#cyber-and-careers
Some parts. Mostly in crypto.
and networking
those maths are far easier by comparison
Hey guys I just had an interview for a Security analyst and they asked me how can red teamers avoid IPS/Firewalls and I wasn't too sure. What would have been a valid answer?
that's a whole chapter. but here's a simple example as an answer. a company might have a firewall to only allow outgoing traffic through port 80. you can still get a session in one of those machines if you configure it to use port 80 while connecting back to you.
that's as far as the firewall's concerned of course, cause otherwise you would have to exploit a system.
yeah i did not know that
i did like 70/30
i knew most of the stuff but some questions just i did not know
Thank you tryhackme btw taught me so much stuff
and depends if they are considering physical security as well because if you can walk into a building into a network room...
ohhh i did not even consider haha
just ask them for their credentials
i think i said something along the lines of that
but i just said i wasn't too sure and id have to look into it
well wish me luck 24-48 hours I see if I can actually take my first step into security
good luck
regardless gotta keep learning :p
don't we all
wish you the best 😄
🙂
I've seen/heard of some crazy traffic egress using unsecured standard ports
Shady u got a degree in cybersec or did u built ur way up with certs?
- Encryption (mainly)
- Hiding through known good protocols like HTTPS or DNS (although most IPS are trained to pick up on excessive null record queries and stuff). In a world of Encryption, evading IPS/IDS is becoming increasingly easier
@trail granite certs and self learning using tryhackme
@languid hearth is there a room where i can learn more about this? or just like some website or video that you recommend
not really, its just kinda stuff you learn over time
for sure yeah that one threw me off for sure also some port scanning questions but everything else i knew somewhat decently
If anyone in London is interested in a job:
I came across your profile whilst searching for suitable candidates for a permanent Vulnerability Management Specialist role I am currently recruiting for my Investment Management client based in London.
This is a brand new role in a growing global information security function. You will lead the global vulnerability management capability both technically and in process. The role is key in supporting the information security risk management in the identification and management of risk and will be key in providing support and remediation strategies to IT. Globally responsible for tracking security weaknesses and improvements and helping the organisation be protected.
Skills and knowledge required;
Experience in managing and configuring commercial vulnerability scanning technology.
Experienced in setting up scanning profiles, conducting routine scans of security environments, overseeing remediation efforts.
Experienced in agent and appliance based vulnerability assessments.
Background in security threat analysis ability to determine risk level of identified threats and necessary urgency in remediation.
Possess strong technical understanding of common network and system vulnerabilities. Understanding of networking principles (OSI Model, routing, TCP/IP).
Experience of network infrastructure.
Ability to present risks and propose countermeasures to senior technology executives (CISO, CTO).
Experience of regulatory compliance and policy enforcement.
Excellent communication and interpersonal skills.
Desirable certifications: CEH, CISM, CompTIA Security, CompTIA A+, and MCITP.
My client is offering a base salary of £60,000 - £70,000 + bonus + pension + excellent benefits
If you are interested please forward me a copy of your CV to andy.macewan@merakitalent.com or alternatively call me on 07383 436 721 for full job
hello
normally how much time i will need if i practice 4 hours to 6 hours every day to get to OSCP
precisely 4.6 months
on THM
You will want more than just THM
the OSCP in reality is not a difficult certification. it seems big and scary, but its designed to be an intro course to pentesting
if i am a complete beginner then too?
especially if youre a complete beginner
if you were only somewhat a beginner I would've appended it to exactly 4.7 months
i have done CEH thats it
its an inverse relationship unfortunately
if you have prior networking, IT, and Sys Admin knowledge, you're good to start the certification today
and when I say prior knowledge i mean like you actually know it. Not kinda know it
how many people here have done oscp?
lots
cool thanks a lot everyone for the help
do anyone here know OSCP dealer who sell it in less price?
well that doesn't sound too legal
i meant there are some official vendors i am talking about that
i am talking about official vendors who can give the PWK course and exam voucher in less price as i want to take 3 months
Only offensive security
VHL - what does it mean exactly , I might ask 🤔
Virtual Hacking Labs
any specific you have in mind or all in overall ?
Hacking is 99% research. Get good at google, and get good at refining it.
@quick plover VHL literally stands for Virtual Hacking Labs
They were answering your question.
yeah... as ARZ said. only Offensive Security sells vouchers. It's not like CompTIA. People register for the course (using the voucher), go through their labs, use their exam attempt, pass or fail, buy a retake voucher, and so on.
There's no other way around it. You gotta pay the $1,000 minimum.
Unless you win it through THM etc
ok thanks for the info all
Hi
Sup
Why did u add me ?
i'm doing AoC to try to get a voucher
Just remember there's loads of people doing it
Approaching 20,000 someone was saying earlier.
https://www.gov.uk/guidance/the-uks-points-based-immigration-system-information-for-eu-citizens dropping this here for anyone interested
[somewhat a career question] should I transfer to a university in order to form connections/network/more opportunities (skill/leadership workshops and whatnot) but will lose some time doing cybersec learning (ctfs, thm, etc) or should I stay in a college where I'm doing well and have a lot of time on my hands to improve and learn more about hacking but have none of the aforementioned benefits of transferring to a uni.
if your current university is working well do not transfer
Im a high school student and have more connections and networking than a majority of adults, fully online. Its just about how you connect and communicate
Soft skills are severely under rated when job hunting. If you think the opportunities at a different university are better for you, go for it. Don't be afraid to do the networking events with alumni and ask your professors and instructors if they know any working professionals you could talk to about your career path - something like 70% of jobs are found through social networking.
Being able to have a better network/connections/opportunities is one of the reasons I consider transferring. The college I am currently enrolled at only has a small student body to begin with and my assessment of the students here are meh. The uni I plan to transfer to however not only has more students but have more of them activities, clubs, opportunities, more 'like-minded' people per se. They have a comsci society which promotes learning and growth of its students whereas ours does not.
The second being the subjects being taught. Currently at 2nd year (1st semester), the major subjects we have are c# programming and java data structures and algorithms. Java data structures - where they just teach us how to initialize Queue<>() objects etc instead of teaching us from creating simple node structures to making them into trees, etc. (I taught myself the latter in order to better understand how those data structures since I've gathered from reading online that most interview questions when applying to jobs focus on implementations of those data structures). Meanwhile the uni I plan to transfer to already teaches its 2nd year (1st semester) students data structures, digital design, and database systems. Speaking with the people I know there, they certainly have the better quality of education in comparison to ours.
i went to a 3rd tier school for CS - not the greatest, but it has a very strong alumni community. I actually found both my current job and my previous job as a result of networking at that school. FWIW.
yea my school doesn't have that luxury
I get that EU Citizens will be treated like the rest of the world's citizens and will need a work visa, but otherwise...how exactly is this different than needing a Tier 2 Visa like before? With this new points system, you'd need to find a company who is on the sponsor list, and they'd still need to go through the trouble of sponsoring you, right?
hey so i'll be attempting for my security+ cert in 4-5 months from now. Right now i am focusing on Professor Messer's playlist and GCGA. I was wondering if anyone has any other resources which they found useful?
Get a set of practice questions/exams. Jason Dion's set on Udemy is solid
Other than that I think you're already using the most popular resources
Thank you for the recommendation!
Hi. What do you think about COMPTIA PENTEST+ certificate? Is it hard? Worth to get?
depends on the company on how it gets weighted, but certs are always worth obtaining in most cases
That's really not true
Cert stacking is frowned upon, and a lot of certs are not worth the money at all
Wait why?
including comptia pentest+ ? 😄
Isn't more == better?
it depends on what sector you are in sometimes, I know DOD has different cert requirements based off job level
from offensive pentesting perspective
What are the different kind of careers in cybersecurity?
