How to Build a Cybersecurity Career

So this article is an answer to that question, with all the various aspects of the question presented in one place. It should give you the knowledge to go from complete novice, to getting your first job, to reaching the top of the industry.

Education

Information Security is an advanced discipline, meaning you should ideally be good at some other area of tech before entering it. This isn’t required, but it’s common and it’s ideal. The three areas that infosec people normally come from are:

  • System Administration

  • Networking

  • Development

Those are in order of most common entry points, not the best. Best would be development, then system administration, then networking.

But let’s assume you don’t have a background in any of those, and that you need to start from nothing. We need to learn you up, and there are three main ways of doing this:

  • University

  • Trade School

  • Certifications

I recommend doing a four-year program in Computer Science or Computer Information Systems or Information Technology at a decent university as the best option. But while you do it you need to be doing everything else in this article.

What you learn in college depends on the class content and your interaction with others, and the content you can likely get in many different places. Hanging out and building stuff with a bunch of other smart people is the real benefit of university.

There are many who go to university for CS or Security and never become successful in the industry, and there are many who never go and reach the highest levels. University is not everything.

If you can’t do university you’ll need to learn another way, e.g., trade school or certifications. Any of these will do as long as you have the curiosity and self-discipline to complete what you start.

Here are the basic areas you need to get from either university, trade school, or self study/certification:

  • Networking (TCP/IP, switching, routing, protocols, etc.)

  • System Administration (Windows, Linux, Active Directory, hardening, etc.)

  • Programming (programming concepts/scripting/object orientation basics)

Database is in there as well, mixed in with system administration and programming.

If you don’t have a good foundation in all three of these, and ideally some decent strength in one of them, then it’s going to be hard for you to progress past the early stages of an information security career. The key at this point is to not have major holes in your game, and being weak in any of those is a major hole.

I’m going to talk more about certifications later, but I mention them above for one reason: you can use the certification study books as teaching guides. They’re quite good at showing you the basics. Here are some examples:

  • A+
  • Security+
  • Linux+
  • CCNA

There are great books out there (just Google for the best one) that can show you the basics of a topic quite rapidly. It’s a good way to make sure you don’t have any major gaps in your knowledge.

Programming

Programming is important enough to mention on its own. If you do not nurture your programming skills you will be severely limited in your information security career.

See the differences between programmer types here.

You can get a job without being a programmer. You can even get a good job. And you can even get promoted to management. But you won’t ever hit the elite levels of infosec if you cannot build things. Websites. Tools. Proofs of concept. Etc.

If you can’t code, you’ll always be dependent on those who can.

Learn to code.

Input sources

One of the most important things for any infosec professional is a good set of inputs for news, articles, tools, etc.

This has traditionally been done with a list of preferred news sources based on the type of security the person is into. There are sites focused on network security, application security, OPSEC, OSINT.

Increasingly, though, Twitter is replacing the following of websites. The primary reason for this is the freshness of data. Twitter is real-time, which gives it an advantage over traditional sources.

Follow people on Twitter who can expose you to new ways of thinking, new ways of learning things, and new knowledge for you to consume. And find all their sources and track those in your RSS reader.

I recommend Feedly for RSS.

Building Your Lab

Having a lab is essential. It’s actually one of the first things I ask when I’m looking at candidates during interviews. I ask what kind of lab or network they have to play with, and if they reply that they don’t have either I thank them for their time.

The lab is where you learn. The lab is where you run your projects. The lab is where you grow.

There are a few options for lab setups.

  1. VMware (or similar) on a laptop or desktop

  2. VMware (or similar) on a laptop or desktop that’s now a server

  3. A real server with VMware (or similar) on it

  4. VPS systems online (EC2, Linode, Digital Ocean, LightSail, etc.)

I recommend a combination of #3 and #4 if you have the money, with #3 coming first. Here are some of the things you want to be able to do in such a lab:

  • Build an Active Directory forest for your house

  • Run your own DNS from Active Directory

  • Run your own DHCP server from Active Directory

  • Have multiple zones in your network, including a DMZ if you’re going to serve services out of the house

  • Graduate up to a real firewall as soon as possible, using Sophos for example.

