I am looking to certify myself into Infosec
My current play is as follows:
>Getting a CCNA then a CCNP security
>Getting a CISSP
>Studying ethical hacking on my own with platforms such as Google Gruyere
>Improving my Bash/Linux knowledge

What do you think? Is this a good plan or should I look into other certs?

meme image, it's funny to pretend being Elliot

  1. 2 weeks ago
    Anonymous

    too much work, what's your end goal? a job?
    you can get that now if you just social engineer your way in.

    • 2 weeks ago
      Anonymous

      idk sounds pretty vague
      how do you envision yourself, are you looking for a job?

      I mostly wanna stop being a webdev and focus on an infosec position. I am hoping to get a mid tier post with those certifications, but I also feel a need to get better at networking and security, because my college courses were kinda lacking on that end.

      • 2 weeks ago
        Anonymous

        infosec as a hobby is fine, but between the two careers infosec is more at risk of becoming obsolete to automation. as it is now every career in the field is mostly just a glorified writing job.

        • 2 weeks ago
          Anonymous

          wrong
          writing is for gays unless you're writing exploits

          Yep, I went to college for CS, it's just that I have become annoyed at being a frontend dev, and being a backend one is not any more fun.

          In frontend the main complaint I have is needing to interact with the clients. In backend I might actually be better off, but some of the tech stacks are fricking bad and I would rather do something else tbh.

          learn to code, learn to find bugs in code, learn to exploit bugs, take control

          do not
          do NOT
          seek out a fake cert riddled email job

          • 2 weeks ago
            Anonymous

            Sadly those are the only ones I have seen. I have been interviewed a few times through a tech interview, but most of the time it is an HR lady who reads the requirements she was given.

            Infosec sounds comfier than dev, mainly because you can overwork yourself while deving, which I hope isn't as common in infosec.

            I do expect to do overtime if shit hits the fan, though.

          • 2 weeks ago
            Anonymous

            ( Not OP here, but a lurker. )

            What's the best way of doing that?
            Youtube tutorials are full of garbage and don't teach real skills, and the tech scene on social media is bloated with clickbait bullshit.

            I want to put in the reps, but I don't know the exercise routine.
            Where can I pump that iron, or how?

          • 2 weeks ago
            Anonymous

            You want to do vulnerability research?
            Find bugs in software and write exploits for them?
            ost.fyi - https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Vulns1001_C-family+2023_v1/about + Any other courses that seem interesting to you.
            That + googling can get you far.
            Look up sandboxescaper's writeup on vuln research. If this thread is alive in 30min I'll post it since I saved a copy.

          • 2 weeks ago
            Anonymous

            https://web.archive.org/web/20200215060101/https://sandboxescaper.blogspot.com/2019/12/chasing-polar-bears-part-one.html

            https://web.archive.org/web/20200204163406/https://sandboxescaper.blogspot.com/2019/10/hunting-for-filesystem-bugs.html

            remember that people have posted what you're looking for already and if you can learn how to help yourself, you can ignore the majority of the morons and idiots.

          • 2 weeks ago
            Anonymous

            https://web.archive.org/web/20200215060101/https://sandboxescaper.blogspot.com/2019/12/chasing-polar-bears-part-one.html

            https://web.archive.org/web/20200204163406/https://sandboxescaper.blogspot.com/2019/10/hunting-for-filesystem-bugs.html

            remember that people have posted what you're looking for already and if you can learn how to help yourself, you can ignore the majority of the morons and idiots.

            Anon Delivers.

            I'll get to reading those links right away.

            My contribution: About the CISSP, there's a practical portion after you take the exam, so it assumes you already have a job lined up. Only take CISSP if you're already in some kind of job and your employer wants it.
            That being said, you can study for it on your own and pass the exam with about 3 weeks of study, 1 hr a day (this was my schedule when I got the CISSP cert)

            Also, in no way did the CISSP help me with job hunting after attaining it. Still job hunting here.

  2. 2 weeks ago
    Anonymous

    idk sounds pretty vague
    how do you envision yourself, are you looking for a job?

