Jump to content

Infosec Education


devrand0m

Recommended Posts

Kind of a weird question...what kind of education is available/recommended for mid-career career change to information security/pen-testing/etc.?

I'm in totally non-IT field, but seriously thinking about IT.  

Is taking courses and getting certified or getting a degree from places like SANS Institute worth it?  Anybody know anything about them?

How about certification from Offensive Security?  

Any other schools, courses, programs out there worth looking at?

Community colleges?  Those "for profit" technical colleges?  

Any advice other than "give it up" would be appreciated.

Thanks.

Link to comment
Share on other sites

  • 2 weeks later...

Where are you living?

In the UK there are a number of cyber information courses run by universities which teaches all students with zero knowledge of the subject and by the end of the degree you have gained a solid understanding of networks, crypto, pen testing, policy....

Link to comment
Share on other sites

If you don't have a background in Information Technology, ie: no formal training, at a minimum, get some basic classes in. If you truly know your networking and sysadmin stuff, then sure, take a gander at SANS and Offsec, but don't just jump in, if you don't have some sort of foundational grasp of things. Comptia Network+, Linux+(even an A+ class, but not required) and a basic windows MCP class, should be enough to grasp most things needed for the security side, but most people in penetration testing started on the LAN side or as System Administrators and networking backgrounds before going the other side. Not a requirement, but will make your life much easier before trying a pentesting course. Knowing TCP/IP basics, the OSI model, and some form of file sharing and network administration, ie: Active Directory, SMB/Samba, and Windows and Linux OS command line use, will greatly help you in the long run.

Offsec's PWK, is more or less entry level pentesting, but I wouldn't consider it an easy course by any means. It's very foundational, and very instructional, but it's a 100% hands on, you need to physically do the task, to pass. Part video, part text instructional, you'll spend most of your times, in a VPN'ed virtual lab, performing real attacks against actual installed machines setup with real world vulnerabilities or mis-configurations, and all networked, like a real corporate network, allowing you to attack one machine and pivot through the network to others. SANS is also a really good class, but I wouldn't consider either theirs or offsec to be, hey, took the class, now I'm a pro. It will definitely build the mindset needed to be a pentester, and both will allow you to physically do the things you would in a pentest, SANS being a number of courses some of which may only be instructional and multiple choice questions, OSCP and other offsec courses are all hands-on, you have to perform actual hacking tasks, to pass, and no multiple choice questions. You also have to write an actual pentest report, which is a part of your passing grade as well, so don't just pass that part up, because it's what you would need to know and do well in the real world if doing the same thing for your job.

If you have no background in any of the above I mentioned, start out gradually and build on the basics. Cybrary, Youtube, Google and Security Tub can help. Look into the following materials, which you don't have to take the vertifications, but can still read the books on the topics to get more well rounded:

CompTIA Network+

CompTIA Linux+

CompTIA Security+

Microsft MCP books for MCSA/MCSE

Setup a home lab with some virtual machines, setup a domain controller with windows server, an Active Directory domain, network some client computers to it, and try out some CTF's from places like Vulnhub or Hack The Box, as well as Pentester Academy. Then I'd work on PWk/OSCP and then maybe SANS.

Link to comment
Share on other sites

  • 2 weeks later...

@WaterRideI'm in US so I can find a lot of on/offline courses, but can't tell which ones are worth the money.  Also not sure what I need to study.  Can't decide if I need to go back to school or study/take online courses on my own

@digip Thanks for the detailed reply.  I've been a Mac guy all my life (started with the original Mac).  I think I'm just as capable as those Geniuses at Mac stores, but totally lost in Windows environment.  I'm OK with Linux given the similarities with Mac, and have been getting better with Kali use.  I'll look into your suggestions.   I'm from hospital background.  Totally amazed at how hospitals just completely trust the vendors;  if Citrix or VMWare says everything is safe, that's good enough for them.  I've never seen them do any pentest.  Log in consists of first initial_last name followed by a number.  Initial password is hospital name followed by some digits.  Not required to change password after initial log in.  How many people, do you think, didn't bother to change the initial password?  I could probably find an account to log into with 20 min. of Hydra.  Medical field really need pentesters, network security people, security minded CIO's (I've never seen any CIS0's in the local hospitals).  I just wanted to go into hospital/medical information security in some capacity (haven't decided exactly what capacity).

Link to comment
Share on other sites

On 10/13/2017 at 2:48 PM, devrand0m said:

@WaterRideI'm in US so I can find a lot of on/offline courses, but can't tell which ones are worth the money.  Also not sure what I need to study.  Can't decide if I need to go back to school or study/take online courses on my own

@digip Thanks for the detailed reply.  I've been a Mac guy all my life (started with the original Mac).  I think I'm just as capable as those Geniuses at Mac stores, but totally lost in Windows environment.  I'm OK with Linux given the similarities with Mac, and have been getting better with Kali use.  I'll look into your suggestions.   I'm from hospital background.  Totally amazed at how hospitals just completely trust the vendors;  if Citrix or VMWare says everything is safe, that's good enough for them.  I've never seen them do any pentest.  Log in consists of first initial_last name followed by a number.  Initial password is hospital name followed by some digits.  Not required to change password after initial log in.  How many people, do you think, didn't bother to change the initial password?  I could probably find an account to log into with 20 min. of Hydra.  Medical field really need pentesters, network security people, security minded CIO's (I've never seen any CIS0's in the local hospitals).  I just wanted to go into hospital/medical information security in some capacity (haven't decided exactly what capacity).

Wow, that is very insecure..But for people who just use computers as a tool rather than a daily-use kind-of-thing it's easy to see how people need simple, easy-to-remember usernames/passwords in a simple environment. When you see a computer as something as simple as a calculator or a glorified notepad it's easy to forget that you need security for all the data stored on them. It's inconvenient for people to see them like that though, as that means they have to pay lots of money and put more effort into their systems but they still do the same thing, essentially.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...