So you wanna be a hacker? Well, this is not the blog for you, I’m afraid. I say that because a hacker is very different to a criminal, which is very different to cyber security. There is some crossover, but I recommend you have a read of Steve Levy’s Hackers and you’ll get what I mean.
So you wanna cyber then ? Well, keep reading but beware of feeding the trolls – cyber, sheesh what a word, it covers many sins – it’s a marketing buzz word so don’t cyber.
So you wanna be in security? Better!! But, I hear you say, I don’t want to stand in a warehouse all night with a flashlight making sure there are no burglars … correct, although I can’t promise you won’t end up in a warehouse in a uniform holding a flashlight (see social engineering!!).
Yep Information Security (infosec is a better phrase for cyber) is a really broad topic and getting a career in it is as hard to fathom out as working out which bit you fit in to.
I’ve laid out some steps below which I think are a fairly good road-map to get you in the right ball park. As with everything, you only get out what you put in, so if you really are after a career in infosec then you’ll be doing this in a year, if you are just dabbling .. come back in a couple of years !
So here are my steps :
- Play
  - Find online games to play – we generally call them CTFs (capture the flags) whereby you test your skills at certain challenges.
  - There are loads of competitions (Captf and StackExchange) and they are happening all the time (Captf and CTFTime).
  - I recommend not playing them to win, but to work out where your strengths and weaknesses are and what your passion is. All too often I see people wanting to be a ‘hacker’ when actually they are really good at forensics or cryptography.
- Tool up!
  - When you have found your niche, find the resources and the tools. Most organisations give 30 day trials / limited community versions. Use them. Try installing the tools without Kali, configuring them, and getting to know them.
  - At this point there is a danger in thinking you’re some leet hacker with skillz because you can use Kali a bit … when in fact the majority saying this are just script kiddies who have no clue what is actually going on. You still have a long way to go, so keep practising with those tools!
- Create a home lab.
  - This shouldn’t cost a great deal; you just need old computers from the lofts and garages of friends. This helps them as they empty some space, you get your hands on hardware so you learn that side too, and you get the kit for your testing lab.
  - Get familiar with virtual machines. I’ll let you work out which is best between VMWare player, esxi and virtual box.
  - Always keep a base copy of your machines so if you screw it up you can roll back!
  - Spin up virtual machines and install your tools in there to create pen testing machines to work with. This will also help build your technical knowledge of networks.
- Use a known pen test methodology
  - OSSTMM, the open source standard for pen testing.
  - CREST, CHECK, CEH – these are qualifications you’ll be looking at in the future, so get used to how they operate while you are learning.
- Training
  - There are loads of great training schemes out there, from:
    - free (SecurityTube, Cybrary)
    - books (loads of Amazon lists)
    - low cost entry formal training (Infosec Skills)
    - full corporate level qualifications (PGI, ISC2 and 7Safe).
- Ethics
  - At this point, you’re going on a path, a great journey; you’re finding out tons of information and learning about vulnerabilities that can get you places. Do not be tempted to go Black Hat … the movie was terrible and the reality of the black hat lifestyle is not great. Not when you think you can be earning 60k+ to do it properly and having some recognition for that work!
  - It’s a tough call, the ethics piece. I mean, you could if you wanted to get yourself a reputation for breaking in to stuff, but just remember that all you learned above, someone else is learning in order to catch you. Looking over your shoulder and having enemies as friends doesn’t sound conducive to a great day at the keyboard.
- Your online presence
  - Technically, this would flow through the whole thing. I would recommend you create the following profiles and keep them up to date (p.s. leet names are not cool! so use handles that relate back to you):
    - LinkedIn – a professional profile of who you are, what you are currently working on, which bits of your learning you’re doing, what you’re enjoying, CTFs played and most importantly – how people can reach you. People are going to connect to you, so ensure they are connecting to reach you and not your connection base.
    - Twitter – social media is a great way to show off the work you are doing, what CTFs you are entering, and the conferences you want to attend and are attending. It is also the key place to ask questions, learn and connect. If someone helps you out – say thanks. Connect to them and filter the people you follow into lists.
    - Blog – buy a domain, stick WordPress on it and blog … a lot! All your thoughts on the stuff you’re working on, what you like, what you find hard, and, when you hit a wall, how you think you are going to approach getting around that wall.
    - Youtube – yes, you need video blogs these days. Spend a little time creating a 20 minute video on how to use a tool. Longer term this will help you communicate effectively and explain technical matters easily, plus give you confidence at speaking.
    - GitHub – if you are going to create some new tools etc, use a central repo to keep them in.
You also need to keep your personal life separate to your ‘work’ life. No point in having some great infosec friends then ranting for 20 minutes on Twitter how your latté came with the wrong type of milk !
You should be about a year away now from where you started, with commitment and passion driving you forward. Keep going. It’s just getting to the good bits.
- When you are confident that you have some skill set, you enter CTFs and feel like you know what you are doing and are getting OK scores, I recommend you start looking at the career paths you might want – internships, junior pen test work. There are quite a lot of great schemes: BT, Northrop Grumman, ProCheckUp etc.
- Consider playing the technical challenges on the Cyber Security Challenge website.
- Conferences – be a part of the scene. Go to the smaller cons – BSides, SteelCon, Securi-tay and do a Rookie track presentation. Find a good topic and present it well. Don’t keep writing new talks (unless yours sucks), stick with one topic and present well. I have seen the same presentation by Freaky Clown around 8 times now ?!
- To advance up the career ladder you’ll need to gain qualifications. CREST is the current industry favourite. If you are in a company this will be much easier as they will probably support you in that.
- Then give back .. you were a rookie once so become a mentor. Help out the next wave of talent. This, I can assure you, you will not look back on – give back.
I hope that helps – infosec as a career is a really interesting prospect. It is very broad: secure coding, securing hardware, OS hardening, cryptography, forensics, malware analysis; the list seems endless and seems to grow daily! I’m sure you are going to find your own niche in there.
Good luck and keep in touch, let me know how you get on. If you want to follow me on Twitter I am @spcoulson and I have some lists already created for infosec people, companies news etc that you can quickly use.