The % breakdown table was for candidates, I'm presuming that a decent fraction of the candidates might not have been "experienced candidates" but could have been entry level.
Also, the weakest candidates are generally going to apply to the most job openings, so they may be counted multiple times here.
I used to do interviews for pentesters at an old job, and I was suprised as well. I think it's because CyberSecurity is relatively new, so companies have no idea how to hire for it, and end up hiring whoever can talk the best. I interviewed a lot of people with titles like "Senior Cybersecurity Engineer" who had no security knowledge beyond how to run an automated scan against an IP range, and put the findings it printed out into a report for management.
That's also the kind of report that management would like to hear instead of the real report, which should say things like "every single person on teams X-Z should use a password manager and 2-FA for everything they access both in business and in private".
Security is a bother at best, and disruptive at worst. It's a tough sell, and it's so much easier to point at some badly configured network devices.
> Security is a bother at best, and disruptive at worst.
Yep, the devs where I work actually went to my manager and said that me reporting security findings that need to be remediated is messing up their timeline, so they wanted all testing to be put on hold until the app was already in production. Luckily my manager pushed back and said that if they don't want their timeline messed up by constantly having to remediate findings, they should stop including basic vulnerabilities in their code.
And yet here I am with half a decade actual experience in 'Cyber Security', can write passable Golang, C, C++, Python, hands on, real world knowledge and experience of threat actors and APT TTPs, for Blue team threat hunting, IDS/IPS signature creation, incident response... etc.
And I can't even get a callback from any other company, because I don't check the "Bachelor degree required" box.
That's very surprising. I don't have a degree and at Dropbox, the last company I worked for, dropouts were more common than those who held a bachelors.
* overthewire.org Similar to HTS, but you don't need an account. The subject matter covered is also slightly different.
* https://0x00sec.org/ A forum dedicated to security. There's a lot of script kiddies, but also some gold.
* https://www.hackerone.com/ What better way to learn then practice on live targets? That being said, I would do some of the others first.
...
I do a lot of learning through reading, so books:
* Network Security Assessment by Chris McNab. I have second edition, which is a good and instructive read, but quite outdated.
* Real-World Bug Hunting by Peter Yaworski. Web security 101. Good read, and fairly useful.
* Advanced Penetration Testing by Wil Allsop. Outdated, but interesting. You will never use flash again after reading this.
* Social Engineering, The Science of Human Hacking by Christopher Hadnagy. This is a very interesting read. Also, one of the few that can't go out of date.
...
This should be enough to get you started. There's a couple more books I can think of, but they tend to be more specialized into certain fields of security and less approachable/generally applicable. If you want these recommendations as well, feel free to email me, my email's in my bio.
Very interesting article, but at the same time it depicts a very sad truth...
[Disclaimer: also not a certified security professional, but I do follow the topic and practice it hands-on from time-to-time...]
However I think there are multiple (sometimes non-overlapping) types of cyber-security professionals / roles:
* the policy maker / enforcer -- which is what some companies want, and what the most well known people out there (including Schneier, Krebs, etc.) are blogging and speaking about; (to put it metaphorically they are the ones in charge of designing an IT "hygiene", and making sure everyone "washes their hands" properly;) :)
* the operations security -- which should make sure systems and networks are well locked down, patches properly installed, watches out for suspicious activity, and if he is capable enough tries to check the boundaries and limits the firms security; this is another role most companies want, what some courses train for, and what usual bloggers write about;
* "applied cryptography / security" developer (for the lack of a better name) -- which (if he knows better) should make sure proper well-known techniques and best practices are used throughout the developed applications, and when necessary (if not already covered by existing solutions) is capable enough to mix cryptographic primitives;
* "high budget zero-day" researcher (also for the lack of a better name) -- which is mostly employed by state level actors to discover zero-day vulnerabilities, and on the other side employed by large corporations (e.g. Google, Microsoft, etc.) to make sure their most valuable systems aren't vulnerable to those types of attacks; these are the guys that come up with Spectre and Meltdown and other very low-level hardware related vulnerabilities;
* (many others that escape me at this moment...)
Each of these roles require some different traits and focus areas, which most of the time aren't strictly related to IT or security; for example:
* the policy maker should be well versed in social sciences and human behavior, as in the end he has to work with people;
* the operations security person should be as capable (if not more) than any of its "normal" peers in all matters of network and systems administration;
* all of them must understand that in the end security is a spectrum (i.e. from air-gapped-system to no-authentication-internet-connected) and it has to take into account a balance between internal cost (development, operations, etc), end-user costs (e.g. how cumbersome is for the end-user to login), risks (e.g. is the data valuable enough to protect it with 2FA), time-to-market, etc.
So in the end I think the underlying problem is that most companies want "one cybersecurity guy", and most candidates see themselves as that "one guy", when in reality there is no real person that can actually fulfill all these roles. Just like nobody wants to hire "a developer", but a "web developer", or an "embedded developer", so should companies specify what kind of security professional they are looking for...
> * (many others that escape me at this moment...)
* Threat hunting / attribution
Familiarity with clustering incidents and pivoting between actors by attack signatures.
Or before that, do you even know what an APT is? (Probably only a small percentage of CS grads.)
* Malware re
* Post incident forensics
Random tools and skills that come up...
SQL keeps coming up even though I try to avoid it. There's generally an "SQL person" on the team that drives simple queries but having the basics down will be faster.
Visualization tools that help diagram clusters of incidents, though these might be declining in importance.
Beyond the network stack, understanding common network services, how people (criminals) register for domains and set up virtual services, techniques for c2.
You can play around with riskiq as a free user. You can read some reports from FireEye, Symantec, Crowdstrike, etc. for free to see how they do it. The MITRE attack framework collects a lot of it. Most CS students probably don't know those names though or where to start.
An understanding of criminal law and/or geopolitics doesn't hurt.
You might be grouping this in "policy", but I'd break out "compliance".
Getting a company certified under PCI, HIPAA, and friends is a specific and important role in cybersecurity that doesn't require advanced hands on technical knowledge.
It's important to note that while there are a lot of skills which can be useful, it's fairly rare to find a job which requires them all.
For example, if you have a mobile application specialist, they probably don't need to worry about, say, VLAN configuration on a regular basis. It's quite likely that even if they do know it, the lack of use will result in them not showing that knowledge well in an interview situation. If you give them a few hours and an internet connection, though, they may well be able to refamiliarise themselves easily. Alternatively, you just need to hire someone who specialises in network architecture and segregation - this does rely on the person doing the hiring to know vaguely what they need, though, which is not always the case.
I work in the industry, and there are people who are well known as experts in specific fields, but who I would never expect to be able to do some other aspects of my job, just as I would struggle to do things they can do without any difficulty.
I think the cyber security industry is at the stage where the web was 15-20 years ago, where a company would hire a "webmaster" who did all the web related stuff, rather than getting a combination of people in different roles each specialising in one area. It's slowly getting better, but it's still common for companies to look for a jack of all trades security person, rather than getting the specific knowledge they need.
>I think the cyber security industry is at the stage where the web was 15-20 years ago, where a company would hire a "webmaster" who did all the web related stuff, rather than getting a combination of people in different roles each specialising in one area
This is an interesting view. You really think so? The use case of the "web" /website industry is so much wider. I feel like cybersecurity companies are struggling a lot more to come up with an actual product and continues to be more of a consultancy type business. I know in China a lot of the smaller cybersecurity startups have eventually been folded into either alibaba or tencent cause it's so hard to come up with a product that people want to buy.
Totally agree, it's not really possible for a hacker or security specialist to excel at all categories. Some people become an expert in web injection, others in buffer overflows, network attacks or crypto. The field has become way too wide for one person to have expert knowledge in everything.
I find this article very interesting. I'm coming at this from the other way around. I am a Site Reliability Engineer, so I've been writing code, architecting systems, building networks etc for 8 years professionally; I am however eyeing a more security oriented position so only now I am looking at courses and training.
