One question that I frequently get asked is how one should go about building a career in cybersecurity. Having hired and overseen the careers of thousands of cybersecurity professionals at the company I founded and run, I thought I would jot down some ideas that may prove helpful to folks seeking to make their careers in this very exciting domain.
Must-have Technical Knowledge and Skills
I think a good understanding of the fundamental principles of networks, operating systems and databases is very important. Beginners should understand to a fair level the following concepts:
Networks and Network Security
1. TCP and UDP protocols, including what their headers look like and the function of each field in those headers. For instance, if you don’t understand what the IP header’s TTL value is, you will not grasp how traceroute works and why it doesn’t work in some networks. Similarly, without a good understanding of TCP flags, you would have a tough time figuring out how to get the most out of tools like Nmap.
2. IP, ICMP, DNS, ARP, RARP, FTP, and HTTP are some of the other important foundational protocols of the Internet. A strong understanding of how these protocols work helps you get more out of various scanning tools and interpret their results more effectively.
3. A good book to get started is Computer Networks by Tanenbaum. One of the other books that made me fall in love with networks and socket programming is UNIX Network Programming by W. Richard Stevens, who also wrote the very popular TCP/IP Illustrated series. I only did socket programming once as a paid assignment but learning how to do this can clear up so many concepts related to networking.
4. Network architecture. The ability to read and analyze a network diagram is very critical. The first time you look at a network diagram, it might seem overwhelming. My usual tactic is to simply ask the network administrator to walk me through the diagram. One of the easiest ways is to look for the Internet cloud in the diagram and then traverse your way to the core switch and then to the other links. Once you’ve done this a few times, it becomes fairly easy. All networks are built up from the same elements — firewalls, switches, routers, WANs, LANs, VLANs, etc.
5. Firewalls. The first firewall I played around with was iptables on Linux (the successor to ipchains). Many commercial firewalls back in the day were built on top of ipchains. Nowadays you not only have UTMs and Layer 7 firewalls, but firewalling capability is also present in the cloud via things like Amazon’s Virtual Private Cloud and Security Groups.
6. Windows knowledge is very important. Even if you love working on a Linux or a Mac system, many of the systems you’ll be attacking and securing will be Windows PCs and Windows servers. A good knowledge of startup programs, the structure of the Windows registry, services, users and groups, file system access control, the Event Viewer, etc., is very important.
7. Cleaning an infected system by hand is probably the best way to learn how malware infects a Windows system. Of course, you can do this only for low-tech malware, not for fileless, memory-only malware. But doing this repeatedly can quickly teach you many important concepts about Windows security.
8. Unix is one of the most powerful operating systems, and grasping important security concepts such as startup programs, connecting open ports to running processes (say using lsof or netstat), knowing log locations and log formats, pluggable authentication modules, bash history, etc. would go a long way when trying to attack a Unix system or escalate privileges. This is also very helpful when investigating a hacked Unix system. My favorite Unix fundamentals and security book is Practical Unix and Internet Security.
9. Among the popular databases — Oracle, Microsoft SQL Server, MySQL, etc. — I would suggest you play around with at least one of them. Again, numerous online and offline resources are available to learn the security principles of these technologies. Database security is one topic that tends to put off security professionals, but I feel it is one of the most important elements to be conversant with.
10. The workings of web applications, the basics of MVC frameworks, the role of front-end frameworks like AngularJS, etc., are important if you’re going to test and secure web applications. But don’t stop there; it would be a good idea to explore the building blocks of Android and iOS mobile apps. To really understand iOS apps, you might need a Mac, but that should definitely not stop you from learning as much as you can theoretically. There’s tons of material on the official Google and Apple sites dedicated to Android and iOS, including security how-to’s.
11. APIs and containers. With the world having moved to DevOps and micro-services architecture, it is an added advantage if you’re also conversant with the workings of APIs and containers and their security risks. Again, you need not be an expert here, but a fair bit of working knowledge would definitely go a long way.
12. The OWASP Top Ten Web Application Security Risks is also a non-negotiable element of your repertoire. Being able to explain each of the Top Ten issues would go a long way in setting you apart from the crowd. Being able to explain the mitigation measures for each of the issues would nearly seal the deal during an interview.
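To make item 1 concrete, here is an added example (my own code, not part of the original post) that unpacks an IPv4 header and the TCP header inside it, lists the TCP flags, names the Nmap scan type that sends that exact flag combination, and uses the TTL to guess the sender’s initial TTL and hop count, which is the same observation traceroute and OS fingerprinting are built on. The 40-byte packet is hand-assembled for this example with zero checksums; it is not a real capture.

```python
import struct

# Constructed sample: 20-byte IPv4 header + 20-byte TCP header for a SYN from
# 10.0.0.5:40000 to 10.0.0.9:80 with TTL 64. Hand-assembled for this example
# (checksums left as zero); not a real capture.
SAMPLE_SYN = bytes.fromhex(
    "45000028" "abcd4000" "40060000" "0a000005" "0a000009"   # IPv4: IHL=5, len=40, DF, TTL=64, proto=6
    "9c400050" "00000001" "00000000" "50020200" "00000000"   # TCP: 40000->80, seq=1, offset=5, SYN, win=512
)

TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                 ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]


def parse_ipv4(packet):
    """Decode the fixed 20-byte IPv4 header (options are skipped via IHL)."""
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    return {
        "version": ver_ihl >> 4, "header_len": ihl, "total_len": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload": packet[ihl:total_len],
    }


def parse_tcp(segment):
    """Decode the fixed 20-byte TCP header and the flag bits."""
    (sport, dport, seq, ack, off_flags,
     window, _csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4   # header length in bytes, options included
    flag_bits = off_flags & 0x01FF        # low 9 bits: the 8 classic flags plus NS
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAG_BITS if flag_bits & bit],
        "window": window, "header_len": data_offset,
        "payload": segment[data_offset:],
    }


def classify_probe(flags):
    """Name the Nmap scan type whose probe carries exactly this flag set."""
    table = {
        frozenset({"SYN"}): "SYN scan (-sS)",
        frozenset(): "NULL scan (-sN)",
        frozenset({"FIN"}): "FIN scan (-sF)",
        frozenset({"FIN", "PSH", "URG"}): "Xmas scan (-sX)",
        frozenset({"ACK"}): "ACK scan (-sA)",
    }
    return table.get(frozenset(flags), "not a standard Nmap probe")


def estimate_hops(observed_ttl):
    """Guess the sender's initial TTL (64 for Linux/BSD, 128 for Windows, 255 for
    most network gear) and hence how many routers decremented it on the way."""
    for initial in (64, 128, 255):
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL cannot exceed 255")


def summarize(packet):
    ip = parse_ipv4(packet)
    tcp = parse_tcp(ip["payload"]) if ip["protocol"] == 6 else None
    return ip, tcp


if __name__ == "__main__":
    ip, tcp = summarize(SAMPLE_SYN)
    print(f"{ip['src']}:{tcp['sport']} -> {ip['dst']}:{tcp['dport']} "
          f"ttl={ip['ttl']} flags={tcp['flags']}")
    print(classify_probe(tcp["flags"]), estimate_hops(ip["ttl"]))
```

Feed it a packet captured with tcpdump or Scapy and the same functions apply; the point of writing the parser yourself once is that Nmap’s scan options and traceroute’s per-hop TTL trick stop being magic.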
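Item 8 mentions connecting open ports to running processes with lsof or netstat. Both tools read /proc/net/tcp and then match each socket’s inode against the /proc/<pid>/fd symlinks, and doing that by hand is a good way to learn the format. The following is an added example (my own code, not from the original post): it decodes constructed /proc/net/tcp lines in the real kernel format, and maps inodes to processes using a constructed inode-to-process table so it runs offline; the socket_inode_owners() helper does the live /proc walk on a Linux box.

```python
import os
import socket
import struct

# Constructed sample in the exact layout of /proc/net/tcp on a little-endian
# Linux host: sshd listening on 0.0.0.0:22, mysqld on 127.0.0.1:3306, and an
# established connection from 10.0.0.5:40000 to 10.0.0.9:80. Not a real host.
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   102        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0500000A:9C40 0900000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed stand-in for the result of socket_inode_owners(): inode -> (pid, comm).
CONSTRUCTED_OWNERS = {"12345": (812, "sshd"), "23456": (1150, "mysqld"), "34567": (2048, "curl")}

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def decode_endpoint(hex_endpoint):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306). The kernel prints the IPv4 address
    as a host-order 32-bit integer, so on x86 the bytes appear reversed; the port
    is plain big-endian hex."""
    addr_hex, port_hex = hex_endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    entries = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        entries.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": fields[9],
        })
    return entries


def socket_inode_owners(proc_root="/proc"):
    """Live version of the lookup: inode -> (pid, comm) from /proc/<pid>/fd symlinks
    that point at 'socket:[inode]'. Without root you only see your own processes,
    which is exactly why netstat -p shows '-' for other users' sockets."""
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
            fd_dir = os.path.join(proc_root, pid, "fd")
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                if target.startswith("socket:["):
                    owners[target[len("socket:["):-1]] = (int(pid), comm)
        except OSError:
            continue                             # process exited, or permission denied
    return owners


def listening_sockets(entries, owners):
    """(ip, port, (pid, comm)) for every LISTEN socket; unknown owners get (None, '?')."""
    return [(e["local"][0], e["local"][1], owners.get(e["inode"], (None, "?")))
            for e in entries if e["state"] == "LISTEN"]


if __name__ == "__main__":
    rows = parse_proc_net_tcp(PROC_NET_TCP_SAMPLE)
    for ip, port, (pid, comm) in listening_sockets(rows, CONSTRUCTED_OWNERS):
        print(f"{ip}:{port}\tLISTEN\tpid={pid}\t{comm}")
```

On a real machine replace CONSTRUCTED_OWNERS with socket_inode_owners() and read /proc/net/tcp (and /proc/net/tcp6, whose addresses are 32 hex digits) yourself; when investigating a compromised host, a LISTEN socket whose inode no process admits to owning is worth a second look.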
Hacking Tools and Techniques
So far, I have not emphasized the hacking side of things. While it is exciting to run tools like Nmap and SQLMap, it is far more important to understand how systems work. This will help you execute the right steps against the given target and analyze the output of your tools properly. It will also help you give the right recommendations to the client. So, once you have a decent grasp of the fundamentals, you should seek to understand and get hands-on practice with:
13. Port scanning. Being conversant with Nmap and the various scanning options is a fundamental skill-set. A typical question sequence I use is as follows:
a. Explain port-scanning?
b. How many ports will you scan against a given target?
c. Which tool would you use?
d. What type of scan options will you select, and why?
If they’ve managed to answer correctly so far, I would ask:
e. How does Nmap’s OS fingerprinting work? Can you explain with an example?
A correct answer here would also demonstrate that you not only understand Nmap well, but you also have a fair idea of network fundamentals.
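To put questions (a) to (d) into code, here is an added example (mine, not from the original post) of a TCP connect scanner, the equivalent of Nmap’s -sT. It completes the full three-way handshake, so it needs no privileges, unlike the default SYN scan (-sS), which sends a raw SYN and stops at the SYN/ACK. It distinguishes open, closed and filtered the way Nmap does: SYN/ACK, RST, or no answer at all. The target is a throwaway listener the example starts itself on loopback, so it runs offline; parse_port_spec() and the port names are my own helpers. OS fingerprinting is deliberately out of scope here; it needs crafted probes and a signature database.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def parse_port_spec(spec):
    """Expand an Nmap-style port list such as '22,80,8000-8100' into a list of ints.
    Nmap's default is its top 1000 ports; '1-65535' is the full range."""
    ports = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def tcp_connect_probe(host, port, timeout=0.5):
    """One probe, one verdict. The three outcomes map onto what came back:
    SYN/ACK (handshake completes) -> open; RST -> closed; nothing -> filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"          # host reachable, nothing listening on that port
        except OSError:
            return "filtered"        # timed out or unreachable: something dropped the SYN


def scan(host, ports, workers=50):
    """Probe the ports concurrently and return {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: tcp_connect_probe(host, p), ports)
        return dict(zip(ports, states))


def open_ports(results):
    return sorted(p for p, state in results.items() if state == "open")


def start_local_listener():
    """Constructed target for this example: a listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_local_listener()
    results = scan("127.0.0.1", parse_port_spec(f"{port - 1}-{port + 1}"))
    for p in sorted(results):
        print(f"{p}/tcp\t{results[p]}")
    print("open:", open_ports(results))
    srv.close()
```

Note that a connect scan is the noisy option: every open port sees a completed connection in the application’s own logs, which is also why a defender watching for it should look at application logs and not only at the firewall.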
14. Application proxies like Burp Suite are the go-to tools for any application security tester. While I would not expect a beginner to know all of the advanced capabilities of Burp Suite, knowing how to set up a proxy, what it is used for, and how you might use it to test for, say, SQL injection would be good.
Good-to-have Technical Knowledge and Skills
Log Analysis
Logs can seem overwhelming the first time you come across them. But all you must do is confront the bully head-on! In my training workshops, I always throw different log file formats on the screen and ask the students to analyze what’s going on. At first, there’s a typical sigh across the whole class, but soon people begin to interpret the different fields and what they could mean. There are numerous tools out there, some that support multiple log formats, others which do a great job on a specific log format. With experience, you will figure out which tool works best for which type of log format, but nothing beats being able to look at raw logs and not be intimidated.
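In that spirit, here is an added example (my own, not part of the original post) that takes two formats you will meet on day one, sshd lines from /var/log/auth.log and Apache “combined” access log lines, pulls out the fields, and runs two simple detections over them: a sliding-window count of failed SSH logins per source address, and a count of distinct 404 paths per client, which picks out a scanner probing for files it was never linked to. The log lines are constructed for the example and use documentation address ranges; the thresholds are my own defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the real sshd (syslog) and Apache combined formats.
SSHD_SAMPLE = """\
Sep 13 10:14:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Sep 13 10:14:03 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Sep 13 10:14:05 web01 sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Sep 13 10:14:07 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51025 ssh2
Sep 13 10:14:09 web01 sshd[2219]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Sep 13 10:14:11 web01 sshd[2221]: Failed password for root from 203.0.113.7 port 51027 ssh2
Sep 13 10:20:44 web01 sshd[2300]: Failed password for kkm from 198.51.100.4 port 40110 ssh2
Sep 13 10:20:50 web01 sshd[2300]: Accepted password for kkm from 198.51.100.4 port 40110 ssh2
""".splitlines()

APACHE_SAMPLE = """\
203.0.113.7 - - [13/Sep/2020:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2020:10:15:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2020:10:15:02 +0000] "GET /.env HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2020:10:15:02 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2020:10:15:03 +0000] "GET /.git/config HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Sep/2020:10:16:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Sep/2020:10:16:41 +0000] "GET /missing.png HTTP/1.1" 404 209 "-" "Mozilla/5.0"
""".splitlines()

SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")

APACHE_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def parse_sshd_failures(lines, year=2020):
    """Yield (timestamp, source ip, username) per failed login. Syslog timestamps
    carry no year, so the caller supplies it."""
    for line in lines:
        m = SSHD_FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def brute_force_sources(failures, threshold=5, window=timedelta(minutes=2)):
    """{ip: most failures seen inside any `window`} for sources at or above threshold."""
    by_ip = defaultdict(list)
    for ts, ip, _user in failures:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):       # classic two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def parse_apache(lines):
    """Yield (client ip, request path, status) per access-log line."""
    for line in lines:
        m = APACHE_COMBINED.match(line)
        if m:
            yield m["ip"], m["path"], int(m["status"])


def web_scanners(requests, threshold=5):
    """{ip: distinct 404 paths} for clients that guessed `threshold` or more URLs."""
    misses = defaultdict(set)
    for ip, path, status in requests:
        if status == 404:
            misses[ip].add(path)
    return {ip: len(paths) for ip, paths in misses.items() if len(paths) >= threshold}


if __name__ == "__main__":
    print("ssh brute force:", brute_force_sources(parse_sshd_failures(SSHD_SAMPLE)))
    print("web scanners:", web_scanners(parse_apache(APACHE_SAMPLE)))
```

Swap the sample lists for open("/var/log/auth.log") and the access log and the same code works on gigabytes of logs, which is also roughly what the shell one-liners mentioned later in this article do with grep, awk and sort.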
Malware Analysis
As exotic as this topic sounds, the basics of analyzing any executable are not that difficult. I would not expect a fresher to be able to analyze disassembled code, but knowing how to run Sysinternals tools to monitor the behavior of an exe, or even basic tools like PEStudio, would be impressive coming from a beginner.
Cloud Security
I was debating whether I should keep cloud security in the optional section or not. I would suggest that firing up an AWS account might even be a good way to learn the fundamentals. Back in the day, we had to struggle to get a copy of, say, the Oracle database and install it. Today, all you need is a credit card and you can have all sorts of operating systems, databases and other technologies up and running in a matter of minutes. And playing around with these technologies is really the best way to learn. No amount of reading will give you the confidence that trying out the commands and security steps will give you. Also, while you’re playing around in the cloud, you will be able to understand various cloud security concepts, such as VPCs, Security Groups, S3 bucket security, etc.
Programming
This is a controversial subject within the security community. I would say that while it is not mandatory that you know a programming language, it helps a lot. During the interview process, unless it is mentioned on your resume, I would not ask about your programming know-how. But from personal experience, I can vouch for the power of programming when solving real-world technical issues. Again, which language you know is not important. Even C is fine. Shell scripting is possibly even better. Python is awesome. In college, we were taught Basic and C. We taught ourselves C++ and Java on the side. After college, I used Visual Basic to create some of the early set of tools that would help us conduct security audits. I taught myself HTML and CSS when building the company’s first website. I also taught myself Perl because it seemed cool. And finally, a forensics project I did a few years back forced me to learn Unix shell scripting because the client would simply not let us install any tools to analyze the gigabytes of logs.
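One of the first security-group mistakes you will make in that AWS playground is opening an administrative port to the world. Here is an added example (mine, not from the original post) that audits security group rules for exactly that: it walks rules in the shape EC2’s DescribeSecurityGroups returns and flags any rule whose source is 0.0.0.0/0 or ::/0 and whose port range covers a sensitive service, or which opens all protocols. The input groups are constructed for the example rather than pulled from an account; the list of sensitive ports is my own and is meant to be extended. The same check, run from boto3 against describe_security_groups()["SecurityGroups"], is a common first cloud-security script.

```python
import ipaddress

# Ports where "open to the Internet" is almost never intended. My own list; extend as needed.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 1521: "oracle",
                   3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb"}

# Constructed input in the shape of EC2 DescribeSecurityGroups output
# (boto3: ec2.describe_security_groups()["SecurityGroups"]). Not a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-0db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0; anything with a longer prefix is at least scoped."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_sources(rule):
    """All CIDR sources on a rule, IPv4 and IPv6 alike."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])] +
            [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_world_open(groups):
    """Return (group id, source cidr, port, service) for every world-open sensitive port."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            for cidr in rule_sources(rule):
                if not is_world(cidr):
                    continue
                proto = rule.get("IpProtocol")
                if proto == "-1":                      # "-1" means every protocol and port
                    findings.append((sg["GroupId"], cidr, "all", "all protocols and ports"))
                    continue
                if proto not in ("tcp", "udp"):        # icmp etc. carry type/code, not ports
                    continue
                ports = range(rule.get("FromPort", 0), rule.get("ToPort", 65535) + 1)
                for port, service in SENSITIVE_PORTS.items():
                    if port in ports:
                        findings.append((sg["GroupId"], cidr, port, service))
    return findings


if __name__ == "__main__":
    for group, cidr, port, service in audit_world_open(SAMPLE_GROUPS):
        print(f"{group}: {service} ({port}) reachable from {cidr}")
```

Port 80 and 443 open to the world on sg-0web are not reported, because that is what a web tier is for; the fix for the two findings is to restrict 22 to a bastion or VPN range and to delete the all-traffic rule entirely.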
Communication Skills
You carried out an awesome pen-test, you got root on the company’s main eCommerce server, you got Domain Admin on their Active Directory, but when you presented your findings the final reaction in the room was ‘meh’. Yes, this has happened to me, and it proves that while the quality of your work is very important, it is equally important to be able to present your findings in the right way. One common mistake that many security professionals make is to fill up their report with jargon such that only another security professional would be able to understand what’s going on, if that.
It is very important that you are able to articulate not only the details of the vulnerabilities you have found, but also their risks to the organization, how you found those vulnerabilities, and what the appropriate recommendations are to fix the issues. A recommendation for the Apache web server when the vulnerability was found in an IIS server is a common put-off. SQL injection mitigation measures that only talk about white-listing or black-listing input, but not about parameterized queries with strongly typed parameters, are another one. Reports that don’t have a management-friendly executive summary are also problematic. Over-hyped or under-hyped articulation of risks undermines the excellent work you may have done.
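Since SQL injection comes up three times in this article (item 12 on the OWASP Top Ten, item 14 on testing for it with Burp, and the recommendation quality just mentioned), here is one added example (my own code, not from the original post) that shows all three sides on an in-memory SQLite table: a login query built by string concatenation, the kind of token blacklist a report should not settle for, the same login with bound parameters, and a lookup that enforces the parameter’s type before it ever reaches the database. The payload is the one you would send through Burp’s Repeater to confirm the finding. Table, users and hashes are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("admin", "5f4dcc3b"), ("alice", "e99a18c4")])
    return conn


def naive_blacklist(value):
    """The 'mitigation' that only strips known bad tokens. It is case-sensitive and
    incomplete, which is the usual fate of blacklists."""
    return value.replace("--", "").replace(" OR ", "")


def login_vulnerable(conn, username, password_hash):
    # String-built query: whatever the user typed becomes part of the SQL text.
    sql = (f"SELECT id, username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password_hash):
    # Bound parameters: values travel separately from the query text, so a quote
    # or a keyword in the input is data, never syntax.
    sql = "SELECT id, username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


def user_by_id(conn, user_id):
    # Strongly typed parameter: reject anything that is not an int up front
    # instead of trying to filter characters out of a string.
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        raise TypeError("user_id must be an int")
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Same payload against the vulnerable and the parameterized login."""
    conn = make_db()
    # Lowercase 'or' slips past the case-sensitive blacklist. In the concatenated
    # query, AND binds tighter than OR, so the WHERE clause becomes
    # username = 'admin' OR ('x' = 'x' AND password_hash = 'wrong') and admin matches.
    payload = "admin' or 'x'='x"
    return {
        "vulnerable": login_vulnerable(conn, naive_blacklist(payload), "wrong"),
        "parameterized": login_parameterized(conn, payload, "wrong"),
        "legit": login_parameterized(conn, "admin", "5f4dcc3b"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:14s} -> {row}")
```

The report recommendation that follows from this is specific: use parameterized queries (or the ORM’s bound parameters) everywhere, validate parameter types at the boundary, and treat input filtering as defence in depth rather than the fix.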
Along with strong written and verbal communication skills, the ability to create decently formatted Word documents and PowerPoint presentations is also important. There are tons of resources online, and I would strongly advise you to spend time on these aspects as well.
Communication skills will also help you overcome challenges during project execution, interact positively with your peers and seniors in the company, and fast track your career progression.
Analytical Skills
If you’re not solving challenging problems as part of your job, you will soon become redundant. If running scans and copy-pasting results is your main job, I have sad news for you: a tool will take over your job shortly. To solve problems, you need strong analytical skills. I am not an expert in this field, and I don’t know how best one should go about building one’s analytical skills. But here are some helpful tips:
1. Listening. When a client is articulating the problem, the ability to simply listen, acknowledge what they are saying, take notes, jot down your questions, and await your turn to speak is a key skill. (secret tip: it also makes you appear more knowledgeable on the subject than you might be!)
2. Solving non-work-related problems on a regular basis helps hone your problem-solving muscles. Are you good at Sudoku or crossword puzzles? Then read no further sensei, you are already ahead of the curve.
3. Positing hypotheses and then testing them is the core of problem solving. This is the scientific method, and we must apply it to our work as well. Given a situation, what are the possibilities? If you’re faced with a login page, what are the possible vulnerabilities that could exist? Those are hypotheses, or, as we call them, test cases. Then you test each one, see what the results are, and note them down. This systematic approach to testing an application is often ignored in favour of the more exciting approach of throwing Nmap, the Burp Suite scanner, SQLMap and the kitchen sink at the application.
4. Behind every problem there is a solution (and often more than one). Questioning all the baked-in assumptions and exploring unconventional hypotheses is very important. Again, you can teach yourself to become good at problem-solving, and with practice you get better at it.
Having read all of this, it might scare you to think how long it would take to cover all of these topics to be able to ace your interview. My estimate is that even if you spent two weeks on each of the sub-topics under the must-have section, it still only requires about 28 weeks or about 6 months. Many of you would be able to get there much faster.
Before we conclude, I would also like to share my views on bug bounties. Should you participate in these programs? Sure, go ahead. All practice is good. Are they a serious career option? Absolutely not. Do not get enamored by the few success stories you read on social media; for the majority of people, bug bounties can at best be a hobby or a side income. If during the interview your claim to fame is that you found XSS vulnerabilities in some Content Management System that no one has heard about, it won’t impress me much.
One key topic to cover is do you need to acquire certifications. Honestly, no. If I am interviewing you as a beginner, and you are able to demonstrate confidently your knowledge in the above topics and can clear the practical tests we conduct, the certifications won’t matter at all. You can always acquire them once you are earning a decent salary. So, don’t worry too much about certifications at this stage of your career.
The final point I would like to address is your college degree. Do you need to have a degree in computer science or computer engineering to become good at cybersecurity? Absolutely not. I dropped out of college to start my firm, and thousands of cybersecurity experts come from a non-CS background, many even from a non-tech background. So do not let the lack of the right college degree ever make you think that you can’t make it in this industry. Focus on learning and practicing as much as you can — constantly.
Source: The blog post “Cyber security Career Guidance — Part 1 — the Beginner’s Journey” was published on Medium.com on September 3rd 2020, by our Founder & CEO KK Mookhey.
K. K. Mookhey (CISA, CISSP) is the Founder & CEO of Network Intelligence (www.niiconsulting.com) as well as the Founder of The Institute of Information Security (www.iisecurity.in). He is an internationally well-regarded expert in the field of cybersecurity and privacy. He has published numerous articles, co-authored two books, and presented at Blackhat USA, OWASP Asia, ISACA, Interop, Nullcon and others.