Cert stacking is taking very similar certs. Spooks can explain more
So is cert stacking like getting CEH, Pentest+, eJPT, and OSCP?
Security Analyst, Security Engineer, Security Architect, SOC Analyst, Digital Forensics Analyst, Incident Response, Threat Hunting, Red Team Specialist, etc..
It's getting a lot of certifications in a short time span without having work experience, which might be frowned upon, as it can be seen as compensating the lack of work experience in the field with loading up with certifications.
eCPPT rather than ejpt really
Ejpt is a lot more entry level
Oh, so if you have lots of experience it's okay?
Ah yea, forgot about the eCPPT
Many places just use the title "Security Engineer" for anything from SOC, to pen testing, to policy, to code analysis, you'll see many companies use just "Security Engineer" for all their roles.
It's certs at the same level covering the same knowledge
The idea is certs for the sake of certs, rather than certs for the sake of learning
It depends on the recruiter/hiring manager. It's weird to see someone getting many certifications in a short time span, as if they are cert collectors, instead of gaining the skills.
Also don't be that guy that lists all 196 Udemy courses he's taken.
Indeed. Which is highly annoying for new people in the cyber security field, when looking for job postings.
yeah my job title for most of my career has been security engineer and my jobs were vastly different, although generally security engineer we consider people that work to develop secure solution for various projects, its a very visio focused job
Going to start my internship as threat intelligence
if yall have any good resource
lets me know
Don't see many source cover about this 😦
feels overwhelmed
How about asking in #resources?
thanks
@loud marsh if youre going to start an internship theyre going to groom you the way they want I almost 100% guarantee more than half of what you will learn will be thrown out of the windows because they have their own methodology and tools they use
I 100% suggest following tryhackme as we will be releasing a lot of blue team rooms all this year
But at least I will get some experience... for my next job. Better than nothing
I want to do malware analyst but they told me it not an entry level role. I need to start at bottom then escalate to malware analyst
💀
lmao what threat intelligence isnt an entry level role either
what
bunch of crackheads
So he wants me to work with their API, then learn about IOC , write blog... research. It sound pretty intense
crack
I mean threat intel is a very interesting thing with not a lot of documentation
I would get familiar with things like redline, IOCe, YARA, any mandiant tools specifically advantage (requires email access), familiarity with ISACs (AlienVault OTX, ThreatConnect, USCERT, etc.)
there Ive given you some key words and tools that you can go and research now
yup those are the tool that they used daily. The company deal with maldoc mainly.
Thank for the info
My brain about to explodeeeeee
If you really want to invest and learn you can drop some money on an INE pass and learn a bunch about threat hunting, intel, DFIR, malware analysis, etc.
I wonder if all internships are actually for noob anymore
I hope in the next few year they don't require 4 years experience on internship

depends on the company and expectations
for cybersecurity internships it is assumed you have a genuine passion and pursue the topic a lot in your free time
for example an internship I have with a very large company is basically just a 6 week long project that you are guided by the other teams and then present at the end.
I know several that want people who can code for the interships and that is how they measure them
I wish they would offer the Cyber Pass monthly
they did it for like a month
And then realized everybody wanted that and not to pay 2k a year
And so they took the monthly away
I understand it's a business but it felt scammy
IIRC you can email and ask?
Oh interesting, I'll give that a try, thanks
@final goblet you sure about that one? I dont even know if its been out for a month
its in the plans it just has yet to be implemented
Do you mean the INE Cyber Pass?
yes
They released it October 20th and there was complaining on reddit
Everybody loved the Vera Labs
And felt this was pay to play now
I tried doing the trick to see the monthly option that somebody mentioned, and it was no longer available
This is what I'm on about
Hmm maybe I misunderstood what you meant
CC: @exotic epoch any updates on when the monthly pass will be out?
@final goblet If u send them an email explaining you want to do a particular course and certification monthly, I believe they will allow it
thanks for the info everybody
yeah I got the $1200 for 2 years deal, which is a great value imo
i believe they offer the monthly if A) you ask nicely and B) have taken a course with them(i think, dont quote me on that)
but I was offered the monthly and have taken a course with them for reference
i'm using INE starter pass
the sql injection study guide seems like a much longer slide deck than the pts barebones sql injection slide deck
Im skimming over xss and sqi. As I dont think its on the exam. Instead, portswigger academy is a better resource for both of those subjects
^ i can second that
Hey I just wanted to ask "is it possible to change interest field after few years of work in MNC?
Are there certifications for INE ??
yes
you pay for the certifications separately
MNC = multinational corporation or something else? It is always possible to change interest field
but like I said, yes you can obviously change your field of interest, IT is very fluid, Cyber is very fluid
Is it true that there are more jobs in blue teaming than there are in red teaming ?
yeah tons more
Oh
but you can take red teaming knowledge and apply it to blue team principles though
yeah lots of information is transferable
I'm an architect but planning to do OSCP next year just because
im completing my Graduation next year
i want work in this cyber security industry
can anyone guide me from where i should get started ?
whats your major? are you starting from 0? Do you have any certs?
i dont have any cert
im a student of BCA
Bachelor of Computer Applications
im not starting from 0
i have basic knowledge of Web Application pentesting
where in the world are you located (what country)
India
Certs then.
what?
You'll want to look at getting certs
Get certs my dood
which certs?
any guidance where to get started without certs ?
maybe i'll do it in near future
i want to afford these certs myself
Without certs? Get an unrelated IT job and pivot
There are pentest consulting services with offices in India - FireEye, Synopsys, etc. – find job postings from them and see what they look for in a candidate.
a $800 investment two years ago is currently netting me 100k/year~
Congrats
that is the best course of action, I can say for I've done it myself from dev to pentester
Wowww
Okay
Even if there are so many benefits of the certification , it very hard to convince parents. .
Because that 800USD sometimes is equal to yearly fees of the college.
Make your own money, if you’re motivated enough you will figure it out
I made things work for a long time with out getting certs. I am not sitting in a boot camp to get certs 🙂 luckily my work is paying for them but i still am here.
That's what most of the people do, get a job save money do security certification and change field.
Yes. Even with certs it would be hard to get into pentesting if you don't have a confirmed background in IT
How do you like the change? I'm a dev and considering a career change
I think it was the best choice I've ever made
Any recommendations for someone considering making the same move?
well, I got lucky, the company I work on had a pentest team, and still took over a year the transition, if you are in a similar spot I'd recommend you to talk with your boss, if not then go get some CTF experience and start sending resumes, I'd put level of Portswigger/HackTheBox/Tryhackme on it as well on the extras part
right on, thanks. Unfortunately my current place has turned absolutely miserable so I'm on the job hunt, so maybe the next place will have a pentest team I can try to work with
Where are you located? geographically speaking?
As central US as possible, Kansas City
I see, well, I don't know much about the US market at all so wish I could help you a bit more
Haha no worries, but if you have any leads on companies looking to bring over american devs, lmk!
for sure
But I would not recommend come to my country nowadays, violence is rampant hahahaha I live in Brazil
I actually am looking to relocate to Germany in a couple years
That's fair. I've actually been there! Visited people in Araraquara and Ubatuba
Would getting a master comp science + teaching cyber security on free time, be better than a master of cyber security ? Happen to able to get bachelor+ master in 5 years
I mean it doesn't really matter that much
🤔
I guess what is your goal?
Hardware/Software Reverse Engineer, Malware Analyst
Comp Engineer is also an option
i'm Comp Eng and Electrical Eng major
not sure if I should just go an extra mile to expand my Comp Eng knowledge
I guess whats the purpose of getting a masters? I guess are you trying to get a masters either way and trying to figure if CS or Cyber is better?