In my experience many jobs in "risk management" (under which I'd file a large part of cybersecurity from an organisational perspective) are 'second career jobs'. You first need to have done the job yourself before you start learning how to properly comment, guide, influence and teach colleagues and teams. People are notoriously resistant to outside critique even when you are part of the same organisation and principally on the same boat. So I would advise companies to let medior to senior staff that are not management material but can lead by example to take on more risk management roles.
So how to get into cybersecurity? Don't. Do what you like (programming, systems administration or even IT-procurement) and after a few years start transitioning to cybersecurity. An exception would be the hardcore whitehats but firms usually don't have those on board and rely on consulting. So programmer-consultant is another route. But you won't get hired without quite the demonstrated homework, so you'll need to love it.
Krebs does not work in Cybersecurity, does not come from a position of knowledge or experience in Cybersecurity and his only skill relating to Cybersecurity is doxxing people.
I could understand if this was "Thinking of a Cybersecurity journalism career" but there are better people to learn from.
I do incident response for a living and the general idea of his article was accurate. His message is that many candidates lack the technical capability to do the job but its easy to acquire those skills on your own using resources from the web if you are really interested in it.
He even added a disclaimer that he's not a technical expert.
I feel like it's hard to teach cybersecurity formally. It deals with hacking and by nature the spirit of hacking is hard to teach. I have learnt cybersecurity as a hobby and have competed with our university team in some online well known attack/defense style competitions (we sucked) and a lot of this stuff is really hard to formalize. I guess you could teach the basics like overflows, aslr, stack canaries, basic assembly, but in the end it's up to the hacker to string everything together to overflow a buffer, control the return pointer, leak the canary, string together a rop chain and pwn the system, and this takes a lot of tinkering and discovery rather than prior knowledge, although experience definitely helps. I guess it's also why some random high school teenager could be going up against the hacking team from Tencent in these competitions. And this is only for binary exploitation mind you. If you look at some of the crazy talks from defcon, the stuff they do draws upon a lot of random knowledge, and it comes down more to the act of piecing everything together than knowing anything before hand, hence the "hacking". And that's also why I love it :)
As someone undertaking a Master's in Cybersecurity, that table is totally true.
Most of my courses have a programming alternative for assignments yet the students alongside me have very little interest.
I've been doing this a while so maybe I'm just an outlier as I've always been the guy who is the jack of all trades, but I can't help but see something unknown as something to learn.
It's a similar story in my cybersecurity Master's program. Many students seem to lack any dev or administration skills and are basically locked out of the high quality, practical classes because of it. Everyone that seems to be succeeding in my program and in the job market either has a formal CS background or is a motivated, self-taught dev or admin.
As with most positions, the largest obstacle to getting a job in security is overcoming the HR Gatekeepers. The hiring system is broken. Those who successfully attained job are those who generally have networked their way around the first line HR personnel.
Get your name out there so that hiring managers know who you are. Blog, go to meet-ups, make friends, do capture-the-flags, create a website, create a Git repo, and a home lab that you write about.
TBH while a lot of people say the shortage is a myth, I am not so convinced. I wouldn't personally hire most people in infosec because I think the industry has the wrong idea of what the career should look like.
Most people in infosec have no coding skills. That isn't their fault, they aren't told it's important. I think it is, so I won't hire them. That just cut out the vast majority of candidates with a single criteria, and I believe a lot of the criteria is broken.
I think the cybersecurity (I hate the term cyber btw as it's usually used by people who don't know what they're talking about), is very focused on the 'think like a hacker' skillset right now.
While I do agree this is important in various roles in the security realm, there are also many jobs where this doesn't really add value. A lot of work is about implementing things like MFA, role-based-access etc where knowledge of the platform used (e.g. Microsoft) and internal processes are more important. After all, most companies already fail at the 'fix the obvious' stage, it's not necessary to go looking for clever ways in when there are many doors left open.
Just to elaborate: A lot of discussions go like this. A pentest or random scan finds obvious issue. Ticket is raised to the security team. They go like "WTF why do we still have Windows 95?? Kill it.". Then their boss goes like "Sorry, Bill the manufacturing VP lobbied with the CEO, we have to leave that one alone". Of course when it actually gets hacked, Bill is nowhere to be found. This is why internal influencing skills are so important in real everyday security jobs.
Of course in the pentesting role this kind of thinking is absolutely necessary. However even there the kind of training given right now is too much in the realm of 'scriptkiddie'ism. Hacking is about inventing and true mastery of technology, not about using the tools everyone uses. Being able to run metasploit and wireshark does not make one a hacker. By doing this, pentesters test for yesterday's hacks, not tomorrow's.
> Being able to run metasploit and wireshark does not make one a hacker. By doing this, pentesters test for yesterday's hacks, not tomorrow's.
Be careful here. This is bordering on elitism.
Having someone come into a business and check for "yesterday's hacks" is better than no one doing any checks at all, therefore such skills are still valuable and worthwhile.
In learning how networking works; how operating systems are designed and implemented; why and how the OWASP Top Ten work; and knowing solutions to these problems is still a valuable skill set.
What you're suggesting is everyone has to be willing and able to write fresh exploitation on the spot when they're testing a client's network when in fact there's a lot that can be discovered (and resolved) with basic scans and simple questions based off of Security+ grade knowledge.
I know, but most of these "hacks" are identified by internal scans already. The pentest doesn't add much value then. The issue is more internal resistance to change in the management team.
Like I said I know most companies already fail at the basics. But these are normally well known already, just not fixed due to political pressure. Having the security team's management be better at influencing would pre-empt these issues. Pentests serve to bring these known issues under discussion again, but they often don't bring any unknown issues to light.
Also, they tend to be too artificial. In one example: In a recent pentest I know of, they sent some remote access malware to the admins, which they all ignored and reported. However as they couldn't continue they called one admin's manager and asked him to tell the admin to click on the link so that they could proceed. The outcome of the pentest was that if a malicious actor sent a malicious remote access malware and if it was clicked on, they would have remote access. Well duh.
Of course this could be mitigated by having separate workstations for email and admin activity, which was an issue that was already understood and a mitigation in progress. This is what I mean by pentesting not raising new issues. Another example: The company in question already test new web apps for known attacks, and is quite successful (in fact I've never seen a new app come through the certification process in the first round). What I'd expect from a pentest is to tell us something we don't know :) It's an interesting second-opinion but it's not the amazing X-ray it's promised to be.
> What you're suggesting is everyone has to be willing and able to write fresh exploitation on the spot when they're testing a client's network
Which is exactly what a serious adversary would be doing in a targeted hack!
> I know, but most of these "hacks" are identified by internal scans already. The pentest doesn't add much value then. The issue is more internal resistance to change in the management team.
This sounds like management's fault for using a service they don't need yet. If there are glaring, obvious vulns that are repeatedly pointed out but aren't getting fixed then how useful is it to point out additional more subtle vulns? I understand the point you are trying to make about pentests telling you data you already know, but how many people are going to take the time to enumerate subtle vulns when there are basic ones that can be hit to great effect?
> Which is exactly what a serious adversary would be doing in a targeted hack!
I don't think it makes sense to worry about what a serious adversary could do when a moderately skilled one can already wreck you with known exploits.
Well, the issue is that these vulnerabilities can't be hit to great effect, because they're usually well understood and mitigated by other means (see the admins being very conscious of email malware). In many cases the pentesters cheat by asking for special permissions or for someone to click something they wouldn't normally have done. Just so they can be seen to 'have found something'.
I think a targeted adversary is more worrying because they usually are driven by high gains, which means something that's a big risk to the company. Like strategic information that can cripple the company. Whereas a more moderate adversary will usually trigger a ransomware campaign on some low-secured laptops or something which can be mitigated in a day or 2 by restoring backups. Big interruption yes. Company-killer no.
Also an advanced adversary will usually operate unseen altogether and penetrate the highest levels of security. A ransomware attack is much more obvious. I would view them as different things altogether. An advanced adversary might use the same techniques for their initial access but due to the many layers of security this won't be enough to reach the most critical information.
