting
Why is a company doing recruitment via a Google Docs Form?
Doesn't ask for resume 
It's a startup guys .....
Intern just means you are doing work for free. Not asking for resumes means they will take anyone.
they also went to a discord full of hackers for an intern for a front end and business development internship...... interesting
"They" didn't go to this discord just to post. This is a startup from his college they’re helping out (has posted this in other servers)
Though yeah, probably better venues to ask for front-end dev interns
I'll take care next time 🤔
Yeah, sorry about being suspicious, it's part of our ethics to be wary and question everything no matter how mundane it is
Yea I understand it's ok:)
It was just a startup so my friend asked me if I could help so yea I just posted it if someone was interested to get some experience...cause I think internships are for experience only:)
tbf it is becoming increasingly common for companies in the startup space to use google docs to do initial vetting
but other than that one specific thing, yeah lol odd place to post this up.
GSuite is nicely featured and fairly cheap
hello
howdddy
Does anybody know of any jobs that require a CNSS certification?
no i dont but someone probably does
hi guys
any idea about CEH practical exam?
i want to make sure is it only MCQs or rooting machines ?
CEH practical is like "here's some challenges, find the flags"
EC-Councils LPT is more rooting machines
Anyone with knowledge who could help me out? What is the DFIR scene like in the UK?
It's what I'd love to pursue over offensive pentesting tbfh
I have a contact in the DFIR scene I might be able to put you in contact with @quasi stream?
She might even be based in England, from memory
@undone shore that'd be super super super cool if you find the opportunity to
I shall ask 😄
Anyone know if there are cyber security graduate programme/training/junior/jobs about in the UK or if you have any contacts?😉 I'm looking for any type of offensive security roles such as pentesting but I'm open to pretty much anything
@ashen geode There's quite a few. I'm a big fan of BAE, and Context have connections with TryHackMe (complete their Borderlands room and they'll like you more 😉 )
I know that Kent University have a Cybersecurity MSc certified by the GCHQ but dunno if it’s what you were looking for
@ashen geode
Btw I almost finished this MSc so if you have any questions about it you can ask 😊
If you're looking for courses keep in mind admissions for most university programmes close on friday, you'd need to get on it fast
CEH practical is like "here's some challenges, find the flags"
Thank you
@languid hearth
@formal sun are you in kent?
I am currently staying in Kent ;-;
never thought a THM member would live in the same county as me >:
@rugged sable Nope I’m back in France
Was at kent because when you reach the 4th year at Epitech (French computing school) you have to pick a foreign school to do the 4th year
So I picked the university of Kent at Canterbury 😊
Hey there,
I probably receive today some topics to learn and a description of an assignment that'll be taken after that (don't know the dead-lines yet)
Once I get those topics and description, can I ask someone here for a good source to learn those topics, also to be ready to that assignment?
It's a part of a student position I want to get into
Let me know if it's not an appropriate room for that question please:)
also to be ready to that assignment?
that sounds like cheating
can I ask someone here for a good source to learn those topics,
just ask in this channel 😜
^^ or uhhh general?
or resources
Going to post here as I should:
anyone looking for former Jr. Sysad infosec grad used to working with O365 and vsphere & misc infa
@quasi stream
Also v keen on making an entry way into DFIR (previous APT & malware analysis experience so)
https://pgp.cmnatic.co.uk
(or dm)
💋
self promo over for the next 6 hours
https://mashable.com/shopping/jan-22-comptia-training-bundle/?utm_source=Facebook&utm_medium=Facebook_Ads Do you think it is worth the value?
Even if you only want to take 1-2 of them, having access to the materials for life is very handy
nope
They can definitely be worth the value. Lifetime access to these is really awesome although I should tell you these are not official courses, nor would you get any certifications. These are just prep courses from a third party so decide for yourself if they are worth anything to you
they run those "deals" all the time. not worth.
i can promise you that there's better free resources for each one of the exams
thanks for the response, i was deciding to accept that or earning the OSCP voucher and continue with my plan of ethical hacking.
The OSCP Voucher 🤔
@midnight sparrow THM is doing great stuff in the platform but those learning paths are preparing us to do certifications in some degree and like someone said to me one time, doing certificates is an investment of learning ethical hacking, i was thinking about getting the voucher but elearn security they have good courses and good for the price so i am in that midpoint decision.
you realize that the learning paths are yes good for learning however none of them are specifically designed for certifications
also I would go with the OSCP since elearn is yet to be respected in the industry
nevermind about the learning path I didnt realize that you were talking about the comptia one
@gilded blaze like spooks said those "deals" really are not worth it and you can find better content for free. both the OSCP and Elearn certs are courses as well as certs so anything that you dont already know you can pick up from there and then either do their labs to prepare or do labs from thm, htb, csl etc
@polar rock Thanks for the help i really appreciate it
jobs jobs jobs, give me job!
