#cyber-and-careers
Wait, do you not need to be cleared to search on there?
I know USAjobs doesn't require clearance
but I thought the other two did
As far as I am aware I don't think you do for clearancejobs. Cleared jobs you may. Clearance jobs has jobs that don't require clearances or allow you to get one within a designated time period
I thought clearance was required, too! Game changer.
I may be wrong so don't quote me. I was cleared when I signed up
I've checked it out very briefly and you can filter "public trust" or "confidential", which don't require more than a background check, but then I don't know if the job postings will say otherwise.
I'm going to a career fair end of the month that is partially sponsored by ClearanceJobs, so I guess I could just ask then too.
Yeah don't lie about anything. Public trust while easy to get is still a form of clearance
Is the only way to get a clearance through a job that requires one?
Yup
Not always the rule but generally
I was put up by my internship just because
I'm also a numpty because the FSO was like "what are we putting you up for? A insert level" . And I said "no, x said insert lower level". And he responded with "are you sure?" and I absolutely r/whoosh
I would consider an internship to be a job... Like my company likes people with clearances so they will sponsor people even if your specific job doesn't require it but you have to get it through an employer
You could also join the military. Often times you won't actually NEED a clearance, but you'll generally get one (even just a low level one), just in case.
Doh!
Oh, I see. I guess I'll be looking for jobs with orgs that offer that
I'm a little hesitant to join the military since a lot of the listings look like they'd want me to enlist
and I don't think I could do enough push ups to get through basic
definitely a potential option though
Yeah, it's definitely a bigger commitment, just throwing out that option :). It's one way of getting some "free" training and your foot in the door to some tightly controlled places/job networks
That's a good point
There are a lot of companies/jobs that can hire you for a job that requires a clearance, even if you don't have one. You can get an interim clearance while you wait for the full process to go through. Your access is a little bit limited at first, but it's a viable option
Oh huh
Are those the ones that ask if you're "eligible" for a clearance?
As opposed to ones that just list a clearance requirement?
Different companies/job postings probably word it differently, but yeah, that's probably what they are saying
Ah okay. I've seen some that ask for "active clearances", which sounds like they want someone who has a clearance right now. I'm not too clear on if I should be applying to listings that just show a clearance for the position.
you'd apply, interview, go through a basic background check, get hired, start working (either on an unclassified project, or a classified one with an interim clearance), and then wait a few years for the full background check
most jobs in the military will get Secret clearance
Cyber space operations officers get TS (bachelors degree job) and then the CWO which is enlisted cyber warfare operator get TS as well if I'm not mistaken
Worst case, you can apply and get rejected- worth a shot, but you could also irritate the recruiters potentially
a lot don't care if you meet what they need, they just want to filter people
You can do TS work with an interim clearance. Beyond that (SCI/etc.) requires completed clearance
I see
Should I be worried about irritating recruiters and getting blacklisted from the company as an applicant? I'm not sure if that's a thing companies do
I'm in the military and if you plan on working with the government, expect 0 to no job unless you get fully cleared, most if not all the work is done in SCIFs
It's also easier to get a clearance if your background check is easy. If you lived in smalltown, middle of nowhere your whole life, that's a lot easier to check than if you travelled all over asia/iran/etc.
nah, you should be fine, they would probably just toss you aside
Ooh okay
you can also do clearances by step
You can get into TS SCIFS with an interim.
secret clearance job, then look for a top secret clearance job
can you look through the information with the interim though? I haven't checked much on that tbh
Yep
interesting, I know there's some menial jobs people can do within a SCIF while waiting for their clearance to be done, wasn't sure if they could hear classified information though (haven't been in that long)
things may have changed, but that's the information I had
you can also just be escorted into the SCIF, but you can't really do anything within the SCIF
true- so with an interim, you do require an escort
but otherwise, you're treated as being cleared at the level your interim is
of course, I have no idea what would happen if the full check got denied
going back to the clearances by step, one of the easier ways to get higher clearances is by step, you get a secret clearance, go through all the paperwork and stuff for that and then find something (new job) for top secret and get upgraded, the next tier investigation they do isn't that much more once the secret is completed
I've actually heard the opposite
going TS instead of secret?
that a TS and above basically starts from zero, even if you already had a secret
I mean they look for more information, but I wouldn't say start from 0
I thought they had to re-check everything too, even if the secret was still active
you submit a whole new "package" which is essentially your old one, plus some new information, and they (to my understanding) verify all the new information
so having a secret didn't make it any faster/easier
every few years they conduct a new investigation regardless
yeah
I never said it was faster, just easier, it still takes a few months
or years
I think mine took around 6 months?
for TS?
yeah
I think you get secret just for being in
I know most do, not sure if all that's why I said most
wow. They must've cleared the backlog, then
it was required for my job so they bump you up
or maybe it was because it was a .mil clearance as opposed to a civvy company sponsoring it
Yee. I know some FA guys and they all had to go through clearance training as well as some infantry and MP bros
or maybe it was because it was a .mil clearance as opposed to a civvy company sponsoring it (for the quick turnaround)
Mil goes through a different process from my understanding
they probably have specific people that work the military ones
I went through ROTC as well so we had 1 person do all of our college ones
maybe. That I don't know. I'd always assumed it was the same investigators, but 🤷‍♂️
he would do around 20-30 a semester if I'm not mistaken for us
Yeah you can get a clearance a lot faster in the military. I think my boss at my internship said he got a top level TS in 3 days
TS has too many different sub designations 🤣
I'm excited I have 2 job interviews coming up, one tomorrow and one Monday
Why can't they just name it super duper secret
Eyy congrats and good luck
thanks, they are just to see if I can get a specific job within my career after tech school, they are interview locked jobs.
if not I get some pretty cool ones regardless
the only 'interview' I've heard of within the mil is SFAS.
special forces?
yeah
I got a friend that got picked up for a special forces squadron the other month
everything else is pretty much contracted
super exciting stuff, I got no idea what they do 🤣
a lot of exercise
some squadrons within the air force, more specific in technical jobs won't take anyone without an interview
to see if they are a good fit for you more than you for them
well, that seems like a reasonable idea. Hope it works out
thanks
When I was doing ROTC one of our alumni came back on block leave when he was in the pipe for PJ. Dude was absolutely tapped
wait PJ's can be in ROTC? I thought that was enlisted only
I know a couple that went through CRO and they came back different after the training
I've trained with PJ's. Tough SOBs
Worked a kid out so hard he pooed himself
they take the motto "so that others may live" very seriously
Anything in the special operations sphere is that way
I think he dropped ROTC and enlisted after graduation. Either that or he was in the CRO pipe
he was probably in the CRO or STO pipe
they don't look for people who are physically fit- they look for people who will never quit, no matter how bad it hurts
you can be the most physically fit but not mentally fit
Yeah i cant remember if he was enlisted or not. I know he graduated from the uni but not sure about the ROTC
can you go until your body breaks, then keep going or do you quit halfway through when your body breaks
hence the 'interview' part- acceptance AND selection. You can pass the quals, and still not get selected
Oh wait I remember now
I ruptured my achilles tendon and broke a foot and kept going
the Special operations group doesn't do regular type "interviews" though, they do training time type interviews where they go through specific trainings and have to pass them to continue at least from what I've seen
you were special operations?
He graduated from my SMC and then enlisted in. Someone in the Det knew him and asked him to come back and give a presentation to the Det
So yeah he was straight up PJ pipe
nice, those guys are crazy too, I've heard some wild stories
nearly all special operation stories are wild
I think there are sub 500 PJs right now
But yeah my school has some wild alumni. For instance, one of the main dudes in Blackhawk down or one of the dudes involved in Operation Red Wings
your school being a PJ school, or ?
No my school as in my Uni
that's crazy
and here I am just trying to survive the Cyber space operations pipeline 🤣
Its one of the SMCs so I got to play military dress-up for 4 years
ah, okay. But you said you went to a military academy, right?
yeah, that's not surprising then, tbh
if you went to a military academy having people that have been or done pretty much everything is pretty normal
I was ROTC but had things going on and did not know if officership was for me. Now I'm graduated and seeing if I can get a warrant slot in the Army and if not I'll probably just enlist FA or go over to the Marines
FA?
Field Artillery
😮
you 13 series?
I had doubts about officership the whole way through ROTC, I can't lie about it, however, it's been great so far and I don't regret the choices I made
you're an officer now, @tawdry frost ?
yeah
It would be 13 series but I'm not in and haven't signed anything yet
We should talk, then
you and moose or you and me?
There are so many MOS' lol
My primary objective is to get a WOFT slot
nice :). that always looked like fun
don't you have to be enlisted to apply for warrant?