Which is exactly why I was saying pentesters should be more inventive :) The level of external pentesters I've seen, has not exceeded the "scriptkiddie" level.
Most pentesters / offensive security professionals have to operate with their hands tied behind their backs. Management generally has no interest in a real report of what happens if someone actually tried to break in. Generally speaking pentests are often so limited in scope and what is allowed to be engaged that you might have a group of people perfectly capable of robbing you unable to show you how because the company doesn’t want to know the truth.
Especially pre-Wannacry, since then things have improved somewhat, when top management woke up to the thought that these things do in fact actually happen.
Scriptkiddie level people should just be honest that they are doing checklist audits to see if administrators are doing their job.
But unfortunately we are on the hype train where everyone needs to be "cybersec/offensive/pentester/ethical hacker". In the end, cannot really blame them entirely because otherwise CEO and CFO types are not going to hire them and they won't earn money.
You haven't seen good pentesters then, I suppose. I personally know a lot better than the level you described and I'm not near as experienced as some of the people I know. Question is whether or not whoever holds the purse is willing to pay for the higher quality work.
Dirt cheap programmers from low-economy countries aren't always the best either, just saying.
Yes good point. The ones I know come across as "box tickers". They're from a very high profile IT company but that doesn't say much. I assumed they were all like that but I admit that was an assumption.
> But these are normally well known already, just not fixed due to political pressure.
This is just not true. Plenty of developers don't really know much about these. Juniors are basically glad they done the task or tend to focus on like two risks they know. And from experience, many seniors sorta kinda vaguely heard about these.
The fault is absolutely not just in management. And even management that is at fault is often acting on advice or with validation of developers who don't care about these much.
Many companies don't know how to even run internal scans. Even when they have interest in it.
> I know, but most of these "hacks" are identified by internal scans already. The pentest doesn't add much value then.
As I said above in to another comment: pentesting isn't the job in the field and the article wasn't specifically aimed at pentesters.
> Which is exactly what a serious adversary would be doing in a targeted hack!
Sure, and that's when you bring in someone who can do the same for you but ahead of time before the bad guys get there. But to say someone who can't do that isn't in a cybersecurity position or has no value is wrong :)
I didn't say that! If you see my first post, I agree with you that in many 'cyber'security jobs other skills (like politics/influencing) are much more important and unfortunately often lacking in key people. I actually don't like the strong focus on the CEH/OCSP certs as most HR depts seem to apply them to all areas of security. Not just pentesting and auditing.
And especially for pentesters, I'd want them to have more initiative than just running through some standard textbook operations. At least that's what I've seen. But as another poster mentioned, what they do at this company is more like an audit, just under the flag of a pentest which sounds cooler.
Be careful about the soft bigotry of low expectations.
A generation has grown up thinking that skill/knowledge elitism is a real thing and that it's oppressive. Instead we should learn to identify people who do difficult things, recognise how they do difficult things well, systematically emulate their methods as we attempt difficult things, and constantly work at the edge of our ability.
The only thing that happens if we don't do difficult things is that we become people who can't do difficult/valuable things.
What part of my response led you to believe I inferred we shouldn't learn difficult things? I'm simply try to show that people who haven't mastered the industry are still valuable.
> What part of my response led you to believe I inferred we shouldn't learn difficult things?
The first sentence, and its emphasis on calling out elitism (and concomitant gate-keeping).
> I'm simply try to show that people who haven't mastered the industry are still valuable.
Despite your noble intentions, I don't think such comforting statements are useful, and they are probably harmful: On the one hand, the market will decide what skills and what level of skills it wants to pay for (and how brutal when, after often being comforted, consoled, and reassured, I find no one willing to pay me for my meagre skills), and on the other hand, there are more than enough people who are confidently happy to run metasploit and burp, shut their laptops, and demand a pay-cheque.
Decent sysadmin should be able to setup automated scanning, know about OWASP, keep systems patched. That should be absolute baseline for sysadmin work. Checking for yesterdays hacks is valuable but that is called auditing and you should have checklist for that.
Pentesting should be focusing on hacking and uncovering stuff that was not in audits like making custom exploits on the spot.
Problem is that running scanners and checking basic stuff should be an audit but that does not sound as cool as "pentest" and "white hat hacker"/"cybersecurity specialists" sounds way cooler than auditor.
I think I see the problem. You're assuming several things here. Firstly you're assuming that pentesting is the definition of cyber security when in fact it's one aspect of a huge area. Secondly you're implying that everyone wants to be a pentester. And finally I feel like you read the article and came to the conclusion it was only about becoming a pentester, when in fact it was about getting into a much larger field that contains maybe jobs with many different objectives.
System administrator should be main actor in security. Thing is no one wants to be system administrator now, everyone wants to be "cybersecurity expert/ethical hacker". Which in my opinion "ethical hacker" should be something that we call pentesters and we don't need system administrators to be "ethical hackers".
I do not equate pentesting with all security, it is that people don't want to do boring job of sysadmins. People don't want to spend all day going through logs, going through alerts and sorting out false positives. Which is real job there and is boring and that is not what "hackers do".
If that article would have title "How to become system administrator" no one would read it or comment it.
Pentesting is really small part of security that should be an elite, because most of the work is in system administration.
Also, metasploit isn't used just for yesterdays hacks, it's great for ever your 0days to manage sessions and do some of the repetitive/boring leg work for you
The term "cyber" has been part of the information security lexicon and if you work in the industry you accept it as reality. Especially if you work for government or a government contractor. Claiming that people who use the word cyber don't know what they are talking about is just ignorance at this point.
It's called "infosec" in the private sector and "cybersecurity" in the public sector (and adjacent).
"Cyber" can have negative connotations in the private sector only because, well, the best people in this business would never pass a security clearance so the public sector can only hire the leavings...
> Being able to run metasploit and wireshark does not make one a hacker. By doing this, pentesters test for yesterday's hacks, not tomorrow's.
Funny enough, this thought process shows a failure to understand process and internal influencing. Quite often, the things found by a basic pen-test are known internally. Research will reveal long, boring discussions that end with someone like Bill dismissing things as not important and the risk acceptable.
What the paid-for report does it makes the risk visible, documented, and something the company may have to show to customers or partners. Now it's gone from something that can be shrugged off to something expensive and embarrassing. Bill has to explain why his opinion should matter more than those of the biggest customers. Now it's something that is much easier to prioritize.
Big management often doesn't value unpleasant or critical feedback from below. Once it's advice that's been paid for, its value jumps. After all, if you're not going to listen then why did the company pay the big bucks for it?
Sometimes it crops up in vendor review or similar. I've definitely found myself reviewing pen-test reports for exactly that reason without a lawsuit or discovery.
Needless to say, having a bad pen-test report and then burying it would look extremely bad.
In that case, I have good news! Well, good-ish. If this happens often enough, higher-ups sometimes get sick of being blind-sided by it. They start being pro-active about addressing security issues and planning projects to pay down tech debt.
Doesn't always work, but it's more likely to work with a far-sighted exec than a quarterly-minded one.
Over time every security executive learns that there’s only three important things in security:
- How big is our cyber policy?
- How do we make sure the insurance company pays out?
- Will our financial growth and policy offset the maximum potential losses if we decide not to roll out security tool X or patch Y?
That’s really it. When growth and insurance won’t cover it then you’re plugging holes until the equation balances itself out. Everything else is theater.
Doing anything other than the above ends your career...quickly.
Pentests are a joke - a compliance activity and nothing more. As the client I get to pick the vendor, determine scope and influence the criticality of findings in the final report.
Insurers don’t care about anything until you have a breach and a claim. They look to see whether you have the controls mandated in the policy and...
Whether your attacker used a nation-state toolkit if so then they don’t have to pay.
Most cyber policies will not protect against “acts of god” or “acts of war” without paying top dollar and having a cap on damages.
They will also look for gross negligence. The worm hit out-of-support Windows XP machines that the company couldn't bother to upgrade in the past 10 years. No compensation.
> Whether your attacker used a nation-state toolkit if so then they don’t have to pay.