Janitor at google is the best I can do
Probably still get 300% increase in LinkedIn solicitations from having worked there
If I want to go in pen testing / bug hunt (mostly as a part-time student job) do I need to do some CompTIA certifications/classes like A+, Net+, Security+ etc or I can just practice THM/HTB and it should be good to go
that depends those are two different fields
If you want to go bug bounty which I don’t exactly recommend as your only source of income I would just practice THM / HTB / Hacker101 and read some books and articles in bug hunting
if you want to go penetration testing that’s a much longer road and I would start off in a sysadmin / network engineer / blue team / help desk to get your foot in the door in IT you can get those certifications or you can look for a company to pay for them just remember that these are certs not exactly courses / classes unless specifically stated that it is a course as well
@flint tide
The thing is since I am in school now I can only get something weekend only and it's nearly impossible to find something like that that's why I wanted to start with bug hunt since I could sort of manage my time and work when I can @polar rock
2- But I want to go with pen testing eventually, I would do A+ -> Net+ -> Sec+ -> CEH?
I wouldn’t waste your time and money with A+
I have almost no knowledge in IT yet that's why I thought it could be a start to go A+ so I skip to Net+ directly?
net+ is fine, you could also go ccna which gives you more options, sec+ is fine, don’t go CEH, it’s just... don’t. Go for OSCP or eJPT instead
if you feel the need to take A+ sure knock yourself out but most of it I believe is intuitive a couple of helpful things but I haven’t heard much this cert changed my life again it’s just a cert not a course
it’s literally just an exam
so for someone with 0 knowledge I can start as Net+ good to know
my real issue is really that school takes my whole week days and weekends only IT jobs seem nonexistent
A+ is good if you know zilch about computers and electronics- and wish to know everything about them hardware wise, and some core software knowledge.
For filling up your weekend, is your priority income or experience? If it's the first I wouldn't get into bug bounty, especially if you don't have most of the prerequisite skills already.
Honestly, it's a bad idea to jump straight into the field with income in mind without any prior experience (unless you're like, super determined)
You should get a lot more familiar with the field, and in order to make income, you should kinda already know exactly all the ways to make income from freelancing.
Because otherwise you might be setting yourself up for failure
@polar rock could you elaborate more on why not CEH? I was thinking I’m going for that one. It would be my first course and (hopefully) certification towards security / hacking. But if you have better recommendations i would love to hear them 😃
it’s a cert that no one except government cares about, its not practical and really won’t teach you anything, and it’s expensive you’re better off going OSCP or eJPT than CEH
Ah, alright. Recently they do offer a ceh practical exam, but that’s purely an extra exam based on what you learn in ceh. So it won’t add much I guess?
Ill make sure to have a look at OSCP and eJPT then. CCNA was also on the list
Thanks for the advice mate! 😃
@craggy glen the CEH (Practical) is affordable and has name recognition, and a good starting point for those coming into the field. eJPT is a good junior certification but eLearnSecurity still has some way to go before it is recognized.
to be fair about the A+, I only passed the 1001 a week ago and am planning to take the 1002 within 2 weeks, and just putting on my resume that I am an "A+ candidate" has gotten me a lot of callbacks and potentially a job next week
around me pretty much every IT job wants A+ for most entry level positions
That's really good @ancient prairie. A+ like many certifications is a jumping off point.
Oh yeah, it's really good for entry level IT and non-technical positions
like if you want to do help desk or computer repair or even datacenter tech
Avoid CEH unless you need DoD approved certs
A+ proves that you really want to transition into the IT field tbh, even though you come from a non-computer background
that's exactly what Im doing lol
worked hospitality for about 8 years, have a fairly worthless associates degree in IT so looking to take the cert route
There are companies out there, besides government jobs, looking for CEH (the CEH (Practical) would fulfill that requirement). It's all about end goal. If it helps someone get a job, then the CEH (Practical) is an investment to consider. The best thing to do is search job boards for one's local market to determine what certifications the companies there are looking for.
There are better certs than CEH for the same price
Right but it largely depends on the job market, like around me I see a lot of InfoSec jobs asking for CEH/OSCP and some omitting the OSCP entirely in favor of CEH
rarely do I see places ask for SANS/eJPT/eLearnSecurity or anything else
@languid hearth pls say ceh bad thnks
the reason you don’t see sans is because it’s god awfully expensive and most everyone only gets it through their employer however I’d say they’re the most respected in security, the elearn certs are good however yet to be respected, the OSCP has just become a standard, and the CEH just needs to crawl back in the hole it came from unless you have a very specific job that requires it
right, if you want the opinion of someone whos in Industry in the U.S:
The CEH was a waste of money. I learned nothing from it. I took the certification and passed it with over 85% without studying for it.
For the price I paid for it -- (a little over $1,000 USD) I would have learned so much more from other certifications.
I outlined my personal thoughts & opinions here:
https://blog.spookysec.net/certifications/
And don't put too much weight into the certs asked for in a job posting, unless it's something like DoD. Your OSCP is more likely to look more impressive to the actual hiring manager/team than CEH, even if HR didn't put OSCP in the jp
@quick forum you're right - the CEH multiple choice exam is expensive when one can get the Security+ or SSCP for a fraction of the price. But the CEH (Practical) is about the price of the eJPT and they are both hands-on certifications.
If you have a choice between spending 1k on something that will get you a job, or at least a callback, or silence because HR doesn’t know what they are looking at, you’ll pick the former.
