Career help/advice needed for a recent college graduate dummie

That's a long road to travel my friend. I've been doing this for a while...and I still wouldn't consider myself a "cyber security expert"

NovaHax wrote: »

That's a long road to travel my friend. I've been doing this for a while...and I still wouldn't consider myself a "cyber security expert"

Thank you NovaHax for your prompt reply..yes i know this a huge different world and one becomes a pro with experience and hard work.
I really dont know where to start or what to start . Can you please give me some light

A professional is very different than an expert.

Honestly, its a pretty broad question. Any idea what are of cybersecurity you are looking to get into?

Compliance / Audits
Digital Forensics
Incident Response
Security Engineering
Pentesting
Malware Analysis
Secure Software / Web Development
Exploit Development

NovaHax wrote: »

A professional is very different than an expert.

Honestly, its a pretty broad question. Any idea what are of cybersecurity you are looking to get into?

Compliance / Audits
Digital Forensics
Incident Response
Security Engineering
Pentesting
Malware Analysis
Secure Software / Web Development
Exploit Development

After searching the given list in wikipedia.I can say that i am intrested in incident response/management**,security Engineering,pentesting and exploit development.

Do you think it is late for me to start learning after my ug ?

docrice

Not late, but one thing I will caution you is that your potential as a security professional is highly dependent on your ability to research on your own. This forum has tons of threads on career advice in the infosec space. Spend some days going through them.

docrice wrote: »

Not late, but one thing I will caution you is that your potential as a security professional is highly dependent on your ability to research on your own. This forum has tons of threads on career advice in the infosec space. Spend some days going through them.

thanks a lot sir !! Yes i have already started and will go through them

Samy909 wrote: »

Do you think it is late for me to start learning after my ug ?

Not at all. I didn't do my undergrad in security.

[Deleted User]

Getting some experience with scripting languges is key. Learning Python or Perl would be a great start! In regards to certificaions to get you a good leap into the industry, I posted this in a prevoius post, but here i the link anyway. CompTIA Career Pathways. You could start off with your Security+ certification and then work you way up to your CISSP. Stay away from the CEH certification. The cost is rediclious $100 application fee and $500 if they deem you are worthy! You could just go to Udemy and purchase the Hacking course and get the same amount of training as CEH. They are just money hungry.

The udemy course is an odd suggestion that I don't hear a lot. Why do you recommend that one? Have you taken it?

Khaos1911

I'll speak quite honestly here, with no intent of offending anyone on this site. Just what I've seen from my time on this board.....Going for the CEH is totally up to you and what you would use the knowledge/cert for. I'd much rather you learned something and actually get a cert that will help you in a job search than simply being a poster who "fits in" on this board. *side bar* CCNA will usually be heavily "Suggested" around these parts to, but if you don't give a crap about configuring switches and routers it is not necessary with you wanting to be in InfoSec, but knowing the in and outs of how a network works is vital to your goal of being in InfoSec. As you can tell with a brief browsing of this site, CEH is "frowned" upon around here, but I personally learned quite a bit from the official study material which goes pretty in depth in alot of cases. It's overkill for the actual exam, but if you want to learn some interesting aspects of InfoSec and Malware and such, the official study materials are pretty awesome. Also, obtaining the CEH with Sec +will also give you a leg up in job searches, believe me. Finding an "entry level"or introductory job or internship into InfoSec isn't as impossible as many around here would make you believe.

Khaos1911 wrote: »

if you don't give a crap about configuring switches and routers it is not necessary with you wanting to be in InfoSec, but knowing the in and outs of how a network works is vital to your goal of being in InfoSec.

Does this seem like a contradiction to anyone else? So it is not critical to understand configurations for switches and routers...but it is critical to understand the ins and outs of how a network works. What do you think networks are built on??? I'll give you a hint...it rhymes with retworks and nouters.

Khaos1911 wrote: »

As you can tell with a brief browsing of this site, CEH is "frowned" upon around here, but I personally learned quite a bit from the official study material which goes pretty in depth in alot of cases. It's overkill for the actual exam, but if you want to learn some interesting aspects of InfoSec and Malware and such, the official study materials are pretty awesome.

I don't think anyone here would argue that you will get some benefit out of taking the course. Its not a question of whether you will learn something...its a question of what you are paying for.

1. You can pay $600 just to take a test. And a test written by an organization that apparently lacks enough self-respect to even hire some quality-assurance guys to make sure that the entire test isn't laden with spelling errors, grammatical errors and accuracy errors.

