#cyber-and-careers
The alpha is cheap and has monitor mode
Alfa Network AWUS036NHA – USB WiFi Adapter, 150 Mbps, 802.11b/g/n, RP-SMA, AR9271L Atheros Chipset https://www.amazon.co.uk/dp/B004Y6MIXS/ref=cm_sw_r_apan_glt_fabc_GXFJTDA3HZ56HHVGMMA3
It's 30 quid here in UK
It's the one I use and has worked fantastic on parrot and kali
Is that a good price ??
You can get some MT7601 for very very cheap
It is approximately 80% free content
I learned most of what I know there
!docs free-path
I just said that. You'd still need to be familiar with the basics to be able to move around on a linux web app server. Not sure if their organisation uses Windows servers but honestly I'm still gonna wonder how someone got to that level without touching linux/using kali linux once.
Name one tool on Kali that you'd need for webapp testing that you can't run on Windows?
Chances of getting RCE irl are slim to none. Even if you do, you don't do anything with it -- you speak to your point of contact immediately and that's it
I see. So would you say that someone that senior shouldn't be familiar with Linux?
It's no particular benefit for them to be, although being familiar with different technologies is always a bonus if they're in a technical role. The more managerial the role, the less it matters as a requirement 🤷‍♂️
I'm not going to go in depth about said person's origins but at some point they were an app sec analyst. It may not be as useful to them now but that doesn't stop me from being surprised so I guess that's the end of that. You could use windows for pentesting but imo that's a bother and a time sink I'm not sure most pentesters would want
I mean, for app sec you don't exactly need much, and installing a few tools on Windows is easier than learning an entirely new operating system
Most people are a hell of a lot more comfortable with Windows than Linux -- especially if they've got into security through development or another area of tech, rather than the "hacker" route
Yeah for app sec but they apparently do fully fledged pentesting as well. It's just learning bash if we're honest so not that hard but to each their own I guess. If they don't want to learn linux and its exploitation or don't need it. More power to them.
Again, fully fledged pentesting doesn't necessarily involve Linux, and either way it's a hell of a lot more than learning bash
I would hope that a pentester was comfortable in both, but it's not necessary for every role. Hell, I know jack about exploiting MacOS/iOS rn (other than basic Unix stuff), but I'd hope that wouldn't stop me from getting a pentesting job.
Learning to debug Kali when it breaks is an art form.
Idk about you but that's pretty much the only difference I've seen in usage aside from things like file structure.
They are very different beasts in terms of workflows and intended usage. Hell, they are built completely differently: Windows is a lot more integrated whereas Linux is effectively a pile of interchangeable components that interact with each other. If you use Kali like you would use Windows then you're doing something wrong. That's not to say that one or the other is better, they are just different.
Linux is just an OS with a GUI and a CLI. People game on linux, write reports on linux, watch netflix. The intended usage is to interact with your hardware. The only thing I've gleaned from this conversation is apparently learning linux is a waste of time and not as foundational as others say according to what you've said and that's the end of it.
i've been pentesting for about ~8 months now and i've seen about 5% linux servers? the rest have been windows
And that's taking it to an extreme.
Listen to what people are actually saying. It's not weird or a problem that a web application tester hasn't touched Kali. They might even have stopped doing webapp testing long ago when Kali was backtrack.
Maybe you should take your own advice. I never said it was a problem. Just that I was surprised. Also you don't know their background like I do. Kali had been out for 4 years by the time they started.
Why do you care so much @stuck rover ?
fair enough
the person being mentioned doesn't do the testing themselves at all, they said in a comment it was outsourced and they do the reviews. that just makes it weird that application security and penetration testing are even in their job title
"Head of application security"

"cybersecurity isn't entry level, you need years of being a linux sysadmin or similar" "you don't need to know how to use linux"
sounds like you guys like contradicting yourselves every few months
Not really. CompSci has a much broader knowledge base to draw from. It depends on the aims and goals of the org that has opened the req to determine how similar different degrees are considered.
It's true that linux sysadmin is 1 path into cybersecurity. So is network admin, developer or any other IT role.
It's not inconsistent to say that 1 path is possible, and that it isn't necessary.
I agree, I am just saying they were working too hard to downplay the importance of knowing it
I've never been a sysadmin but I can't imagine pentesting from windows even really with burp suite
It seems to me that you are stretching it to make it sound like someone is using a logical fallacy.
if all you need to know is how to use burp suite to be head of appsec then I should stop learning other things now shouldn't I
I mean, I have been in security for a long time without really knowing Windows... really didn't need to do so til recently
I have done it. I had to, for a web assessment of a product that was on a segment that I couldn't access with my normal Kali VM.
you can focus on various things and be in security, if you want a well rounded base understanding Linux, Windows and MacOS goes far for that, at least on some level
It's discouraging to look at the people in well paid places who don't know very much
why do you think they don't know very much?
they said so, and there's no point posting what they said directly
well we can't talk about some random people or what they are talking about
it's the head of application security at an insurance holdings company, but they outsource
so the person is effectively someone who reads reports
their linkedin also has "penetration testing" in their title
well linkedin titles can be whatever you put, there are people who can sell themselves well and can skirt by or they provide value in some different way
all you really need to focus on is yourself, not other people
Right, but it's more a popularity contest than anything else
learning how things work is secondary to just getting in
it's not a popularity contest but networking can help you get a job/foot in the door
if it wasn't one then how could you have the job title without ever doing the work yourself
easy, go to linkedin, put job title
I see you've never had to recover from any Kali mess-ups, or integrate any weird tools
There's a reason Linux is a hobbyist thing rather than an actual front-runner
You would be amazed at how many managerial security positions are held by people who aren't technical
but they actually do work at this company in that capacity, only the company doesn't actually have them do that work
well that's something between them and their company, not your concern
Nothing necessarily bad about it either, considering they could just as easily have spent 40 years doing compliance beforehand
I feel similarly about the managerial class as the section about them in hitchhikers guide where they're launched into space
Well that sounds like a "you" problem
Unfortunately for you, you're gonna have to listen to them for a few years, so I'd suggest you suck it up 🤷‍♂️
Professional paperwork reader
Who's gonna read the paperwork if they don't?
You?
That makes you the professional paperwork reader
I did my manager's work at my last job so it doesn't really apply
they probably don't care what you think of them, I would stop worrying about other people
Someone has to make the overall decisions 🤷‍♂️
it's especially heinous at companies with like 7 managers to one person
Good managers shield you from the nonsense
Well they'll be going bust soon, won't they
I look forward to meeting one of those
You already have. He's sitting at the top of the server rn 🤷‍♂️
I have. I googled my way out of it and every time something broke it has been an absolute pain in the arse. Occasionally, windows has a problem and you do the same.
I mean where I have to interact with them as my manager
Very occasionally.
Windows is designed to be user friendly -- that's why it's so commonly used.
Linux doesn't have quite so much abstraction
Then find a better job
But that's not the point now, is it?
the point was you guys dogpiled sleepy when he was right
??
you shouldn't be called head of application security without actually doing work on it lol
The point is: why would you learn to use a whole new operating system, with a very different UX, when the one you're used to is just as good for what you're working on?
Says you, who has precisely no input in that company 🤷‍♂️
Let 'em do what they like. It's their money
can we get a "Head of Application Security" badge on THM for completing the burp suite trainings
Sure. I'll ask Skidy to add that today
you know, you really need to focus on yourself and not others
maybe we need a 'focused on myself' badge
What in your eyes is absurd may be perfectly normal in the real world 🤷‍♂️
absurdity is perfectly common in the real world
I can't comment at all at what other companies do based on LinkedIn profiles
The difference is whether you argue it when you're given evidence from people who actually work in the industry that you're wrong
would you hire that person
depends on the job
head of appsec, they've never touched the tools
To do the job they're actually doing? Assuming the background checks out, sure
For daily use, I've found it to be similar. It only broke when I was trying to install weird tools which were for when I needed to hack a box.
In this case then really all you're saying is I've wasted my time learning linux, innit?
You don't need a technical background to manage projects/resources, and read executive summaries
No, because it is a very useful skill to have. Being able to use Linux is very definitely a bonus, but that doesn't make it integral
sounds like a good reason as to why no one ever understands those reports
and why the same things go unfixed or misconfigured constantly
Again, that's up to the companies in question -- it's not your concern
This is the world of tech. Get used to it
sure, but the infrastructure of my country sure does directly affect me
Is this person in a role to do with CNI?
what
Are they managing your country's critical national infrastructure?
No, but the noncritical infra doesn't really matter less
It kinda does -- that's why it's designated non-critical...
insurance companies handle PII
If it wasn't integral then I'm sure it wouldn't be on the five pillars. In any case, this conversation isn't going anywhere. Perhaps we should move on?
If this company goes down, will it have any effect whatsoever on you?
is the point you're trying to get across that we shouldn't care about things becoming more secure over time
Ultimately, if your job requires it, you do it.
This is the same as saying that you should learn every programming language when your job needs you to know C.
If his job has never required him to learn Linux (which I can't see any reason for it to have), then why waste the time doing it?
It's a tool. Same as any other.