@pseudo creek yeah for a long run
i heard there is shortage of people who know how to code in depth in cyber security
not really
developers come into cyber security as a frequent path, it really depends
CS master would teach heavily in algorithm, Cyber Security degree would teach me all the Network/System/Web security
honestly, in the US, I don't find cyber security masters to be much use unless you are already in a cyber role and trying to go towards a management role
That make sense
and even CS masters is something you could wait on unless you really are burning to go that path
my friend did master cyber security but he also held OSCP cert
certs are better investment than MS degree, at least in the beginning
so it hard to tell which one prepare him better
I looks up plenty of Malware and Reverse Eng position, didn't see cert mention
so I guess I will stick with the generalist degree
yeah if malware/rev engineering, you can do a lot of self study, there are a few certs like GREM
and I think eLearn has 1
there are some BS and MS that also help get certs or include them in course work
Sans and INE
Sans will probably be out of your price range but INE has some good stuff
How come nobody sell Reverse Eng/Malware on udemy. Didn't see any good course about it in the platform.
Ya'll would make good money from it
there are RE courses on the platform
oh yeah there are some now. Last time I check, most of them are below 3.0 rating
RE is just a lot of practice, there are some things out there like this https://opensecuritytraining.info/IntroductionToReverseEngineering.html and https://beginners.re/
but RE seems partially to be a dying field unless you do vulnerability research at a company specifically looking for vulnerabilities
Because it’s super specialty and Udemy isn’t really for professional courses
i see
@pseudo creek how is it a dying field?
Pretty sure it's pretty good field to be in. Not many people want to do it so if a person get good at it. S/he can get job easily.
RE is not a dying field.
It's definitely getting harder now. but never a dying field.
I use RE every day to hunt bugs in android and iOS apps.
Thing is re can be used in alot of different fields
Yea
If you mean like a job where you ONLY do RE hard core, then yea I think those are pretty rare unless you work for companies like FireEye.
True
I think due to automation and information sharing, RE has definitely lessened in the amount of people you need to do it, which is why I say it is a dying field. That isn't to say there will eventually be no people that do it, just the amount of jobs will be pretty rare. And honestly that is a good thing for security, not the best thing for finding a job. If you want to focus on finding a job, time learning RE may be better spent elsewhere unless you use it as a hobby like I do.
and should say that I would differentiate RE from things like application analysis, which generally don't need RE to perform. Application security is its own bucket I feel, but again there are a lot of really good tools and automation out there for that as well.
yeep
should I take the Google IT Professional Certificate with Comptia+ certification?
I think I should so i can fix my own computer like MacBook pro when i do my graphic design work and if my macbook pro goes haywire
I would say if you are looking for entry level job, Comptia+ is best option
how much is the Google IT pro certificate course?
Google IT pro certificate course has where people can use their financial aid for it
@pseudo creek i've been thinking about taking Google and Comptia+ certs so i can fix my own pc while I am doing my graphic design work
well basic troubleshooting for a PC is something you could easily learn online without having to take a certification specifically
it really depends on what your career aspirations are
if you want to do graphic design then this is the completely wrong community for you unfortunately
I love Information technology since when I took an IT class in HS
also the IT pro cert seems to be a survey of IT topics without much depth
mhm
thats good!
but IT is such a huge field you really need to narrow your interests a bit - which is often the hardest part
but if you think you can get the course free, it wouldn't hurt to take it
yeah Zojja it's essentially Google's take on A+ (minus the annoying printer stuff)
the labs in it are actually kinda cool
also when I google the IT professional cert, they said they no longer offer financial aid?
unless they added again due to covid
Google IT Support Professional Certificate and Comptia+ certification is my backup career path if I have a hard time finding a job in graphic design.
graphic design is a tough field, I know someone who works in it
I've been looking at certs in Cybersecurity too. really wow cool
yeah its possible Zojja, I got mine back in July through my college - all paid for
well know a few people but doesn't mean its impossible/out of reach
also know a person who does Graphic Design - incredible artist but deals with a lot of crap
like what?
it just may take a while to get a graphic design job, if that is your dream, you could just keep applying, keep doing skills and maybe do IT on the side
mhm
not to discourage at all but graphic design is difficult and competitive - probably moreso than Cyber Security
but just build up a solid portfolio and take lots of art classes
I've been thinking about taking Google IT Support Professional Certificate and Comptia+ certification maybe a cybersecurity certificate too lol
so yeah
Yeah im planning to do RE free time and focus on malware analyst. :P
@warm hinge you dont need a certificate to fix macbook. I repair mine myself. There are some good youtuber know macbook in and out
@warm hinge if you want to do graphic design then i would skip both of those. Get a udemy course on design, start build your portfolio
I am pursuing a degree in graphic design at my technical college
School taught mostly basic and the foundation of the topic. They never get in depth anything. I would suggest you get a udemy course. You would surprise how much you learn from it.
ok
Can I ask you guys something
CEH or eCPPT for career
Which one you guys prefer?
If you want to land something in the US government, then CEH. If anything else, go for eCPPT
PenTest+ literally just became another option for US Government this week it looks like
PenTest+ is also a very good cert
I'm from Myanmar
Thanks anyway 😊
No problem 🙂
PT+ now ticks the same box that CEH did
That's good that it's PenTest+ now
Need a lot of passion, it not like black hat stuff. There are law and order
Oh okayyyyy
Thank you so much
So it’s more of a side income and passion than a job intensive field?
Cyber security as a field is very promising for a career
Oh okay
bug bounty though is more of a side hustle
I think it might all become automated in a few years
I think Google IT Support and Comptia+ professional certification won't help me find a job.
getting an entry level job isn't easy, certifications are definitely the better way. Are you trying to get a job while going to college?
I have a part time job as a youth/high school sports official
are you trying to get a full time job right now?
I am but with Covid-19 going on i don't want to take a chance to get hired and get let go because of covid-19 pandemic
well if you want a full time job, I'd definitely look at the sec+ or net+, and then start applying
ok after I complete the Google IT Support Specialist Professional certificate then the Comptia sec+ or net+ certification which I know i have to be recertified every 2 years
yeah sure or while you are doing it, whatever works
honestly, I wouldn't worry about the recertification, don't stress about it
ok
because things change and they keep the test up to date
ppl who complete the Comptia sec+ cert gets $81K per year damn
i would take marketing materials with a grain of salt but entry level IT with a college degree is usually around the $80k mark
geez
say I got the google IT Support Specialist Professional certificate and Comptia sec+ and net+ certification would it hurt me pursuing a degree in IT?
no, why do you think it'd hurt you?
idk I think it would help do better if I worked at IT firm and get a lot experienced and knowledge I would get a degree in IT.
I know I love being on computers all the time lol
I guess I'm confused at what you are trying to ask?
about what
so why do you think getting certs would hurt you?
I think certs wouldn't let me get a degree in IT
no that makes no sense, certs and a degree are complementary
ok
if you were pursuing a degree, I'd tell you to get a cert as well
mhm I would get the certs first and work at a IT firm and get a feel of it until I am ready to get a degree in IT or cybersecurity.
sure, but its not just a guarantee you'll get a job, it will still take a lot of work, self learning, etc
I thought professional certs in IT helps me to get a IT job?
they do but not a guarantee
ok
it could take many months, many applications, many interviews, etc
mhm some start their Computer repair shops with IT professional certs
@warm hinge yeah it could get you job as a technician support
IT help desk??
yea
I looked into the position before
yes IT help desk is a good entry level position
Mhm like helping people with if they are in a DDoS (distributing denial of service) attack, troubleshooting their PC etc
yes or things like password resets and what not
Okay
That sounds fuuuunnnnn Google IT Support Specialist cert program would get me a job in the lol 😁😁
@warm hinge if you are young, just use your free time and teach yourself ahead of time then attend college if you can afford it.
