The new year is always a great time to set new resolutions. And a great resolution is to do things that would help on the professional front.
One question that I frequently get asked is how one should build a career in cybersecurity. Having hired and overseen the careers of thousands of cybersecurity professionals at the company I founded and run as CEO, I thought I would jot down some ideas that may prove helpful to folks seeking to make their careers in this fascinating domain.
MUST-HAVE TECHNICAL KNOWLEDGE AND SKILLS
A good understanding of the fundamental principles of networks, operating systems and databases is essential. Beginners should understand to an acceptable level the following concepts:
1. TCP and UDP, including what their headers look like and the function of each header field. For instance, if you don’t understand the TTL value, you will not grasp how traceroute works and why it fails in some networks. Similarly, without a good understanding of TCP flags, you will have difficulty getting the most out of tools like Nmap.
2. IP, ICMP, DNS, ARP, RARP, FTP, and HTTP are some of the other critical foundational protocols of the Internet. A strong understanding of how these protocols work helps you get more out of the various scanning tools and interpret their results more effectively.
3. An excellent book to get started is Computer Networks by Tanenbaum. Another book that made me fall in love with networks and socket programming is UNIX Network Programming by W. Richard Stevens, who also wrote the top-rated TCP/IP Illustrated series. I only did socket programming once as a paid assignment, but learning how to do it clears up so many networking concepts.
4. Network architecture. The ability to read and analyze a network diagram is critical. The first time you look at a network diagram, it might seem overwhelming. My usual tactic is to simply ask the network administrator to walk me through the diagram. One of the easiest ways is to look for the Internet cloud in the diagram and then traverse your way to the core switch and the other links. Once you’ve done this a few times, it becomes relatively easy. All networks are built up from the same elements: firewalls, switches, routers, WANs, LANs, VLANs, etc.
5. Firewalls. The first firewall I played around with was the Linux kernel’s packet filter (ipchains, later replaced by iptables). Many commercial firewalls back in the day were built on top of ipchains. Nowadays, you have UTMs and Layer 7 firewalls, and firewalling capability is present in the cloud via things like Amazon’s Virtual Private Cloud and Security Groups.
6. Windows knowledge is essential. Even if you love working on a Linux or a Mac system, many of the systems you’ll be attacking and securing will be Windows PCs and Windows servers. Good knowledge of startup programs, the Windows registry structure, services, users and groups, file system access control, the Event Viewer, etc., is vital.
7. Cleaning an infected system by hand is probably the best way to learn how malware infects Windows. Of course, you can do this only for low-tech malware and not for file-less, memory-only malware. But doing this repeatedly can quickly help you understand many important concepts about Windows security.
8. Unix is one of the most powerful operating systems, and grasping important security concepts such as startup programs, connecting open ports to running processes (say using lsof or netstat), knowing log locations and log formats, pluggable authentication modules, bash history, etc., goes a long way when attacking a Unix system or escalating privileges. This is also very helpful when investigating a hacked Unix system. My favourite Unix fundamentals and security book is Practical Unix and Internet Security.
9. Among the popular databases — Oracle, Microsoft SQL Server, MySQL, etc. — I suggest you play around with at least one of them. Again, numerous online and offline resources are available to learn the security principles of these technologies. Database security is one topic that tends to put off security professionals, but I feel it is one of the most critical elements to be conversant with.
10. The workings of web applications, the basics of MVC frameworks, the utility of front-end frameworks like AngularJS, etc., are crucial if you’re going to test and secure web applications. But don’t stop there; it would be a good idea to explore the building blocks of Android and iOS mobile apps. To really understand iOS apps, you might need a Mac, but that should definitely not stop you from learning as much as you can theoretically. There’s tons of material on the official Google and Apple sites dedicated to Android and iOS, including security how-tos.
11. APIs and containers. The world has moved to DevOps and microservices architecture; it is an advantage if you’re conversant with how APIs and containers work and with their security risks. Again, you need not be an expert here, but a fair bit of working knowledge would definitely go a long way.
12. The OWASP Top Ten Web Application Security Risks is also a non-negotiable element of your repertoire. Understanding each of the Top Ten issues would go a long way in setting you apart from the crowd. Being able to explain the mitigation measures for each issue would nearly seal the deal during an interview.
So far, I have not emphasized the hacking side of things. While it is exciting to run tools like Nmap and SQLMap, understanding how systems work is more critical. This will help you execute the proper steps against the given target and analyze the output of your tools properly. It will also help you provide the appropriate recommendations to the client. So, once you have a decent grasp of the fundamentals, you should now seek to understand and get hands-on practice with:
13. Port scanning. Being conversant with Nmap and its various scanning options is a fundamental skill. A typical question sequence I use is as follows:
a. Explain port scanning.
b. How many ports will you scan against a given target?
c. Which tool would you use?
d. What type of scan options will you select, and why?
If they’ve managed to answer correctly so far, I would ask:
e. How does Nmap’s OS fingerprinting work? Can you explain with an example?
A correct answer here would also demonstrate that you not only understand Nmap well, but you also have a fair idea of network fundamentals.
14. Application proxies like Burp Suite are the go-to tools for any application security tester. While I would not expect a beginner to know all of Burp Suite’s advanced capabilities, knowing how to set up the proxy, what it is used for, and how you might use it to test for, say, SQL injection would be enough.
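As an added illustration of item 1 (TCP/IP header fields, TTL) and of the port-scanning questions above (this is example code, not part of the original article), the following Python decodes a raw IPv4/TCP header and interprets the reply to a single SYN probe the way nmap -sS does: SYN/ACK means open, RST means closed, and no reply at all is what Nmap reports as filtered. The packets, addresses and sequence numbers are constructed inline and the checksums are left at zero; the initial-TTL guess is a crude hint based on common OS defaults, not Nmap’s fingerprinting engine.

```python
import struct

# TCP flag bits in header order (low bit first): RFC 793 flags plus the ECN bits.
TCP_FLAGS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
    0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR",
}


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the 20-byte fixed IPv4 header and return the fields that
    traceroute and scanners care about (TTL, protocol, addresses) plus the payload."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes, options included
    return {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "protocol": proto,                # 6 = TCP, 17 = UDP, 1 = ICMP
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": pkt[ihl:total_len],
    }


def parse_tcp(seg: bytes) -> dict:
    """Decode the 20-byte fixed TCP header; the 4-bit data offset and the
    flag bits share one 16-bit field."""
    (sport, dport, seq, ack, off_flags,
     window, _csum, _urg) = struct.unpack("!HHIIHHHH", seg[:20])
    flag_bits = off_flags & 0x00FF
    flags = [name for bit, name in sorted(TCP_FLAGS.items()) if flag_bits & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "window": window, "flags": flags}


def guess_initial_ttl(ttl: int) -> tuple:
    """Crude hint only: hosts usually start at 64 (Linux/BSD), 128 (Windows) or
    255 (many network devices), so the observed TTL suggests both an OS family
    and the number of hops traversed. Real OS fingerprinting uses far more."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL is an 8-bit field")


def classify_syn_scan_reply(pkt: bytes) -> str:
    """Interpret the reply to one SYN probe as a SYN scan does.
    (A missing reply, which this function never sees, is 'filtered'.)"""
    ip = parse_ipv4(pkt)
    if ip["protocol"] != 6:
        return "not-tcp"
    flags = set(parse_tcp(ip["payload"])["flags"])
    if "RST" in flags:
        return "closed"
    if {"SYN", "ACK"} <= flags:
        return "open"
    return "unexpected"


def build_packet(src: str, dst: str, sport: int, dport: int,
                 flags, ttl: int = 64) -> bytes:
    """Construct an IPv4+TCP packet for the demo; checksums are left as 0."""
    flag_bits = sum(bit for bit, name in TCP_FLAGS.items() if name in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 1,
                      (5 << 12) | flag_bits, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


if __name__ == "__main__":
    # Constructed replies from a hypothetical target 10.0.0.9 to the scanner 10.0.0.5.
    for name, flags, ttl in (("port 80", ["SYN", "ACK"], 119),
                             ("port 81", ["RST", "ACK"], 119)):
        reply = build_packet("10.0.0.9", "10.0.0.5", 80, 40000, flags, ttl)
        ip = parse_ipv4(reply)
        print(name, parse_tcp(ip["payload"])["flags"], classify_syn_scan_reply(reply),
              "initial TTL / hops:", guess_initial_ttl(ip["ttl"]))
```

A TTL of 119 on the reply points at a Windows-style initial value of 128 nine hops away; that is exactly the kind of reasoning the interview question e. above is probing for, and it is also why traceroute breaks when a middlebox rewrites or refuses to decrement TTL.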
GOOD-TO-HAVE TECHNICAL KNOWLEDGE AND SKILLS
Logs can seem overwhelming the first time you come across them. But all you must do is confront the bully head-on! In my training workshops, I always throw different log file formats on the screen and ask the students to analyze what’s going on. At first, there are the usual blank looks across the whole class, but soon people begin to interpret the different fields and what they could mean. There are numerous tools out there that support multiple log formats, and others that do a great job on one specific log format. With experience, you will figure out which tool works best for which type of log format, but nothing beats looking at raw logs and not being intimidated.
As exotic as malware analysis sounds, the basics of analyzing any executable are not that difficult. I would not expect a fresher to analyze disassembled code, but knowing how to run the Sysinternals tools to monitor the behaviour of an exe, or even essential tools like PEStudio, would be impressive coming from a beginner.
I was debating whether I should keep cloud security in the optional section or not. I suggest that firing up an AWS account might be an excellent way to learn the fundamentals. Back in the day, we had to struggle to get a copy of, say, the Oracle database and install it. Today, all you need is a credit card, and you can have all sorts of operating systems, databases and other technologies up and running in a matter of minutes. And playing around with these technologies is really the best way to learn. No reading will give you the confidence that trying out the commands and security steps will provide you with. Also, while you’re playing around in the cloud, you will come to understand various cloud security concepts, such as VPCs, Security Groups, S3 bucket security, etc.
Programming is a controversial subject within the security community. I would say that while you don’t need to know a programming language, it helps a lot. Unless it is mentioned on your resume, I would not ask about your programming know-how during the interview process. But from personal experience, I can vouch for the power of programming when solving real-world technical issues. Again, which language you know is not essential. Even C is acceptable. Shell scripting is possibly even better. Python is awesome. In college, we were taught Basic and C. We taught ourselves C++ and Java on the side. After college, I used Visual Basic to create some of the early set of tools that would help us conduct security audits. I taught myself HTML and CSS when building the company’s first website. I also taught myself Perl, because it seemed cool! And finally, a forensics project I did a few years back forced me to learn Unix shell scripting because the client would simply not let us install any tools to analyze the gigabytes of logs.
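To show what "confronting the log bully head-on" looks like in practice, and as an example of the kind of small program the programming paragraph argues for, here is an added Python example (not from the original article) that parses Apache/nginx combined-format access log lines and runs two simple detections over them: a login brute force (many 401/403 responses on /login from one client) and SQL-injection-looking requests. The log lines are constructed for the demo; real logs will contain malformed lines, which is why the parser reports what it could not parse rather than silently dropping it.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# Apache/nginx "combined" log format. Knowing the field order matters more than
# the tool: client IP, identd, user, timestamp, request line, status, size,
# referer, user agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample, not a real capture: a login brute force from 203.0.113.7
# that eventually succeeds, one injection probe from 198.51.100.23, ordinary
# traffic from 192.0.2.10, and one truncated line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2021:09:12:01 +0530] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Jan/2021:09:12:02 +0530] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Jan/2021:09:12:02 +0530] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Jan/2021:09:12:03 +0530] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Jan/2021:09:12:04 +0530] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Jan/2021:09:12:05 +0530] "POST /login HTTP/1.1" 401 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Jan/2021:09:12:06 +0530] "POST /login HTTP/1.1" 302 - "-" "curl/7.68.0"
192.0.2.10 - - [10/Jan/2021:09:12:30 +0530] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2021:09:12:31 +0530] "GET /images/logo.png HTTP/1.1" 200 9120 "http://shop.example/index.html" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2021:09:15:44 +0530] "GET /search?q=%27%20OR%201%3D1--%20 HTTP/1.1" 500 231 "-" "python-requests/2.25"
203.0.113.7 - - [10/Jan/2021:09:16:00 +0530] "GET
"""

# Deliberately loose: enough to surface the obvious probes for a human to review.
INJECTION_RE = re.compile(r"'\s*(or|and)\s+|union\s+select|sleep\s*\(|--\s*$", re.I)


def parse_line(line: str) -> Optional[dict]:
    """Return a dict of fields for a well-formed combined-format line, else None."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    entry["path"] = unquote(entry["path"])   # see what the application saw, not %27
    return entry


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def unparsed_lines(text: str) -> list:
    """Lines the regex rejected; a forensic analyst never throws these away."""
    return [l for l in text.splitlines() if l and not COMBINED_RE.match(l)]


def find_login_bruteforce(entries: list, threshold: int = 5) -> dict:
    """Clients with at least `threshold` failed authentications on /login."""
    failures = Counter(e["ip"] for e in entries
                       if e["path"] == "/login" and e["status"] in (401, 403))
    return {ip: n for ip, n in failures.items() if n >= threshold}


def successful_logins(entries: list) -> list:
    """IPs that got a non-error response from /login (did the brute force work?)."""
    return [e["ip"] for e in entries if e["path"] == "/login" and e["status"] < 400]


def find_injection_probes(entries: list) -> list:
    return [(e["ip"], e["path"], e["status"]) for e in entries
            if INJECTION_RE.search(e["path"])]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("parsed:", len(entries), "unparsed:", unparsed_lines(SAMPLE_LOG))
    print("brute force:", find_login_bruteforce(entries))
    print("later success from:", successful_logins(entries))
    print("injection probes:", find_injection_probes(entries))
```

The interesting finding here is not any single line but the combination: six failures followed by a 302 from the same client, which is what turns "noisy scanner" into "probable compromised account" in a report.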
You carried out an awesome pen-test, you got root on the company’s central eCommerce server, you got Domain Admin on their Active Directory, but when you presented your findings, the final reaction in the room was ‘meh’. Yes, this has happened to me, and it proves that while the quality of your work is paramount, it is equally important to present your findings in the right way. One common mistake that many security professionals make is filling up their reports with jargon such that only another security professional would be able to understand what’s going on.
You must be able to articulate the details of the vulnerabilities you have found and their risks to the organization, how you found those vulnerabilities, and the appropriate recommendations to fix the issues. A common put-off was a recommendation for the Apache web server when the vulnerability was found on an IIS server. Another is SQL injection mitigation advice that only talks about white-listing or black-listing input but not about parameterized queries with strongly typed parameters. Reports that don’t have a management-friendly executive summary are also problematic. Over-hyped or under-hyped articulation of risks undermines the excellent work you may have done.
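To make the SQL injection recommendation concrete, here is an added Python example (not from the original article) using an in-memory SQLite database: a login check built by string concatenation, the same check behind a naive deny-list filter that a trivially mangled payload slips past (and that also breaks a legitimate password), the parameterized version a report should actually recommend, and a typed lookup that rejects bad input before any SQL runs. The table, the user record and the payloads are constructed for the demo.

```python
import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed demo database: one user, plaintext password for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'correct horse')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """The classic bug: user input concatenated into the query text, so
    username  ' OR 1=1--  turns the WHERE clause into 'always true'."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_denylist(conn, username: str, password: str) -> bool:
    """The weak fix a report should not recommend on its own: strip 'OR' and
    hope. The payload  ' oORr 1=1--  survives the filter as  ' or 1=1--  ,
    while the honest password 'correct horse' is mangled and stops working."""
    def clean(s: str) -> str:
        return re.sub(r"(?i)or", "", s)
    try:
        return login_vulnerable(conn, clean(username), clean(password))
    except sqlite3.OperationalError:
        return False          # malformed query: application error, login refused


def login_parameterized(conn, username: str, password: str) -> bool:
    """The real fix: placeholders. The driver passes the values separately
    from the query text, so quotes and comment markers are just data."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def user_by_id(conn, raw_id: str):
    """Strong typing on top of parameters: an id must be an int before it
    reaches the database, so '1 OR 1=1' raises ValueError and no SQL runs."""
    user_id = int(raw_id)
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR 1=1--"
    print("vulnerable, payload     :", login_vulnerable(conn, payload, "x"))
    print("denylist, payload       :", login_denylist(conn, payload, "x"))
    print("denylist, mangled       :", login_denylist(conn, "' oORr 1=1--", "x"))
    print("denylist, real password :", login_denylist(conn, "alice", "correct horse"))
    print("parameterized, payload  :", login_parameterized(conn, payload, "x"))
    print("parameterized, real     :", login_parameterized(conn, "alice", "correct horse"))
    print("typed lookup, id 1      :", user_by_id(conn, "1"))
```

When you write the recommendation, this is the shape it should take: name the parameterized API for the client’s actual stack, show the before and after, and explain why input filtering alone is neither sufficient (bypassable) nor safe (it corrupts legitimate input).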
Along with strong written and verbal communication skills, creating decently formatted Word documents and PowerPoint presentations is essential. There are tons of resources online, and I would strongly advise you to spend time on these aspects as well.
Communication skills will also help you overcome challenges during project execution, interact positively with your peers and seniors in the company, and fast track your career progression.
If you’re not solving challenging problems as part of your job, you will soon become redundant. If running scans and copy-pasting results is your main job, I have sad news for you: a tool will take over your job shortly. To solve problems, you need strong analytical skills. I am not an expert in this field, and I don’t know how best to build analytical skills. But here are some helpful tips:
1. Listening. When a client articulates the problem, the ability to simply listen, acknowledge what they are saying, take notes, jot down your questions, and await your turn to speak is crucial. (secret tip: it also makes you appear more knowledgeable on the subject than you might be!)
2. Solving non-work-related problems regularly helps hone your problem-solving muscles. Are you good at Sudoku or crossword puzzles? Then read no further sensei, you are already ahead of the curve.
3. Positing hypotheses and then testing them is the core of problem-solving. This is the scientific method, and we must apply it to our work. Given a situation, what could be the possibilities? If you’re faced with a login page, what are the possible vulnerabilities that could exist? Those are hypotheses, or as we call them, test cases. Then you test each one, observe the results, and note them down. This systematic approach to testing an application is often ignored in favour of the more exciting technique of throwing Nmap, the Burp Suite scanner, SQLMap and the kitchen sink at the application.
4. The basic principle is that behind every problem is a solution (and possibly multiple solutions); questioning all the baked-in assumptions and exploring unconventional hypotheses is fundamental. Again, you can teach yourself to become good at problem-solving, and with practice, you become better at it.
Having read all of this, it might scare you to think how long it would take to cover all of these topics to ace your interview. My estimate is that even if you spent two weeks on each of the fourteen sub-topics under the must-have section, it still only requires about 28 weeks, or roughly six months. Many of you would be able to get there much faster.
Before we conclude, I would like to share my views on bug bounties. Should you participate in these programs? Sure, go ahead. All practice is good. Are they a serious career option? Absolutely not. Do not get enamoured by the few success stories you read on social media; for the majority of people, bug bounties can at best be a hobby or a side income. If, during the interview, your claim to fame is that you found XSS vulnerabilities in some Content Management System that no one has heard of, it won’t impress me much.
One key topic to cover: do you need to acquire certifications? Honestly, no. If I am interviewing you as a beginner, and you can demonstrate your knowledge confidently in the above topics and clear the practical tests we conduct, the certifications won’t matter at all. You can always acquire them once you are earning a decent salary. So, don’t worry too much about credentials at this stage of your career.
The final point I would like to address is your college degree. Do you need to have a degree in computer science or computer engineering to become good at cybersecurity? Absolutely not. I dropped out of college to start my firm, and thousands of cybersecurity experts come from a non-CS background, many even from a non-tech background. So do not let the lack of the right college degree ever make you think that you can’t make it in this industry. Focus on learning and practising as much as you can — constantly.
Luckily for you, our new year resolution is to cater to the industry’s growing demand for cybersecurity professionals. Hence, along with courses on the topics mentioned above, we also provide other trainer-led courses such as Blockchain security, HIPAA, Reverse Engineering Malware, and many more.
Since a new year demands a new you, why not begin the new year with a new job? If you believe you’ve upskilled enough to land a cybersecurity role in this fast-paced industry, check out our Careers page and explore the myriad opportunities we provide. You can also send us your resume at firstname.lastname@example.org, and our team will get back to you if any openings befit your profile.
K. K. Mookhey (PCI QSA, CISA, CISSP, CISM) is the Founder Director at Network Intelligence (www.niiconsulting.com) as well as the Founder of The Institute of Information Security (www.iisecurity.in). He is an internationally well-regarded expert in the field of IT governance, information risk management, forensic fraud investigations, compliance, and business continuity. He has more than a decade of experience in this field, having worked with prestigious clients in India such as the top 4 private bank, the top 4 public sector banks, the top 5 IT companies, and some of the largest industrial conglomerates. Internationally, he has done consulting and audit engagements for United Nations organizations, numerous Banks and manufacturing firms in the Middle East, as well as various government entities. He has published numerous articles, two books, presented at numerous conferences such as Blackhat, OWASP Asia, ISACA, Interop, and Nullcon.