Career help/advice needed for a recent college graduate dummy

Hello seniors and experts!!
I have completed my Bachelor's (Information Technology) in India.
I want to start my career in cybersecurity but don't know a bit about what to do. I am a complete dummy. I used to read articles related to security/hacking during my B.S.; that's all I know, but I never did anything practical, as there was no one to guide me on which way to go.
How do I become a cybersecurity expert?
What certifications/trainings should I do?
Can I get a job by having certifications?
What programming languages should I know to become a cybersecurity expert?
I want to get deep insight on how to become an expert. Please help me out.
Comments
Thank you, NovaHax, for your prompt reply. Yes, I know this is a huge, different world and one becomes a pro with experience and hard work.
I really don't know where to start or what to start with. Can you please give me some light?
Honestly, it's a pretty broad question. Any idea what area of cybersecurity you are looking to get into?
Compliance / Audits
Digital Forensics
Incident Response
Security Engineering
Pentesting
Malware Analysis
Secure Software / Web Development
Exploit Development
After searching the given list on Wikipedia, I can say that I am interested in incident response/management, security engineering, pentesting and exploit development.
Do you think it is too late for me to start learning after my UG?
Thanks a lot, sir!! Yes, I have already started and will go through them.
Not at all. I didn't do my undergrad in security.
Does this seem like a contradiction to anyone else? So it is not critical to understand configurations for switches and routers...but it is critical to understand the ins and outs of how a network works. What do you think networks are built on??? I'll give you a hint...it rhymes with retworks and nouters.
I don't think anyone here would argue that you will get some benefit out of taking the course. It's not a question of whether you will learn something...it's a question of what you are paying for.
1. You can pay $600 just to take a test. And a test written by an organization that apparently lacks enough self-respect to even hire some quality-assurance guys to make sure that the entire test isn't laden with spelling errors, grammatical errors and accuracy errors.
2. Even worse, you can do what I did and pay $5,000 to get a whole bunch of slide shows and recordings of someone reading you the slides. Yeah...they list some good tools...but for the most part, don't tell you how to use them.
**One year later, I spent $900ish on OSCP and then $700ish on eWPT and learned 100x as much with each of those, than I did with EC-Council. And I paid EC-Council more than 5x as much money**
There is a reason why people on these forums try to steer other people away from EC-Council. And that is because the value that you get relative to the amount that you spend is not worth it...compared to many other industry alternatives. It's not because we are just jumping on an EC-Council bashing bandwagon.
No disagreement here. But just because something looks good to HR...doesn't mean it actually provides any real world skills. Sometimes you have to make a choice between the cert that's going to get you the job, and the cert that you are going to get something out of. Throughout my career, I've tried to do a fair balance of each of these. Everybody has to play the HR game from time to time. I will never judge someone for getting a cert because it's an HR expectation...and if that's the reason you want CEH...then more power to you. But when somebody asks me where they can learn good InfoSec skills (rather than just fluff their resume)...I'm not going to point them to EC-Council.
I hope you aren't referring to my earlier comments on this. The guy asked how he could become a "cybersecurity expert", not how he could grab an "entry level" position. I would never discourage anyone from trying to get into InfoSec. To excel in this field, however, you are going to need more than certs or training programs. You are going to need to love it...even when you hate to love it. And even when you eat, sleep and breathe security...you still will always feel like you are never going to catch up. And if you can learn to love that too...then you might be a good candidate for the field.
I generally don't recommend a lot of vendor certifications for infosec training, but the CCNA is one of the few exceptions. While it is Cisco-focused, there are many fundamental topics providing good insights into the types of challenges network engineers must deal with when designing networks. Those concepts apply to virtually any other vendor including Juniper, Brocade, etc. Since Cisco has such a large penetration into the market, learning Cisco nomenclature and approach is a good thing to have, in my opinion. The CCNA content is certainly incomplete when it comes to networking knowledge as a whole, but it's designed as an introduction to the field (beyond Network+ anyway).
Yup, yup, and yup. Certs and training gets you to point A, but then applying it is what really hardens the knowledge into you as a professional. Information security is akin to informational overload. It hurts so ... good. More, please?
Two qualities I look for in candidates when I interview them are 1) mindset and 2) maturity. It's hard to find people who have a good mindset in how they view the playing field and naturally scrutinize things with some inner suspicion. This is difficult to teach as it requires an additional layer of cognitive processing, although training can help begin instilling the basics.
Maturity is another thing that really makes a difference when selecting candidates, and this almost always comes from experience in the field. Too many candidates focus on tools rather than process, methodology, and other overall "physics" of the domain (the actual protocols, bits, host behavior, human emotion, potential intent, and so on). If one cannot look beyond the tool or appliance, then that person will be limited by the faith put into the vendor who made that tool, which itself will have its share of defects and limitations. Often the ones lacking some maturity will focus more on the controls rather than the goals of the mission scope.
*Yawn* Nora, I'm not trying to read all that, but from a brief glance you appear to be getting quite emotional. I wasn't referring to you at all, because I didn't read your previous post, or any other post from you in this thread for that matter. I'm not gonna argue with you and go back and forth, simply because I don't care what you are babbling about. But if you really paid $5000 for some training that didn't come from SANS, you're a fool.
Anyway, I'm gonna be the one questioning the OP's idea of getting into this in the first place. Basing your career on a Wikipedia search might not be the smartest thing anyone has ever done.
How do you define cybersecurity expert? As NovaHax pointed out, InfoSec is a very broad field.
You are interested in incident response/management, security engineering, pentesting and exploit development. That's a long and deep road to walk, especially security engineering. Start from the basics. I am going way above your head now and recommend Ross Anderson's Security Engineering book (Security Engineering - A Guide to Building Dependable Distributed Systems). But it may be better for you to start with reading materials for the Security+ certification to give you a foundation.
Not getting emotional at all. Just pointing out some inconsistencies and making some observations.
This was kind of the whole point...that spending the money on EC-Council's official training is not worth it...when compared to other industry alternatives.
Well, don't hold back then, Nova. Where would you point me?
My question is, what about these?
eCPPT
OSCP
OSCE
OSWE
In the case of these certs, they are affordable enough for me. Are the classes/training worthwhile? In what order would you rank them, knowing that the majority of my testing is conducted against building automation systems with either Java UIs and core C# code running on Windows or Linux boxes, or C# UIs with core C# running on Windows boxes? The DBs are typically SQL but I have seen some Access DBs.
The interface between the layer 1 RS-485/RS-232 ports is typically C++ to C# or C++ to Java.
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
Don't know much about eCPPT...but I do have some experience with eLearnSecurity (specifically the eWPT course). Also a very good course, and well worth the money.
OSWE doesn't really seem to belong in this list of otherwise affordable certs (since it is currently only available at BlackHat in the area of about $5,000...not including your stay in Vegas).
Personally, I wouldn't recommend anyone even think about OSCE or OSWE, if you haven't already endured OSCP. While not a pre-requisite...everyone I've ever talked to who has done multiple OffSec certs (OSWP not included) has indicated that OSCP is critical in developing an understanding of the OffSec way of learning.
I am taking SQL and Java classes and will take PHP, Python, Perl...
What other languages should I add to my list?
Thank you, senior!! This is exactly what I am looking for. I want to know the certs that give me skills and the certs that bring something out of me. Can you please mention them?
Apart from certs, I have been searching for websites/blogs which can help me to learn, but I am disappointed to find blogs/websites that give the latest updates and infosec news. I found some forums like milworm... Can you please let me know any?
Thank you, sir. Yes, I have decided to start with Sec+ and CISSP.
Those will give you a solid foundation to build on.
-Phil
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
You don't want to do CISSP yet; it's still too early for you. I will refer you to keatron's post. It's post #14 of the following link:
http://www.techexams.net/forums/security-certifications/28593-security-certification-where-start.html
Excellent example, read it.
Don't do it. You will gain little traction without the necessary experience. I've seen interviewers raise the bar straight out of the gate because the candidate was a CISSP.
No kidding. Technical vetting can get pretty brutal in this industry.
I recently got asked an XSS (cross site scripting) question about injecting JavaScript code into already existing HTML script tags if double quotations are escaped and you are injecting inside a double-quoted string. Apparently (and I didn't know this...but researched it afterwards), when your browser evaluates HTML content, it runs through everything with an HTML parser first, and then afterwards goes through with a separate parser that interprets any JavaScript. So you actually don't even have to escape the string with a second double quotation because the HTML parser is oblivious to the operational content within the script tags. That is to say...you can close the script with </script> without closing the double quote and the HTML parser will interpret it as if you weren't even inside a string...then you can inject new script content from there.
By far...the most specific scenario based question I have ever been asked. In my experience though...even if you don't know the exact answer to the question, you can still impress by relating to the subject matter with what you do know (assuming you are still knowledgeable about the topic).
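The two-stage parsing described in the post above, modeled as an added example (this is not code from the thread or from any poster). The HTML tokenizer's "script data" state is approximated by a small function that ends each script element at the first case-insensitive `</script`, whatever the JavaScript quoting context. The vulnerable and hardened templates are hypothetical; the thread only describes the scenario in prose.

```javascript
// Added example: models why escaping only double quotes does not stop a
// </script> break-out. The HTML tokenizer splits the page into <script>
// elements first; the JS engine only ever sees each element's body.

// Approximation of the HTML tokenizer's script-data state: returns the body
// of every <script> element, ending each at the first "</script" (case-
// insensitive) regardless of JS string quoting inside the body.
function extractScriptBodies(html) {
  const bodies = [];
  const open = /<script\b[^>]*>/gi;
  let m;
  while ((m = open.exec(html)) !== null) {
    const start = m.index + m[0].length;
    const rel = html.slice(start).search(/<\/script/i);
    const end = rel === -1 ? html.length : start + rel;
    bodies.push(html.slice(start, end));
    open.lastIndex = end;
  }
  return bodies;
}

// Hypothetical vulnerable server-side template: reflects `name` into a
// double-quoted JS string and escapes only the double quote.
function vulnerableTemplate(name) {
  const escaped = name.replace(/"/g, '\\"');
  return `<html><body><script>var user = "${escaped}";</script></body></html>`;
}

// Hardened variant: JSON-encode, then \u-escape '<', '>', '/' and the JS line
// terminators U+2028/U+2029, so the HTML tokenizer can never see "</script"
// inside the string. The JS parser decodes the escapes back to the original.
function hardenedTemplate(name) {
  const js = JSON.stringify(name).replace(/[<>\/\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
  return `<html><body><script>var user = ${js};</script></body></html>`;
}

// Constructed attacker input: no double quote at all, so the quote-escaping
// filter leaves it untouched.
const payload = '</script><script>alert(1)//';

// Vulnerable page: the tokenizer ends the first script at the injected
// "</script" even though JS would still be inside a string, and the
// attacker's script becomes its own element.
function vulnerableBodies() {
  return extractScriptBodies(vulnerableTemplate(payload));
}

// Hardened page: one script element, no literal "</script" in its body, and
// the JS engine still recovers the original string.
function hardenedBodies() {
  return extractScriptBodies(hardenedTemplate(payload));
}

// Run the (hardened) script body as the JS engine would and return `user`.
function evalUser(body) {
  return new Function(body + '\nreturn user;')();
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(vulnerableBodies()); // [ 'var user = "', 'alert(1)//";' ]
  console.log(hardenedBodies());   // one body containing \u003c\u002fscript
  console.log(evalUser(hardenedBodies()[0]) === payload); // true
}
```

The second element of the vulnerable result is exactly the attacker's script, executed as its own element; the first is an unterminated string that the JS engine rejects, which does not matter to the attacker. Note that the hardened version escapes `/` as well as `<`: JSON encoding alone leaves `</script` intact.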
What were you interviewing for? The most I have seen is what is XSS, how to protect, etc... just standard.
Lead pentesting role for a team of about 10 web-app and mobile pentesters for a big financial firm. They gave me a list of about 5 different scenarios. Different controls for each...and reflection into different locations on each. Then the question was...what payload to use on each to exploit XSS. I got all of them except the one above.
That was what I thought. Detailed technical questions are typically for jobs that focus specifically on a particular area. I remember in my system admin days, I was asked detailed questions regarding DCs and Kerberos error troubleshooting.
I don't expect to see the level of the question you got in my future job interviews since my responsibilities are those of a blue team.
Thanks for sharing the scenario; I learned something new.