#cyber-and-careers
your personal experience and knowledge is what matters after HR okays your resume.
it doesn't matter how old you are, what your sex or gender is, what matters is what you know.
and your confidence level too
@spice yacht in my country, employee support is not even a thing, cyber security too, so i wanna get the oscp and try to get a job abroad
@languid hearth that's why i'm insisting on organising my learning journey, to make sure my knowledge level is on point.
completely understandable
There's something very important that I learned along the way
the more you learn the more you realize you don't know
it's going to be incredibly difficult organizing around that.
it's a big thing to have confidence to ack that in interviews too
I've always come clean about not knowing stuff but will state "if I have to guess...."
oh 100%
I've been on the other side when people try to BS their way through questions and it's a car wreck
never lie about things you don't know, hiring managers appreciate honesty more than anything
I'd much prefer someone come clean when they don't know... coz if we're dealing with an incident I want to be able to know what people's limits are so we can get it sorted asap
I've had to 86 a couple of interviewees when they came in because they had no clue what was even on their resume
it was like they had found a couple samples online and mashed them together
Hey ! Just wanted to ask that is there any way that i can have a mock of eJPT.. just to see how the exam is done and what to expect and of course practice too.
the Black Box Hera labs are a pretty good representation of the exam difficulty. the offsec path (besides Windows rooms) on THM also has some relevant boxes that are pretty close to the exam as well
Okay so i have done beginners path and 46% of the offsec path... so do i need to get this black box labs or is this enough ?
Can u get the eJPT being under 18 years of age?
You should be able to I didn't know think they had an age limit I thought that was only offsec
Elearn doesn't care
Thx
I'd say you're most likely ready. If you have retakes I'd say just go for it. Not sure if the Black Box Hera labs are free but I would 100% recommend doing those because they really are excellent labs on par with some of the better THM/HTB machines.
Thanks...!!!
yes they are free and i deffo recommend doing all of the labs associated with the course
Well i was thinking of not buying the course.. only the exam voucher for the exam
it's free with the ine starter pass
Ohh.. let me look into that
Was interested in how easy it is to make a jump from testing (an IT profession) to Pentesting? Is it like being an outsider or is there some overlap?
what kind of testing do you do? User acceptance test, bug finding, etc? (i probably cant give u a good answer but good info for the others).
Oh, i am learning to do all of those, right now, mostly bug finding, now at the manual testing part of the course, but we did usability testing also
I am still learning at school of testers
Looking forward to automation part of the course, we will learn python, to automate testing, this is a very popular among recruiters right now :D
Also you apparently have to learn Linux for testing too, which is a transferable skill
Anyway, you can ask me about testing, i can answer to the best of my ability
If you do application or web app testing , there's a good chunk of overlap with pentesting in general, since mis-configurations or command injections for example tend to be ways to get in to a system
Thanks!
Interesting
Most of what testers can do to test security is look if passport form covers up the password
Not much
Similar crossover with SAST. Understanding bad patterns can give insight into when specific vulnerability types exist
Nice
hey guys, i am a computer science student who has to do an R&D for a sem, and i would like to do it on any cybersec topic as that is way more interesting than any topic that our univ gave us, so can someone suggest some good topics for it? cause i found 4 till now and have to suggest them to our professor for the same.
Hi. I would like to get some security cert. Is eJPT is a good start?
The eJPT is a great start if you want an easy step into pentesting, I passed the exam last month. I would recommend first obtaining the CompTIA Security+ as this is a good prerequisite to the eJPT. After you have the Security+, then go for the eJPT. This is my personal opinion, others may disagree.
Should I include courses that I took but didn't take the exam in a job resume? For example the comptia A+ or Network +? (I just couldn't stand the physical cable speeds and specifications required for the exam. I'm a software person.)
Yea and doing those fundamentals certs at the beginning, youll then figure out what path u wanna take whether its incident response, red team operations, security analysts etc
@ornate night I would just mention it at an appropriate time if a question of certs or proof of knowledge is asked
@flint pilot Thank you!
@ornate night at the end of the day, u wanna sell urself and stand out. So adding some appropriate certs verbally is fine. Ur welcome
There's a lot of good options. What particularly are you and the school looking for? I've seen a lot of universities focus on AI applications of cyber, that would be cool if you are into that. Reverse engineering is a good one. You could focus on malware analysis, or exploit dev. Memory forensics seems like a cool topic, that could be worth research.
well our university isn't focusing in any as such, but i am trying to do on some red-teaming related topic and thank you for the options you gave, got something to think about so thanks again.
I was taking a look around cybersecurity jobs to see what people mostly ask but i see different skills everytime. What are the most basic skills someone should have in order to be able to apply for a cybersecurity job (except of the skills that companies individually ask)?
it really depends on the job, but if you look at the pins, you'll see some questions that may be useful
basic networking knowledge will be needed for most if not all domains in cyber security, and lots of junior type roles might focus on web vulnerabilities
basic linux stuff i guess
so make sure you know what sqli, xss, csrf etc are and how to exploit them, as well as how they can be mitigated
cool
basic linux yeah, and windows admin
i'll search it more deeply but i wanted a small taste of that
again depends, like my area, for entry level/junior, we wouldn't expect them to know linux or windows admin, we also wouldn't expect them to know how to exploit specific vulnerabilities
we would expect them to be able to explain what a threat, a vulnerability and a risk are and be able to talk about those. We would expect them to understand some idea of each. So you could talk about common web vulnerabilities for example and threats surrounding those
Not directly related, and not a dealbreaker for getting hired, but if you want to stand out a good thing to have for a cybersecurity position is understanding of office productivity software, word processor, spreadsheet, presentation, etc. Either MS Office, an open source option, or really anything. You don't need to get super advanced and write macros etc, but you will want to be able to put together a decent report, do some basic calculations or be able to pick which systems have the most vulnerabilities/log entries and how many, and also to be able to put together a short slide show for a meeting.
its not free so its not frequently used but 50% of my job is done in visio, 30% in powerpoint ha
20% ?
paint
I don't want to be that one person with the boring questions but i really need to know, is it possible ( i'm talking about availability and opportunities here not legally) to have a cybersec job/internships while living abroad ?
I mean, is it something that is casual and regularly encountered or is it a one in a million thing ?
remote jobs currently are fairly common
Yeah but if companies are offering remote jobs, do they not care where are you from or where do you live ? Because it's still relevant even when working remotely
i work 100% remote, I could move halfway across the world with 0 impact on my job as long as I have an internet connection
Yeah i've wondered that - so will American companys hire remote workers in the UK, I doubt it
This is what i'm talking about
I believe that gets really complicated for tax reasons + Visas, way easier for a US company to hire a US citizen
for the right candidate, US companies will def bend-over backwards for some accommodations
Yeah this is basically my question, like it would be amazing if that was possible
absolutely possible, with cloud services set to boom in the next 10 years the work-from-home sector is bound to increase a lot
The stipulation of my job is I can work anywhere within the US
Ideally i'd be working for a UK/US company whilst on a beautiful beach somewhere in Asia haha
yeah I would definitely have to give some heads up if I was gonna move drastically but its nice having the freedom
This is not what i'm saying, @ancient prairie you're talking about current employees who are sent to work from home, i'm talking about getting hired to work from home + being a foreign citizen
Also when they hire from outside the US, they pay in local currency
I know what you're saying, its definitely possible and happens a lot, commonly these foreign workers don't get salaried and are contracted
I will say that generally security jobs in the US frown on foreign nationals
security is different too, definitely harder
For the experience gained, i'd definitely accept that
Unless it's for work in that country
So to conclude, it is possible but legislations and politics makes it super hard
I am from India is oscp enough??
don't let anything discourage you though, the right candidates for a job will always stand out, never hurts to apply to US companies regardless, just don't lie about your location and see if they will work with you or the very least offer some advice
Thank you for the advice, i'll try to apply
Does thm actually help in finding a job?
you could have an 8 year college degree and it could not be enough. It depends on what you know and what you've learned.
