Tips for an Information Security Analyst/Pentester career - Episode 1: General hints and initial technical recommendations

 Last Updated: April 6, 2024
 
Guys on Quora ask me all the time for tips on how to start a cyber security career.

I find the thing a little hilarious because I'm still figuring it out myself.

I worked as a Security Analyst for a while and I was lucky enough to work for Dave Kennedy but, as of right now, I'm on the job market so I find the thing kinda funny.
 
I've been a penetration tester for 6 years so far. However, I love helping others out, so I decided to come up with a series of posts that I hope might be useful for anyone approaching this industry or for anyone who wants to progress their career into information security.


General considerations


  1. NEVER GIVE UP, NEVER QUIT. NEVER
  2. Love what you do. You'll burn out and hate your work, otherwise
  3. Be ready to work your as* off (that goes along with the above bullet)
  4. Make sure you can read a log or a Wireshark capture and get training wherever you can
  5. Learn all the time, even when you're home. Create a home lab.
  6. Be humble, don't think you got somewhere. What you know today can be disputed tomorrow
  7. Learn your company's SIEM as soon as you can
  8. Think of ways to be an asset to your company or a potential employer
  9. Help your coworkers out, don't throw them under the bus 
  10. Don't be a jerk

 
Why do you want to have a career in cyber security?

Right reasons
  1. Passion: You're an info sec junkie like myself and that's all you want to do. You can't think of any other careers for yourself. You earned a degree for it (two degrees, in my case), you're constantly learning for it, you're getting certifications for it, you're working your ass off for it. You're ready to go the extra mile to be successful in this field and you'll be taking any possible certifications, training, classes and experiences you need. What you don't know, you can learn. You love what you do. You're willing to do whatever it takes, help others out, volunteer and get your hands dirty. That's what ultimately matters. In my case, I have 13 years' experience in IT, but you might start out with no experience. If so, volunteer somewhere and start doing something.
  2. Fun: This work can be a lot of fun, especially as a pentester. Jeez, you're paid to hack! Can there be something more exciting? People in this line of work are very professional but, depending on the companies you're in, the workplace can be laid-back and friendly. If you don't like suit-and-tie corporate cultures (yuck!) that can be really perfect for you. However, quoting Spider-man, great power implies great responsibility, which brings me to the next bullet point.
  3. Ethics: You want to be a professional and behave as such, no matter what. Customers ultimately pay you and you want to stick to the highest ethical principles when dealing with their information. You care for their information as if it were yours. Remember, we deal with personal data in our line of work, and such data can be very sensitive at times. As analysts, we want to make sure not to overlook an attack pattern or sloppy security implementations, because that could lead to lives being ruined, to bankruptcy or other fatal aftermaths. I wanna sleep at night. You feel an obligation to step up against the bad guys. Someone must stop them from ruining our economy and ultimately our democracy. If you're a would-be pentester, don't be careless with your attack patterns, don't disrupt data without any reason, don't launch a DoS attack at any time. Yes, I know you're having fun hacking (why would you ever be in this line of work otherwise?), but don't let the excitement from all this carry you away too much. Remember, the reason why you were hired to get a pentest done is to help the business. This should always be in your mind. You're hired to prevent vulnerabilities from being exploited, not to take a business server down.
  4. Personality: You like to be challenged, you enjoy seamless learning and training. You're not afraid of taking on new roles and learning new software because, man, it's fun! Info sec changes and you need and want to keep up. You have to, because you'll be out of a job soon otherwise, but you nevertheless love it, because you can always get better.

Wrong reasons

  1. Money: You read some blog posts and articles on Forbes or other sources, stating some guys in this industry earn $200,000 per year, and you got all excited about it. If this is the only reason why you're seeking to join this industry, I tell you right away you're wrong and you should switch careers asap. I'm not saying those sources are wrong or false, only that they can be misleading. You can reach that level, but it's not so easy, kiddo. It takes a lot of hard work, certifications, talent, skills and sacrifices for you to get there. You need to get top-level certifications (such as CISSP), which are very pricey and require previous experience, to be the best at what you do every single day and to gain experience and seniority, in order to get there. An entry-level job will start out much lower than that. More importantly, the learning curve and the work schedule are crazy and, if you don't love what you do, you'll get burned out pretty soon and will start hating your job. The media blindside you, because they only show you a person at the top of his/her career, but don't tell you how many sacrifices, setbacks, failures and losses they had to face. The road to success is a very bumpy one and info sec is no exception to this rule. Don't get into info sec for the money. You'll hate your work, you'll hate your customers and your customers are gonna hate you. You'll do shitty work and you'll hate your life. Please don't. We don't need other jerks in this industry.
  2. Fame: Though the best hackers are sometimes featured in the news, most of what you do in info sec is team work and you get rewarded as a team. You need to be a team player, bro. If you're a superstar, maybe a freelancing career is better for you, but you're gonna find it hard to get it started because no one knows who you are or what your qualifications might be. You need to play by the rules if you want to succeed here. No one will hire you if you think you're a superstar. You always learn in this industry, ALWAYS, EVERY SINGLE MINUTE of your life, so no one is entitled to feel better than anyone else. Maybe I suck today, but can you tell me where I'm gonna be in 5 years? Maybe not.

