We are hackers and cybersecurity experts with years of experience in the cyber field. Ask Us Anything about cybersecurity careers and pathways!

How can I convince my relatives that things they say in front of my Alexa is not making ads pop up on their Facebook?

Jen: You can't, it's a lost cause!

Bob: Generally speaking, it's almost impossible to change minds for these types of beliefs. Folks have their own confirmation biases and our brains are wired to make correlations/causations (which are usually wrong).

How does someone train in cyhersecurity? How does one become a hacker? Do you learn programming and then what? And how do you you fix bad security over lots of accounts that you have mostly forgot you have ever had or used.

Bob: There are diverse pathways into a career in cyber. You can, now, go to university in a cybersecurity career path all the way to PhD if that's how you learn best. You can get into systems administration or coding and start incorporating cybersecurity-specific specialities into your daily routines until you have a solid skillset in those disciplines and then specialize in IT operations security or application security. If you like to take things apart to see how they work, you can do the same for computers, applications, or all of the IoT devices proliferating into our lives and work over towards a pen-test career.

Bob: With regards to fixing bad security across many online accounts there are sites like "just delte me" (https://backgroundchecks.org/justdeleteme/) which can help you identify old accounts so you can then login to them (or delete them) and manage your settings.

Allan: There is a famous quote (at least according to Sister Act 2 - where I get all my wisdom) that says if you write, you are a writer. The same thing applies to “hacking.” If you hack things, you are a hacker. I don’t mean breaking into networks and doing anything illegal, I mean if you enjoy taking thing apart and understanding how they work or how you can make them better or put them to different use you are hacker.

Allan: As far as fixing bad security over your existing accounts, take a weekend to go back through every one you can find and fix it. You will, inevitably, miss some. But, honestly, that sets you up well for a life in security. No network or organization is pristine and you will always be cleaning up things you missed.

James: There isn't "one path" to train in cybersecurity. The field now is large and encompasses many different skill sets and disciplines. My advice is to focus on the areas of knowledge where you gravitate. Follow your passions, then explore the security implications of that domain of knowledge. Think about how things can break, and explore that thread until you understand the security implications of things breaking.

You see those hackers who hack unhackable things such as presidents social media accounts, banks, and playstation network back in the day, how do they do it and what makes other ‘hackers’ unable to do it too?

Allan: Nothing is unhackable as long as there is technology and people behind it.

Jen: Clearly these things were not unhackable. In many cases it comes down to one of two things - either there is a bug or vulnerability in the system that can be used to gain entry, or, more likely, there is a human that provides an opportunity in. For example, I'm pretty sure the president's social media account was easily accessed because he didn't have a strong password or a second factor of authentication. For the others, it's likely someone was phished and that gave attackers a way in.

Bob: Lots (most) of those "hacks" were phished or guessed credentials. Most folks aren't great at socially engineering others or running tools to crack passwords.

Are there any important non-technical skills in cyber security? Can someone without IT knowledge/experience work in cyber security?

Bob: We desperately need better communicators in cybersecurity as well as experienced project managers, program coordinators. If you are good at training/educating or building materials for those areas, that is also a viable cyber career path (and, another desperately needed one).

Jen: Hi, I am not at all technical. I actually think my cat may be more technical than me. But I still somehow ended up being roped into this AMA and helping to chair the Ransomware Task Force. There are all sorts of non-technical jobs in security.

You will need to learn about the security domain, but that's true for any area you choose to work in, and you can do it without being hands on with the technology. The important thing is talking to people and asking questions, which you are already doing.

Marc: I started in Cybersecurity after studying Genetics and Spending 10 years as a bouncer in Manchester. I have no formal "degree" in cybersecurity, but have done pretty well if I don't say my self. At the end of the day qualifications are great but experience trumps everything. if you are passionate, build your domain knowledge and keep working on your skillset cybersecurity is open top everyone.

I have seen people transition out of military service straight into cybersecurity, and even out of archaeology into cybersecurity. They all had one thing in common a passion for the end goal amnd dedication to build the knowledge and skillset.

Allan: Yes! Writing and communication are so important. It is not enough to have good security ideas you have to be able to effectively share those ideas. Also, people withy backgrounds in specific sectors are critical. We can’t properly secure, healthcare facilities, for example, without having people who understand the unique set up of healthcare networks.

If a hacker were to steal 600million in cryptocurrency - but returns it - how much trouble do they get in?

