Jump to content

How to get started in Cyber Security?


Cyber_AI
 Share

Recommended Posts

Hi I'm very new to the tech world in the sense I don't know much about cyber security. I want to get into the cyber security industry but I'm not exactly sure on how to go about it. I've sign up for some udemy courses to learn what I am assuming are the basics and fundamentals, but what I need to know is how to get the real world experience so I can actually start a career in this industry. I've heard some people say to volunteer on your own, others say start your own side business till you build up enough experience. So any advice I can get on here will be greatly appreciated!  

Link to comment
Share on other sites

You aren't going to get any meaningful experience or do a good job for clients if you go out on your own straight away. You need to work with someone who knows their stuff to pick up the real world stuff. I'd say you need at least a couple of years working with others before trying to do anything on your own.

The type of company is up to you, someone big like NCC would probably have a graduate, new starter training program that would get you up to speed quickly but would also be fairly generic or a smaller boutique firm which would get you more hands on with skilled testers but probably a little less breadth.

  • Like 2
Link to comment
Share on other sites

I'm with digininja on this one. I have worked for 16 years as a web dev and IT administrator. Due to my ever itching interest in hacking and pentesting though I just took a chance last December and applied at a small company that is on the red teaming side of things. During my interview I clearly stated that I had no relative hacking experience what so ever, just coding and hardware skills.

Now six months later I have learned a lot of things on the job, and still learning every day. I can say it is challenging and sometimes even hard, and mistakes have been made during the last six months. But it is also very exciting to do, as you get into real world situations on a daily basis.

With certainty I can say that learning on the job is the best way of learning, but you have to be lucky to find an employer that is willing to take chances. ?

Also I would suggest to follow courses on cybrary.it, which is free, but offers certificates on many subjects that are relative in the pentesting / hacking world. It are just the basics, and real world scenarios will test your ability to find new solutions to the challenges you will encounter (tech keeps changing on a day to day basis).

In my opinion, being able to adept on the go and being able to quickly find solutions to problems, are the main skills needed in the field (next to of course knowing the fundamentals).

Keep focus, keep learning, and stay open minded, and I am sure you will succeed ?

Link to comment
Share on other sites

Hi Al, set yourself up with the right tools to start. You need to learn to walk before you can run!

Dedicate a laptop to Kali Linux as an attack machine, then on another 'networked' machine, set up some vunerable VM's as a testing lab for you to polish your skills. I recommend Virtualbox. (bridge your adaptor connections)

Here are a couple of purpose built vulnerable operating systems as a start for your testing lab. Run your test lab on Windows or Linux, whatever you prefer, but i recommend your attack machine be kali based. 

Metasploitable 2 (linux based) and Metasploitable 3 (Windows server 2008 R2)

https://www.hackingtutorials.org/metasploit-tutorials/setup-metasploitable-3-windows-10/

Google your questions and learn from the 'University of Youtube' (watch videos on using the Metasploit Framework which is packaged with Kali Linux)

Learn how to fingerprint, gather information on your target and execute exploits and payloads.

If you can figure out this outlined structure, the pathways to further development will open up for you!

Good Luck.

 

Link to comment
Share on other sites

A change I'd suggest to this is to use a different distro and install your own tools. To many people rely on Kali and have no idea how to install a tool from source, debug dependencies and keep it up to date. If you take ownership of the tools you are using you'll understand them a lot better and you get the bonus of additional Linux admin skills.

  • Like 1
Link to comment
Share on other sites

I had a bad reaction to Backtrack 3 that put me off relying on anyone else packaging tools that I rely on.

Things are a lot better now and Kali has come a long way since then but at that point I made the decision to roll my own and have been doing it ever since.

Link to comment
Share on other sites

I first started out with Kali, just to learn about the tools and get familiar with some of them. Now I mainly work from Ubuntu, with the packages installed that I use most of the time. And if I do need something new, I google about them and test them as I go in a virtual testing lab.

  • Like 1
Link to comment
Share on other sites

Thats true dig, its a sad fact that the young up-comers to the industry nowadays want the fastest route to their given desires, they cant be bothered compiling when its all done for them.

I thought you made a very pertinent point in saying " If you take ownership of the tools you are using you'll understand them a lot better"

If you cant grasp the principles behind what your doing, its very hard to understand why things go wrong along the trail.