2. Even worse, you can do what I did and pay $5,000 to get a whole bunch slide shows and recordings of someone reading you the slides. Yeah...they list some good tools...but for the most part, don't tell you how to use them.

**One year later, I spent $900ish on OSCP and then $700ish on eWPT and learned 100x as much with each of those, than I did with EC-Council. And I paid EC-Council more than 5x as much money**

There is a reason why people on these forums try to steer other people away from EC-Council. And that is because the value that you get relative to the amount that you spend is not worth it...compared to many other industry alternatives. Its not because we are just jumping on an EC-Council bashing bandwagon.

Khaos1911 wrote: »

Also, obtaining the CEH with Sec +will also give you a leg up in job searches, believe me.

No disagreement here. But just because something looks good to HR...doesn't mean it actually provides any real world skills. Sometimes you have to make a choice between the cert that's going to get you the job, and the cert that you are going to get something out of. Throughout my career, I've tried to do a fair balance of each of these. Everybody has to play the HR game from time to time. I will never judge someone for getting a cert because its an HR expectation...and if that's the reason you want CEH...then more power to you. But when somebody asks me where they can learn good InfoSec skills (rather than just fluff their resume)...I'm not going to point them to EC-Council.

Khaos1911 wrote: »

Finding an "entry level"or introductory job or internship into InfoSec isn't as impossible as many around here would make you believe.

I hope you aren't referring to my earlier comments on this. The guy asked how he could become a "cybersecurity expert", not how he could grab an "entry level" position. I would never discourage anyone from trying to get into InfoSec. To excel in this field, however, you are going to need more than certs or training programs. You are going to need to love it...even when you hate to love it. And even when you eat, sleep and breathe security...you sill will always feel like you are never going to catch up. And if you can learn to love that too...then you might be a good candidate for the field.

docrice

NovaHax wrote: »

Does this seem like a contradiction to anyone else? So it is not critical to understand configurations for switches and routers...but it is critical to understand the ins and outs of how a network works.

I generally don't recommend a lot of vendor certifications for infosec training, but the CCNA is one of the few exceptions. While it is Cisco-focused, there are many fundamental topics providing good insights into the types of challenges network engineers must deal with when designing networks. Those concepts apply to virtually any other vendor including Juniper, Brocade, etc.. Since Cisco has such a large penetration into the market, learning Cisco nomenclature and approach is a good thing to have, in my opinion. The CCNA content is certainly incomplete when it comes to networking knowledge as a whole, but it's designed as an introduction to the field (beyond Network+ anyway).

NovaHax wrote: »

To excel in this field, however, you are going to need more than certs or training programs. You are going to need to love it...even when you hate to love it. And even when you eat, sleep and breathe security...you sill will always feel like you are never going to catch up. And if you can learn to love that too...then you might be a good candidate for the field.

Yup, yup, and yup. Certs and training gets you to point A, but then applying it is what really hardens the knowledge into you as a professional. Information security is akin to informational overload. It hurts so ... good. More, please?

Two qualities I look for in candidates when I interview them is 1) mindset and 2) maturity. It's hard to find people who have a good mindset in how they view the playing field and naturally scrutinize things with some inner suspicion. This is difficult to teach as it requires an additional layer of cognitive processing, although training can help begin instilling the basics.

Maturity is another thing that really makes a difference when selecting candidates, and this almost always comes from experience in the field. Too many candidates focus on tools rather than process, methodology, and other overall "physics" of the domain (the actual protocols, bits, host behavior, human emotion, potential intent, and so on). If one cannot look beyond the tool or appliance, then that person will be limited by the faith put into the vendor who made that tool, which itself will have its share of defects and limitations. Often the ones lacking some maturity will focus more on the controls rather than the goals of the mission scope.

Khaos1911

NovaHax wrote: »

Does this seem like a contradiction to anyone else? So it is not critical to understand configurations for switches and routers...but it is critical to understand the ins and outs of how a network works. What do you think networks are built on??? I'll give you a hint...it rhymes with retworks and nouters.

I don't think anyone here would argue that you will get some benefit out of taking the course. Its not a question of whether you will learn something...its a question of what you are paying for.

1. You can pay $600 just to take a test. And a test written by an organization that apparently lacks enough self-respect to even hire some quality-assurance guys to make sure that the entire test isn't laden with spelling errors, grammatical errors and accuracy errors.

2. Even worse, you can do what I did and pay $5,000 to get a whole bunch slide shows and recordings of someone reading you the slides. Yeah...they list some good tools...but for the most part, don't tell you how to use them.