And either way, his suitability for the job is a choice made by his managers -- not either of you, or anyone else for that matter
people are entitled to independent thought about their surroundings
no one said it was their choice
How do you think he'd feel if he saw random people on the internet telling him that he's unfit to do his job?
How would you feel?
there's a reason why we didn't name the company or person
How would you feel
how I felt would not really matter if the criticism was based in reality
And is it?
feelings are secondary
It's based on some comments and a very much incomplete knowledge of his employment history and experience
their employment history is listed
In other words: it's you bitching about someone you've never met having a job that you don't feel that they're entitled to have
many years ago, I learned Unix/Linux did part time Unix (Solaris) sysadmin work... when I got into Cyber Security, didn't see Unix for 10ish years, then Cloud came around and Linux became relevant again... I would say (like Muiri said) Linux is a useful skill to have even if your job won't require it
no one is entitled to anything, you're like 5 years younger than me and lecturing me about the job market lol
No, it's not. If pentesting and app sec doesn't require you to know how to use kali or linux as a whole then why do you use it?
I agree with Muiri and I'm older than you
you didn't see the posts in question
Why would you learn a completely unfamiliar OS with a different OS when you could do the same with Windows?
I don't have to
but I don't blame you and yes, you're right we should not dwell on it either way
Because it has its uses. I could get by just fine without it. As I said earlier: 0day literally did get by just fine without it for however many years, and he's quite literally one of the best around
I learnt it because I like it, and because it makes some things easier
I'm pretty sure 0day knew how to exploit a linux machine
I learnt it because it gives me a more balanced knowledge
the mistake you're making is thinking they do the work in windows alternatively
Even when using windows
they don't do any of it
Of course he did, because he had reason to learn it when he was younger
And that's a problem?
so why do you stress the importance of learning linux to newcomers
since they don't need to learn it
They do the job that they've been given, presumably well or they'd have been fired. That's all there is to it
sounds like faith
Because it's the industry standard for beginner pentesting, and it's a useful skill to have
There you go then. Glad we agree.
That doesn't make it exclusively the only route
but not for managerial pentesting
No, that's the facts behind it
Because it's free to use, it's very common, and it's a great way to gain basic skills needed. There are other ways to gain those skills, but those other ways require much more outlay of time and resources.
He does the job he's been asked to do
with the wrong job title associated
you're just anti-criticism wholesale when it comes to anything
wrong job title? have you seen cyber security job titles? they are all over the place
and again, it is a company that needs to determine the right job titles for the given job
what is application security and penetration testing
You find me a criticism that's based on something other than your own opinions and I'll accept it 🤷‍♂️
depends on the company and how they define it
So a good pentester would know how to exploit it. That makes it key to being good at your job. Not sure why this is a debate. Which is again leading nowhere.
putting forward the evidence would require inappropriately doxxing someone, but it was quite silly to look at
thats it
it's silly
No, a good hacker (remembering that 0day started as blackhat) may need to attack it.
A good pentester who works with Linux would know how to exploit it, and that would make it the key to being good at their job
A good pentester who is employed purely to deal with AD or webapps would never need to touch it
fact: if you have a CISSP then you're safe from all APT units that don't have someone with a CISSP
Sure, it would help, but it wouldn't make them any less good at their jobs
What in the cinnamon toast fuck does cissp have to do with the discussion?
it's on a good number of entry and mid level job postings
what is the future of cyber security experts ? Will they be affected by the advancement in AI ?
I just happen to value knowledge itself
I think a lot of the CISSP/entry level stuff is because Indeed.com is a weird website and recruiters accidentally leave the default (entry level) so people think jobs are entry level but aren't
probably so
IT is always changing, cyber security people will always be required, our roles just may change over time
but HR doesn't really know the difference
Either way it's not overly relevant to the discussion, is it?
the discussion is qualifications per job title
Ok
job titles are all over the place in Cyber, don't go by the job title
apparently knowing how to do the thing in your title is expecting too much and ridiculous
What's the difference there, Muiri? And last I checked we were talking about pentesting not cybercrime.
there is no industry standard for cyber or even IT job titles
right, a penetration tester might be a janitor at some places
and they are doing the same job
Didn't we establish that they had the skills for their job title?
I've been trying really hard to stay out of it - but that "pentester == janitor" argument is one of the least honest ways of approaching this entire subject I can think of.
None of us are going to budge. I think it's better to stop the discussion rather than waste each of our hours.
The point was that if you don't need to attack Linux then why would you learn to do it?
It's fun to do, sure, but not essential
ok, I gotta go but how long have you been arguing about job titles when you could've been improving your skills / learning something?
would you call someone who reads reports a pentester, or head of appsec at your company?
Possibly. It depends on what the rest of their duties as assigned actually means. Management doesn't have to be able to do the work, just understand what work was done, why it was done and report it appropriately to upper management.
Pentesters shouldn't be reading reports, they should be writing reports.
so you agree with me then
No.
I wouldn't expect the director of a SOC to do threat hunting, they have analysts for that. I do expect the head of a SOC to understand the threat hunting reports they are given.
they were asked what they do, they said the company outsourced the testing and they read the reports
If I'd agreed with you, I'd say. You presented two options, I agreed with neither.
you said pentesters shouldn't be reading reports
How many web app servers use linux then? That's all I'll ask before I walk away.
And how often is the underlying OS actually meaningful?
I wonder how many companies have something called a red team which equates to using nessus and excel
If the underlying OSs aren't meaningful then we've all wasted time learning privesc innit?
The convo is going to go on a loop again.
As a webapp tester, you're not there for the underlying OS...
About half and half iirc.
Counter question: when was the last time the underlying os was relevant?
If you're testing a webapp and you get RCE, you stop immediately
Regardless of OS
its just offputting to see someone generally not interested in the field
If you didn't get the memo, they aren't just a web app tester.
Anecdotally, seeing as that seems to be the standard of evidence, I see wayyyyy more IIS than I should
They're the head of application security, right?
And apparently a pentester.
Eh. Let them get fired if they're not doing what their job entails.
That said. I'm gonna go back to doing something actually useful.
I suggest you all do the same.
did you get a word? :))
No, I'm hoping today, but I have another interview today.
Good luck with the interview.
i'm excited, good luck!!
Just spent time reading thru the arguments and left a room on the off pentesting path running

I think it went well. I'll find out next week
Didn't expect so much top tier comedy from this channel
Hello everyone
I'd like to ask you to take some 5-6 minutes of your time and take a look at this post of mine regarding my career switch to cybersecurity:
https://old.reddit.com/r/SecurityCareerAdvice/comments/mn0v8c/leaving_years_of_frontend_css_development_and/
I left all the relevant questions at the end of the post. What do you think about my plan and the roadmap itself? Does any of this make sense, or is my head stuck up high in the clouds?
Thank you
I mean, since the post was made 8 months ago, how much have u achieved from that list u created?
I had some health problems since then and I've been stable for the last couple of months. I paid for pro membership on THM last week and just started. Luckily, it appears that I will still have about the same amount of time for learning, as I mentioned in my post.
Got ya. Glad ur health is better now. And you are still doing front-end dev work correct?
Yes, gotta pay the bills and eat food.
Ahaha yea, just wanted to confirm. So ur roadmap is not bad. Ur web dev experience will speed up the process being u probably have a solid understanding of how the web works. Definitely learn python but also incorporate the learning process with projects or ctfs that require u to script something up. Then u can throw that on ur github and ur resume. Definitely, do the pre-security if u want to brush up on the fundamentals and the jr pt path ofc. And im guessing u probably want to jump ship to a cyber job in the next year or so. So getting a cert would def help ur case. The known, safe bets would be sec+, and oscp. And from there u are honestly good to go, start applying, keep practicing and start networking. Best way is by giving back to the community through blogs, tools, etc. Then yea, after u land a job, whether it's on the blue side or red side off the bat, then ofc supplement the knowledge with higher level certs and htb, etc
In the “I’m willing” section you said that you wouldn't mind going from helpdesk to a cyber role. Tbh, i think a better alternative is building a network or landing the simple soc 1 role and work ur way up or pivot to the red side
Um, no, you misread that. I said that I am NOT WILLING to do that.
What do you think about CCNA on my roadmap? Would Network+ suffice for start or should I improve my networking knowledge and expertise with CCNA or something similar?
Imo, don't only listen to my input ofc, but i think network+ is more than enough networking knowledge you need for any cyber role
I feel like, based on what I read so far all over the web, that Network+, Security+, eJPT and some basic BASH and Python skills should be enough for me to start looking for an entry level cybersecurity role. Does this make sense?
Agreed. Oh yea, the net+ and sec+, if u remain consistent, day to day, should be learned, and understood in 1.5 to 2 months tops
Python and bash, it depends. The more u apply it, the quicker you will pick it up
What about eJPT? Would networking knowledge gained from Network+ be enough in order to follow the course for eJPT?
Oh, no doubt, the network+ provides a lot more knowledge than the ejpt. So you'd be doing yourself a favor if u did net+ and then read over the ejpt networking section
And finally, at the very end of my post, I mentioned my age, which worries me a bit.
Should I be concerned?
Not one bit
Age doesn't exist in this space
Lots of folks switch over at any age tbh. And they do it successfully. U just need to be persistent
Well, I'm afraid I'll have to disagree with that when it comes to software development. I really noticed (at least in the country that I live in), how IT companies are getting more and more transparent in regard to not wanting "old" people for entry level roles. If you're in your 30s, you're out of luck.
