Saturday, February 11, 2023

Security Testing | Security 4 No0bs - Finding Your Path

The Video: How To Find YOUR career path in Cybersecurity - 2023 (Live) Ed.

hosted by: @monicatalkscyber & @mikemillercyber | Streamed live on Feb 8, 2023 | https://www.youtube.com/live/ikzsvxR0T5Q

“He who has a Why can endure any How.” ― Friedrich Nietzsche

I wanted to pivot from my promised discussion on Burp Suite to discuss the purpose of having a path (based on a video I watched). It was about an hour-or-so discussion on a wide range of Cybersecurity themes around the topic of "getting started", namely how. Here's what I learned:

1. Know Your Why

As I discussed in my previous post, having a "why" is essential to the journey. When you know the purpose of what you are doing you can go about taking the necessary steps to make it happen. I won't belabor the point of the "why", but I know why I want to get into Cybersecurity. My question now is how to get where I'm going. It can be easy to get lost in the noise. There are so many things that are cool to know and do.

2. Find A Niche That Aligns With Your Passion

Reining in the varied interests has been the hardest part of my learning so far. I know I need to know about Networking, but it gets boring. I know I need to pay attention to Security+ topics, but understanding tooling is just as important. Then there are topics like Threat Modelling and Threat Hunting that speak to me. As someone with a background in testing, the foundation is in place, but deciding what to choose is tough when everything speaks to me. I'm still on the fence between actual Pen Testing or Threat Hunting.

3. Know How To Communicate

Another key topic in the video that was greatly emphasized was communication skills. Rather than call them "soft" skills, it was stressed that this should be regarded as a required skill. Being able to discuss complex topics with non-technical individuals, report findings, or sell the need for a particular tool is essential to the job.

4. Have People Skills

Along with solid Communication skills are "People skills". Knowing your audience is a talent. Making friends and influencing others is truly an art that is also essential to the job. People skills can mean anything from knowing whom to approach when an incident occurs, to knowing how to take initiative and deliver instructions in the event of a natural emergency. Cybersecurity is way more than just the 1s and 0s in a terminal.

5. Choose A Specialty & Expand Outward

Bringing it back to the topic of a specialty, the hosts of the video recommended choosing a specific specialty, learning it, and working to expand into other fields. It's not far-fetched to imagine someone starting out as an Auditor and eventually pivoting to Risk Assessment, or "Blue Teaming". The take-away: there is no linear trajectory.

6. Work On Your Brand

The hosts - Monica & Mike - mentioned the idea of selling yourself as a "brand". A brand - a product or service - consists of a recognizable name and a reputation. I have a hard time with this as I am actively working to repair my reputation from previous instances of past mistakes and what-not! The brand that is me is long overdue for a revamp. And orienting myself towards this new endeavor is a great way to start. As someone who needs to get started in Cybersecurity, being a service to the company implies adding value and being indispensable. That's the goal. Answer the questions, "who are you?" and "what can you do for me?"

7. Showcase Your Knowledge

When you have an established brand and set of skills, the next thing they mentioned was "selling your knowledge." The dichotomy of showcasing your talent is coming off like you need attention. You have to highlight what you know, but do it in a manner that doesn't appear vain. Personally, I prefer being the "silent option" - get in, do the job, get out ... no need for accolades or glory.

8. Network, Network, Network

As stated earlier, along with the need to build a brand is exposure. Getting started in Cybersecurity is equal parts what you know and who you know. The hosts in the video stressed the idea of networking as the key to get started. Follow companies, interact with posts, promote your own knowledge, even attend meet-ups and the like. Anything to interface with professionals in the industry is fundamental to getting noticed and even bypassing the traditional HR routes. This is something I'm actively working through.

9. Get Certified

The topic of certification is somewhat controversial. On the one hand, it's not about the paper certification but rather the experience. On the other hand, certification is proof of competency. One thing is certain: there are definite certifications I plan to pursue, and when money gets good, they will happen.

10. Pay It Forward

Paying it forward was not discussed in the video, but it is something I promised myself I would do when I get proficient in my craft. As I have been mentored, I have also done a lot of self-paced education and marking down the things I have learned. If nothing else, this has helped rein in the many, many things I want to learn. It is important to know where you are going and why. I would love to pass on this knowledge to the next person who decides they want to pursue this career.

Conclusion: Your Path Is Not A Straight Line, But Rather A Long Winding Road!

Overall it was a great video. There was a lot I already knew, and a couple of new things I learned. The greatest take-away of all was the idea that there is no linear path. There is no explicit time-table for getting started. There is nothing to hold you back from your passions except you. You have to know your why and you have to grind. There will be times when doubt creeps in. When Imposter Syndrome rears its ugly head. Those are the times you have to get your mind right. When you know your why, you can endure any how. You can get after it! And I plan to get after it.

Til next time ... Ciao For Now!

