Hacking Your Way Into Cyber Security

Photo by Hunters Race on Unsplash

Are you interested in pursuing a cyber security career and don’t know where to start? Studying for your first certification and feeling overwhelmed? Don’t worry, these feelings are natural. I have found that the more I learn about cyber, the more I realize I don’t know. This endless journey of learning is why I enjoy what I do. If you are just starting out, I am writing this blog to share some of my own thoughts and recommendations from my experiences starting in the field. I hope it can help some of you kickstart your career or at least point you in the right direction.

My Background

Like many of you, my undergraduate degree was not in cyber security. My degree was in Electrical and Computer Engineering. I took a Supervisory Control and Data Acquisition (SCADA) course my senior year of college where I was first introduced to the world of cyber and it drew me in. I was fortunate enough to get accepted for an internship program that was a hybrid between Computer Engineering and Cyber Security. This internship and connections I made while attending college opened the doors for my first job as a Cyber Security Analyst.

Networking

I cannot overstate how important building a strong network is. As you meet people in the security world, stay connected with them through Twitter or LinkedIn, or if they create good content, follow their YouTube or Twitch channels. Many people will share their company’s job postings on social media and may be willing to give referrals for people they know. I am not saying to blindly send friend requests; interact and share with your connections as well. Spend a few minutes each day reading and responding to content. Post your thoughts on friends’ blogs, and like and share posts that resonate with you. Leading security experts share technical blogs and updated news stories on their feeds daily. You will be learning about current events and attack patterns while networking at the same time. Create meaningful connections and give back to the community.

Networking will continue your entire career. When you attend a conference, take the time to walk around and meet different people there. After taking a new job, reach out to other members of your organization. Ask to take time to meet with them and learn about what they do for the organization. Again, this mindset both helps you learn and grows your connections. You might even make some lifelong friends along the way.

Certifications

Certifications are widely discussed in Cyber Security. What certification should I get? Are certifications worth it? I have found the answers to these questions vary wildly depending on who you speak to, so this is my own perspective on it. Granted, I have never been a hiring manager or recruiter. This is from my own experience and what I have seen during my short time in cyber.

Many jobs require baseline certifications, degrees, or experience to get your resume on the hiring manager’s desk. DoD 8570 is a prime example, requiring specific certifications based on the job role you are applying for. This also applies to jobs in the private and public sectors, many requiring similar certifications (Security+, Certified Ethical Hacker, A+, etc.). Agree with it or not, attaining these certifications is a way to get your foot in the door, so to speak. When a recruiter looks at your resume and you have Security+, you have met the baseline requirement for the position. With a referral from someone in your network you may get an interview with the hiring manager. I will give a brief overview of my experience with some of the different certifications in the industry.

CompTIA Training

Coming into Cyber Security with no experience, Security+ was overwhelming for me. I studied for about 3 months on my own and failed the exam the first time by a few questions. I kept studying and retook the exam about a month or two later with a passing score. Security+ is a fairly good entry level exam. It covers a broad range of topics and is relatively cheap compared to other certifications (I believe it was around $330 or so when I took it a few years ago). CompTIA has a variety of other certifications covering a wide range of topics. They offer good entry level certifications, but I would recommend you research on your own before taking an exam.

Certified Ethical Hacker (CEH)

I took a CEH bootcamp a few months after passing the Security+ exam. CEH is another entry level certification commonly found in job requirements. The certification is more expensive than Security+ and focuses more on penetration testing content (at the time I think the exam alone was $500-700). The course/exam will not train you to be a penetration tester. It is designed to introduce you to penetration testing terms and concepts. I personally enjoyed the class and learned a lot of new material from the exam. I think this certification will help you meet minimum job requirements, but there are other, more hands-on certifications that may be a better fit. If you are just entering cyber security, this is a good certification to have.

Certified Information Systems Security Professional (CISSP)

CISSP is considered the gold standard certification in Cyber Security. The exam covers a broad range of domains and is really focused more on the management side of Cyber Security. I would recommend this certification when you have a few years of experience in the industry. The test is more expensive than Security+ and the certification process is more intense (about $700 for the exam). After passing the exam they provide you with directions to apply for CISSP Associate or the full CISSP certification. The full certification requires 5 years of work experience, or four years of work experience with additional education (a degree or holding certain certifications will waive the 5th year). CISSP is a management focused certification that shows you have a general understanding of different Security Domains. It does not prove you are an expert in security, but it will help open doors for you during your career.