Not WOFT
I'm not sure. I think you can get warrant straight off the street, but that might not be true anymore
I don't know much about them since the AF doesn't have them
WOFT is the Army's "street to seat program" though it's mainly directed at high schoolers
It's their pipe to get more aviators
There was a while they were taking people off the street into SF programs as well, but I think that might have been stopped. Not sure about the street to WOFT thing. It depends on their manpower quotas
Street to SF still alive and popular
h
Hello,
I'm currently working in network security infrastructure and I plan to move to the offsec field.
I plan to improve my skills doing some boxes but I don't have the mental energy after a day of work during the week to study offsec.
Any advice?
First of all, don't overcommit. Try to reserve some time for practice during the weekends. But do not overdo that either.
I personally find physical activity helpful. Go for a walk, run, bike ride or whatever. It's a good way to reset.
Take a 5 minute walk every hour if you work at a desk
If you have the option for a standing desk do that as well
Physical activity is a great way to wake yourself up. i keep a kettlebell and small medicine ball nearby just for that purpose
Also get enough sleep and make sure you are getting the appropriate nutrients in your diet
Most people's diets are incredibly imbalanced
I usually drink 1-2 gallons of water at my desk during the day, more if i'm taking hourly walking breaks
Yes water as well and maybe reduce caffeine intake if you are consuming any
Personally I can't recommend going over 1 gallon a day. If you would like to do that consult your doctor
This sounds like something that makes you have those walking breaks
It removes too many nutrients from the body and flushes the system. It can, in some cases, be doing more harm than good
Water poisoning for over drinking water
Ive mentioned posting a redacted copy of my resume for a while now so here it is for anyone interested
There is stuff missing from this but its just to give a general picture
Nice to meet you, First Last
I already leak enough PII on here lol
I always pictured you more as a Frank than a First. Hm.
i'd put your IDS/IPS and SIEM experience (specifically which ones too) under skills; e.g. Splunk and zeek/snort would be two big keyword identifiers for HR
also, you have experience with Active Directory, homelabbing, and campus wide networks so you should definitely have "Experience with TCP/IP stack, network configurations" somewhere in there too, otherwise pretty solid!
would definitely be enough to get you a decent job by me
i agree with this, put in some specific technologies you used
Yeah i currently have a job which is nice. I mainly just posted this for others but I will make those changes honestly. I like them
Format looks good, the light text looks a bit too light.
Skills - Drop Microsoft Office, spell out FTK, just put IDA and not IDA Freeware. Based on the rest of your resume, your skills section is too light, look at what you have done otherwise and move that to skills even if it is something you did in a homelab.
I'm gonna disagree with Droogy slightly, I would add networking, but I don't think TCP/IP should be on a resume.
Unless you have deep experience on it.
well true, like if you talk about generic networking stuff, wireshark, etc, I assume you have a base understanding of TCP/IP
I'd expect to see TCP/IP only if a candidate can start quoting from relevant RFCs
I've at times asked if I should get to PDU level when asked about networking with "tell in detail..."
I started getting selected more often once I put "Network administrator" up at the top in bold letters. Probably because whatever script the company has running on the resume picks out a bunch of key words first
Yeah like I said this is a redacted and edited old copy. It's missing some things completely but I think posting it here will give others a good reference point and also allow others to see how a critique is done
Once I go back on the market the skills section will probably be rebuilt and some other changes
on a cv, if i have for example, CCNA R&S and CCNP R&S, should i put both? or just CCNP R&S since CCNA R&S is implied
i know it's probably best to have both, but takes it onto two pages :/
I think it's fine just to have CCNP listed
i'd put them both. Companies do value all ur certs
Wondering if anyone has any info on this concept...and this isn't just US based as I am sure multiple nations have this...but is there an industry or company that provides like a security compliance rating for data that is not considered protected or if it is this could be supplementary that would provide more comprehensive auditing for companies to say they get a "A rating" on PCI-DSS+ or HIPAA+. I'm wondering from a consulting standpoint is there's a market for this
Essentially like the US Better Business Bureau where you could give more in depth auditing...as someone who works for a place with PCI-DSS and GLB, I'm often concerned with how light and not in depth the auditing is lol
With those two specifically, HIPAA and PCI, it's you're either compliant or you're not. If you're not you get levied huge fines against you
And both are taken seriously. PCI audits are pretty hardcore from my understanding
Maybe since I'm only being run through very specific items they seem to be more concerned about the "buzz words" of data governance and not the larger environment picture. Without disparaging my workplace too much we get asked about like patching compliance against specific threats or these one ticket items, but never about like possible lateral movements etc.
Some real threat intel would have to go into that but I guess I understand why it isn't...that's a ton of data to get from larger enterprises
My only experience is through the eyes of others though so I may be wrong
One person I knew was a CISO of a large hospital network and they were terrified of HIPAA audits and took their stuff seriously
Was wondering if it'd be worth offering up a supplemental service like I just added "+" to PCI to say you're compliant with these AND these noted supplemental items and give like a list of shit to check off
See, I deal with a lot of our threat stuff and patching and all that shit and we deal with PCI, GLB but I never feel concerned
They never press but yeah I've not dealt with HIPAA but even so...I know of a pharmacy here that doesn't use any VPN solution for their systems so it's all open on a network lmao
Yeah while I think the + designation would be good you have to be able to "sell it" to these orgs. Nothing will change without teeth and at that point why not update the requirements
Yeah, it would have to be bought into pretty heavily but my intention has been for awhile to do like small/medium local business auditing/pen testing and see if like a local council would pick it up as an accreditation
well I believe the Fed just proposed some sort of security rating based on risk
Interesting if true!
For me I see another layer of possible waste and ways for it to be exploited which is why I'm apprehensive
ah okay close, its actually a software security grade, not organizational grade
https://www.cyberscoop.com/biden-administration-cybersecurity-ratings-solarwinds-microsoft-update/
The White House is contemplating the use of cybersecurity ratings and standards for U.S. software, a move akin to how New York City grades restaurants on sanitation or Singapore labels internet of things devices, a senior administration official told reporters on Friday. "There will be ideas coming on both of those in an executive action in the ...
I have mixed feelings about it as the BBB is a joke and has a similar premise
Understandably so. It would definitely be hard to scale but was really a concept I was messing with
Agreed. It seems like it could just be "bought" essentially, and it could just be arbitrary too, if we don't know exactly what's measured and an improvement roadmap it's kind of pointless
Yeah security is already hard enough to sell to businesses as it costs a lot and doesn't have a return
It's like selling insurance lol. Which is disappointing to say but it's unfortunately true
Because it basically is insurance
good security will always be an organizational culture thing, need everyone to buy in
Appreciate the input, knew we'd have some good feedback here
then you end up with my situation, where im basically the only security-minded person in the entire org and have to "sell" certain controls and pretty much restricted to open-source/free solutions, which is still very doable but harder
Personally while I like having free and open source things, "you get what you pay for" is an incredibly real statement lol
It's not a good situation to be in @ancient prairie but it's the same in a lot of places.. I am in the same situation mostly lol
Idk if the Solarwinds shit just made more prevalent or more reported on but way more supply chain attacks have come across my feed too, speaking of open source
yeah luckily I don't get much pushback (except for setting up 2FA lol) and my bosses kinda let me run wild
It's because people are actually looking now lol
ideally I would like a MSP to set-up a SOC for off hours but thats a tough sell
The SolarWinds attack was kind of an eye opener and people started to look at their own stuff
We are setting up a SOC now...gotta say it fucking sucks when your company is cheap as fuck and wants fresh college CS grads to handle security response lmao
I mean as long as you have some higher level talent as well to guide them is that an issue?