Asking for a friend.

Allan: Theft is still theft. That question should probably be directed to your favorite lawyer though.

Jen: Oof, well that would depend on a lot of additional contextual information. I agree with Allan, you probably want to direct that to a lawyer and if you don't know any, maybe the EFF lawyers could help.

Jen: Also, stealing and returning money is probably not the easiest way to get yourself noticed for a career in cybersecurity ;)

James: Hahaha! Kudos for the great and timely question. It's never good to steal, but it would be better to return it than wait to get caught. Judges and prosecutors may be inclined to be merciful should the assets be returned.

I am into n a Network engineering role but I would prefer to be more security focused. Ideally doing something like malware analysis or reverse engineering. I am definitely not a programmer and really struggle with writing tools. Is there still a need for that old school skill set or has it been mostly automated away?

Thank you.

Allan: Have you tried analyzing any malware? Places like MalwareBazaar (https://bazaar.abuse.ch/) make samples freely available (use at your own risk, don’t infect yourself). You do need to understand how the underlying operating system works, what the calls are doing. There are a lot of great tools that automate much of this, but if you don’t understand what the tool is telling you it is easy to misuse it — I have seen a lot of bad malware analysis done this way.

Bob: Both malware analysis and reverse engineering require deep knowledge of low-level programming concepts and also how operating systems work. You can definitely learn those skills (even if it feels like struggling), but you may be better off building on your existing skillset. There are so many pathways into network security and many specializations there that do not require coding (or only require minimal scripting capability). We desperately need more network security folks, too!

James: Malware analysis and reverse engineering are still both very much in demand. There is some automation in this space, but most of the automation is more aimed at classification and categorizing things, not understanding new and emerging techniques, tools, campaigns, actors, and the like.

There are still several security needs in the network operations space. If you come from a networking background, this may be a more direct transition. Understanding networking well will be a genuine asset to you in the cybersecurity space. This is a much needed skill too!

Jen: There are definitely still opportunities for careers in these areas. Lots of companies have security researchers working for them, either inhouse or as a paid-for service. Or some people go the independent route and participate in bug bounties and competitions to make a living off these skills. You can maybe look into some of those opportunities to start building your experience and skills while keeping your day job.

One thing though - always check the legal situation! If you own a device and are reversing it in a non-production environment, you should be OK, but I'm not a lawyer, so you should check out the rules for yourself. Most bug bounties and competitions will provide boundaries for what is considered acceptable.

Are there any bountie programs you would recommend? Most of the ones I've seen are web application focused.

Jen: I don't have anything specific in mind, but maybe reach out to some of the main bug bounty companies to see if they can point you towards some (Bugcrowd, HackerOne, Synack). I know the US military has run some bounties and competitions that have been more device centric (e.g. Hack-a-Sat), but you probably want to work you way up to those kinds of things or find a CTF team to join.

I'm currently pursuing a degree (minor) in "cyber security applications", but do you have any recommendations for courses or certifications I should be working towards on the side? So far my coursework doesn't seem programing heavy (just finding out hash, imaging disks, etc so far), but it seems like to get a decent paying job you still need to become proficient with programming.

Bob: W00t! The first opporuntity to pimp CyBOK (Cybersecurity Body of Knowledge) — https://www.cybok.org/. They have great information on various areas, including application security. SANS (sans.org) has some decent courses on appsec as well.

Jen: I really love Bob's enthusiasm for CyBOK, and I will echo his recommendation. Plus, I agree with what Allan said. Again, I'm not at all technical and I do just fine working in security.

Know what your strengths and interest areas are and focus on building those. Be honest about the stuff you're not so great at and if it doesn't interest you, focus on roles that don't require it.

Allan: That’s a myth, and I wish it was one we would stop promoting as an industry. You don’t need programming experience to work in cybersecurity. I am a crap programmer and I have managed to survive. Progeramming is a good skill to have, but it should not prevent you from getting a job.

Bob: Aye (Re: what Allan said). You don't rly need programming skills even to do application security evaluations. Just the ability to follow application workflows and configurations plus ask good questions

Marc: I have the worst programming skills. I can read code because that became useful at one point, but did pretty fine without it. there are very few things you "absolutely mist have" in order to do well at cybersecurity. As far as I am concerned all the best cybersecurity professionals have the following in common.

