Anyone work in Cyber Security?

[reflux]

Hello all

I'm thinking of making the move across to Cyber Security after 10 years in web design. I'm currently a design manager with a decent salary and I enjoy what I do, but the higher earning potential and opportunity to work more closely with computers interests me. At the moment I'm trying to work out what qualifications I need and figure out what area I might want to move into.

I've been speaking to a training provider called Learning People. They gave me two options:

• Four course package - COMPTIA A+, Security+, Network+ and Certified Ethical Hacker. £3795.
• Three course package - COMPTIA A+, Security+, Network+. £2395.

These include all the training material, labs, exams, exam resits, career guidance etc.

So the questions:

1. Do I need to take a the 'training package' from a big vendor or can I really learn it all from a few books? Bearing in mind I've got a lot of experience in IT at an enthusiast level.
   
2. Do I need all of the above qualifications, or are some more important than others? I was thinking Security+ is the main one but happy to look into any others.
3. It looks like Security+ gets revised every 3 years by COMPTIA. It was last issued in October 2017. If that's the case, and it gets revised in October this year, would I need to do it again?

Happy to take any advice anyone might have

 

[malachi]

Hello all

I'm thinking of making the move across to Cyber Security after 10 years in web design. I'm currently a design manager with a decent salary and I enjoy what I do, but the higher earning potential and opportunity to work more closely with computers interests me. At the moment I'm trying to work out what qualifications I need and figure out what area I might want to move into.

I've been speaking to a training provider called Learning People. They gave me two options:

• Four course package - COMPTIA A+, Security+, Network+ and Certified Ethical Hacker. £3795.
• Three course package - COMPTIA A+, Security+, Network+. £2395.

These include all the training material, labs, exams, exam resits, career guidance etc.

So the questions:

1. Do I need to take a the 'training package' from a big vendor or can I really learn it all from a few books? Bearing in mind I've got a lot of experience in IT at an enthusiast level.
   
2. Do I need all of the above qualifications, or are some more important than others? I was thinking Security+ is the main one but happy to look into any others.
3. It looks like Security+ gets revised every 3 years by COMPTIA. It was last issued in October 2017. If that's the case, and it gets revised in October this year, would I need to do it again?

Happy to take any advice anyone might have

I don't work in cyber security (yet) but I am currently studying security + so I understand the basics. I want to get it done this year because yes, the new revision is due out in October. So that leaves SY0-501, six months left after revision is out before its retired.

Personally, its cheaper to buy the materials yourself and self study instead of going a training provider.

 

[Conanius]

Background - I have built and led Cyber Security teams, but I've never been at the 'working level' like Incident Response/Malware Analysis/etc. I formed & led our function, and was part of the sift team & interview panel for people applying to be either Senior or Principal Analysts.

Maybe this is sheer snobbery, but the only courses that anyone rated were SANS ones. They aren't cheap, but they are brilliant. We would send new and experienced Analysts on these courses.

The roadmap is here - https://www.sans.org/cyber-security-skills-roadmap/?msc=main-nav

Starting with SEC401 shouldn't be an absurd challenge for you if you've got 10 years in IT already. That said, usual caveat, you've said Cyber Security and not given much of a clue what you want to do. Reading the roadmap on the SANS site will give you an idea of the breadth of options.

Those courses you linked in your OP won't hurt you, but to give perspective, those 3 CompTIA courses were what I sent guys from the Service Desk in year 2 & 3 of their time with us at another one of my employers (They would all pass).

 

[ivrytwr3]

Hello all


I've been speaking to a training provider called Learning People. They gave me two options:

• Four course package - COMPTIA A+, Security+, Network+ and Certified Ethical Hacker. £3795.
• Three course package - COMPTIA A+, Security+, Network+. £2395.

These include all the training material, labs, exams, exam resits, career guidance etc.

So the questions:

1. Do I need to take a the 'training package' from a big vendor or can I really learn it all from a few books? Bearing in mind I've got a lot of experience in IT at an enthusiast level.
   
2. Do I need all of the above qualifications, or are some more important than others? I was thinking Security+ is the main one but happy to look into any others.
3. It looks like Security+ gets revised every 3 years by COMPTIA. It was last issued in October 2017. If that's the case, and it gets revised in October this year, would I need to do it again?

