Breaking Into Information Security Career
Recently someone posted on /r/netsecstudents asking how to land a job in infosec but he wasn’t sure what the specific field was. He asked about incident response without knowing the specific name. Of course me being someone that works on an Incident Response team I chimed in with the names of the career path.
- Security Incident Response Team
- Cyber Incident Response Team
- Blue Team
I started thinking about how I finally got a career into information security and my journey. Also reading others responses I realized I wasn’t just lucky but others followed a similar path. So I wanted to shed some light on your way to get into information security.
First and foremost be passionate about information security. If you’re not truly passionate about it, it’s not going to be easy to break into and you’ll likely be miserable since it’s very demanding.
My journey started when I was really young as I’m sure many of the readers also started this same way. I was maybe 11 or 12 years old. My family didn’t have a computer but my Aunt and Uncle did. My Cousin showed me the ropes with AOL. I couldn’t get enough of it! Punters, scrollers, Sub7, this stuff was mind blowing to my little mind. Fast forward to when I was about 16 my family got their first computer. Curiosity, and want for knowledge grew. Now in my 30’s I’m still passionate about computers.
Get experience in the IT field. Doesn’t have to be anything crazy but IT experience will help you on your journey. I started as a Service Desk agent with no schooling background. Your drive and passion for computers will show and you’ll move up rather quickly.
Having knowledge of the “other” side of technology will aid in your journey. Could be things as to why the company has a certain naming convention, or what the IP scheme is, common viruses the users get, policy, etc. It’ll give you a leg up on someone fresh out of college.
Let that passion show outside of work. Learn a programming language and start making shit. Don’t let assholes tell you not to reinvent the wheel, you’ll never learn if you’re always trying to invent something new because so much is already out there. Make some CLI based games, tic-tac-toe, battleship, etc. Make a client/server chat application, then add encryption to it. Just learn to program or script and make a Github. This will show your passion as well as that you have a certain perseverance that a fuck ton don’t.
Look at certifications. Not just the bullshit ones either. Find out what’s credible and if need be take out a loan to get it. Most managers don’t give a flying fuck about certifications but it doesn’t hurt to have if you don’t have experience and there are a few that hold some merit. To name a couple
People typically sell SANs books on ebay, you can skip the class and read the books and pay a lot less for just the exam and practice tests.
Learn other operating systems. You play games and don’t want to leave Microsoft Windows because of it? Cool, pay $10 a month and get yourself a VPS to play with. Better yet get yourself a free Google Cloud shell account and learn linux/bash/python. Dual boot or learn to use a Virtual Machine.
Capture the flags (CTFs). Go to Vulnhub grab an easy level vulnerable OS, download Kali Linux, and start learning metasploit, nmap, and ncat. Metasploitable is a great start. A lot of them have walk throughs if you get stuck but struggle before you cave and look at the walk through. Write your own walk throughs.
Find local meetups. 2600 is usually a good start. Go to them and meet people. Learn shit and realize not everyone is an asshat, only dipshit elitests that are usually so insecure with themselves that they still live in moms basements are asshats. No local meetups? Make one! You might be the only one there for a while but use that time to study more. Who knows maybe you’ll find a mentor at a meetup.
Create a blog cough and just post about shit you’re learning, learned, or made. Get feed back, don’t let assholes get to you. Post it on reddit for feedback, most will be supportive and give good feedback or direct you to where you should go.
- All of them combined
Don’t be an asshat unless it’s to someone being an asshat. Be humble, meet people, be nice and respectful, help when you can, and don’t be afraid to ask questions. It might be ass kissing at time but fuck it you’ll get to where you want as a career and you’ll do it by not having a degree pissing away money on a college education you could get with dedications and motivation.
If your company has an information security department reach out to the managers and workers. Pick their brains, express interest. What tools do they use? What SEIM? What can you work on that would help you get on that team when there’s another opening? What challenges do they face that keeps them awake at night? Where is there a gap that needs filled? Do they know of any meetups? Lunch and learns? Would it be possible to job shadow? Would one of them be interested in mentoring you? Make yourself and your interest known!
Interview Pro Tips
- ICMP/Ping does is portless don’t fall for that trick question
- Know in at least small detail what happens on the network side when you go to www.somewebsite.com
- Problem solving and analyzing is a MAJOR part of infosec. Be prepared to answer situational questions like “Director shows up and says he’s got a virus, what do you do?” The point of this is to gather as much information as you can to make your life easier.
- Why do you think you have a virus?
- What symptoms?
- When did you first notice this? Date/Time?
- What websites did you visit, what browser?
- Did it ask you for your username or password? Did you enter it?
- Was it from an email? Did it have an attachment, or a link?
- Admit when you don’t know but also let the interviewer know you can find out and give examples of how you would find out.
- Have a Github and contribute to projects even if it’s just documentation
- Current events! I can’t stress this enough! Current breaches, new malware, stay informed!
- Be able to explain big recent vulnerabilities.