• A Passion for the career / Discipline
• willingness and dedication to work at building out the skills
• Inquiring or hacker mindsets - willingness to challenge the norms, to understand how things work and how they don't work.
• an ability to express the complex in simple terms so they can be understood by other people.
• Ethics.

Everything else comes out of these core areas. Yes there are jobs that REQUIRE specifics and you will have to learn them to get into those jobs, but they are job specific needs due to a company's chosen path, not requirements to be a good practitioner.

Plenty of information available on getting into pentesting, but very little on what skills and knowledge will take a junior to senior/lead. Any recommendations?

Bob: The ability to communicate technical findings into something material, understandable, and actionable by the recipient is a must for higher-level roles (well, in a decent pen-test org, anyway). Being willing to mentor other junior folk is also a sign of being ready for senior, as is not resting on existing knowledge and continuing to learn new aspects of the trade.

A "lead", by definition, is a leader of others, so developing soft skills to help others be successful in their career paths and being able to do "systems thinking" will be a sign that you're ready for a position like that.

Marc: Pentesting is easy to get into buy hard to do well.

if you want to be good at pentesting you should decide what parts of it you like, for example Application focused pentesting is an entire discipline in its own right. If you want to be more the sort of generalist who walks into a bank and gains access to the ATMs then you are going to need to develop a skill for analysis. Step one is reconnaissance - understand how everything works and how it hangs together. Learn to find the whole of the attack surface - especially things people don't consider to be attack surfaces. I have owned supermarkets via EPOS (cash register systems) especially using barcode scanners or RFID tags. Lastly you need access to (whether its in memory or elsewhere) a really good database of tools, vulns and techniques. When I was pentesting I would spend a lot of time wargaming theoretical scenarios, playing with things like Damn Vulnerable Web App to keep my skills sharp and relevant.

Last you need to have confidence and passion. The best pentesters can do half the work by walking into a location and looking like they belong.

its a really fun career but there are two many push button pentesters and you need to stand out from them. A secret skill I think that helps is to also be able to give the client a broader set of guidance. So instead of just saying I found X ways in and did Y, to be able to guide them holistically to a more secure position.

What are some of the skills expected or required from a student who has just graduated? What to expect during the interview? Any tips on looking for a job in this field?

Marc: As above, it really depends on the role. When hiring I expect my junior roles to have a good grasp of the basics. how things like DNS works, how the internet as a whole works. I expect you to show you stay current with cybersecurity knowledge - the top breaches and most relevant vulns etc. Next i will dig into the role specific knowledge. Every role is different and most require a baseline of a particular set of skills or demonstration of aptitude to learn them.

Last I want to see if you can think outside the box - often with very hard or impossible questions. It also helps me see how you respond under pressure.

Bob: It rly depends on what you want to do. Cybersecurity careers are in the moderately- to highly-specialized categories these days and — apart from immense curiosity, good comms skills, and a willingness to never stop learning — there isn't a "universal" bit of guidance. You should look for positions that "scratch an itch", be honest about your current skillset, and ask how willing the organizations is to ensure you have opportunity for training/education/mentoring.

Would you recommend HackTheBox or TryHackMe for a complete beginner? What skills should I seek to develop in order to utilize these sites effectively?

Bob: I'm more familiar with HTB and their resources run the gamut from beginner to expert, and they provide pointers of where to look for resources to accomplish the tasks.

Marc: I consume all of them personally. Find the one you enjoy most and stick with it.

What all skill sets and knowledge should I have to get a entry level job in Blue team, SOC L1 or Incident response?

Bob: "blue team" covers a ton of ground. If you want to be in incident response, you will need a basic understanding of how to triage events/alerts, which will include knowledge of the operating systems that a particular organization runs as well as basic networking concepts. You can run Snort/Suricata/Zeek at home to begin to get a feel for what this looks like as well as run through labs over at CyberDefenders (https://cyberdefenders.org/labs/).

Marc: Basic Knowledge of how everything works is foundational. Next is understanding what best practice looks like for the environment you will be working in - or if pre job what common best practices look like. Then you should understand the common threats and learn how the best practice controls mitigate them, Learn how to monitor those controls and how effective they are.

Last know that everything breaks. learn about threats that may break through, how to detect them and what the appropriate responses are. Be prepared. be calm, be reactive. having a passion for understanding automation and the evolution of defensive technologies is a big bonus that will carry you further.

Is it normal for a device to change its name on the network?