Yeah but for a company to know what you know and what you've learned, it must consider you as a candidate in the first place, and that's where the oscp/8 year college degree etc .. kicks in
sure, but you can meet someone at some meetup, shake their hand, chat with them and hand them your resume and that can be enough as well
it's subjective.
the only right answer is to look at what jobs want what and try to meet those requirements.
I wanna get that one^ it'll help for my job.
However, with the way it's structured now I'll wait till I have more experience and knock out eCPPT, eWPT, and eWPTX, with 1 subscription. Maybe another 1 idk.
My friend got eCPPT rather quickly.
hello guys, I want to ask a question, I'm kind of having trouble. cyber security jobs in our area is scarce and no entry level jobs. but cloud engineering/analyst have some opening. im thinking of applying for cloud engr but having doubts cause i want to pursue a career on cyber sec. a lil background about me is currently have a job as a full stack webdev for 4yrs.
Honestly having cloud experience would be a boost for any security career right now, I'd keep looking for entry level security jobs but this wouldn't be a bad pivot
Hello guys
I'm a junior
How to gettin cyber security field
I have done CEH and CCNA
Please give me suggestions
@neat wing offensive or defense preferably?
offensive @warm hinge
@neat wing ofc thm Offensive path, uhh cert wise, eJPT to get ur feet wet in pen-testing methodology and more, OSCP of course. Self-projects are great to learn new stuff
I mean it really depends what topic of offense u wanna touch on, network, web app etc. if u want web app, nahamsecs beginner guide on his github will help u out too
yes
Thm web path and Portswiggger academy will help ya out with learning web app if u like that stuff
really
now i'm doing penetration testing
Network pentesting is good
web app i don't know
Okay so dive into active directory, wifi hacking, and u can practice on the throwback machine as well
Mess with firewalls also
sure @warm hinge
A good tool u can mess with ofc is wireshark
What do you mean by junior?
beginner @polar rock
Handshakes are for cracking WPA2 passwords
That's only one type of attack.
without handshake access wifi ?
Wat
I recommend taking some time to read up about it
Read up about the types of attack, the impacts, and how they work technically
You don't learn Kali Linux
You learn linux not kali
Ah ok
I'd start with the Linux Fundamentals room. Teaches you how to navigate the system
So basically ive tried n+ and ccna
Then you start learning how stuff works. That's how you learn to hack.
So are you trying to learn networking or linux first?
Yes
Because il instantly give up on it
Then hacking might not be for you
You don't have to do networking as a career, but knowing networking is necessary for cybersec
No like
The networking on the course is more of a network engineer thing
Like they complicate a subnet
You still need to know how networking works
The subnet has too much math and all that
^ Esp if you start going for certs
I gave up on that bit
Subnets aren't too bad, there's charts and calculators online
Subnetting is easy once you learn how it works
Are u allowed to use calculators on it?
Not even any maths other than simple addition
Even during the test
"the test" what
Ccna test
Not sure what test. I haven't taken any certs yet outside of my education
Do ppl use calculators when doing a test for the cert
No
Or do they acc get a piece of paper and work it all out
Type into google "can you use a calculator for ccna"
Bruh
They want u to memorize a whole chart
Calculators arent allowed
Ig they really do like putting ppl off
you just need to know base 2 to understand the subnet, and you can't go above 255
This honestly sounds like you don't want to do it. Not that you can't. You realise tryhackme is entirely self motivated right?
I wont remember it
Then you need to study more
I dont mind the other things but is just networking
Dont overcomplicate or worry about memorization. U dont learn based off memorization anyways
Just practice and practice
Network+ was twice as hard as ccna
How long did you study for Net+?
I got CCNA about 1.5 years ago, no calculator allowed
2 months
just learn up to 8 bit binary, that's all you really need for subnetting
I have done networking for years, I still have to double check myself
Again, hacking does involve networking. It's kinda core especially as you go more advanced.
True but i got put off by the networking videos i watched
Just follow that
Do you have a version for paid members? haha
Yeah there are actual paths on the site
True I'm dumb lol
Heath adams legit has a great networking vid(s), not too complicated, to the point and easy to follow. Idk if he has them on youtube but its part of his PEH course @warm hinge I feel like the videos u watch are bland and not the most intriguing which I understand
I watched some guy called Professor Messer
https://youtu.be/ecCuyq-Wprc
Sunny was my GOAT in my networking classes
Class B ID - Subnetting
https://www.youtube.com/watch?v=wuIdYxaV46Y&t=10s
Subnetting a subnet
https://www.youtube.com/watch?v=aVTEZHC2wdA
VLSM subnetting - CompTIA Network + Simulation Question & Solution
https://www.youtube.com/watch?v=pkiS3BcEfS0&t=1s
VLSM Subnetting - subnetting a subnet
https://www.youtube.com/watch?v=RLCd5u0sjoU&t=10s
A s...
He did n+
I watched that guy too
He kinda overcomplicates it too
Il try watching Heath
But even beyond the videos stuff. In infosec, there will be things ur gonna be put off by, but u need to know at least the basics of some stuff
Thing is when ur put off, u cant learn it
Well thats how it works for me
Okay that can be fixed then
Just so u know i easily give up as well and please dont pick on me for that
I gave up after 2 months on n+
Jeremy Cioara on CBT Nuggets is great for networking
Then again, this might not be for you.
It's something that's entirely self motivated
It is but that networking is a full time networker's tutorial
Something that you need to have persistence with
You still need to learn networking.
You still need to have persistence
You still need to be motivated to learn hacking
Agreeing with James. The fundamentals don't change regardless of career in IT
I am but it just has too much to it
And these people over complicate it
If they could keep it simple
Maybe i would be put off
Ok, stop complaining about it
Im not
Im just saying
These are my experiences
Id say its a mind barrier thing that Ninja mentioned in the beginning, once u develop a strategy to overcome this, youll be more consistent and persistent like Ninja said
You are. And you've done that constantly for the last however long
i hate networking too, it's confusing af. But you have to keep trying to find a medium that suits you. Maybe YT vids aren't the best way for you
How do i find a strategy
I would say maybe don't sweat learning Cisco command line and stuff but you still need to know how a network works in detail, OS-agnostic
Do i have to do ccna tho
Well i cant guide u there, like Ninja said, self-motivation. U know how u operate ofc. So you need to figure out an alternative
Thats wat i ask
That depends on the person. Im more hands on so I love sites like THM and HTB. I'd use programs like cisco packet tracer to practise networking
Ccna and n+ im not ever doing those again
Google it
OSI model, how a router forwards packets and changes the next hop MAC, etc
Google is your best friend.
Net+, Sec+, and A+ are the 'trifecta' for CompTIA before moving onwards
Il try all those with n+ cut out
Unless you have work experience or a degree or something, those are the ones you should be studying for
I mean for infosec not so much
Best way to deal with this, if u want an opinion is too reflect. Just take time and find all the stuff that isnt working and how to change that @warm hinge
I'd agree James, but it's a good general foothold esp for someone that is struggling with ccna and new to unix
Think ur right about this
I tried for 3 years but is too difficult
@warm hinge reflect before building a mindset like that. Obv we cant ignore reality, but dont give up
Tried 3 years tho :/
Im better off not doing this ninjas right
@warm hinge U know whats best for u in the end. Good luck doe, I still think u can pull through!
I always wanted to do this but is been difficult and now, someone acc says this isnt for me so ig im better off doing nothing
Since ive tried a long time
If i couldnt do it in that time
Then i cant do it now
Been great and difficult but ig is time for me to leave it
It's just you've joined, you've tried to start trouble with people intentionally, and then complained that a topic is too hard for you for literally 30 minutes
Ok
Ive been here for a long time acc but ok and also ur right
Goodbye
I hope the same happens to u
Hi, wanted to ask if I can get any advice on where exactly to start learning about cybersec, thinking of subbing to THM but wanted to know if there is also any other source where I can start, got the Google's networking course not too long ago from the IT support specialisation but don't know where to continue.