Happy to take any advice anyone might have

Those courses sound too expensive, a quick google and the CompTIA exams are around $219 with CEH $600?

Also, the CompTIA ones are very basic and the bottom rung of the Cyber Security ladder - you could do these much cheaper via Udemy etc when they have their sales on.

Conanius is right with SANS - SEC401 leading to GIAC, but not cheap at all. Think it copst my company around £6k. 2 weeks in a lovely London hotel with a top instructor and very nice refreshment breaks That didn't include accommodation, but there was quite a bit of evening activity, Capture the Flag etc.

 

[Zefan]

Why specifically security? This is quite key really, you'll be competing with people who have years of foundational helpdesk/1st/2nd/3rd line/infrastructure/cloud/applications support roles so it's why aren't you looking at those instead? Why not the more foundational support roles? Do you mean generic security (not amazing money/doesn't really exist in the same way the others do per se) or do you mean network security (infrastructure wise) or network security as an analyst in a SOC (they're quite different disciplines) , systems security (windows? Linux?) pen testing (blue team? Red team?), application security (for want of a better phrase, be a programmer), security assurance/policy/compliance stuff? I ask this not to come across as irritating, but because although you seemed to have focused on IT security, know that you are far from specialised at that point, and that's where the money is. All IT fields will require an active interest to keep you firstly sane, but secondly competent/competitive over time as things move on switfly. It is big and you should ideally be pursuing the Venn diagram of what you're good at/what you're interested in/what's going to make you money. Most people work out the first two of those through experience in the field first. If you want to skip this, and haven't done a serious amount of research on it, I suggest you return to it and find a reason better than it's good money, because it sort of isn't that amazing unless you're experienced and doing what you love. Don't forget that security - slightly more so than other sides of things - has the capacity to become stressful and thankless very, very quickly.

I'm going to point you towards this thread in the careers subforum I replied to a while back. https://forums.overclockers.co.uk/threads/professional-it-quals.18884617/#post-33543438

:edit: Certifications "refreshing" won't affect the validity of any you hold, it's really more an exam change. Yours will remain valid until their expiry date regardless, just a new exam is released/the old one retired.

 

[Ev0]

Why specifically security?

Becuase it's awesome?

With a background in web design you could already know some stuff that would help if looking at web app security.

Looking at the certs, A+ and Network+, unless you have very little IT knowledge to begin with I wouldn't necessarily recommend those although having the basic grounding will be important.

Security+ is a good intro into things, as Conanius has said it's one that I'd say everyone can benefit from not just someone working in security.

As Zefan has mentioned, try and narrow down what area of security you want to be in as there's different areas out there that all require different skills/knowledge.

I've been working in security specific roles about 12 years now and have done a variety of things, some roles have more of a focus on certs than others.

I don't rate the CEH course that much, seemed to be more of a memorising tools thing than really learning fundementals.

As also said above the SANS courses are highly regarded, if you want to go into pen testing then you'd ultimately be looking to work towards something like CREST certifications in that area, and to beat CV sifts stuff like CISSP, CISA, CISM all help but come with experience requirements to attain (and they dont' really give you much knowledge, more a validation of what you know).

 

[reflux]

Why specifically security? This is quite key really, you'll be competing with people who have years of foundational helpdesk/1st/2nd/3rd line/infrastructure/cloud/applications support roles so it's why aren't you looking at those instead? Why not the more foundational support roles?

Basically because, whilst there's nothing wrong with being in IT support as a career, I do it enough for friends and relatives. I want to do something more advanced, and I've always been interested in the expertise and technology involved in securing computer systems. Another part of my interest comes from a very good friend who has a great role in vulnerability analysis and has encouraged me to investigate the field. Certainly there's a case to say that it's a good idea to work up to more advanced roles from doing some foundational ones, but then there's a bigger pay gap to contend with, so that's where the idea of doing a load of training comes in.

Most people work out the first two of those through experience in the field first. If you want to skip this, and haven't done a serious amount of research on it, I suggest you return to it and find a reason better than it's good money, because it sort of isn't that amazing unless you're experienced and doing what you love. Don't forget that security - slightly more so than other sides of things - has the capacity to become stressful and thankless very, very quickly.