Though I'm glad if that is not true for cybersecurity.
Other people can also provide comments too about this. But in cybersecurity, jobs need to be filled especially on the blue side and regardless of that, they don't look at you for ur age. Only ur skills, how you can be valuable and help with the growth of the company, etc.
Don't worry about how old you are, trust me, if u follow this roadmap you created and remain focused, you will be rewarded with a foot in the door and land a job in cyber
I know someone who is 55 years old, was also a developer, then went to get his phd and decided now to apply for the nsa internship for 2022 and hopefully land a full time job at the agency
Thank you very much for taking the time to read my post and answer my questions, @warm hinge!
Take care and keep up the good work!
Gave +1 Rep to @elfin tendon
@orchid ivy no problem. Good luck on ur journey. Stay positive and remain focused
hey, is anyone here following web3, crypto or DAOs? would love to be part of some infosec DAOs, existing ones or anyone interested in learning more & creating a new one. i'm learning smart contract security right now & curious to know how else i can contribute in web3. hope someone can point me to the right circles please. thanks!
I'm actually on a very similar roadmap (age, also giving up another good career), so I can give some input I think.
1a) I think you can move homelab further down the road, so it serves a clear purpose
1c) Consider adding Powershell scripting. For Python - find projects you can contribute to. It's a good learning tool + you'll have github to show. Simple problems are often tagged as 'good first issue'.
2a) I'd pick either Net+ or CCNA, I think getting both is diminishing value.
4a) Move it to step 2 IMO, the sooner the better. Even if you'll struggle, it's a good learning experience.
Get a Twitter account if you don't have one already. It's a good tool to stay up to date and you might get to know some people, which can be very valuable depending on your location. It might be annoying at first but once you filter out the usual drama/useless stuff, it's pretty cool.
Once you start doing boxes - do writeups. Even if nobody reads them, it's still a good way to learn taking good notes.
Cloud knowledge will be useful sooner or later, so that's something to consider. AWS cert is cheap and easy.
You'll inevitably run into the problem of 'why the fuck is there so much stuff to know'. That's fine, you don't need to know everything and don't let it get to you. IMO by far the most important thing is 'if I don't know that right now, can I google it and figure it out'. Burnout while learning is also very real.
With that all being said IMO by far the biggest problem you'll run into is "at what point am I ready to actually do it for a living?". And I don't think there's an answer to be honest, I've already skipped on some job posting that seemed written for me due to lack of confidence. For the sake of yourself don't ask other people about it or you'll get completely insane answers aka 'you need 10 years of sysadmin experience'.
Overall, looks good, GL : )
Thank you for reading my post and getting back to me.
I feel like, based on what I read so far all over the web, that Network+, Security+, eJPT and some basic BASH and Python skills should be enough for me to start looking for an entry level cybersecurity role (of any kind for now). Does this make sense?
Which I should be able to achieve within a year? On work days, I am usually able to spare 2-3 hours after work to learn for certifications or whatever needed. On weekends, I usually have around 20 hours of time to learn.
Gave +1 Rep to @velvet spindle
Easily done in a year. Net, Sec and eJPT can be done in <6 months.
Sorry if this has been already asked or answered. I am new to learning this and am going through the complete beginner on THM and then was planning on going to the cyber defense pathway. After that was planning to study for Network + and then do Security + as well. Are there any helpful tips for when studying for those or useful resources?
Tips.. take good notes, use varied study methods (labs, videos, pdf, flash cards, practice exams, etc.) For Net/Sec, get a good book for each and use it as your primary resource tho. Supplement things you learn in theory in those books with practical on THM. You can search for specific things in 'All Rooms'
Thank you! Mike Meyers Network + Exam guide good?
@velvet spindle @native elm
Would networking knowledge gained from Network+ be enough in order to follow the course for eJPT?
Yea
You don't need it though
All you need is in the course
How about networking knowledge for PNPT, eCPPT and OSCP?
Again, PNPT gives you all you need to know. The networking knowledge built in eJPT and PNPT is all you need for OSCP and eCPPT
(Although tbh I'd just pick one out of those instead of wasting money. You can cut it down to just PNPT then OSCP if you're that keen on it.)
Today i finished the report of the eCPTX exam and i can tell you that it is hard, hard, hard. You need so much advanced knowledge about networking, scripting like c++, debugging, creating your own exploit, windows OS and powershell scripting lang. It's crazy and without googling i would never have passed this exam. But now i got the final flag and i'm so happy
I hope i will pass :S
you needed to know c++? I didn't find that even remotely necessary lol.
same with debugging. honestly I found it to be intermediate at best
let a guy enjoy his achievement
you don't have to say it's easy when someone who just took it said it was super hard for him. It seems like you are devaluing his achievement, it might be super easy for you, but not for others
good job my dude, I am sure you will pass 
I hope 
gonna give it at some point next year as well, course seems very noice
next exam is OSCP
ahh damn
you gave it before OSCP
sheeeesh
i got the OSCP some time ago
very good exam with a nice learning curve
They advised me to do eCPTX before doing OSCP. Because in the new year it will have AD
truee truee, i did it before that
eCPTX is only active directory so i did this first and in the new year i will go for oscp
good going mahn, i am sure you will ace OSCP ezpz
i hope
Yes i think it is easier than eCPTX, this exam made me crazy, it is so hard
i slept 4 hours a night, and elearning kept sending me messages to finish, only 4 days to complete the exam + report
it's stressful. 4 days of pure stress
yep, i'm waiting for my salary ahaha because it costs so much more than ecptx
xD
400$ against 1300$

i will buy it in January
it do be hella expensive
i won it in a hackathon, that's why i took it, because otherwise it's hella expensive
omg
how did u win it?
so luckyyyyyyyyyyyyyyyyy

i won a development hackathon
about developing a cyber security product
after which i got hired in the company and got this voucher for 1000$ Cyber sec certs
Congratulations bro

congrats!
here's what you've observed just happened - this person set out to hike a trail and climbed a mountain and by doing so, their goal of hiking the trail became useless. OSCP is an entry level pentesting certification; ecptx, as you should know, is well above that. They've effectively thrown <insert 1k USD equiv in whatever your currency is> away because of how they've done things.
This is something I see far too often. They're at 300-Level OffSec; not 200.
it is what it is
Most people do OSCP for clearance
if they do an easier cert for clearance and hr knowledge
i don't see it as a big issue though it's very true he is at 300 level
For... Clearance?
I was guessing they meant HR gate
yes i meant to get through hr
yup 
Curiosity on everyone's opinion who's taken this exam or both:
If I plan on taking the CEH v11 sometime in the next couple months would it be worth going through the pluralsight training from 2018 (they don't have any course on v11 that I can find) that covers the v10 exam prep?
Only reason I ask is because my work covers a pluralsight subscription so it's a free resource.
Are you in India? Outside of India, CEH isn't exactly respected
US based
Really? Could be the reason why it's not one of the certs I gain from degree lol
I've already gotten (through college) A+, Network+, a few others. Will soon be taking ccna, pentest+, and a few others before I graduate
Yeah, CEH would be a waste
Gotcha, can I ask why in your opinion?
I stupidly didn't take the Security+ exam through school which is kicking me in the butt now so I may go back and take that soon as well
The certs you're already taking cover a majority of the content and job wise CEH isn't respected/accepted as much as it was previously
Gotcha ok that makes sense
Any reason to/not to take the pentest+? It is optional and the cert exam itself comes out of pocket (not covered with tuition)
So basically where I want to go after graduating?
But OSCP is the entry into pentesting
oscp is on my exam list that I should be taking in the next year
You have to keep in mind, Security isn't entry level
Yup, I work as a software engineer and a mix of sys/network admin already. I'm transitioning next year into a possible security admin role in the current company
Cool
Which after a couple years I'd like to transition into a more security consultant type role
Basically taking the free education and seeing where it takes me in 3-4 years
But don't have a full grasp of the certs I want to take versus the ones that are optional
Security+, oscp, ccna, a few others I want to go out of my way to get. The rest are extras I'm debating are worth it at the moment
If you don't want to get into pentesting then I don't think you need oscp
It's covered and gets paid for through tuition anyways
Gotcha
So through the college some cert exams are paid for with the class while others classes are more "exam prep" with the option to pay out of pocket after for the exam
I actually think my school added Linux+ to my lineup recently as well which isn't required for the degree but I think it'd be cool to take that and then see after if I want to take the cert for it
but thank you @stoic cave for the insight
I'm off to do christmasy stuffs now
Gave +1 Rep to @stoic cave
Hey all, hope you're having a nice day. So I was wondering if someone can help me with some advice. I haven't decided to go into offensive or defensive yet, and at the start I wanted to be a mix of both, but then I remembered my nature and I am better at specialising in one thing. I know you can't be one without knowledge of the other, but I am talking about specialization in the offensive field or the defensive field. I was wondering if anyone has advice and can tell me the pros and cons of each and what the big differences between them are
Overlap of the two: https://niccs.cisa.gov/workforce-development/career-pathway-roadmap
Welcome to the Cyber Career Roadmap (Multi-Pathway Tool)!