Marc: Identities are fluid. In all seriousness it depends on the environment. in a rigid corporation environment probably not. in a public network expect the unexpected.

Bob: That depends on how you are identifying a "device" and who has the capability to change "device" attributes.

James: This is device and network dependent. I don't think we can answer this question for you. This is a question to answer about your environment.

Always pay attention to your "spidey sense". If it doesn't seem right to you, explore the incident and see what you can learn about what happened.

[deleted]

James: These things are most commonly found on red teams. Look for "Red Team" and "Penetration Testing" or "Penetration Tester" in the job title. Sometimes these functions fall under "Security Researcher" sort of jobs as well.

What software antivirus and firewall do you recommend? Also, is Kaspersky to be trusted?

Allan: What Bob said. The most important thing is that you keep your AV updated. I like BitDefender, but use what you are comfortable with.

Bob: The one you'll use and keep updated. For Windows, I'd just double down on the MS security ecosystem (which is technically "free").

Marc: I was just going to say this - one that works. Firewalls are a little overrated, but we have focused on them as an easy tool to accomplish things that can be done in other ways. Having those things accomplished makes you safer (separation of networks, services, systems, filtration and authentication of access and so on). however you achieve these is the right answer.

the one caveat I would bring is if you chose to use a device make sure it will be well supported that it doesn't have a history of being pwned and that the company who builds it will support it for long enough to e useful. There is nothing worse than making your front-door out of a technology that then has a dozen unfixable holes in it.

Marc: The same goes for AV, pick one of the ones that come out on top in things like AVTest. don't get too hung up on features and instead focus on the core functionality. Does it catch malware, does it catch it fast and does it catch stuff thats relatively new. The last consideration is does it turn your computer into a slow block of concrete. over resourceful AV you cant live with isn't going to be something that helps in the long run.

Thank you for the answers, but what about Kaspersky? Are they to be trusted or not?

Jen: I can't tell you whether you should trust Kaspersky, but I can say that they were one of the driving forces behind the No More Ransom Project, which provides free decryption tools to ransomware victims. The project is backed by Europol and has ~170 partners, including law enforcement around the world. I assume the US government had valid reasons for the action they took against Kaspersky, but I similarly assume Europol did their homework before partnering with them.

So I don't know what to make of Kaspersky, but I can definitely tell you that the No More Ransom project is an AMAZING resource for anyone worried about ransomware: https://www.nomoreransom.org/en/index.html

Jen: It's also worth noting that, depending on who you are/what you do, you may not have the same threat model as the US government.

Marc: Just like Jen, I cant comment on the action taken by Governments against Kaspersky. What I can say is I count many of the GReAT team as close colleagues who have worked with me to take down some pretty significant threat actors, who have produced amazing research and who have contributed massively to the cybersecurity community and industry.

Do I trust Kaspersky? Yes I trust them about as much as I trust most other AV software that has direct privileged access to my systems. I take precautions with all of them and have yet personally to see a reason why Kaspersky is any worse than many of the others.

Allan: The team at Kaspersky has done great research over the years. They have been at the forefront of trying to stop ransomware. I would absolutely use their AV on a home network.

Marc: As for their AV engine, it is consistently one of the most effective, picks up malware earlier than many of the others and has never caused me performance headaches.

ultimately you are going to have to make choices based on your personal circumstances. if you work with an org that has dealings with $gov and $gov doesn't like Kaspersky you WILL have to take that into account. that just the nature of geopolitics and doing responsible business.

James: Not all risk profiles are the same. When assessing questions like this, it is helpful to understand who you are, what organization you represent, and who might be interested in targeting you specifically.

If you exist above the "of interest to nation states" level, then understanding how your supply chains may be used by foreign adversaries to accomplish their goals becomes relevant. This has nothing at all to do with Kaspersky, but rather understanding risks. You could change the company name to be any vendor in the technology supply chain and the same holds true.

How has the pandemic broadly affected the industry in your eyes? Has the rapid push to WFH increased our cyber surface area more? or has that been countered by renewed attention?
Has the reduction of in-person conferences and kickass Rapid7 parties slowed the free flow of ideas? or sobered up hackers to do more good work?

Bob: The blended-remote and all-remote quick switch in early 2020 broke many things, including baselines of what was "normal" network and application traffic. It made getting visibility into what was happening on endpoints problematic for many organizations, too. Many orgs didn't do a great job setting up VPNs or cloud/SaaS servies, too. The current return-to-office situation has also introduced challenges for similar reasons.