Lot brilliant hackers didnt even need their college degree and cert.
thats a lie if I ever heard of one
Guys need a bit help. Im still new to hacking & i really want to learn cyber forensics & cyber warrior any help is much appreciated
name one well known hacker that ethically gained a career without a single cert or degree
George hotz
he started his own company thats a bit different
he also didnt do things the most legal
He is the first person hack the iphone thou
I dont care what he hacked first
its unsustainable to use him as an example
Id rather use @languid hearth as an example of someone who doesnt have a degree and worked their asses off to make 6 figures a year
naw he is well-known and gained a career without single cert and degree. He worked at google, tesla before founded his own
can you give me more than one very specific example?
I think that model is asinine and unsustainable to be a role model for young people
those would be in jail 😂 before get a full time
as I said
name one well known hacker that ethically gained a career without a single cert or degree
the key word being ethically
Tavis Ormandy, he is in google project zero now.. he discovered the cloudbleed vuln from cloudflare
hes has multiple lawsuits the dude was doing some sketchy crap
never read of those
yall are giving very specific people which congrats to them, but it is going to be very hard to get anything stable with that path. I dont see why you would want to push a young person in that path
pretty sure he quits hack because hack law start to passing around. Most of his works are reverse engineer
there is malware tech as well
Marcus Hutchins
he doesnt have a career lol he got hella lucky and I dont even know if he has a job now?
It would be fun hacking my own iPhone lol
because he also did sketchy ass crap
Would I be arrested for hacking my own iPhone
part of the reason he doesnt have anything sustainable
@warm hinge could be, a youtuber was sued by apple for fixing macbook
Geez
His name is Louis Rossmann on youtube
you can looks him up and learn how to fix your own macbook
Look Ma I hacked my MacBook pro lol
He's got a job still. But he didn't get put in prison as he was young and dumb and then got blackmailed into doing it. But even still, nice guy, but still unethical
While some good points were made here, IMHO when someone is wondering whether a uni education is worth it, this isn't the best way to go about it. I believe they should ask themselves how valuable that education will be, and if it's worth spending a few years of their time for this reason. From my experience the answer is a huge yes to both of those questions. Some people might be asking because they're in a tough financial situation, and I can understand that. But I would go so far as to say, if it's possible for you to even move to another country to get an education, do it. Universities and study programs aren't perfect, but they're a good way to get a solid background in a structured way in the field you want to pursue a career in. Also, a great chance to learn from people who know a ton more stuff than we do. Sometimes it's hard to appreciate that fact if you haven't gone to uni, but even if it's possible to make it without going, you will have gaps, and most likely huge ones. IMHO, uni is much preferable to diving immediately into doing what you like, and then coming back to fill your gaps as you go. It's useful to know that some people have made it without going, but not a great way to think and plan the rest of your life/career upon.
on the topic of training and certification, i was hoping to get some opinions from the certified people here on the training they used. I've been on this site about a month and love it, been on HTB, in a SANS course, been on INE for eLearnSecurity, CompTIA, and had a few specific pentesting courses elsewhere. I just wanted to know what people thought of the training they used and any recommendations.
There is a lot out there and I just wanted to get a more clear picture of some of the resources
i also have and read a lot of books from nostarchpress. i actually really like those.
What exactly are you asking, what's the best resource to study for each of those things, or what's the best among them? It's a very general question.
it was a little open ended yeah. Im just looking for peoples opinions of the resources they used. im not sure there is a correct answer to whats best, or at least i doubt there is.
as in what resources you found most helpful/useful.
or which ones you tried and steered away from
#resources. A ton of useful stuff in there, as well as opinions on them 🙂
ill check that out thank you.
I hadnt even looked in that room to be honest
so i appreciate the pointer
Np, it will quickly become one of your favourites 😄
i love resource pages so i believe you. the number one question i've asked instructors/trainers was what their common resources were. its hard to learn/catchup/keepup if you dont know where to go to learn it
It's also easy to get lost in tutorial hell though, so it's best to work through a few resources and then move on to others, than jumping from one to the next and back again
ask me how I know 😄
lol im notorious for that. i cant NOT do the tutorial and starter stuff for some reason. fortunately THM has more or less had my attention of late so ive been in that situation since starting
well, until i got on INE. because i learned about it here
I want to learn about malware analysis and develop in this field, do you know any roadmaps on this subject? thanx
I wonder can I be a graphic designer and a web developer?
@warm hinge if you want to become graphic designer and web dev. Freecodecamp community would be a better place to ask
ok
ok
@loud marsh what is Freecodecamp
ok what code can I learn?
MERN stack
ok
Front end, HTML+CSS+JS, maybe frameworks like electron or react
Vue is very good
I'd suggest Vue over react for someone new to the field
It's also the most popular GitHub repo of all time 😄
it will give you the basics, you still have to practice
Okay, this is the class I am taking at my two-year college
Sounds like Wordpress or wix ngl
I wanna say... Adobe Dreamweaver?
Mhm
I might want to try free code camp
This might be a bit far fetched, but is there anyone who is working in the cyber field who is working at senior level/as a recruiter who would find time to review my CV as part of my uni assignment? I've been let down by a few people and trying to find someone last minute
???
https://www.freecodecamp.org/ I made an account on here
I'll be using Adobe XD and Adobe Portfolio to create web sites.
Hi all, I was wondering what does it take to be a security analyst
I have seen security analyst defined differently by many companies, most perform threat hunting of some sort, ticket management, SIEM watching, etc
Is threat hunting like pen testing @golden ore
I took two security courses in university but I didn’t learn anything
not really, most threat hunting is understanding TTP's and then being able to identify them in logs
it's good to know TTP's no matter what field in cyber you are in
I would look at the job boards and see what companies are looking for in a security analyst, like I said companies define the role differently and it's hard to say what one company is looking for
thanks!
@golden ore I am gonna learn and practice coding on freecodecamp for web and software design
it's a good place to start
mhm
freecodecamp has professional job certification to people to work at google etc
even for security?
When do you need it by? I can try to review it later. I’m not a recruiter but I am senior level
The deadline is Wednesday 15:00 GMT so I can even just add the feedback on Wednesday morning
Feel free to dm me your resume, pdf please
Thank you so much!
No prob!
does anyone use free code camp
they have their own discord, you may not find a lot of people here that use it https://www.freecodecamp.org/news/freecodecamp-discord-chat-room-server/
yeah I used to. why?
I am learning to program with HTML code on FCC
html is just a markup language. real programming will begin with JavaScript
cool
keep doing those projects and you can earn those free certificates. you can put them on all your online portfolios/resume/etc
Its gonna take me a while to get used to programming on FCC
mhm
because its been awhile since I took a computer science class when i was in high school
dont worry, you will get used to it
Mhm like learning a new video game u never played before.
all of tech is like that. i started playing modern warfare earlier this year. by now, i am really good at it, have unlocked almost all attachments, i know how to really make people mad, i've only been playing for close to a year. learn code for as long as i've been playing modern warfare, see where it can get you.
good lord i just dug up a dead body over here
Eh only by 4 hours
I've seen people necro stuff from a couple days ago here, or even longer
I think oscp
Definitely not CEH. eCPPT or OSCP. OSCP is better recognised in the industry. eCPPT apparently has better training material. I've not done the eCPPT training material though so I can't really compare
Why do people dislike CEH ? ive heard it a lot that people choose oscp over ceh.
Because it's got virtually no learning value. A lot of it is out of date, a lot of it is completely irrelevant
It's good for checking boxes if you want to work for the American DoD (although CompTIA is gaining ground)
It's also apparently sought after in India
But that's all it's good for -- checking a box, getting past HR, or an automated scanner
I see good to know thanks Muiri and congratz on ur oscp btw!
