Networking for Information Security/Penetration Testing
LonVenu
Member Posts: 44 ■■□□□□□□□□
Hello TechExams' amazing community, this is my first post ever on the internet, so kindly excuse my faults. And I apologize for the long post in advance, but I really need your help, as my whole future depends on your help, and this important post.
I am interested in Information Security, in fact, I have a strong passion in it, and that's why I chose IT Security over Medicine, Passion over Money/Prestigious. So I decided to make it my job field.
I am enrolled in a Computer science program in a university, 1 month and 12 days left for it to start. I plan to have a master degree in CyberSecurity/IT Security if it's worth it. I have prior experience in hacking some machines, but nothing major, I was just a script kiddie unfortunately.
And as I want to be a professional hacker/penetration tester, I am building the right strong skillset, including programming, networking, operation systems...before I start hacking any machine, or studying any security related degree/certification.
I reached the part of my plan where I learn networking, my plan was like this: Network+ > CCENT > CCNA R&S. I was planning to study them now, and take the exams in my last university year. The main reason I wanted to have those certification (or the CCNA R&S) in my resume is to approve that I understand networking.
So, I got the "CompTIA Network+ All-In-One Exam Guide, Sixth Edition(Exam N10-006)" Mike Meyer's book, and got shocked by how much information is need to be memorized in order to pass the exam, and understanding that information (which is the only needed in the real world field) isn't enough to. And, this is just the basic network+ cert., so the CCNA R&S has much more to memorize (probably 1000+ pages). Also, all that memorization is not needed in the security/hacking field, I just need to understand TCP/IP, know how to pivot, understand wireshark, understand how firewalls work..I don't need to know how to configure 100+ switches with 30+ firewalls, and some load balancers, that is the networking man job. I understand that to hack a network protected using a firewall, and an IPS for example, i need to understand both of them in order to hack it, and that's what I am gonna do, I want to understand and memorize what's needed for hacking, but not 4000+ pages of networking at least. And i am gonna deploy that practically in labs. I am gonna configure switches, routers, firewalls, IPS & IDS.., but I am not gonna memorize tons of things, just to pass a certification, that I am not gonna use, neither in the job, nor in my own hacking journey.
Then, I kept thinking, is studying them using "books maybe + cybrary + labs -packet tracer, virtual networks using vmware workstation-" enough to fill this gap ? I checked indeed.com to see some job posts, and what they require, and no one required having those certifications, just a few required understanding TCP/IP.
This same thing applies to Microsoft, and Red Hat, I planned to get some of their certifications, to approve that I understand Windows and Linux, but i think there is no need anymore. I can self-study them without getting a certification, for my knowledge base only, and focus on the security certifications, so I can now achieve the CEH (just to pass the HR), OSCP, maybe elearnsecurity (their courses are good, but their certifications are not well known unfortunately, so I don't know if it will help me getting a good job), and much more.
And I thought, doesn't achieving OSCP approve that I understand the needed knowledge to do a penetration test ? Such as TCP/IP understanding, wireshark, linux, windows, scripting...as this knowledge is required to pass it! So, I can approve it to the employer this way.
So now, I can achieve some important security certifications within my bachelor years, then I can join a master security degree if it's worth it (in USA or EUROPE) OR I will get a good security-related job immediately after graduation (I don't study in USA or Europe currently, but I would like to work there, as the people there appreciate Information Security much more than here), and then, I will start harvesting SANS certifications -i wish i can afford them on my own now-, and after some years, I will get the CISSP, and maybe then I can work as a CISO! Which is my goal, to be a CISO (As I know, it's the most paying and prestigious job in this field).
In the same time, I will study security books as much as I can, I will build my own lab, I will use vulnerable machines such as the vulnhub's ones, i will use ctf365.com, I will stay up to date with security news and vulnerabilities, I will donate to penetration test local companies, i will attend CTFs, conferences, and bug bounty programs, I MAY make a blog, and I will do my best to fill up my resume (I will make a seperate post to gather as much as possible on what things can help my resume).
You may ask, why did I post this if I already made my decision ? I didn't. I am still worried what is the right thing to do, that's why I need your help. I don't know what is better. I don't know if my path will work or not.
I apologize for the long post. I hope you answer my following questions, and I appreciate any additional advice and suggestions. I hope you correct and direct me to the right path. My whole future depends on your help.
