How to prepare for and thrive in cybersecurity

If you are reading this before or on November 4, 2024, this learning path CONTEST may interest you!

This is for those who are new to cybersecurity and want hands on, depending on your focus.

First, don’t let anyone who claims to be a professional or expert tell you “cybersecurity is not entry level”. That makes zero sense, and is pure negativity, gatekeeping and deception. Cybersecurity is an industry, not a job or career. There are many different types of entry level jobs in any industry, depending on the category/subcategory of interest, including cybersecurity. How does one learn to be a SOC without an internship or being hired at the company’s lowest level? I have zero work experience, zero industry certification, and zero degrees yet, but I was asked to apply for a job as a lowest level analyst just for speaking up and sharing my passion in a meeting. I personally know at least three people who were also given entry level or above SOC jobs right after of graduation or even before graduating.

How to get noticed? Be a self-starter! Show your passion!

Utilize try hack me, hack the box and other similar free and low cost online learning sites. Search engines are your friends, learn to be a “Google Dork“. Try hack me is what I use most, many rooms are in the free subscription, and paid is less than $20 (US) per month, or less if you get their student discount! Sign up for CTFs and do them, even if you have no idea what you are doing. There are walkthroughs, write-ups and tutorials that can help you learn principles, even if there isn’t one exactly like what you are facing.

If you don’t know what you would like to specialize in, I recommend try hack me, as you won’t be locked into any particular speciality. There you can do the beginner/easy rooms in many different categories to start learning. I recommend the Linux, Windows, networking, and python rooms to get the basics down. After beginner rooms, you could choose a learning path, which you may decide you like or not, then you can choose another path to try if not. The wide variety of rooms can help you decide what you like, therefore what to keep learning.

SoloLearn has free courses, mostly for coding, but if you want their certificates for the deeper training, there is a cost. I don’t think it’s unfairly high, but that is IMHO.

Codecademy has some free courses too. Just scroll down that page until you find the filter for “Price” and select “Free”.

If you can afford it, a bachelor degree in CS, Cybersecurity, CIT etc. won’t hurt your chances of landing a job in cybersecurity.

NEVER STOP LEARNING! “Education is not something you can finish” says Isaac Asimov. He also says “Self-education is, I firmly believe, the only kind of education there is.” Further, in any technology-based industry, you will NEED to keep learning, because the tech is always changing. In 1980, Asimov predicted free learning what one is interested in via YouTube, schools using Zoom, etc.

Show what you are passionate about! These are two qualities that employers look for! Create a portfolio site listing your education and provable skills you have learned. Do projects like create a home network (or a virtual one if physical equipment isn’t in your budget) to practice with, list badges earned from the online learning sites, and/or a GitHub repository if you like coding. Promote cybersecurity awareness on all your social media accounts. The cybersecurity community isn’t just out to make money, we are here to help others too!

Check out Network Chuck and do the tutorials he puts out on YouTube. They are truly fast, easy and instructional. And fun!!! He has a great video on how to quickly create a virtual vulnerable network to practice pentesting and defense using Docker containers. Even the ones about networks are fun! Professor Messer is another great teacher on YouTube.

Follow RSS feeds or sign up for newsletter emails about cybersecurity news to keep your knowledge current.

If you are into coding, build your own portfolio website, scripts and tools from scratch, or at least build on what others have built so you understand how they work. Github is a great resource to find tools to clone and improve/add features.

LinkedIn is a great place to network and interact with proven professionals, and to gain knowledge and insights. It’s also a great place to showcase your own education and skills (aka certificates/diplomas) so prospective employers can find you. Be sure to interact often (daily) by commenting and sharing the latest cybersecurity news and technology. They also have lots of educational videos, which are sometimes covered by post-secondary institutes, such as my school, BYU-Idaho.

In your spare time, wait, “spare time”? What is that? Anyway, take time to get familiar with the NIST framework.

IMHO, although many employers require or recommend them, I’m not fond of the big name certifications, as I feel they are too focused on their own financial gain instead of training new cybersecurity warriors. If you are lucky, however, your employer, especially government jobs, may even pay for the most expensive certifications like SANS, Cisco, etc. I especially dislike the super-expensive, short-term bootcamps that literally exaggerate their promises of how much you will earn after graduating.