Honestly THM is an amazing first resource. I found this post on reddit a few days ago, might be a good reference https://www.reddit.com/r/tryhackme/comments/jf0iwy/my_cyber_road_map/
that was a meme btw
lol xD
CEH at the end is
But if the rest is legit then will check it out and also, I agree, THM looks pretty reliable imo since it has learning paths and everything, will start there then
Thanks btw
Yeah. I just paid for VIP a few days ago and so far has been great
I think I learnt a semester of vuln analysis in the last 48 hours
Nice, will give it a shot then
And even if i'm a complete novice I can still do CTF exercises right?
yes
absolutely, there's plenty of beginner content
Great, thanks to all, good to know that discord has good infosec communities like this one
glad to have you here, if you have any questions.. don't be shy. 70-80% of the content is free so don't feel pressured to subscribe. however, the learning paths are nice and should give you a nice base
Yeah, and supporting is always good anyway
After learning how to program and stuff I came to realize the effort all the people have placed on their content, either free or paid (or with donations)
So, will deff be subbing
thats awesome, i hope you learn lots!
Howdy, new to the discord (and site) and recently subscribed. I'm transitioning out of an industry that got train-wrecked by the pandemic and am looking into obtaining a position in the cyber security industry, specifically a SOC analyst initially. I do have a couple questions to ask if that's alright.
-
Considering how important networking is with success in the industry, should I get both Network+ and Security+ certifications or can I count on the networking overlap in Security+ to cover what I need on the certification side for entry level SOC analyst positions?
-
I'm attracted to this prospect of playing both sides of the Blue Team/Red Team fence because its flexible and I like the types of challenges where you can play both sides of a problem. Could this approach work as a career focus area long term or would I be better off picking one of them and concentrate on it relatively exclusively?
Thanks in advance for any and all help.
1.) you're going to want another networking cert most people recommend CCNA
2.) There's tons of overlap so most people tend to learn about and participate in both even if they focus on one or the other @upper obsidian
Would you recommend then a competitive entry level applicant have their Net+, Sec+, and CCNA then? I'm trying to plan out my next year or so of cert studying. I'm hoping to do Net+, Sec+, and OSCP if I can study hard enough.
CCNA, Sec+, OSCP.
You'll learn the foundations of networking much more. CCNA requires a lot of practical study like the OSCP does
I've heard that a lot honestly. Seems OSCP is definitely on my radar for this time next year
I can see you have a lot of certs, do you mind giving me a brief timeline on how/when you obtained them?
A+ - 2018, CCENT - 2018, OSCP - 2019, CCNA R&S, 2019, Sec+ 2019, CySA+ 2019, PenTest+ - 2020, CEH - 2020, OSWP - 2020, Net+ - 2020, GNFA - 2020
A+, CCENT, CCNA, formal study via college
Sec+, Net+, CEH, CySA+, PenTest+, yolo, no formal study
OSCP, OSWP, formal study and training provided by OffSec. I used HTB for prep my foundational knowledge
GNFA, training provided entirely by SANS
@languid hearth Sec+ holds merit after OSCP? Might be mixing them up but is it not the one people often use to ramp up to OSCP?
oh nice, the subreddit -- the guy that runs that has an 8 pack and invented the concept of security!
Would you stop trolling please Bee? smh
Is it advisable to get A+ as first Cert at this point even for cybersec positions?
from what people have said about A+ is that it is to show you understand the very basics of IT and if you can get a sec+ or net+, that is preferable
a+ is more like the basics of how a computer works and os related IIRC, but it is has been a few years since I took mine
Ok, cus I read about it on the networking course from google, thought it was a networking only cert
depends on your background, for someone like me without a college degree or an IT background, getting the A+ was crucial for me to supplement those gaps on a resume
A+ is considered entry level to IT in general, assuming no other academic background in IT or CIS
I might need to get that then, did not went to college or anything and Im going through the Google IT support cert in Coursera
But they mention the A+ cert there
i also finished that google it cert, if you get A+ as well you can get a special badge on linkedin that supposedly will help you stand out to recruiters, not sure how true that is but never hurts
as trash as i think linkedin is, i find more value in linking my certs to linkedin for client-facing and customer-facing reasons
if someone is paying the company i work to have me do stuff, they need to know what my qualifications are
but what about the quotes people put on linkedin they are truly inspirational
truly great
want to try a fun experiment? create a throwaway linkedin, and randomly endorse people in sales you have no clue who they are
like car sales in san diego, or b2b marking in atlanta, and see all the crazy endorsements you get back
"I once saw a homeless man outside my office. He asked me for cash so I beat him to an inch of his life. Just before he passed out, he said "your load balancer isn't working".
Thankfully, to this great soul our mega corporation can now survive. I have since decided to write about this and profit from him even more."
"xxx is a great manager! supports his people while being a rockstar with customer sales!"
mostly because of DoD bs theyre also two different certs
10/10
Imagine looking to make a few quid to buy some Lego and you have to sit through Bryan, Director of Sales, coaching you on how to scam old people
"So inspirational!"
This twitter account is gold https://twitter.com/CrapOnLinkedIn/status/1311192475277590528/photo/1
i had something similar happen to me.
I sent a connection request to a guy who i use to go to school with. He rejected my connection request. 6 months later, I landed a nice cushy job, connected with his boss, he later sent me a connection request back asking for career help :kekw:
I remember Leggy was saying that he felt like a minor celebrity when he put his OSCP on LinkedIn
Thank you! Were you completely green at your A+ cert? One year to OSCP seems quite impressive
nope, i was into pc hardware long before
https://www.microsoft.com/en-us/us-partner-blog/2020/10/05/sharpen-your-teams-technical-skills-with-the-cloud-skills-challenge/
^ Free certification vouchers
Is the 365 Security Administration any good? Or is Azure the better play?
365 is everywhere, but you need to be in a job role that requires you to configure it.
Azure, you know, you dont need to be in a cloud role to use it
The O365 certs are usually job specific and aren't really general-purpose ones like CompTIA which are OS-insensitive, in my case I have been strongly encouraged to pursue O365 certs because we use it everyday
A little out of topic question, I started my courses on October and I have gone through Intro to Computer Science, A Python specialisation and I'm halfway through my Google IT support, I can start as a Help desk support even if I want to pursue a Cybersec? Should I wait until I finish my Google cert first?
security usually isn't a 'first job', even at entry level
Well, not in security, but on a Help desk position
Help desk is a foot in the door
yeah help desk is a great first step towards security
what about something like IAM? I got a job in my university as a student assistant for the IAM team although eventually I'd want to become an infosec analyst
IAM as in AWS EC2 management?
But I dunno if I'm ready, like, I have been dealing/working with computers almost my entire life and I worked as tech support for 3 years for Comcast and now I'm going through my IT certifications, is that enough background for a Help Desk position?
Yep. 90% of help desk is asking someone to power cycle three times
that would be really good
uh it's like doing stuff with CAS
I'm still going through training so I'm not entirely sure
IAM is the same name as AWS but Identity & Access Management
copy
yeah, that's a good start into security
a GREAT first step is to identify the parts of the CIA triangle that deal with your work directly
and try to figure the ways people can try to play silly buggers
would like to check if CISSP will need any verification from my former employers regarding the 5 year experience thing?
they likely will
will ISC be contacting them or i will have to produce a letter and evidence to them?
pretty sure is the latter
you'll need a resume in their format that's also endorsed by another CISSP verifying that the information is truthful
thats a big oof im gonna have to find some contact who has CISSP
Once you receive notification informing you that you have successfully passed the exam, you can start the Online Endorsement Application.
You'll want to read this link. (ISC)2 will act as an endorser for you if you do not know a CISSP. But, they will want to confirm, to the best of their ability, that your experience and standing within the information security space are accurate.