1. Can I get a security-related job immediately after graduation (I mean my first job is security-related one) with a CS BA degree, CEH cert., OSCP cert., and the self-study stuff that can be put on the resume (such as: books, online courses, achievements, donations, a blog, CTFs, conferences, bug bountry programs...) ?
2. Is my plan/path realistic ?
3. Can the CISO level be achieved this path ? (I think I need a management/Business certification to be a CISO)
4. Additional notes, advice, and suggestions are appreciated.
Thanks in advance.
-LonVenu | TechExams
I am interested in Information Security, in fact, I have a strong passion in it, and that's why I chose IT Security over Medicine, Passion over Money/Prestigious. So I decided to make it my job field.
I am enrolled in a Computer science program in a university, 1 month and 12 days left for it to start. I plan to have a master degree in CyberSecurity/IT Security if it's worth it. I have prior experience in hacking some machines, but nothing major, I was just a script kiddie unfortunately.
And as I want to be a professional hacker/penetration tester, I am building the right strong skillset, including programming, networking, operation systems...before I start hacking any machine, or studying any security related degree/certification.
I reached the part of my plan where I learn networking, my plan was like this: Network+ > CCENT > CCNA R&S. I was planning to study them now, and take the exams in my last university year. The main reason I wanted to have those certification (or the CCNA R&S) in my resume is to approve that I understand networking.
So, I got the "CompTIA Network+ All-In-One Exam Guide, Sixth Edition(Exam N10-006)" Mike Meyer's book, and got shocked by how much information is need to be memorized in order to pass the exam, and understanding that information (which is the only needed in the real world field) isn't enough to. And, this is just the basic network+ cert., so the CCNA R&S has much more to memorize (probably 1000+ pages). Also, all that memorization is not needed in the security/hacking field, I just need to understand TCP/IP, know how to pivot, understand wireshark, understand how firewalls work..I don't need to know how to configure 100+ switches with 30+ firewalls, and some load balancers, that is the networking man job. I understand that to hack a network protected using a firewall, and an IPS for example, i need to understand both of them in order to hack it, and that's what I am gonna do, I want to understand and memorize what's needed for hacking, but not 4000+ pages of networking at least. And i am gonna deploy that practically in labs. I am gonna configure switches, routers, firewalls, IPS & IDS.., but I am not gonna memorize tons of things, just to pass a certification, that I am not gonna use, neither in the job, nor in my own hacking journey.
Then, I kept thinking, is studying them using "books maybe + cybrary + labs -packet tracer, virtual networks using vmware workstation-" enough to fill this gap ? I checked indeed.com to see some job posts, and what they require, and no one required having those certifications, just a few required understanding TCP/IP.
This same thing applies to Microsoft, and Red Hat, I planned to get some of their certifications, to approve that I understand Windows and Linux, but i think there is no need anymore. I can self-study them without getting a certification, for my knowledge base only, and focus on the security certifications, so I can now achieve the CEH (just to pass the HR), OSCP, maybe elearnsecurity (their courses are good, but their certifications are not well known unfortunately, so I don't know if it will help me getting a good job), and much more.
And I thought, doesn't achieving OSCP approve that I understand the needed knowledge to do a penetration test ? Such as TCP/IP understanding, wireshark, linux, windows, scripting...as this knowledge is required to pass it! So, I can approve it to the employer this way.
So now, I can achieve some important security certifications within my bachelor years, then I can join a master security degree if it's worth it (in USA or EUROPE) OR I will get a good security-related job immediately after graduation (I don't study in USA or Europe currently, but I would like to work there, as the people there appreciate Information Security much more than here), and then, I will start harvesting SANS certifications -i wish i can afford them on my own now-, and after some years, I will get the CISSP, and maybe then I can work as a CISO! Which is my goal, to be a CISO (As I know, it's the most paying and prestigious job in this field).
In the same time, I will study security books as much as I can, I will build my own lab, I will use vulnerable machines such as the vulnhub's ones, i will use ctf365.com, I will stay up to date with security news and vulnerabilities, I will donate to penetration test local companies, i will attend CTFs, conferences, and bug bounty programs, I MAY make a blog, and I will do my best to fill up my resume (I will make a seperate post to gather as much as possible on what things can help my resume).