Definitely seen that one.
I'm curious as to why an insurer wouldn't look at a bottom-tier pen-test for signs of gross negligence. They'll readily turn up things like failing to have authentication on key file shares, no access controls on the network, or no MFA in use. The sort of stuff that's easily exploited and shows utter neglect on the part of the insured.
Basically, it's been my experience that a tick-box pen-test exercise does a reasonable amount to check if the supposed controls are actually there.
During my degree, I had a crossover unit for cryptography. The unit was a mix of computer science majors, and also a new "cyber security" degree the university had recently started. This was a third year unit.
Holy-moly, did the cyber security students flop from the first class. It was immediately clear that the new "degree" they had signed up for had not given them even elementary math skills in comp. sci related fields (discrete math, linear algebra). A few of them put in the hard yards, studied about a year's worth of math and did okay. But the majority flopped out hard and failed.
I do not value CEH or OSCP at all. The candidate will need to demonstrate they can apply that skill against a real world situation. I wont be more likely to interview you by having these on your resume, but it may help a recruiter put it in front of me (though I will never tell them to look for these keywords)
Good!! That's the right approach. I also think these certifications are forcing students to think in the direction intended by the underlying company, whereas hacking is about looking for the unexpected. It's about mastery of technology, not about ticking some boxes and knowing command-line parameters of common tools by heart.
Indeed there is a major issue with HR focusing too strongly on certificates because they lack the knowledge to evaluate a candidate any other way.
GekkePrutser:
> Good!! That's the right approach. I also think these certifications are forcing students to think in the direction intended by the underlying company, whereas hacking is about looking for the unexpected. It's about mastery of technology, not about ticking some boxes and knowing command-line parameters of common tools by heart.
CEH is box ticking. OSCP is breaking into stuff. That hacking is about "mastery of technology" I don't agree with. The latest major vulnerabilities identified this month were very low hanging fruits, and I bet you there's still way too many unpatched instances of BIG-IP, NetScaler and Windows DNS out there right this moment.
...two of which have available POCs online for any scriptkiddie to get their hands on. If not all three... the researchers who found the Windows DNS vulnerability have agreed to hold their horses for a while, letting admins patch their systems before releasing all details.
Latteral movement in an Active Directory environment is trickier than looking up a version number and trying your luck with a POC, sure, but you give too much credit to hackers, man. :P
> See my earlier comment regarding the relative strength of candidates with OSCP.
Have you been through the course and exam yourself, or are you basing this on something else? If you've been through the experience, which parts of it contribute to you not valuing it?
I have not, and have no plan to take OSCP - though im familiar with it.
I'm relating the facts about candidates who applied to my roles with OSCP certifications. I did not hire any of them.
I do not specifically dislike OSCP, its that I do not value any of the certs merely because someone possesses them.
Certs are a marginal signal to me about your potential for discipline, may inform how deep I go on questioning, and thats it. Conversely, certs may lead to bias, particularly for some very lame ones.
I don't think it's very fair to weight letters on a resume so heavily, it's about what you can do in the role I have for you.
Having them is not something that will make a big difference to me.
I have to be blunt - many of my weakest candidates came with these certs. Im impressed when you are already amazing at these things, and then show the discipline to get the cert anyway.
Im passing on your candidacy when you have the cert, but put me to sleep with the practical application. I'm less interested if you can study, and more interested if you can LEARN.
Can you talk about your interview process? e.g. types of interviews, screens vs. on-sites, distributions, etc. What are the shortcomings that keeps a candidate from an offer in the final steps, e.g. the candidate passes screening interviews, but falls short on an on-site interview. What are the indicators you observe that differentiate a senior candidate? How do you go about evaluating entry-level and junior candidates? Thank you!
We do a few screens, starting with general security discussion - something like: intro, light tech/coding - just to make sure we aren't completely wasting our time
The main interview centers on software security, and is focused on real world scenarios. We avoid "explain this OWASP top 10 blah blah blah" kind of questions. The goal is to see if you can reach the outcomes we expect, regardless of how you may approach them. I don't care if you can explain SQLi to me, you should be able to approach exploiting it on a live system.
We will:
* Give you a sample system and ask you to threat model it. Maybe you will use STRIDE, maybe you wont, but we hope you will find some threats using structured techniques.
* Ask you about secure systems you have designed, why you made the choices you made, and how you would make them differently today. We want to know if you have a methodology, a structured approach, and experience.
* Expose you to vulnerable code implementations, and running systems. We hope you will discover vulnerabilities.
* Show you examples of our systems, and ask you how you would secure them. We want to understand if you can see, and discuss security architecture.
* Role play developer interaction scenarios. Can you handle soft skills?
* Have you done any of this at scale? Do you understand how to make it work for 10, and 1000 developers? Explain your experience, how would you do it differently?
I can go on, but again the emphasis is evaluating whether or not you can do the tasks we need you to do, with a high degree of quality in whichever way works best for you, while also being able to completely ignore your resume if we want.
It is extremely difficult for us to consider hiring junior candidates, and we frequently encounter candidates with no deep experience. While it is unfair to expect candidates to have spent time at home treating this as a passion project, those are the ones im going to hire because they can deliver the outcomes in an interview. To combat the hiring difficulty, we have arrived at this approach which allows us to send candidates through the machinery quickly, with low bias.
Really? Your interview sounds pretty par for the course. I did this work for ~$140k, but was not in the bay area. I knew I was underpaid but not THAT underpaid.
It is sfbay. Senior security folks are at or above $200k in the majority of cases. As with all sfbay salaries, it is not representative of any other market.
Huh interesting. I work in infosec (but not a hiring person). I would normally rank this as an important skill. Not because i actually care about getting an explanation but because half the job is getting non security devs to care about security issues/fix them/not make them in the future. In my experience it is really difficult to do that if you can't explain the vulnerability to them.
In my experience it's too complicated to explain or they don't want to understand (the software has to ship yesterday). Have to show them.
api.example.com/;SELECT * FROM customers
See. This is allowing anybody to dump all customers or delete customers (show the next query). Developers understand that this is not an intended feature.
I think you misunderstood. Almost anyone can tell you what sqli is, few can demonstrate an exploit. You need to be much closer to the latter than the former.
I notice in your other replies you have several interview questions that seem to be targeted at previous experience. What kind of side projects, cybersecurity or just programming related, do you find the most appealing in a candidate?
I love to hear about the tools people have created. There is almost always a good story about a problem and a solution.
However, this is not really what I mean. If you are interviewing for a role in software security, you should be current on the industry and ready to talk sources and research. At a minimum, you should have areas of interest that you are passionate about discussing, even if you are still ignorant about the deep details.
You wont do well if security is something you only do 9-5, but I don't want you working for me after hours.
I think I've got a good example of a tool that I created that comes with a good story about a problem and a solution.
Would love your feedback as I'm a recent CS grad struggling along.
In my experience, c level folks just want someone who can produce a dashboard or executive report with a bunch of green check marks that basically say “yay! We’re secure”. They don’t care about the why, how, if the check marks are actually meaningful, etc. This mindset is then reinforced by vendors selling security snake oil - the entire infosec domain is a shit show; if infosec practitioners ever want to be taken seriously, they need to collectively get their shit together and organize around some real tangible standards.
There's the MITRE ATT&CK Framework https://attack.mitre.org/ which is gaining attention and seems very promising (although it of course isn't the golden answer to all questions, it goes a long way to cover the basics).
CyberSecurity, the domain that doesn't recruit yet has a shortage.
What cybersecurity is to most people is automated security scans. This can be done by interns with a week of training to run the tools. (Interpreting and remediating the findings is another matter).
Besides that, security is mainly about authentication. That's done by setting up LDAP, active directory, openid connect and co, and integrating in applications. A tremendous amount of setup and integration work for administrators/developers. (Not cyber security engineers)
There are cyber aspects around infrastructure and networking for sysadmin/devops/sre/developers. Setting up firewalls and 2FA in AWS, configuring TLS, upgrading OS and abandoned libraries. (Still, no permanent cyber security roles in sight)
Last is a couple of researchers finding vulnerabilities, concentrated in the likes of the NSA, NSO Group, project zero. Highly technical work that very few companies recruit for. These are full time jobs, offensive cyber security (vulnerability researcher) but extremely few in the world.
