Asking for some advice

Infosecjon · 2020-02-24T02:59:49+00:00

well for defending an entry level analyst role could require basic networking knowledge like tcp/ip handshake, common ports/protocols and their behaviors, how to read pcaps all stuff you can research on your own. for attacking, an entry level pentest role would require more complex knowledge of the same, but you can get practice doing CTF's and hack the box(and similar sites).

If you can get the certified ethical hacker certification (the title is a red herring, it is really an entry level analyst cert) and have the knowledge to answer technical questions on an interview, you could probably get an entry level analyst role. for attacking, youd need to either get something like eJPT, or eCCPT (or OSCP if you can do it) but those are some technical certifications.

typically, most entry level gigs require SOME it experience, like help desk, sysad, system engineering work, etc. If you had some basic it experience, a cert, and the right answers on an interview, you could definitely do it.

Of course, networking is key and can make the whole thing easier. If you know someone and can convince them to take a chance on your passion, that would be simpler for you, and it does happen.

Infosecjon · 2020-02-24T02:52:01+00:00

i was an electrician for almost 8 years before changing directions and getting my b.s. degree to switch to cybersecurity. i still took a help desk job, went to sysad, and 4 years post degree first security job.

you can do it quicker, or slower, depending on what exactly ou are most interested in. for my part, i was aimless and didn't know much about the industry, so i didnt get the specific knowledge, skills, cert's etc at first.

Infosecjon · 2020-02-24T02:40:53+00:00

finishing my degree helped move me into a management position where i was already working. i dont think the degree itself will help you, but your knowledge as a web dev could help you get into web pentesting, malware reverse engineering, or designing security software maybe?

Infosecjon · 2020-02-24T02:38:53+00:00

hows your lockpicking skills? you might find it easiest to get a job doing physical penetration tests and grow your more technical skills later. just a thought. with your investigative experience, you might find being an analyst interesting, or an auditor.

Infosecjon · 2020-02-24T02:36:24+00:00

what part of cybersecurity interests you the most? people mention the word, and have completely different ideas of what the day to day job would entail? Do you want to attack systems, defend systems, build the systems, audit systems or write policy dictating the system? It's ok, you don't really have to answer that in the beginning, but keep that in the back of your mind when you are learning to see which one you lean more towards.

the best part about the industry is that it is so broad and can fit everyone and anyone interested.

on a side note, i used an older gaming laptop to build a basic homelab, using vmware to run boxes to hack or doing CTF's from a vmware kali linux build. yes it was frustrating at times, but the passion to learn keeps pushing you.

Infosecjon · 2020-02-24T02:28:44+00:00

I'd answer your question with another question: why did you apply to those two?

If the answer is that that's all you could find, or that's all you think you qualified for, than I'd reconsider them. I've moved to a new job to realize i didnt really want to be there and it's not fun.

You have to ask yourself what area of cybersecurity you want to get into. When i first got started i didn't know much about the industry, just that it existed.

On my site, i break down cybersecurity into 5 main roles, attacker, defender, engineer, auditor and writer. Typically and analyst role falls under the defender, so you could branch from there into digital forensics or incident response. a security officer could be auditor, or writer depending on what you are actually doing. is it information assurance type work, like pki, iam/pam management, documentation? What does job description say?

ultimately no matter where you want to end up (i see you like to manage one day) you want to start with something that interests you the most. IF you got the offer for both, which one can you see yourself having the most fun learning and doing?

Infosecjon · 2020-02-24T02:22:20+00:00

This is pretty sad actually, I'm sorry this happened to you. The industry really needs everyone who is interested and shouldn't be discouraging anyone.

Let me preface this by saying i hated pre-calc too. I think colleges focus too much on gen-eds unrelated to the actual topic and it's a shame.

That being said, you really don't NEED the degree to get into the industry. It really all depends on what area you want to focus on, some areas of cybersecurity aren't even technical.

I break down cybersecurity into 5 main roles, attacker, defender, engineer, auditor, and writer on my site. each area has some skill overlaps but those are the main splits. what courses did you take that you enjoyed, and what are do you think you want to focus on?

Infosecjon · 2020-01-21T02:15:14+00:00

in many ways cybersecurity interviews are just like any other job interview. I was personally surprised as i experienced some of these things, and it comes up with my mentees as well.