I've never been in a SOC so idk
It's the same issue for us, too much work not enough resources
yeah thats another thing, I have a bootleg ass "SOC" that I manage and set-up myself but I would love to have a senior person to shadow and learn from obviously
I literally work in a hole lol
We underwent an internal audit for all our work and functionality and the auditor said we needed 50% more bodies to meet expectations lol
CEO: "50% more bodies? Okay we'll just make the people we have work 50% harder instead"
Yep....but my team is like a Sys Admin/Security ops team so we are stretched but it is what it is...they're so hard in for automation so we can do other shit. Our org is fucking weird as hell lol
It's upsetting how fucking true this is lmao
I feel like I have it good over in the Goob sector lol
well cheers to the many hats club, I don't hate it entirely atm just bc im getting exposed to and experience with a lot of things
I clock in at 9 and leave at 5
Makes your resume look good as hell
same, thankfully im never on call or have irregular hours - i need that divide in my life between personal vs. professional
I am on the worst schedule, in the fact that it's random dealing with global stuff...but I get to travel(non pandemic) so it's a good tradeoff
For now at least lol
ah okay gotcha, yeah we're global too but thankfully i just manage the US stuff, more specifically our HQ
I'm global as well
just a little different work than y'all
You just gotta learn to fuck off...my boss is Australian and they are way more lax than in the US
Global presence whether people want it or not 
Pretty much just meet deliverables, respond as needed and you can do whatever lol. I may or may not take naps in the middle of the day where possible 
Yeah the server closet i work in is a little loud for that
Some dev group decided to spin up the loudest servers/switches known to man last week
And didn't adjust the air system to compensate so it got incredibly hot with a few of us in there
I remember seeing our Ops sitting area for our data center on the east coast. They had the best chairs, huge TVs for server monitoring in real time and for watching other shit
I was envious
Yeah i have a folding table
In our first data center where I started was pretty much what you describe...had a crash cart and a folding chair and a permanent workstation at a table
The good ole days lol
I just got to install a new pressure and biometric based mantrap at our new DC though, that thing is badass lol
That's cool
Oh that reminds me of one man trap Ive been through. It's at the Reichstag and it is probably the coolest thing
At first glance you don't even realize it's a man trap until you're in it
Not gonna lie a mantrap at the reichstag sounds pretty fucking metal and I'd love to check it out
Maybe they'll let me test their physical security there 
Yeah ive been inside the Reichstag twice and each time I got to see something new
Wow thanks autocorrect lol
The second time I went we got to see a wall that they didn't renovate post WWII and it still has all of the graffiti from the soldiers that captured it
Which were the Red Army and I think specifically it was a tank brigade
Let's just say they weren't fans of the Germans
The worst part of the capture of the Reichstag was that the Germans faked intelligence and fooled the Red Army into thinking it was a target they couldn't lose. As such the Red Army threw a ton of men at it and a lot of them died
@bronze lodge Compliance is a hugely complicated issue, especially where mapping requirements across frameworks is concerned. Remember too, that the vast majority of frameworks are industry and not government. Even HIPAA isn't really a set of technical requirements, it is a set of regulations mandating protection of PHI and PII within healthcare systems.
HiTRUST CSF does provide a lot of common controls, but getting that accreditation is a very strict process that is time bound. If an organization doesn't come close passing criteria before that audit process begins, it's extremely unlikely to remediate in the allowed timeframe
That's a great distinction, regulation vs technical controls/compliance. That was the distinction I needed
What jobs do you guys think are most likely to be remote in the future even after corona stuff is gone? The obvious ones I think are like web app pentesters/bug bounty but are there any others?
well, anything that people worked remotely for prior to covid would still be remote possible, it's largely down to company policy and standards and level of position
yeah it seems like its largely up to the company but Im guessing there are some jobs which are inherently more "remote". like server guys need to be in the data centre at least occasionally while there are some other people that can be completely remote
Server admins (which is a job filled by men and women) is a job that is changing due to cloud technologies, which means you aren't onsite.
Lots of security jobs can be remote, may be easier to ask which ones can't be such as SOC analyst and NOC analyst maybe not.
I've been fully remote for 6 years myself and work in security.
just wondering why a SOC analyst wouldnt be, Ive recently started a soc analyst role and its basically fully remote
they prefer you to go in once a week or so but I think thats to get you to see the team etc
I guess it depends, I would think if you are in an environment where you are monitoring and have to quickly collaborate with other team members, some management types may not see remote as an option.
I'll also say as someone who has worked in various offices, worked remote or partly remote, etc, remote work hinders growth of junior team members. Its great for senior team members but not so great for junior
I can see how that may be the case
although not having to travel 2 hours per day is too good
Currently a soc analyst, done ccna, sec+ and GCIH.
Got 20 oscp like boxes from vulnhub to do over the next couple months then book 90 days pwk, does that sound reasonable? Done most the offensive pathway on thm too
it seems like you've got a solid background, I don't know if I'd go 90 days right off the bat, depending on how fast you work, you can get a good grip on most of the PWK boxes with 30-60 days
what are the requirements to be a cyber security analyst?
@stoic cave I got it 
search job listings in your area and see what they say?
The jerb?
Yes sir 
I'm hoping for new jerb
Nice!
time for a change? looking for new type of work?
Are you cleared? I forget
a change is imminent, company is restructuring stuff, just trying to get ahead of it
now now, that would be telling... I have 0 interest in non WFH jobs
Ok well im not sure if they are all in person but I was just reached out to about a myriad of positions that are becoming available
just an opportunity popped up within my company and my job is likely going to change sooner or later so
Lockheed, Sierra Nevada Corp, etc
yeah recruiters get in touch with me daily, AWS has been persistent lately about their AWSome opportunities
Say no
I just ignore
Amazon is just as bad as Google
I'm aware, lots of people from my company have been attracted by $$$ to go to AWS
the total workaholics seem happy, the ones that weren't, are miserable
ah wow, good luck with the restructure
I'd land in a good position, but maybe not the exact position I'd want
i'm trying to bridge the massive divide from my team to the red team at my workplace but it might be another 6 months before i get anywhere
lots of churn
hard to explain but I was in a security consulting type position for quite a few years, I watched for various opportunities and was passed by for a while but then finally made the bridge to more of a security engineering/design position
just applying, gaining skills, etc, etc
don't give up, it'll happen
What state/region?
I think most were NOVA and DMV
I'm getting tired of where I'm at. Thinking of making the move to D.C area in the coming year or so.
It's expensive AF
I'm an hour outside of DC ish and I'm paying $1400 for a 1 bedroom apartment
Almost as much as my parents mortgage
Maryland is cheaper than Virginia and less crowded
Well I'm out west, so I'm in an "affordable" $1400/month while my friends in other states are above $2000
Come on down
What kind of position you looking for? How many years work experience do you have?
I'm coming from a background in hospitality and just recently moved to a NOC technician. But I would rather do security. Studying all the things right now. THM, INE, PentesterLabs.
Unfortunately there weren't any places to rent in Maryland near where I work
@pseudo creek Do you have a current clearance? IIRC you said you had one.... I might be able to help you make a move, DM me please.
I'm not interested in leaving my company at this time
ahh ok, I'll keep on the lookout
@meager sandal I'd ask that question in here
ooh ok dude
Learning Cybersecurity
I am a newbie here, can I know which course is the best if I am just starting out (OSCP or OSWP)
I pasted my response in here @meager sandal sorry for the double ping:
an exam from eLearn, maybe if you're just starting out OSCP and OSWP may not be the right choice in your instance. I would advise to either start with eJPT - eLearn Junior Penetration Tester or wait for a bit longer before venturing into the likes of the certifications above as they require you to have more than just basic understanding of the subject, but that is my opinion. the rest is up to you
OSWP is also very specific
I see now that to take the eCPPT by eLearnSecurity, eLearn wants 400 euros, plus, if you want to study the material or the labs, you must pay the subscription to INE organizations....
When I took the eJPT I paid only 400 euros, with two retakes and unlimited labs...
-warn @tacit gate Asking for exam question dumps is against all exam vendors terms of service, including EC-Councils. Please refrain from asking for them.
Warned Dante#2384
Sorry
I'm new here
Welcome
Hello everyone... I'm glad to join
Thanks man
Gave +1 Rep to @glad cipher
Have you tried any rooms yet?
Yes
I rooted rootme yesterday... It was fun actually
I am trying overpass and I got stuck
At the login page
Awesome! If you have any questions there is tons of knowledge in here. This channel is specific to careers and certs but ask away if you need anything
Thank @COLONEL
Noob question here. I'm transitioning away from a 20 year career in another technical industry. My initial plan was to get my Security+ and CySA+ certifications to prepare for a SOC analyst role. I spoke to someone the other day at a large cyber security firm and he recommended I get CEH to stand out from everyone else, but the research I've done says it's not well-regarded in the industry anymore apart from HR. Since my career goal is blue team, what would any of you recommend for certs beyond Security+ and CySA+ to help stand out when I start looking for job. All of this of course in addition to the practical skills I am developing here on THM. Any advice would be appreciated.
