Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

  • dipbeneaththelasers
    7 · 11 months ago

    I’ve always been curious if command centers are a thing in cyber security. Is there a room full of people at every major bank monitoring infrastructure health and network traffic for signs of infiltration or compromise, ready to pounce? And if so, is that as cool of a job as it sounds or am I delusional?

    • @ddnomad
      3 · 11 months ago

      From my experience, all of this is mostly done remotely now. SOC / cybersecurity / threat intelligence analyst is probably the title you are looking for.

      And it’s boring as fuck, most of the things are already set up, all alerting in your log aggregators, SIEMs and SOARs, playbooks for days, nearly 0 agency, just watch the feed, spot stuff and execute like a robot.

      That being said, it’s where a lot of security engineers start, and if you get through this you may actually get to the part that is more interesting and requires actual experience and knowledge.

      But imho you are far better off getting into security via software development / sysadmin / devops routes, it’s just way more interesting that way.

  • @vpz
    6 · 11 months ago

    Something I don’t think is talked about enough in offensive cybersecurity training / skill development is communication skills. Too often we are seeing folks try to enter these roles without the ability to write reports and give presentations to audiences with a mix of technical and business attendees. My recommendation to folks considering these roles is to put in the time to get communication skills to a very professional level. Train it just as if report writing or public speaking were a new shiny hacking certification. It will improve your chances of landing the job.

    • @ddnomad
      2 · 11 months ago

      Double that. No engagement I’ve been a part of involved fewer than 3 days of report writing after, potentially, a week of actual work and 2 weeks’ worth of scope discussion and expectation setting.

    • @nechered
      1 · 11 months ago

      Agree. When I have given talks for cybersecurity students I usually tell them that a lot of the work time goes into writing reports, because the customer (be that internal or external) does not care about what cool thing you did during the test; they care about the risk, and your findings have to reflect that.

    • dipbeneaththelasers
      1 · 11 months ago

      Agreed, and I think this goes for a lot of technical professions. You’re better at your job if you can walk the business walk and talk the business talk. I sit at the nexus of business and data, and working on being fluent in both makes me better at both.

  • @wop
    4 · 11 months ago

    I am hosting multiple services, but my application/web security knowledge is lacking. Is there a guide or framework to check for common or risky mistakes? Is there a list of things I should check every application for, or guide on how to harden hosted applications? That is a topic that I am going to tackle in the near future, and would appreciate some tips in advance.

    • @unashamedgeek
      4 · 11 months ago

      OWASP is arguably the standard for web application assessments. They cover most of the areas and testing guidance. Burp Suite web academy offers labs that cover many web application security issues. For secure coding, you’d need to look for references aligned with your language of choice.

      • @wop
        1 · 11 months ago

        Thank you!

    • @ComradeKhoumrag
      4 · 11 months ago

      There’s a browser extension you can use by OWASP, I think it’s “Penetration Tool Kit” or PTK.

      I stopped using it because it was slow (being a browser extension and all) but I do like how easy it was to use while needing to be logged in or get past captchas

      OWASP ZAP is good for reconnaissance scanning.

      I really like Burp Suite for reverse engineering a web app. You can use the proxy to intercept HTTP packets and see what every change elicits.

      • @wop
        2 · 11 months ago

        Thank you!
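  One concrete form of the "list of things I should check every application for" that @wop asked about is a header and cookie audit of each hosted service's HTTP responses. The block below is an added example written for this thread, not code from the posters or from OWASP; the checks follow common OWASP secure-headers guidance, the one-year HSTS minimum is this example's own threshold, and the two sample responses are constructed, not captured from any site.

```python
"""Checklist audit of one HTTP response's security headers and cookie flags.

Added example for the thread above (not the posters' code). The header names and
the checks follow common OWASP secure-headers guidance; the one-year HSTS
minimum is an assumption of this example. Sample responses are constructed.
"""
from __future__ import annotations

import re

ONE_YEAR = 31536000  # seconds; assumed minimum for Strict-Transport-Security max-age
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response (status line + headers, CRLF or LF) into
    lowercase (name, value) pairs, keeping repeats such as several Set-Cookie lines."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    pairs = []
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)

    def get(name: str) -> list[str]:
        return [v for k, v in headers if k == name]

    findings: list[str] = []

    hsts = get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age shorter than one year")

    csp = get("content-security-policy")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp[0] or "'unsafe-eval'" in csp[0]:
        findings.append("Content-Security-Policy allows 'unsafe-inline' or 'unsafe-eval'")

    if [v.lower() for v in get("x-content-type-options")] != ["nosniff"]:
        findings.append("missing X-Content-Type-Options: nosniff")

    # Clickjacking: either a strict X-Frame-Options or a CSP frame-ancestors directive.
    xfo = [v.upper() for v in get("x-frame-options")]
    framing_ok = any(v in ("DENY", "SAMEORIGIN") for v in xfo) or any(
        "frame-ancestors" in v for v in csp
    )
    if not framing_ok:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    # Version disclosure in Server / X-Powered-By (anything that looks like a version).
    for name in ("server", "x-powered-by"):
        for v in get(name):
            if re.search(r"\d+\.\d+", v):
                findings.append(f"{name} header discloses a version: {v}")

    # Every cookie should carry Secure, HttpOnly and SameSite.
    for cookie in get("set-cookie"):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag, label in COOKIE_FLAGS.items():
            if flag not in attrs:
                findings.append(f"cookie {cname} lacks {label}")

    return findings


# Constructed sample responses (not captured from any real service).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hi</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>hi</body></html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "no findings")
```

  Run it against the raw response you get back from `curl -i` on each service; the weak sample yields eight findings (missing HSTS, CSP and nosniff, no clickjacking protection, a version-disclosing Server header, and a session cookie without Secure, HttpOnly or SameSite), the hardened sample yields none. The same function is a reasonable thing to wire into a deployment check so a regression in one service's reverse-proxy config is caught before an assessment does.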

  • @angrynomad
    2 · 11 months ago

    Having minimal professional IT experience, yet an IT degree, what should I focus on to get into the cybersecurity field?

    • @rayaar
      3 · 11 months ago

      Which part of IT security do you want to become a part of? It’s a huge field with loads of roles and specialities. For entry level, a SOC is probably the easiest. Pentesting is the most popular, but also not a jr. role in my eyes.

      • @angrynomad
        1 · edit-2 · 11 months ago

        Definitely pentesting, but looking at this job market, I can’t even land a helpdesk role. At this point anything…but I’d prefer remote, as there’s nothing near me.

    • shellsharks (OP, MA)
      1 · 11 months ago

      Got your 3 C’s right here --> Code, Cloud, Collection (and by collection I mean document what you learn in a blog or GitHub or something). For coding, I’d say go with Python and for cloud, get a free AWS account and learn the basics.

      • @angrynomad
        2 · 11 months ago

        Familiar with the 2, just need to create now I guess

  • @matt
    2 · 11 months ago

    General question but how do y’all actually find a mentor? I feel like there’s probably a local group nearby me or something that I could look into but are there places/people that are more likely to say “yes, I will mentor you” in y’all’s experience?

    • @ComradeKhoumrag
      3 · 11 months ago

      For free? You’re probably best finding help on forums like this. Hacker News is decent also.

      If you’re willing to pay, well then obviously there’s a market for it

      • @matt
        2 · 11 months ago

        That makes sense, thanks! Have you ever hired a mentor before? I imagine it’d be a lot like hiring a coach but how would you know that they’re not just being kind of a “yes man” or at the very least kind of reputable?

        • @ComradeKhoumrag
          2 · 11 months ago

          Yeah, check out David Bombal on YouTube. He interviews hackers. I recommend looking at those and the channels of people he interviews

          I pay @three_cubed AKA master OTW [occupy the web]. It’s good information, but what’s your academic background like? I came in with an advanced degree and felt the tier that was right for me was the most expensive (subscriber pro)

          My day job isn’t infosec related, but when I do find time to better those skills I’ve found this loop pretty fun:

          Vulnerability scan websites (like with OWASP ZAP). Find the most severe vulnerability I haven’t done before (XSS for example).

          Play capture the flag targeting that vulnerability.

          A similar process works with nmap or Shodan to get information about what services are running on an IP’s ports. Then using Metasploit to try and run scans/fuzz inputs, deliver a payload, run an exploit, and perform post-exploitation activities (typically data infiltration/exfiltration).

          Eventually I’m gonna try and get into reverse engineering malware

          • @matt
            3 · 11 months ago

            write_that_down.jpeg

            This is amazing info, thank you! So I have a BS in comp sci and applied math but all my experience is from ~10 years in different roles in IT from helpdesk to now cloud engineering/devops. I had been doing some CTFs and Juice Shop for a bit but fell off because things got busy (as they always do). Lately I’ve been looking at reversing DRM for old shareware games just to get more familiar with the concepts but it’s been mostly looking rather than doing so far lol. What I really want to get better at are namely two things:

            • Container security and exploiting it
            • Getting better at understanding how things work at lower levels to be better at reverse engineering

            Really appreciate the insight and hope that everything goes well with your plans!

      • @matt
        1 · 11 months ago

        @shellsharks@infosec.pub Sorry, was offline for a few days! Not really sure what I’m looking for, honestly? Mostly someone to kind of push me for doing more/exploring more? I’d like to focus in on AI security as well as container security and I know I can start that work on my own – I just know it’s easier/more likely for me to do things if I have someone filling in the blanks on things I don’t know that I don’t know. I’ll start with those there (been following She Hacks Purple and InfoSec Sherpa for a bit) and see if any low-hanging fruit shakes loose from the tree, thanks again!

        • shellsharks (OP, MA)
          3 · 11 months ago

          I’ve seen some good AI-related security things out of OWASP lately and some container security stuff from DataDog if you want to do a little googling.

  • @sumikko
    1 · 11 months ago

    Looking for resources (books/blogs/videos) on how to get started with getting into cyber security. I’ve got 13 years of work experience of which 10 as a Linux sysadmin/SRE/DevOps (it’s a culture, not a role) and 3 years as a software developer. I understand the field is wide and there’s many positions I could look getting into.

    I get along with people well and have worked as a consultant before, so I could see doing that at some point as a contractor once I’ve got more experience in the field. Generally I’m not a big fan of working at big companies, but don’t mind doing gigs for them.

    I guess familiarizing myself with pentest and other tooling would be a good start?

  • @br3ad
    1 · 11 months ago

    I have around 6 years of experience in different fields like vulnerability management, web penetration testing, SAST, DAST, secure architecture reviews and threat modeling.

    What is a career path suitable for someone with this background? Security architect? Principal security engineer? I am not sure what steps I should be taking to progress. I am considering taking CISSP or CCSP as a major cert in the coming year.

    • shellsharks (OP, MA)
      1 · 11 months ago

      What is “progress” to you? Where are you trying to go? Is there something you want to learn to do? A title you want? A salary you want? Responsibilities you want? Working for a specific company or industry?

  • @solidsnail
    1 · 11 months ago

    I feel like I’m a bit lacking when it comes to finding race condition vulnerabilities. Any tips on that?

    • shellsharks (OP, MA)
      3 · 11 months ago

      Honestly would have to Google resources myself haha
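  For @solidsnail’s question about finding race condition vulnerabilities, the pattern that surfaces most of them in web apps is a check-then-act step (read a row, decide, write it back) hit by many identical requests at the same instant. The block below is an added example written for this thread, not something from the posters: a hypothetical single-use coupon handler in its racy and its serialised form, plus the concurrent probe that tells them apart. The class and function names are invented, and the `sleep` between check and act is a constructed stand-in for the database round-trip that makes the window exploitable on a real service.

```python
"""Check-then-act race in a toy coupon-redemption handler, and the probe for it.

Added example for the thread above (not the posters' code). All names are
hypothetical; the sleep models the DB round-trip between the read and the write.
"""
from __future__ import annotations

import threading
import time
from typing import Callable


class CouponStore:
    """In-memory stand-in for a single-use coupon table."""

    def __init__(self, codes: list[str], delay: float = 0.01) -> None:
        self.redeemed = {c: False for c in codes}
        self.delay = delay  # constructed window between check and act
        self.lock = threading.Lock()

    def redeem_racy(self, code: str) -> bool:
        """Vulnerable: every request that passes the check before the first
        write lands gets a 'success', so one coupon redeems many times."""
        if self.redeemed.get(code) is not False:  # check (unknown or used -> reject)
            return False
        time.sleep(self.delay)  # e.g. waiting on the DB before the UPDATE
        self.redeemed[code] = True  # act
        return True

    def redeem_safe(self, code: str) -> bool:
        """Fixed: check and act are one atomic step under a lock (on a real
        backend this is a row lock or a conditional UPDATE ... WHERE used = 0)."""
        with self.lock:
            if self.redeemed.get(code) is not False:
                return False
            time.sleep(self.delay)
            self.redeemed[code] = True
            return True


def probe(handler: Callable[[str], bool], code: str, workers: int = 20) -> int:
    """Fire `workers` identical requests at the same instant and count successes.
    A business rule of 'once per coupon' means anything above 1 is a finding."""
    barrier = threading.Barrier(workers)  # release every thread together
    successes = 0
    count_lock = threading.Lock()

    def worker() -> None:
        nonlocal successes
        barrier.wait()
        if handler(code):
            with count_lock:
                successes += 1

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return successes


def demo() -> tuple[int, int]:
    """Returns (successes against the racy handler, successes against the safe one)."""
    racy = CouponStore(["SAVE10"])
    safe = CouponStore(["SAVE10"])
    return probe(racy.redeem_racy, "SAVE10"), probe(safe.redeem_safe, "SAVE10")


if __name__ == "__main__":
    racy_hits, safe_hits = demo()
    print(f"racy handler: {racy_hits} redemptions of one coupon")
    print(f"safe handler: {safe_hits} redemption of one coupon")
```

  Against a real target the probe is the same idea with N copies of the same HTTP request released simultaneously (Burp’s Turbo Intruder and Repeater’s parallel send do this), and the tell is a count of successful responses higher than the business rule allows: more than one redemption, more than one withdrawal against a balance, more than one vote per user. Candidates to try it on are any endpoint whose success depends on state it read a moment earlier; the fix is always to make the check and the update a single atomic operation on the backend.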