  3. 2 weeks ago
    Anonymous

    certs are fake and gay

    join a team and win a ctf

    • 2 weeks ago
      Anonymous

      This, i got my first job as a cybersec exec for a bank because i won a dgse (French equivalent of nsa) ctf.

      • 2 weeks ago
        Anonymous

        How do you find these, and more importantly, how do you train for them?

        I've read around 60 writeups for the various gimmicks needed to get through different parts of CTFs. Walkthroughs and then going through the motions myself didn't leave me with much of an impression.
        Felt like it didn't teach how you know what to do at any given point, and shit felt like I'm just going through the motions of a digital Macarena.

        How'd you train?

      • 2 weeks ago
        Anonymous

        (Sorry if I came across as blunt. Please be patient, I'm autistic)

        How did you find other people or otherwise network to become part of a team?

        How do you get connected and train together with others? I'm totally blind to the communities that are "just out there, bro, trust me".

  4. 2 weeks ago
    Anonymous

    Well, to get those certificates you gotta have a lot of experience with computers (im talking autistic hyperfixation) and a solid motivation, DO NOT think like Elliot because you'd think you're bad at CS, a field where no one is good (except for terry davis), so If you want to start, you gotta get familiar with Linux, Networking and learn a good language like C or

    • 2 weeks ago
      Anonymous

      Yep, I went to college for CS, it's just that I have become annoyed at being a frontend dev, and being a backend one is not any more fun.

      In frontend the main complaint I have is needing to interact with the clients. In backend I might actually be better off, but some of the tech stacks are fricking bad and I would rather do something else tbh.

  5. 2 weeks ago
    Anonymous

    Security Engineer, 10yoe.
    1. What role do you want to do?
    2. What do job postings for that position require?
    3. Look up the words you don't recognize
    4. Look for and speak to someone working in the industry. Learn the reality of it. (Speak to more than one person)
    5. Decide if you still want to do it.
    6. Skill up for the specific position/subfield you'd like to work in.

    CISSP is for managers.
    CCNA - Why?
    CCNP Security - Why?
    Do you plan on securing cisco devices?
    Also, google gruyere, so web app sec?
    Like dude, you're going all over the fricking map.
    WebAppSec is different from netsec which is gonna be different from OS security/platform security focus.
    If you want to learn webappsec, look up the burpsuite academy and OWASP.
    Improve bash/linux: overthewire.org and linuxfromscratch.org

    • 2 weeks ago
      Anonymous

      >CCNA - Why?
      >CCNP Security - Why?

      Mainly because those are the certs that the HR people filter through when reading resumes. Those are the ones I have seen in posts related to Infosec.

      Going into webappsec is something I would want to learn on the side, not as the primary aspect of my learning.

      As for Linux, I might also consider taking certifications from the Linux foundation at some point. Same principle, many times I do not speak with fellow Engineers on the first interview, but rather some HR person who only knows how to pronounce tech terms and even then, barely.

      • 2 weeks ago
        Anonymous

        What do you want to do?
        Are you just telling yourself you're gonna be mr hackerman?
        I literally get paid to hack for a living. What do you want to do? I'm happy to answer your questions or give you advice.

        • 2 weeks ago
          Anonymous

          As for the question I made on the OP? I just wanna get certifications to move more into an Infosec post.

          As for personal achievements, I wanna get better at networking and network security, as to be better at it.

          I would not mind disregarding any paperwork route, because to me they are just glorified nobility titles, however I do want them out of pragmatism, to get better job offers.

          • 2 weeks ago
            Anonymous

            I am asking your destination. You are saying 'I want to go to Alaska', I ask 'What city?', you say 'a city in Alaska.'
            You honestly sound either ESL, dumb, or a highschooler.

          • 2 weeks ago
            Anonymous

            I do not know exactly what you wanna know more specifically. I do not know exactly the field to be more specific. I wanna focus specifically on network security, pertaining to the physical switches and routers of a network. However I would also want to get a better understanding of the application layer level hacking. Is that specific enough?