Technical recommendations

  1. Experience (chicken or the egg dilemma): You need to get experience for you to have experience in this industry. No, it's not a tongue twister. Employers are looking for the purple unicorn and require experience, even for entry-level jobs, which is totally wrong, but nonetheless it is what it is (see my previous post Cyber security skill shortage: real problem or result of bad hiring practices? on this). You need to have previous info sec experience, or at least general IT experience, for you to get hired, unless they see something special in you. Get experience somewhere, learn all you can, get all the training you can (check below for training recommendations). Build a virtual lab and practice what you learn theoretically in a virtualized environment by running hands-on stuff. I'm personally following this book to build an advanced virtual pentesting lab and I recommend it (DISCLOSURE: I'm not tied to its author in any way, nor has anyone paid me for saying so). It's a great deal of information for $33 (shipping included). I'm going to provide sources for free training below.
  2. Education: Most employers require a Bachelor's Degree, but not everyone is so big on that. Experience and/or certifications might supersede that, but it's much up to the employer. If you deal with recruiters, especially if they're not directly working for the company (I could open up another chapter on recruiters, let's not get started on that), it's all about a box-ticking process. I attended a community college and received a very hands-on education, which I'm very happy with. I consider it as equally valuable as what you can get from a four-year college education, which is sometimes overly theoretical and doesn't teach you a thing; nonetheless, I still mostly get discriminated against. I talked to a recruiter for a big name University one time and all they had to offer me was Criminal Justice. All due respect to cops and whatnot, I don't have that type of mindset. You can consider going to an accredited community college that allows you to transfer to a bigger university or four-year college in order to get your Bachelor's. You'll save money and will develop contacts that will help you with your career and your personal development. I consider my decision to go back to college one of the best in my life. The contacts and collaborations I developed at Stark State have been very important to me. That's my alma mater and it feels like home every time I go back there. I got my job at Binary Defense through my college, for example, and the same could happen to you.

Where to get free learning and training (from my bookmark library)

  1. Microsoft Technet: You can download trial versions of any Microsoft products (I just downloaded Windows Server 2016) and get free technical training on each one of them. Most importantly, there are free online labs available 24/7. They run online on virtual machines and they're awesome! They're as fast as hell and very reliable. You can download the lab manual and study any specific Windows feature you want. There's all sorts of stuff, but I found server training really valuable. I'm not a Windows lover but, man, those labs really rock!! If you're a student, you can also download free Microsoft software from Microsoft Imagine (formerly known as DreamSpark).
  2. Other websites: E-learning is booming in this industry, as it seems everyone wants to be a hacker right now, so I'd always take websites offering free or cheap online training cum grano salis. However, I personally tested specific websites, such as Coursera, Udemy and Cybrary, and I found their classes mostly valuable (Update: I'd add TCM Security and Altered Security here). Anyhow, if you spend $10 on a class and it teaches you even one additional skill, it's worth it. In IT, and especially in info sec, there's always something new to learn and you want to stay on top of the most current technology.
  3. Splunk training: Free Splunk training with several levels, beginner to developer.
  4. Microsoft Virtual Academy
  5. Cisco Networking Academy
  6. Teach yourself computer science
  7. Free online courses from top universities
  8. GCF LearnFree

Sites where to practice hacking
  1. Vulnhub
  2. www.hackthissite.org
  3. Offsec Proving Grounds
  4. Hackthebox
  5. VulnLab 
  6. TryHackMe

Deliberately vulnerable web applications to practice web hacking

  1. Metasploitable (Metasploitable 3, as well)
  2. DVWA (Damn Vulnerable Web Application)
  3. WebGoat
  4. Google Gruyere
  5. Owasp Juice Shop

Info Sec organizations where to volunteer and network with other professionals

  1. ISSA
  2. ISACA
  3. ISC2

Other ways to stand out

  1. Start a tech blog: Once again, it's not a matter of making money, but of showcasing your technical skills and having an online presence. Potential employers can have a much clearer idea of what you can do and of your skill level. Showing you can do something is much better than saying you can do something. If I publish a video tutorial where I create a Windows domain controller (which I did; check my post How to create a Windows domain controller), for example, this is something proving what I can do, compared with telling someone I can create a domain controller. The video I made documents step by step how I did it; it proves I can run through a complex installation like that and get it done flawlessly. It's out there on YouTube for everyone to see. I can say whatever I want, I can describe myself as a superstar but, at the end of the day, in this industry it's only about what you can actually do. You can't fake it till you make it here. If you try to fake it, a hiring manager for a potential employer (who can very likely be a guy with 20 years of experience) will bust you right away and you'll look really bad (and dumb). I started this blog in 2013 and I keep it going. It's the outcome of my passion but it also allows me to learn more. In fact, when I have to write a post on a certain topic, I need to read about it, run the software, learn from my mistakes and so on. And every time I learn something new, I add a new skill that could help me out in the future with my professional career.

Wrap up

As you can see, there's plenty of stuff to do if you wanna start a career in cyber security.

This is only the first episode of our journey.

Over coming posts, I'll show you something much more hands-on, such as reconnaissance, OSINT, some basic web app vulnerability assessment, network mapping and port scanning with Nmap and more.

Feel free to post a comment requesting any topics of your interest, and I'll try to come up with a post on it.

It's a good way for me to practice the Security+ material from a hands-on perspective and to have some fun with it, too, at the same time.

Stick around and don't forget to add comments if you're interested in specific topics you want explained in the coming posts!