**One year later, I spent $900ish on OSCP and then $700ish on eWPT and learned 100x as much with each of those, than I did with EC-Council. And I paid EC-Council more than 5x as much money**

There is a reason why people on these forums try to steer other people away from EC-Council. And that is because the value that you get relative to the amount that you spend is not worth it...compared to many other industry alternatives. Its not because we are just jumping on an EC-Council bashing bandwagon.

No disagreement here. But just because something looks good to HR...doesn't mean it actually provides any real world skills. Sometimes you have to make a choice between the cert that's going to get you the job, and the cert that you are going to get something out of. Throughout my career, I've tried to do a fair balance of each of these. Everybody has to play the HR game from time to time. I will never judge someone for getting a cert because its an HR expectation...and if that's the reason you want CEH...then more power to you. But when somebody asks me where they can learn good InfoSec skills (rather than just fluff their resume)...I'm not going to point them to EC-Council.

I hope you aren't referring to my earlier comments on this. The guy asked how he could become a "cybersecurity expert", not how he could grab an "entry level" position. I would never discourage anyone from trying to get into InfoSec. To excel in this field, however, you are going to need more than certs or training programs. You are going to need to love it...even when you hate to love it. And even when you eat, sleep and breathe security...you sill will always feel like you are never going to catch up. And if you can learn to love that too...then you might be a good candidate for the field.

*Yawn* Nora, I'm not trying to read all that, but from a brief glance you appear to be getting quite emotional. I wasn't referring to you at all, because I didn't read your previous post, or any other post from you in this thread for that matter. I'm not gonna argue with you and go back and forth, simply because I don't care what you are babbling about. But if you really paid $5000 for some training that didn't come from SANS, you're a fool.

Master Of Puppets

^ ...

Anyway, I'm gonna be the one questioning the OP's idea of getting into this in the first place. Basing your career on a wikipedia search might not be the smartest thing anyone has ever done

. Take your time, learn a little about IT in general and what it is and go from there.

I agree with Master of Puppets on taking time and learning IT in general, especially if you want to become a cybersecurity expert. Basics are important, very important.

How do you define cybersecurity expert? As NovaHax pointed out, InfoSec is a very broad field.

You are interested in incident response/management, security engineering, pentesting and exploit development. That's a long and deep road to walk, especially security engineering. Start from the basic. I am going way above your head now and recommend you Ross Anderson's Security Engineering book (Security Engineering - A Guide to Building Dependable Distributed Systems). But it may be better for you to start with reading materials for Security+ certification to give you a foundation.

Khaos1911 wrote: »

I'm not trying to read all that, but from a brief glance you appear to be getting quite emotional.

Not getting emotional at all. Just pointing out some inconsistencies and making some observations.

Khaos1911 wrote: »

But if you really paid $5000 for some training that didn't come from SANS, you're a fool.

This was kind of the whole point...that spending the money on EC-Council's official training is not worth it...when compared to other industry alternatives.

philz1982

NovaHax wrote: »

But when somebody asks me where they can learn good InfoSec skills (rather than just fluff their resume)...I'm not going to point them to EC-Council.

Well don't hold back then Nova, where would you point me

. I am curious as I haven't gotten feedback on my other thread (no shame in thread jacking here

)

My question is what about ...

What about

eCPPT

OSCP

OSCE

OSWE

??

In the case of these certs, they are affordable enough for me. Are the classes/training worthwhile? In what order would you rank them knowing that the majority of my testing is conducted against building automation systems with either Java UI's and core C# code running on Windows or Linux boxes or C# UI's with core c# running on windows boxes. The DB's are typically SQL but I have seen some Access DB's.

The interface between the layer 1 RS-485/RS-232 ports is typically C++ to C# or C++ to Java.

Of the courses you listed, the only one I can speak to personally is OSCP. Awesome course, and well worth the money.

Don't know much about eCPPT...but I do have some experience with eLearnSecurity (specifically the eWPT course). Also a very good course, and well worth the money.

OSWE doesn't really seem to belong in this list of otherwise affordable certs (since it is currently only available at BlackHat in the area of about $5,000...not including your stay in Vegas).

Personally, I wouldn't recommend anyone even think about OSCE or OSWE, if you haven't already endured OSCP. While not a pre-requisite...everyone I've ever talked to who has done multiple OffSec certs (OSWP not included) have indicated that OSCP is critical in developing an understanding of the OffSec way of learning.