When I see people looking for cyber security engineers or trying to break into security. I can't help but think what do they mean by that? Just become a developer or a sysadmin/devops.
Unless you’re going the vulnerability/malware research, reverse engineering, or something equally specialized don’t paint yourself into a corner and limit your options with over specific signaling.
And realize that the above are tough roles to get paid for. There aren’t many of them, you have to have intense technical skills across many domains to be effective. All things considered you are unlikely to be able to make as much money as a developer (with just a little business savvy) putting in the same amount of effort.
Don’t get me wrong, I’m still an old hacker at heart and infosec has a lot of amazing aspects of it. It is one of the last holdouts of the old community-driven cultures around computing, but know what you’re getting into with open eyes. Recruiters and businesses have been working hard to commoditize it for years, and will continue to. In addition it’s been a “hot” job track for a while now, similar to “devops” a few years ago, so you’ll find a lot of folks in it without a particular interest or understanding beyond the surface level resume fodder.
> CyberSecurity, the domain that doesn't recruit yet has a shortage.
Yes, they are 100% lying about this. Any time you see an article about skills shortage, it's complete bullshit. It is cheap for them to create the illusion of a skills shortage via articles and blog spam. What they really want is people to spend their own money on training vs. them training their own talent. Then, once you've spent your money on training, you'll still run similar gauntlets in interviews that developers like to complain about.
This is why some of the certs are kind of useless at getting a job despite industry advice to get them. Some places will see something like OSCP and then still give you a time-limited CTF to do before they'll even talk to you about an entry-level position. Other larger companies will praise you for your certs, saying certs + programming skills is what they look for with new people, then just ghost you.
The interviewing process in pentesting is just as bad, if not worse, than development.
Plus, despite most pentesting gigs being more difficult day-to-day than regular web development jobs, they pay much, MUCH less, sometimes as much as $40k less (80k vs. 120k in a large metro area).
All of this is kind of countered by the fact that you can really do bug bounties on your own now, so you may not really need a traditional job. IMHO, you're better off being a developer first before going down that route.
> Yes, they are 100% lying about this. Any time you see an article about skills shortage, it's complete bullshit. It is cheap for them to create the illusion of a skills shortage via articles and blog spam. What they really want is people to spend their own money on training vs. them training their own talent. Then, once you've spent your money on training, you'll still run similar gauntlets in interviews that developers like to complain about.
This is so true. It is now common with most undergrads in India now, that they cannot even apply for a fresher job without such additional courses/certificates.
Training, learning and skill development budgets mobilized by CXOs for "other purposes"(may be for their vacation in the Swiss Alps that they promised to their spouse).
> Besides that, security is mainly about authentication. That's done by setting up LDAP, active directory, openid connect and co, and integrating in applications.
You've phrased this to hit a pet peeve. A huge, ongoing security issue is people checking for authentication when they should be checking for authorization.
I mean the domain is so large you literally left out all of incident response and blue team, centralized threat analysts and red team, and all the engineers in those areas.
Cybersecurity, as a field, is in desperate need of identifying different roles within it. These roles are notionally understood within the field, but what they are called and what exactly they do hasn't really crystallized quite yet. You still see job postings for "Cyber-security SME" or whatever and the organization has almost no idea what exactly they want out or the person they hire. So they end up with bored, highly skilled, reverse engineers and pentesters running automated scans, or overwhelmed "security guys" who's career was running compliance checklists being asked to build a defensive intelligence platform.
I call this the "Cyber Dash" problem where there's many different kinds of Cyber-<insert job> but the industry hasn't figured out what those are, what to call them, what they do, and what the requirements are beyond maybe a handful of roles.
1) Employers don't like the fact that the labour they require has skills that a lot of time to become competent at and the labour wants to be compensated accordingly.
2) They get universities to start offering degree programs tailored to churn out new graduates who are willing to work for entry level wages.
3) Employers complain that the grads who come out of these programs are unprepared to do the same job as the old guard.
Using Metasploit, Nessus, and nmap should be a 1 credit elective course in a CS degree. Not top billing.
Totally it's the same pattern over and over again we don't want to pay technical talent that can actually do stuff, and won't or can't train the people that are willing to work cheap.
I’m in Georgia Techs online MS in cybersecurity program and have argued these points a few times. Most of the cybersecurity classes are just CS classes. I think it was just a money grab to repackage their existing CS degree into a more marketable package.
I’ve argued that we should have some type of network and OS hardening classes. There is a required network security And secure computer communication class but they are much more about programming vs implementation. The counter arguments I get are that what I’m suggesting is more aligned with a vendor cert. But a lot of cyber security is doing the hardening of os and proper user access.
A lot of the cyber students end up switching to the policy track instead of the information security track. They are admitting students with almost no prior CS experience. They get away with only having to take an intro to cyber security CS class. Their remaining classes are all management classes marginally related to security.
I’m going to use this article to backup my arguments that there is more to cybersecurity than programming.
I agree that hands on skills are important. And i agree that candidates often lack them.
But im not sure that the skills in the article are really hands-on skills.
For example, the article talks about picking up a book on tcp/ip. That's not hands-on, that is theory. I also question what type of cybersecurity degree program this is, where you don't learn how the internet works?
All the things in the article sound like stuff i would expect a "cybersecurity" degree to cover. They don't sound like things that need to be taught practically.
In my opinion (working as security architect for an US Fortune500) technical skills are mandatory, but they are not enough for a successful career on cybersecurity. You need to have great communication skills (writing a great pentest report is probably the most important and difficult part), negotiation and persuasive abilities (sometimes you have to accept risks against budget, deadlines and business requirements).
In the cybersecurity community I see a certain degree of elitism (don't use Kali, don't use Metasploit, etc.), but we need to understand that they are just tools, so anyone is free to use the tool that is more confident and more appropriate for the tasks.
128 comments
[ 3.7 ms ] story [ 223 ms ] threadAlso, the weakest candidates are generally going to apply to the most job openings, so they may be counted multiple times here.
Security is a bother at best, and disruptive at worst. It's a tough sell, and it's so much easier to point at some badly configured network devices.
Yep, the devs where I work actually went to my manager and said that me reporting security findings that need to be remediated is messing up their timeline, so they wanted all testing to be put on hold until the app was already in production. Luckily my manager pushed back and said that if they don't want their timeline messed up by constantly having to remediate findings, they should stop including basic vulnerabilities in their code.
And I can't even get a callback from any other company, because I don't check the "Bachelor degree required" box.
Fucking, awesome.
Maybe there's something else going on?
Search cyber security jobs on indeed in London and there is hardly anything coming up. I can't imagine what it's like in a small city.
Disclaimer: I'm not particularly good at this, so whatever comments I make are well intentioned but may be of varying accuracy.
...
Online sources:
* OWASP.org is a good place to find info. If you look something up, there's a good chance you will find it here.
* https://owasp.org/www-project-web-security-testing-guide/ Thanks to redis_mic for this one, I didn't know it existed until today.
* overthewire.org Similar to HTS, but you don't need an account. The subject matter covered is also slightly different.
* https://0x00sec.org/ A forum dedicated to security. There's a lot of script kiddies, but also some gold.
* https://www.hackerone.com/ What better way to learn then practice on live targets? That being said, I would do some of the others first.
...
I do a lot of learning through reading, so books:
* Network Security Assessment by Chris McNab. I have second edition, which is a good and instructive read, but quite outdated.
* Real-World Bug Hunting by Peter Yaworski. Web security 101. Good read, and fairly useful.
* Advanced Penetration Testing by Wil Allsop. Outdated, but interesting. You will never use flash again after reading this.
* Social Engineering, The Science of Human Hacking by Christopher Hadnagy. This is a very interesting read. Also, one of the few that can't go out of date.
...