OSCP is widely recognized
CEH is a meme cert outside DoD jobs. That's for a reason.
OSCP is great and no one denies that but it is out of reach for many due to how expensive it is, especially if you consider that many people do end up having to retake the exam several times. Plus not everyone coming into security is going to be needing the OSCP. The CEH (Practical) is an option, just like the OSCP is one for those who want to go there and can afford it.
Sorry, what?
CEH is $1.2k
OSCP is the same
So is eJPT
Why meme yourself when you can get a good cert?
CEH (Practical) is $550, eJPT is $400. OSCP is at least $1200 depending on labs and retakes (60-day lab time seems to be the average).
PWK starts at $999
It has the course
CEH CEH is $1200
You can't compare Cert+Course to cert alone
Being in the middle of the PWK, and having heard about CEH from people who've done it
It's memed for a reason
I highly recommend saving up for the OSCP
Agree Muir
you'd very much be shooting yourself in the foot
but if you wanna burn that kinda cash, that's your decision.
That appears to be the summary of the advice in here, but in the end it's an individual choice 🙂
Like it's been said earlier, it honestly just depends entirely on the job market around you, if you get a CEH but none of the jobs around you are looking for it, then it probably won't help you.
Yes, no matter what you say @undone shore, it is an individual decision
You can get it if you really want to, just to prove a point or whatever, but in the end, it's entirely up to how you utilize it to represent your skills.
but at least you are telling your perspective
(just know that OSCP usually satisfies most automated resume filters)
I’d like to have 1.2 grand to throw at certs all day
Also yeah keyword filtering is a thing
Look up commonly searched terms for resumes and just soup it
oh you'd be sweating bullets if you saw how much my last cert was..
How much...
7.8k
I think exceptional is one of those weird common words. You can easily soup that into a description talking about yourself
SPOOKS WHAT
What the heck is that
I saw 7.8k and thought sans
Yeah I think most of their courses+cert attempt cost that
I need to get an employer that will pay for certifications, let alone SANS training.
Or a bigger check.
I would love to go through a SANS program. Some very interesting courses there.
It's probably the two areas SANS is far ahead of everyone else: Advanced DFIR and Advanced Exploit Development.
For the latter you would do SEC-760.
I hear very conflicting things about how good SANS is
Let your employer pay for that unless you REALLY need the cert for the job you're aiming for
What jobs do hackers get?
@warm hinge what do you mean, you'll have to elaborate
what jobs would someone who learns the toolset from tryhackme find themselves in?
It depends, there are a variety of rooms that teach different topics such as pentesting, steg, RE and many more
Search up different jobs within the cyber security industry and see which jobs/roles intrigue you
and if it's something you want to pursue
I highly recommend checking this out
there's also a list of potential (but not all) roles in both the red team and blue team side of things in there
Well, I can say that being in-between is somewhat fun as well
@warm hinge really good share, worth the read, thanks.
I'm really liking a mix as well - purple team, and threat hunting.
Threat hunting is still relatively new but I'm hoping I can go down that route in the coming months, or by next year.
Glad you enjoyed it
I do threat hunting at work, and eLearn has a course on it thats worth checking out.
Yeah I saw the course on eLearnSecurity. It's a little out of my price range but I'm hoping to get it in December.
How are you liking the role, @languid hearth? How long have you been in it?
4 months now, its a completely different beast
Sounds exciting. 😄
I bought the Threat Hunting course from Security Blue Team for £20. I liked their Network Analysis course so I'm curious to see how Threat Hunting goes.
I'm sure it's not eLearnSecurity level but it's a start.
I checked out the Chris Sanders course, the only other one I could find out there but also too expensive for me.
it's worth checking out some active APT groups like Cozy Bear
GCHQ released an advisory last month
Thanks, I'll check it out.
COOOOOOZY BEARRRRRRRR
APT names are somewhat strange at times, from Charming Kitten to Putter Panda. 😄
yeah but it’s better than trying to just remember APT29
instead I can remember COOOOOZY BEARRRR
I like that they choose the animal based on the nation (Iran = kitten, Russia = bear, etc.)
@distant pier some orgs have a rosetta stone just for APTs as different companies have different naming schemes.
However the MITRE ATT&CK framework has some of the examples - https://attack.mitre.org/groups/
Hey guys,
I'm a second year CS student
My final goal is to get a job of PT
Meanwhile, my best knowledge is about programming (Python, C, CPP, C#, JAVA-OOP, Algorithms)
I checked some relevant certifications across the Internet, like CEHv10.
Now, this course demands some pre-requisities, so here is my question:
Is "Complete Beginner" room in TryHackMe can be relevant for me?
It’s a path. But yes
It’s relevant for everyone imo
It certainly won’t hurt to take that path
I recommend avoiding CEH unless you're going for a US department of defense job
Actually, ofc I don't want it to hurt me, but would it provide me with the relevant knowledge for being a PT?
No, CEH will quite literally teach you not fully correct information
@quick forum I'll tell you. My goal now is to get a student position in PT.
Besides my formal studies here in University, I want to invest my spare time in learning some topics which are relevant for these jobs.
Moreover, I'm now applying for a PT student position, they have to send me this week a list of topics to learn, then they will give me an home assignment about those topics - they want to understand better my learning abilities, etc...