I remember the old days when even Linux was a PITA......driver issues, application compatibility and so on, and so on!

Today we demand increased functionality in our web applications and operating systems, we want our content served super dynamically, we want a push_button app for everything........this is all good and well for us as the end user, however most dont realize that with this comes a heavy price with a massive increase in our attack surface!

Kali has come a long way of recent days and I just thought it an easier start for the OP to cut his teeth on (pardon the pun) ?

Link to comment
Share on other sites

One of the most annoying things I see regularly is people asking for support on DVWA but refusing to put effort into understanding the underlying OS. All they want to do is focus on the"fun" web app vulnerabilities rather than learning about the entire ecosystem which pays off a lot more in the end.

  • Like 2
Link to comment
Share on other sites

I totally agree, I used to work as a network / system admin, and my default first choice for an OS is and has always been Linux, so I kind of grew up with it ?

Also I have basically grown up with the internet, first time I logged in through a 28.8kbps modem was give or take 25 years ago, and I was hooked from the beginning, as where I learned basic webdevelopment in (d)html and javascript 20 years ago. Now six months ago I finally found the road I wanted to travel, and have been working as a pen tester in a small company. Unfortunately, people nowadays really expect a program to run perfectly and smoothly right out of the box, and everything has to look beautiful and such. While I still do most of my work in the terminal ?

 

Link to comment
Share on other sites

Had a mail this weekend from a guy who hasn't any previous IT experience who was planning to set up as a freelance tester, he wanted my opinion on a few things. My first opinion was not to do it. There is no way to go from nothing to tester successfully. I tried to explain one mistake could be very costly, he said it was ok, he would only be testing for small firms. For their sakes, if he goes through it it, I really hope he never gets any clients.

What I recommended was getting a full time job with a testing company for at least a couple of years first to get some experience. He had he had his Comptia certificate and that would be enough.

Link to comment
Share on other sites

1 minute ago, digininja said:

What I recommended was getting a full time job with a testing company for at least a couple of years first to get some experience. He had he had his Comptia certificate and that would be enough.

Out of interest, do such companies even look at candidates with no IT training or experience? or are they holding out for newly qualified students looking for first time work?

Link to comment
Share on other sites

It is very unlikely but if you timed it just right, and caught the owner of a small firm on the right day with the right mix of sob story and enthusiasm, then you might get lucky.

What would be more likely for him, if he tried, he might get an interview or two and during them realise how much he didn't know and then reevaluate his choices.

When I do recruitment for junior positions, I look for enthusiasm and background in relevant areas. Stuff like blogs, helping with conferences, CTFs and participating in hackerspaces.

Link to comment
Share on other sites

  • 3 weeks later...

I'm going to threadjack for a minute, didn't want to start a whole new thread on the subject and clutter up the site.

Would the same suggestions apply to people who have limited time throughout the day to learn? I work long hours (thanks to military background), have 2 kids and a wife, and going to school for cyber security. I've got a hand full of VM's running at any given time trying to learn as much as possible with as little time as I do have for my own time. I've looked through the where to start thread, and dog eared a lot of the references for future use.

Really looking for a solid foundation to start, so I can learn literally as much as possible. Don't be surprised if I ask a few dumb questions, probably like the following.

On 6/4/2018 at 6:33 AM, r3plic4tor said:

Dedicate a laptop to Kali Linux as an attack machine, then on another 'networked' machine, set up some vunerable VM's as a testing lab for you to polish your skills. I recommend Virtualbox. (bridge your adaptor connections)

Is Kali the epitome of where to start? I've looked a little into Parrot and wanted to know if it's worth the time and effort to get started up with Parrot, when the industry standard is Kali.

Link to comment
Share on other sites

The recommendation is the same to everyone, learn as much as you can in as many areas as you can and show your enthusiasm for the subject by blogging, tweeting and getting involved.

As for Kali Vs Parrot Vs anything else, they are just Linux distros with pre installed tools. You don't learn Kali, you learn the tools. My recommendation is to pick a standard distro such as Debian, and install the tools yourself. That way you improve you sys admin skills, understand how the tool works and get to pick the tools you want to use rather than fumbling through a raft of them picked by someone else.