Mind hitting me up with those? Wanna do some learning prior to purchasing the course. I've got a router ready.
ill dig them out for you later today
Thank you, much appreciated
Would you mind sending those my way as well @languid hearth ?
Btw good luck @forest knoll, I've got 40-something days left in the labs myself
Yes
Good luck to u too
Are there cyber sec/ pentesting jobs in the states that don't require clearance? It seems that almost every job has a clearance requirement.
plenty
yes, most jobs won't require a clearance
but many will want a US citizen
thats kind of how many security jobs are though
wonder if i can find a job in the summer
as intern or full time?
and I'd start applying now, I know many companies in the US cut off their intern hiring for summer in November/December
Just keep applying, look up college recruiting websites of companies, the big ones will have them, network on LinkedIn and twitter
@agile tinsel interns are there to learn don't sweat it. I did a cisco internship and got let go mid way through, I still got a job as a network engineer like a month later.
mostly going to try to learn a lot on the rooms
@polar rock @pseudo creek That is awesome to hear. Thanks
dudes im so confused.......
My end goal is to be a Penetster....but i have no clear path. I'm literally so confused on what im even doing. Last month i was doing some rooms on THM, then i started studying for some certs and now im studying xss so it'll help me find a bug in bug bounties.. Honestly, im not sure if what im doing is gonna get me to where i want to be. It's all over the place and its really demotivating...
@urban crow from what I read ur bouncing from one area to another, and its prob feeling overwhelming because ur taking in so much knowledge from different topic areas which is making it demotivating
Yea, spot on. Since there is no "clear path"...im kind of stuck on where to start. I've begun different things and leave them to start another...really overwhelming
Let me ask u a question
What motivates u currently, what is something u 100 percent can put ur time into without jumping around
Doing recon on machines provided by THM and HTB....ig
and nothing motivates me, I have no passion in life. Hopefully persistence in this field will help spark that feeling.
Okay recon, thats not bad at all. Recon and info gathering is very important in any pentesting phase. However thm rooms are spread out in topics which then put u back to square one cus u could be doing web app and then windows
If anything I would learn recon and info gathering (active and passive) in web app
web app pentesting and bug bounties hmmmmmmm
sounds legit
but then imma need to learn javascript
which then puts me back at square one again
Okay so u see u are creating fundamentals doe
Now u see okay, before i can dive into web app
What do i need to actually create meaning and impact in web app
So why not do the JS thm room, do a mini project afterwards
but shouldnt i be learning python instead of JS??
Python should be ur main like programming/scripting language. And honestly, u really only need to learn for now how to read JS
Once u learn one language or OOP well, its easier to read other languages
hmmmmm youre right, good insight
Like i said u dont need to go all out dev style, just understand the fundamentals and train ur eye when reading code, thats all
soo take a couple weeks learning how to read javascript.....then go in depth on the OWASP top 10 vulnerabilities.........then grasp how to use burpsuite to a good extent.....then try some bug bounties/ web app pentesting?? IDK
POG, that sounds doable
Okay thats good but for the OWASP top 10, pick 2 or even one only for now
ive been studying xss for like 4 days now
Perfect
but that takes JS knowledge to some extent
so it doesnt matter if i know how xss works if i cant come up with a script to run
Ehh u dont always need a script to run, its more so just reading javascript and understanding its functionality
And another thing too, dont rush urself
Learn to understand
yea my head is all over the place
Trust ive been there and tons others
U just need to map out a plan or a goal
Js -> XSS and than practicing and learning from others etc. and than the rest is up to u from there
If u want to learn burp afterwards, learn burp. Spend ur time on that
this spawned another question....how do i know what script to run.....how do i know .....nvm lmao
ill search them up
THANKS for the help mate
All these ideas just spin up
YES
Thats good doe, ur developing structure little by little
Not fast enough doeeee
what are u studying
Me, im doing the thm cyber defense path and studying for the CySA+ cus why not
And sadly university starts back in like 5 days, o lovely
Oh mannn, good luck!!!
Blue teaming??
Yurr
POGGGG
But never leave behind offense, try to do offensive ctfs thatll teach me a thing or two thatll benefit on the blue side of things
But yea POGGG
LETS GOOO, well good luck man. Thanks again for the advice!! Really appreciated!
No prob dude. Glad I can help a fellow thmer. Good luck to u as well!
Blue teaming sounds interesting
What do you guys think about the Network+ cert for cybersec jobs ? Worth it or not?
Any indian here who has a lot experience in this field pls reply I have a lot queries related to career in india
It's good material regardless of whether you choose to get the cert or not. Networking concepts are a core building block of cybersecurity. Most interviews will be asking about common ports and encryption concepts.
Most people go for CCNA or recommend it over net+ but any foundational networking cert is good
i'd only recommend net+ over ccna if you take cbtnuggets net+ course
not over but, if you don't wanna deal with cisco stuff
CCNA is a more robust cert, net+ is a lot lighter lift to understand and pass
im taking a net+ course in like 2 weeks thru my school via TestOut LabSim, I really like their training and its pretty affordable so I'll let y'all know how it is
I heard the new CCNA test format is horrible? I think you can still take the old one until like July or something
I wouldn't know, i'm going to attempt it in February
CCNA isn't really known for their exam, they're known for their course material
uh pretty sure the old one is over?
i did mine on like the last week it was available
which was february
maybe they extended it due to covid doe
Did you find the time to look for your OSWE notes? @languid hearth 
is this a white hat hacker group or black hat
White
why?
Nice try FBI
Honestly, It'd be cool to have someone from FBI, especially from a forensics department. That being said, they probably couldnt share much
they are pretty tight lipped
I know that I wasn't allowed to talk about specific cases, but I could talk about the job and stuff when I was in forensics
yeah but FBI is different, I don't think they can talk about anything
I talked to a recruiter once, it was amusing
Having a ||redacted|| conversation ||with the|| FBI about these ||secret topics|| with agent ||Smith||.
"What do you do?"
"Forensic things.. technical things.."
CCNA test format doesn't let you go back and fix an answer. Net+ lets you flag questions and go back to earlier questions if you remember the answer later. CCNA is harder, but also generally more respected. As far as what to take - both exams would suggest to a possible future employer that you know basic networking.
Got caught out with this first time I took my ICND1, nightmare
Hey
Hey
U
thank you for your time
sure kind of
Dm me your link?
Any tips on getting into info sec as an analyst?
What would I really have to focus on?
I have a lot of knowledge around ISO controls, SOC even performed internal audits and implemented controls.
I've performed risk analysis and vendor gap analysis and mitigation strategies
I'm looking to understand things more technically now
What kind of positions could be had with minimal formal IT experience while I study more to move up?
help desk, soc analyst, variety of intern positions, junior sysadmin
i was in the same boat until a couple months ago, got a job as tier 2 support, moved up to tier 3 rather quickly and took on
grunt sysadmin work
Help desk including some customer support positions.
Not just the "have you tried turning it off and on again" variety.
It may be an easier route to join an MSP who offers security services. You will learn a lot but unlikely to get paid a lot.
This is a good general guide. https://github.com/ED-209-MK7/5pillars/blob/master/5-Pillars.md
Hello, I am planning a career switch into cyber security from the management jobs. I am a bachelor of technology in Computer Science and I will be starting M.Sc. in Computer Science from April in Germany.
It's been quite sometime since I was in touch with the fundamentals of CS such as Digital Logic, Architecture and Organisation, Operating Systems and Networks. I do remember the general concepts, but need to go through them again to be good.
Can someone please guide me on whether I should get into learning these, and if yes, then to what extent? I am aiming for a career in Cyber Security, specifically in pentesting.
Im in forensics but not FBI, just a small fry from APAC region
Yaaay!
Was commenting on cmnatic's AMA reddit post about our small possible collab and dropped him an email but he has not gotten back to me.