You may ask, why did I post this if I already made my decision ? I didn't. I am still worried what is the right thing to do, that's why I need your help. I don't know what is better. I don't know if my path will work or not.
I apologize for the long post. I hope you answer my following questions, and I appreciate any additional advice and suggestions. I hope you correct and direct me to the right path. My whole future depends on your help.
1. Can I get a security-related job immediately after graduation (I mean my first job is security-related one) with a CS BA degree, CEH cert., OSCP cert., and the self-study stuff that can be put on the resume (such as: books, online courses, achievements, donations, a blog, CTFs, conferences, bug bountry programs...) ?
2. Is my plan/path realistic ?
3. Can the CISO level be achieved this path ? (I think I need a management/Business certification to be a CISO)
4. Additional notes, advice, and suggestions are appreciated.
Thanks in advance.
-LonVenu | TechExams
Comments
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■1. Always tough to get into security fresh out of school, I would say it's the exception not the rule.
2. If your plan/path involves never becoming an expert in something before moving into a security position then you are setting yourself up to fail.
"Also, all that memorization is not needed in the security/hacking field, I just need to understand TCP/IP, know how to pivot, understand wireshark, understand how firewalls work..I don't need to know how to configure 100+ switches with 30+ firewalls, and some load balancers, that is the networking man job." - this is a script kiddie mentality and any true professional is going to get a firm foundation in a technology, learn to secure it, and then make the jump to security.
3. CISO = MBA at some point because you will be dealing with budgets, compliance, and other business related issues
4. OSCP does not mean that you have all of the knowledge to start penetesting. It definitely helps, but without experience you will only be so effective.
I think something you need to know about security is experience trumps everything. There are a ton of people in the field of penetesting with any number of initials behind their names. You would be competing with people who have military experience, intelligence community experience, and/or industry experience. My suggestion would be to get a firm foundation in some technology (networking is probably the way to go) and try to get onto a SOC/NOC as an analyst. You mention at some point you thought you would become a doctor and that is a perfect example for becoming a security professional. In the US a doctor goes to school for four years (beyond their bachelors degree) and follows up with at least three years of residency. What can we learn from this? That education alone does not make you a doctor. Thus you start with a firm foundation in medicine and then got out to begin to specialize.
As a side note, it's usually not wise to post the same topic in two different areas.WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
wrfortiscue Member Posts: 62 ■■□□□□□□□□the_Grinch wrote: »1. Always tough to get into security fresh out of school, I would say it's the exception not the rule.
2. If your plan/path involves never becoming an expert in something before moving into a security position then you are setting yourself up to fail.
"Also, all that memorization is not needed in the security/hacking field, I just need to understand TCP/IP, know how to pivot, understand wireshark, understand how firewalls work..I don't need to know how to configure 100+ switches with 30+ firewalls, and some load balancers, that is the networking man job." - this is a script kiddie mentality and any true professional is going to get a firm foundation in a technology, learn to secure it, and then make the jump to security.
3. CISO = MBA at some point because you will be dealing with budgets, compliance, and other business related issues
4. OSCP does not mean that you have all of the knowledge to start penetesting. It definitely helps, but without experience you will only be so effective.
I think something you need to know about security is experience trumps everything. There are a ton of people in the field of penetesting with any number of initials behind their names. You would be competing with people who have military experience, intelligence community experience, and/or industry experience. My suggestion would be to get a firm foundation in some technology (networking is probably the way to go) and try to get onto a SOC/NOC as an analyst. You mention at some point you thought you would become a doctor and that is a perfect example for becoming a security professional. In the US a doctor goes to school for four years (beyond their bachelors degree) and follows up with at least three years of residency. What can we learn from this? That education alone does not make you a doctor. Thus you start with a firm foundation in medicine and then got out to begin to specialize.
As a side note, it's usually not wise to post the same topic in two different areas.
Good informative post -
LonVenu Member Posts: 44 ■■□□□□□□□□the_Grinch wrote: »1. Always tough to get into security fresh out of school, I would say it's the exception not the rule.
2. If your plan/path involves never becoming an expert in something before moving into a security position then you are setting yourself up to fail.