  • Like 1
Link to comment
Share on other sites

Quote

Really looking for a solid foundation to start, so I can learn literally as much as possible. Don't be surprised if I ask a few dumb questions, probably like the following.

Find where your interests peak......Its a vast field where a lot of play strategies exist.

Is your goal to exploit Web Applications, The Web server itself, Browser hacking processes, Networked machines in a WiFi/Ethernet environment, private or corporate, etc etc. Maybe you prefer coding scripts for automation or injecting malware,  or maybe your preference is Social Engineering and the likes.....Whatever!

Once you find your niche, your time will be better concentrated and better spent.

Kali has the tools for most environments, once you find yours, you will be able to spend the time to learn an application more effectively rather than shoving to and fro from each of them and knowing little about them all!

Know what i mean?

The only thing installing them for yourself will teach you is.......yep! how to install them. To learn them effectively is to utilize them and concentrate them in your particular area of interest. If Web apps are your line, you will learn Burp Suit front to back.......apps such as Wifite will be of little interest to you.

The University of YouTube is a great start and from there, you will fork (branch out)

Regards.

Edit: Learning to master Linux is key, no matter the distro.....know your command line etiquette, how it works, and what its capable of doing.

Im a Debian fan like Dig, that could mean Kali, Ubuntu etc etc

https://www.youtube.com/watch?v=bju_FdCo42w&list=PLtK75qxsQaMLZSo7KL-PmiRarU7hrpnwK

Edited by r3plic4tor
Link to comment
Share on other sites

27 minutes ago, r3plic4tor said:

The only thing installing them for yourself will teach you is.......yep!

That is true, it will teach you how to install them which involves understanding dependencies, versioning, using repos such as GitHub or such as PPA, permissions and all sort of other stuff which is really helpful. If you know how to install all the key tools you use then when you pop a shell on a client's network and need to pivot through it you don't have a sudden learning curve.

It also makes you focus on the tools you actually need. If you are going to spend time installing a tool you may as well be installing the correct one for the job, so do some research, work out what will do what you need, then install that, rather than just looking in a pre-selected list of tools other people use and picking one at random because you need something for X and it is in the X category.

You also need to remember that not all tools are Linux based, I use a lot of Windows tools when I'm testing Windows networks, at that point, if all you've learned to use is Kali you are screwed.

In the DVWA support  team we get loads of people asking how to get it working, the vast majority of the time it is because they are missing a really obvious library or have missed setting the permissions on a file. If you can't install the app that you are trying to hack, it doesn't bode well for your changes on actually hacking it.

Link to comment
Share on other sites

Good points.....I always run a dedicated Win10 machine which actually host all of my testing lab VM's.

One of my best research tools still remains my old trusted mate.......his name is Google! ?

Link to comment
Share on other sites

My mate has a cousin, his name is Binary, but sadly he his ill, and none of the new kids on the block want to know his name, let alone visit him!

But your right, they probably should if they want a part of the inheritance.

Link to comment
Share on other sites

1 hour ago, digininja said:

Are some of your posts done by a bot as this makes no sense at all.

I'm prob wrong but i think i deciphered part of it

Mate = google - "my old trusted mate.......his name is Google!"

Mates Cousin = Binary - "My mate has a cousin, his name is Binary,"

Binary search is a Search engine? or tool? i dunno lol

Edited by Just_a_User
Link to comment
Share on other sites

14 hours ago, digininja said:

The recommendation is the same to everyone, learn as much as you can in as many areas as you can and show your enthusiasm for the subject by blogging, tweeting and getting involved

Sadly enough, the most involved I get with anything (other than friends of mine who share the same likes), is where we are currently sitting. A forum type setting.

9 hours ago, r3plic4tor said:

Is your goal to exploit Web Applications, The Web server itself, Browser hacking processes, Networked machines in a WiFi/Ethernet environment, private or corporate, etc etc. Maybe you prefer coding scripts for automation or injecting malware,  or maybe your preference is Social Engineering and the likes.....Whatever!

I could tell you what would peak my interest, but until I have any kind of hands on application, don't really know if it it will or not. For instance, I love shooting long distance, but I hated reloading my own ammo even though the idea itself peaked my interest.

If I had to choose, it would be network security. How can I get into this machine on this network to do what I have been contracted to do, or how to prevent others from entering my own network. Makes me all riled up inside.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...