Honestly, I'm going to point you to the guide I posted above your question https://github.com/ED-209-MK7/5pillars/blob/master/5-Pillars.md
Overall, understanding operating systems and networking is pretty important but cybersecurity is definitely an applied field of study so knowing how to use Linux/Windows/Mac are good but you don't need to know all the details of an OS for that. Some of the architecture pieces may help with that as well. So basically, theory can help some and really depends on the area of cyber security you are going into.
Have gone through it already, and helped to a great deal. Thanks for that.
So how about learning information encoding, entropy etc. Would they be of any help if I want to get into pentesting
Also knowing computers to the level of registers and how information is processed, communicated and parsed, Is it worth knowing as a beginner or am I just wasting time?
information encoding... like hashing? Entropy, you really won't get into it initially, maybe later on. If you are interested in malware analysis/reverse engineering, knowing the architecture pieces, registers and what not will be useful but not so much for pen testing
Yes for BoF and reverse engineering
Knowing the registers and how data is stored in memory
Honestly, THM will give you a taste of the various aspects, the modules on hacktivities are a really good taste of the various aspects of pen testing https://tryhackme.com/hacktivities
So I should start with OS and Networking fundamentals to start with then?
those would be helpful, web application would also be helpful
great
Guys @pseudo creek @quick forum , you have been really helpful. Thank you so much for the guidance
good luck
One thing that I personally dislike is the glamorization of certain certification issuers. Monopoly at its finest
Why?
Because nothing smaller is recognized, despite having equal amount of skill that is being taught
but the 'glamorization' is another way of saying 'Trusted provider', really.
For instance, rangeforce, a beginner company with a cloud based real time training on real time blue team issues | 0 f*** given by the industry
The recognition takes time
That recognition is a money cow
True. But all you need is a syllabus from a big provider, Jam together a bunch of videos with a test at the end and BOOM, you have a 'Cert'. But you could be anyone
And yes - If you've put the effort in to get the cert industry recognised, then of COURSE you're gonna charge more. That's just business.
I generally do not even look at tests or certifications with multiple choice tests
That is just a waste of time
Whys that?
It shows one thing, you can memorize
If everyone gives recognition to smaller vendors then that defeats the point of the cert
Unless the tests are based on reasoning.
You can compare that to generalized testing in schools
Like an MCAT
nah there are plenty of tests that have multiple choice tests that are worth it... the AWS certs for instance
like they provide answers that are similar but sound right so you really have to know your stuff to pass
Multiple choice can also very well be luck when answering
and we can quibble about CISSP which I have my own issues with but how else are you going to pass a theory test without multiple choices
not really
Take 10 people with 0 knowledge and a few will get it right
good luck with that
Maybe.
I highly doubt that logic
But it's unlikley
and they also have multiple choice, possibly multiple answer
Theory of deduction
if you have 0 knowledge, what you going to deduce
but you have zero clue of direction because you have zero knowledge
Which exams have 4-5 MCQs?
well depends, if you have 4-5 answers, but you have to choose (1 or more), you could have 10 or 20 possibly answers
Thats a different mp question
most certs have those questions on them
To choose 2 or 3 that belongs to x y z
I haven't taken a multiple choice cert which hasn't had (choose 1 or more) on it
Honestly - Have a look at GAMSAT or MCAT questions. They are MCQs but based on reason and logic. they are a lot harder than you think
Not the entire test, is my point. Im not arguing or persuading to change your opinion, merely saying my opinion.
@olive orbit ive studied for mcat
but lets say you have 60 questions you have to pass... say you have 5 possible answers, you need at least 75% to pass... thats a lot of guessing of answers that all seem plausible
Apologies LSAT
here is also the thing, you get a test like OSCP... how many people pass (or even need to pass) a test like OSCP? Its a small percentage
you look at CCNA, AWS, Azure, some other certs... your test takers are in the millions
I totally support OSCP
and honestly, as someone who has done AWS (for example), I can tell you that it is 100% easier how to figure out how to do something if you are physically doing it with the console/system vs taking a test
But in a job, you will be doing it not answering mp choice questions
Exams and tests rarely reflect what you'd actually be doing in real life.
but in a job, you may be in a meeting and have to speak about a subject without saying 'wait, let me google, look at the console'
Maybe the industry needs to get away from standardized testing environments just like our education system
Nah
'Standardized' within a niche industry is a good thing. Means everyone is a certain minimal level
but honestly, certs are just a simple way to say 'this person has base knowledge of x', the reason we started going more towards that is because the potential work pool has increased
like when we have job listings, we get 60+ applicants, how do we narrow it down to 5-6 to interview
some of them will have very similar experiences
But yet, industry claims to not have enough applicants
no, its an industry that claims not to have enough qualified people, not enough applicants
enough Qualified applicants.
On paper or in general
People who have demonstrated a minimal level of knowledge through standardised testing
If you don't give someone the time of day because they can't get past your HR filter then it's your fault
I see this dilemma on linkedin quite too often.
and honestly, going towards certs may lessen the requirement to have a degree because I'll say my company weighs a degree more heavily than certs
It's something that 'Iamverysmart' moans about 'I'm too smart for school so I didn't try, although I'm smart no-one will give the time of day' - Seems to be a smarter move to bite-the-bullet and participate in the system to get your foot in the door
Many hiring managers are saying to get away from filters but yet they do not...
and that is really it although I understand, I'm a very, very good test taker
but other people are not
Some folks are good test takers and some are not
but again, hiring managers see the effort and know not everyone is a good test taker
like we will have a concern if someone has 20 certs... like what are you doing?
if someone has 2-3 select certs, that is more attractive than 20 certs
did you just up arrow yourself?
Cert stacking?
obvs will depend on the certs
But if they're similar then
yeah I'm talking about different certs
What exactly is cert stacking?
They have to though. Maybe you are an awesome hacker, but you have no certs or profile/presence in the community. You apply for the same job as 100 other people, but 10 of them have OSCP and 10 have CEH. As a hiring manager who has a finite amount of time to fill a role, why on earth would you 'give the time of day' to the other 80 when you already have people who've proven that they are more likely to be suited to the role
I think cert stacking (or I've seen) is something CompTia does
Getting a bunch of certs that overlap, so instead of doing the certs for the knowledge you're getting it for another set of letters on your CV
Ahhhhhhhh I see
So like OSCP, CEH practical, eCPPT, in a short span usually
I was tempted to do eCPPT tbf
I have neither
I heard that it's not as hard, but covers more material
The point is a bunch of similar certs at the same level that cover mostly the same content
From my limited Indeed job searching OSCP comes up a lot more than eCPPT
Like Man In The Middle attacks or ARP Spoofing
Elearn is not as recognized
You'll learn more on eCPPT, but find more jobs with OSCP
Brings back to earlier discussion
It shouldnt be that way...
But it is.
And OSCP have worked really hard to ensure their cert is known as a good 'un
I understand your disdain towards certs and educational PR filtering. I was once like it, it's EXTREMELY hard to get a specialised job without them. I needed to get my head down and just do them.
Maybe eLearn will grow bigger, but for now it's really fresh and not many hiring managers recognize it
Brand name doesn't come out of nowhere though
Its not the issuers fault really. Its up to the hiring managers to maybe do some research on their own...idk
There are other ways into the industry, that don't need certs to start with. You'll just start higher up the ladder if you invest in the certs (and yourself) beforehand
INE and eLearn are not brand new
Compared to OffSec they are
Both sides offer practical tests
They have a really good strategy to pierce into the market that's controlled by OffSec currently, so it's only a matter of time until eLearn and their certs will get more recognised
Hiring managers at an infosec or pentesting companies - Sure. They'd know. But if a non-tech company is looking for a security manager - They're gonna go with what they know, do enough research to know what a good security manager should have and roll with it. They don't have time to go on Offsec, Elearn, INE and other places like, then check your rank on THM and HTB....It's not really in their wheelhouse. Easiest and most efficient option - See what Good Certs are out there, then advertise that as a requirement. done.
All Im saying is this, in a way, is a total monopoly.