Sec+ and CySA+ are great certs to start with to get a base understanding, CEH has been around for many years and is a recognized cert but you could also do CompTIA's Pentest+ and get similar knowledge
In my view, CEH basically certifies that the holder has a basic understanding of the ethical considerations of security
Cost is also a factor to me. Don't get me wrong, I'm willing to invest in my education. But also trying to get maximal results. My contact at EC Council recommended a learning path that would be $3,000, and I just have to believe the other certs are worth looking at since the knowledge base seems similar and yet they are much, much more affordable
sec+ and cysa+ are both good certs, and if you're going for a junior soc analyst, they will most likely get you the interviews, then it's up to you to impress
networking certs are also highly valued in blue teaming, so maybe look at the ccna (200-301) too
tryhackme has lots of blue team content and a path dedicated to giving you the skills a soc analyst needs, and interviewers would love to hear you've been doing them
Thanks!
you're welcome :)
Speaking of blue team, anyone with experience in BlueTeamLabs? I was thinking of checking them out, but with it being a British company (I think, price was in pounds), I'm wondering if it's even well-known in America.
from my understanding it's a really good and technical course, but yeah it gets no love unfortunately but still could be a foot in the door thing
I've done a bunch of labs on their new platform if you want to check it out, supposedly the labs align somewhat with what the course teaches
The certificate isn't really known yet, a lot of potential when level 2 and 3 comes out. Probably worth it to get, they cover like main enterprise software (not 100% sure) so a nice way to get some knowledge on it!
Thanks!
Hi! For someone such as myself looking to get certified is the security+ certificate a good start or should I look at the OSCP ? Or maybe another ?
Sec+ is a good general security cert. OSCP is a pentest cert, much much less general
Thank you, I guess then that getting an all-round grasp on cyber security is better so I can decide what exactly I want to do like pentesting or security researcher for example ?
Well, the responses to my post above were encouraging. I had already bought books for a few certs just to give myself some reading material. And just now the new Security+ book arrived in the mail. So between this, some Udemy courses I bought, and THM, I've got a lot to keep me busy. Thanks again!
I can highly recommend sec+ as an entry point!
That sounds like a good plan. I'd definitely say Sec+ would be a good cert for that goal.
Thanks guys!!
recently, codecademy has launched Intro to cybersecurity and they're aiming for more on web app pentesting...
here anyone eligible can apply for it , hope it helps
What are some entry level Information Security job titles?
Junior SOC Analyst is a big one
I somehow skipped the junior titling but in all honesty look at the requirements and see what you match
@quick forum What does SOC stand for?
Security Operation Center
Does Junior imply entry level? I feel like i've seen a lot of those that want 2-5 years experience
Usually, but it will vary on company. You can also try to relate other experience to overcome a time requirement sometimes
What other job board sites would people recommend?
I went through ziprecruiter and searched by the title I want in a few years as I gain more experience, then went directly to those company's websites and looked for entry-level positions. I can't say that it actually worked as I ended up getting a job somewhere else, and I'm still wondering if I should have held out for something more security-related, but here we are. I did get a technical interview with FireEye that way but then failed for not having enough Linux experience.
I think the job board depends on country, I think LinkedIn has global, but not sure if others do as well
LinkedIn is great for OSINT style job hunting
The other thing to keep in mind is that usually job descriptions are written by some HR person with a degree in art history or music appreciation or something, who has no idea what the job even is. And they are all looking for ALL the skills, and 100 years of experience in each. So don't be afraid to apply for something you're a little underqualified for on paper.
not always
True, there are exceptions to every rule
but I have seen many a year or two later and the information in it is the same
"be knowledgeable in current Cybersecurity practices" and "familiarity DOD manuals x. X. X" that was it
well, often cleared jobs won't go into detail because you're not cleared to know what the job is yet :). But that's kinda different
I have seen a few with minimal details, but most will say has or able to get clearance
Yeah i know. Jokes on me though because I have done nothing that has required said cleared level
I was more just responding to the "junior role requires 2-5yrs experience" comment from above
well, technically, neither does the janitor sweeping the floor. But to get into the space, you gotta be trustworthy, so a clearance ye shall have/require
I was listening to some talk and the person had created a program that was only about a year old and they were seeing job posts asking for 5 - 10 yrs experience in the program
I've been cleared for 2 years now and I've never actually used it
I saw some postings like that
clearance is sometimes more about possible access vs real access
Yeah, there's a post along those lines that went viral, where the creator was turned down for a job because he didn't have 12yrs exp with the tool he'd only created 8-10 years ago or something like that
Actually I have used it once. Only to check if I had access to certain systems and that was it
Speaking of clearance what is everyone's thoughts about military intelligence analyst positions (USA).
And using that to get a clearance
Like enlisting into MI?
if you enlist and can't pass clearance requirements, you get re-assigned
Was wondering if it was not an optimal path to take if you have a college degree
Yes so you realize that this requires an oath of enlistment
yes
And once you sign the dotted line there is no backing out
you are literally government property
Yeah.
Empty can talk more to this than I can
National guard is not a bad way to go, IMO. Your commitment is generally 1 weekend a month and 2 weeks a year. Plus a few months (or so) of initial training
Natty has a different culture than big army but it's still the military
And i would be 100% sure it's what you want before you commit
here's the kicker, though- you can and WILL get called to active duty at the worst times, and you have zero choice in the matter
until deployed for short period of time
This
Half my school is getting deployed at the end of this year
I saw a lot of folks who were called away from good jobs to go 'play in the sandbox' overseas
it can be incredibly disruptive to your life, your job, your family, your finances, if you are not prepared for it
I'm not trying to talk you out of it as I am preparing for the same thing but you need to be certain
You would get deployed doing tasks that relate to your position though right? Sorry I'm just not seeing the part that is bad.
yes and no
It depends as with everything in the military
Most contracts are 4 years right?
yes, you would get activated because there is a need for your job. But there's also the distinct possibility you'd spend half your time painting rocks or sitting on a live grenade or something equally stupid
Used to be that all are 8, but not all 8 have to be active
Again depends but 6 is generally the norm for the recruiting station at my Uni
variable on the job, but usually 4 -5 yrs
For reference, it was the VT national guard and they are under 10th Mountain
So they have a higher operational tempo than most guard units
part of that time is active duty or ready reserve, the rest would be inactive ready reserve; but it is only the initial contract
correct
but IRR can also be called to active duty at any time. So just keep that in mind
I am more so just wondering if you think it is worth it from a money point of view / or being able to attain a clearance. As opposed to working as a civilian where it seems you will have a hard time getting into government.
you're "out", but you can be back in tomorrow
Really depends. If you have skills, you can get hired at a civvy defense contractor and they will get you the clearance.
I had to do one muster on IRR, mostly for here are some great job offers or are you sure you don't want back in
Basically be ready for a contract negotiation where you have zero leverage
Are you graduated?
Did you mention that?
Graduate in a month
Going in with a degree, you might be better off shooting for officer. But in some ways, that's even less flexible than enlisted
Easiest path to attain clearance is active service. It's a hugely expensive process to get tickets from industry; most companies do not want to invest in that sponsorship from scratch.
Yeah army decides your MOS as officer
Actually, I don't think that's true. I think you can get a guaranteed MOS, if you can pass it
could be wrong though
Hmm really? Maybe that's only ROTC then
We would have a branching ceremony every year for the Army kids
I've seen several that will happily do it for lots of people, so kinda depends on the time/company/contract I guess
And they would get told what BOLC they were going to
Yeah i got lucky and got put up during my internship
I'm sensing the consensus is that it is very possible to attain a clearance without active service and based on the pay i saw for army seems like not that worth it.
I think with army officership coming from ROTC school pecking order plays a role in getting your preferred MOS as well
It depends on a lot of factors. Can you get a clearance without a .mil background? Sure. As long as you have skills that a company needs, and is willing to sponsor you for the clearance.
Is .mil worth it? Again, depends on what your goals are and what you want out of life
Personally, I'd say don't put on the uniform unless you're willing to die for it. Because some day you might have to.
Yeah I have friends in but the money just doesn't seem to be in the right spot.
Generally speaking, most people don't join the military for the money
Nope
you can make a good paycheck as an officer, or senior enlisted, but by then, you've also spent a lot of time doing sh*t jobs probably
What's your degree in?
Information Systems
I'd be willing to bet you can make a lot more money as a civilian than you ever could in the military. Will that look good on a resume? Sure. Will it open doors? Yeah, probably. Will a clearance help get you some "cool" jobs later? Yeah, potentially. But even as just some guy in a server closet at some random tech company, you're going to have more career options.
Right now, tech jobs are a hot commodity. The demand FAR outstrips the supply, pretty much across the board.
Forgive me if this is an inappropriate question on this server, but is it safe to say people in information security in America are generally pro-military, or pro-America i guess?
I can't answer that, really. I would say it's too broad to generalize.