Specific Resources:

(For hackthebox.com rooms, you may need to login before using any of these direct links to rooms)

Blue Team (Defense):

https://tryhackme.com/room/openvpn how to set up open vpn with tryhackme to work on rooms

https://tryhackme.com/r/room/tutorial tutorial for how to work through a room on try hack me

Full learning paths
https://app.hackthebox.com/starting-point
https://tryhackme.com/path-action/beginner/join (core skills, well rounded)
https://tryhackme.com/path-action/web/join (web security)
https://tryhackme.com/path-action/presecurity/join (basics)

Smaller modules
https://tryhackme.com/module/cyber-security-awareness
https://tryhackme.com/module/introduction-to-cyber-security
https://tryhackme.com/module/linux-fundamentals
https://tryhackme.com/module/windows-fundamentals
https://tryhackme.com/module/network-fundamentals
https://tryhackme.com/module/how-the-web-works
https://tryhackme.com/module/cryptography

REVIEW USER ACCOUNTS TO VERIFY LEAST PRIVILEGE
https://tryhackme.com/room/commonlinuxprivesc
https://tryhackme.com/room/authenticationbypass
https://tryhackme.com/room/crackthehash
https://tryhackme.com/room/lazyadmin
https://tryhackme.com/room/investigatingwindows
https://tryhackme.com/room/linuxmodules
https://tryhackme.com/room/ffuf https://app.hackthebox.com/machines/list/active?sort_type=desc&difficulty=easy&show_completed=incomplete

LinkedIn Learning courses:

It is highly recommended to take lots of notes and screenshots as you go through the rooms in tryhackme and hackthebox. The habit will come in handy when you are in the competitions!

tryhackme.com

hackthebox.com

hackthebox Starting Point

What is NOT recommended? Bootcamps. Why?

Many bootcamps are no better than the hackers they claim to train students to prevent. They are invariably well overpriced for the skills they teach, and their marketing practices are unethical at best. They promise you will get a job after graduation, for example, they boast that 93% of their graduates find jobs, and/or insinuate high salaries or turning IT beginners into cybersecurity experts in 2 months, but they can’t fulfill those promises. Entry level jobs have entry level salaries! Cybersecurity experts are only such after years of training and experience! If they don’t give a money-back guarantee for their promise that you will find a job in cybersecurity right after graduation, then they are probably lying.

Read this review:
“Misleading Promises: The central premise of the program—that someone with no IT background could become a cybersecurity expert in under two months—is profoundly deceptive. The “training” provided consists of pre-recorded videos that are far from sufficient for the profound understanding and skills required in cybersecurity.

Hidden Costs and Unethical Practices: After completing the video courses, I was shocked to be informed that to obtain certification, I would need to pay additional fees for a “mercenary” from India. This individual would supposedly use a software called Ultraview to take the certification exam remotely on my behalf. This practice is not only unethical but likely illegal, compromising the integrity of the certification process and potentially the careers of those involved.

Fabricated Professional Histories: Perhaps most alarmingly, [name redacted] offers to fabricate resumes for students, including fake work history, fake degrees attained and school they never attended on LinkedIn. This is a deceitful practice that can have serious ramifications for individuals’ professional reputations and integrity.”
Another review:
” I have done everything by the book as far as this camp goes. They say oh yeah you can be a SOC guy when you are done that is super realistic. Well I got an SOC interview and the guy essentially laughed me out of the room. I carry myself the proper way and all of that, but the guy said I had learned nothing related to cyber security and just general networking and IT stuff. I did land a help desk position at an MSP so all is well, i just do not want anyone to spend $20k like I did when you could very easily educate yourself or just get certified in a few things. I am super unhappy about this but at least I have entered the field. I cannot stress enough if you are going to do a boot camp, at least make sure it is not through thrive dx. I have learned some valuable skills but NOT for cyber security like they advertised. I’ve said my piece.”

What else is NOT recommended? EC Council. Why?

EC Council has gone through the following ethics controversies:

Marketing employees spamming blog comments
Description of misogynistic beliefs and practices
First plagiarism accusation
Admitted plagiarism: Response to EC Council plagiarism “investigation” statement

EC Council’s website issues:

EC Council website found with XSS vulnerability (June 2011)
EC Council website found with more XSS vulnerabilities (Dec 2011)
EC Council website more XSS vulnerabilities, again (2013)
EC Council website defaced with Snowden passport (2014)
EC Council website delivering malware and ignored it for 3 days (2016)
A more comprehensive list of website issues and plagiarism by attrition.org
A write up by cybersecurity expert and teacher Thor Pedersen

How can a company that teaches ethics and security be trusted when their own site contained unethically obtained content (until caught) and has not been secure?