Thank you senior !!

kMastaFlash wrote: »

Getting some experience with scripting languges is key. Learning Python or Perl would be a great start! In regards to certificaions to get you a good leap into the industry.

i am taking sql and java classes and will take php,python,perl...
what other languages should i add to my list ?

NovaHax wrote: »

Sometimes you have to make a choice between the cert that's going to get you the job, and the cert that you are going to get something out of. Throughout my career, I've tried to do a fair balance of each of these.

Thank you senior !! This is what i am exactly looking for . I want to know the certs that gives me skill and and certs that brings something out of me.can you please mention them.

apart from certs ..i have been searching for websites / blogs which can help me to learn.but i am dissapointed to find blogs/websites that gives latest updates and infosec news.i found some forums like milworm...can u pls let me know any ?

GarudaMin wrote: »

You are interested in incident response/management, security engineering, pentesting and exploit development. That's a long and deep road to walk, especially security engineering. Start from the basic. I am going way above your head now and recommend you Ross Anderson's Security Engineering book (Security Engineering - A Guide to Building Dependable Distributed Systems). But it may be better for you to start with reading materials for Security+ certification to give you a foundation.

thank you Sir .. Yes have decided to start with sec+ And cissp

philz1982

I would start with SEC+ and CCNA maybe even a Linux cert also.

Those will give you a solid foundation to build on.

-Phil

Samy909 wrote: »

thank you Sir .. Yes have decided to start with sec+ And cissp

You don't want to do CISSP yet, it's still too early for you. I will refer you to keatron's post. It's post#14 of the following link:
http://www.techexams.net/forums/security-certifications/28593-security-certification-where-start.html

Excellent example, read it.

emerald_octane

Samy909 wrote: »

thank you Sir .. Yes have decided to start with sec+ And cissp

Don't do it. You will gain little traction without the necessary experience. I've seen interviewers raise the bar straight out of the gate because the candidate was a CISSP.

emerald_octane wrote: »

Don't do it. You will gain little traction without the necessary experience. I've seen interviewers raise the bar straight out of the gate because the candidate was a CISSP.

No kidding. Technical vetting can get pretty brutal in this industry.

I recently got asked a XSS (cross site scripting) question about injecting javascript code into already existing HTML script tags if double quotations are escaped and you are injecting inside a double quotation string. Apparently (and I didn't know this...but researched it afterwards), when your browser evaluates HTML content, it runs through everything with an HTML parser first, and then afterwards goes through with a separate parser that interprets any javascript. So you actually don't even have to escape the string with a second double quotation because the HTML parser is oblivious to the operational content within the script tags. That is to say...you can close the script </script> without closing the double-quote and the HTML parser will interpret it as if you weren't even inside a string...then you can inject new script content from there.

By far...the most specific scenario based question I have ever been asked. In my experience though...even if you don't know the exact answer to the question, you can still impress by relating to the subject matter with what you do know (assuming you are still knowledgeable about the topic).

NovaHax wrote: »

No kidding. Technical vetting can get pretty brutal in this industry.

I recently got asked a XSS (cross site scripting) question about injecting javascript code into already existing HTML script tags if double quotations are escaped and you are injecting inside a double quotation string. Apparently (and I didn't know this...but researched it afterwards), when your browser evaluates HTML content, it runs through everything with an HTML parser first, and then afterwards goes through with a separate parser that interprets any javascript. So you actually don't even have to escape the string with a second double quotation because the HTML parser is oblivious to the operational content within the script tags. That is to say...you can close the script </script> without closing the double-quote and the HTML parser will interpret it as if you weren't even inside a string...then you can inject new script content from there.

By far...the most specific scenario based question I have ever been asked. In my experience though...even if you don't know the exact answer to the question, you can still impress by relating to the subject matter with what you do know (assuming you are still knowledgeable about the topic).

What were you interviewing for? The most I have seen is what is XSS, how to protect, etc... just standard.

danny069

My Cyber Security professor says don't claim to be an expert in anything lol. Right now I am currently enrolled in my Bachelor's Degree program - Cyber Security/Digital Forensics. I find it interesting, but my advice would be to learn skills in every aspect of cyber security, ie: incident handling, digital forensics, penetration testing, etc. they all go hand in hand and it looks good if you are prepared to tackle anything.

GarudaMin wrote: »

What were you interviewing for? The most I have seen is what is XSS, how to protect, etc... just standard.

Lead pentesting role for a team of about 10 web-app and mobile pentesters for a big financial firm. They gave me a list of about 5 different scenarios. Different controls for each...and reflection into different locations on each. Then the question was...what payload to use on each to exploit XSS. I got all of them except the one above.