We're a group of InfoSec professionals (hackers, cyber security experts, etc), hoping to share our experiences, and inspire new people to enter the field, Ask us anything!

Hey. Thanks for doing this AMA, it’s very helpful :). I have a couple of questions:

1. What subject would you recommend for a beginner? Assuming he knows the underlying tech (e.g. android development concepts for android security, C for memory corruption, JS and Node for web), what subject is the most beginner friendly, yet applicable these days? For example, I believe kernel security is not a field to which it’s easy to start.

2. Is hacking harder these days to get into than before? Since tech and security awareness has increased, is it harder for newcomers to start?

3. How could you practice when you started? How can one practice before he is proficient enough to be hired as a security expert? I’m not talking only about old, well known vulnerabilities, that can be practiced in wargames, but the practice of finding real, modern and relevant ones.

4. Do you feel that the security community has changed? If so, how?

5. What are some communities that you’ll recommend for learning, progressing and consulting?

Again, thank you!

1)What path would you recommend for someone who wants to pursue a career in something Cyber security/Ethical Hacking related.

2)For someone with zero experience,and wants to get their foot into the field(Something related to Information Security) what certificates would you recommend for a beginner?

B: https://www.amazon.com/Basics-Hacking-Penetration-Testing-Second/dp/0124116442

This book was my bible

1) Watch CSI Cyber - kidding. Read...read...read. Stay current and know and understand the basics. Build on a strong foundation of understanding OS internals; learn how to code in C than go to Python, but understand it and not superficially. If you are a student and are preparing for university, look for a credible Cyber Security program, but also put the time in and explore on your own.

2) Certifications are not for everyone and some may not find them to be credible, practical, or relevant; however, there are a few that are strong and those are the certs that test your practical understanding of the subject matter, such as the OSCP or some of the SANS training offered for our field.

You've mentioned several times that you suggest practical, hands-on stuff rather than certifications. Like some of the other users posting here, I'm currently:

• Studying for my Security+ Certification
• Actively playing wargames and CTF
• Going to security conferences
• Playing with Kali on vulnerable virtual machines
• Learning C, Assembly and Python
• (Trying) to contribute to open source
• Looking for internships
• Creating virtual machine networks and hardening them

Can you help me add more to the list? I'm studying and reading all the time and doing the things above, but I'd like find more ways to gain practical experience. What's the next step?

We actually don't have much to add to that, because that list is pretty comprehensive! Just make sure you follow through!

Many hacking/netsec subReddits seem to recommend breaking into infosec by becoming a pentester. My impression is that this specialty represents a rather small (though undoubtedly sexy) slice of infosec employment. Do you agree?

What infosec specializations seem to be currently in demand relative to the number of qualified job-seekers?

J: I joined a security team by being interested in security. I was on a devops team and anytime I saw something that appeared to be a security concern I brought it up with our security team. I then later joined the team when they had an opening. So, depending on the company, one way you can break into the field is by being interested in security and working closely with the team. What sort of security role you move into will depend on your skills.

B: Offensive Security is undoubtedly one of the 'sexiest' fields in security. It is incredibly important, but mind that a company is more likely to hire a Blue Teamer (defensive security) than a Red Teamer (offensive security), and as there are more MegaCorps than consulting firms that's something to be aware of.

Specializations in Demand: Honestly, the whole fucking thing's in demand. Blue-Teamers that can double as sysadmins/IT professionals are going to have the best shot, but they're also going to have the shittiest time - they'll have to pull double duty, but they'll also have twice as many people clamoring for their skills. Plus, as you noted, everybody wants to Red Team (to be fair, there's nothing quite like the rush of popping a box) and nobody wants to work on firewall management and outbound filtering and asset inventory. The trick is to look at it from your potential employer's perspective: they want someone who can provide value and not just somebody who 'does the fun stuff.'

What are the 3 most common security best-practice fails you see on a regular basis?

Most common fails: Configuration management - lack of automation - lack of understanding of your assets (inventory) and how critical they are to your business.

"and cut bad guys off at the proverbial knees. "

Can you elaborate on this?

W: One of the most satisfying feelings in incident response is watching the bad guy moving from machine to machine looking for treasure, and once you understand their objective and methods, killing their connection and giving them a bad day.

What's the deal with those "cyber security" degree/certification programs? How many people that come out of them are actually qualified?

B: I came out of one of those. Guy I graduated with didn't know what netcat was. Other classmates work at google, facebook, have started their own business.

You get out of it what you put in.

J: It depends on where you go, how much love and effort you put into it. Look at National Centers of Academic Excellence in Cyber Defense https://www.nsa.gov/resources/educators/centers-academic-excellence/cyber-defense/

Hey thank you for doing this AMA. first year computer science student here.

You mentioned all of you have had a passion project/white whale. Who of you would you says has the most interesting/weird one? What was it exactly?

W: I got my start uncapping cable modems, and decoding free to air television. Everyone has a little miscreant in them.

So, I've been wanting to get into learning a language, and I don't know which one to pick. Do you guys know which one I should? (I mean programming language, in case any of you feel like getting smart)

Start with C, take it from there!