This digital tool offers an interactive way for working professionals (cyber and non-cyber), employers, students, and recent grads to explore and build their own career roadmap across the 52 different NICE Framework work roles. The start of your next cyber journey is only a few clicks away.
Where would be the best place to find high school IT internships?
@hard haven You can google "tech" or "cybersecurity internships" and you'll see postings similar to job postings. Likely the same on linkedin and i'm sure there's sites dedicated to this. You can reach out to a local community college or university and see if they have programs as well.
Seems like all of them are for people currently enrolled in a university.
@hard haven I would just reach out to the university and ask about potential opportunities
Principal information security: appsec:
Check out this job at BNY Mellon: https://www.linkedin.com/jobs/view/2846149564
in my country (EU) CEH is required for jobs, i've got CEH Master at the moment
read this, guys: ads on indeed.com
This is the best certification for jobs from indeed.com ads
I talked with my high school art teacher to create my own class. It was an Independent Study where I managed the schools website and created an art gallery. This was in Web 1.0 days, so your mileage may vary
Required != good
I'm going to also bet that a lot of the jobs that require it on LinkedIn are DOD 8570
Yes sure! But i'm going to take certification for job necessary
Hey folks!
Need some guidance here:
What are the certifications recommended if: I don't want to transition into cyber security as a career, but maintain high level of security awareness as a software developer?
Hrm...take a secure programming course and perhaps dip into a web application pentest course. Learn about binary exploitation but my "advice" should be taken with a grain of salt as I'm not sure myself.
I actually think your best bet is to learn about DevSecOps perhaps
Just sanitize your inputs
for our developers, we are trying to get them all security+ just so they have a base understanding of security
securing software is way more than this
yes
But not trusting your user/customer is the first step of it
not really, assuming that anyone who is able to use your application has good intentions is really the first step
Thanks folks, any certificates you recommend?
its not your user/customer that you have to worry about mostly
Security+ is what I said we are using for our devs
thanks
Gave +1 Rep to @pseudo creek
you mean not assuming ig
yes pretty much
anyone who is able to use your application goes into user
thats not how we define it
you have your intended users, then you have the unintended... although you can assume not all your users have the best intentions or even such that they don't need access to everything
hacker, malicious user, malicious person
I see
depends on what we are talking about and to who
For example someone named "><script>alert("thm")</script>
So I should have used malicious user
What do you guys think of Trail of Bits?
don't know anything about it
@unkempt lark This might be a good starter but I haven't done it myself.
https://www.youtube.com/watch?v=F5KJVuii0Yw&t=483s
In this DevSecOps course, you will learn how to take advantage of common web vulnerabilities, how to fix those vulnerabilities, and how to use DevSecOps tools to make sure your applications (and containers) are secure. You will also learn all about DevSecOps.
Get the goof example app shown in this course: https://github.com/snyk/goof
Thank...
Too bad
thanks mate
Gave +1 Rep to @stuck rover
Hello everyone. I'm new to THM and just completed the AoC 3 room. Has anyone managed to successfully submit THM certificates to ISC2 in order to gain CPE credits?
first result on google tells me that someone did this
Thanks. I saw that too, but not much else. Just trying to see if anyone here has done it to get a better consensus. Also curious about rooms (such as Ao3), that don't list an hour value. Wondering if people (successfully) submitted based on the hours they took.
Gave +1 Rep to @inner elm
As a pentester, how often would social engineering be used? If someone were to be very talented at social engineering (obviously knowing other skills too) would they be able to use primarily people-hacking / physical hacking? as long as it gets the JOB DONE in being able to infiltrate the company.
or would it be where 99% of the time they want you to do everything remotely w/o anything physical / speaking
Not really sure what the question is besides the first sentence but I think it would depend on the type of engagements being performed. As with all things it's a skill that needs to be honed
I've read somewhere (sorry if it sounds corny), but a former pen-tester was giving an example of how they would actually get through the company's security simply by pretending to work there / posing as a delivery man
i was attempting to ask if stuff like that would ever be an option for the job. Just an example, I don't mean literally doing the exact same 'delivery man' scheme over and over
i used to be VERY good at this kinda stuff in my past when i was a mess (reformed now) which is why i initially became so interested in pentesting
ah okay, that makes sense. thanks a lot man, i feel kinda silly asking these questions ngl so glad you can assist
Gave +1 Rep to @stoic cave
Not silly, it's a rather large scope
But that type of work would be associated with a Red Team in the truest form of the definition
Red Team encompasses both cyber security and physical
yea, i've heard lots about red team offense. In terms of social engineering i seriously think I could do A LOT
i've been looking into the hak5 tools for example, and honestly it makes it seem way too easy in my head, not sure if i'm overlooking things
It's a lot more difficult in reality
well glad to have had this chat with you, defo just made me a lil more excited about going down this career path
thanks again brotha
Hey @flat sedge hope all is well.
Do you know what certs can help me gain the knowledge to design upgrades to existing security infrastructures ?
Cloud, Hybrid, or Standard environment?
I would say Hybrid
CISSP, GIAC, etc
NIIIIIIICEEE xD
I believe AWS has a security infrastructure certification
I thought CISSP was one of them
Or at least a security specialist off their infrastructure cert
But its going to be your higher level certs from anyone
Cybersecurity and Infrastructure Assurance agency probably has a list as well
This seems like a good article as well, sure others will chime in.
With the rising need for skilled cybersecurity professionals across all 16 critical infrastructures, here's an easy reference to infrastructure-specific certifications in cybersecurity. This is based on conversations with professionals within each sector; individual experiences may vary.
That's critical infrastructure which isn't exactly what you were looking for I think but it's a start
Man you're awesome, thank you
Gave +1 Rep to @stoic cave
Oh btw, the reason I asked was because I saw these day-to-day tasks in a job posting I saw
Ah so you would be looking specifically for financial requirements
That's pretty tightly regulated
What do you mean by financial requirements ?
The financial sector is pretty tightly regulated
There is already a lot in place that is required and things you'll need to follow
I can't really speculate more on the specifics for that job without being in the conversation
But if you Google cyber security requirement for financial services you'll see
I would say be familiar with SOC2 compliance requirements as well. If you are looking to get into financial sector work, knowing ways to implement technical controls for those requirements is a good way to show immediate value
Wow I love this. I was just reading up on all the 16 sectors our economy runs off
This is fascinating, I think I want to gear towards communication and information sector
Yeah, I kind of want to get into ICS with Petroleum or Energy
There's some good postings right now it looks like
Never heard of this organization before, Southern Company, but they do nuclear energy
That's pretty badass. Energy sector is another one that caught my eye
Yeah, it's interesting. Also lets you get expertise and experience in areas that are specialized
Oh wtf, they haven't even commissioned the plant yet
Alright, I'm actually going to apply now haha
Don't necessarily have the qualifications but you never know
So I have about 10 yrs in IT doing sysadmin/networking stuff. I never worked anywhere big enough to have a dedicated security team, but security was baked into everything I did as an administrator. I got my CS degree and started doing more coding & software engineering for a while but I didn't enjoy it. I'm looking to "get back to my roots" in IT, but specialize in security.
The two roles I've seen that seem to be the most applicable to my background and are interesting to me: network security engineering and vulnerability management/analyst. Does that track?
I guess I see myself doing more analytical work than designing/architecting things. I was always a better editor than writer and I feel that applies here too. I like the process of poking and prodding to find ways of improving, almost like quality control.
I've done a lot of things like deploying firewalls, applying secure configs to network devices, implementing monitoring solutions, adjusting our WAF and responding to incidents (my first ever IR was busting a student trying to download JTR to brute force his buddy's Windows password to prank him), etc. I've also used nessus and nmap over the years to scan our networks for issues. Appsec doesn't interest me as it's too similar to SWE for me and I'm trying to get away from that
Do it!! I bet you won't regret
which skills are most demanded in cyber career, Management or Practical??
network security engineering is a good solid path. Also security engineers/sustainment engineers seems like what you would be looking at. Security engineer is a broad title though and can almost mean anything but yes, there are absolutely jobs which you describe, I'd start with network security engineer. I would also start looking at getting into cloud, as there is a lot of what you describe in cloud work.
That's actually the path I wanna take
I recently started a job as a network technician, studying now for the CCNA then I want to move onto Network Engineer, then Network Security Engineer
Is there any recommended programming languages for Network Engineering?
Python and Bash for automating tasks.
Python for Network Engineers is a great course.
Gotcha, thank you! I'll check it out
Gave +1 Rep to @stuck rover
Anyone here wanna be an incident responder?
I'm sure there are people who do. Do you have a question about the position?
Yes, I completed the cyber careers quiz at tryhackme and I got Incident Responder, got recommended Jr pentester, pre security and cyber defence paths, I wanted to know if there are some other paths or rooms that can make me achieve that goal.
various skill building will help IR but I recommend looking at DFIR Diva's website https://dfirdiva.com/
Thank you so much, I'll bookmark this.