Np, and thanks! ♥️
Pentest+ now checks the same box that CEH does
So that's gonna be the better option for DoD IMO
That's the one. Couldn't remember if it was Sec+ or Pentest+
But either way, CompTIA is now the better provider for DoD
I mean that way you might actually learn something valuable, and have a better cert afterwards
Hey I am just a beginner
Can some experienced pls provide me a path to become good in cyber security
!docs free-path
@fringe spade thnx a lot
is anyone here a security analyst?
Probably
yes
@static tide are you a security analyst?
yes @warm hinge
no but seriously, are you? 😂 😂
I was joking, I would've thought the first yes would've been enough 🙂
@undone shore passed oscp?
Mhm
I don’t believe you 
fight me @somber bramble 
Ok come to america
no you come to uk
Me + 0day vs you
Guys, guys
Dont fight
Without a knife
Take this 
You can choose a legend to be on your side too
But I have 0day so I automatically win 😎
I hope (I haven’t asked)
Probably OSWE or eWPT tbh
Ok I’ll ask him if he wants to come
good you can come stay with me
we are fighting?
with knives
Not sure if eWPT contents are covered in pwk guide
I am targeting els 3 course. Wpt, wptx and ptx
oswe is white box though
Is there anyone here who was in the Military in cybersecurity?
And can talk atleast about SOME parts of it?
If they're actively in it, they probably can't.
I've been out for 8 years and there are many parts that I can't discuss still
What's this server about
Learning Cyber Security and Ethical Hacking.
Ohhhhh so it's not what I thought
What did you think?
@deft walrus u wont be finding any dark-web links 😀
@flint pilot why not? nothing wrong with the dark web if used correctly and your country allows it
@static tide is it ok to ask you a couple of questions about security analyst?
sure
ask them here, that way other people can also see the questions/answers
Do you mind describing your career path? How you became a security analyst? @static tide
Ah dang I was hoping this was a ip logging server lmfao
um hi is it worth doing an online course on like udemy or something im interning soon and i dont really have any certs
kinds concerned my chances for internship alone might go down
maybe try some easier certs, if you have some spare cash
um easier like ?
eJPT, PenTest+
ah interesting ok ill take a look into it ty
i got my ccna, did a year of network engineering, then decided i liked network security so i learnt a bit about security which led me into pentesting. after doing htb for a while, i decided to go for the ejpt, and started applying for entry level soc analyst jobs
the 3 big things they liked about me were: networking skills (ccna), offensive mindset (htb, thm, ejpt) and that i created some ctf's on thm
they also loved that you were blobular
He was known, amongst his peers, as the Valued Creator.
both very true
Is anybody familiar with Amazon's Technical Interviews? This is for a Sr. Security Consultant position, and is a role with zero information about it online, nothing on glassdoor, etc. It's just really broad in terms of what they could ask about, and I know the one topic I'm not an expert in, they will drill into it, so trying to be prepared.
I'd try see if anyone on Blind has info... if it's not already posted
wow didn't know about blind
ye, pretty useful and anonymous 🙂
what is blind
?
lmao
TC / YoE?
728k 1 YoE, FAANG. 41786 Leetcode questions done, AMA
I fricking love how everyone on Blind signs off with their TC / YoE
Some of my fave r/cscareerquestion posts too why not
If you ever step on a dog in an interview, killing the CEOs childhood pet in front of a panel interview at least you'll know what to do
What job should someone go for after getting their OSCP? Have 4 years of experience working L3 support + server administration
I’m seeing a lot of pen tester jobs ask for 4+ years of experience. Not sure if that’s specifically with security or?
@open leaf if you feel comfortable with Security and can answer some of the interview questions here:
#cyber-and-careers message
you're ready to apply for a Pentesting position. Server Admin+High level support is stuff they like to see. The only other thing they might want is SOC experience, but honestly, your Sys Admin experiences should trump SOC.
Is anyone aware how a regular day as a Tier 1 SOC Analyst (Alert Analyst) looks like?
Do you just fk around during your shift until you get an alert(s) or what kind of other responsibilities they might have?
What is the average salary for a pentester in Sweden? Is this yearly? https://www.payscale.com/research/SE/Skill=Penetration_Testing/Salary ?
average pentester salary oscillates around $80k yearly (not in sweden, whole world)
you can recalculate that to your currency
average world, or even country pretty much means nothing though
I agree, but he just wanted the average
It can vary from person to person, often luck is needed
Thanks for the info. I got a contract offer for pentest website remotely for a few days. But the rate is too, actually really low.
You can get some experience. If it's for a few days, even if it's low, you're not gonna lose much
I can include that as experience in my resume... Right?
Yes of course! But if it's really low paid and you feel exploited it's not worth it. If it's not the worst, then I'd take it 🙂
He says he want to prove my skills so that he can work with me for long term. And proved it well by pentesting in few hours. I did not really count the money. But he is coming with another project, and not sure what i should ask for.
If I were you I would try. Even if won't be suitable for you it's still possible to quit the job
Good luck!
For those that started out as pen testers what are some skills that you brought along with you when changed to a SOC role, and vice versa?
i.e. what are skills that are transferable in the different areas?
most go in a SOC role then a pen tester role
Some things you can bring are TTPs and attack techniques
pentesters can take away ways that the SOC detects to avoid detections
etc
ah ok cool thanks for that!
However, what are TTPs?
Tactics, techniques and procedures
Thank you 🙏 what a brilliant list
I was able to answer most of them on my own. One that stopped me up a bit was “- Without nmap and other standard utilities how could you determine a port is open” my first thought was the Python sockets module, nc and then curl/wget
Another suggestion I found after they posted that is bash can access ports, like cat < /dev/tcp/10.123.123.4/port
does comptia pentest+ have more active directory than linux or the other way around quick question
Download the Pentest+ syllabus from the CompTIA website @dim snow
tyty
the CTO of Leonard Cyber, which is a company that provides a service to screen potential pentest hires, wrote an interesting - yet incredibly biased - discourse on the state of hiring in offensive roles https://medium.com/leonard-cyber/three-ways-not-to-hire-computer-hackers-28a829996cb3
interested in this as well
I am currently an SOC engineer supporting their day to day activities but also curious what they actually do in the SOC
Pretty harsh, but I guess the guy has a point. I see why you would say it is incredibly biased hehe
That's why being the worst pentester and finding no vulns, then writing a report that the company is safe makes the most money
because everyone is constantly engaged in a game to inflate each others' self-importance.
Brutal!
The article is a 10 though
I like the way this company works
They ignore certs and have their own inside exam that will filter the best out of the best
Thats a silly way of doing it though.
We all want the Best of the Best. But the more you filter, then the less of a pool you have to choose from, and the more it's gonna cost you. In my mind, it's better to have one Amazing dude/dudette, then others that are good, but you can direct towards the skills you want/need in your business
But if they're recruiting people and then advertising them to other companies, like a job agency does. The certs like CEH or CISSP may not represent the abilities that they value in their work, so that's probably the reason why they prefer to run the in-house exam
Oh don't get me wrong, the in-house exam is ok. I've done it a few times myself. But personally, If I'm at that high a level (i.e 'best of the best'), companies should be approaching me. I ain't doing no exam to compete for a job.
If I'm mid level and they wanna see my skills, then... eh, I guess it's ok
I did it once before for an IT position. It was kinda cringy to tell the truth
I agree with this, as for example a top 100 Bugcrowd bounty hunter should be approached by the company, but not everyone is let's say "recognisable"
What did they ask you to do if it's not a secret?
Not even close to secret 😄
There was a written bit with a few IT related questions - most/all of it was straightforward.
Then he showed me a computer on the desk and said 'This doesn't turn on. How would you fix it?'
Hahahahah
Turns out he was being tricksy and the plug just wasn't in the socket, but was under a cover so not totally obvious.
