Succeeding in Cyber Security
Where to start?
In the past year I have seen quite a few posts asking for advice on where to start when breaking into the cyber security field. Some of the people already have a degree and/or certifications, while others may just be graduating high school. To all of them I say the same thing: you need a starting point. There are essentially three types of cyber security work you can pursue: GRC (governance, risk, and compliance), offensive (penetration testing), and defensive. Knowing what to study and research is half the battle; the rest is having a passion for what you are doing and pursuing it even when you aren't yet in the job you truly want. Do keep in mind that a high-level knowledge of all three fields is a must to be truly successful in any one of them.
GRC deals with the business, regulatory, policy, and administrative side of cyber security. When entering this field you should have at minimum a Security+ certification and possibly a Bachelor's degree in cyber security. Researching federal regulations and cyber security frameworks can further prove your worth to a prospective company. By all means, you do not need to know every framework and every regulation or policy word for word, but being able to touch on the high points and explain how they affect the company you are interviewing with will show that you are willing to put in the work to know your industry.
Some of the policies, frameworks, and regulations referenced most often in industry are NIST, COBIT, ISO 27001, PCI DSS, and HITRUST. The organizations you are interested in will dictate which of these you should research more heavily, especially before an interview. For instance, if you are looking at organizations that accept credit card payments, such as banks and retailers, then a fair bit of knowledge of PCI DSS and how it affects the company will prove you know what you are being interviewed for. On the other hand, if you are looking at hospitals or health insurance companies, then it would be more beneficial to understand HITRUST. On top of those, understanding NIST, COBIT, and ISO 27001 at a high level can help leverage you into almost any job.
Finally, you must have good business sense. Understand that, although security is important, businesses still need to make money, so the network must keep functioning. It is a well-worn saying in the security world that the only truly secure computer is one with no connection to the Internet, buried six feet underground in an area surrounded by concrete and lead. For businesses this is simply not feasible. As such, you need to be able to guide a business in a way that secures its network while still allowing the company to function. Be aware of the return on investment (ROI) of your security products and your personnel. If you can explain how spending money on security now saves the business money and reputation in the long run, you will be able to talk to executives on their level.
Offensive cyber security goes by a few names; you will often see it called ethical hacking, penetration testing, or consulting. In this field it is very difficult to know every way into a network, so a basic knowledge of the many sub-fields, such as web application penetration testing, network penetration testing, physical security, and exploit development, is definitely helpful. With that said, it is preferred that you also specialize in at least one, if not two, of those. For instance, being able to work your way through a web application and gain a foothold on the network is great, but can you then move through the rest of the network without being caught? A lot of the time the answer is no, and you need another member of your team to either take over or point you down the right path. Another option is to be the one who writes custom exploits and payloads so that your team does not have to rely on off-the-shelf tools like Metasploit or Veil-Evasion. This can be even more valuable, because custom code has no known signature and therefore evades signature-based anti-virus solutions that would flag the well-known tools. In my opinion the best and most successful penetration tests are done in teams. As such, don't try to be an expert in everything; a lot of the time you spread yourself so thin that you never become an expert in anything.
There are also certifications that help prove your knowledge in this field. One of the first that many ethical hackers earn is the CEH from EC-Council. Many consider it a baseline ethical hacking certification, but by earning it you let companies know that you at least have a basic knowledge of the different ethical hacking techniques. From there, where you go depends on where you want to specialize. If you would like to concentrate on web applications, then study the material provided by organizations like OWASP. If you are looking at exploit development, then concentrate your efforts on learning languages like C and assembly, since understanding how programs work at that level is what allows you to exploit many of the vulnerabilities found today. As you get more advanced, organizations like Offensive Security and SANS offer certifications that will take you down whichever path you like. Offensive Security is the organization that created and maintains Kali Linux. This distribution is well known in the security industry and is regarded as one of the premier distributions for penetration testing. SANS offers training that leads to GIAC certifications such as GPEN (penetration testing), GSEC (security essentials), and GCIH (incident handling), which show that you can excel in ethical hacking and understand the defensive side you will be testing against.
Defensive cyber security is what most companies are looking for, although I have found that many still need to be guided in the right direction depending on their size. When working strictly on the defensive side you will usually be labeled either a Security Engineer or a Security Analyst. Although these are the titles, many companies will still want you to wear multiple hats, and as such this could be the hardest discipline to be a part of if you don't know exactly what you want to do. The knowledge you can gain working as an analyst or engineer is immense, especially if you aren't siloed into one specific role, such as an ArcSight engineer who only works on ArcSight, or an analyst who only looks at logs from a SIEM all day. When a company wants you to fill both the engineer and analyst roles, it gives you the opportunity to spread your wings and gain knowledge in the field that others don't get. However, once you find the side you truly enjoy, I would put more effort into learning that than into trying to master everything. If you can dissect TCP packets and log files and catch things that others miss, then you could be a true asset to any company. However, if that isn't your cup of tea and you prefer to set up the equipment and configure the firewalls, proxies, and IDS/IPS, then an engineering concentration would be more your speed.
There are several ways to prove your knowledge and become part of the defensive cyber security workforce. The first is earning a degree in Networking, Computer Information Systems, or a combination of the two. From there I would work on baseline certifications like the CompTIA Security+ and Network+, the Cisco CCNA Routing & Switching, CCNA Security, and CCNA CyberOps, and/or the CEH. By earning a combination of these certifications you become a valuable candidate to almost any company.
If you search the Internet you will find resources everywhere that can help you work your way down the cyber security path. However, make sure you validate your resources before you use them. Just because a company has a high pass rate for a certification bootcamp doesn't necessarily mean it will teach you how to perform at a high level. I have found that there are many companies out there that know the certification exams so well that they only teach you the test. At the same time, there are other companies that teach you how to truly do the jobs the certifications cover, and by learning that way you have a better grasp of the content and perform better not only on the test but on the job as well. Degrees are great, and I will advocate that you do everything you can to earn one, as they show prospective employers that you are willing to learn and grow as a person.
Here I will leave you with some of the companies I have found to offer superb training and/or that are certification authorities worth looking into:
SANS (Offers GIAC Certifications & Training)
Instructors are extremely knowledgeable and have to be working in the field that they are teaching.
InfoSec Institute/Intense Schools (Offers training for many security tracks)
I personally have attended two different bootcamps, one for CCNA-R/S & CCNA-Security, as well as one for my CEHv8, and I have to say it was some of the best training I have ever received.
EC-Council (Authority over the CEH)
CompTIA (Authority for many baseline certs like Sec+, A+, and Net+)
Offensive Security (Organization that maintains Kali Linux & offers certifications like the OSCP)
Cisco (Networking Organization providing training for their products and services)
Cybrary.IT (Website providing phenomenal security training)
As always I appreciate any comments and/or feedback from those in the community.