The whole world is a monopoly and we can't really fight with that
Sure we can.
Of course. Most things are. You just have to decide what level of participation you are willing to do in order to progress in the way you want to
It all starts by not "biting the bullet or simply giving in"
Spending £100-400-900 on a cert and learning to get yourself a job that averages £45k a year is an investment.
Im not saying it is not
It shows willing and self learning. Both skills required in the role
It is simply not realistic for everyone
No, but nor is law school. But if u want it u can do it
Thats a very generalised statement
Heck, in my area, barely anyone hiring for entry levels.
what area?
So change your area.
I saw 1 soc job and I didnt get it....in past 6 months
Find one that will hire people at entry level with 0 certs or verifiable experience
Waiittt ur in the US?
So Move to another state.
Yes
the closest IT job to me is 26 miles away, which is where i worked before, commuting everyday. after i got made redundant due to covid, i got a job in london so i am moving there now, so if you want something you have to compromise
Thats not as easy as it sounds@olive orbit
Thats the land of the free and golden opportunities
Family, partners career, house etc.
"Here's a problem, but I'm not willing to do anything about it"
You can spend a year working out your affairs so that you can go to where the work is. If you are cemented to where you are, and the industry isnt there, then I'm afraid you need to look for another industry.
Start up your own infosec company. Start freelancing.
This was a mere discussion not a rant about another
Offer services to random companies
Im totally fine with what Im doing and do this for fun, with potentially doing it as a job
Excellent
back to your original statement though, i think in about 5 years, elearnsecurity might have the same recognition as offsec
if they continue what they're doing
Check out your local BSides group. Connect with them. It will open doors when you get noticed, as it is a pathway to the local companies who sponsor their events.
because the first oscp was back in 2006, elearn was only founded in 2014
You can look at it as a one-sided coin, but you are simply projecting your personal situation. In the bigger picture, the industry is what it is, and has developed and evolved that way
unfortunately the way it's progressed isn't ideal for your personal situation.
If you're not willing to do it, somebody else is. Somebody else with a bigger passion and love for the job.
In no shape or form i projected this out of my personal situation
It was a discussion, is all.
You said there was 1 infosec job in the last 6 months in your state and that there are loads of infosec jobs in nearby states.
So in your state, they can be waaaaay more selective and this is where you are. in the other states, the applicant will hold a few more cards
email the hiring manager for the soc role again, see if they have any other vacancies they might consider you for
I already have ;)
As per usual, you going out of your way yields no response
But that is not just this field, any field
Then as mentioned earlier best get your head down and earn your stripes with certs etc.
Ive been holding off on applying anywhere really. Not until I get a few certs to bridge the salary gap. Im not willing to accept a job that pays me McDonalds wages
What do you do now, are you in IT?
Law enforcement
Thank you for your service. Does your work offer any technical division that relates to cyber security?
We have a big CSI department, but honestly If Im going to do a switch , it will be away from Law enforcement industry
A lot of cyber crimes gets piped to the feds
Automatically
Is there not a way you can get 'cross-trained' using the CSI department and resources?
Because it is non-state situations.
@olive orbit Doing crime scene sure, that does not quite relate to this
I have yet to see an IT job posting. Quite certain its 3rd party
Only one way to find out
Since you're in law enforcement, I would recommend starting on a Blue Team role. Use that as a pivot point to get into offensive security down the line. There are about 3x more Blue jobs than Red ones.
I know here (UK) many forces have their own Hi-Tech crime units, but they still outsource to third party companies, like one that I worked for
Honestly, blue teaming interests me more as a career
Red team for fun :)
Feds have cybersec, but jeez, super competitive
It's competitive for the regular special agent role.
I already tried once, made it half way
Not sure how UK job industry is but US loves to have people do multiple roles to save money
Anywho, enough of discussion, too open ended
Look into DHS CTMS. I think they launched a new cyber security recruiting platform recently.
Read about that, its great in theory. Waiting to see if it actually gets implemented and followed
Like someone here said, gotta walk the walk and not just talk the talk
I have no doubt many entities want to change, evolve but it comes down to budget and overall support of the upper-upper management
Read the book by Evan Francen, titled Unsecurity: Information security is failing. Breaches are epidemic. How can we fix this broken industry? It's a long way to where we want to be as an industry. @gleaming basin
I will look into that for sure. Will add that to 'books to read' section. Thank you
Looking forward to graduating from MHCC with a cyber sec/networking degree in march. I have done a total career change, getting my resume revamped professionally. Any tips on where to start looking and or applying?
anywhere and everywhere
Network with alumni from your school and program. Many colleges and universities have programs to assist with placement, post graduation. Start contacting recruiters.
yes generally companies are hiring new grads in the fall for summer start, so I'd definitely start applying now, get your Linkedin profile up to date, put expected graduation date. Look for any entry level IT/Security position, this usually means SOC analyst, IT help desk, junior network admin type positions
Sorry! I have been super super inundated to say the least. I will get back to you ASAP -- I am excited (:
I appreciate that ain't fair on you...trying to work through the backlog as I can (:
Understood and no worries on that. No rush on it too :)
Hi, I have a question about elearnsecurity's eCTHP course. I have completed my eJPT and am currently pursuing my OSCP. I thought of completing the eCTHP before my next OSCP Attempt.
If anyone has taken the course and completed it or if they know someone who has and can connect me towards them, I would very much appreciate it. Thank you. My questions are regarding the Exam and the reporting templates, objectives of the exam. I am not able to find much information about these on the internet.
Cryllic can help, but OSCP and eTHP cover completely opposite stuff. One covers topics offensively and obv eTHP covers blue team topics
why would you take eCTHP before your next OSCP attempt? I am currently taking the course and preparing to sit my exam soon
I have 2 months before I can take my next OSCP attempt. I am actually a SOC analyst and I want to get into Blue Teaming and Cloud Security. The reason why I am taking OSCP is because that is what the HR and Management want me to have in order for them to take me seriously. I have already completed my Security+, eJPT and AZ-900.
Are there any rooms specifically to assist with ecppt? I already know about gatekeeper
I have security+ network+ and ejpt are there any networking or cyber security jobs I would qualify for? I also have general IT experience
yes you could easily get a job as a security analyst or network engineer with those certs
could you tell me which certification is good for beginners in cyber security ?
https://twitter.com/rana__khalil/status/1343759138837434368
@spiral yacht
This thread could be helpful to you
1/ I'm getting a new wave of messages asking me how to approach the OSCP if you're a complete beginner. My advice is not to enrol in the OSCP labs right away. Instead, I would recommend completing the following items in this order to get a solid foundation first:
@zealous frost thanks
How?
Thanks for sharing this. Would love to see THM version of this. There are a lot of guides on how to prepare for OSCP using HTB, but very few (read none) when using THM.
Quite easy - apply for every job you see. Everything depends on how you are as a person of course. Many times job seekers doesn't fill requirements for the job, but get hired anyway. If you are a great colleague, helping person and most importantly a driven person you will be attractive for most employers.
Absolutely right.
Also, depending on where you are located there are different types of tests you need to pass to get hired. A lot of companies use Matrigma tests (IQ) in combination with technical and personality tests.
9 of 10 interviews I attended to here in Sweden included IQ tests,followed by technical tests. You may face questions such as "describe 3-way handshake", "which protocol is used by DNS" and so on.
I can send you over all questions I got during my interviews, it might help, even if they may differ from what you may get
Yes please send me
I DM you
Never heard of Matrigma tests before - is it mainly a Swedish thing or used more broadly?
Used almost everywhere here in Sweden (of course, depending on your resume and where you worked previously). Cannot tell if it is used in the rest of Europe tho.
I get a few hits in .fi, but not a lot.
Never went to an interview where I was not subjected to Matrigma test, which is kinda sad tho. Seen a lot of skilled people fail those.
@jovial ibex Not appropriate. Keep it PG13.
nice
-mute @jovial ibex
Muted Moses#3960 for 1 day
You have to be above a score of 5 to get the chance for further interviews here in Sweden. It's broadly known that if you are below 5, then you have some type of mental illness or are incapable of handling the job.