Even within the military, in combat and special operations units, you see a range of people
My job search is just accelerating right now as I look to graduate in a month and these job board postings are all looking similar to me lol. they either want people with 1-5 years experience or 5-10 years. I still apply to the former but nothing is sticking yet.
don't get discouraged, and get used to it
There's a lot of tech jobs, due to a major lack of skilled people to do them. (A lot of people seem to think that because of the massive amount of jobs, it's easy to land them)
I have a set of skills that are in very high demand, and I get contacted by recruiters every day. On average, 5-20 per day, day in, day out. And most of those are junk or don't interest me.
Very true. But I also see many jobs wanting the perfect candidate who can do all things and has tons of experience in all of them, which is basically nonexistent
Job specs will always put the ideal qualifications/experience and are always open to the idea of taking less than the asked skills
@blissful isle job hunts are always a numbers game- it may take you a lot of applications to get an interview, and a lot of interviews to find one you actually like, and that they like you
I would replace "always open" with "hopefully open", but yeah, I agree
Just gotta show a passion and an employer tends to open up to the idea especially if it's a junior role
yeah. As someone who has done a lot of interviewing and hiring over the years, if I'm hiring for a junior, fresh college grad, I'm not looking for skillsets much, tbh. I'm looking for attitude and enthusiasm. Can I work with this person? Are they a team player? Are they eager to learn? I would gladly take a lesser skilled person that's teachable and easy to work with than a hotshot/rockstar who is arrogant or something
also if you are an aspiring junior, in college, please, please get some job experience, it will only benefit you. Graduating without any work experience will make things so so much harder
Paid internships are really easy to come by if you are in a technical field of study. Start looking in november for summer jobs though. it's too late right now to find an internship for June unless you get very very lucky.
I think he/she said he graduates in a month
But yes, what Zojja and juun said are both 100% correct/I agree
I'm not sure what this means? I have a wide diverse array of friends and coworkers, and they have varied beliefs. In my job (which is very... gov centric), security or not, there are even a wide array of beliefs. I don't know anyone (even people who would love to abolish the military completely) who is anti-military persons. Some people think military spending should be reduced, some people think xyz, I also don't know anyone 'anti-america'. I'm not sure what pro-America means in terms of someone who lives/works in the United States
yeah it is a generic, but I've seen it a lot here. My company hires a ton of entry level people but the common theme is they have some form of work experience, internship, job at college, something
Yeah, an internship as a college kid is a HUGE thing, for both parties. As an employer, I know the kid has some tangible skills. As a student, you can start to learn what you like or dislike
I think there is a bit of Military glorification within certain sectors of infosec, specifically red team operations - just look at Lockheed Martin creating the whole cyber "kill-chain" thing
or certain infosec people prefacing anything they say "well what we did in the Army..." in order to sell their product/pitch
I think the influence is different than glorification
@ancient prairie The cyber killchain isn't as bad as CYBOK imo
(and cyber kill chain was not developed by a red team but a blue one)
fair, but it does put a rather combative spin on hacking by calling it a kill-chain which is military terminology afaik
but like I said, overall in cyber security, you'll find a variety of beliefs/ideals/etc
for sure, and you're most likely to run into people that have well formed opinions on either side, tend to be an analytical bunch :p
Well, a lot of that is being done for defense contractors/military contracts, so it kinda fits
again thats the influence, rather than glorification
agreed
honestly, I've found more people in cyber security to be on the liberal side of the political spectrum than not even in the gov contractor space
Tech tends to attract progressive people
yeah, where you see it not is the people who came from the military and go more into the ISSO type roles for classified programs
but even in the military, you have politically liberal people, my family is full of military veterans, all are super liberal on the political spectrum
that being said, finding pro-America people (whatever that means) in America isn't surprising, kind of expected I think
one of the questions for a security clearance is... do you belong to any organization that wants to overthrow the US government... I'm sure after Jan 6th, lots of people were like 'well kinda'
Jan 6th?
storming of the US capitol
hahahah okay
its all the Q-anon stuff which I never quite understood but that seemed like their goal
@pseudo creek One popular question for SC is "What do you think of Edward Snowden, or Wikileaks?"
I saw a recent story saying something like 20% of that traffic was coming from overseas.
the scary thing is there's some q-anon people in the military as well
I never heard of that
yeah but what happens when they get to the security clearance questions about overthrowing the US government "I was but not anymore"
Snowden is a good example, actually. Self proclaimed patriot, did something that some people would consider treasonous, others would consider very patriotic and honorable. So like many have said, broad range of opinions/people/attitudes/mindsets/etc.
I'm like Switzerland when it comes to Snowden...
"I plead the 5th"
polygraph usually catches those
Polygraphs are bad tech
yeah when it comes to that type of interview, he breached protocol plain and clear, when it comes to a security role that's a nope
they really are
oh those are ez pz
Adam lists the many factors that influence the outcome of a polygraph test and reveals how it can be beaten.
In Adam Ruins Everything, host Adam Conover employs a combination of comedy, history and science to dispel widespread misconceptions about everything we take for granted. A blend of entertainment and enlightenment, Adam Ruins Everything ...
the guy who helped create them I think taught how to bypass them for years?
Way better to train someone to read body language than to invest in one of those machines haha
Oh I agree, poly's aren't an end-all-be-all. But they can be useful
it's kind of horrible though... like when asked a question, you dig into your mind for the littlest thing... "have you ever stolen anything?" "Well one time, I took a pen from the bank but it was an accident"
BANK ROBBER?
crap, caught me
See, it's people like YOU why all my good pens keep disappearing
all mine do too, so I have to replenish them somehow
:smh:
unless your company has a policy that says you can't accept them, because that counts as a gift
under $25...
they are usually advertising for a product/company so it shouldn't count as a gift typically anyway
but maybe
mine is $10
"SANS - Free ipad with course" cries in gov contractor employee
I have a drawer with a bunch of shirts too
i can accept gifts but i have to go through like a board of gift giving lol
yeah I stopped taking shirts as I don't like wearing logo shirts
but the socks... I got some nice socks
all the socks I got were too small for me
snort, slack, various other companies
Mine was $0 for a while
funny they are usually big on me but I take them
I have size 14 feet, so most socks aren't built for me
and hoodies... I gladly accept any and all hoodies
I gotta say, AWS gives out some pretty nice hoodies
swag bags are always good
yes, I got quite a collection of AWS hoodies at this point
correction: sells for $2500 with your re:Invent ticket
no hoodies, but I do have the notepad
I just applied to their work-study so fingers crossed
I got a ton of moleskine notebooks from various vendors
I don't have any moleskin notebooks.
boo
usb plugs or cords are becoming common now
one conference, I had so many, I had to leave a few at the hotel room
or screw that. Like I'm trusting anything that plugs into my hardware?
just say no to usb plugs
i used to buy moleskines in high school, i've strongly hinted to my SO that I want a reMarkable tablet
not thumbdrives
it doesn't have to be a thumbdrive
wall plug
have you not seen the charging cables that are rubber duckies or sniffers?
yes even wall plugs are no good, wouldn't trust them
Side note: we've all just spent like the last 10 minutes reveling in the 'glory days' of past conference swag.
ha
I have no conferences planned this year but re:invent is late enough in the year that it might be on the table for me
most are still running virtual
that was a fun one. I wouldn't pay for it myself, but if the boss wants to send me, sure
they always have it at the end of november
my husband may be able to go with me this year, we could do some hiking
although one year, the flight was like $1400 or something... I dunno why, maybe my company decided too late in the year who was going
are you a fan of the Cirque shows?
probably not... I had free tickets to one through a ServiceNow conference and skipped it
hah, don't get me started on SN. But you should've gone- they are pretty cool (just my $0.02)
I went to a few last time I was down there
fair enough. Plenty of other things to do in LV or the area depending on your interests
normally I hate shows too, but I make an exception for cirque. I wanna maybe see some of the big magic acts too if/when I go back
watching the prostitutes work their magic against conference attendees was pretty fun
a group of my coworkers were sitting at one of the bars in a casino and making commentary...
that was AWS
it was like 'she is trying hard... is he going to do it? is he? guess not'
hah. Yeah, I can see why that would be a fun spectator sport
normally when I go to vegas, a lot of people from my company go so they do group events and stuff
but like I said, if my husband comes, we'll go do some hiking if the weather is good, check out some vegan restaurants, etc
I also usually put $100 toward gambling
If you're outdoorsy, there are sight-seeing tours that might interest you also
I don't do helicopters
yeah there are some decent hiking, not sure we'd do a 4x4 tour
And that giant ferris wheel of dome thingy
when I was younger, my parents and I would hike in/around Vegas every few years
Have you been lucky enough to marry a vegan?
its not that easy, I went vegan a year after we got married, he went vegan a month later
Heh, good enough. You're really lucky there
so I 'turned' him
I can't imagine even trying to date someone who wasn't vegan
Disadvantage of already being there
yeah I know, he used to love fish too and I'm bleh about fish
just find a lazy partner and then cook for them, if they are too lazy to cook, they'll probably be like 'ok I'll be vegan'
But then I have to deal with a lazy partner
or find one that hates to cook
Also true. I do love cooking
Too busy to do it often just now unfortunately. I tend to just make stuff in bulk and freeze it
As good an arrangement as any
My grandparents do that. She cooks, he does the washing up. Works a charm
yeah its good to share chores
Heh, I've got friends who are the most incredible team I think I've ever seen. Husband and wife outdoor instructors in their late 50s, been married since before they turned 20. I swear they can read each other's minds
Should see them cooking though -- same arrangement. She cooks, he washes up, but they manage to do it simultaneously with massive batches of food in a really small kitchen. Him predicting which stuff she'll need washed up first for whatever is next on the list, her making the food and passing the stuff back to be washed. Absolutely incredible
I have a few friends who are a married cave diving couple. Similar thing.