Oh god
The company must've been a funny place to work at
Many experienced top-level workers I suppose
Second task was that he had an old router that he wanted me to reset the password. I just moved to the computer next to it and googled it. Turns out on that router you needed to hold the reset button for exactly 8 seconds
That's something your parents would force you to do when you told them that you work in IT 😄
Nah, It was a perfume/derma product company, and they'd expanded really quickly off the back of 1 line of products. Their 'IT guy' was just their web programmer who took on the role
I can feel the data breach in the future
Did you experience any similar job interviews?
When I applied for Digital Forensics, there were like 8 positions, so there were loads of people there. we had to do a 10 min presentation on anything we wanted in front of all the other applicants, then a normal job interview
What did you present?
How about the others? 😛
So my degree is in Internet Technologies, so I have precisely 0 forensics experience and was in a room of people with degrees and Masters in Forensics.
And I said that.
'.... So I've decided to present a short talk on Hacking'
I was up there for about 30 mins answering questions from the other applicants and the company bosses 😄
Like all really basic stuff. I described a mitm attack, spoke about social engineering, how hollywood is different to the slog of real-life
Did you show them the Threader 3000 haha?
Hahaha, Nah was even more basic.
That must've been the best day of their lives
They felt like they met Kevin Mitnick in person haha
Well, They gave me one of the jobs over some of the Masters graduates
Later on (Like a few months into the job), during a staff night out I drunkenly asked one of the managers why I got the job over those people.. Turns out, one of the skills they were looking for was the ability to be able to stand up in court
And the couple of Masters-students were like... tryhard hyper-nerds
That's something I'd also value over them
Are you still working with them?
No, I got made redundant after a couple of years
That's a pity, hope you found something better
Hehe, Yeah. I'm working for my family's Pizza company 😄
Couldn't have been better 😄
Zactly!
Reading that article is fairly interesting, but boiling everything down it's one giant sales pitch: "You're hiring wrong, license our tools/hire us to vet applicants for you!"
Evening lads, whats up?
Hi, so I am still in school but after that I want to do something with hacking so should I go for a cert or is there something to study in a university for hacking if so which of the two should I choose?
Plenty of certs, and an increasing number of degree courses in hacking
I'm on a BSc (Hons) Ethical Hacking course, for example
Ideally you want a degree and at least OSCP if you're in Britain
I am in Germany
and I am in 11th grade now
I have no idea what the grade system is I'm afraid. Look around at what jobs in your area are wanting, and see if you can get appropriate qualifications for those.
Okay thanks
Just as a info its like 11th and 12th grade and after that I'll finish school
Yep I agree with muiri focus on certs while in school and try looking for internships
It will be hard to get internships being so young but that doesn’t mean you can’t
Aight, I am going to do that thanks
Hey all!! just got myself an interview for a cyber security role!!!! 😮 its a junior role and I'm super excited, any of you got tips for the interview? what sort of questions would be asked and things? this would really help me out!!
questions will depend on what type of cyber security role
look at the pinned message, there are some good interview questions a few messages down
but yup, cyber security is a wide field, depends on the role you are applying for
what type of role is it?
it is more of like a pentesting role.
"We specialise in security testing, using a world-class anti-malware testing framework."
"We work with businesses, technology vendors and magazines to provide accurate and realistic test results that are useful to consumers and vendors' internal teams."
what type of skills does the job ask for?
so an MSP
doesn't give a great deal more of detail than that
skills wise is quite low as they are providing training.
"What we are looking for:
Meticulous attention to detail
Strong interest in information cybersecurity
Self-motivated and enthusiastic
Excellent organisational and interpersonal skills
Basic Penetration testing concepts welcome
Computer Science Degree and knowledge of basic programming concepts would be beneficial"
hmm that doesn't say a lot, I think the pinned topics could help you though
given the job description, it sounds like they are non technical people looking for a technical person
yeah the title is Cyber Security Analyst,
its for a testing company against products and services
but yeah thanks I will have a read through these thanks @pseudo creek
yeah but just because thats what the company does, doesn't mean that is what you do, there are a lot of supportive roles within cyber security
but it is good to see, one question I'd ask is what you expect to be doing within the first year
need some guidance on resources for security in Datacenter for IOT devices ?
like training, methodologies
hacking IOT or securing IOT
Hmm I dont know of a lot of resources for securing other than applying your normal security and monitoring methodologies already in place.
also it needs to be monitored
also why are you building a datacenter yourself
so also looking for got tools like solarwinds
huh?
It might be best to understand how to hack IOT before you try to secure it
I would recommend picking up this book and identify where IOT can fall and that should give you a good base to understand what you need to implement
thanks, will check it out
I think that book is offered in the humble bundle that is out till Jan 4th. looks like a good package on there right now can get a few good books at great prices
Hi all!
I just graduated recently with my bachelors in Cyber Security along with around 9 months time in the field between an internship and other IT job and I was wondering what the best way to try and get a security job is. I've been applying for the last couple of months for anything from entry to junior level and above sometimes but have had very poor luck. I've reached out to the HR departments via LinkedIn as well as written cover letters for some of them.
What advice would you have for someone who is just starting out in this field? I have no certs or anything like that yet. Any help is very appreciated!
@hardy brook Go on linkedin, look at jobs you would want to get, see what they're asking for. Most likely certs to go with the bachelor's.
Do you know of any certs that I should get first @quick forum? Are there any that sort of stand as an entry point or any in particular I should start studying for?
Thank you for the advice btw
Depends where you are.
And depends what jobs are asking for
Here in the UK, generally OSCP and a BSc ticks all the boxes
I'm over in the US trying to most likely go for some entry level security analyst or engineer position
Yea that's fair enough
@quick forum I'm hearing a lot about CRT over OSCP in the UK. Wouldn't recommend it though, given the limitations from CREST. You can use OSCP to get CRT without actually doing anything, but you're ineligible for CHECK that way, and have to resit OSCP every three years.
No thanks to that. I'll take the much easier CRT exam every three years instead
I've had a lot about CREST during interviews for jr pentesting roles
CPSA slings you right up in my experience coming out of uni and applying (for jr pentesting roles) before THM
I'm just hoping my OSCP (and hopefully at least OSWE or eWPT) does the same thing. Abertay degrees tend to carry a fair bit of weight too, for some reason I can't fathom.
I've already got cyber experience and working towards OSCP - how valuable do you guys see degrees for staying in the industry? Debating doing one remotely but it is a lot of effort, and since im in the industry already not sure if its worth it
It's gonna depend where you are
In the UK, for entry level positions, it tends to be BSc || 4 years exp
Yea fair enough. South E / London I am, SOC analyst currently but want to progress to Pen tester
i'd say don't bother personally since you're already in the industry
I mostly agree with this. There may come a time down the line in your career when a BSc/MSc/MBA may come in useful though.
I know plenty of people who have done amazing without any of them
I didn't have a BSc starting out, still don't ... but working towards MSc right now
sounds good gents... What MSc are you doing @spice yacht
yeee from what i've heard, more managerial positions may want a degree, but if you were to stay completely techy i wouldn't see the point
@inner pine Could you keep the content english please
sorry
Hey guys,
I'm a recent graduate in Master's Cybersecurity in the states, I have been applying for jobs since 2 months now and not a single call.
I'm starting to think it is my resume. Any tips on how a security resume should be drafted.
I'm looking for jobs as Security engineer/analyst, Network security and Penetration tester.
If you want to post a sanitized version of your resume here, I could review it.
Honestly certifications and work experience are the top 2 things employers are going to be looking for so you need to highlight those. Lots of times people omit work experience because its not relevant but any work experience is better than none.
Can i PM you?
Sure but I'd still sanitize your resume
Sure, Thank you.
One thing you can add is relevant coursework - especially if there is a strong practical component. Being light on experience hurts, but if you have a home lab that can help a lot with a first-job straight out of college. Another thing you can do is contact your university's alumni office and see if there are any programs to help with your job search
Oh, i had my relevant course work mentioned but later removed it coz some people told me not to have it on my resume. Sadly, no university programs to help me for my job search.
