Let us first establish whether or not you have the right temperament to perform well in a penetration-testing role, and then, let us take a look at 17 tips to help you hone your skills and employability.
3.1. Tip 1: develop the right attitude
It is unlikely that you will be a competent penetration tester if you are not passionate about IT security and technology. Owing to the relentless onslaught of attacks and the constant discovery of new attack vectors, a penetration tester has to keep learning new tools, processes, and methodologies.
3.2. Tip 2: curiosity is key
You purchased this book because you are, at the very least, curious about finding a cybersecurity-related job. Hackers are, by their nature, curious people, but why is curiosity important for someone interested in starting a career in cybersecurity?
Consider the following four reasons:
Being curious makes your mind active instead of passive! Curious people ask questions and search for answers. A hacker’s mind is always active. Think of your mind as a muscle that becomes stronger through constant exercise and mental stimulation. Set yourself the goal of continuously learning about cybersecurity and you will make your mind stronger.
Curiosity trains your mind to be more observant of new concepts! Being curious about technologies that interest you will make your mind expect and anticipate new concepts. When new concepts and ideas arise, you will be better placed to understand them. Just think how many great ideas and security defenses have been lost through a lack of curiosity.
Open up new worlds and possibilities! By being curious you will see new possibilities that are normally invisible to the average end user. They are hidden behind the surface of normal life, and it takes a curious mind to find them.
Curiosity brings excitement to your life! The life of curious people (Hackers!) is far from boring and certainly never routine. There are always new challenges and opportunities that attract their attention, and there are always new cybersecurity “toys” to play with.
3.3. Tip 3: develop technical prowess
Penetration testing is an extremely technical discipline. You must be able to understand not only how technologies work at a low level, but also how to subvert controls in a repeatable and methodical way, and you must learn constantly as new software and hardware updates are released.
3.4. Tip 4: get involved in your local community
Needless to say, getting involved with hacker groups or Linux user clubs in your local town or city is a great way to start laying the foundations of your cybersecurity career.
Meetup.com, for example, is a great resource. We counted 250 hacker groups with 45,000 members in the United States alone. Not only will it be fun to meet like-minded people, but joining a group will also open up networking opportunities. At the very least, you stand to make new friends who will offer you free advice on how to break into the industry. Volunteer to present a tutorial or a specific piece of research at your club. That is a great way to force yourself to become an “expert” in a particular technology.
Look to see if there are any BSides events near you. BSides is an excellent organization that has chapters in every major city in the United States. BSides has come to be known as a “conference by the community for the community” and events are generally free to attend.
3.5. Tip 5: take part in competitions
Extending from Tip 4, you may well discover that your local hacking club or group enters teams in competitions. Competitions such as “capture the flag (CTF)” are an excellent way to improve your penetration-testing skills and your communication skills, and of course, to network. Incidentally, it is also very common for recruitment agents to be present at CTF events. Here is a list of resources to get you started:
3.6. Tip 6: join newsletters and read blogs
Email lists have been around since the early days of the Internet but they are still an excellent way to stay abreast of what is happening in cybersecurity. Here are some newsletters that you should consider signing up to.
SecureRoot (http://secureroot.com/): It was created in the 1990s and quickly grew thanks to its simple-to-use and friendly interface.
SecLists (http://seclists.org/): SecLists provides web archives and RSS feeds (now including message extracts).
SecurityFocus (http://www.securityfocus.com/): SecurityFocus has been a mainstay in the security community. It carries original news content, detailed technical papers, and guest columnists.
United States Computer Emergency Readiness Team (US-CERT) (https://www.us-cert.gov/mailing-lists-and-feeds): US-CERT offers mailing lists and feeds for a variety of products, including the National Cyber Awareness System and Current Activity updates.
oss-security Mailing List Charter (http://oss-security.openwall.org/wiki/mailing-lists/oss-security): The open-source security (oss-security) group encourages public discussion of security flaws, concepts, and practices in the open-source community. The members of this group include, but are not limited to, open-source projects, distributors, researchers, and developers.
Handler’s Diary (https://isc.sans.edu//diary.html): The Handler’s Diary is more of a blog than a mailing list, but it is just as important nonetheless. It is written by various volunteers and published by SANS.
SANS: Cybersecurity Newsletters (http://www.sans.org/newsletters/): SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security.
CSO Security and Risk Newsletters (http://www.csoonline.com/newsletters): CSO provides news, analysis, and research on a broad range of security and risk topics – all taken from a management perspective.
Security News and Articles (http://nakedsecurity.sophos.com/): This award-winning news, opinion, advice, and research newsletter has a wide range of articles and is certainly recommended as a good source of information.
3.7. Tip 7: master popular hacking tools
As we established in Tips 1, 2, and 3, education and self-learning are vital components of becoming a penetration tester. There are plenty of inexpensive or free online resources for gaining basic knowledge of testing and of using the tools. Mastery of these hacking tools will bring you to a level where you can hold a competent conversation in an interview, or demonstrate working knowledge of, for example, Metasploit or Burp Suite. Great resources for mastering popular hacking tools can be found on sites such as Concise-Courses.com, SecurityTube, Udemy, OWASP, and YouTube.