          • 2 weeks ago
            Anonymous

            Honestly, no, but it does confirm you have no idea about most of this stuff.
            Let me rephrase my advice.
            I would first recommend learning more about the field as a whole. That will help you understand how large it is and how small of a section a role would occupy.
            Secondly, when you say network security pertaining to physical switches and routers, that to me implies also that you're not that familiar with networking, as to my limited knowledge, enterprise networking gear is going more the way of whitebox switches, https://www.reddit.com/r/networking/comments/s8t683/please_tell_us_about_your_white_box_setups/
            If you're looking for SOHO/smaller networking, or larger-scale networking, then you're no longer looking at the security of the device itself, as that's going to be manufacturer largely.
            You have limited control over the software running on the switch/router and therefore are basically at the whims of the manufacturer.
            If you're looking at networking protocols and security thereof, I would recommend the network+ over CCNA. Cisco can burn in a fricking fire, and over half of it is dedicated to cisco specific stuff.
            When you say 'application layer level hacking', I am both astounded and confused. You are either a great troll in which case 10/10 or legitimately out of your element by a fricking lot.
            Like, that isn't just web apps, that would include everything from the fricking BIOS to a React application. Again, congrats if you're a troll. Otherwise, read some more books and stay in school

          • 2 weeks ago
            Anonymous

            I do not know exactly what you wanna know more specifically. I do not know exactly the field to be more specific. I wanna focus specifically on network security, pertaining to the physical switches and routers of a network. However I would also want to get a better understanding of the application layer level hacking. Is that specific enough?

            ( TL;DR Any recommendations on practical hacking labs? )

            OP may not have a clear idea, but how about web app pen testing in particular?
            I have a lot of familiarity with web dev, kind of like OP, and being able to read HTML and JS has helped in a couple of CTF labs.
            But outside of over-the-wire and the bunk-o garbo on Try Hack Me, I don't really see any opportunities to learn about the process.

          • 2 weeks ago
            Anonymous

            OWASP and portswiggers webappsec labs
            https://portswigger.net/web-security
            https://owasp.org/ & https://owasp.org/www-project-web-security-testing-guide/
            That will cover the foundations and is good enough to land you an entry-level/jr/mid(with other experience) job as a webapp tester.
            Someone comes in, they have the portswigger training, can talk the talk and show competency is a solid entry-level or jr-mid level hire (in regards to skills for the webappsec)

            How do you find these, and more importantly, how do you train for them?

            I've read around 60 writeups for the various gimmicks needed to get through different parts of CTFs. Walkthroughs and then going through the motions myself didn't leave me with much of an impression.
            Felt like it didn't teach how you know what to do at any given point, and shit felt like I'm just going through the motions of a digital Macarena.

            How'd you train?

            CTFs are puzzles. They aren't meant to be instructive guides (as much as people say they are). They're more for refreshing or exposure to things and then dumping hours into them to figure them out.

            I feel like I'm taking crazy pills when people say this shit, and seemingly forget there's an entire fricking discipline dedicated to understanding and improving how people learn. How many ctf hosters/challenge designers do you think have spent studying pedagogy?

            (Sorry if I came across as blunt. Please be patient, I'm autistic)

            How did you find other people or otherwise network to become part of a team?

            How do you get connected and train together with others? I'm totally blind to the communities that are "just out there, bro, trust me".

            Literally follow infosec conversations on twitter, find companies that give talks, a good entry point could be black hills infosec, they have a community that's open and welcoming.

            Demonstrate you're worth other people's time by bringing something to the table when you strike up conversations with people/ask to join their teams.

          • 2 weeks ago
            Anonymous

            this and learn Networking, many ppl skip this and get surprised if they don't get anywhere

  6. 2 weeks ago
    Anonymous

    homie what is this shit plan.
    Just do tryhackme/hackthebox then go from there

  7. 2 weeks ago
    Anonymous

    Have you considered nepotism?

  8. 2 weeks ago
    Anonymous

    Learn Rust for Christ sake

    https://lngnmn2.github.io/articles/like-haskell-but-imperative/