What do you mean a home lab could help?
if your home lab is set up to deploy and implement security tools, it can help substitute for experience - something is better than nothing
That's true,
How important are projects and what kind of projects can i build on my own to help my resume to be stronger
Target it for the role you are going for
if you are looking to be a soc analyst, set up a couple of dummy machines, FreeIPA, and a Splunk instance
if you want to do networking, build a pfSense firewall or get a prosumer grade off the shelf (like Ubiquiti) and configure some firewall policy
just to show that you don't just have the theory of how it's done, but you're working on building the practical skillset
That sounds about right, I will definitely look into that.
Also, i have just completed CEH v11, i know it is a beginner cert and not very technical. how much would it actually help me with my job search?
What CEH brings to the table is that you've gone through a basic ethical course on the ethics of security. It shows that you at least understand some of the attitude and mentality needed to be a trusted security professional at an entry level
Having a personal website/blog helps too, hell I had a blog with literally one post and my boss said I stood out at the time because literally no other applicant had a website
I am curious if someone experienced could tell me how you would work homelabbing into a resume? I have a hobbies section I seem to get decent feedback from but not enough room to describe my homelab
Yes, that's right. I have seen a lot of people hating on CEH too. That got me skeptical
Wow, that's good to know.
Even a referral has not helped me get a call and i am starting to think the ATS is filtering my resume out
I'd throw it into special interests - brief description of the purpose for your lab, if it's interesting enough to talk about in the interview, they will ask
ATS?
Applicant tracking System which filters out resumes based on keywords and etc.
Talk to a resume service and see what they say
one of my old co-workers found a really great job by paying the service to help rewrite the resume
Yeah, i paid for linkedin expert resume
the other thing i'd suggest is talk to professors you are on good terms with, and college study buddies
ALL of my IT related jobs have come to me through that kind of networking
Definitely, everyone has some different views on it and i ended up changing my resume countless times
Okay, i will definitely try that. Could you tell me some good services like these so i can look them up
i don't remember; it's been more than a decade
i just know that those services exist and have been helpful to people i know
oh , no problem
another thing to try is to talk to a recruiter for IT and cyber specifically
Thanks for your insight on this
a lot of recruiters don't get paid until they place someone, so helping you is in their best interest
Yes, that is true. Will reach out to them on LinkedIn
talk to someone at a place like TekSystems directly - the recruiters i've talked to off linkedin and cybercoders have been less than useful
True, the recruiters that i reached out on Linkedin were not useful so far.
and in term of projects, a github account with projects where you can point people can be useful
Honestly, I think the website describing your homelab would be useful. I'm not sure you can really get in depth in your resume enough to cover a home lab but you could write a single line about it
Personally my 'home lab' is vms on my computer so...
haha well its better than nothing
good idea though I was leaning towards that approach
Im slowly but surely building up my hardware, just trying to find a cheap micro tower to run pfsense on and Ill be happy
yeah it depends what you have, honestly I saw his resume and its not bad, the certs are good, yeah CEH but whatever. I think it is really a formatting question because (no offence RootBot) but first glance, I didn't even want to read the resume. And also looking for those foothold positions, Network analyst, network security analyst, soc analyst is where I'd focus
yeah formatting can definitely affect you way more than your actual qualifications sometimes, its frustrating but recruiters/hiring managers probably spend less than a minute or two on your resume
I personally use canva, I have a student account which gives me free Pro and their resume designs are quite nice
2-column resume gang
i'm quasi anti-2 columns but depends, I've seen way worse 2 column resumes than single pagers
like if you word wrap on your small column that is a no
Penetratio
N testing
no
That's totally fine, i am open to all kinds of criticism. and now that i see it, i believe you are right.
Great tip, will use that.
hahaha tbh that was something annoying I had to work around with word wrapping, I feel like people are 50/50 on the two columns but personally I have received pretty good feedback on how my resume looks despite the lackluster qualifications
one trick that has helped me, is that i write my resume in latex and provide source
i'm working on an adoc template as well, as that seems to be the most common markdown style documentation generator right now
Could you please elaborate this
and this as well
One of my biggest 'selling point' items is that I am a documentation guy
LaTex and asciidoc are programming languages to specify typesetting
ohh gotcha
switching to latex has been on my to-do list for a while, tired of fiddling with formatting
if a tool like javadoc or doxygen is being used, a team can store their documentation on a CVS and generate appropriately formatted docs as needed - abstracting content from layout
latex is a tough row to hoe, but IMO worth it
because if you can wrap your head around LaTex, MD and adoc are child's play
if I learned latex years ago I would have saved an insane amount of time writing papers and stuff
yeah
i knew a student who did all her note taking in VIM and latex
her workflow was insane, and she's one of the most talented software engineers i've ever met
I believe it that's probably the most efficient way to type most documents
I should do that just to confuse all my coworkers...
happy to offer any thoughts and whatnot on getting up to speed on LaTex 🙂
it wouldn't do me good at work though, all our docs are created on specific websites
Latex is also super useful because you NEVER have to specify any kind of layout nonsense past the initial template
you can render Latex as an HTML template too
IIRC
nah its not html, its something else, its kind of markdown but kind of not
oh, one of those horrifying language of the week template systems
a lot of those make me feel ill
the saddest part of many of those, is that they are XML based without actually adding anything new to require a new standard
oh and I should say for anyone, I'm pretty willing to review resumes, maybe not same day review depending. And I won't say I'm a savant at it but I've reviewed a lot of resumes through work and know what seems to help and what hurts
Completely agree with that 👍
MGT of IT.... more or less. I'm trying to keep my options open for my career, unsure if I want pure management or something like program/project management. Happy to upskill on the tech side of things myself
Appreciate that - internships didnt pan out for summer 2021 so going to test the waters in a few months and will need that review
Also, as someone who is working their first job in IT, is there a golden rule for how long I should stick around before looking for something? I like my job but I dont really foresee upwards mobility in terms of security roles, its possible I could pitch something eventually but I dont see the budget for it coming to fruition and I wouldn't have anyone senior to mentor me
being a constant jumper can hurt you over the length of your career but I'd stay at any job for at least a year unless a really great opportunity comes up and you can explain why
if you're jumping laterally a lot and not moving up it would raise concerns I'd imagine.
Fair, I think a year is a good moratorium on job hunting. Im still learning IT in general so I definitely don't even want to hop into a security role just yet but definitely don't want to slip into the career path trajectory I'm on, which would primarily be involved in something non-infosec related
Appreciate the solid advice as always!
yeah but its more like you get to year 7 and you've had 7 employers? the next employer would have a great pause at hiring you
oh yeah for sure, the 1 year thing isnt a hard and fast rule, Im definitely willing to grow into roles as well, which Im hoping I can do here
I left 2 NOC jobs back to back within 12 months... both were shift work and having started a family, they really didn't suit. First was day/night shift, second was 12 hour day shifts. I explained this at the time of leaving the 2nd one and it was np at all. Job after that was 3+ years and current job is almost 2 years
At least a year - things are usually 'easy' until then. Last I checked, most IT professionals stayed in the same role on average for 2 years
So I have no certs yet no (Job) experience in tech either. Been looking for something to do cyber sec related and found a place near where I live. How should I approach them?
Look at the skills you have and the job you want and try to chart a path there, you may not start in the industry where you want but getting experience helps you get there
I thought maybe I could go in and try to start with sales, marketing or help desk or something and then move laterally to pen-testing once I save up for the oscp, oswe, osee, etc.. Just nervous because where I live there's very few cyber-sec firms and I don't want to make a bad impression.