3.8. Tip 8: become a Kali Linux power user
This is an extension of Tip 7. BackTrack was the Linux pentesting distro of choice until its developers decided that it was time to relaunch it as a new distro: Kali Linux. At the last count, there were over 250 penetration-testing tools contained within Kali Linux.
We highly recommend that your Kali Linux installation is booted natively on hardware rather than run in a virtual machine. In our experience, wireless cards such as the Alfa AWU series do not work as well when they are bridged through to a virtual machine, a restriction that could limit your ability to master some tools (see Tip 7).
3.9. Tip 9: create a home lab
You should already be familiar with the fundamentals of computing, but if you have not done so already, set up a home network or, better still, a lab, or as some call it, a “rig.” DVWA (Damn Vulnerable Web App) is an excellent, deliberately insecure PHP/MySQL web application that you can install and use to test your skills.
Many IT-security companies, and even individual penetration testers and network/systems technicians, create their own labs where they configure and reconfigure systems, try out exploits, compromise the security of computers, and then try to harden the defenses and attack them again.
This might sound expensive, but you can build a lab up over time if you have the resources (and space). Various Internet auction sites and local recycling groups are a great source of inexpensive hardware. Linux flavors that run on lower-specification systems can be found, and virtualization can also enable you to run several virtual servers on a single physical host (and to recover them easily if you end up breaking the operating system).
3.10. Tip 10: become a code monkey
The ability to write code or program is always an advantage and it certainly will help you understand web applications. It is not absolutely vital, but learning one or more languages will help. The C programming language has a lot of use within application security, but Java, Python, or Ruby will do just fine.
3.11. Tip 11: find bugs!
Bug bounties are an excellent way to prove your skills and prowess, with sites such as “Bugcrowd” paying sizeable amounts to their best bug hunters. Finding a bug, documenting how you found it, and placing this on your resume will certainly turn heads in the HR/recruitment office, so sign up to at least one bug bounty site today!
3.12. Tip 12: participate in open-source projects
Following on from learning how to code is our recommendation to participate in an open-source project. Find a subject or project that you are interested in on GitHub and get involved! The organizer of the project will almost certainly be grateful for the extra help, and may even be willing to provide a testimonial on the work you submitted (which you can place on your LinkedIn profile).
Furthermore, participating in an open-source project will allow you to differentiate yourself from your peers by acquiring a niche skill. For example, why not find a mobile/cell-phone hacking project – this is a growth area and would further your employment marketability.
3.13. Tip 13: brush up on your written skills
Written skills are vital when applying for a cybersecurity job. Being able to effectively communicate in lay terms is what can separate a serious professional from a script kiddie. If you want to excel at working in cybersecurity, then learn how to write effective audits and reports that detail your penetration test or forensic analysis.
3.14. Tip 14: attend cybersecurity conferences and volunteer
Attending conferences is obviously a fantastic way to network, learn about new technologies and research, and seek opportunities! Although ticket prices can be expensive, think about presenting at a conference. Cybersecurity conferences always need speakers, whom they find through a process known as a “call for papers.” Simply submit your research/presentation proposal and wait to see if they accept it. Having your resume mention that you spoke at a conference is a sure-fire way to attract the interest of a recruiter.
Remember that you can also volunteer at conferences! Volunteering is a great way to convey enthusiasm on your resume and is again an excellent networking opportunity, since you will be working with the event organizers, who most likely work within the cybersecurity industry. DEF CON is one of the largest conferences on the West Coast, and ShmooCon is a popular conference on the East Coast. Smaller conferences include: Hacktivity, ToorCon, HackFest, and Hacker Halted. For a comprehensive list of cybersecurity conferences visit:
http://www.concise-courses.com/security/conferences-of-2015/
3.15. Tip 15: learn Linux!
This is essentially an extension of Tip 8 but nonetheless, understanding Linux will help your career. Nearly all useful hacking tools are developed specifically for Linux, so by extension, understanding shortcut commands and so forth will increase your efficiency and effectiveness.
3.16. Tip 16: get work experience
OK! You are likely thinking that everything so far is all well and good, but the truth still remains: when applying for a security role you will be asked for experience, or better said, your employer will check your resume to see what kind of experience you have before inviting you to the next stage.
Here is a solution: start your own consultancy, even if it is only a part-time security-penetration-testing consultancy. Ask friends and family who run their own businesses if you can audit their networks and computer systems. Once you have done this several times, you can create a website and post testimonials to your LinkedIn profile. Your employer (or recruitment consultant) does not need to know that your friends and family gave you a break; rather, they will be satisfied that you have the necessary professional experience and know-how to audit and ethically hack computer systems! So, in one fell swoop, you no longer have the “but I cannot get experience if I do not have a job” excuse!
3.17. Tip 17: government sponsored initiatives
If you are just starting your career in cybersecurity then you must join the government-sponsored initiative called CyberPatriot (https://www.uscyberpatriot.org/). This initiative is the National Youth Cyber Education Program. If you are not already a member then join today. CyberPatriot was launched to inspire high-school students toward careers in cybersecurity or other science, technology, engineering, and mathematics (STEM) disciplines. Your association alone with CyberPatriot will demonstrate your professionalism and enthusiasm to learn and succeed in cybersecurity.
There are three main programs within CyberPatriot: (1) the National Youth Cyber Defense Competition, (2) CyberCamps, and (3) the Elementary School Cyber Education Initiative.