this post was submitted on 12 Jul 2023
4 points (100.0% liked)

cybersecurity

3242 readers
2 users here now

An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!

Community Rules

Enjoy!

founded 1 year ago
MODERATORS
 

Hello! My name is Mike and I am an infosec engineer with 10+ years experience. I've worked in GRC, Vulnerability Management, PenTesting & AppSec. I have 17 SANS certs (I have a serious problem) and I'm also an infosec community enthusiast and creator/mod for /c/cybersecurity. AMA!

top 8 comments
sorted by: hot top controversial new old
[–] cooopsspace@infosec.pub 1 points 1 year ago* (last edited 1 year ago) (1 children)

How do you get your work to pay for certs? 17 certs would be like 100k for me. And I don't mean salary.

[–] shellsharks@infosec.pub 1 points 1 year ago

My old work place had a relatively progressive training policy and a decently healthy budget. The real beauty of it was that the budget was a departmental pool. The IT department did NOT take a lot of training so those few of us who did want to take advantage of it had access to a huge pool of money. Think, 10 people accessing money meant for 100 people kinda thing…

[–] humanreader@infosec.pub 0 points 1 year ago (2 children)

Hi Mike, I recently started working as programming intern for a company doing webapps. I've worked part-time gigs in a completely different field before, that means I got no certs, no job experience in IT to speak of, I'm not the young guy fresh out of school anymore. However, my interests have always been to break into cybersecurity and have slowly added some relevant knowledge as bare minimum... linux bash scripting, selfhosting, networking and etc. I've been checking out the certs usually recommended plus all the specializations out there and gotta say this is no easy commitment, but I do want to learn.

The thing is, what I'm currently seeing as intern is very different from what people in this field usually speak of online: For example, I was expecting the latest tools and whistles, but the company I'm at uses very old (10 years) frameworks for maintenance and support for corporate clients, windows only, proprietary stuff with very little documentation online. It gets... demotivating? It's still a job and I have bills to pay, but I'm wondering how many years of experience do I need as a regular web developer (if my contract is renewed, even) to even attempt branching into infosec?

I know this gets asked a lot. Sorry for the long text. TL;DR: just started as intern programmer, company works with ancient dinosaurs instead of latest stuff, years of experience needed to become hackerman (or jumping from first one to others shown here)?

[–] shellsharks@infosec.pub 0 points 1 year ago (1 children)

I don’t think there’s some minimum XP (in terms of YoE) bar to hit. You just need to be able to demonstrate your practical XP in some manner. Some people get this through work in IT/cyber, others through academics and others still through personal projects and doing things at home. There is a TON of self-teaching options these days through online trainings, CTFs, cons, meet-ups, etc… And lots of ways to document and market your experience and know-how (blogs, social media, podcast, etc…). Personally, I suggest learning a bit of coding, some cloud XP, start a small blog or post about what you’re learning on a micro-blogging platform and network network network.

As for your current place of employment, having a VERY legacy environment can actually be somewhat good for security as it may be “easier” in some respects to find misconfigurations and Vulns. Does your company have any security resources? If not, try to volunteer to help in that area, if they do, introduce yourself and ask to shadow/help/learn from them.

[–] humanreader@infosec.pub 2 points 1 year ago

I see. I will have to document my progress and remind myself the company isn't actually financing this. I should start by creating a blog.

Haven't personally talked to the IT dep yet - I am in a small dev team for internal webapps and the last time we contacted them was because of printer problems, hah. Will try contacting them once I feel ready.

Thank you for the insights. Sorry I took too long to respond.

[–] Doe@infosec.pub 0 points 1 year ago (1 children)

If anything that’s a great learning environment. Offensive security is a lot of reverse engineering, figuring out how stuff works based off (extremely) limited information and understanding how best to attack it.

Moreover, as these are old systems, they’re more likely to be outdated and vulnerable - not that you should try without permission or a clear understanding of what you are doing, particularly on production gear.

At any rate, no company will pay you to learn a completely different job to the one they hired you for. So you’re going to have to spend some of your own time learning about security. Where to start has been repeated ad nauseam online so I won’t attempt it.

[–] humanreader@infosec.pub 1 points 1 year ago

Sorry for the late answer.

I haven't thought of it that way - if I can convince my boss to test my skills on the legacy systems the company is running, it could be beneficial for both... assuming I get permission and enough actual skills to assess vulnerabilities.

Thank you for the perspective. I agree that intro posts are repeated ad nauseam, I will find my own way.

[–] thundergun@infosec.pub 0 points 1 year ago

Hey there Mike. Thanks for doing this. With AI/ML changing the face of infosec, what do you predict infosec will look like in 5 years?

Also as a fellow SANS enjoyer, it's great training. What are your top 5 SANS courses and why is GREM number 1?