Guidance needed from the InfoSec Gurus

I am currently looking at breaking into the InfoSec field, but I am having something of a information overload. I am trying to land my first security related job,have had one interview so far, but I dont think I "speak the language " as yet.
I have studied and passed the sec+ exam, and I am currently studying the CEH material, however I find myself knowing the material once its fresh, but not working in the field is hurting me, as i soon forget alot of this info after a few weeks.

Questions
1. What are the fundamentals I need to drill down on, the must knows for a security analyst or pentest type role?
2. what are the softwares, security forums etc that I need to familiarize myself with?
3. Whats a good next step certification after Sec+ ?(I am having a hard time finding one and sticking with it)

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

philz1982

Techguru365 wrote: »

I am currently looking at breaking into the InfoSec field, but I am having something of a information overload. I am trying to land my first security related job,have had one interview so far, but I dont think I "speak the language " as yet.
I have studied and passed the sec+ exam, and I am currently studying the CEH material, however I find myself knowing the material once its fresh, but not working in the field is hurting me, as i soon forget alot of this info after a few weeks.

Questions
1. What are the fundamentals I need to drill down on, the must knows for a security analyst or pentest type role?
2. what are the softwares, security forums etc that I need to familiarize myself with?
3. Whats a good next step certification after Sec+ ?(I am having a hard time finding one and sticking with it)

Here ya go brother this should help you out

http://www.sans.org/reading-room/whitepapers/testing/penetration-101-introduction-penetration-tester-266
10 things you need to know before hiring penetration testers | ZDNet
Ideal Skill Set For the Penetration Testing - InfoSec Institute
PenTesticles: What You Need To Know to Become a Penetration Tester

Techguru365

Thanks Philz I will give that a read right away

wd40

I am having a similar problem, I think the main issue that I am facing is that I have no one to discuss IT security related issues with.

Depending on reading and forums helps but I think having a direct conversation with a person or group interested in IT security will be more beneficial.

philz1982

Feel free to PM me, if I can't answer your questions I can point you in the right direction.

wd40

Thanks Phil (if your comment was directed to me

)

I will give you an example, like Techguru365 I passed Security + (2 weeks of study) I knew the exam contents inside out, but then information started to disappear.

If I could discuss Security+ topics with coworkers or friends then it will stick.

And thanks for the links.

philz1982

Yes that was directed at you, also you could find a non-profit and actually do the concepts for them probono?

Techguru365

Is there a windows suite alternative to Kali Linux?

seigex

You can get the windows-based version of Metasploit and add to that to make your own framework, but nothing like Kali Linux specifically that I know about.

I would learn the main tools, metasploit, nmap (ZenMap GUI), winpcap/aircrack, there's lots. I use Kali, but IMHO It's better to build your own toolbag so you learn all the tools that are out there.

Like with anything else, fundamentals fundamentals fundamentals. Based on your CERT list it appears you have them, or at least the basics, but you need to drill down on the theory behind different hacks and cracks so you can apply them to new stuff and know which tools you need. Also set up boxes in your house and try out different exploits on them. Walk through some buffer overflow tutorials. Monitor CVE (Common Vulnerabilities & Exposures), NVD (Nist's National Vulnerability Database), MS's vulnerability database, Bugtraq, etc so you can learn what's out there and how they work.

philz1982

Techguru365 wrote: »

Is there a windows suite alternative to Kali Linux?

Yes it's called virtualbox running a Kali VM.

Tom Servo

I have a security job, yet still suffer from information overload. I want to do more offensive pentest/red team typer activities, but currently my role is focused on defensive data and application security. I also hit the issue of 'use it or lose it' with what I study. Here is my current approach to develop tech skills outside of work:

Build a virtual lab. I am using this book as a reference guide. https://www.packtpub.com/networking-and-servers/building-virtual-pentesting-labs-advanced-penetration-testing. Even with this book, I have had to do additional digging to figure out why things aren't working. If you're anything like me, you'll learn something going through the pain. This book explains how to do things cheap/free - or with a little bit of $$$ (or you could use unlicensed software... which of course you wouldn't....).

Try things in your virtual environment. Expect to get unreasonably frustrated. Spend hours dissecting what you are doing wrong, and understanding what is working. Consider going through this book: https://www.packtpub.com/networking-and-servers/advanced-penetration-testing-highly-secured-environments-ultimate-security-gu if you need guidance/structure on what to do. Consider going through the free Metasploit unleashed course at www.offensive-security.com/metasploit-unleashed/Main_Page. For web app pen testing - consider doing the exercises in OWASP Broken Web App, Web Goat, and Multilldae. Remember - if it is easy, you aren't learning.

If you are comfortable with all of these items - consider signing up for OSCP. It is the most in-depth pen test training I've encountered for the price. If you want to be great at security, or you want to get into a part of security that you don't have experience, plan to work 15+ hours a week at home beating your head against a keyboard.

Danielm7

Tom Servo wrote: »

I have a security job, yet still suffer from information overload.

This is so true! There just aren't enough hours in the day.

aspiringsoul

Does anybody else here feel that they suffer from information leakage?

The more I learn, the more I seem to forget it seems...I mean there are concepts that get beat into your head so much, and so often that you're not able to forget...but with the rapid pace of technology, and just how quickly a lot of the material is deprecated, it just seems like it's too much at times.

One of the reasons I would like to specialize in something, rather than be a Generalist...

Tom Servo

@aspiringsoul - not only do I constantly feel like I am forgetting things; for each thing I finally understand, I discover 2 or 3 other things I know nothing about. The more I learn, the more I realize I don't know stuff. I have a OneNote file I use for my notes, tips, hints, reference, etc - written so I can understand/find the info I need when I inevitably forget a concept or tool. I find that to be helpful.

seigex

Tom Servo wrote: »

The more I learn, the more I realize I don't know stuff.

The key to a successful IT career.

Cyberscum

@OP

Depends on what part of INFOSEC are you interested in?

dou2ble

seigex wrote: »

The key to a successful IT career.

Agreed. Be an expert and a life long learner.

Techguru365

@cyberscum I mostly see jobs for pentesters or security analyst in my area,so I would like to learn the concepts that apply to those, get my feet in the door and maybe evolve to other areas down the road.

Danielm7

Techguru365 wrote: »

@cyberscum I mostly see jobs for pentesters or security analyst in my area,so I would like to learn the concepts that apply to those, get my feet in the door and maybe evolve to other areas down the road.

Look into what both of those jobs entail, they can be very different. Pen testing specifically is not something you're going to just pick up from doing a cert unless you do the OSCP, and that isn't something you just work on casually. You'd probably have more luck getting an analyst position. Do you have other IT experience to leverage or are you trying to make this your first job?

aspiringsoul

Tom,

Thumbs up on using OneNote as a note taking tool. That's what I've used in the past, but a friend just recently introduced me to Evernote and I like it much better.

The more I learn, the more humble I become.

Cyberscum

Techguru365 wrote: »

@cyberscum I mostly see jobs for pentesters or security analyst in my area,so I would like to learn the concepts that apply to those, get my feet in the door and maybe evolve to other areas down the road.

Again, what part of INFOSEC are YOU interested in? If you do something you are interested the rest will fall into place.

E Double U

aspiringsoul wrote: »

The more I learn, the more I seem to forget it seems...

Reminds me of a Married with Children episode.