@languid hearth
Skip CEH then
If you scroll up in chat awa awa has a blog on the certs
Oh yea it is
@quick forum So you actually says that TryHackMe is very good for my needs.
I see the minimum purchase is for 3 months (30$)
Two questions about that:
- Can I achieve somehow some coupons?
- I see there that if I'm a student I have 20%-off - how do I use that?
you actually say*
It's 3 months with paypal
You can do shorter times if you don't use paypal
There's also free content
@quick forum Suppose I need content for Complete Beginners - is there something free there besides the path in money? Because I can't see anything else...
You don't have to follow a learning path
There's free content, and a set of suggested rooms on your dashboard
Do /zthlinux first if you haven't
Pretty much everything is going to use Kali so you kinda want to know how to at least somewhat find your way around a Linux system, even if you gotta reference a handbook a lot
Then I'd start doing what's on your dashboard
@quick forum @dark prairie
So you say better go through the order of the dashboard - Welcome, Introductory Researching, etc...
Yes
Yes. I'd do welcome, introductory researching, then zthlinux
Looks good.
So why for anyone actually to purchase at all?
Support THM, videos on rooms (more are constantly being made!), access to some rooms that are not free
Access to paths
Choose your machine in KoTH
Subscriber only VPN servers
More resources on VMs that you deploy
(that makes them faster to deploy and faster to use)
Got it.
One last question before I dive in:
As mentioned before, this week the company I'm applying for has to send me list of topics and description of an assignment I'll be given after that (including the dead-lines)
Should I ask here for good resources for those topics and assignment? I'll need the most matching ones
THM should be one resource you use, not the only one.
You might find topics for what you're looking for and that's great; but you might not find everything and someone else might go in-depth and explain it better for your understanding or mention things that might not have been obvious. This isn't to discredit THM, but you should always have second opinions for your information. Like for anything.
@dark prairie Good.
So I'll share it with you, so you can tell me what are the best resource for my needs in regards to the topics and the assignment description
you should ask in #resources
Yeah I'm not kinda a super wealth of information, but what others have posted there is.
People usually post discounted learning materials and such there
#bookclub recommends books for researching
Start looking at the security analyst role. Got questions to ask.
I’m dev now with a couple of years experience. How much do I need to skill to find a penetration job? Does the certificates will help that?
@crude sage I am currently looking into it too. I got told today that Security+ or SSCP is a good starting point and that if you struggle on them, you can switch to CCNA, get more of the basics and then continue.
I am currently looking into https://itpro.tv they seem to have lots of good content worth a check
Correct me if I'm wrong veterans
CCNA is a networking cert
@quick forum so I can skip it directly and get in SSCP?
I have almost 0 prior knowledge in IT, I was in CS and now EE
If you're looking for pentesting, as AlvinS said they were, why not get a pentesting cert?
Makes sense 
Does it make any sense to go for OSCP as a first cert?
I feel like it's the most useful cert that you don't need like 5 years of working experience for
Yup I guess oscp is most demanding
OSCP is still an entry level cert
If you are starting with oscp why ceh after that
@hasty geyser Ignore CEH
Seems to be a requirement for a bunch of jobs around here
But maybe it's not useful with OSCP?
Unless you're going for a US Department Of Defence position, it's garbage
Well, if it's a requirement for the jobs that you want to apply for it doesn't hurt to get it
I had CISA on my list still
OSCP and then a job
But if the CEH isn't mentioned- then people will probably ignore it
the OSCP alone can get you a junior position
CEH is not a good cert
for all-around
It's memed on for a reason
Any suggestion on eJPT?
It's also not even a pentesting cert
@royal veldt It's getting better recognised over time, but it's still not there
Weird that it's like the #2 most asked for cert in pentesting jobs around here
Then again... recruiters be recruiters
Because HR has no clue
^
CEH is probably only just a resume-filter check, but OSCP can satisfy that already WHILE also being very valuable to a majority of employer's eyes
EC Council is good at marketing rather than providing good content
Guess I'll focus on OSCP then 😄
And then somehow find a 50/50 development/cysec job so it still makes sense financially
i had a question for a junior soc analyst position that i answered really badly
"you're working in a soc and you get an alert on one of your third party tools that a server was reaching out to a known c2 server, what do you do from start to finish?"
my answer briefly: isolate the server by taking it offline, figure out what process is reaching out, check firewalls logs, add to firewalls rules
anyone able to give a better answer for me? 👀 never worked in security before
by the way - he was very very interested that i did some ctf development, so making rooms will look good on your cv :)
are the Sybex Flashcards good for Sec+?
I'm looking to bolster the videos I'm watching with some memorization
@static tide Have a read https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
@distant pier ooh that's quite big, think i'll use that as bedtime reading 😅 thank you!
18 pages. PWK PDF is 800+. 😄
850 odd 🤣
and i've up to section 4 and quit hehe
Learn to academically read, instead of front-to-back. It is an acquired skill.
yeah i watched a video on something like that
😄
it was something like this, for each chapter
- flick through the pages, go back to start
- read headings, go back to start
- read bold or italic things, go back to start
- read ending sentences in paragraphs, go back to start
- read it normally
It will save a lot of time. Most technical books are written poorly, especially IT books, with a lot of filler. this way it is easy to skip all the filler.