This should be enough to get you started. There's a couple more books I can think of, but they tend to be more specialized into certain fields of security and less approachable/generally applicable. If you want these recommendations as well, feel free to email me, my email's in my bio.
[Disclaimer: also not a certified security professional, but I do follow the topic and practice it hands-on from time-to-time...]
However I think there are multiple (sometimes non-overlapping) types of cyber-security professionals / roles:
* the policy maker / enforcer -- which is what some companies want, and what the most well known people out there (including Schneier, Krebs, etc.) are blogging and speaking about; (to put it metaphorically they are the ones in charge of designing an IT "hygiene", and making sure everyone "washes their hands" properly;) :)
* the operations security -- which should make sure systems and networks are well locked down, patches properly installed, watches out for suspicious activity, and if he is capable enough tries to check the boundaries and limits the firms security; this is another role most companies want, what some courses train for, and what usual bloggers write about;
* "applied cryptography / security" developer (for the lack of a better name) -- which (if he knows better) should make sure proper well-known techniques and best practices are used throughout the developed applications, and when necessary (if not already covered by existing solutions) is capable enough to mix cryptographic primitives;
* "high budget zero-day" researcher (also for the lack of a better name) -- which is mostly employed by state level actors to discover zero-day vulnerabilities, and on the other side employed by large corporations (e.g. Google, Microsoft, etc.) to make sure their most valuable systems aren't vulnerable to those types of attacks; these are the guys that come up with Spectre and Meltdown and other very low-level hardware related vulnerabilities;
* (many others that escape me at this moment...)
Each of these roles require some different traits and focus areas, which most of the time aren't strictly related to IT or security; for example:
* the policy maker should be well versed in social sciences and human behavior, as in the end he has to work with people;
* the operations security person should be as capable (if not more) than any of its "normal" peers in all matters of network and systems administration;
* all of them must understand that in the end security is a spectrum (i.e. from air-gapped-system to no-authentication-internet-connected) and it has to take into account a balance between internal cost (development, operations, etc), end-user costs (e.g. how cumbersome is for the end-user to login), risks (e.g. is the data valuable enough to protect it with 2FA), time-to-market, etc.
So in the end I think the underlying problem is that most companies want "one cybersecurity guy", and most candidates see themselves as that "one guy", when in reality there is no real person that can actually fulfill all these roles. Just like nobody wants to hire "a developer", but a "web developer", or an "embedded developer", so should companies specify what kind of security professional they are looking for...
* Threat hunting / attribution
Familiarity with clustering incidents and pivoting between actors by attack signatures.
Or before that, do you even know what an APT is? (Probably only a small percentage of CS grads.)
* Malware re
* Post incident forensics
Random tools and skills that come up...
SQL keeps coming up even though I try to avoid it. There's generally an "SQL person" on the team that drives simple queries but having the basics down will be faster.
Visualization tools that help diagram clusters of incidents, though these might be declining in importance.
Beyond the network stack, understanding common network services, how people (criminals) register for domains and set up virtual services, techniques for c2.
You can play around with riskiq as a free user. You can read some reports from FireEye, Symantec, Crowdstrike, etc. for free to see how they do it. The MITRE attack framework collects a lot of it. Most CS students probably don't know those names though or where to start.
An understanding of criminal law and/or geopolitics doesn't hurt.
You mean that Linux command thing? ;)
Getting a company certified under PCI, HIPAA, and friends is a specific and important role in cybersecurity that doesn't require advanced hands on technical knowledge.
For example, if you have a mobile application specialist, they probably don't need to worry about, say, VLAN configuration on a regular basis. It's quite likely that even if they do know it, the lack of use will result in them not showing that knowledge well in an interview situation. If you give them a few hours and an internet connection, though, they may well be able to refamiliarise themselves easily. Alternatively, you just need to hire someone who specialises in network architecture and segregation - this does rely on the person doing the hiring to know vaguely what they need, though, which is not always the case.
I work in the industry, and there are people who are well known as experts in specific fields, but who I would never expect to be able to do some other aspects of my job, just as I would struggle to do things they can do without any difficulty.
I think the cyber security industry is at the stage where the web was 15-20 years ago, where a company would hire a "webmaster" who did all the web related stuff, rather than getting a combination of people in different roles each specialising in one area. It's slowly getting better, but it's still common for companies to look for a jack of all trades security person, rather than getting the specific knowledge they need.
This is an interesting view. You really think so? The use case of the "web" /website industry is so much wider. I feel like cybersecurity companies are struggling a lot more to come up with an actual product and continues to be more of a consultancy type business. I know in China a lot of the smaller cybersecurity startups have eventually been folded into either alibaba or tencent cause it's so hard to come up with a product that people want to buy.
So how to get into cybersecurity? Don't. Do what you like (programming, systems administration or even IT-procurement) and after a few years start transitioning to cybersecurity. An exception would be the hardcore whitehats but firms usually don't have those on board and rely on consulting. So programmer-consultant is another route. But you won't get hired without quite the demonstrated homework, so you'll need to love it.
I could understand if this was "Thinking of a Cybersecurity journalism career" but there are better people to learn from.
He even added a disclaimer that he's not a technical expert.
Most of my courses have a programming alternative for assignments yet the students alongside me have very little interest.
I've been doing this a while so maybe I'm just an outlier as I've always been the guy who is the jack of all trades, but I can't help but see something unknown as something to learn.
Most people in infosec have no coding skills. That isn't their fault, they aren't told it's important. I think it is, so I won't hire them. That just cut out the vast majority of candidates with a single criteria, and I believe a lot of the criteria is broken.
While I do agree this is important in various roles in the security realm, there are also many jobs where this doesn't really add value. A lot of work is about implementing things like MFA, role-based-access etc where knowledge of the platform used (e.g. Microsoft) and internal processes are more important. After all, most companies already fail at the 'fix the obvious' stage, it's not necessary to go looking for clever ways in when there are many doors left open.
Just to elaborate: A lot of discussions go like this. A pentest or random scan finds obvious issue. Ticket is raised to the security team. They go like "WTF why do we still have Windows 95?? Kill it.". Then their boss goes like "Sorry, Bill the manufacturing VP lobbied with the CEO, we have to leave that one alone". Of course when it actually gets hacked, Bill is nowhere to be found. This is why internal influencing skills are so important in real everyday security jobs.
Of course in the pentesting role this kind of thinking is absolutely necessary. However even there the kind of training given right now is too much in the realm of 'scriptkiddie'ism. Hacking is about inventing and true mastery of technology, not about using the tools everyone uses. Being able to run metasploit and wireshark does not make one a hacker. By doing this, pentesters test for yesterday's hacks, not tomorrow's.
Be careful here. This is bordering on elitism.
Having someone come into a business and check for "yesterday's hacks" is better than no one doing any checks at all, therefore such skills are still valuable and worthwhile.
In learning how networking works; how operating systems are designed and implemented; why and how the OWASP Top Ten work; and knowing solutions to these problems is still a valuable skill set.
What you're suggesting is everyone has to be willing and able to write fresh exploitation on the spot when they're testing a client's network when in fact there's a lot that can be discovered (and resolved) with basic scans and simple questions based off of Security+ grade knowledge.
Like I said I know most companies already fail at the basics. But these are normally well known already, just not fixed due to political pressure. Having the security team's management be better at influencing would pre-empt these issues. Pentests serve to bring these known issues under discussion again, but they often don't bring any unknown issues to light.
Also, they tend to be too artificial. In one example: In a recent pentest I know of, they sent some remote access malware to the admins, which they all ignored and reported. However as they couldn't continue they called one admin's manager and asked him to tell the admin to click on the link so that they could proceed. The outcome of the pentest was that if a malicious actor sent a malicious remote access malware and if it was clicked on, they would have remote access. Well duh.
Of course this could be mitigated by having separate workstations for email and admin activity, which was an issue that was already understood and a mitigation in progress. This is what I mean by pentesting not raising new issues. Another example: The company in question already test new web apps for known attacks, and is quite successful (in fact I've never seen a new app come through the certification process in the first round). What I'd expect from a pentest is to tell us something we don't know :) It's an interesting second-opinion but it's not the amazing X-ray it's promised to be.