Thanks for the advice blackdragon. Maybe I'll get lucky and win the AOC2 OSCP raffle. Then I can try to do a real application
Sales and marketing will not help you with a pentesting career, its also not a lateral move, pentesting roles requires a lot of general IT experience and tends to favor people from sysadmin/networking/programming backgrounds
also do not worry about location, plenty of remote jobs, and the right employer will fly you out wherever
Hello everyone. Sorry in advance if this is not the right place, but I'm looking for a mentor in AppSec area. My idea is to have someone experienced to share some ideas, ask for appsec-related advice, career, training. I've been working in the industry for a bit over a year now. Anyone interested? I've asked the people I know and are my references, and got turned down. I thought maybe I could be lucky here
💯 IT/cyber security (whatever you want to call it) is not necessarily an entry level IT position. Whilst many jobs may say "entry level", you potentially need a lot of knowledge to gain a foothold in the area. Same goes for jobs like devops/sre
^ i needed 3 years to get into infosec
however i know people that were luckier and got it as an entry level
Hey guys. I am currently studying computer science and I am really interested in security. I would like to know what skills and knowledge is needed for someone to do his first steps at this field and what is better for a beginner like me to learn first?
this is a good general list https://github.com/ED-209-MK7/5pillars/blob/master/5-Pillars.md
Security+ is the standard entry level cert.
a+ and net+ are good base knowledge certs
security+, OSCP and if you are going into other areas of security SSCP
CYSA+ is a good analyst certs
OSCP seems hella hard
I'm not really a high level hacker
as yet
I'm trying be like yall lol
thanks for the info though
what is the best software
to learn?
and tools to know?
in general, to get a job in cyber
There's no one tool or software to learn
I currently work as an IT Specialist so i'm curious if it's different
i see
Are online Certificates good for proof of education of a field?
Are they best left out of a resumes? @pseudo creek
does anyone know when applying for jobs if a PhD is looked at differently to a Dr.Eng or DSc
yes... a PhD would be for research positions
Depends if you have nothing else... like you have a Coursera certification? Its not great but if you have nothing else... like I wouldn't put a certificate of completion there (like PEH) but you could put the course again to show you have done self training
The Doctor of Engineering, or Engineering Doctorate, (abbreviated Eng.D., D.Eng., D.Engr., Dr.Eng., or Dr.-Ing.) is a doctoral degree awarded on the basis of advanced study and research in engineering and applied sciences. In most countries, it is a terminal research doctorate. In the United Kingdom and Germany it is a higher doctorate. An EngD ...
Im aware of the difference but im asking about perception of both when applying for jobs and not what they entail. I think most employers know the difference and are just aware that PhD is "the best" (even if thats not the case)
dont know the difference*
what type of jobs are you looking for?
I guess like we don't see a lot of PhDs in normal industry jobs, we see them in various research positions. I've never seen anyone with a DrEng so I can't speak for that
I haven't decided whether ill be going for research positions or industry jobs yet, and i have the option of choosing either degree type. Because of the lack of visibility of doctoral degrees like DrEng I have the suspicion people think they're somehow lower than a Ph.D or else they would have heard of them. But I dont have anything concrete to base this on. Although, I think there are actual professor positions which specifically require a Ph.D which shows the benefit of them for research positions, but was more curious about their public perception.
personally, without looking at it, I would've thought they were a degree that schools churn out to grab money from professionals who went and got their MS and are willing to spend more money to be called Doctor. Like I said, I've never seen anyone with one/claim to have one so...
but it sounds like if you want more flexibility, go for PhD, or maybe even talk to one of the professors who is a DrEng and ask them
I haven't met a professor who isn't a Ph.D. Professional doctorates are more applied than research but don't think the quality is necessary less as long as the school is good. I already know which I'm going to choose, as I said was just wondering about general perception 🙂
so the school you are going to offers a DrEng but doesn't have any DrEng profs?
I havent met any but there could be. Also most professors are middle-aged or over so I don't think applied doctorates would have been considered at the time if applying for research. Either way you wouldnt specifically need a DrEng to teach the course to get a DrEng.
I would just expect if a school is offering that degree, they might have professors with it, I would expect all their bios to be online
There may be but its not necessary to teach the course or for the advisor to have one if your going for a DrEng. I taught by any DrEng and am able to get it
wasnt taught*
I'm just offering you a suggestion, if you could talk to someone who has that degree it may help, if you don't want to seek them out then you don't have to
Oh yeah thanks for the suggestion, I might look into it
will certificates compensate well for not having a CS degree?
Is there any certificate you can get being under 18?
It depends on the country, certifications you get
I'm in the US
can't speak about US but can say than in UK both are fine, depending on the organisation and their views of it
makes sense
I guess a lot of people are in the realm of studying something completely different in college
lots of companies still want to see some type of degree in the US, even if its not CS
easiest way to get in without a degree is start help desk work
but certifications will go a long way
cool cool
asking because I have a degree in Communications and Marketing
and currently work as an IT specialist
a non-CS degree is not looked poorly upon, some companies prefer certain CS degrees for roles but will sometimes supplement certs in place, it all depends on the company
gotchu
Hopefully, its not too much of an issue
I'm not trying to be a programmer anyway lol
I just know some python
Hey, i'm doing advent of cyber 2 this year and it reignited my passion for cybersec, so i wanted to ask for some guidance. I am aiming for the oscp as my first cert, and i think the equivalent of my studies in the us is software engineering undergrad ? My question is, what is the wisest path to master all the needed skills in the domain ? Like what topics should i cover first ?
There are a lot of resources out there that detail the OSCP exam and how to approach it, the Offensive Pentesting path covers many of the principles on OSCP
Yeah i know, i read TjNull's guide, i carefully read the pwk syllabus, i even read various reddit posts that talk about someone's journey to oscp, but that just made me really overwhelmed by the diversity of topics, so i wanted a little help as to how to organise my learning process, my main goal is to become a well informed pentester, oscp is just a first step.
I'd review this https://github.com/ED-209-MK7/5pillars/blob/master/5-Pillars.md
basically good foundation is first step, a software engineering degree would be useful for some aspects but perhaps not all
My process won't work for everyone, but what I intend to do is start out with one of the less technical, more documented(probably wrong term) pentest certs, either CEH or Pentest+ and use that as a map for all of the basics I need to cover. While studying each section or area for instance web pentesting, I'll supplement with outside reading like OWASP, and appropriate rooms on THM like juiceshop or OWASP top 10, or whatever for technical practice and hands on with the tools as I go. Additionally, while I'm going through a section, I plan on scripting out simple python versions of the tools to get some hands on experience coding/toolbuilding. Once I'm comfortable with a section, I'll move on to the next and continue until I pass the cert test. After I have the basics down and the cert, it's pretty much straight into PWK/OSCP and doing a ton of research to figure out anything I'm still missing.
@pseudo creek THANK YOU SO MUCH, this is the type of resource i was searching for.
@visual herald the problem is that i can't afford to pass many certs, that's why i am aiming at oscp, because it is the most respected one in the decent price range ( and even with that, it'll take me some time to afford its cost).
@visual herald u can map out the basics with some free guides out on the internet, or one of the hacking platforms. The eJPT free course could even be ur “basics” course. Thats just how i see it
And don’t buy in to the notion that you have to have OSCP to work in this field. Plenty of people with no OSCP pentesting because they networked well.
One of the admins on this discord is proof of that.
I'm well aware of that, i chose to have it just to consolidate my acquired knowledge and skills throughout my learning process since i'm not a cybersec major.
Far cheaper ways to consolidate knowledge without spending a grand to do it. I ended up paying $1,300 for an exam attempt because I wasn’t able to benefit from their one size fits all educational model.
VHL would be a cheaper and better way in my opinion. But to each their own.
thank you, i'll think about this
can your current (or future) employer pay for it?
Considering where i live, no