First thing I read in a book is the Conclusion or Summary for each chapter, followed by the Index. I know, I am weird. 😄
If the Index does not have any topics I am looking for, I don't even continue.
@static tide ill tell you I would have immediately shot back at him saying "Why don't we have an ACL blocking communications to known C2 servers?"
@languid hearth well i did mention adding one, but he said it was known to the 3rd party tool that flagged it, not necessarily on their firewalls
Why don't they share their lists?
so what would be the most valued cert for pen testing?
yes
you guys are awesome!
And Ceh?
CEH bad
Can probe requests used to replicate the same wifi network in the request with the same password used in the real network
@dreamy dagger Wrong channel
Which one is the right one ?
@quick forum
Sorry, my bad.
I am a student of Cyber security and currently I am in the last year so I am looking for a project. Can anyone help me here? Or can someone provide some guideline for some kind of an implementation.
@austere siren #general please don't post the same message in a bunch of chats at the same time, it's spam
oky
Does anyone have a Metasploitable3 (Windows) VM they can share? I keep getting errors when I try to build it 😕
I dont know if it works but you could use WSL Kali on windows and try
@quick forum I just saw you said CEH is bad any reasons behind it?
@earnest carbon not the right channel
@light parrot A mod told me this is for cyber-related stuff and general is for non-cyber stuff (i.e. memes)
Here is for cyber in careers (certif, jobs, formation, etc.) ^^
There are other channels for technical questions
Not what James said to me. Note the description for this page is "Infosec topics and ...", whereas General is "random chat"
Well if James told you, I'm wrong, my bad
I thought the same as you at first, thinking this was just career-related stuff. Apparently not 🤷♂️
I got told to come here when I posted cyber stuff in general haha
I hope you'll find your answer here then 🙂
Cheers mate ^^ Still trying to get Metasploitable3 working, still failing every time and I can't figure out why 😢
Never used it on Windows unfortunately, so I can't help ya 😦
I'm just trying to get the VM built
Maybe I should try building it on a Linux machine
Metasploit is included in Kali
So you can try to build a Kali VM
There are prebuild Kali VM for VirtualBox and VMware
I'm talking about Metasploitable3, the vulnerable Windows Server 2008 machine
Oh shit miss read
lol I also read Metasploit missed 'able' that's why suggested WSL
@neat shore The reason CEH is bad is because most of it is inaccurate and it’s not even a recognised cert that’s why CEH is bad
Ohh....I don't know
But my teacher told me that Ceh have its value and u will be recognized by it?
@exotic vessel It's only really recommended if you want to go for DoD, it's inaccurate and outdated
@unreal arrow ohhh...thanks
HR usually only put it there because they don't actually really know anything about it they just see others putting CEH so they do it
HR 
Hey guys 🙂 I have a question about being an EH or pentester or working in security in general ^^ I think it depends on the country, but is a diploma really needed? Or is it more about the certification? I ask because I would like to change career path and I'm not sure about redoing 5 years of study ^^
Thanks in advance for your help
@frank swift What country are you in? In the U.S. there are some companies that don't care as long as you know your shit, but there are others that you 100% need a degree/specific certification set to even get interviewed at
@languid hearth EU
@quick forum can probably speak to that a bit more
and I'm afraid about the second category for company xD
aren't we all lol. I bailed after my 2 year degree
At least in the UK, the jobs I've seen are degree/experience AND a cert
The degree is a substitute for the experience
yes but you need the degree to jump in and get XP :p
so what I understood is the cert is not enough ? right ?
Just a cert on its own won't be
damn 😦
But I recommend checking
It varies by country
Just have a look at jobs you'd want to apply for, see what they ask for
pretty much
maybe , I will double check that and try to pass a degree 😦
if you can make some connections to business owners/hiring managers, it helps a lot
yes sure
Isn't it also possible working your way up from a beginner role?
if you want to work helpdesk, sure, but even then it's difficult (cc @green parcel )
it's really hard to change from one career to another , especially when you need high degree
@unreal arrow These are entry level positions
What's going on
I haven't tried applying anywhere
(internally)
Depends on the company
All my company's security positions are in a different state and I'm locked in place for the time being
So it depends on your situation
Are they not remote?
(Lots of Security positions are strictly at HQ)
Hard work, improving yourself and persistence and perseverance will pay off in the end though
I took a long time to get to IT
So I'm not exactly what you'd consider "normal"
Maybe a few people to push you along the way
Doesn't hurt
yes for sure ! It's just a bit scary after X year in one career , try to move to other one... but yeah I'm sure the perseverance will pay off 🙂
I will double check everything about the degree on my country , thanks guy for your answers !
also check out LinkedIn postings, it can help point you in the right direction on what to get/next steps/when you can/should apply and so on
why is it difficult to get an entry level job or junior role in cyber in the tech companies? is there some sort of knowledge that people are missing that only some knows it?
Cyber security is mostly merit based- you can only prove your knowledge about security usually by demonstration of your knowledge and skills in some way
Just having a certification doesn't prove that you know how to penetrate a system and communicate everything in a detailed report, or know how to set up a network that is hardened against DDoS and hacking attacks
fair enough, i never see a cert a way of getting into a role but exp takes over cert and degree any time
but how am i going to get the exp if i cant land a junior role or entry
Usually showing that you've already been in charge of a network or server and have had previous experiences with actually hardening the system shows decent security knowledge
but how am i going to get the exp if i cant land a junior role or entry
@stoic quest By getting a cert
You don't necessarily have to be in a security role to demonstrate exp
And having experience or a degree
i have got a computer science degree and the past year i have been trying to shift from my current role to a junior role i still cant land it
So considering getting a cert
^
Or look what jobs actually ask for
Also, the cybersecurity industry is actually somewhat close-knit in the sense that it's a "if you know, you know" kinda thing
i was looking into CompTIA Security+ cert
just demonstrating some kind of contribution or practical knowledge of security often helps a lot
man what are the keywords i can add to my CV that will catch the cv reader attention 😆
thank you
From our very own spooks
first time for me on this discord and I really like the mood 😮
thanks guys for helping people to get in
first time for me on this discord and I really like the mood 😮
@frank swift hope u stay around!!! 😄
i can now say this
but i got a job in cybersec without a degree so you can too 👀 @frank swift
Gives me a glimmer of hope
Ey! Well done @static tide!
thank you muir !!
35% Off eLearnSecurity this month on all their courses https://cdn.discordapp.com/attachments/735932466757501069/741018167060594818/unknown.png
Goddamn now I wanna drop another grand to get eCPPT
Is eLearnSecurity good? I've heard good things about them from the cyber mayor and John Hammond
It's a great deal - 35% so I might use it
It's as good as you're willing to utilize the knowledge and skills gained from it.
yeahh i'm considering dropping 1k on the threat hunting course
Yeah these certs are expensive lol
Elearn's recognition is improving over time
Yeah I have to look into these certs once I have more time after graduating - currently working through my way through sec+ and TCM's Udemy courses
its mainly gaining traction due to the acquisition of them by INE
I'm considering applying for a job as junior penetration tester. I have studied computer science and have general knowledge about programming, networking and computer systems, but not so much in cyber-sec specifically yet. I also work full-time in IT and don't have as much time as I would like to spend on becoming better in cyber-sec. I'm eager to learn though! I believe that a job in this area would give me the hands-on experience which I otherwise wouldn't have time to gain.
So my question is directed to those who already got a job in that industry: When you applied, how much prior knowledge did you have with kali tools and the various ways to exploit a system and escalate privileges? What professional experience in IT did you have before?
Depending what IT profession you have or what company you work for i suggest you ask them for more knowlgage doing IT certificates. They give you knowlage, a certificate of completion and your company pays for it. Its a nice way to get knowlage. Look up Cisco CCNA CyberOps and CompTIA certificates. But if youre looking for something for free it would be online and testing things on the virtual machine at home. Try to get a 10$ course on Pen Testing on Udemy. They arent that bad. Or yt videos.
But at the end of the day its the passion and motivation towards the subject that will help you on your way.
hey guys ! I've a question since you are manly native english people you might be able to answer it ^^ So I almost finished my MSc (english one at kent university) in cyber but I plan to move to canada in 2/3 years, the question is, do you think than my english diploma will be recognised as an MSc in Canada ?
I'm asking the question since, if I'm right, the Canada is a part of the commonwealth, so the MSc system and all that stuff should be the same as in england no ? ^^'
is the 100$ for unlimited lab time for the PTS by elearn worth it? or is 60 hours labtime access enough? im planning on grabbing the 35 % off deal for the pts
thanks ^^
@pale burrow, 60 hours lab is more than enough.
@pastel portal oh great! thank you for answering
Hey all, has anyone done the "updated" OSCE lately?
Decided to pick up the boot camp for CEHv10 so that I’ll have a possible cert before graduating with a bachelors, anyone know if the HTB or THM labs are similar to the CEH ones?
uh
no
lol
they're other worldly. You're about to be in a world of disappointment. iLabs is horrid
Oof
Does the knowledge transfer over at least? My boot camp is going to be in a couple of weeks
CEH? oof
Supervisor and the CISO in my internship recommended the cert. it’s starting to sound like I made a mistake xD
They also recommended the sans certs but those are just too expensive for me
CISSP was also brought up but that requires 5 years of experience which I don’t have yet
CEH is a mistake in general
Rip, will it help with jobs at least? Or is it a waste of money?
CEH is only really good for DoD
And even then, pretty sure there's better
not a 100% waste, you'll open some HR doors, but its poor for knowledge, accuracy, and valuable information. OSCP is an all around better pick.
CEH is only valuable if the jobs around you specifically ask for CEH
It depends really
You can learn a lot of the CEH stuff in other certs that are more widely recognized
(And it'll actually be correct)
But CEH specifically is like said earlier, mostly just a way to tick off a checkbox in the HR filters
while providing proof of just... adequate? knowledge of hacking
Welp, might as well finish it and keep doing HTB and THM puzzles
Whereas the OSCP is a more fully fledged test that really does demonstrate understanding of pentesting
if you're doing HTB, you're well above CEHs level and will be severely disappointed.
I’m not too great with HTB, I only got user access for a couple of the easy-medium boxes and root for one box
Welp, moving forward, I guess after CEH go for OSCP?
TBH- unless your employer asks for CEH, I would just skip it and go straight for OSCP
OSCP implies you already know CEH material and way beyond that, to the professional level.
CEH is mostly just amateur stuff
I’m not necessarily looking for a pentesting job, but something in information security.
The issue is I already paid for the CEH course xD
If you've already paid for it you might as well do it
even tho it is inaccurate and outdated if I remember correctly but it's something to have I guess
I definitely should’ve asked here beforehand. The info definitely crushes my spirit haha
I mean- hey- it's still a cert I guess
so don't be all too depressed
It's just that a lot of other certs just "outshine" the CEH
if you look at spooks (Korone) blog in the pinned messages it will help give you a better understanding
I collect certs for fun at this point :p
Master of certs
Life goal is to become korone
ez test are ez
Spooks needs to collect all his certs to battle the elite four
Thanks for the insight, I’ll check out the blog
Spooks needs to get a Champion cert after battling the elite four of certs 👀
does anyone think its worth putting your tryhackme score/rating on your resume?
i dont know if it will be ignored or seen as 'silly' or if it would actually be valuable
Only if it’s high imo
@full sandal I think it can have value if you combine it with showing writeups you wrote, so you can actually show off skills/ what you learned
Writeups and room creation probably have more value IMO
It's a good thing to talk about in an interview
I'd agree with all of that. It's not like HTB where the competition is the main selling point. This is a learning environment, so showing that you've learnt is more important
Writeups are a great way of doing that
thx for the answers
putting your rank is a meh, putting your involvement in the community is a eh!
^
gotta market your skills
just because you worked at Burger Kings as a burger flipper/cashier doesn't mean you can't make it sound like the best damn job
true
"Responsible for business interactions with clients, multiple awards in outstanding performance from supervisor "
Burger Artisan
Managed several workstations for preparation of food for customers and maintained a high standard of hygiene and cleanliness.
Dealt with customer service on the spot, and handled day-to-day finances and transactions.
@warm hinge i have a section in my book for this
quite literally
burger flipper at mcdonalds
Let's say you work part-time at McDonalds. I chose this because this is the most mediocre thing I could think of. While working at McDonalds, you discovered that it's faster to type in the order as the person says it rather than to type it at the end. This isn't ground-breaking stuff, just a simple observation. We're going to spin this story to make you sound mind-blowingly amazing.
“In my teenage years I worked at a rapid quickfire fast food chain. On average, we served around 400 customers an hour and during our peaks the store would get so busy the line would go out the door. In this environment, I learnt that I thrive under extreme amounts of pressure. Not only did I have to make sure that every single customer was over-joyous with their meals, but I had to do it fast.
Whilst working here, I created a new system that increased the speed and accuracy of processing information into an End Point of Sales system. This new system allowed us to serve twice as many customers per minute all whilst keeping the customer satisfaction levels high.
One time, my store ran out of milk. My manager chose me to partake on this critical mission. To refill our stock supplies and refill them fast. Not only did I achieve this mission within 5 minutes, but I managed to achieve it before any customers requested items containing milk. Considering this restaurant serves 10 people a minute, I'll say that's some achievement.”
The point I'm trying to make here is that no matter how mediocre of a job you think you had, you can always spin it to make you sound amazing.
Very excellent
i agree absolutely
when I was hiring people- I wasn't looking for people who just wanted "the title", I was looking for people who looked at the big picture, and no matter how insignificant their role was, they knew how to innovate and excel in it to stand out
Knowing your value is very important- and knowing exactly how to purposefully make yourself valuable to a team is the most important skill employers look for
and then they see the company name
mcdonalds ftw
Dammit spooks, they're closed and I'm hungry now
they're open here
hey guys, is it ok to ask some advice about ITsec certificate in this channel?
yes
I am 2nd Computer Science student, i have learned about basic computer network, os system. I also self-learned several months about pentesting and ITsec, and can do some easy boxes myself. The problem is i am confused to choose between choosing CCNA (which i already have knowledge in comp net) or CompTIA Sec + (cause i heard we need more 2 years exp to learn this)?
Can someone give me some advice?
Having your CCNA makes you much more valuable
especially in Security
and CompTIA doesn't have any formal pre-reqs
they're merely a suggestion.
I thought that CCNA is more focused on network than security, am i right about this?
yep
understanding BGP and ACLs are some pretty key things in CyberSec
same with switching concepts (VLANs) and Subnetting
May i ask is there any certificate that should be learned (just for beginner and intermediate level)?
so CCNA + Security+ is a good start to get a job in a SOC, in your spare time I would work towards the OSCP or something similar
A network certification like the CCNA is good for security. It can be considered part of an individual's groundwork, as the knowledge is transferable and it helps in getting a job.
Depending on your interest in networking, Juniper, Cisco's competitor, currently has free associate certification vouchers (earned upon completion of course and assessment test) which includes a vendor-specific security exam. They're beginner / intermediate level certifications.
Thanks all for the advice, that helps me a lot.
@summer stone CCNA is networking for cisco. It gives you a nice base for networking and router and switch configuration. In February they released new CCNAs and a new CCNA CyberOps certificate. They're both very good but it gets to the point where every line says Cisco is the best so yea that i do not like :,D.
Can anyone recommend some good courses for getting up to speed with Active Directory? Preferably with a hands-on/own lab perspective. Especially from a security (offensive and defensive) perspective.
in: resources active directory type this in this server's search field 🙂, there are a couple of shared resources if that helps
Cybersecurity enthusiast here looking for an entry level job in cybersecurity. Am open to any location in the US. Will be graduating in December 2020 with a BS in Cybersecurity and Information Assurance. Currently have my SSCP and Security+
Am a US citizen. Any leads would be greatly appreciated.
Hey! this channel's more for discussion of careers rather than finding a job :)
@rugged sable Dark's clarified it's both
Also jesus christ bee
i have been rocking this cosplay all day
i cant wait to get rid of it
it better be worth it
Apply to as many jobs as you can
you're in range for gov jobs
be open to relocation
thats basically the best advice I can give
Anyone know if the OSCP bof is guaranteed to be a Windows bof? Couldn’t find anything concrete

@somber bramble PWK is very Windows oriented
Although there are a lot of Linux lab boxes
Gotcha, but I saw they recently added a Linux bof section in pwk so I didn’t know if it was guaranteed to be a Windows bof
There is a Linux BoF section, but it's very small in comparison
As far as I know, it will always be a Windows BoF
That said, they're pretty much identical at that level anyway
Like, no difference. Just EDB vs Immunity
Granted, but I have no experience with EDB
How do you find the jmp op code without Mona tho that’s the most useful part haha
I guess I should do 1 or 2 with EDB just to learn the syntax to copy the immunity method
Nothing stopping you from using GDB if you prefer it 🤷♂️
Same issue with not knowing how to get the address of jmp opcodes
For me @undone shore
Is it ever too soon to buy and be studying for the OSCP? I've been doing THM rooms for about 2 to 3 months now, and I'm wondering if I'm familiar with things in general enough to start studying for the exam.
*/If I'm going to understand what I'm looking at when I study the OSCP
It's a lot less "guided" than THM. If you feel comfortable with your methodology, I'd give it a shot. If not, keep working on THM/HTB and maybe PTP until you get to that point.
The PWK material is pretty dang good, although a bit dated in places
I will say that you'll be a lot better served if you already know vaguely what you're looking at
Research skills are absolutely essential, as are debugging skills
Some of the labs will be impossible, even with the PWK material, if you don't have those two skills already
Do Malware Analysis and Reverse Engineering jobs exist outside of governmental roles?
Yes, I'm personally aware of a few companies that do
I’m very interested in it, but am worried about pigeon holing my self into only government jobs with very few in the private sector
Malware Analysis and Reverse Engineering are very valuable in a lot of AV, IDS, and IPS based companies
I have an interview for a security internship tomorrow that focuses on web application pentesting/software development. It's my first interview where I'll be speaking with someone technically inclined....can anyone offer some tips/advice? I'm also nervous as hell
SDLC, know it. Know Agile, and other things like that, waterfall, all that fun stuff
if it's software dev, they'll 100% ask you about those types of things
be prepared to get asked on OWASP top 10
know how each attack works (xss, rce, lfi, rfi, sqli, xxe, deserialization, etc.) what input sanitization is, how it's used, when and where
thanks @languid hearth

Got a question...what would be the most underrated section under the cybersecurity umbrella?
underrated as in? 👀
Career position
Deception
Looking to learn more in depth about cybersecurity and the job roles in it
there's more roles in Cyber Security than I can even name.
Looking to get out of my current role and challenge myself.
The most underrated section of cybersecurity is whatever happens to be the primary attack vector in modern cybersecurity attacks
I would say, just find something that seems remotely interesting to you conceptwise (i.e. malware, IDS/blue team, pentesting, etc.) and just focus on that
You're not always restricted to one thing- the cool thing about infosec and cybersecurity is that it's always evolving, and you can always focus on one thing until it becomes less and less of a threat, then you can transition into something else when that time comes.
Ccie security scope?
ccie exams are some of the hardest IT exams
Is it for professionals or beginners
💯 
yeah, I'm not ever touching an ie
i know the cert has been retired, but has anyone taken this exam/read this book?
https://www.amazon.co.uk/Exam-70-698-Installing-Configuring-Windows-ebook/dp/B07FTVVLHX/ref=sr_1_2?dchild=1&keywords=70-698+Installing+and+Configuring+Windows+10&qid=1597005479&sr=8-2
my windows knowledge is pretty surface level and i wanna dive deep
ive not read it or taken the exam, but if you can download the windows iso and virtual box, you'll learn a lot more by installing and breaking things. Playing with the settings. https://www.techradar.com/news/software/operating-systems/52-windows-problems-and-solutions-716020 this seems like a decent enough link to read through. My point is that since its a retired cert i feel like its not worth spending 20$ on the book
@midnight sparrow some basic ideas about their approach. i'm new in pentesting