"Also, all that memorization is not needed in the security/hacking field, I just need to understand TCP/IP, know how to pivot, understand wireshark, understand how firewalls work..I don't need to know how to configure 100+ switches with 30+ firewalls, and some load balancers, that is the networking man job." - this is a script kiddie mentality and any true professional is going to get a firm foundation in a technology, learn to secure it, and then make the jump to security.
3. CISO = MBA at some point because you will be dealing with budgets, compliance, and other business related issues
4. OSCP does not mean that you have all of the knowledge to start penetesting. It definitely helps, but without experience you will only be so effective.
I think something you need to know about security is experience trumps everything. There are a ton of people in the field of penetesting with any number of initials behind their names. You would be competing with people who have military experience, intelligence community experience, and/or industry experience. My suggestion would be to get a firm foundation in some technology (networking is probably the way to go) and try to get onto a SOC/NOC as an analyst. You mention at some point you thought you would become a doctor and that is a perfect example for becoming a security professional. In the US a doctor goes to school for four years (beyond their bachelors degree) and follows up with at least three years of residency. What can we learn from this? That education alone does not make you a doctor. Thus you start with a firm foundation in medicine and then got out to begin to specialize.
As a side note, it's usually not wise to post the same topic in two different areas.
How is it a script kiddie mentality when i say "understand TCP/IP, understand....understand..." !? !?
Thanks a lot. -
LonVenu Member Posts: 44 ■■□□□□□□□□If i say that I decided to get a networking certification, should I go this route: Net+ > CCENT > CCNA R&S , or study CCNA R&S immediately ? in both routes, i will get the ccna certification only. I will probably then get the CCNA Security.
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■How is it a script kiddie mentality when i say "understand TCP/IP, understand....understand..." !? !?
Thanks a lot.
While I'm not aiming for an argument, we have to look at the totality of your statement. You use understand as your basis, but understanding isn't a strong enough burden. When you go for an interview you are going to be asked detailed questions about any number of topics. As an example, in an interview I was asked to describe a tcp handshake. Simple right? Wrong, after the initial description in came the fully technical questions. How does the sequence numbering work? What is a Window Size? What are the control bits? These are important details.
My assumption is your ultimate goal is to become a solid penetration tester. How do you learn to break into something without first knowing how it works? Does knowing how to drive mean you can become a car thief? Maybe. But more than likely you will need to know exactly how various systems within the car work before you can hope to actually steal it.WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
the_Grinch Member Posts: 4,165 ■■■■■■■■■■https://web.archive.org/web/20160310060148/http://infiltrated.net/pentesting101.html <---I'd follow this.WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff -
wrfortiscue Member Posts: 62 ■■□□□□□□□□the_Grinch wrote: »https://web.archive.org/web/20160310060148/http://infiltrated.net/pentesting101.html <---I'd follow this.
Awesome info. I think I am going to look into that hehe. I need to get my feet wet again... I gave up on the security side and tried to do more desktop support/admin work but my true passion is security. I am paranoid and love it. I am willing to work from the bottom, I don't care. -
LonVenu Member Posts: 44 ■■□□□□□□□□the_Grinch wrote: »https://web.archive.org/web/20160310060148/http://infiltrated.net/pentesting101.html <---I'd follow this.
Is there a reason why you gave me archived version of it ? instead of the original link ?! -
LonVenu Member Posts: 44 ■■□□□□□□□□the_Grinch wrote: »While I'm not aiming for an argument, we have to look at the totality of your statement. You use understand as your basis, but understanding isn't a strong enough burden. When you go for an interview you are going to be asked detailed questions about any number of topics. As an example, in an interview I was asked to describe a tcp handshake. Simple right? Wrong, after the initial description in came the fully technical questions. How does the sequence numbering work? What is a Window Size? What are the control bits? These are important details.
My assumption is your ultimate goal is to become a solid penetration tester. How do you learn to break into something without first knowing how it works? Does knowing how to drive mean you can become a car thief? Maybe. But more than likely you will need to know exactly how various systems within the car work before you can hope to actually steal it.
It seems you are right! Thanks for directing me! I appreciate your help -
the_Grinch Member Posts: 4,165 ■■■■■■■■■■The author's site is no longer accessible (if you go to his page it says he's upgrading, but that message has been there for awhile) so I went with the archive version since the info hasn't changed and is definitely good.WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff