InfoSec Student Advice

josh29 Registered Users Posts: 3
Hey what's up everybody,

I’m a student about to graduate with a BAS in IT Network Administration & Security next June. I’m more interested in the security side, specifically penetration testing – and not the type that just scans a customer network with Nessus and then hands them the report, or just tries to exploit the "reds". Check out this video:

I got the CompTIA A+, Net+, Sec+ triad out of the way this year and although I know certs can mean nothing and at the end of the day it’s about knowledge, passion, and experience – I feel like as someone trying to break into the industry they are beneficial.

At my current internship, my responsibility is to help create security-focused technical documentation relating to the company's product RFIs, and to set up/configure a vulnerability management program using Nessus. It’s been a great experience, and I’ve learned a lot about the difference between what’s taught in class and the real world in terms of GRC.

Sorry if this is long winded, just trying to give some context...

So my question is: with about 9 months until graduation and my internship ending in the next couple of weeks, I’ll have time outside of class and homework to focus on my home lab and certifications. From your perspective, would you recommend someone with no real sysadmin/netadmin experience focus on things like eCPPT and OSCP before graduation with a plan to land a junior role? Or would it be better to study for and obtain, say, an MCSA 2012 and LFCS, get a sysadmin job for a couple of years while learning in that space about systems and network administration, keep doing CTFs, home labbing, and doing things like eLearnSecurity and OffSec certs – then move into a pen test role as it presents itself?

Thanks for any input :)


  • 636-555-3226 Member Posts: 975
    Everybody's hopping on the penetration tester bandwagon! No shortage of people learning that role for sure..... Get a job where you want to get a job. It'll be easier to focus on security right out of school rather than be a sysadmin for 5 years then try to pivot into security. I'd find an entry-level infosec position and train up as much as you can on the job and at home. Lots of youtube, books, vms, vulnerable vms, etc out there.
  • the_Grinch Member Posts: 4,165
    Gotta walk before you can run. You should have some experience with setting up and securing a technology before you go jumping into breaking into it. Part of your pentesting report is going to cover the remediation of what you discovered. If you don't know how a router or switch works, how it is configured, and the best practices, then when you get pushback you'll have no means by which to make a convincing argument as to why the fix needs to happen and how it can be done without impacting their operations.

    Thus, get a job in whatever you'd like to focus on for pentesting (network admin if network security, system admin if system security, web development if web app security) and then take the eLearnSecurity course for students to get you started. If you are working and studying, in two years you should be in a place where you can jump into pentesting and be an asset to the team.

    I have a bachelor's in computer security and thought when I graduated I would be hired right onto a network security team. A major reality check ensued for me. Besides it being the end of 2008, when getting a job was extremely difficult, with only some part-time support experience I only had three security-related interviews from hundreds of resumes being sent. One I bombed big time because I lacked any experience, another went really well, but they chose to keep the position as a co-op instead of converting it to full time, and the last was a government position that didn't pan out. Things really haven't changed since 2008, so heed my advice. It took me four years of full-time support/administration work to get into a security-related position, and without that experience I would have been a terrible network security admin. Being able to troubleshoot, work through problems, and having the soft skills makes all the difference between success and failure in this field.

    As a recent example, in my current position I am a forensic investigator, but I dabble in the IT side because of my background. Our IT team reached out because they got some concerning information from a vendor for a tool we use and they wanted to confirm what they were told. It was partially correct, but at the same time there were steps we could take to minimize the risks. I confirmed what was true, explained what was incorrect, and provided means by which to mitigate their concerns, all while speaking their language. Thus I could talk them off the ledge; they know my background and experience, so they know I understand where they're coming from, and management knows we'll be able to get things in place properly. Wouldn't have been possible if I hadn't used the traditional route to get where I am.
  • m4v3r1ck Member Posts: 29
    Take my advice with a grain of salt as I do not currently work in the pen testing field:

    I think you should definitely begin focusing on learning penetration testing skills. The OSCP seems to be the golden ticket to breaking into the field, though many have said they were not able to land a job right away after obtaining it. If you have the time (30+ hours a week) and the dedication (i.e. try harder), then I'd recommend doing the OSCP as soon as you can. While obtaining it might not guarantee a job, it definitely puts your resume in a narrow field almost immediately.

    There are others who will tell you to build a foundation first and then move on. This holds value. Will being a net admin, sys admin, or dev help you be a better penetration tester? Absolutely. In my opinion, however, so will landing a junior pen tester role and slugging it out. Just never lose motivation and have a desire to learn outside of work. The more effort you put in the better you will be.

    I'll give you a brief example. I came into IT full-time less than 2 years ago making $45k. I hated the field I was in before, went and got a master's (and an IT graduate assistantship), and found a full-time help desk role out of college. Since then, I've earned all the certs you see to the left by working hard and studying. I still have a life and make time for my friends. It's not really studying when it's your passion. My co-worker at my help desk job used to tell me experience was everything and that certs didn't matter. Experience absolutely matters, but certs do put you above an equal applicant when comparing resumes.

    This co-worker in particular has no certs. When he gets off work, he goes home and chooses to play video games in his free time. That's his choice. IT is a job for him, not a passion. He's been in the field 10+ years and is a great network engineer. His salary right now? $55k.

    Back to me. I used the certifications and motivation to flip my help desk role into a senior network role. My salary now? $80k with less than 2 years of experience. I expect that to go up after the OSCP by another $40k ($120k is the pay for red team in my company).

    So, if you are truly passionate about pen testing, go all-in for the OSCP. Put in the time and the effort and you will go far in life. If it's something that interests you and you get excited about every single day, then you'll know you're in the right field and money/success will come easy.

    I start my journey tomorrow. If you do start the OSCP, give me a PM and I'll be happy to guide you as best as I can.