Gave +1 Rep to @pseudo creek
OSCP or OSWE? (For immediate careers prospects)
OSCP
Is this going to be feasible in the near term without having a CCNA? I have a network+ that expired in 2014 and am working on the sec+ right now. I got my degree from a cisco networking academy so I'm familiar with R&S, WAN/LAN, etc and have a lot of experience with general network & system admin but no field experience with BGP or what have you
You have the practical experience to pass HR filters. Adding a cert just adds to that
Ccna is only valuable if working with Cisco devices. Core fundamental knowledge for networking is learned from any provider
It's the harder exam so it's seen better by hr.
All these certs are so nice, if only they weren't so damn expensive lol
That's why comptia rises in value
Accessible and good fundamentals
Ccna can be studied without any special shit tho
The documentation is everywhere + Cisco website
Only killer is the exam price
Can't I just show the employer my Advent of Cyber 3 certificate 
"you're hired!!!"
wet dream
look I can cyber thing
I can do the hacking, I do the hacking everyday
Big brain time
Why do you think you're a good fit.
I hacked you, and set up this interview myself.
Hello guys, do you know any good source to study for threat hunting? Also which are the actual responsibilities of a threat hunter? I think it isn't that clear
CCNA is often liked for pentesting positions due to the sheer quantities of Cisco stuff out there. CCNA teaches the fundamentals too.
could anyone suggest some of the top universities to study cybersecurity / ethical hacking, if any? would be helpful
Country?
canada
or even germany
u can consider
cuz i couldn't get any results
cos traditional education sucks
yup
you aren't suddenly hireable because you did a bachelor's in cyber security
you'll still require certs to prove you can do things
so could u suggest me some universities
What about masters in cybersec?
idk, it's literally any university you wanna go to lol
can but
If you have a bachelor in cs
like cs is ok
but much focused on cybersecurity
you are better off doing cs and then cyber stuff outside of uni
@solar saffron if you are looking for a bachelor's in cs/informatics etc better check the curriculum
dont just join uni cos they added the cyber buzz word
oki
99% of them arent preparing you for the real world
and you wont get a job from having it
oki
thanks for helping guys
It depends on the employer, certifications can mean a lot but if you can show your knowledge, then sure
proven history in networking/sys admin already sets you up really well to prove you got good understanding of networking
I wouldn't say sys admins automatically have a good understanding of networking, certifications can sometimes mean the difference between getting an interview and not. But during an interview is when I'd expect experience to be able to show knowledge and understanding
well they said never worked in a big place
so i'm guessing SME
which usually requires you to do more than just the basic stuff
I was talking in generalities
any remote jobs in pentesting?
Yes, there are. I don't have open positions to list.
it depends on where you are located, generally remote jobs in pentesting/cyber require you to be located within a certain country/region and sometimes timezone.
I guess mauritius does not fall into the list
i am really looking forward to start as a pentester
Look out for fully remote companies
What's the best entry job for someone that have just transitioned into CySec. My previous career had me in Government work, but I have a degree in cybersecurity technology and Sec+ certification.
cool, envy you that! i have tons of writing, researching and marketing experience, running projects and did economics cybernetics + IoT at uni, always working during that!
That's incredible, are you currently in a security role? If so, do you have any advice for someone trying to break in?
nah, not a really real cyber sec job, i am just starting as an independent writer with an online publisher in my country, but it's more of the writing experience, i am much more on the educating and research side + have some education projects in mind! but i help my friend who works on ZTA with daily tasks so I am learning back the skills i kinda missed at uni, but been using computers ever since, having fun with my geek brother who's good at it!
i mean you have a proper background, just dig a bit and find your way into it, can't do it if you won't really wanna do that one start, it makes no sense
there are a ton of Gov work for cyber people, Cybersecurity Analyst/SOC analyst are generally entry level jobs, GRC jobs (which may have a cybersecurity analyst title) are also great for those that understand gov stuff
out of curiosity, where are you at rn? are you actually out of college rn and working full time?
That's great advice and I will definitely concentrate my searches with those in mind. Thanks a bunch
Gave +1 Rep to @pseudo creek
That's definitely a real security job because research and technical writing is all a part of it and I appreciate the chat. That's how it all starts though, with a passion.
Well, yeah, I find this field veeeery important, especially with the tech & science whirl happening now! it's crazy what we can get when all the new shit starts working at a more mature level, either we will design more of that or that's gonna be a wild ride for a while I guess! open discussion and knowing about this cyber world should be something normal people can know and trust, i guess, but with the crazy politics now, and covid, energy crisis and so much of coming changes ...
That is very true. With IoT, Cloud, and connected systems basically running the world, we must begin shifting our learning and focus to the things that matter. Cyber is definitely the future.
yeah, just add to that quantum, AI, lack of visible credentials and certifications that we should be able to see even now, IIoT, local makers and digital voting, currencies and tons of data flying by even more and tons more and more, maybe we should just shadow all of that, i really don't wanna have all my devices' data and choices being in the constant up-flow circling in the economy and world that is coming, coming! not to mention that huge gap that is between users at different levels of knowledge, skills and basic human integrity or sense of responsibility seeing that as some magic "Internet" or a tool they just use to click and write stuff...
Hi guys, Im just getting started in cyber security and I want to take the OSCP exam this year or the next, do you guys have some advice for me?
Try Harder
What do you mean? Do you mean that I have a lot to study or am I too early?
that's just offensive security's motto
I see, but I really needed advice. I understand if you see me as a beginner and not worthy of your time tho
err learn how to research well
the rest will come with time
if you can learn how to effectively google things for yourself it'll take you a long way, and not just specifically in infosec
i have yet to pass oscp too, but my advice is to use all resources available, tryhackme, hackthebox, virtualhackinglabs, don't let anyone tell you "one platform is better than the rest"
@cyan otter if u are just getting started, i would not recommend even thinking about oscp until like 6 months in. Start building knowledge, methodologies and so on and then explore that space of offensive certs
there's many guides people have written out there
but I wouldn't jump straight in certification hunting
just take your time developing foundations and getting experience before you go for it, unless you want to get a job asap
I completely understand all of you and thank you all for your advice. I asked because before you take the OSCP exam you take the PEN200 course, am I right? And it says that it makes you fit for the OSCP exam, or isn't just the PEN200 enough for that?
I honestly wish you the best of luck! And I don't let people tell me that because each platform has something unique to offer
you asked a very generic open ended question, with no real 1 answer
I wanted to thank you guys again for your time and advice!!!!
unless someone really feels in the mood to talk about their personal journey, you're not going to get much from something like that, try to refine your questions, ask specific things
@cyan otter if anything learn windows, linux, networking and web fundamentals
Then explore and practice
Will do that! Thank you!
Gave +1 Rep to @elfin tendon
I didn't ask anyone for their personal journey but just for their advice to start mine. Sorry if I misunderstood you.
I'll bookmark this, thank you!
that's the point, no one can tell you how to start your own journey, so the answer you're most likely going to get is how people started themselves, I can tell you that I started cyber security with security+ cert and then cybrary, but that would be how I started, not an answer to how you should start yours
You just gave me your advice right now lol :p
the very first place I went to when I got interested in cyber security was offsec's old irc chat, and there I learned that they don't really give the time of day for questions that don't seem like any work was put into finding the answer
"Try Harder" was a common answer
I understand you and thank you for your time! I just wanted to know if I was too early or not and if just the PEN200 is enough preparation for the OSCP exam
it technically is, but it's always best to supplement your learning from elsewhere
Thank you, I'll keep that in mind
Gave +1 Rep to @static tide
@cyan otter I'd download the PEN200 syllabus for an overview of what you'll be expected to learn. Then, start filling in those gaps in learning. I wouldn't sign up for the PEN-200 course until I knew for sure that I had the time to make full use of the lab access. I'd actually use my membership here to follow the rooms and modules that align with the PEN-200 syllabus and then, when I know I'll be able to make use of the Offsec labs, sign up.
do you have generic IT experience?
What I'm loving about THM is something I just realized during the AOC, is that the platform motivates me to put in some training a little bit each day.
Thank you, very detailed answer and this is what I thought also
motivation is a fun thing
seeing my level climb, and the streak go up are indeed good motivators
I'm in my senior year of computer science in university
Yeah, this site really gamifies that in a way that engages me. I'm a defender, so I don't have as much experience on the "red" side that I'd like. THM makes this very approachable, IMHO
I have my eyes on the 365 days hacking streak
I'm not even at 30 days and I had to already ask someone to give my streak back to me, 365 is going to be a challenge
Make sure you take some "spa" time, though, @cyan otter . Self-care is important. This is a fun year earning my keep between working Thanksgiving and then the log4j fun, lolol.
I don't really take any days off
it's less about taking days off, and more about being so busy I forgot about thm completely on christmas day lol
Anyone here have done an interview for any cyber security degree apprenticeships? (UK)
Ping me pls
Yes I always find time for self-care as it's most important to do so but I also don't take any days off because I see myself pretty much behind all of you
I was doing AoC3 even on my birthday, Christmas is nothing for me lol :p
I have a cruise this weekend, I'm debating between begging to keep my streak again, or paying a ridiculous amount for ship-wifi just to do the minimum for streak
A repost from General, Would you spend 6 years getting a bachelor's or spend 6 years self study/certs for a Network Admin/ Cyber Security job?
Connect to your laptop via RDP and keep the streak from the cruise lol :p
I'd spend 6 years getting a bachelors and studying for certs in between classes
the problem is wifi isn't free on the cruise, it's actually very expensive
You really have it tough in this situation fr
How long is the cruise?
What do you want to be when you grow up? What degree are/were you considering? Are you already enrolled?
@frank crane depends if u want to go the gov route or not and if u have a stable enough income to carry urself those 6 years while working
3 day cruise, and you pay by the MB used
I do front end dev now. Have a few certs, Trying to get into cyber security but employers want more experience as network admin or degree
Well if you go on that cruise you can't keep the streak, unless a friend sends you MB
Have them pay for it
don't worry about breaking a streak... you can restart it
if you have the knowledge to back it up, lie about your experience 
although a cruise right now seems like a really really bad idea
but I want 365555555
A man of culture
Purple flame goes brrrrrrrrrr
Yeah well a computer science degree isn't gonna teach much about cyber security tbh
I meant more learning it yourself
We on the same boat
computer science degree teaches you the foundation for cyber
The curriculum should include computer architecture which is vital to infosec, though.
yeah I know what you meant.
@pseudo creek is right tho
I grossly embellished my experience for the last two jobs I got, and I'm doing fine, as long as you know you can back it up
foundation is great, don't get me wrong
I mean in reality a bachelors degree isn't meant to prepare you for a job after college...
...
so you have to supplement yourself, add in a couple certs, get some IT experience through internship / part time job
prepares you for 30k+ in student loans
hey, that's not fair. it's pretty good at preparing you for a job if you go into research
that is academia, which you would need further school for
but I'd say a bachelor's degree doesn't teach you for a job in research either
if it helps, my company doesn't require degrees, just that the candidate knows their stuff
Sheeeeeeeeesh, dm me the company bro
I heard of guys starting at help desk and moving all the way up through network admin to specialized security roles/cloud security
I feel like my research job was pretty much like a class, just you don't have a textbook
Well, that's just for my group...If you're applying to be an accountant, well that's another story
and instead of exams you have progress reports
you could do that although sometimes you will encounter prejudice / bias without a degree
Agreed
@frank crane that does happen quite often, especially with companies that promote from within
I aspire to be an Incident Responder so maybe they don't care about my degree?
no, just that you have the skills to back it up.
IR is semi customer facing though, so you need good soft skills
Can you share with me the company name or am I asking too much?
totally
Ok that's good cause you look like a nice guy, didn't want any bad blood between us
no worries, i'm insanely introverted, but like helping when and where i can
I have you beat about being introverted
I dont speak on the phone even with food delivery
let alone other people
I wonder if people in cybersecurity care about the legal aspect of it all or just about security itself.
And when I go to order food in person I practice the order 500 times in my head before I speak and it turns out in hexadecimal
legality will always be a factor, just depends how big the security team is and what your role is, but there will always be some sort of aspect.
I'm a law student writing a thesis about cybersecurity in public administration and I usually feel like a lot of things are done just for a sake of being "in compliance with the law" and not really secure by the set standards.
Ahhh, yes, we call those "check-boxes".
it depends on the country, US is big on that
Got my IDS/IPS deployed. Oh, we're supposed to tune those?!?!?! Whooops...
I'm in the EU and defense and healthcare are "big on that", otherwise it's just noise in the background. I probably use "checkboxes" somewhere in the thesis, thanks for the inspiration
Gave +1 Rep to @ivory nest
some countries maintain a minimum level of compliance where you really get to avoid fault for many security incidents if you meet it, while other countries don't really force a minimum compliance, but you're responsible for what happens to your systems no matter what
My country has low legal requirements for data compliance
Interesting, I thought EU was really big on leaving it up to the companies
It was, until recently
GDPR for EU
Now we are getting new EU regulation, and countries are more focused to setting very specific requirements for any company that works with any government data
well privacy is an aspect of security, but not really the same thing in this topic
I guess the controls that secure privacy is part of this
I'll say something that made a lot of stuff click for me. "Security is not a revenue generating area".
Security is about reducing losses, mostly. Compliance is part of that.
I think that forcing companies to use specific technology might not be the most secure idea, compatible, but not secure.
A valid response to a risk is "Ok, we'll accept it, and put money aside"
regulation is good on stopping a very predictable set of incidents, makes it less likely that someone forgets a stupid setting and an old, basic attack is used to steal data, but terrible at stopping anything new/complicated
Everyone uses AES-256. What's insecure about that?
What's the issue with uniformity?
I cannot emphasize how right this is.
I'm actually curious why you think this
I dunno about immediately less secure, but I think it's a bit stifling. Better implementations, solutions, and ideas can come out of companies having to do their own thing, to what degree I have no idea
For some reason, I can't find the new requirements of the Czech national cybersecurity center. It wasn't only about encryption, it was an extremely detailed set of rules that had to be applied before starting to work with government data. In my opinion, the regulation should focus on best practices in case any of the required technology has any security deficiency. Extremely specific regulation does create a way too narrow focus on specific things and limits the ability of entities to defend themselves
then again, US is huge on compliance, but we have companies like Google who constantly create their own tools for things instead of just using whatever is the standard, so maybe cheap/lazy teams will always be cheap/lazy and those who want to push the boundaries will do so as well
But it's government data. Isn't it on them to regulate how they want it used?
Also, are they setting out exact tooling required, or are they just recommending things that are compliant?
If you're not willing to operate under those terms, they'll find someone who is. They get to set their own rules for doing business with them.
I think you're talking reality, while matotu is talking ideals here
sure, the government gets to dictate how their data is used, doesn't mean whatever they decide is the best option
data is used/secured
Government data surely should be under the regulation of government, but it should also be on companies to have freedom about the technologies they want to use.
Otherwise it might cause discrimination in certain ways
I disagree fundamentally. It's a business decision, a clause in a contract.
GDPR is for example built on "best practice" and not specifics
They can mandate AES-256 disk encryption etc
256bit encryption I get, but what might be the reasoning to specifically mandate the use of Camellia for example?
Camellia is considered to be not feasible to brute force. Everything is eventually breakable, the question is 'what is the estimated time using X hardware'
The question is, where are you seeing that?
What's the bet that's a guideline that gives examples of how to be compliant with policy?
Also I have never heard of Camellia and can't find enough about it to speak for its security
It could be a regulatory or compliance standard - that's totally normal to sometimes demand specifics.
Camellia is included in OpenSSL, and from what I can find, it is accepted for ISO and IEC certifications.
https://en.wikipedia.org/wiki/Camellia_(cipher) This?
It's considered secure. What's the issue?
In cryptography, Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. It was jointly developed by Mitsubishi Electric and NTT of Japan. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security level...
It's said to be comparable in strength etc to AES.
That's the one that I found for it
I was working as a sysadmin at an SME MSP, studied network security. Now currently at coding school and getting official certs for work in app security / exploit dev.
What would be a good "first cert" to go for pertaining to penetration testing and ethical hacking? It seems like there's a mountain of "certifiers" and certs to go along with them. Initially I'd think to target to OSCP as a "baby's first cert" into pentesting, but would it be worth it to get stuff like the eJPT or CEH certs first?
Especially looking at a chart like this for what's available out there, makes me scratch my head: https://pauljerimy.com/security-certification-roadmap/
That's a lot of certs 🤯 I only have OSCP, did it last year as a start into security. But still not sure if I should keep developing iOS apps or move into the security field professionally 🤷‍♂️ We'll see
At the very least if you keep with development, you've got a good idea about what people look for to screw with what it is you're making, so that's useful I figure.
Don't use that chart, it is not accurate at all.
More using it as a reference to see what's out there. Some certs I've never even heard of are on that list. Not particularly sure what's a good cert for one's dollar to begin with.
For pentesting? eJPT > OSCP > CRTO > OSEP ?
I am doing OSWE now, which is more of a whitebox/code review course
Those 4 are the main path and then everything else is more or less additional or specialization kind of stuff?
you don't need any certs. just leave your business card on the servers of all the places you want to work
I feel like that's more Greyhat.
yeah, grey indeed, less regulated, still legal, just bypassing some steps or small rules
rules can change
I do not condone nor endorse anything slightly darker than neon whitehat. That's my official statement and I'm sticking to it.
Not legal. Unauthorized access to a computer system.
I am just talking more about the grey zones that exist anyway, but talking about what's set, then yeah, white is that!
Sec+ is a pretty solid start or even Net+
Would it be a waste to go for both? Sec+ would line up better with what I want to do, but I could probably just pass Net+ if I took the exam
If you have work experience or a B.Sc, you can skip some of the entry level certs, depending on your coursework and other practical, personal projects. Sec+ is a very common starting point for security though
I have about 4-5 years of network administration experience
Net+ would be a waste, unless it's a checkbox to get the interview
oh yeah I wouldn't do Net+ then
I'll probably go for Sec+
Are you looking to get into a specific sector?
Right now I'm not 100% sure where I want to go. I have some connections I could pull on in healthcare, but I'm pretty sure I don't want to have anything to do with hospital security.