Allan: Collaboration is still very much going on, but instead of at conferences it is happening on slack channels, on twitter and over emails. Most of us believe that working together is the only way we are going to eventually put ourselves out of business.

Jen: For all the reasons Bob said, yes, the attack surface probably expanded, but I also think there was an acknowledgement of that and a lot of organizations tried to take steps to address it. In security its a constant battle to keep up with everything that's going on, all the new techniques and trends, while still defending against the stuff that's been around forever. And all of this in an environment that continues to expand and increase in complexity. All of which is why we need a big party sometimes :)

Marc: Consider how many corporate workers, all the way up to executive level are depending on 5 year old consumer routers as their primary networking device to establish connectivity?

The pandemic forced many companies to pivot without being ready. They had no pandemic plan an so they through plans at a wall and hoped they stick. Now we are overwhelmed with technical debt as those companies retrospectively built out plans that incorporate the new architectures.

Worse they have to adapt existing processes to accommodate the new landscape and attack surfaces like employee homes where corporate data may be residing or transiting for the first time. How do you include that in your pen-test plans? your risk assessment model? Is your GDPR compliance only as good as a 7 year old Linksys router?

James: The pandemic expanded or amplified the erosion of the historic network barrier. This has been happening for quite some time, but with so many people shifting to work and school from home, it certainly accelerated it. It's very critical that modern organizations understand that the whole concept of a network perimeter is changing to be a malleable surface instead of a walled enclave.

Modern security practitioners must look external to the enterprise network to understand threats to their environment. Not all teams have these capabilities now, but those that don't should be looking into how to passively audit all devices connected to their enterprise -- and all networks from which these devices connect.

The reduction in face to face time definitely impacted security for 2020. My own opinion is that 2021 security operations learned the lessons from 2020 and now we have an adapted security operations approach. What got delayed or impacted in 2020 picked back up in 2021, and 2021 collaborative operations benefited from everyone being a seasoned remote participant.

I am currently working in IT helpdesk, have been for a couple years. I definitely don't want to be doing this for the rest of my life so I've been looking to Branch out to other careers from here.

Security is a group I work closely with already and I'm very interested in their careers.

What would be the best way to make the move or things to start thinking about it I want to move into that field?

What does most of a work day look like in the security side of things?

How important is a degree vs certificates in this field?

Bob: IT helpdesk is a great stepping stone into cybersecurity. You likely deal with security issues all the time, even if they aren't phrased that way.

You should really think about what you want to do in cyber since it has many areas of specialty. Some jobs can mean your day is interviewing and assessing the security of potential vendors/partners all day. Others can mean you try to break into systems and networks all day. Others can involve analyzing millions of data points collected from the internet or systems/devices on a network. Picking an area or two that you are really curious about will help you focus learning efforts and also thrive in your new profession.

Bob: Some jobs require certifications and most still, unfortunately, require degrees. I'm not a fan of certifications and rly do not like using a college degree as a "you must be this tall to ride the cyber train". If you're willing to work in smaller shops, demonstrated ability to do good work, be curious, and ask alot of good questions will outweigh any degree or certification requirement.

Having said that, if you want to work in (pretty much any) Gov setting, you will need degree(s)/cert(s).

James: This is a great lead in to security operations teams. Learn from this experience!

Be attentive to two things in particular: what interests you and what excites you? Use these to guide your security learning.

The cybersecurity field is in constant flux. Things change all the time and emerging threats sometimes change your entire day with a moments notice. To be successful and happy, it is best to have a passion for staying up to date in your chosen expertise by reading and researching things constantly. Once you know your passion areas, then find a mentor.

Your security team might have some people capable of becoming a mentor. Get to know the security team, then see if anyone will help you out. If you click well, ask them to become your mentor and help you grow your skills and knowledge.

Allan: I started out on the helpdesk (troubleshooting dial up connections). If you have built a good relationship with the security team talk to them about what you would need to do to transfer over. The best way to get a job is via referral, so if you have allies on that team don’t hesitate to use them. But, also make sure you listen to their advice. If they don’t think you are ready, or think you need more training in other areas do that and let them know you are serious.

Jen: First step - go make friends with the security team. Get to know them and ask about what they do, how they got into it, and what they do to keep up to date. Maybe they have internal programs you can get involved in, or maybe you could shadow them, or they may point you to events or trainings they do that you might be interested in.