Friday, February 10, 2023

Security Testing Journal Entry | w/e Friday February 10, 2023


Highlights for the week

Another quiet week, with a few wins. I cannot stress enough how important it is to have a mentor that can be the wind in your sails. Learned about threat hunting and how the process is closely related to the QA process. I guess my +12 years have not gone to waste.


What We Loved

  1. Had another round of interviews with a potential job lead. Over-preparation was good, and the results were worth it.
  2. Meeting with my mentor is always the greatest part of my Fridays.
  3. Working on the QA Automation Strategy for iHeart Radio proved invaluable for a few other opportunities that presented themselves.

What We Learned

  1. For Network+: On the networking side, spent a good bit on learning about protocols and ports.
  2. For Security (Ed.): Read a quick write-up titled "Hunting Evil: Your Practical Guide To Threat Hunting" by SQRRL. A fascinating read. The process was identical to testing.
  3. For Security (Tooling): Spent a day with Burp Suite, learning about exploiting a "password reset" cookie.
  4. For QA: Got a little more advanced on API testing. Fixed the failing test for registering a new customer.
  5. For QA: Also learned something new regarding automation strategy, namely the testing quadrants that make up test types that add value.

What We Longed For

  1. More time. There are days when there are simply not enough hours to get things done.
  2. Need more time to write my book.

What We Loathed

  1. Owing the state tax money sucked.
  2. 5.5 months of unemployment has been "educational" but the money is slowly running out. I have projected 2.4 months left before tapping into my retirement.

Sunday, February 5, 2023

Security Testing | Security 4 No0bs - The Importance of Your "Why"

Knowing your why can determine your how

Hello Reader,
I recently came across a post on my LinkedIn feed in which the author wrote about a few questions that were introspective. I wanted to take a few minutes from my usual posts about tools and tactics to discuss why we are doing what we do. Why am I learning Cybersecurity? What are my goals? How will I get where I want to go?

Knowing our why is super-critical to determining the how. As I progress through this learning journey, I am often overwhelmed with the amount of information being disseminated. Things like "40 YouTube channels to check out", "33 Websites to learn Cybersecurity for free", add 500 new connections today. OMFG! Way too noisy! It is critical to silence the noise and get to what is real. Here are the questions posted that you can ask yourself. I will post my answers below.

“I want to go into cyber because _______”

I never considered Cybersecurity as a career path. I stepped into it as a choice when selecting a track to focus on while studying at Devry IT. I enrolled with the pretext of learning some basic computer skills, perhaps web development. This was all before boot camps like Flatiron or General Assembly. There was a call for people to sign up and choose a particular path rather than general studies. Been in love since.

Sadly the school was inadequate in terms of teaching professionals, and to have made the most of my learning I would have had to continue in their 'Masters' program. I was already disappointed with the last year in school, and had to take out a bunch of loans just to finish.

To answer the question concretely, I want to get into cyber because (a) it will be a lateral move from my current station as a QA Engineer, and (b) I absolutely love the learning process and hunting for exploits.

“I want this company because _______”

I have yet to hang my hat on any one company, but there are several companies that speak to me in terms of what they do. BrightSec is a company that specializes in dynamic application security testing (DAST). They would be cool to learn from. Red Balloon is legit! Gremlin is a company I just interviewed for that employs different attacks to test site reliability. Overall, any company that is cool and can teach me something is the one for me.

“I want this role because _______”

I am still working through the exact role I want to occupy, but Pen Tester seems like the obvious choice. The start to Cyber seems to be in compliance, but threat modelling intrigues me. Overall, I would answer this question by saying I want the role of Pen Tester because it is a natural fit for my skills and experience ... plus it is just too damn fun! Purple Team is the dream.

Conclusion:

Knowing your why is like having a lantern in a dark forest. It will guide you. Structure your learning, orient your goals, and align your career objectives to those goals. When you know your why, those late nights grinding through boring lessons and tedious acronyms will make sense.

Ciao For Now!

Tune in next week, I will give a brief write-up on Burp Suite and some of the cool things I have learned.

Security Testing Journal Entry | w/e Friday February 3, 2023


Highlights for the week

Since my last entry, it was an uneventful week in terms of the security learnings and job search. A couple of days were practically unproductive.

  1. A fairly quiet week. Not much to report in terms of anything major.

What We Loved

  1. Connections to new job prospect look promising.
  2. Working with a connection on a QA Automation Strategy project was instrumental in my interview for another opportunity.

What We Learned

  1. So Network+ has been a great learning experience. Struggled a bit on IP subnetting. I understand the "why".
  2. Started my Security+ journey .. again.
  3. Completed the first set of MFA labs in Burp Suite. On to the next lab: Vulnerabilities In Other Auth. Mech.

What We Longed For

  1. I need to get back to my Hack The Box training modules. Wasting $20, but I need more cubes to move forward.

What We Loathed

  1. Another week where there was no meeting with my mentor. Not sure how much longer I will keep this going. She's great people, but flaky!