Estimated difficulty: ๐๐ค๐ค๐ค๐ค
Welcome to week four of government-mandated sourdough-baking and Netflix-binging, and my first post on Security Queens.
I’m asked quite often how I managed to get into the security industry, coming from a non-technical background, and for useful resources for people just starting out. My journey is quite short and simple – I’ve included some tips (from hiring managers I’ve spoken to) about the common mistakes people make when applying for entry-level security positions. I’ve also put together a list of learning resources on a few different topics underneath – some I’ve used, and a few recommended by the security community. I’ve done my best to check these out beforehand to make sure they’re safe for work/young people, but be mindful there might be some content intended for more mature audiences.
How I Got Into Security
(If you’re not here for this part feel free to skip ahead to the learning resource section below.)
So, I graduated a few years ago with a BA in English literature, and was lucky enough to pretty much jump straight onto a security-focused, rotational IT graduate programme in the finance sector.
I had a genuine, demonstrable interest in security beforehand – even though I didn’t know a lot, they were looking for the kind of person who fit with their culture and values, and could develop technical knowledge over time. Something I’ve heard repeatedly so far is: “You can teach technical skills, but you can’t teach passion or culture.”
I’d dabbled with some of the resources below – and also had the added bonus that my dad’s worked in IT for as long as I can remember, and is generally a cool person. (Thanks Dad – and sorry about that time I got mascara on your Oculus Rift when you let me try it.)
I’d also been going to conferences here and there for a few years, so I had a bit of an idea which areas I was most interested in at the time, had done a bit of networking, and tended to keep an eye on security news out of interest. On the subject of conferences – if you can find the right kind of event and are comfortable attending, I’d highly recommend going along. I’ve met some excellent people and learned about some super interesting research at conferences, and they really can add fun back into what can be a high-stress career at times.
I soaked up all the opportunities I was offered during my grad scheme, and tried to get as well-rounded an experience as I could. When I identified an area I was weaker in (which for me is technical skills, and likely will be for quite a while), I tried to engineer opportunities to work on those areas. After about 18 months, I did some Amazon Web Services training, and moved into a more technical role so I could build on these skills a little more. A while after that, I found my current internal security consultancy role.
So what do hiring managers say?
Firstly – soft skills are way more important than you realise. You might have a first-class technical degree from a good university, but if you don’t seem like a team player, or don’t interview well, the chances are you won’t land your dream job. Do your research on the company, make sure you have questions prepared to ask your interviewer, and get comfortable talking about yourself. For some people, mock interviews, or preparing with a friend or a mentor can really help. On the other side of this, be honest about your technical skills. If you overstate your abilities in an interview and are offered a role, it’ll become apparent quickly.
Secondly, not all employers place the same level of value and importance on having a degree. For some people (career-changers, people from non-academic pathways like apprenticeships, and college leavers) this is good news, but it might be a disappointing revelation if you’ve just spent three or four years working your tush off at university. Try to find job adverts that roughly line up with your skills, experience, and qualifications when you’re just entering the field – it gives employers (and you) more confidence that you’re capable of doing the job. That said, don’t be afraid of applying for the odd wild-card role that seems like a bit of a stretch once you’ve found your feet and got a bit of experience – challenges can help you grow, if that’s your goal.
Thirdly – and this one is important – be realistic when it comes to what you ask for. A lot of employers cite interviewing really promising candidates whose salary expectations immediately disqualify them as a serious option, because they’re asking to be paid the same as someone with three or four years of experience. Do some research – if the salary band isn’t listed, it’s relatively easy to find out what the average salary is for a particular role with your level of experience. If you’re really not sure, I’d suggest having a friend or someone in industry sense-check what you’re thinking of asking for. If you’re able to negotiate, don’t be afraid to have the conversation (tactfully).
Hiring managers – if you have any other advice for people looking to move into the industry – please leave a comment below.
Learning Resources
Phew! Now for the interesting part…
Here’s a list of useful resources to help keep you occupied during lockdown – I’ve tried to include different kinds (some blogs, some YouTube videos and podcasts, and some more interactive, task-based training or challenges), in case you learn best in a particular format. There’s a reasonable range of content at varying difficulty and technicality levels here, too – from fundamental tools, generalist security knowledge, and social engineering to penetration testing, networking, programming, cloud infrastructure, application security, and so on.
If you try any of these out, leave a comment and let me know what you found most helpful! Alternatively, if you have any other suggestions for things you’d like included here, leave a note and I’ll check them out!
Thank you for reading.
Morgan x
Blogs
Azeria Labs was created (by @Fox0x01 on Twitter) to provide educational material about exploitation of ARM devices, and is a really good intro to ARM Assembly and binary exploitation, including walkthroughs for deploying an ARM lab VM.
The HiddenText blog is run by Stuart Coulson (@SPCoulson on Twitter) – he blogs about high profile breaches, security news, useful podcasts and resources he’s come across, as well as more personal topics like mental health during isolation, and the support of the security community. If you’re looking for something human and easy-going – check HiddenText out.
Amanda Rousseau (@MalwareUnicorn on Twitter) is an Offensive Security Researcher at Facebook, specialising in reverse-engineering and malware analysis. Her website features several reverse-engineering workshops and a resource page for useful reverse-engineering tools.
Sean Wright – Software Security Engineer, OWASP Chapter Leader, Beer Farmer, blogger, twitterer. Sean mostly blogs about application security, and his blogs are bite-sized, easy reading, and make astute observations about current events in the tech/security arena. You can follow him on Twitter at @SeanWrightSec.
TheCyberWoman is a collection of stories about and blogs by women in cybersecurity, and aims to address the lack of representation of the women who make up roughly 10% of cybersecurity professionals. It’s run by Evelina Sinkeviciute, and features interviews with some fabulous women in security, including Dr Jessica Barker (of Cygenta), Saskia Coplans (of Digital Interruption), and Jenny Radcliffe (more on her further down).
ZephrSec is run by Andy Gill (@ZephrFish on Twitter), a Senior Security Consultant at Pen Test Partners. Andy runs a blog (mostly SFW), regularly presents at conferences, and has written a book on breaking into the security industry (SFW). If you’re new to the technical space, have a look at his ZTH (Zero to Technical Hero) series. ZephrSec also has links to a lot of recordings of talks Andy’s given (NSFW – strong language), and a podcast he co-hosts called WeegieCast (also NSFW – strong language).
Clouds (and stuff)
A Cloud Guru provides online training material (subscription required) for Microsoft Azure, Amazon Web Services (AWS) and Google Cloud Platform (GCP). They have a weekly podcast and updates to the website, covering new releases from Azure and AWS, and monthly updates about GCP services and Kubernetes. They also announced this week that they’ve implemented a Cloud Playground feature – a super popular feature already offered by Linux Academy – to allow people to deploy test infrastructure and complete the accompanying labs for courses.
Amazon are currently the largest provider of cloud infrastructure in the world, and with organisations increasingly adopting a “cloud-first” strategy, it’s a good idea to familiarise yourself with cloud technology. AWS provide a free tier, so certain resources are cost-free for the first year – which lets you practise deploying basic infrastructure. Two things worth doing on day one of a practice account: turn on a billing alarm (or an AWS Budget) so a forgotten instance can’t run up a surprise bill, and create an IAM user with MFA for day-to-day work instead of using the root account. Never paste either account’s keys into code you push anywhere. AWS also provide some free foundational training on their website, which introduces some of their services, their billing models, and their Well-Architected Framework. There are also annual AWS events, like re:Invent (where they announce new services and changes to their existing catalogue) and AWS Summits (where presenters cover a range of topics, such as the security services available). I went to a really cool talk at the AWS Summit (London, 2019) called Creating Resiliency Through Destruction – I’d really recommend giving it a watch if you want to learn more about chaos engineering in the cloud.
Cybrary is an online learning platform offering training courses from Introduction to IT & Cybersecurity, to Security+, CISSP, Cisco qualifications, and penetration testing. Some of their courses are free – for others you have to purchase a subscription. They also have an open blog based on user contributions that you can access through the free tier.
Linux Academy is similar to A Cloud Guru, but provides a broader range of courses. Linux Academy have a free-tier, Community Edition plan that gives you limited access to their training, or there’s a subscription version that gives you access to the practice labs, Cloud Playground and Sandboxes, and practice exams. Linux Academy and A Cloud Guru are pretty similarly priced – Linux Academy is slightly more expensive, but does offer more content at the moment.
Pluralsight have partnered with Microsoft and are offering free Microsoft Azure online training until 2025. They also offer courses on a range of other topics, including (but not limited to) web and mobile development, networking, database administration, malware analysis and penetration testing. At the time of posting, they’ve made all of their courses free for the whole of April. Pluralsight have a useful feature that lets you pick a training pathway and has you do a quick placement test to see how strong your knowledge is, to help you identify which areas to work on.
Coding
Codecademy is a catalogue of courses focused on learning to code (as the name suggests) – there are guided tutorials to teach you the key concepts, and you have the option to do mini-projects to cement your learning too. There’s a free membership option that covers quite a lot (about 180 hours) of content, but for their career paths/skills paths feature, projects, and courses like Python 3, you need to upgrade to a Pro membership.
GitHub is a collaborative platform for storing and developing code; it lets you automate builds and deployment, and allows other people to contribute to your work (with your approval). GitHub recently announced unlimited repositories and collaborators for their free account tier, and there are tutorials to help you get to grips with it if you’re new. One habit to pick up early: anything you push to a public repository, including every old commit, is visible to the world, so keep passwords and API keys out of your code from the start.
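A small check that catches the most common beginner mistake on a public GitHub repo (committing the access keys a free-tier cloud account hands you). This is an added example written for this page, not code from the original post or from GitHub; the regexes, the 3.5-bit entropy threshold and the `allow-secret` opt-out marker are the editor’s own choices, and the sample strings in the comments are constructed (the AWS values are the placeholder keys from Amazon’s own documentation).

```python
"""Minimal pre-commit secret scanner (added example, not part of the original post).

Run it as `python check_secrets.py` from a git repo to scan staged files, or pass
file paths explicitly. Exit status 1 means something looked like a credential.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) + 16 more.
# The lookarounds stop a longer random token from matching by accident.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 base64-ish characters. Requiring the variable name in
# front keeps ordinary hashes and checksums from being reported.
AWS_SECRET = re.compile(
    r"(?i)aws(?:_|-)?secret(?:_|-)?access(?:_|-)?key\W{0,5}['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Anything quoted and assigned to a secret-looking name; only reported if it is
# high-entropy, so `password = "changeme_changeme"` style placeholders pass.
GENERIC_SECRET = re.compile(
    r"(?i)\b(?:token|secret|password|api_key|apikey)\b\W{0,5}['\"]([^'\"\s]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; editor's choice, tune for your repo


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a string of one repeated char)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, source: str = "<stdin>") -> list:
    """Return (source, line_number, kind, value) for every suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "allow-secret" in line:  # explicit opt-out, e.g. for documented placeholders
            continue
        for m in AWS_KEY_ID.finditer(line):
            findings.append((source, lineno, "aws-access-key-id", m.group(0)))
        for m in AWS_SECRET.finditer(line):
            findings.append((source, lineno, "aws-secret-access-key", m.group(1)))
        for m in GENERIC_SECRET.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append((source, lineno, "high-entropy-secret", candidate))
    return findings


def staged_files() -> list:
    """Paths of files added/copied/modified in the git index (what a commit would ship)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def main(paths=None) -> int:
    paths = paths if paths is not None else staged_files()
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(find_secrets(fh.read(), path))
        except OSError as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)
    for src, lineno, kind, value in findings:
        # Print only the ends of the value so the hook itself does not leak it into logs.
        print(f"{src}:{lineno}: {kind}: {value[:4]}...{value[-4:]}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:] or None))
```

To wire it in, save it as `.git/hooks/pre-commit` (or call it from there) and make it executable; git will refuse the commit whenever it exits non-zero. It is deliberately narrow, so treat it as a seatbelt rather than a substitute for a proper secret scanner, and rotate any key it catches even if you never pushed it.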
Stack Overflow is a Q&A platform used for troubleshooting problems you might encounter with coding; if you’re just getting started and hit a snag, chances are somebody’s had the same problem before and there’s an explanation/solution for it on Stack Overflow. If you’re more experienced, you can answer other people’s questions, build points and collect community badges for helping.
Hacking
HackerOne hosts bug bounty and vulnerability disclosure programs for a large number of organisations (if you’ve never heard of these, they’re schemes where a provider invites outside researchers to find security problems in the systems it lists as in scope and to report them responsibly; the provider fixes the vulnerability, and in a bug bounty program, as opposed to a plain disclosure program, the finder is usually paid a reward). Always read a program’s scope and rules before you touch anything: testing systems that aren’t listed, or in ways the policy forbids, can be illegal no matter how good your intentions are. HackerOne’s free Hacker101 training and CTF teach you how to find web vulnerabilities and get involved in bug bounty programs.
HackTheBox is an online platform for practising penetration testing techniques against deliberately vulnerable machines. New machines are released on a weekly basis, and if you’re a university student you can collaborate with your classmates and compete against other universities for free. HackTheBox is a good place to up-skill and maintain your knowledge between CTF competitions. There’s also a paid (VIP) membership option, which gives you access to retired machines, as well as official walkthroughs for them. One caveat: you reach the lab over a VPN shared with every other player, so connect from a dedicated VM rather than the machine you do your banking on.
Immersive Labs is a pretty useful platform and covers a range of topics – there are different subscriptions available, but what’s super cool is that if you’re a student or have a .ac.uk email, you get more access to their training modules and challenges than a lite member. You can select your approximate skill level, desired pathway goals and skills you want to develop, and IL assigns you modules to complete to learn the topics on the pathway. There’s a lot of accessible content on here – if you’re new, it’s not a bad place to start.
TryHackMe is a platform of pre-built courses using cloud-hosted VMs which make deploying a CTF challenge or a workshop quick and easy. TryHackMe also includes tutorials and walkthroughs, and splits challenges into “rooms” dedicated to specific areas (e.g. Windows, web exploitation, Linux, reverse-engineering).
VirtualBox is Oracle’s free, cross-platform virtualisation software and lets you run virtual machines on your own computer – good for learning how to set up and use VMs, and a fair alternative to VMware if you’re just getting started. Take a snapshot of a fresh VM before you start hacking on it so you can roll back, and keep deliberately vulnerable VMs on a host-only or internal network rather than bridged to your real one. (NB: If you’re a computer science/security student in the UK, check with your university to see if you can get free access to VMware – some universities offer this, as well as free Microsoft Office for students, etc.)
Podcasts and YouTube
Coding drag queen extraordinaire Anna Lytical produces accessible YouTube tutorials to help you get started with coding. Her videos are in full drag, serving lewks – you can find her on Twitter too (@TheAnnaLytical).
This is one of my firm favourites. Naked Security is Sophos’s security news site and podcast, covering recent developments and news in the security arena – it’s super accessible and easy to digest. They’re also on Twitter (@NakedSecurity) and Instagram (@NakedSecurity) – this heading links to their website, and you can find their podcast online.
Jenny Radcliffe (@Jenny_Radcliffe on Twitter) specialises in social engineering (“people hacking”), and has a weekly podcast called The Human Factor – voted Best European Security Podcast 2018-2019. Jenny interviews other people in the security arena, and is super active in the security community. The Human Factor is easy listening – give it a whirl.
Smashing Security is a weekly podcast co-hosted by Carole Theriault (who founded the Sophos Naked Security site) and Graham Cluley (security researcher and blogger). There are over 170 episodes of Smashing Security so far, and they cover everything from WikiLeaks to ransomware, password managers and new vulnerabilities.
That’s all for now! Leave a comment below if you have other recommendations.
Hey!
That’s an interesting read! Could you please suggest any good resource on Automotive Security? I did find some blogs and groups, but they don’t give any idea of the security measures currently adopted in connected vehicles.
Hey! Glad you enjoyed it.
Sophia is the person to talk to about automotive security – I’ll check in with her and see if she has any good suggestions, but have you looked at the PenTestPartners and NCC blogs?
https://www.pentestpartners.com/automotive-security/
https://www.nccgroup.trust/uk/search/?q=automotive%20security&root=276
There’s some cool content under their automotive sections if not!
Morgan
Sophia suggested a few things that might be helpful:
https://github.com/zombieCraig/ICSim
https://medium.com/@yogeshojha/car-hacking-101-practical-guide-to-exploiting-can-bus-using-instrument-cluster-simulator-part-i-cd88d3eb4a53
https://www.amazon.co.uk/Car-Hackers-Handbook-Penetration-Tester-ebook/dp/B01CLAIL5C
Hope these help!
Thanks Morgan and Sophia for the suggestions. I have been going through Automotive Security research groups for a while. I’ll check out these!