Relationship goals
we've 'only' been married 14 years, but it's weird how things just become symbiotic
14 years is a long time. Good for the both of you
Yeah, it's always so nice to see.
I'm still at the stage of being absolutely done with dating
I was done with dating when we started dating... which made for an interesting courtship
Aha, I'll bet
That's how it always works- you find it when you stop looking
I totally didn't get that he was interested because in my mind that wasn't in the cards
Unless there's a pandemic
ha ha
Oh, I'm sure somebody is secretly discord-stalking you, Muiri.
I very much doubt that
c'mon, young, smart, hot vegan... you got it going on
Well then, get back to work making more rooms, then. I have needs.
You say that...
You don't want to see the next one
YotJF was made to procrastinate from my Hummingbird because it's a nightmare to implement
Nah, I do. I'm just sad cuz I know it'll be beyond my abilities (for now...)
YotHB will be... something
they are all far beyond my abilities
I'll be interested to see how people get on with it. It's the first one that I'm actively ranking as hard without prompting
Will be interested to see if YotJF gets force-upgraded from medium to hard though
The last few have been
Imagine if 0day had a vegan wife and had to give up chicken fries
Should see the abuse 0day gives me for being vegan
I doubt he would ever date one
the good thing about vegans is that it's not possible to date a secret vegan, they'll tell you instantly
Is that an automatic ranking thing, or just outvoted by management?
That so?
same with crossfitters
people don't understand how good it is...
The latter
most people I work with don't know I'm vegan, even people I've eaten out with
I tried to do vegan and vegetarian. I can't
its not that I hide it, its just... like I don't bring it up unless I need to
vegans, crossfitters, law students
This ^^
If people are interested I'll happily talk about it, but no point in shoving it in people's faces
I was a crossfitter for a while too... vegan crossfitter
I see the value in it, I'm just too picky of an eater
One of those people
only people who are trying to feed me are people I'd tell... like umm yah
^^
Yeah, I used to do a lot of marathons and ultramarathons and ironmans and such. I see the value from a health and fitness perspective, I just don't like most of the food. And I'm way too lazy to cook/prep it.
even at work, you can direct group meals to restaurants with vegan options pretty easily
Yeah, that's the difficulty. People really struggle to do veganism if they can't/don't like to cook
Not without a vegan helping them
see I'm Mexican (american), I grew up eating beans and lots of veggies so... beans, rice, veggies, bread, tortillas, guacamole, thats all my jam
sadly, I dislike most veggies
and I love making various Asian food dishes (Vietnamese, Thai, Chinese, Indian) which are either already vegan or easy to do so
stupid, I know, but it is what it is. I've tried
like ... omit fish oil? sure I can do that
I'm actually pretty optimistic about the new trend towards meat substitute type stuff
impossible burgers/etc.
I've heard good things
I make my own seitan too... and its super easy but if you don't cook, its harder, because people don't have confidence in cooking if they fail once
Tofu is absolutely amazing too
yes... baked tofu is the stuff of my dreams
Virtually nothing you can't do with it
Agreed!
Literally, if I have spare tofu I will pan-crisp it with a little salt, some nutritional yeast, and cumin (or make a satay sauce and miss out the yeast), then just have it as a snack
Sooooooo good
I marinate it and throw it in the toaster oven
slice it up, marinate it for a couple hours, bake in toaster oven, its so good
Nice
What kind of marinade?
... and that's how you get your clearance and get a job in cybersec
Aha, fair point. Should probably shift to #quiet-conversation
That sounds nice actually. Garlic'd olive oil is so good
Lemme know when you want a job as a personal chef
thats too much work
yo
Hey everyone, can one become a privacy consultant for vulnerable people specifically or is that done only through volunteering work? Trying to figure that out
I feel like getting some kinda privacy cert is the first step anyway
You could. That's going to be a rough and lonely consulting career. Are you trying to get on with an accredited auditor first?
Not really, please tell me more, i am trying to figure out what i actually want and is there any way to do that realistically :D
accredited auditor as in the cert i have to get? Having a hard time understanding that line
Thanks very much for answering anyway!
usually it's a firm. Deloitte and Coalfire are two firms I know of that perform 3rd party audits and are accredited by a security standards body
honestly, being a personal privacy consultant is going to be really really hard to pay the bills. Unless you happen to be on Oprah and manage to be the privacy expert to the stars
Oh, lol, ok, will think about that
Juun makes a good point. But I also think it's an admirable goal. I don't have suggestions, sadly, but I do wish you luck :).
Thank you very much!
Gave +1 Rep to @light urchin
I am not sure, but I am interested in privacy and want to help people
Also drawing
Programming also, lots of stuff actually
And in terms of career goals/aspirations?
i am really not that familiar with career in cyber security yet can someone help me understand how a person living in india can get a job in usa or canada
after having OSCP cert
I am not sure actually, but privacy stuff and independence would be great
Is this a mid-career career shift, or fresh out of school type thing? I'm thinking you could maybe start a consulting company focused on that, but it'll be an uphill battle at first.
i had a little bit of experience in this field, i worked at a local place where i learned quite a lot about Network pentesting, web pentesting and many more and now i feel ready to take OSCP lab and certification
I am a bit confused after that
how to choose or pursue with companies
Getting a work visa in the US can be challenging. I can't speak to canada
Work for the EFF! Having a background as a Private Investigator or maybe some sort of OSINT Analyst would probably give you some credibility needed to do some privacy-consultation work
@light urchin @ancient prairie thanks for replying
Gave +1 Rep to @light urchin
but there's also some great organizations or even teams within orgs out there that do a lot for privacy which you could always support in a different capacity - they always need idealists and people that believe in their mission
The question I keep coming back to is how to make it a viable financial/career path. And the options there are either few big customers (corporate) or lots of little customers (selling to 'average joes').
either way, it would change the approach I would take
I'm pretty sure for canada you need someone to sponsor you financially for 10 years
Like github and things right
Microsoft does a ton of great work for open source, i.e. Github, but ehhh not so much for privacy lol
haha
it's not easy, I know the US can be lax on immigration if you have a Phd or some other technical qualifications, either way I'd try and focus on your local job market instead of international if you're new
hmm
anyway thanks guys for replying i look forward for more queries
So I'm curious about how folk who are currently working in cybersecurity got their start?
thanks, that would be a dream!
Gave +1 Rep to @ancient prairie
thanks for answering everyone, i think volunteering there then trying to get a job seems like an okay plan? working on open source stuff too
I took the college route. While there I joined and assisted the Advanced computing center and also took additional technical classes as electives instead of art and such. Junior year I got an internship over the summer as an IT intern. It was hell on earth and really wasn't a great fit, all parties involved were guilty in how it went. Then I went back for my senior year and graduated with a BS in Computer Security and Information Assurance concentrating in Digital Forensics and Information Assurance Management. Then I spent the summer applying for jobs this past year and ended getting a job as a Cyber Security Engineer
I also have a Homelab where I teach myself new technologies and techniques. I'm always reading and watching things as well
Feel free to DM me if you want. Volunteering is something good to put on a resume, but the utility can be hit or miss depending on where you are and what you're doing.
Interesting, so you basically went straight from college to a cybersecurity role? I've been working in IT for a little over 4 years now, I'm currently in a network admin role but I'm thinking of transitioning over to cybersecurity.
thanks, will do
Gave +1 Rep to @light urchin
Yep. However, I have mentioned before that even though I am titled as a Cyber Security Engineer, I don't think I have really done that yet if that makes sense? I've done Technical Writing, Code Review, Scripting, Acceptance Testing, hardware testing, Linux System Administration, and many more small things and things that I'm not sure what they are called
I could tell you, but then I'd have to have somebody kill you.
