This is the ideal time to skill up in cyber security
With work for developers, contractors and others in flux, now is the ideal opportunity to think about using downtime to hone or acquire new skills. There’s been a flurry of articles online and off about studying new languages, memorising poetry, learning a musical instrument and the like.
These are all commendable pursuits, of course (and it’s great to follow your passions) but for most people, mastering “Stairway to Heaven” won’t do much to improve your career prospects once this pandemic passes and you’re looking for your next job (or – in the case of recent school, college and university leavers – your first).
TL;DR: we’ve put links at the bottom of this blog to some excellent resources if you have a yen for the technical but aren’t sure where to start. If you’re an experienced security hand, take a look too – and suggest your own favourite resources for beginners, improvers and those who are accomplished but want to stay up to date.
If you have a passion for technology, then why not use the time to develop skills in cyber security? The industry’s always on the lookout for passionate newcomers, whether existing tech professionals, people looking to change direction or those at the start of their careers. The pandemic and its aftermath won’t dampen that need – quite the opposite. As everyone adapts to the need for virtual working, the importance of ensuring businesses’ and individuals’ networks, systems and devices are secure from the burgeoning threats of scammers, spammers, hackers and cyberterrorists is only going to grow.
Not only does cyber security offer a huge diversity of roles and specialisms suited to all personality types – from head-down coders to hands-on ‘people people’ – there’s also a vast array of (mostly free and online) resources that allow anyone with time on their hands to gain the necessary skills and experience they need to break into whatever part of the industry most excites and attracts them.
Tinker with tech
Playing around with technology will help you understand which areas you enjoy, as well as equipping you with vital skills by osmosis. Building a website, setting up a server, developing a mobile app – doing these things will help you understand the mistakes people make. Then you can switch to thinking like an attacker, learning how you can exploit such mistakes to infiltrate systems. That in turn will push you to discover how you can practically mitigate such issues.
You can easily set up a cyber security lab at home – whether that’s a handful of virtual machines running on a single laptop or a full network of whatever computers and devices you have knocking about. We’ve included links to some of our favourite resources at the end of this blog, and the netsec community at Reddit have also compiled an extensive list at http://www.reddit.com/r/netsec/wiki/start.
Be a bug bounty-hunter
Once you’re up to speed, a fun way to gain more of the practical experience you need is to become a bug bounty-hunter. Some companies actively encourage people to assess their own products and systems for security vulnerabilities, offering money and prizes to those who uncover bugs.
Not only can such challenges be rewarding, fun and teach you valuable skills, participation is also great for your CV and for demonstrating your passion and talent to potential future employers. A good place to start if you’re unsure is Bugcrowd (bugcrowd.com), which has a large number of bug bounty programmes running all the time. Just remember to stay within the permitted remit of any given hacking challenge or you could wind up breaking the law!
In normal times, we’d also recommend attending security conferences, but these aren’t normal times and this year’s premier cybersecurity events are all likely to be cancelled. However, we’ve included a list of some of the best anyway, in the hope things return to relative normality after the summer.
Books, however, can still be useful. You’ll have plenty of time for reading, after all. Many cyber security books are weighty, pricey tomes that can quickly become out of date – and it can be hard for a beginner to know which are worth reading. So in the links below we’ve highlighted some of the industry ‘bibles’ and more widely-praised books that have stood the test of time as good starting points for those wishing to soak up essential cybersecurity skills.
Finally, don’t obsess about qualifications. You’ll see plenty of firms offering expensive courses that will lead to some formal cybersec qualification or other, but no one will expect you to have these as a new entrant to the industry – don’t waste your money on them. Once you’ve landed your first cybersec job, your employer should offer you the chance to study for any formal qualifications that may help you in your role. Until then, you’ll gain far more relevant skills and experience following the advice above, without having to dip into your pocket.
So while we’re all locked in, get your head down and we look forward to seeing you apply for your first cybersec role on the other side. Stay safe!
For those of you looking for something more technical, head over to F-Secure LABS.
Resources we rate
PortSwigger has a great web security academy: https://portswigger.net/web-security
CobaltStrike’s training videos offer a fantastic primer for red team work: https://www.cobaltstrike.com/training
Get started in cyber security with Cybrary: https://www.cybrary.it/catalog/cybersecurity/
What’s Threat Hunting? Well, you can read our paper – and then set up your own pentesting (ahem) threat hunting lab: https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat.html
HackerOne is a fantastic, peer-updated service that can keep you up to date with the latest vulnerabilities and exploits: https://hackerone.com/hacktivity
Ippsec’s video content is really good – check the YouTube channel (https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA) or go to https://ippsec.rocks/
Fancy sharpening your skills? https://hackthebox.eu is incredible, and even if you don’t manage to pop a box, there are the writeups and tutorials to learn the techniques for the future. Attack Defense is pretty good too – lots of virtualised machines and different degrees of difficulty, but you’ll need a Google account to sign in: https://attackdefense.com/