> What you're suggesting is everyone has to be willing and able to write fresh exploitation on the spot when they're testing a client's network
Which is exactly what a serious adversary would be doing in a targeted hack!
This sounds like management's fault for using a service they don't need yet. If there are glaring, obvious vulns that are repeatedly pointed out but aren't getting fixed then how useful is it to point out additional more subtle vulns? I understand the point you are trying to make about pentests telling you data you already know, but how many people are going to take the time to enumerate subtle vulns when there are basic ones that can be hit to great effect?
> Which is exactly what a serious adversary would be doing in a targeted hack!
I don't think it makes sense to worry about what a serious adversary could do when a moderately skilled one can already wreck you with known exploits.
I think a targeted adversary is more worrying because they usually are driven by high gains, which means something that's a big risk to the company. Like strategic information that can cripple the company. Whereas a more moderate adversary will usually trigger a ransomware campaign on some low-secured laptops or something which can be mitigated in a day or 2 by restoring backups. Big interruption yes. Company-killer no.
Also an advanced adversary will usually operate unseen altogether and penetrate the highest levels of security. A ransomware attack is much more obvious. I would view them as different things altogether. An advanced adversary might use the same techniques for their initial access but due to the many layers of security this won't be enough to reach the most critical information.
You get what you pay for. I've taken part in security audits that delivered 0days - but they weren't cheap.
Especially pre-Wannacry, since then things have improved somewhat, when top management woke up to the thought that these things do in fact actually happen.
But unfortunately we are on the hype train where everyone needs to be "cybersec/offensive/pentester/ethical hacker". In the end, cannot really blame them entirely because otherwise CEO and CFO types are not going to hire them and they won't earn money.
Dirt cheap programmers from low-economy countries aren't always the best either, just saying.
This is just not true. Plenty of developers don't really know much about these. Juniors are basically glad they done the task or tend to focus on like two risks they know. And from experience, many seniors sorta kinda vaguely heard about these.
The fault is absolutely not just in management. And even management that is at fault is often acting on advice or with validation of developers who don't care about these much.
Many companies don't know how to even run internal scans. Even when they have interest in it.
As I said above in to another comment: pentesting isn't the job in the field and the article wasn't specifically aimed at pentesters.
> Which is exactly what a serious adversary would be doing in a targeted hack!
Sure, and that's when you bring in someone who can do the same for you but ahead of time before the bad guys get there. But to say someone who can't do that isn't in a cybersecurity position or has no value is wrong :)
And especially for pentesters, I'd want them to have more initiative than just running through some standard textbook operations. At least that's what I've seen. But as another poster mentioned, what they do at this company is more like an audit, just under the flag of a pentest which sounds cooler.
Be careful about the soft bigotry of low expectations.
A generation has grown up thinking that skill/knowledge elitism is a real thing and that it's oppressive. Instead we should learn to identify people who do difficult things, recognise how they do difficult things well, systematically emulate their methods as we attempt difficult things, and constantly work at the edge of our ability.
The only thing that happens if we don't do difficult things is that we become people who can't do difficult/valuable things.
The first sentence, and its emphasis on calling out elitism (and concomitant gate-keeping).
> I'm simply try to show that people who haven't mastered the industry are still valuable.
Despite your noble intentions, I don't think such comforting statements are useful, and they are probably harmful: On the one hand, the market will decide what skills and what level of skills it wants to pay for (and how brutal when, after often being comforted, consoled, and reassured, I find no one willing to pay me for my meagre skills), and on the other hand, there are more than enough people who are confidently happy to run metasploit and burp, shut their laptops, and demand a pay-cheque.
Pentesting should be focusing on hacking and uncovering stuff that was not in audits like making custom exploits on the spot.
Problem is that running scanners and checking basic stuff should be an audit but that does not sound as cool as "pentest" and "white hat hacker"/"cybersecurity specialists" sounds way cooler than auditor.
I think I see the problem. You're assuming several things here. Firstly you're assuming that pentesting is the definition of cyber security when in fact it's one aspect of a huge area. Secondly you're implying that everyone wants to be a pentester. And finally I feel like you read the article and came to the conclusion it was only about becoming a pentester, when in fact it was about getting into a much larger field that contains maybe jobs with many different objectives.
I do not equate pentesting with all security, it is that people don't want to do boring job of sysadmins. People don't want to spend all day going through logs, going through alerts and sorting out false positives. Which is real job there and is boring and that is not what "hackers do".
If that article would have title "How to become system administrator" no one would read it or comment it.
Pentesting is really small part of security that should be an elite, because most of the work is in system administration.
That seems to be the issue for me - many people using "cyber" are noticeably out of touch.
"Cyber" can have negative connotations in the private sector only because, well, the best people in this business would never pass a security clearance so the public sector can only hire the leavings...
Funny enough, this thought process shows a failure to understand process and internal influencing. Quite often, the things found by a basic pen-test are known internally. Research will reveal long, boring discussions that end with someone like Bill dismissing things as not important and the risk acceptable.
What the paid-for report does it makes the risk visible, documented, and something the company may have to show to customers or partners. Now it's gone from something that can be shrugged off to something expensive and embarrassing. Bill has to explain why his opinion should matter more than those of the biggest customers. Now it's something that is much easier to prioritize.
Big management often doesn't value unpleasant or critical feedback from below. Once it's advice that's been paid for, its value jumps. After all, if you're not going to listen then why did the company pay the big bucks for it?
Only if there's a lawsuit and it shows up on discovery. Otherwise there isn't really anything preventing it from being buried.
Needless to say, having a bad pen-test report and then burying it would look extremely bad.
I just wish we could get our own point across (at a level higher than myself) sometimes without having to do this :)
Doesn't always work, but it's more likely to work with a far-sighted exec than a quarterly-minded one.
Over time every security executive learns that there’s only three important things in security:
- How big is our cyber policy?
- How do we make sure the insurance company pays out?
- Will our financial growth and policy offset the maximum potential losses if we decide not to roll out security tool X or patch Y?
That’s really it. When growth and insurance won’t cover it then you’re plugging holes until the equation balances itself out. Everything else is theater.
Doing anything other than the above ends your career...quickly.
Pentests are a joke - a compliance activity and nothing more. As the client I get to pick the vendor, determine scope and influence the criticality of findings in the final report.
Insurers don’t care about anything until you have a breach and a claim. They look to see whether you have the controls mandated in the policy and...
Whether your attacker used a nation-state toolkit if so then they don’t have to pay.
Most cyber policies will not protect against “acts of god” or “acts of war” without paying top dollar and having a cap on damages.
Definitely seen that one.
I'm curious as to why an insurer wouldn't look at a bottom-tier pen-test for signs of gross negligence. They'll readily turn up things like failing to have authentication on key file shares, no access controls on the network, or no MFA in use. The sort of stuff that's easily exploited and shows utter neglect on the part of the insured.
Basically, it's been my experience that a tick-box pen-test exercise does a reasonable amount to check if the supposed controls are actually there.
I’m sure insurers understand that if they are proactive in auditing then a company will stay vigilant and probably patch all those old systems.
Holy-moly, did the cyber security students flop from the first class. It was immediately clear that the new "degree" they had signed up for had not given them even elementary math skills in comp. sci related fields (discrete math, linear algebra). A few of them put in the hard yards, studied about a year's worth of math and did okay. But the majority flopped out hard and failed.
The "degree" was dropped a year later. Poor kids.
Indeed there is a major issue with HR focusing too strongly on certificates because they lack the knowledge to evaluate a candidate any other way.
I thought this is exactly what holders of the OSCP certificate has demonstrated during the exam?
See my earlier comment regarding the relative strength of candidates with OSCP.