  • Have a Kali Linux installation always ready to go

  • Set up a proxy server

  • Build and run your own VPN on a VPS

  • Build and configure an email server that can send email to the Internet using Postfix, Qmail, or Sendmail

These are the basics. Most people who are hardcore into infosec have done the list above dozens or hundreds of times over the years.

The advantage of a lab is that you now have a place to experiment. You hear about something from your news intake, and you can hop onto your lab, spin up a box, and muck about with it. That’s invaluable for a growing infosec mind.

Now that you have that list going, you can start focusing on your own projects.

You Are Your Projects

This is where the book knowledge stops and creativity begins. You should always be working on projects.

As a beginner, or even as an advanced practitioner, nobody should ever ask you what you’re working on and hear you say, “Nothing.” Unless you’re taking a break in-between, of course.

Projects tend to cross significantly into programming. The idea is that you come up with a tool or utility that might be useful to people, and you go and make it.

And while you’re learning, don’t worry too much if someone has already done something beforehand. It’s fun to create, and you want to get used to the thrill of going from concept to completion using code.

The key skill you’re trying to nurture is the ability to identify a problem with the way things are currently done, and then to 1) come up with a solution, and 2) create the tool to solve it.

Projects show that you can actually apply knowledge, as opposed to just collecting it.

Don’t think about how many projects you have. If you approach it that way it’ll be artificial. Instead, just focus on interesting problems in security, and let the ideas and projects come to you naturally.

In the writing world, there’s a maxim that says, “Show, don’t tell”. Projects are showing, and collecting knowledge is telling.

Practicing with Bounties

Now that you have a lab, have some solid skills, and some projects you’ve been hacking on, you may want to work on some bug bounties.

The reason for this is best summarized as a fast track to real experience, which is the #1 ask of anyone looking to give you a job. So in addition to coding experience (with your projects), with bounties you can also gain testing experience.

There are two main platforms you can do bounties on: Bugcrowd and HackerOne. There are many more but those have the most programs and the most maturity.

The process is that you register on the site, look for a program you’re interested in looking for bugs on, and then you jump right in. Here are a few things to keep in mind:

  • Read the rules and limitations associated with each program very carefully. You don’t want to run afoul of either the platform or the customer.

  • There are multiple types of bounty program. Some pay money and are higher scrutiny and competition, and others are more for Karma, or Kudos, and are better opportunities for beginners to practice.

The world is quite nuanced, with a number of rules and a unique etiquette that you should learn. So be respectful of that and you’ll be more efficient and less likely to step on toes.

For both programming on GitHub and doing bounties, the goal is to gain professional experience before you get a job, or before you get a job in the field you want. It’s the way to show rather than tell.

Having an active GitHub and having some solid bug finds in your bounty profiles is a way to set yourself far apart from someone who is still pure theory, and can easily help you get your first position, or a new position in a field you’re not yet established in.

Having Passion

Up until now we’ve been talking about the tangibles. Now let’s talk a bit about the other—and arguably the most important—key differentiators between someone who gets to the top of this game and someone who fades out in the middle.

Curiosity, Interest, and Passion.

90% of being successful is simply getting 100,000 chances to do so. You get chances by showing up. By spinning up that VM. By writing that proof of concept. By writing that blog post. And you have to do it consistently over a number of years.

You can do this two different ways:

  1. Inhuman amounts of self-discipline enable you to do this

  2. A deep, innate passion compels you to do this

Not many people can maintain the first one for that long. It’s hollow. It’s empty. These types are out there, but they often burn out and move on to something else. The top people are compelled.

Most who stay with infosec for many years, and who are successful, achieve success because they’re powered by an internal molten core. They couldn’t stop doing security if they tried.

They’re up late at night writing a tool or a blog post not because it’s the scheduled time, but because they’re physically unable to do otherwise.

Ideally, someone wishing to succeed in this world of infosec should have a lot of self-discipline. It’s important. It’s respectable. You need a certain amount of it.

But if you truly want to thrive, and do so without a frozen soul, you should be pulled by passion rather than pushed by discipline.

© 2024 - Sofiane Hamlaooui - Making the world a better place 🌎