SANS Institute

Out of all the certification programs I have personally done, I have found SANS to be the most valuable. SANS offers a variety of certifications in every discipline, ranging from penetration testing to reverse engineering. Their coursework is constantly updated and taught by some of the leading experts in the field. The courses are by far the most expensive however, currently costing almost $8,000 per course including the certificate. If you are fortunate enough to have an education budget through work to pay for training, I would highly recommend considering SANS. I have included a link to their certification roadmap below.

SANS Roadmap

Offensive Security

Offensive Security certifications are highly recommended in Cyber Security. Their courses are more expensive than CompTIA, but less expensive than SANS, depending on how much lab time you purchase. They are not for the faint-hearted and are 100% hands-on. Unlike the previous certifications mentioned, Offensive Security tests are practical exams. The OSCP exam, for instance, is a 24 hour proctored exam. During the exam, you will work towards gaining root access to five machines and provide a detailed report writeup for review. OSCP is quite an accomplishment if you are dedicated and up to the challenge. Offensive Security offers several other certification courses and their own lab environments for training.

There are plenty of other certifications and training courses available. I have only listed a few that I am personally familiar with. I recommend gearing your training plan towards the career you want to pursue. If, as you are learning, you discover an interest in cloud technologies, consider pursuing some certifications in Amazon Web Services (AWS) or through another cloud provider, for instance. There are so many topics to focus on that you can really choose your own adventure.

Interview Skills

Certifications and networking may help you land an interview, but to get the job you need to showcase what you know and speak intelligently. Below are some personal interview tips.

  • Be confident in your knowledge and abilities

  • Take a second to think before answering interview questions

  • Dress for success

  • Research the company and position before the interview

  • Be polite and respectful, thank them for their time at the end of the call/meeting

  • If you do not know about a topic, be honest; it’s ok to respond with “I have not worked with <insert tool name> in the past, but I am willing to learn”

Cyber Security is constantly changing and evolving. If I were a hiring manager I would look for people that are open to learning, are team players, are respectful of other people, and are passionate about their work. You don’t necessarily have to be the smartest person to get the job. I am not sure where the saying originally comes from, but I am a firm believer that “luck happens when opportunity meets hard work”. If you put in the time studying, following current events, and earning certifications, then when an opportunity arises you will be prepared to take it.

Continuous Training and Education

Regardless of your experience in the industry, training is never ending. I recommend continuing to pursue one or two certifications a year, subscribing to an education platform (Udemy, TryHackMe, Hack The Box), or working on your own projects at home to keep your skills fresh. There are a variety of different ways to continue learning and stay up to date with the community. I have listed a few below. Find what works best for you.

  • Attending Conferences

  • Participating in Capture the Flag (CTF) Events

  • Certifications and Bootcamp Courses

  • Subscription and Free Platforms

  • Following Educators and Content Developers

  • Home Lab and Self Taught Training

  • Free Training Sites

  • Reading Books and Tutorials

There are so many ways to keep learning and stay on top of new topics in the industry. Continuing to learn and develop new skills will help you develop and grow in your career. After a while you will find you know more than you thought you did. Learning outside of work shows your dedication and will help you pave your own way in the industry.

Conclusion

If you are trying to get into cyber security and are feeling overwhelmed, don’t worry, the feeling is natural. Everyone started learning somewhere and no one’s path is exactly the same. About 70% of the people I have found in the industry either do not have a college degree or their degree was in a different field of study. If you want to get into cyber, the only thing stopping you is the limits you place on yourself. There is a world full of resources available to you. Training courses and certifications are expensive, but think of them as an investment in your career. If a ~$400 Security+ exam helps you get a job making $75,000 as an analyst when your current position is paying $45,000, then your investment paid off. Work towards the job you want. Identify what you need to do to get there.

Identify your long term goals. Break your goals down into smaller goals and give yourself a manageable timeline to meet them. Continue networking and speaking with others in the industry. Find out what their recommendations are and follow your passion. I hope some of my thoughts and experiences help you on your journey into cyber security. If anyone has other recommendations from their own experiences, please share them in the comments.