The good thing about healthcare security, from anecdotal sources: anything you do is an improvement over what they do now
I've done some small contracting work for one of the hospitals in the area
windows xp everywhere
and outdated software because "it works"
I've made sure their network is as good as it can be, but god help them if anyone has physical access to anything
Getting healthcare people to understand why that's bad is a tough battle. That will be 99% talking and building bridges and trust before any changes can be made
the problem is the IT budget is practically non-existent
Culture will have to change, and the NP, RN and MDs will see it all as damaging to them providing healthcare
they have no problem getting a high-end x-ray, but a switch from this decade is a tough negotiation
Keeping track of all the HIPAA violations could be a great way to see that budget get allocated. But likely, it'll be a regulatory penalty that forces the updates.
Not to mention the 80s and 90s software that runs the whole thing that doesn't get actively updated very often 🤣 I was a dev for a Healthcare facility for over a year... I can vouch for the dev side lol
oh god don't even get me started
the "but it still works" mentality is strong in healthcare
Very lol
Is the study guide for Sec+ worth having?
Would it cover anything not in any of the THM paths?
people say just to follow Professor Messer's videos
Found them, those look great thanks
Is the Pentest+ cert valuable or should I just save money for OSCP instead?
It's good in the sense that it teaches and tests you on some management portions that the OSCP doesn't teach you on. But I wouldn't hold it in as high a regard as I do OSCP.
If you want to do gov work in the future, it'll be useful. Probably.
Thanks. I'll probably just start saving for OSCP then consider other certifications afterwards
I'll tell you I really enjoyed this book - https://www.amazon.com/GPEN-Certified-Penetration-Tester-Guide/dp/1260456749
significantly better than Pentest+ study guides and has overlap w/ OSCP domains
Have you passed OSCP?
yep
When did you do it?
2019 or so
Cool. I'll probably end up doing it in late 2022
Where do the GIAC certs line up in comparison to other industry certs?
They're pretty sought-after, though, I don't know of any of them that have a challenge style exam. They're open book, but given the time limit, you can't just turn page after page through 5 or so bound books, so making a solid index is a must.
I've only earned GCIH and GNFA, and for what it's worth, I only sat those classes because my company paid for them.
Thanks! That does seem to be the kicker, because that price is something else.
Don't get me wrong, the classes are loaded with info, but yeah, that cost is a huge barrier for those without reimbursement benefits at work
My company won't even pay the $400 or so to re-up for the cert after the three years, so I just let both lapse, lol Edit: fixed my damned grammar.
Certs like that are super useful to hang on to if you expect to have similar roles in the future - I would have paid out of pocket and told the company that they aren't allowed to use them for sales or metrics or anything else
@flat sedge That's a good idea. I've never heard of telling the employer something like that.
I've been fortunate to be with my current employer since 2006, so I don't know what it's like to negotiate new terms.
I think at a certain point, orgs don't want to pay for that stuff, knowing that they can kind of hold you hostage with the goal of not paying raises or promotions. Average tenure across IT as a whole is something like 2.5 years.
That makes sense to me, especially when I was starting out. 4 years was a long tenure for me.
My employer reimbursed me the $749 for the CISSP exam, so maybe they'd do the GCIH ($849) if I didn't ask for the SANS training...
It's really easy to fall into that routine of stability; my mindset is that if my employer doesn't allow me to grow and learn new things, it's time to move on
I agree. My work is very engaging and they do provide good training avenues. I'm very very lucky
Part of that learning new things are things like certifications that add credibility to my role and task outputs
Oh, nevermind, the GCIH is $2,499 if you don't have the SANS training.
That's a bit of a different beast...
Yeah, that's one thing I love about platforms like this. There are lots of things I don't use every day in the job, so getting a taste of that at an affordable price makes all the difference to me, especially knowing I'll likely see that in future CTFs and certs like OSCP or the newer one from The Cyber Mentor.
Holy run-on sentences. Apologies, y'all...
Haha no worries, I followed
That actually reminds me. I took GCIH back when it was John Strand teaching, and his Black Hills Information Security (I think?) has affordable training as well. Some of the courses are "Pay-what-you-can" so that's a nice gesture, IMHO.
I guess that's the constant cost-benefit analysis we play in our careers
Ahh, looks like they branched off from Black Hills: https://www.antisyphontraining.com/
Ahhh, that's the one!
This looks like a good resource, thanks!
Sister company/under a different name. They're still owned by it
Ah okay :)
Does anyone know or can recommend SOC analyst certifications for beginners?
Splunk has a free cert
It's not the most common, but it shows interest and a basic understanding of what a SIEM does
Hello what are good things to research for going in this direction? I have heard master basics first? Like TCP/IP, different OS's
Mind providing a link? Thanks ❤️
Any good sites or books or topics to make sure to research? while practising on the side?
haha
lol
one of the better books on how to teach an uncommon topic
he didn't specify anything, I guess he meant for SOC analysts
How'd you know I wanted to be a lumberjack when I grow up
but I was talking about pentesting mainly lol
that book is even more fun when you realise how old it is
I'm a noob, only done a couple beginner HTB but still kinda struggle with those
but still relevant and working
Thank you, juun
@flat sedge Your thoughts on security blue team training (https://securityblue.team/training/) and certs?
Unknown, haven't looked at it
@flat sedge Fair enough. What else can you recommend from certifications, regarding soc analyst position (beginner certs)? Thanks.
SOC Analyst 1 is entry level blue team, in my opinion. Should know about system logging and aggregation, having some kind of experience with a SIEM is a big plus. @ancient prairie You are currently closer to this world than I am, any thoughts?
@flat sedge Nice.
Would be awesome to hear what @ancient prairie or others have to say about it. Thanks @flat sedge
content looks very good - doubt that the certification is overly well known. Finding certifications with generic names on job sites is difficult :(
What's the difference between bug bounty & pentester?
I'm looking to hire a threat detection engineer, if I wanted to post the job request in the jobs board, how can I do that since it's read only? Do I need to coordinate with someone from TryHackMe for this server?
Both are security researchers but one is contracted with the target company under specific guidelines, strategy, and initiative over the duration of the engagement. Bug Bounty is freelance penetration testing against target companies under their terms and agreement to identify vulnerabilities, exploit them, and report in good faith in return for a bounty or "reward" which could have some monetary value.
Bug bounty is freelance -- like bounty hunting in the wild-west. You track down bugs according to a scope and then (hopefully) get paid.
Pentesting is contracted -- like being a police officer as opposed to a vigilante bounty hunter
Drop me an email from a corporate account with a link to the job posting and preferably a summary
I can either give you the recruiter role so you can post it (and others) yourself, or just post it myself, depending on what suits better
Thanks, will do
What language do you need to learn for bug bounty (like JavaScript & Python, C++)?
PHP & MySQL??
Just realised you may need the email address
muiri@tryhackme.com
Was just about to DM with that question haha
What room should I learn for bug bounty?
does anyone blog about their findings?
the web rooms would be what you'd want including the web fundamentals path
also #bug-bounty is a channel for that as it really isn't considered career related
the cert has a little traction in some blue team circles but its generally not well-known, if you are trying to break into a SOC position you fare much better grabbing a few Splunk certs and Security+
Thanks, mate!
I have always had some sort of an interest in health care. I started to read online about health care IT and specifically HIPAA compliance. This seems like something that I would be interested in as a career.
Does someone have a nice overview of how to get into compliance?
I have previous work experience in health care informatics but nothing security related. I have a Bachelor's degree in Computing Science and going back to school for a Master's in Computer Science in January. I am putting together the courses that I would like to take.
Introduction to Graduate Algorithms
Machine Learning
Deep Learning
Data and Visual Analytics
Big Data for Health
Software Development Process
Software Architecture and Design
Software Analysis
~ Health Informatics
https://omscs.gatech.edu/sites/default/files/documents/course_page_docs/syllabi/cs_6440_sample_syllabus.pdf
~ Introduction to Information Security
https://omscs.gatech.edu/cs-6035-introduction-to-information-security
~ Information Security Policies
https://omscs.gatech.edu/pubp-6725-information-security-policies
https://omscs.gatech.edu/sites/default/files/documents/course_page_docs/syllabi/pubp_6725_syllabus_and_schedule_2021-3.pdf
I will be swapping one of the Software * courses for Information Security Policies, not sure which one yet.
Is this a step in the right direction? They have more security-related courses but those are mostly focused on red team or malware analysis.
I have put links to the course pages (or the syllabus if available) of the courses that are probably most relevant.
I understand the second part of my message is a bit more loaded but I appreciate any input.
The BTL1 cert has only been around since about early 2020. It's growing traction, but can't say how fast. The training and cert has gotten some good reviews from security professionals.
At this point in time, it's pitched at being an entry level cert to help get hands-on experience and certified, but probably has more use after you land a first job. I'm 2 months into my first cybersec job and currently going through their intro courses and I like them. I'm planning to eventually take BTL1 to help grow my knowledge and experience.
For people asking about bug bounty training, this is the best source to get practical know-how of bug bounty! I find these very helpful
https://www.stokfredrik.com/bugbountytraining
https://www.youtube.com/watch?v=CU9Iafc-Igs
Want to learn Ethical Hacking? And get a possibility to earn some extra cash while keeping the internet safe using Bug Bounty?
So here are the tips/pointers I give to anyone that's new to Bug bounty / bounties and apptesting.
- Sign up for Hackerone to get Petes book Webhacking 101 bit.ly/hackerone-stok
- Watch anything you can from Jason Haddix just google it.