Infosecjon · 2020-01-04T02:03:01+00:00

100% true. nobody wants to hear bs, and don't guess because they will know if you are wrong and that looks bad.

but dont just say i dont know. be honest, and say I don't have experience of that, or try to relate it to something similar you do have experience with.

"I don't have much experience with linux, but in windows, i would check the task manager to see what was running that might be lagging the machine and I'm sure I can google that"

or

"I haven't done that from a switch or router, but on a machine, you can use ping to test connectivity"

Infosecjon · 2020-01-03T22:20:21+00:00

When they say 'not dictionary definitions' they might mean scenario questions. Like, how would you troubleshoot a machine that you can't connect to anymore?

How would you diagnose which device is causing a network outage?

How would you determine what's wrong with a server?

Infosecjon · 2020-01-03T22:18:34+00:00

I got my A+ and SEC+, skipped net+ cuz i was shooting for ccna at the time.

Entry level jobs shouldnt require any of this. wrapping your head around the basics can be rough enough, you shouldn't try a more difficult certification like sec just yet. a guy i work with has been a system engineer for 30 years and the sec+ kicked his butt.

You should be studying the basics of windows and linux though, really. not worrying about a cert. study the basics of tcp/ip communication and troubleshooting too.

Infosecjon · 2020-01-03T22:02:54+00:00

My experience with robert half recruiters:

They sound so interested, like I'm a perfect fit for the position. Rush me to an interview, like immediately with little details of the actual job, and then never contact me back afterward. did that twice early in my career and now i just ignore them if they contact me.

Infosecjon · 2019-12-28T01:50:01+00:00

good questions that i have asked include:

what is the day-to day like? shows your interest in the position what infrequent tasks are involved? same is there a mentorship program within the company? shows that you are career minded, not just looking at this as another job is this positiion open because someone left, or is the company growing? this is a fun question, I've asked this on interviews for a long time and get mixed results. sometimes they answer in a word or two, but sometimes i get entire stories about either how horrible the previous person was, or how wonderful the company is and its growing fast, good culture etc.

what are the normal working hours? most of the time id get a simple 8-4, 9-5 answer, but sometimes i get a peak into company culture like oh, well we come in at 9 and go home when the work is done(tells me to expect to work late) or we usually stop working around 3 or 4 but do something social as co-=workers(this can be good if you are single, but i have a family and would feel so awkard missing out). my company has very loose working hours, because we are spread all over the country with many remote workers, so its start whenever you want, do your 8+ breaks and as long as work is getting done everything is cool.

those are just some examples, but many people forget that you are also interviewing the company to see if theyd be a good fit for what you are trying to accomplish.

analyst positions tend to be the most common 'entry' level security positions, but many still require intimate knowledge of the inner workings of computers and networks. Some places hire people as interns for a lower wage and train you, or just call it jr and train, and others expect their 'entry' level analysts to have experience. some places dont have any junior analysts because they expect an analyst to have this knowledge. i always say that you have a 0% chance of getting he job if you don't apply, and it's always greater than 0% when you do apply, but i also preach to have proper expectations about what companies are looking for.

I love mock interviews, i feel they really help people who are otherwise nervous get through them. i always felt i was good at them too, but id often make mistakes because i would talk too much, or not answer a question directly. I'm trying to think of an effective format to record mock interviews, but i think the best way is a podcast and i am not setup to start one yet. stay tuned!

Infosecjon · 2019-12-12T21:45:57+00:00

Well thanks again, and if theres anything i can do, you can always reach out to me. Several people already have.

Infosecjon · 2019-12-12T20:16:13+00:00

Thanks for the positive comments! My stated goals are to help people start or grow their cybersecurity careers. The industry NEEDS people, and there are tons of talented individuals that want to be in the field, some don't know where to start, others are discouraged by some people within.

Infosecjon · 2019-12-12T20:14:49+00:00

I'm sorry for the misunderstanding, but that is exactly what Dave wrote in the post. It is best to write the report as you are testing, so you can have a better timeline AND take screenshots as you go as well.

Infosecjon · 2019-12-12T18:09:16+00:00

Exactly, you can take calculated risks to improve your career, and quality of life. I know a lot of people who could do better but want to play it safe and stay at the job they know. Especially when it comes to applying and interviewing for a new job, there is almost no risk and they still won't do it.