CEH is box ticking. OSCP is breaking into stuff. That hacking is about "mastery of technology" I don't agree with. The latest major vulnerabilities identified this month were very low hanging fruits, and I bet you there's still way too many unpatched instances of BIG-IP, NetScaler and Windows DNS out there right this moment. ...two of which have available POCs online for any scriptkiddie to get their hands on. If not all three... the researchers who found the Windows DNS vulnerability have agreed to hold their horses for a while, letting admins patch their systems before releasing all details.
Latteral movement in an Active Directory environment is trickier than looking up a version number and trying your luck with a POC, sure, but you give too much credit to hackers, man. :P
Have you been through the course and exam yourself, or are you basing this on something else? If you've been through the experience, which parts of it contribute to you not valuing it?
I'm relating the facts about candidates who applied to my roles with OSCP certifications. I did not hire any of them.
I do not specifically dislike OSCP, its that I do not value any of the certs merely because someone possesses them.
Certs are a marginal signal to me about your potential for discipline, may inform how deep I go on questioning, and thats it. Conversely, certs may lead to bias, particularly for some very lame ones.
I don't think it's very fair to weight letters on a resume so heavily, it's about what you can do in the role I have for you.
Having them is not something that will make a big difference to me.
Im passing on your candidacy when you have the cert, but put me to sleep with the practical application. I'm less interested if you can study, and more interested if you can LEARN.
The main interview centers on software security, and is focused on real world scenarios. We avoid "explain this OWASP top 10 blah blah blah" kind of questions. The goal is to see if you can reach the outcomes we expect, regardless of how you may approach them. I don't care if you can explain SQLi to me, you should be able to approach exploiting it on a live system.
We will:
* Give you a sample system and ask you to threat model it. Maybe you will use STRIDE, maybe you wont, but we hope you will find some threats using structured techniques.
* Ask you about secure systems you have designed, why you made the choices you made, and how you would make them differently today. We want to know if you have a methodology, a structured approach, and experience.
* Expose you to vulnerable code implementations, and running systems. We hope you will discover vulnerabilities.
* Show you examples of our systems, and ask you how you would secure them. We want to understand if you can see, and discuss security architecture.
* Role play developer interaction scenarios. Can you handle soft skills?
* Have you done any of this at scale? Do you understand how to make it work for 10, and 1000 developers? Explain your experience, how would you do it differently?
I can go on, but again the emphasis is evaluating whether or not you can do the tasks we need you to do, with a high degree of quality in whichever way works best for you, while also being able to completely ignore your resume if we want.
It is extremely difficult for us to consider hiring junior candidates, and we frequently encounter candidates with no deep experience. While it is unfair to expect candidates to have spent time at home treating this as a passion project, those are the ones im going to hire because they can deliver the outcomes in an interview. To combat the hiring difficulty, we have arrived at this approach which allows us to send candidates through the machinery quickly, with low bias.
Huh interesting. I work in infosec (but not a hiring person). I would normally rank this as an important skill. Not because i actually care about getting an explanation but because half the job is getting non security devs to care about security issues/fix them/not make them in the future. In my experience it is really difficult to do that if you can't explain the vulnerability to them.
However, this is not really what I mean. If you are interviewing for a role in software security, you should be current on the industry and ready to talk sources and research. At a minimum, you should have areas of interest that you are passionate about discussing, even if you are still ignorant about the deep details.
You wont do well if security is something you only do 9-5, but I don't want you working for me after hours.
https://www.gfrom83.xyz/
What cybersecurity is to most people is automated security scans. This can be done by interns with a week of training to run the tools. (Interpreting and remediating the findings is another matter).
Besides that, security is mainly about authentication. That's done by setting up LDAP, active directory, openid connect and co, and integrating in applications. A tremendous amount of setup and integration work for administrators/developers. (Not cyber security engineers)
There are cyber aspects around infrastructure and networking for sysadmin/devops/sre/developers. Setting up firewalls and 2FA in AWS, configuring TLS, upgrading OS and abandoned libraries. (Still, no permanent cyber security roles in sight)
Last is a couple of researchers finding vulnerabilities, concentrated in the likes of the NSA, NSO Group, project zero. Highly technical work that very few companies recruit for. These are full time jobs, offensive cyber security (vulnerability researcher) but extremely few in the world.
When I see people looking for cyber security engineers or trying to break into security. I can't help but think what do they mean by that? Just become a developer or a sysadmin/devops.
Unless you’re going the vulnerability/malware research, reverse engineering, or something equally specialized don’t paint yourself into a corner and limit your options with over specific signaling.
And realize that the above are tough roles to get paid for. There aren’t many of them, you have to have intense technical skills across many domains to be effective. All things considered you are unlikely to be able to make as much money as a developer (with just a little business savvy) putting in the same amount of effort.
Don’t get me wrong, I’m still an old hacker at heart and infosec has a lot of amazing aspects of it. It is one of the last holdouts of the old community-driven cultures around computing, but know what you’re getting into with open eyes. Recruiters and businesses have been working hard to commoditize it for years, and will continue to. In addition it’s been a “hot” job track for a while now, similar to “devops” a few years ago, so you’ll find a lot of folks in it without a particular interest or understanding beyond the surface level resume fodder.
Yes, they are 100% lying about this. Any time you see an article about skills shortage, it's complete bullshit. It is cheap for them to create the illusion of a skills shortage via articles and blog spam. What they really want is people to spend their own money on training vs. them training their own talent. Then, once you've spent your money on training, you'll still run similar gauntlets in interviews that developers like to complain about.
This is why some of the certs are kind of useless at getting a job despite industry advice to get them. Some places will see something like OSCP and then still give you a time-limited CTF to do before they'll even talk to you about an entry-level position. Other larger companies will praise you for your certs, saying certs + programming skills is what they look for with new people, then just ghost you.
The interviewing process in pentesting is just as bad, if not worse, than development.
Plus, despite most pentesting gigs being more difficult day-to-day than regular web development jobs, they pay much, MUCH less, sometimes as much as $40k less (80k vs. 120k in a large metro area).
All of this is kind of countered by the fact that you can really do bug bounties on your own now, so you may not really need a traditional job. IMHO, you're better off being a developer first before going down that route.
This is so true. It is now common with most undergrads in India now, that they cannot even apply for a fresher job without such additional courses/certificates.
Training, learning and skill development budgets mobilized by CXOs for "other purposes"(may be for their vacation in the Swiss Alps that they promised to their spouse).
You've phrased this to hit a pet peeve. A huge, ongoing security issue is people checking for authentication when they should be checking for authorization.
I call this the "Cyber Dash" problem where there's many different kinds of Cyber-<insert job> but the industry hasn't figured out what those are, what to call them, what they do, and what the requirements are beyond maybe a handful of roles.
1) Employers don't like the fact that the labour they require has skills that a lot of time to become competent at and the labour wants to be compensated accordingly.
2) They get universities to start offering degree programs tailored to churn out new graduates who are willing to work for entry level wages.
3) Employers complain that the grads who come out of these programs are unprepared to do the same job as the old guard.
Using Metasploit, Nessus, and nmap should be a 1 credit elective course in a CS degree. Not top billing.
While they may or may not have the skills that are actually needed, the H1B system makes feudal servants bound to the corporation.
I’ve argued that we should have some type of network and OS hardening classes. There is a required network security And secure computer communication class but they are much more about programming vs implementation. The counter arguments I get are that what I’m suggesting is more aligned with a vendor cert. But a lot of cyber security is doing the hardening of os and proper user access.
A lot of the cyber students end up switching to the policy track instead of the information security track. They are admitting students with almost no prior CS experience. They get away with only having to take an intro to cyber security CS class. Their remaining classes are all management classes marginally related to security.
I’m going to use this article to backup my arguments that there is more to cybersecurity than programming.
I agree that hands on skills are important. And i agree that candidates often lack them.
But im not sure that the skills in the article are really hands-on skills.
For example, the article talks about picking up a book on tcp/ip. That's not hands-on, that is theory. I also question what type of cybersecurity degree program this is, where you don't learn how the internet works?
All the things in the article sound like stuff i would expect a "cybersecurity" degree to cover. They don't sound like things that need to be taught practically.