Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!

  • dipbeneaththelasers@kbin.social
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    I’ve always been curious if command centers are a thing in cyber security. Is there a room full of people at every major bank monitoring infrastructure health and network traffic for signs of infiltration or compromise, ready to pounce? And if so, is that as cool of a job as it sounds or am I delusional?

  • vpz@infosec.pub
    link
    fedilink
    English
    arrow-up
    3
    ·
    1 year ago

    Something I don’t think is talked about enough in offensive cybersecurity training / skill development are communication skills. Too often we are seeing folks try to enter these roles without the ability to write reports and give presentations to audiences with a mix of technical and business attendees. My recommendation to folks considering these roles is to put in the time to get communication skills to a very professional level. Train it just like report writing or public speaking was a new shiny hacking certification. It will improve your chances of landing the job.

    • nechered@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Agree, when I have held talks for cybersecurity students I usually tell them that a lot of the work time goes into writing report. Because the customer (be that internal or external) does not care about what cool thing you did during the test, they care about the risk and your findings have to reflect that.

    • dipbeneaththelasers@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Agreed, and I think this goes for a lot of technical professions. You’re better at your job if you can walk the business walk and talk the business talk. I sit at the nexus of business and data, and working on being fluent in both makes me better at both.

  • wop@infosec.pub
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 year ago

    I am hosting multiple services, but my application/web security knowledge is lacking. Is there a guide or framework to check for common or risky mistakes? Is there a list of things I should check every application for, or guide on how to harden hosted applications? That is a topic that I am going to tackle in the near future, and would appreciate some tips in advance.

    • ComradeKhoumrag@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      There’s a browser extension you can use by owasp, I think it’s “Penetration Tool Kit” or ptk

      I stopped using it because it was slow (being a browser extension and all) but I do like how easy it was to use while needing to be logged in or get past captchas

      Owasp zap is good for reconnaissance scanning

      I really like burp suite for reverse engineering a web app. You can use the proxy to intercept http packets and see what every change illicits

    • unashamedgeek@infosec.pub
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      OWASP is arguably the standard for web application assessments. They cover most of the areas and testing guidance. Burp Suite web academy offers labs that cover many web application security issues. For secure coding, you’d need to look for references aligned with your language of choice.

  • br3ad@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I have around 6 years of experience in different fields like vulnerability management, web penetration testing, SAST, DAST, secure architecture reviews and threat modeling.

    What is a career path suitable for someone with this background? Security architect? Principal security engineer? I am not sure what steps I should be taking to progress. I am considering taking CISSP or CCSP as a major cert in the coming year.

  • sumikko@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Looking for resources (books/blogs/videos) on how to get started with getting into cyber security. I’ve got 13 years of work experience of which 10 as a Linux sysadmin/SRE/DevOps (it’s a culture, not a role) and 3 years as a software developer. I understand the field is wide and there’s many positions I could look getting into.

    I get along with people well and have worked as a consultant before, so I could see doing that at some point as a contractor once I’ve got more experiencing in the field. Generally I’m not a big fan of working at big companies, but don’t mind doing gigs for them.

    I guess familiarizing myself with pentest and other tooling would be a good start?

  • angrynomad@infosec.pub
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Having minimal professional IT experience, yet an IT degree, what should I focus on to get into the cybersecurity field?

    • shellsharks@infosec.pubOPM
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Got your 3 C’s right here --> Code, Cloud, Collection (and by collection I mean document what you learn in a blog or GitHub or something). For coding, I’d say go with Python and for cloud, get a free AWS account and learn the basics.

  • solidsnail@infosec.pub
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    I feel like I’m a bit lacking when it comes to finding race condition vulnerabilities. Any tips on that?

  • matt@infosec.pub
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    General question but how do y’all actually find a mentor? I feel like there’s probably a local group nearby me or something that I could look into but are there places/people that are more likely to say “yes, I will mentor you” in y’all’s experience?

      • matt@infosec.pub
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        @shellsharks@infosec.pub Sorry, was offline for a few days! Not really sure what I’m looking for, honestly? Mostly someone to kind of push me for doing more/exploring more? I’d like to focus in on AI security as well as container security and I know I can start that work on my own – I just know it’s easier/more likely for me to do things if I have someone filling in the blanks on things I don’t know that I don’t know. I’ll start with those there (been following She Hacks Purple and InfoSec Sherpa for a bit) and see if any long hanging fruit shakes lose from the tree, thanks again!

        • shellsharks@infosec.pubOPM
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          I’ve seen some good AI-related security things out of OWASP lately and some container security stuff from DataDog if you want to do a little googling.

    • ComradeKhoumrag@infosec.pub
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      For free? Youre probably best finding help on forums like this. Hacker news is decent also

      If you’re willing to pay, well then obviously there’s a market for it

      • matt@infosec.pub
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        That makes sense, thanks! Have you ever hired a mentor before? I imagine it’d be a lot like hiring a coach but how would you know that they’re not just being kind of a “yes man” or at the very least kind of reputable?

        • ComradeKhoumrag@infosec.pub
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          Yeah, check out David Bombal on YouTube. He interviews hackers. I recommend looking at those and the channels of people he interviews

          I pay @three_cubed AKA master OTW [occupy the web]. It’s good information, but what’s your academic background like? I came in with an advanced degree and felt the tier that was right for me was the most expensive (subscriber pro)

          My day job isn’t infosec related, but when I do find time to better those skills I’ve found this loop pretty fun:

          Vulnerability scan websites (like with owasp zap) Find a most severe vulnerabilities I haven’t done before (XSS for example)

          Play capture the flag targeting that vulnerability.

          Similar process works with nmap or shodan to get information about what services are running on an IPs port. Then using metasploit to try and run scans/fuzz inputs, deliver payload, run exploit, and perform post exploitation activities (typically data infiltration/exfoliation)

          Eventually I’m gonna try and get into reverse engineering malware

          • matt@infosec.pub
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            write_that_down.jpeg

            This is amazing info, thank you! So I have a BS in comp sci and applied math but all my experience is from ~10 years in different roles in IT from helpdesk to now cloud engineering/devops. I’ve had been doing some CTF’s and Juice Shop for a bit but fell off because things got busy (as they always do). Lately I’ve been looking at reversing DRM for old shareware games just to get more familiar with the concepts but it’s been mostly looking rather than doing so far lol. What I really want to get better at are namely two things:

            • Container security and exploiting it
            • Getting better at understanding how things work at lower levels to be better at reverse engineering

            Really appreciate the insight and hope that everything goes well with your plans!