- Watch all the tutorials and do the CTF on Hacker101 bit.ly/hacker101-stok
- Sign up for Pentersterlab an...
(would still recommend #bug-bounty vs this channel)
Any advice on taking the sec+ cert exam?
I took a cert prep class almost 2 years ago (through college) but didn't take the exam. Now I'm gonna go through a Pluralsight course just to refresh the info. Would like to take the cert by the end of next month
Sounds like you have a solid plan already. Knock it out, @oblique vine !
lol any advice for the exam itself though? 🤣
I would recommend doing Jason Dion's practice exams on Udemy. They're very similar to the actual test.
Oh nice. I was looking for practice exams
Jason Dion is great. Highly recommend.
@pseudo creek wouldn't bug bounty be considered grey hat hacking? And in some countries illegal, since you don't have a legal document to actually perform these tests on their company?
This is my personal opinion but it does seem as something that would be considered illegal
As long as you follow the terms of the bounty program, you should be fine, in general. Cannot comment on local regulations, though.
Ah now i understand. The company has a page(or some form of bounty) and allows people to do this as long as they follow guidelines.
Am I understanding this correctly?
Yes.
"Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy."
That's a common disclaimer for bug bounty programs
glad it was cleared up for you... bug bounty is basically free pentesting for companies with the option that they throw you some money if you are the first one to find something that they deem significant enough
So long as the bug bounty is being done in an ethical way and being reported through correct channels, it's not a grey area. Independently doing it then going to the company to say 'so I found a thing....' is a lot more shady than following company bug reporting/bounty procedure and policy.
That's great to hear mate. Congrats on your first cybersec job, cheers! I'm planning to take their BTL1 during 2022
I saw a post with a bunch of examples for entry level jobs over on LinkedIn. It seemed to address a lot of questions that pop up in here
https://www.linkedin.com/posts/naomi-buckwalter_entry-level-cybersecurity-job-posts-found-activity-6880897181641957376-g3sy
For example
Yeah, there are some jobs out there like that that exist. Not all entry level cyber jobs list CISSP or 5 years experience. But they tend to be harder to find
hiiiii
Hey mates. I was wondering, are the certs of completion from THM worth putting on your resume if you are new to the cyber industry (like me)?
For example from the learning paths
I would put in a self learning section on your resume and list there, but not as a certification
Cool, didn't think of that, thanks
As zojja said, I wouldn't put it in an experience section. It's an extracurricular activity so putting it in an extracurricular category or a projects section is the way to go about it
Hey guys, has anyone had any experience with Udacity for cybersecurity qualifications?
https://www.udacity.com/course/security-analyst-nanodegree--nd324
I am considering affordable options to supplement my cyber security studies with some kind of qualification which might help me get into the industry.
I personally have never heard of them
Training on Udacity is a bit hit or miss, just due to the nature of almost anyone being able to upload content. I also get a lot more out of reading study guides than video content, though.
Yeah, I don't feel like i'm lacking educational materials in general, but I was thinking more along the lines of having a qualification to show an employer
When I plan to take a cert, I don't take them unless I can get my employer to sign off on it (as its 100% for work) and I can demonstrate value in either my current or next job. If you are actively looking for work, look up the certs that are on the reqs for the jobs you are interested. Getting random certs that your potential employers don't recognize isn't a good way to launch your career
Good points, thanks for your input. Trying to reduce the scope for potentially wasting time/money on certs! OSCP does seem to be the way to go for the majority of employers in that case
If you are looking for pentest jobs - competition in that field is very heavy, as it is not entry level and relatively prestigious. If you are looking to get into cyber or info sec, defensive stuff may be a faster route to getting into the field. Pivoting to pentest after you are in somewhere is much easier than just jumping into it without having a pretty deep IT background in at least 1 domain.
I recently became interested in compliance. Does anyone have a roadmap or something of how to get into compliance/auditing?
NIST CF is a pretty good starting point - breaks down what a framework is supposed to do, and includes grading to rate maturity within the implementation across the org
I meant more like how to get there as a job. What are the common routes? I'm guessing from a SOC analyst type role?
But still thanks for the article! It looks like a nice read. I'll be sure to go through it.
Be good at checklists - routes to getting into compliance can be SOC, legal, accounting, or other security implementations. Audits are a huge part of it, if you can get any kind of experience surviving an audit that's a big plus
https://www.bls.gov/ooh/computer-and-information-technology/mobile/information-security-analysts.htm
What's your education? Have you considered an internship?
What got you interested in compliance?
I have a bachelor's degree in CS, with my free electives in finance, accounting and information & data management.
Going back to school to get a Master's degree in CS.
I have previous work experience as a full-stack dev at a startup in the health informatics sector.
I see health, guessing that's part of it
My interests have always been in security and health care. I have found several job positions as a SOC analyst at hospitals in this area but I don't see myself being on the technical side for my entire career. I recently read about HIPAA and figured that maybe something like compliance in that area might be more of what I would like to end up doing.
That's awesome, seems like an excellent driver
So yes, your guess is accurate
One of my degrees is in Security & Risk Analysis and anyone who has been within 10 ft of a hospital knows those places are full of yikes, so I'm glad to hear when there's folks trying to make it better
Just curious but are you ultimately looking for something like this? https://www.indeed.com/m/viewjob?jk=a267d902bc424b90&from=serp
(I'm not a recruiter or anything, just trying to better understand)
Yes, that's pretty much what I'm looking for!
I'm gonna save that position for future reference.
Hello friends, I am a beginner, so my question is where to start first to get into the Cyber Security field? Is it first programming with Python, then move to networks and then learn Kali Linux, and is that enough for an Ethical Hacker or Penetration tester to be able to get a job? Also any additional explanation is welcome!
Programming and hacking are different disciplines
You also don't really learn Kali Linux, you should be learning how stuff works, how to use tools, and understanding why those tools work
@quick forum So, this part about learning stuff I understand, I know at least where to start, but which tools are you talking about, and where can I find them and learn them if they are not in Kali Linux?
They are in Kali for the most part, but you don't learn Kali. You learn the tools. Kali is a convenient Linux distro with the tools easily available. What you learn is applicable outside Kali.
Just remember, being a hacker is a mindset. It's understanding how something functions fully, and using that understanding to break it where possible
@quick forum Ok, maybe I said it wrong when I said to learn Kali Linux, and yes I meant the tools inside it, but what do you think: because I am not talented at programming, can I succeed in getting a job with only networks and Kali Linux tools, and what would my role be in future?
In roughly 6mo as a pentester, I have used programming roughly twice
It helps to be able to program, but a lot of that is being able to understand code and how things work.
Then again, they weren't exactly asking about pentesting, but the wider field of cyber security
one Ethical Hacker or Penetration tester to be able to get a job
get in Cyber Security field
I can't speak for blue team beyond some forensics
there are programming intensive parts of cyber security.
@quick forum So, you think with networks and Kali Linux tools I can be an Ethical Hacker or Penetration tester?
but yeah, pentesting doesn't really need you to know a lot about programming.
It's worth bearing in mind that pentesting isn't usually an entry level position
A lot of companies will expect you to have IT or blue team experience
There are entry level positions out there, but they're less common
@quick forum So, what to do brother, where to start?
I'd recommend starting on tryhackme, working through some content and trying your very best to understand everything that you're doing.
If nothing else, you'll definitely learn what you like and what you dislike in cyber
But Penetration tester is easier than Ethical Hacker, it's just a part of Ethical Hacking, right? @quick forum
On same boat
Very new to cyber security, need to start from scratch. But don't know where to start.
I meant to ask you, since you have a degree in Security & Risk Analysis, can you recommend any books?
depends, B.S. was like a mile wide and an inch deep even though my concentration was in Cybersecurity. This is one of my textbooks - https://www.amazon.com/Management-Information-Security-Michael-Whitman/dp/133740571X
Can confirm, Whitman and Mattord book is fairly standard for infosec management
Going by the brief contents, seems like a good read! Thanks!
honestly I've been wanting to make a point of staying up to date in the arena, but my interests have been more in international relations. the two intertwine at some point but I'm just at the beginning stages of all this
You can learn a good chunk of the stuff mentioned here on TryHackMe, but just know that it's not a sprint, it's a marathon
Yes .
Hey guys, I've been looking for jobs and I always see a bachelor's degree in the requirements but I didn't do one, is there a way around this?
apply anyways.
No circumvention other than formal exp
Heyo, I'm a 3rd year undergrad in CS-Math (and Physics) getting pretty interested in cybersec lately. I was curious if people had advice on finding/applying to cybersec summer internships--I didn't have the time nor motivation to go through most of the SWE internship applications in the fall, but I'm currently on break and am getting pretty excited to learn more in this field
well
how do I get experience?
I am still building up my career
Go get a degree or start somewhere else in the computer world. Even with a degree Cyber is hard to break into because it's not an entry level area. Pentesting is an even more niche area that is nigh impossible to break into as an entry level. Not saying it can't be done, just unlikely.
IT is a common starting point for a lot of people
Get on LinkedIn and Indeed and start applying. Now that we're in January it's getting kind of close to the end of hiring for 2022 summer. Talk to your career center at school, they may even have a career board like Indeed. Brush up your resume and be prepared to take an internship that may not be Cyber specifically.
Is Security+ hard?