Marc: I got my first "proper" tech job on the Ocean Software Helpdesk back in the 90's. The answer is you can start from almost anywhere. I just gradually built out my responsibilities by taking on menial security tasks no one wanted to do until I could say I had been doing IT Helpdesk work - Including the following security functions for X years and went from there. In the meantime I used my time on the helpdesk to build my domain knowledge, understand common problems and risks - and to play a ton of games :)

Does an IT background help with getting into a cyber career? Or would something like programming make me stand out more? I am currently workin in my BA in cyber security so anything you can recommend I would appreciate thanks for sharing the resources.

Bob: I think having some experience in the discipline you want to help secure would be a very good idea. Not only will it give you empathy (a skill lacking in many security professionals) but it will also help you understand why it is so difficult to make services/devices/apps safe and resilient.

Jen: I definitely agree with Bob and James, but I also say follow your interests and your opportunities. If you can get experience in IT, that's awesome, but there are other avenues into security if that one isn't open to you.

James: Domain knowledge in IT or programming are both great starting points for cybersecurity careers. The industry needs people that know how to secure (implementation / operation side) IT assets and build architectures that are resilient.

There is also great need for security aware developers, as well as auditors, architects, and engineers. The vast majority of cybersecurity issues start as bugs in software - understanding and creating more secure methods of developing software to start getting ahead of bugs and problems before they arise is a much needed skill, but it may not be recognized as a need by all organizations and enterprises.

Allan: I actually think experience as an IT generalist is more helpful to security than programming (of course, it depends on which path in security you want to take). For defenders, knowing how the network works is really important.

How useful/relevant is OSCP these days?

Bob: The materials covered in OSCP will absolutely make you a better pentest professional (I'm not a fan of certs, as I've said before, but the concepts outlined in that cert are an absolute must IMO).

Allan: Still very relevant

What certificates do you recommend for computer science students who are interested in cybersecurity to get before they graduate?

Katie: I actually loved studying for certs because I'm a freaking NERD. Infosec is so broad and studying for certs helped provide structure for my learning! I would start with SEC+.

Bob: That depends on if you are dead set on getting into a position that requires a certification. Curiosity is the most important trait you can have in cybersecurity IMO and a certificate doesn't mean that an individual has that curiosity gene.

Bob: If you are still set on getting one or more certs, they should be in areas you like/are passionate about. You won't thrive as an individual if you are just checking boxes.

Marc: Start getting as hands on as you can with cybersecurity domain knowledge. Take classes that teach you how things work, take classes that show you pieces of cybersecurity knowledge. whitch current videos from hacker conferences - be careful to choose those at your level.

If you can do some of the certs like work to CISCP or SEC+ while these dont make you a better cybersecurity persom they allow you to built the knowledge base that helps as a foundation and make it easier to get entry level cyber jobs as soon as you graduate.

go to as many cybersecurity meetups as you can and integrate into the community - this is the one biggest benefit I see helping over and over.

What skillsets are most in-demand in the cybersecurity industry? Pen testing? Malware analysis? Controls and policies? Communication?

Katie: I always have the hardest time finding experts in cloud security, application security, and engineers who can automate all the things. Generally because of ye olde supply and demand the salaries for those roles are $$$$$.

Bob: Every. Single. Skillset. is in high demand right now. Pick an area you are passionate in and dive in!

Marc: All skillsets are important. A general baseline of as many skills at a low level will help you dabble and choose what resonates best with you. Try to avoid specializing too early unless you really know what you are passionate about.

James: Bob called it! There is tremendous need for all domains and skill sets! Pursue your passion, then find your place. I also agree on Marc's point. Specialization is best to delay or defer at first. The general concepts and basic understanding will be invaluable for a career in this field.

I'm about to graduate college at the end of the year with a BA in MIS. Next semester I'm taking a cyber security course but all of my classes end up being about broader ideas rather than learning in depth skills. Needless to say, while I know a lot of concepts in business and IT, I don't feel particularly adept in any specific skill as there wasn't much real world skill training. As someone who is interested in cyber security, is there a program or tool I could learn in my spare time that is used in the real world to prepare myself? Thank you!

Bob: If you like pentesting/poking at apps/services, you can learn at home! https://docs.rapid7.com/metasploit/setting-up-a-vulnerable-target/ (this isn't a plug for my employer either, it just happens to be a great resource).