Yeah I also cant go more in depth than what I just gave you lol
those are all pretty normal cybersec activities, i think.
They are? Cool
I honestly dont know what I expected because my current tasking isnt very security like?
considering we dont patch anything because reasons
hey, winxp is just FINE, quit worrying
I've been in security "for a while"... but I started as a network admin, then moved into network security, then moved into more of a consulting role, then engineer then architect
"for a while" means you're old but put nicely
Right now, my focus is on designing secure architectures mostly related to cloud environments (cloud is a great area to look into)
All of those jobs sound fun though
well yeah, when I start to say I've been in security for 18 years, people kind of freak
Probably the type of progression I'll take. What were some of the basic requirements for the network security role if you can remember?
knowledge of firewalls, proxies and various network security services, I'd definitely look at job listings searching for "network security" and see what pops up
but honestly networking is a great foundation for any security position
Hey now, be nice to old folks! Never underestimate old age and treachery. Beats youth and vigor more often than not
Zojja- I'd be interested in hearing your thoughts about cloud security. I was pretty underwhelmed with the aws security specialty
One of my favorite quotes (that I am going to misremember) is "beware of the old man in the young mans profession"
I had 0 interest in getting the AWS security speciality since it focuses on AWS security services vs security as a concept
are you saying cyber security is a young persons profession?
Ooh I like that one.
I work with a ton of people who are in their 40s, 50s, 60s who are in cyber
One way to look at it- when you're hiring someone, you're hiring them for the mistakes they made in the past. Let them learn the expensive lessons working for someone else, so they can save your team from making them again.
It wasnt used in the terms of the cyber world
it is funny, so many people have stories of huge mistakes they made early in their career
I brought an entire facilities network down on accident
ditto
I believe the actual quote is "beware of the old man in a profession where men usually die young"
Specifically referencing older soldiers
kinda related to "there are old <X> and bold <X>, but no old, bold <X>"
but I like yours. Gonna hafta remember that
Because A the guy is going to be a pipe hitter and a stone cold killer or B will be a Blue Falcon
"oops" ¯\_(ツ)_/¯
Done that a time or two
Are you really a network admin if you haven't brought down your network once?
it was amusing.. my lead at the time was like 'hey did you do anything' and then a lightbulb went off as I ran to the network room
It's actually a common interview question I ask- something on the order of 'tell me about the most expensive (or worst) mistake you've ever made'
I Imaged 100 Laptops and then realized that I made a mistake in the bios and you have to go back and reimage 100 laptops
If I'm hiring for a senior person and they can't tell me a story of the time they crashed a server, wiped a prod database, turned off the lights in the northeastern seaboard for a few days, etc., then I kinda wonder.
I think my favorite mistake was when I had turned off a phone server thinking it was a different box
Idk why I said you
which reminds me... I don't know if anyone remembers/had this but a few years ago, Verizon FIOS was having a tough time of it, I called the support line, told must be me... they scheduled a tech for the next day, tech told me that all Verizon's traffic was routing through 1 pipe
and there was some news article shortly after that about it... probably someone who made a routing change
nice
Yeah they modified their DNS and rerouted most of the globe apparently because a Chinese ISP didn't have error checking on
I read a post-mortem a while back of a "simple" regex change that ended up taking down an entire company's prod everything, and they were like a big internet backbone company or something. I can't recall details now.
When services go down I often wonder if someone's about to lose their jobs
Or if it's primarily a "haha woops" and some scolding from higher ups.
unless it was gross malfeasance, I wouldn't fire the person. You can be dang sure they just learned a valuable lesson they will NEVER repeat
our company had a major whoops not too long ago, was a junior level person who did it, I just laughed, they were not fired
can't remember specific details, was something like applied a change mid day to the proxy servers or something
Was really trying to find a snippet of it on youtube, this will have to do: https://www.imdb.com/title/tt0453467/characters/nm0000243 search for "my bad"
"I still say we blame Canada"
I deleted a whole live site with the click of a button once; had to get vendor involved in restoration. Tech support were kind about it. Realised that I'd have to shelve my 'try it and see' approach to problem solving if I want to get into IT.
Well, 'try it and see' is fine. Just not in prod
per day
anyone know of any free systems recruiters use to parse cv's?
wanna run mine through one to ensure it's picking out the right things
good question, actually. I don't know of any though, sorry.
@static tide I've used this one a bit https://www.jobscan.co/
I've used jobscan too but it costs money :-(
Anyone have any tips on obtaining an entry level position, or even an internship for someone who is self taught, but has a development background?
Finding it hard to even get through to first round of interviews, or am dissuaded from even applying, seeing as most roles I see want a degree + 3-5 years practical application.
Any input would be greatly appreciated. Thank you!
Don't be dissuaded from applying regardless of your qualifications, worst they can do is say no or not call back, which many that you are qualified for will do to you anyways
its a really stupid dance you need to do with HR where they overshoot the qualifications in the description, but in reality they'd be more than happy to take you, idk if its a way to weed out people somehow but I was insanely underqualified for my job on paper, managed to get an interview and did a good job there
@ancient prairie Thanks for the input. Yeah thats how it was for me in the Software Dev field as well, because I am self taught in that regard as well. I got kind of lucky with that one though and landed a paid internship which led to a contract role, and build up my resume.
I have been applying to quite a few job posts in the security realm(and even a couple internships) and just keep getting shut down. Just have to keep going at it then I suppose.
Appreciate the feedback though, truly.
Gave +1 Rep to @ancient prairie
It's tough for sure but hang in there, if you're actively on the hunt I can't recommend BanjoCrashland and his job-hunting streams enough, he's helped a bunch of people and has his own discord I believe, check him out https://www.blackhillsinfosec.com/webcast-how-to-hunt-for-jobs-like-a-hacker/
Job hunting? Looking for a career change? Still in college and want to know how to get started now in your career? If you answered yes to any of these questions, this might be the BHIS webcast for you. This webcast is an update to Jason's popular recorded DerbyCon 2016 talk - How to Social […]
Seriously awesome resource, thanks again!
Yeah Jason Blanchard is a good dude and puts on great job hunting streams
He helped me with my job search and now I'm employed so yeah
That is awesome to hear, I joined the discord, and am taking a look at the resources on the website. Pretty cool.
Yeah don't get discouraged. I think I put out 100ish applications each tailored to the position I was applying for
It was also the height of the pandemic though
Okay that's good to hear, I was worried it was just me haha
Yeah it was a lot of work. I had first sent out a couple of applications here and there between January and March of last year and then really started pushing them out in May. I was offered a job in August so it takes some work and time
For sure, that's basically where I'm at now, have put out maybe a couple dozen. Going to start pushing harder for it here in the coming weeks. Any tips for good job board platforms for these types of jobs? Or just the typical LinkedIn/indeed/etc?
I like LinkedIn more than indeed as it allows me to see if I have any connections or alumni at the companies I'm applying to. I then network with said people
But I used all of them honestly
LinkedIn, Indeed, USAJobs, ClearedJobs, Clearancejobs, etc
Awesome, thanks for all the input. Truly appreciate it
Gave +1 Rep to @stoic cave
If you knew how underqualified on paper I am for the job I got you'd be amazed
but in the end performance trumps paper qualifications if you get in the door
Definitely makes sense, that's how it was getting into a development job as well. It's just the getting in the door that can be tricky :p
the hardest part is getting in, once you're in if you can perform, what the paper states is worthless
just don't give up and keep pushing forward @lucid dragon
Hello, I just created my first resume and was wondering if I could get some insight into how to improve it. Thanks!
honestly - for a resume - find a professional resume massager and pay them the 50-100$ to have them polish your resume and load it with the correct HR keywords to get you through the door. Think of it like SEO - you can learn it yourself, but you could also spend a few dollars and let someone who's mastered it do it for you while you focus on stuff that matters to you.
For sure. Do you have any recommendations? I really just want to find that qualified professional to help polish out the rough edges. I want to outshine my competitors, haha.
Sorry mate, I do not. I've been independent running my own gig for a decade now.
haha, for sure. I appreciate the insight, I'll do my due diligence and try to find someone.