I don't think big tech companies use that kind of tests, but they have their own peculiarities.
Yes, that's true. What I know is they use more real work-like scenarios.
God no!
Nowadays whiteboard is naturally a shared doc or coderpad or what else.
But isn't it more related to problem-solving? You have to talk loud and describe how you think about different pieces of the problem, no? I'm not coder myself, so no idea what those tests are about.
That, as well as algorithms and data structures or system design bundled in the same session
Must be quite exhausting I guess
They might have five or six 45-minute sessions on one day for a candidate. It can be exhausting.
But they have the $$$ to spend on recruiting π smaller companies tend to have lighter processes.
I was once faced with "Please describe how Kerberos works, in detail". It took almost 15 minutes and I felt like I have been working out on cardio for 2 hours straight.
True that
Ooh, Kerberos. Did you go down to ASN.1 level?
Nope. I was told to describe it to "a child". You know, with hands, pens, papers and my cup of water
It was horrible
They needed to see that I understand the subject. The overview worked fine, but I was shot down on hashing part
I'm not sure I would consider details on how hashing is used in a certain protocol a relevant detail to memorize.
Unless the position is mainly about that protocol.
Job I was trying to get was a Pentester
Pentester at Sentor (Google it). They put quite a pressure on each candidate
But I learned a lot from that interview. Which helped me get my close-to-dream job one year later. So, there are some sad parts and good parts of that session
Oh, they have an office in .fi as well
Yes, there are operating in all Nordic countries and have plans to expand further
Very skilled guys and girls. I'm working close to them, but from a manager/responsible side
for those who have got the CPSA qualification what else did you study apart from the O'Reilly book?
Kerberos would be a fairly easy one to explain ngl
It is, but not to a child
You're supposed to know it so you could in theory describe it to a child
Meaning that you understand it really well
You could easily describe kerberos to a child
Its basically just sending tickets like movie tickets and signing them
Yes, I could, and I did. But it is a very usual thing to do. Well, in the end it taught me a lot
Exactly this!
It makes understanding the concept much easier
I don't even know much about kerberos but I'd probably say something, you ask for ticket, you get ticket, someone else wants to see your ticket, so you show them and they let you do 'stuff'
'stuff'
although I really don't know because I think at some point, you show someone your ticket and then they give you a different ticket that lets you do stuff
yeah stuff, authorization for 'stuff'
You're leaving the auth server out of the equation
well isn't that the thing that gives you the ticket that allows you to do 'stuff'... but again, my knowledge of kerberos is pretty limited, like read a paragraph about it a few years ago
authentication server authenticates you, and gives you a ticket granting ticket, ticket granting server gives the ticket to do stuff.
that is where you are asking for a ticket
oh see I confused my #1 and # 2
in #1, I skipped the step where they give you a ticket where you can get other ticket that let you do stuff
but yeah π
And yes, it's confusing.
although kerberos has been around for a long time, doesn't seem much different than modern SSO schemes, maybe somewhat but seems like same idea
How common is a remote cyber security career and how hard is it to get one ?
At the moment, more common than usual
theyre beginning to become more common. They can be kind of hard to get due to the demand for them
In the future, who knows really. The pandemic has shown a lot more work can be done from home in many industries
my job kind of just evolved into a remote career but the company I work for is very friendly towards remote work
same
I moved into remote work years ago. But itβs more of swe in security than a security role.
Depends, I should say. If you are working as a SOC/NOC analyst (or anything that requires physical presence), it might be hard. But working with incident management, vulnerability scanning, pentesting, consultation and such can be done from home. A lot of people are forced to work from home (me included) so I would guess that it might be the norm in the future, i.e. working from home.
Pretty much same across many companies, which is a good thing
security engineering, architecting, etc too, I mean my company has a ton of roles that work from home even some that support a SOC
@warm hinge okay... I've been a software developer for the past 6+ years and started working towards getting into Cyber security... I started out with TryHackMe and then also A LOT of research on my own... Any pathway advice you could give me ? Also, when will you suggest I could start searching for a job in the field ? What Qualifications would I need ? Do companies generally pay for you to get them ?
You usually need certs to start in many positions
Companies probably won't pay for certs before they employ you...
Damn, that's interesting. None of our customers allow access to their data (logs) from unidentified hosts. Basically, you need to check in at work so that everyone can see that you are really the person who logs in to Splunk, QRadar and so on.
I do have a NQF7 Bach Degree in Software Engineering... should count for something @quick forum
Ok, but at least here in the UK you usually need a cert and a degree
that is what 2FA is for, you have to VPN in with 2FA and then to access certain systems you need 2FA
Degree can be swapped for experience. The cert cannot.
A manager I talked to pointed me down the CompTIA route, but bearing in mind I also don't have any IT experience. It was suggested to start in Service Desk and "move across" once I got experience.
I would recommend looking into code review, penetration testing, SOC/NOC or just plain security consultant roles. To get there (plain security consulting), you often need just a basic understanding of security concepts.
True man, I know a bunch of tech guys who are amazing at what they do with no qualifications
?
I personally do not recommend CEH, CompTIA or any of those courses in Udemy
I'm guessing replying to something else...
there are a few good Udemy courses but Udemy courses aren't certs
I do not agree. 2FA, especially phone based ones can be spoofed. Your computer can be stolen during robbery. Your crazy gf or bf can "prank" you. Just because 2FA is there it doesn't mean that you are protected from every threat.
I'm not saying phone based
why don't you rec CompTIA?
There's no measure that protects you from every threat
The whole infosec field is about mitigating risks. Reducing them to acceptable levels.
I'm saying you log into VPN, using a password/token, and then certain systems may require you again to login via password/token
But everything depends on who are the customers. Pretty sure that if you monitor "Johns fastfood", then yeah, you can probably use VPN and 2FA and access logs from home. But banks and every other serious institution will not allow any work from home.
so sure if you write down your token password, have your token easily accessible, have the computer password written down, then someone gets on your system and peruses to various websites, sure they could view thing...
"every other serious institution" are you sure?
i work from home and we have some pretty saucy clients
I work for a 'serious institution'
I think that's massive hyperbole, and banks are banks. Banks are known for being stuck in the past.
That's definitely not true. I know of a couple financial institutions who are 90%+ WFH
yeah I've heard banks don't have the best security
but I can say I work for a company that is known as a leader in cybersecurity
i wanna work for my bank in the future
Banks seem to be moving to the cloud in increasing numbers.
i already work for them. Gib credentials and i can prove it to you
Banks in SA work on Cobol (super old) and most of our ATMs run on Windows XP which is not even supported anymore ... how crazy is that?
@somber bramble i wanna work for you
thats not surprising
would you mind elaborating on not rec CompTIA?
for or with?
you should see what some gov stuff runs on
i dont have a company 
so much cobol...
It's not really WinXP - it's a special embedded version. Medical field devices run on a similar cut down version
Well, I'm not trying to prove anything to you, so no need to prove something for me either. We are working with gov institutions (including HC & LE) and I have never, ever, heard of anyone being allowed to work from home. It more a coffee-break joke, "dude, wouldn't it be fun to just go home, turn on my home PC and continue the work?"
so much XP...
I personally think hospitals are by far the most insecure places. At least where I live... They run on 95 & 98...
you know that certain US gov institutions are piloting working from home for work on classified programs?
I've seen vendors working for govt orgs that don't allow any of the dev hw to leave their special security premises.
Personal opinion, basically never seen it being used to get a job before. Once again, personal opinion.
uh thats really weird
I'm talking purely about unclassified work, which is my area of focus, but I about fell off my chair when they started testing working from home for those that work on classified programs
I see a comptia cert listed on 90% of IT job postings
In the US, Comptia is used a lot for people who support classified programs, they tend to like comptia
Agree with that. That's as crazy as WFH in a SCIF
CompTIA Pentest+ now satisfies the same DoD requirement that CEH does
yeah like what...
like you can't take a pedometer in a SCIF... but sure let's VPN to a classified network
what's next? VPN to a supposedly disconnected network? dogs and cats living together?