If you want to be on the defender side ("blue team") CyberDefenders has a series of labs — https://cyberdefenders.org/labs/ — that lots of folks (including me) post walkthrough to online.

There are loads of free training videos from many security conferences online. A quick search will help you find video tutorials for almost any subject.

I work in Cyber Security after 6 months in a help desk position at a smaller company. I was in hospitality management for almost 20 years. I got the opportunity because I was passionate and truly enjoy what I’m doing. As an analyst wanting to move to engineer, I have so much knowledge to backfill such as networking. I luckily have a great support system but have so many gaps that i find myself in “no idea what this means” moments, any recommendations on best need to know subjects/course that will help in that?

Bob: I'll double down on my CyBOK — https://www.cybok.org/knowledgebase1_1/ — recommendation. That should provide areas to explore in-depth.

You should also consider finding a local cybersecurity group (BSides are everywhere — http://www.securitybsides.com/w/page/12194156/FrontPage) where there will (more than likely) be folks willing to mentor in specific areas so you can go deep to shore up any knowledge gaps)

Marc: See my comment above about starting from helpdesk. I started from helpdesk. the only thing that defines where you go is you.

James: Hmm... it's not clear to me at what level your "no idea what this means" question sits. If it's basic knowledge in an off-expertise area, then learn it as you need it and/or encounter it. If it's specific knowledge about a threat or technique, then you have to learn those as you encounter them.

It's important to remember that what defines expertise isn't having all the answers. It involves an understanding of where your knowledge stops, being forthright and owning your ignorance, then talking with peers / colleagues / experts or researching it on your own to get the answers. Don't count yourself out because you don't know X, Y, or Z. Learn things as the need presents itself, and you'll be doing the same thing all the experts on here do every day.

[deleted]

Katie: Yes! I just hired someone for our security team who started in IT audit! She learned a ton from her time in that role - it was extremely valuable to see how the various organizations she audited successfully (or unsuccessfully) tackled all sorts of security problems. A lot of auditing organizations offer advisory services as well, so if just testing the controls gets old, you can help coach clients on how to build solid security controls/programs.

By the way - don't forget to counter the first offer you got. As third party risk has gotten more attention, more organizations are demanding to review security audits/attestations from their vendors before they will purchase, so the demand for auditing services has skyrocketed. These auditing firms can't hire fast enough! If they have a standard entry level salary, you might consider asking for a signing bonus.

Bob: IT Audit is a great area to jumpstart a cybersecurity career provided you don't just "phone it in" (which is far too easy to do in such a role). You'll be asking questions about controls and getting answers, but if you take the time to dig into why the question is being asked, you'll find many rabbit holes that will fill in technical knowledge.

Most IT auditors also never ask to "play" with test environments. You should! Most teams will gladly let you (so you can also feel their pain) and then you can hands-on experiment with concepts and settings to get in-depth product knowledge as well.

Jen: Yeah, as usual, I agree with Fast Typing Bob. You'd get a great view of the IT ecosystem and how things work (or don't) together, and what the processes, policies, and human factors are that play a role. That is a great foundation for working in security.

James: Absolutely. IT Auditing would be a very natural lead in to several disciplines within cybersecurity. Follow that path if it interests you!

How am I supposed to learn about network security without looking like a hacker trying to cause trouble?

Bob: You can practice in virtual environments on your desktop (or even a raspberry pi). Attacking a live site on the internet without permission or poking at an internal employer/school network without authorization is usually a criminal offense in most regions.

James: Set up your own lab environment and play with it to see what you can do. Keep the scope of your activities to systems you own or have permission to target only and you'll be fine. Crossing over to systems that you don't own or don't have permission to target is where you cross the legal line in most jurisdictions.

For networking devices, look for virtualization platforms that allow you to install local copies of the same code on commodity hardware (or VMs / VPSes). If you really want to play with the real hardware, look for some used older generation models on Ebay or other secondary markets.

Marc: +1 to whats been said above.

learn to build networks in their many glorious intricacies. Look at reference models and architectures released by companies. while you cant get high end networking gear its possible to get hold of older gear for "labs" or to build virtual environments. You can get a LONG way like that. certainly enough to build a really solid foundation. once build look at how to break them, how to detect the break and how to fix them.

do the same from a cybersecurity perspective. try out DNS poisoning, ARP spoofing, IP spoofing, DOS and so on. building the appropriately flawed networks will teach you a lot as will doing the exercises.