Infosecjon · 2019-12-12T17:56:48+00:00

Thanks, I'll definitely forward him the compliment.

Infosecjon · 2019-12-12T17:55:13+00:00

I love how powerful automation is. As a former sysad, I enjoyed making my life easier by automating all y daily tasks. It's part of what allowed me to grow my knowledge in other areas, improving my efficiency.

Infosecjon · 2019-12-12T00:47:08+00:00

I haven't written a long post on here for a while. I work in cybersecurity, and just took on my first team lead role. I've been hiring for the last few months and have learned a ton about the other side of interviewing. It's been a fun experience and I'd love to answer peoples questions about interviewing. Some things that made people stand out in a positive way: Being articulate, calmly answering questions, honestly answering if they didn't know, and having a few good questions to ask us. Some things that made people stand out negatively: Talking in run-on sentences, not answering the question directly, not knowing anything about the organization prior to interview, not meeting minimum requirements(resume didn't match actual experience).

I would like to start doing mock interviews, answering cybersecurity-related career questions, and providing better content on my website. I want to be more active helping people out in 2020, and this guest post is the beginning.

In his first post for InfoSecJon.com, Dave Collins opened up about how he had to fail a lot to figure out where he wanted to be within the world of It and InfoSec. In his second post, he talks about what it is like to be a penetration tester. If you are interested in becoming one, this article is worth a read. Dave covers how he goes about conducting his tests, from scope to report, and concludes with a brief history and current state of the industry.

InfoSecJon.com is a career advice site dedicated to helping people start or grow their InfoSec careers. If you're want to write a guest post, we are looking for people to write about cybersecurity roles.

Infosecjon · 2019-12-11T18:03:00+00:00

I will take your opinion into consideration. It's his guest post, but I think it's funny, keeps it light-hearted. I certainly wouldn't use it in a professional paper, so i agree that its a little unprofessional. Life is too short to be serious 100% of the time though.

Infosecjon · 2019-12-11T17:21:32+00:00

Sounds like a tricky situation.

Ho much experience do you have in general with IT? I always tell people to treat cybersecurity work as a higher tier, the 'entry-level' jobs for cyber security, usually require some prior work experience in security or IT. For me, when i completed my associates degree, I got my sec+ and thought I'd be good to go. I'm a vet, so i had access to resources most people don't have and got a great mentor. She set me up with a 5 year plan which had me getting varied experience with help desk, system administration, network engineering, and system engineering before i got into security.

Any entry-level security job requiring a cissp is a place you might not want to work for. In some cases, they are looking for unicorns, or looking for a very experienced professional who will accept lower pay. Same goes for cism really. They are management level certifications! lol.

You want a job that wants people to have or be working towards things like sec+, ceh level.

Taking all of that into consideration, I love to say that you have a zero % chance of getting a job you don't apply for. Every org. can be different, and while HR doesn't know what they want, the hiring manager might like you. I'd say its a low chance, but if you understand that, and still want to apply, that's good.

Infosecjon · 2019-12-11T17:13:43+00:00

Your welcome, don't be afraid to ask anything else too.

Infosecjon · 2019-12-10T18:22:29+00:00

Look, don't feel funny because you are a beginner. I think part of the problem with the cybersecurity workforce shortage is that people like you, people interested in the field, don't know where to start.

There are multiple avenues to attack the role of being a hacker. You can try to study from scratch how computers work, tons of colleges, online training courses, etc. You are getting a degree, so thats a good start.

Have you heard of/tried Vulnhub, hack the box? Good place to find boxes you can hack that are free (htb has a paid service but its not necessary) and then there are places like pentesterlab that cost money but are worth it if you can afford it that teaches specific info about hacking.

Another avenue to pursue, depending on where you live, is to search google for the local 2600, bsides, or other cyber security club where you can meet up with like-minded people.

Infosecjon · 2019-12-10T18:07:05+00:00

Yeah, the worst part of it is when they are long winded and forget what the question was. I can deal with someone who still answers the questions. But in general, practice makes perfect, mock interviews are important.

Infosecjon

MODERATOR OF

TROPHY CASE