Breaking Into Cybersecurity PDF

The document provides an overview and plan for breaking into a career in cybersecurity over 5 years. It discusses key questions people have about working in cybersecurity and the goals of the book. The book works through a step-by-step timeline that provides advice at each stage of a cybersecurity career. It also covers important concepts like the distinction between red and blue teams, and how cybersecurity involves developing niche expertise areas. The summary highlights that the book recommends 6 months of part-time cybersecurity bootcamp training to learn necessary skills, covering foundations of computing, networking, security, and programming.

  • Breaking Into Cybersecurity Introduction
  • Initial Guidance and Questions
  • Key Concepts
  • How This Book Works
  • Timeline for Training
  • Job Roles and Salaries
  • Training Journey Start
  • Building and Expanding Skills

Breaking Into Cybersecurity

2019 Edition

Mark Davis, Managing Director of Fullstack Cyber Bootcamp


If you’re reading this book, then you’re probably exploring cybersecurity as a possible career path. But at this point, you’ve probably got more questions than answers.

Where would I start?
What would I need to learn?
How “hard” would it be?
Would I like the day-to-day work?
What would my career path look like?

These are smart questions, and they get asked often. And that’s exactly why I wrote this book. I want to de-mystify the world of cybersecurity, so you can see what it’s really like to work in this fast-moving (and headline-grabbing) field.

Then you’ll be able to decide if this might be a good career path...for you.
How this book works.

In this book, I’m going to give you some advice on starting a career in cybersecurity. I’ll put the advice within a step-by-step, 5 year timeline that looks like this:

[timeline figure]

It’s basically a 5 year plan for being successful in this field and (most importantly) having some fun while doing so. Throughout the book, I’ll sprinkle in advice from some of the most respected hackers in the world, in the form of quotes and related YouTube videos. But before we get started, let’s take a look at three key concepts in terms of cybersecurity careers...
KEY CONCEPT 1: To hack something, you need to know how it works.

One of the things about cybersecurity is that it draws heavily from the world of IT. That is, you need to have solid IT skills if you’re going to do well in cybersecurity.

Why?

Because you won’t be able to hack networks if you don’t know how they work. And you won’t be able to defend against attacks either.

The same goes for hacking computers, web apps, wireless networks... you name it.

So as you begin your journey, keep in mind that you’ll need to build your IT muscles as a first step. We’ll describe how to do that later in this book.
KEY CONCEPT 2: Red Team vs Blue Team.

In infosec we have something called “red team” and “blue team”. The distinction is simple...red team is offense, and blue team is defense.

Most infosec practitioners think of themselves as one or the other, and most infosec jobs can be categorized as either red or blue team. As a general rule, about 85% of cybersecurity jobs are blue team and about 15% are red team.

You will need to decide which team you want to work on. How should you make that decision? It’s simple. Choose whichever sounds more interesting and fun to you. This will become clear as you work through your initial technical training.

In terms of that training, though, you should plan to learn both red team and blue team skills.

Why?

Because knowing offense will make you a better defender, and vice versa.
KEY CONCEPT 3: Infosec is all about niches.

Niches are actually one of the coolest things about the world of cybersecurity.

Here’s an analogy: In the world of medicine, doctors specialize in one particular area (e.g. cancer treatment) because there’s such a vast amount of knowledge that it’s not possible to be an expert in all areas. The same thing happens in cyber.

As you go through your technical training, you’ll be exposed to all sorts of different concepts, tools and methods. You will naturally gravitate to whatever is most interesting and fun to you. And that’s the niche you should choose career-wise.

Example niches in cybersecurity:
• Footprinting and reconnaissance
• Social engineering
• Hacking web servers
• Hacking web applications
• Hacking wireless networks
• Hacking mobile platforms
• Intrusion detection systems (IDS)
• Malware analysis
• Digital forensics
• Incident response
• Cloud security
• Cryptography
Now let’s take a quick tour of the timeline, before we start diving into the details...

[timeline figure, axis labelled “Months”]

TIP: This book uses animated builds to help tell the story (as you’re about to see on the next few pages). For the optimal reading experience, make sure to read the book on a PC or laptop, in full-screen mode, and use the right or down arrow to advance each page.
The timeline, stage by stage:

Training for 1st job
Job Search
(At this point, we start looking at example job roles and average salaries.)
SOC Analyst ~ $85,000
Penetration Tester ~ $102,000
Cybersecurity Engineer ~ $108,000
Cybersecurity Architect ~ $129,000
Training for 1st job

Now let’s start our journey.

The first thing you’ll need to do is learn the technical skills you’ll need to get hired as a cybersecurity professional.
How long will it take to learn the required skills?

It depends on how you do it:

University under-graduate degree (in cybersecurity): 4 years
University masters degree (in cybersecurity): 2 years
Self study: 12-18 months
Cybersecurity bootcamp (part-time): 6 months
Cybersecurity bootcamp (full-time): 3 months

In the rest of this book, I’ll assume you go to a part-time bootcamp (so you spend 6 months training).
These are the 3 things you need to do in training:

1) Build your foundation
2) Learn offense
3) Learn defense
Build your foundation

The first thing you need to do is build your foundation, by studying these 4 areas:

Computing Foundations: ~ 20 hours
Network Foundations: ~ 40 hours
Security Foundations: ~ 40 hours
Basic Programming Skills: ~ 40 hours
Computing Foundations (~ 20 hours)

What you need to learn:
• Hardware (components, memory hierarchy, BIOS)
• Networking (IPv4/IPv6, TCP & UDP ports, protocols)
• Wireless (standards, encryption)
• Network devices
• Windows OS familiarity
• Linux OS familiarity
• Virtualization and cloud
• General security threats & practices
• Software troubleshooting

A good way to learn it: Watch free training videos from Professor Messer. The videos are from the course for the CompTIA A+ exam. I recommend watching the Professor Messer videos related to the topics listed above, but not taking the certification exam.
Network Foundations (~ 40 hours)

What you need to learn:
• OSI Model
• Addressing topologies
• How routing works
• How switching works
• Networking devices
• Various networking protocols

A good way to learn it: Watch the free training videos from [source shown as an image in the original] …then earn your first certification: [certification shown as an image in the original].
Security Foundations (~ 40 hours)

What you need to learn:
• Threats, attacks, & vulnerabilities
• Security tools and components
• Identity and access management
• Cryptography & PKI
• Data encoding
• Cryptography (encryption, hashes)
• Introduction to digital forensics
• Introduction to malware analysis and reverse engineering

A good way to learn it: Watch the free training videos from [source shown as an image in the original] …then earn your 2nd certification: [certification shown as an image in the original].
Basic Programming Skills (~ 40 hours)

What you need to learn:
• Basic programming (in Python)
• Basic scripting (in Bash)
• Automating with PowerShell
• Automating web crawling

A good way to learn it: There are quite a few free resources available online...just make sure to choose resources that teach these topics with a focus on cybersecurity.
Learn offense

Now that you’ve built your foundation, you’re ready to start learning offense. At this point, you’ll want to develop something called the “security mindset”.

Here’s a video from security researcher Bruce Schneier explaining how it works:

Bruce Schneier: The Security Mindset.
https://www.youtube.com/watch?v=eZNzMKS7zjo
Ethical Hacking (red team)

Then you’ll start learning a bunch of tools and methods, layering on more skills as you go. These are the types of things you need to learn:

Network and Web Application Penetration Testing:
• Penetration Testing Phases
• Kali Linux
• Active / Passive Information Gathering (e.g. enumerating)
• Attack Frameworks (Metasploit)
• Shells
• Privilege Escalation
• Server Side Attacks
• Password Attacks
• Client Attacks
• Post-Exploitation
• Anti-Virus Evasion
• Persistence

Advanced Penetration Testing and Exploit Development:
• Buffer Overflows (Win32 / Linux)
• Advanced BOF (ret2libc, defeating stack protection, defeating ASLR, ROP chains)
• Crypto Attacks (bit flipping, hash extension, padding oracle)
• Network Attacks (ARP and CDP Spoofing)
• IPv6 scanning
• Web Frameworks (PHP, Flask)
• Web Application Filter & Firewall Bypass

What’s the best way to learn this stuff? I recommend…
…an online course called Penetration Testing with Kali Linux (also called “PWK”).

This course is pretty much the “gold standard” for learning offensive security.

Comes with 30-days of access to their offensive labs platform.

Not cheap ($800) but worth it.

You could try and pull together free online resources to learn the material instead, just make sure they cover the concepts on the previous page.
Should you take the OSCP exam?

The PWK course is offered by a company called Offensive Security, who also offer the OSCP certification.

The OSCP is the most elite red team certification you can earn.

Requires that you pass a grueling 24-hour exam, where you have to hack into 5 different computers.

People with the OSCP certification are like the “Navy Seals” of red teamers (and are very in demand by employers around the world).

PWK is the official prep course to take the OSCP exam, and the fee of $800 includes sitting for the exam 1 time.

Taking the OSCP exam is optional, but recommended.
Learn defense

At this point, you’ve learned offensive skills and the security mindset. This is the perfect time to begin learning defense.

You should plan to study the 5 key areas within the NIST Cybersecurity Framework:
The NIST Cyber Security Framework (Identify, Protect, Detect, Respond, Recover):

Identify
• Identify and control who has access to your business information.
• Conduct background checks.
• Require individual user accounts for each employee.
• Create policies and procedures for cybersecurity.

Protect
• Limit employee access to data and information.
• Install Surge Protectors and Uninterruptible Power Supplies (UPS).
• Patch your Operating Systems and applications routinely.
• Install and activate software and hardware firewalls on all your business networks.
• Secure your wireless access point and networks.
• Set up web and email filters.
• Use encryption for sensitive business information.
• Dispose of old computers and media safely.
• Train your employees.

Detect
• Install and update anti-virus, anti-spyware, and other anti-malware programs.
• Maintain and monitor logs.

Respond
• Develop a plan for disasters and information security incidents.

Recover
• Make full backups of important business data and information.
• Continue to schedule incremental backups.
• Consider cyber insurance.
• Make improvements to processes/ procedures/ technologies.

During this part of your training, it’s good to study at least 40 hours in each area (to learn the key aspects of each).
Make sure that you’re studying the most popular defensive technologies (that are most in-demand by employers) like:

[product logos shown as images in the original]
Job Search

Now that you’ve completed your technical training, you’re ready to begin your career as a cybersecurity professional.

With your newly-acquired skills, you are now very in demand.
This is a good website for seeing different types of infosec roles, and related data (like average salaries):
https://www.cyberseek.org/pathway.html

This is a good website for seeing places with the most infosec job openings:
https://www.cyberseek.org/heatmap.html

Here’s a great article about different types of roles:
https://tisiphone.net/2015/11/08/starting-an-infosec-career-the-megamix-chapters-4-5/
Advanced certifications

Now that you’ve finished your initial technical training, you have solid skills on both the red team and blue team. You should get an advanced certification to demonstrate that to employers.

I recommend getting the CISSP at this stage, because it’s the cert that is most in-demand by employers around the world. The problem is that you need 5 years of work experience to get a CISSP. But here’s a little hack you can do:

Take the CISSP exam now and get the CISSP Associate, which is basically the CISSP pending 5 years experience. This shows employers that you have the technical chops that they need, which means you will be more in demand, more quickly.

If you want to pursue a career in red team, then I’d suggest trying to get the OSCP too. Or you can get some of the GIAC certifications from SANS, but they can be expensive (with courses and books in the thousands of dollars and tests in the hundreds). So I’d suggest waiting to get any of the SANS certs until later, when you can have an employer pay for them (employers will often pay for courses and certs as a perk to entice you to come work for them).
In terms of time management during this phase, you should plan to spend about 50% of your time studying for an advanced cert and 50% on job search activities (e.g. interviews).
SOC Analyst ~ $85,000

Your first job as a security professional

For many people in infosec, their first job is as a Security Operations Center (SOC) Analyst.

You’ll use tools like Intrusion Detection Systems (IDS) to find threats, and catch them before they get serious.

Watch the video to see what a day in the life of a SOC analyst looks like: A Day in the Life of a Security Analyst.

You might work for a SOC service provider (as shown in the video) or at a SOC within a company (which is more common).
Penetration Tester ~ $102,000

Leveling up your career

Maybe your next step is to join the red team as a penetration tester.

Look for vulnerabilities to help companies improve their security.

You might join a boutique firm that provides pen testing services to larger companies, or work for a large multinational company (as shown in this video).

This could actually be your first job after completing training, if you particularly enjoy red team work.

Video: A Day in the Life of Sam Kitchen, Penetration Tester at PwC.
https://www.youtube.com/watch?v=HiggqvMl9LI

Listen to this podcast about a company that hires a penetration tester to pose as a new hire, Jeremy from Marketing, to see how much he can hack into in his first week on the job. It doesn’t go as planned.
https://darknetdiaries.com/episode/36/
Cybersecurity Engineer ~ $108,000

Getting deeper into engineering

Here are a couple good resources showing what it’s like to work as a security engineer:

Video: Meet Security Engineers at Google.
Cybersecurity Architect ~ $129,000

Movin’ on up

Here’s an article describing what it’s like to work as a security architect:
https://medium.com/secjuice/what-is-a-security-architect-a65d3b0c9707
Living the infosec lifestyle!

Infosec is not your standard “9 to 5” job.

You have to be passionate about the field and love working in it. You have to live the “infosec lifestyle.”

What does that mean?

Let’s take a look at the key aspects of this…
Have passion

First up, let’s look more at this concept of passion, and why it’s so important in this field.

Here are some infosec veterans talking about this topic:

Video: Careers in Cybersecurity - New Advice from DEF CON 24
Daniel Miessler (@DanielMiessler), from https://danielmiessler.com/blog/build-successful-infosec-career:

Let’s talk a bit about the key differentiators between someone who gets to the top of this game and who fades out in the middle.

Curiosity, Interest, and Passion.

90% of being successful is simply getting 100,000 chances to do so.

You get chances by showing up. By spinning up that VM. By writing that proof of concept. By writing that blog post. And you have to do it consistently over a number of years.

You can do this two different ways:
• Inhuman amounts of self-discipline enable you to do this
• A deep, innate passion compels you to do this

Not many people can maintain the first one for that long. It’s hollow. It’s empty. These types are out there, but they often burn out and move on to something else. The top people are compelled. Most who stay with infosec for many years, and who are successful, achieve success because they’re powered by an internal molten core.

They couldn’t stop doing security if they tried.

They’re up late at night writing a tool or a blog post not because it’s the scheduled time, but because they’re physically unable to do otherwise.

Ideally, someone wishing to succeed in this world of infosec should have a lot of self-discipline. It’s important. It’s respectable. You need a certain amount of it.

But if you truly want to thrive, and do so without a frozen soul, you should be pulled by passion rather than pushed by discipline.
Build projects

Another important thing to do is: build projects.

Let’s hear from @danielmiessler again…

Daniel Miessler (@DanielMiessler), from https://danielmiessler.com/blog/build-successful-infosec-career:

You Are Your Projects

This is where the book knowledge stops and the creativity begins. You should always be working on projects.

As a beginner, or even as an advanced practitioner, nobody should ever ask you what you’re working on and you say, “Nothing.” Unless you’re taking a break in-between, of course.

Projects tend to cross significantly into programming. The idea is that you come up with a tool or utility that might be useful to people, and you go and make it.

And while you’re learning, don’t worry too much if someone has already done something beforehand. It’s fun to create, and you want to get used to the thrill of going from concept to completion.

The key skill you’re trying to nurture is the ability to identify a problem with the way things are currently done, and then to 1) come up with a solution, and 2) create the tool to solve it.

Projects show that you can actually apply knowledge, as opposed to just collecting it.

Don’t think about how many projects you have. If you approach it that way it’ll be artificial. Instead, just focus on interesting problems in security, and let the ideas and projects come to you naturally.

In the writing world, there’s a maxim that says, “Show, don’t tell”. Projects are showing, and collecting knowledge is telling.
Network with others

Here’s another truism in the cyber world:

Name recognition within the community is absolutely invaluable when applying for jobs.

That’s why it’s so important to network with others in the space, especially locally. For example, if you live in New York City, you could attend the largest infosec meetup, or the local chapter of ISSA (which is a professional organization with chapters around the world). These are good places to network with local hiring managers and security teams.

Attend local events as much as possible. It’s fun to network with other like-minded people in the space, and you’ll learn a lot. Plus it will pay off career-wise over the long term.
Attend conferences like DEFCON

Part of living the infosec lifestyle is going to industry conferences (or “cons”). There are three main reasons for going:

1) Spend time with other infosec friends who live far away
2) See the most cutting-edge security research
3) Learn new skills

But really #1 is the most important.

What are the biggest conferences, and which ones are best for you?

On the next few pages, you’re going to hear from respected hacker @hacks4pancakes about this. You’ll read her descriptions of the biggest cons, which I have put onto a map of the U.S. for easier visual reference.*

Lesley Carhart (@hacks4pancakes, DFIR @dragosinc, Chicago, IL):

There are no substitutes for in-person networking or training events. I strongly recommend attending InfoSec / hacking conferences, but I also encourage you to choose the right ones for you. Regrettably, the events with the biggest budgets often get the most hype. That does not translate to them being the best environments to learn in. Cost is often a factor that bears consideration, as well. Tickets to InfoSec conferences range from free (or nearly free) to thousands of dollars. Hotel and airfare costs vary by venue. All these factors should weigh into your decisions, but there’s a conference for everybody.

Hacking conference size and content vary a lot, but there are some commonalities. There are normally one or more tracks of speaker talks, selected by the organizers from outside call-for-paper submissions. Capture the Flag type events are fairly ubiquitous. It’s also not uncommon to see an option for longer, hands-on training classes for an additional fee. You’re likely to see some vendors, as well as hobbyist groups such as locksport organizations or makerspaces sharing their expertise. Evening parties sponsored by the conferences or vendors can provide an opportunity to network and have fun.

* You can see the original article here: https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/
Lesley Carhart (@hacks4pancakes) on DEF CON:

One of the oldest, most famous, and largest hacking conventions in the world, DEF CON is held in August on the Las Vegas strip. The attendees are a mix of everybody from the most dubious black hats to corporate security professionals, from journalists to Generals, from researchers to federal agents. Events and talks run the full gambit in every sense of the word. The parties are wild and so are the attendees. DEF CON tickets currently cost $230 (cash only!).

PROS: This is where you’ll see some of the most cutting edge research released, and meet many top notch pros. Everybody should attend DEF CON at least once, for the sheer experience.

CONS: Over-the-top parties, crowds, and hangovers can overwhelm actual learning and networking.
Lesley Carhart (@hacks4pancakes) on Black Hat:

Black Hat (USA) occurs the week prior to DEF CON, and offers more structured training opportunities on a variety of topics. There’s a heavy vendor presence. Black Hat is more targeted towards security professionals and executives, and offers organized networking events and a bevy of courses and high profile speakers.

The talks are well vetted. This doesn’t come cheap; regular tickets are currently $2195. Training courses cost significantly more.

If money is a factor, I certainly wouldn’t recommend paying your own way to Black Hat unless there is a course you desperately want to take that isn’t offered anywhere else. Wait for a scholarship or corporate sponsor.
Lesley Carhart (@hacks4pancakes) on RSA:

If you missed that RSA occurs in February in San Francisco, you’re not tuned into information security news.

I can draw a lot of parallels between RSA Conf and BlackHat, but personally favor Black Hat as an event. They’re both targeted at executives and professionals, throw star-studded vendor parties, come with a hefty price tag (standard RSA tickets are currently $2,295), and get plenty of press. They have the biggest vendor expos, and often boast high profile speakers.

I don’t recommend RSA to entry level infosec folks, even if the price tag is in your budget. For the money, I’d attend a course at Black Hat. The glitz and glamour do not make this the best environment to learn fundamentals or network.
Lesley Carhart (@hacks4pancakes) on Shmoocon:

Shmoocon was founded by a husband and wife team to become a relatively small, friendly, community and education focused conference. It occurs in January, and costs $150, making it the most affordable of the ‘big name con’ admissions.

Due to its DC location and educational reputation, it’s popular with federal government, military, and federal contractors, and the networking, vendors, and talks can reflect this a bit.

The downside is that Shmoocon has grown much more popular than its size allows, and tickets sell out quickly – very quickly – a matter of seconds, making attendance a bit of a lottery. If you plan to attend Shmoocon, (I do recommend it), read up on the ticket purchase process well ahead of time.
Lesley Carhart (@hacks4pancakes) on Circle City Con:

Circle City Con is newer than Shmoocon, but fills the same educational / community friendly conference niche. Circle City Con occurs in June, near the Indianapolis Convention Center.

Tickets are currently $150 and include optional training classes, aside from any required materials.

Circle City Con is another safe bet for a first conference, and for family participation.
Lesley Carhart (@hacks4pancakes) on GrrCON:

GrrCON specifically states their goal of avoiding elitism, and as a result they’ve earned a reputation as a positive and friendly environment which is heavily geared towards great networking and security education.

GrrCON occurs in October in Grand Rapids MI, and regular tickets are currently $150. Another location with very reasonable room and board, it would be a great choice for a first con. GrrCON also offers opportunities for family participation.
Lesley Carhart (@hacks4pancakes) on HOPE:

Hackers On Planet Earth is still a bit of a ‘hidden gem’. Although it’s one of the oldest annual hacking cons, it remains reasonably small and attended by industry greats.

HOPE occurs in New York City in July, and tickets are currently $150.

HOPE offers some of the most unique and varied events of any conference outside DEF CON, and boasts film festivals, art, and robotics along with the usual offerings. It’s a bit more eclectic and nuanced than other conferences.

HOPE is worth serious consideration, especially for East Coast folks.
Lesley Carhart (@hacks4pancakes) on BSides:

Perhaps you looked at this long list of conferences, and balked at the locations, travel costs, and ticket prices. All is not lost. Seek out your local BSides event, which occur in many metropolitan areas. BSides events tend to be organized by local hacker groups, and most are one or occasionally two days.

BSides also tend to be smaller and less expensive, with tickets usually ranging from $0-50.

There’s rarely a good excuse to miss your local BSides – it’s a great opportunity to network with security folks in your area for a nominal fee. BSides events also make a great excuse to travel to cities on your bucket list across the world, learn about hacking, network with people, while enjoying the local culture, sights, and cuisine.

[map: Global Security BSides Venues.]
You should also plan to get involved with your local chapter of OWASP.

Start by attending some meetings to get the lay of the land, then get more involved by doing things like volunteering.

Then, when you’re ready, see if you can give a talk!
To sum up the whole “cons” thing:

• Go to DEFCON at least once (the sooner the better!).
• Apply to give a talk at a conference as soon as you’re ready.
• Remember that the main goal of conferences is to network and see your friends in an infosec setting.
• Participate in local events too.
Living the infosec lifestyle!

Have a presence

Some people in infosec like to be “invisible” on the internet, and reveal as little personally-identifiable information (PII) as possible. That can work, and that’s certainly your prerogative.

But if you want to level up in your career more quickly, to middle and senior levels, then you should plan to have an online presence for your cybersecurity work. In other words, you should have an online brand (even if it’s a low-key one).

This is becoming an increasingly popular trend in the space. The idea is that you have a place to publish updates on the projects you’re working on, and/or any infosec-related thoughts you want to share.

If you’re an introvert, or don’t want to “brag” about stuff you’re working on, that’s OK! But you still need to market yourself and your work. As Daniel Miessler says, “Do good work and be willing to talk about it. But do so from a sharing and collaboration angle, not from a position of arrogance.”

Your online presence should live primarily in two places: on a personal website, and on Twitter...


The main thing you need is a simple website and/or blog. This is the place where you talk about your projects and give contact information.

Make sure to choose a good domain name (if you don’t have one already) as it will be with you throughout your career.

I recommend hosting your content on your own site, instead of using a service like Medium, so you remain in control of the content. Then you can cross-post from your site to other places like Twitter.


People in the cybersecurity world often communicate with each other on Twitter. So you should plan to be active there too.

Follow interesting infosec people (like these) and join in the conversation when it makes sense. Retweet interesting things, and sometimes post original thoughts to start conversations of your own.

Don’t worry if you only have 3 followers. It doesn’t matter! Just be a part of the conversation.

You should also make sure to have a decent profile on … and update it every once in a while.

Make contributions

As you progress through your cybersecurity career, you’ll layer on more and more programming skills. You’ll also work with more open source tools over time. Every once in a while, you’ll probably find yourself saying “geez, I wish this tool could do this…”

Since you’ve got some programming skills, you’ll actually be able to code up some of those ideas yourself, by making a contribution to the tool. This is usually done via an online platform called GitHub, which is where most open source code lives these days. So you’ll be able to “fork” the code repository (“repo”) and create your new feature. Then you can submit a “pull request” to the person that runs the project, and ask him or her to merge your feature into the main version. When you make a contribution like this, a few things happen:

1. It’s great practice.

2. It helps improve the tool (for you, and for other people in the community).

3. The person who runs the project will be happy because you helped them out.

4. You’ll get credit for the pull request, which gives you more credibility as an active programmer.

So making contributions is a great way to “pay it forward”, but it’s also a good thing to do career-wise. But don’t force it. Do whatever comes naturally, and is in an area of interest for you.

Compete in Capture the Flag (CTF)

Many hacking conferences provide some kind of Capture the Flag event, where you can test your hacking skills against challenges and other participants. The goal is to win points by finding or reaching “flags” that are hidden in the challenges (which range from simple to very difficult). The key is to have fun and not be intimidated, as CTFs are a great way to test what you’ve learned.
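To make “finding flags” concrete, here is a constructed mini challenge in the style beginner CTFs use, as an added example that is not from the book or from any of the platforms it mentions. A flag in the common flag{...} format is base64-encoded and buried in a file among binary junk and a decoy base64 string; the solver does what a player would do by hand, pulling out every base64-looking run and decoding each until one looks like a flag. The flag text, the file contents and the decoy are all made up for the demo.

```shell
#!/bin/sh
# Added example, not from the book: a constructed mini "forensics" challenge of
# the kind beginner CTFs use. A flag in the usual flag{...} format is base64-
# encoded and buried in a file among binary junk and a decoy base64 string.
# Everything here (the flag text, the filler, the decoy) is made up for the demo.

FLAG='flag{base64_is_not_encryption}'

make_challenge() {
  # Write the challenge file given as $1. Filler is separated from the encoded
  # strings by spaces/newlines so each base64 run is its own token.
  out="$1"
  encoded=$(printf '%s' "$FLAG" | base64)
  decoy=$(printf '%s' 'decoy text, not a flag' | base64)
  {
    printf '\177ELF\001\002\000 junk junk junk\n'
    printf '%s\n' "$decoy"
    printf 'padding bytes \377\376\375\n'
    printf '%s\n' "$encoded"
    printf 'more filler at the end\n'
  } > "$out"
}

solve_challenge() {
  # The player's approach: pull out every run that looks like base64, decode
  # each one, and keep the first that decodes to something in flag format.
  file="$1"
  for candidate in $(grep -ao '[A-Za-z0-9+/=]\{20,\}' "$file"); do
    decoded=$(printf '%s' "$candidate" | base64 -d 2>/dev/null) || continue
    case "$decoded" in
      *'flag{'*'}'*) printf '%s\n' "$decoded"; return 0 ;;
    esac
  done
  return 1
}

# Usage: build the challenge in a temp file, then solve it.
f=$(mktemp)
make_challenge "$f"
solve_challenge "$f"
rm -f "$f"
```

The decoy is there on purpose: real challenges include plausible-looking data that decodes to nothing useful, so a solver has to check the decoded result against the flag format rather than stop at the first decodable string. Real events use their own prefix (picoCTF{...}, for example), so adjust the pattern to the competition you are in.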

The CTF at DEFCON is one of the most prestigious, with teams of the world’s best hackers competing against each other. Here’s what it’s like to compete:

DEF CON CTF 2018 Finals.


Here’s another video showing a large CTF:

Hacking Competition in Zhengzhou China - Real World CTF Finals 2018.

And here are some online CTF platforms that you can practice on:

PICOCTF is a free computer security game. It’s hosted by the Carnegie Mellon CyLab.
https://picoctf.com/

Google Security Blog: https://security.googleblog.com/

WAR GAMES
The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.
https://overthewire.org/wargames/



A good way to practice for CTF competitions (and to generally sharpen your offensive skills) is to work on a popular online platform called Hack The Box.

https://www.hackthebox.eu

Video: https://www.youtube.com/embed/4LmSEthRZLU?start=2553&end=2663


Here are some sites that host vulnerable machines you can download and practice on:

VulnHub: https://www.vulnhub.com
SEEDLabs: http://www.cis.syr.edu/~wedu/seed/labs.html
Practice Mindmap: https://www.amanhardikar.com/mindmaps/Practice.html

Continuous learning

Continuous learning is important for people working in cybersecurity. One of the best ways to enable this is to set up a good set of news inputs so you have a steady stream of updates coming in. There are different kinds of inputs you can use, depending on your preferred method(s) of learning:

Twitter is real-time, which means the data is fresh. As I described earlier in the book, make sure you’re following interesting people who post things that help you learn, or see things in new ways.

I recommend subscribing to leading infosec Youtubers (like LiveOverflow) so you get alerts when they release new videos. And if you’re looking to learn a particular topic, then it’s probably just a keyword search away on Youtube, where there is a mind-boggling amount of infosec video content. Watching talks from conferences like DEFCON is a great way to learn and stay current on new tools and trends.

Here are some of my favorite infosec podcasts, all available for free:

Risky Business Podcast
Darknet Diaries
Cyber by Motherboard
Unsupervised Learning
Security Weekly
Security Now
Defensive Security
Brakeing Down

Here are some respected cybersecurity blogs:

Dark Reading
Krebs on Security
Graham Cluley
Naked Security
Troy Hunt
Threatpost


The other key aspect of continuous learning is having a home lab, and spending time regularly working in it. You can learn more about building a home lab in this popular post:

Top tips

1. Don’t get overwhelmed with the number of options! Just choose 1 and get started, e.g. Wireshark, Netcat, NMAP, software defined radio or a Metasploit module that sounds interesting. Whatever is most interesting to you.

2. Tinker in your lab regularly (set aside several time slots each week).

3. Build your lab in the cloud if possible (e.g. on AWS or Azure). It may be slightly more expensive, but it will save you from having lots of hardware in your house.

Summary and next steps

Live the infosec life

In this book, we’ve looked at what it looks like to have a career in cybersecurity and a sample career path, summarized here:

Training for 1st job -> Job Search -> SOC Analyst ~ $85,000 -> Penetration Tester ~ $102,000 -> Cybersecurity Engineer ~ $108,000 -> Cybersecurity Architect ~ $129,000

Here’s one final piece of advice…

Don’t go into this field just for the money. That’s not a recipe for success.

But if you think you could become truly passionate about working in cybersecurity (or already are!) then I encourage you to take the next step.

What’s that?

Training for 1st job

NEXT STEP: Decide how you want to train

Do more research on the various options, understand their costs, and choose which one is best for you.

University under-graduate degree (in cybersecurity): $100k-$300k, 4 years
University masters degree (in cybersecurity): $100k-$250k, 2 years
Self study: could be free, depending on which resources you use; 12-18 months
Cybersecurity bootcamp (part-time): $12k-$20k, 6 months
Cybersecurity bootcamp (full-time): $12k-$20k, 3 months

If you’re looking at bootcamps, make sure to look at their “course poster” to see a summary of what they teach, and make sure they teach the things described in this book. For example, you can see the course poster for Fullstack Cyber Bootcamp here.

Course Poster

Good luck on your journey!