You could probably find someone on Fiverr that's really skilled tho
I'll check it out, glooks. :)
Also if you find and ask on the right reddit sub - you'd likely have good luck
For sure.
if you're a college student, often the college will have a jobs counseling/help person(s) who can give you resume advice as well
I just graduated with a bachelor of IT and I am looking for a job. I was thinking between some certs I should get. Comptia Security or OSCP
Security+
That would be a good choice
Thats what I would go for personally and what I am currently studying for. Once you get in to a new position see if you can get the company to pay for whatever cert you want next
Yeah looking for a job after college is tough
I currently have a job but purchased a Sec+ voucher before I graduated last year
procrastinated and now Im finally taking sec+
Work is paying for OSCP at the end of the year
Then after a little bit Ill start looking again and probably move on to get a nice pay bump
OSCP if you're aiming for a pentest job, Sec+ if you want a security job but not necessarily pentest
Yeah I'm not sure what kind of jobs I should be applying for as a fresh graduate
What country credirs?
While I agree with that in the US specifically pentesting isnt an entry role most of the time
Ahhh OK, make sure to look at listings for jobs ur interested in and see what they require, always helps.
again thats just my experience
I only found two positions that were looking for fresh college grads to train up themselves for a red team
both government positions
I'm pretty sure that is US
yeah
What job did you get when you graduated
Anybody from Toronto have any guidance on jobs?
Me? My current position, Cyber Security Engineer
What agency?
DOD and DOE
Unfortunately for me, the DOE position was just starting to spin up and looking for applicants when I got an offer for my current position. I wasnt going to wait for the "what if"
I think DoE could be cool, depending on where you end up. The national labs seem to be in pretty nice locations.
It was INL
I actually tried to get on a Cyber Security Think tank/panel for recent graduates at Oak Ridge but when I went to apply it said they werent accepting Computer degrees for the panel 
I have a friend who works there! Nuclear engineer PhD candidate.
Yeah seems like a great place to work
I know someone who works at INL
and know a bunch of people at Sandia
Sandia would be my choice for location, but I love New Mexico
im also graduating but really dont know if i should get a security job when i have very little skill
i mean i have to get a job, im just not sure if i fit anywhere
Dont let that slow you down
Im blanking on the name but the feeling that you arent good enough is common
i always feel like im not good enough
Coming out of college companies aren't looking for perfection and understand that there is going to be a learning period
well use that to your advantage then. let it drive you forward by being hungry to learn more instead of holding you back with the "what ifs"
i guess im just a little sad because i still dont know where to go
Cyber is a big field you have plenty of options
imposter syndrome
there it is
20 years in and I still have it
I wouldn't worry about not being good enough, no one is an expert out of college
I'm pretty dang good at what I do and I still feel like I barely know anything half the time
just keep learning, you'll be fine
i guess i'll get there but who knows how long thats gonna take
the rest of your life
yeah i guess
in this field, things change all the time. And it's such a massive area, there's no way anyone can know it all. Just keep learning, keep adapting to industry trends, and you'll be fine
have a growth mindset- find areas you are weak, and learn more about them. The whole point of hiring people is that everyone has a different skillset and background. Working as a team, you can accomplish more than you can alone
and well i also picked it because i wanted something that changes because if things stay the same im worried my brain will drop it in a month therefore be useless in a job
Are you coming out of the US school system? If so this feeling is normal
and no, im in ireland
I think it's just human nature, tbh. Regardless of education
True
I meant it more in the fact that the system in the US makes students good little robots and its only about the memorization and the next test
oh yeah that too
that sucks
so many people only care about grades and have absolute breakdowns if their grade is off by 1 point
and im like why are you putting yourself in such stress
Yeah I would suggest trying to figure out how to learn better if that makes sense. Not that you dont, improving how you take on knowledge is always good
Don't worry about not feeling good enough. I know people with PhDs, certs, and literally decades of experience, who are probably smarter and more capable than I am, who still feel like they don't know enough
Honestly, I think its a good feeling because you wont become complacent
and complacency in Cyber leads to bad accidents
complacency in anything
true
Im transferring to dsu to finish off my degree there. Why? First: 4+1 program, their cyber team, and well hopefully grab a few connections and connect my way to a gov job to the dc, maryland, Virginia area @stoic cave will one of the top 12 schools designated as nsa cyber of excellence give me a better shot at getting a job at a gov agency, idk tbh but I will try my best
I'd say the most important thing is connections honestly. That's part of the reason why I went to the school I did. At the time I was touring we were in a head to head battle with UTSA for the number one school on the NSA's cyber excellence program
Once you start looking do they care where you went? Sometimes, but it's more what do you know and how willing are you to learn and be constantly learning
People skills are also really important unless you are a NSA number cruncher
I'm a contractor so my path is a little different than direct government and the pay is better
But even though I'm a contractor I still work on the same projects as my government counterparts and I have the added flexibility of moving contracts if I get bored
@stoic cave yea for the "what youre willing to do" part, id say my best option is their cyber team and build my reputation up and connect with external parties from there as well. If u dont mind me asking, how does a contractor become a contractor for the gov (in the cyber space specifically). Like was it by choice u became a contractor?
Yeah i applied for the position
You apply like you would for any regular job. It has its wants and needs as well as clearance requirements or any special qualifications that you need to meet like DOD 8570
Im guessing u had the sec+. And u were able to obtain ur clearance as a civilian correct? They tend to be expensive to sponsor vs someone in the military who already has top secret
I know of companies that have a habit of hiring people without a clearance and putting them through top secret and beyond
just depends on what they need and what you have
Nope im studying for security+ now. I had a clearance because my internship put me up for one as a nicety. I was hired with the degree, one internship, and some personal projects for experience
Did you put projects on your resume? I had applied to some software engineer jobs before realizing that's not what I wanted to do, but then I took projects off my resume because they didn't seem relevant.
What are some must have "beginner" certs?
Yep. I have personal projects and final practicum projects on there
So my personal projects would be my homelab and the practicum projects were culminating assignments of my degree
One was a straight up pentest and the other was an Attack/Defense exercise against other student teams
@stoic cave what college did u attend?
Those two school projects already are far better than half of the other cyber programs out there. Thats dope
Yeah as far as I am aware we didn't have anyone breach us
I wasn't on the offensive on that exercise so I can't speak to whether we breached anyone. Knowing the student conducting the offensive measures.... Probably not unfortunately.
So honestly, I would not do a 4+1 program for Cyber (the +1 being Masters) unless you already have experience in some way... military, even any work experience not in IT. Generally what you will want to do is apply to as many internships as possible. If you know anyone who works for a Gov contractor/NSA/etc, you'll want to ask them about internships as sometimes there is an internal way to apply for internships.
Yeah to add onto that almost all of the internships for the alphabet soup are TWO summers not one and you have to apply as a freshman early sophomore
I think september is usually the cutoff for the following summer
yeah my company generally has a November cut off for internships for the next summer although we had some late internship postings for some reason
how did you all get started? I want to learn but am clueless
I would suggest checking out #start-here
sweet, thanks. sad that im about to grad and no idea what im doing with myself
join the club
my only advice for that would be to not wait until you feel that you have everything figured out to make a move. usually you can't take a step without taking some risk, so don't be afraid (and even if you are, just roll with it). if you fail, try try again.
I got a job last week doing pentesting
THM definitely helped because it was all I did before the interview
Congratulations, BitFlip! That's awesome
Has anyone used the skills they learned from THM for their current jobs?
congrats!!
yes, working for thm taught me a lot about team work and communication, as well as to trust your superiors
Hi there, Do you recommend getting Azure or AWS 1st?
aws because if you search on LinkedIn for aws or azure jobs aws is more popular
AWS has been around longer than Azure, but AWS is the more complicated of the 2
I didn't know that! Thanks
AWS has a bigger market share
first in a space usually has a bit bigger market space, but the principles of cloud are pretty much the same it really comes down to managing access and user privileges
at the beginner cert levels, I don't think AWS is more complicated, I actually find Azure pretty complicated compared to AWS after using both and doing certs in both
AWS' original complication comes in IAM vs the actual use
The complexity/problem with AWS is that they have so many services. Well over 200 now.
but you can get the solution architect and developer certs with only knowing about 20ish of them
well Azure does as well but as a beginner, you really don't need to know that many of the services
like with Azure, every service has a license level and every license level has a different level of features, so you have to learn not only the services but the various license/feature levels
it makes my head spin
well it makes sense for enterprises but learning it is very confusing
yeah
makes for more granular pricing
I don't have a ton of respect for MS, tbh. Used to work for a place that was a MAJOR client of both aws and azure. AWS support and account reps were super helpful and smart. Azure was literally "did you try rebooting the cloud?"
reboot the cloud, sounds like trying to reboot the internet
honestly, I've had good and bad experiences with AWS support
like since we get 'free' account support, one of our programs went to AWS to assist with possible solutions, one of them was the stupidest thing I've ever heard and would've cost the program a ton of money... I said no, we aren't doing that