This is why I wrote about personal opinion from someone living in a different country. Most valuable certs over here are OSCP, GPen, CISSP and a couple of others. They're often regarded as an extra benefit when looking for a job in the sec area. Some of McAfee certs are also good, because there are a lot of companies using their ePO, ATD and EDR solutions.
right thats fair, but you said you wouldn't recommend CompTIA in general, which may be misleading to someone new as they are generally well-regarded and almost universally recommended to people starting out in IT/Infosec
But back to the working from home as SOC/NOC analyst topic. It's cool that some are able to do that! I really like that. I just don't get how you can combine e.g. ISO 27001, which requires you to physically verify your identity, with working from home. When you enter a building, there are cameras, security staff and locked doors everywhere. You access your workplace by using your personal card and by your manager or fellow colleague recognizing you. There are some rules for what may be installed on work machines, how they may be used, for what purposes and so on.
and security is more than pentesting and although we do recommend CISSP for our junior security analysts, they usually have a few years experience first
we have to meet ISO 27001 as well as NIST 800-53 and our remote access meets both of those
Dude, I wrote "I personally do not recommend CEH, CompTIA or any of those courses in Udemy". This being a chat, there is some room for elaboration and discussing. "Well you know, I live here in SWE, never heard of it. But you live in US. Ok, that's cool! Maybe something else over there". You know, art of discussion.
It's good to include the geographical location in which you make a recommendation for or against getting a particular certification.
Well, I do not know what to say. I'm not accusing you of lying. Not for a second. I'm just fascinated how some manage to get this to work but others require you to leave your phone when entering a red zone.
Ok, that's fair! Let's be more clear about geographical location.
By the way, the reason behind not recommending CEH, once again, my own experience, was because it was outdated. My previous company purchased a CEH bundle (study materials + labs) to establish a baseline for all employees. Didn't go well because some things were outdated (e.g. tools used in assessments) and some others were lightly mentioned.
I remember the instructor talking more about tool X and Y but not why some attacks were possible.
oh CEH is a horrible cert but honestly, it can be a door opener for some
Purchased in 2018, from E-Council.
you just hold your nose, take it, get the job
I agree! For some, it's a universal key.
people have mentioned that CEH is highly regarded in India and it is also a cert listed on many job listings for those that do government contracts in the US
Interesting. Is it like "you should at least have CEH" or "If you have CEH, we are interested in you"?
I can't speak for India, but for US gov contract work (and James has mentioned that Pentest+ now meets the same requirement as CEH, it's just not as well known), it is you should have CEH or similar. CISSP would be similar. OSCP would not meet the requirement
GPen is also liked but if you are trying to break into the field, GPEN is a bit of a reach
Ok, I get it. So, in other words, just a baseline. You show that you are interested in learning some stuff and understand the basics.
or your contract has a contractual obligation to have X amount of people with a certain cert level and CEH meets that
You do not happen to be working on your OSCP cert?
not at the moment
there are quite a few here that are and quite a few OSCP holders
Ok, I'm asking because it has been a long time dream of mine to get OSCP. Yea, I saw a few threads about people preparing for OSCP and doing some boxes.
Maybe, one day soon I purchase it and go through it. Need to pop some boxes and get more comfortable with RE first though.
@warm hinge Pop onto the OffSec Website, and you can download a syllabus for the OSCP. That'll give you a rough guide of things to research and learn, which means you can start the labs with a running start
Thanks mate! Never really realized that there was a syllabus.
It's linked on https://www.offensive-security.com/pwk-oscp/ under 'Course details'
Will go through it in coming days to see what I have missed and forgot. Haven't been active for over 2 months now and feel like I may have forgotten some stuff already.
Always good to dust the cobwebs off. Also remember that the PWK are part of the learning as well
Once completed, can it be added to THM account? I see some people with OSCP badges
Haha, Nah, you just ask one of us and we add it. It's just a discord role
Lol, ok
yup that is definitely hectic
companies are starting to require more and more and want to give less pay. some bs
my company has been like that for quite a few years, about 15 years ago, they made everyone who is in security test for the CISSP
it was like a super spreader event but for CISSP
they hired a company to teach classes of 30/time, took over a year to get the thousands of tests done
Some years ago the company wanted for everyone working in (b2b) customer support have CEH.
Nothing for developers, though.
Re-read the whole convo. Good info
hey guys! im 24 and finally starting my pursuit in cyber... leaning toward the pentest side but getting my sec+ to get my foot in the door hopefully to learn more and see what i actually enjoy doing before pursuing a route. no degree but pursuing certs
Whether you're new to Kali or a seasoned security professional, the Kali Linux Revealed Book will turn you into a certified expert. Get training with us today!
or Packt book, "Learn Kali Linux 2019"
https://www.packtpub.com/free-ebook/learn-kali-linux-2019/9781789611809
Does anybody have an idea of the entry level salary for a Penetration Tester in the UK/London area?
It looks about £27-35k but i guess it depends where and who you're applying for
Does anyone here actively work as a security architect? I do a decent amount of architecture in my current sec role but looking to move into a security architect role, but it seems like an odd role, what is your day to day like, do you do nothing but strategy like an enterprise architect? Do you get down into the nitty gritty on most projects coming through dev and operations teams?
Would be really interested in talking to someone in that position
Thanks for the feedback Blackout, much appreciated
I saw some Security Architects in "Infosec Prep" Discord.
If you're looking to start or further your career in #InfoSec, consider joining the InfoSec Prep discord server: https://t.co/6fBxv9JIIR
I joined it back in 2018 when I was doing my OSCP. We now have 15k members and close ties with many certification orgs!
Thank You!
I'm a security architect
I'm a bit swamped the next few days so a detailed convo may be difficult. There are two aspects of my job, one of them is supporting security engineers, and another is supporting medium to large size programs. In supporting security engineers, I work with them to try to find what issues they are facing in their daily jobs and come up with reference architectures and help them with more difficult problems they encounter. With programs, often programs I work with can't be cookie cutter, so our established reference architectures don't fit. I may also work with network/IT architects but also could be handling that aspect myself. And what do we do? Well, basically look at the various security components, how does everything fit together.
A lot of it has to do with coming up with what are the basic needs/tools, coming up with initial design, refining it a bit, doing a threat model, refining it a bit more, start testing things out to make sure they work as expected, refine a bit more, etc, etc.
My life is visio/powerpoint and after everything is all said and done, to help create repeatable processes for the future, you create blueprints/reference architectures in case some aspect of what you use could be useful to someone else later.
And in terms of nitty gritty, it depends what you mean but you expect that dev, operations, support teams all know their jobs. So you may talk about authentication methods but assuming they know what they are doing on how to implement.
Anyone know of any good office 365 labs? I have an interview coming up and I wanna be proactive and learn more about 365 roles, policy and rules.
cloud guru has some good ones and I believe they have o365 as well? Also Microsoft has a ton of stuff for free and cheap as well
Well
Hello everyone
What skills must I have for getting an internship in cybersec
depends on what position specifically
Yeah i have a little knowledge about C language and python
Web security and network , linux
Because I've completed 12 rooms in tryhackme
which exam is beginner friendly and recommended taking it before any other exam...appreciate the help, thanks
@shut granite that's a little too vague. Networking, pentesting, security?
actually I'm bad at framing a sentence .....pentesting
No worries. So ofc u have to decide this one based on work experience, self experience and i guess self- projects or whatever knowledge u acquire
So i see ur level 9
mmm..Thanks, yes
Okay so, trust me a great starting point which will teach u A LOT would be the eJPT course material
as u say sir
Lol
where can i find the course material?
it's included with the INE starter pass, sign up here: https://checkout.ine.com/starter-pass