Yeah, I definitely have no issue with continuing to research the field. I suppose my questions above were really trying to get to the heart of what I need to take to skill up to a level of understanding that opens some doors not only in terms of understanding but also knowledge. Maybe I should have phrased it better. Also no worries about it having the potential to be stressful... my current role feels almost totally thankless and can be very difficult. I'm sure it won't be quite the same but I'm used to dealing with pressure.

I'm going to point you towards this thread in the careers subforum I replied to a while back. https://forums.overclockers.co.uk/threads/professional-it-quals.18884617/#post-33543438

:edit: Certifications "refreshing" won't affect the validity of any you hold, it's really more an exam change. Yours will remain valid until their expiry date regardless, just a new exam is released/the old one retired.

Thanks, that's handy and good to know about the certification validity

------------------------

Thanks for all the responses. It's been tricky narrowing down what specifically I want to do in IT security, but that's partly because it's a wide field and there don't seem to be essential qualifications that can guide you in a particular direction. Unlike web design, for example, where most of us went to uni and did a design related course which narrowed the funnel a lot. So I've been doing some research, speaking to friends, and also talking to this training provider.

For the time being, I decided that what Learning People are charging for their courses is too high based on feedback from this thread, so I've bought a Security+ book and I'm going to see if I get on with it.

Doing further research and looking at the roadmap that @Conanius posted definitely points me in the direction of pen testing. Anyone do that on a regular basis?

 

[jimjam81]

I have been working in cyber security for 8 years.

Started as BAU 3rd line support and then into project engineering and now I am a TA.

I would recommend getting the CISSP official study guide even if you don’t take the exam as the book is very good and gives good overview of the different security domains.

I have worked with a few external pen testers, they would do there tests and produce a report a few days laters with the vulnerabilities listed and what threat level they are.

As a web designer have you ever used Qualys ssl server test on your sites?

quite a few of the engineers I work with are doing AWS or Azure certifications as a lot of services are moving into the cloud.

Also I am noticing a lot of technical roles in support being off shored over the last few years, so if you are eligible or already have SC clearance that would help in getting a job, but that is another topic.

 

[reflux]

I have been working in cyber security for 8 years.

Started as BAU 3rd line support and then into project engineering and now I am a TA.

I would recommend getting the CISSP official study guide even if you don’t take the exam as the book is very good and gives good overview of the different security domains.

I have worked with a few external pen testers, they would do there tests and produce a report a few days laters with the vulnerabilities listed and what threat level they are.

As a web designer have you ever used Qualys ssl server test on your sites?

Thanks, that's all good to know.

Nope, never used Qualys ssl server test on our sites. That's more the domain of our dev team really.

 

[Stu999]

Prices for those course are way too high, I self-studied A+ and passed first time just using course books and practice exams. Think it was around £600 for both exams.

Thinking of doing Security+ myself. I’m really interested in SIEM so if anyone has any tips on that I’d be grateful. I’m currently an Internal Auditor with IT audit experience.

 

[Zefan]

Thinking of doing Security+ myself. I’m really interested in SIEM so if anyone has any tips on that I’d be grateful. I’m currently an Internal Auditor with IT audit experience.

I'd take a look at the syllabus for Cisco's "CyberOps" and CompTIA's CySA+. From what I gather the CySA+ is more recognised within industry (have a Google about) but they are roughly equivalent as far as I can tell. When I did CyberOps it was very heavy on SIEM.

 

[Stu999]

I'd take a look at the syllabus for Cisco's "CyberOps" and CompTIA's CySA+. From what I gather the CySA+ is more recognised within industry (have a Google about) but they are roughly equivalent as far as I can tell. When I did CyberOps it was very heavy on SIEM.

Thanks, it’s good to get advice from someone in the industry. Security+ and CySA+ seems like a good path but I’ll also check out the Cisco qual too.

 

[dowie]

Have you got a degree? I’m not in the security industry but as with most things in IT there can be various entry points and roles within certain fields.

A specialist MSc might be worth a look... possibly security related or possibly some other field but which can apply to security. For example data science - I know someone who did a dissertation for a Govt entity, required getting vetting early on in his course.

Various universities have depts with people actively researching various security related areas... can be much broader than regular IT security certificate stuff - like image recognition projects related to airport scanners etc.. social network data to connect extremists etc..

Another approach - do you already work in a large company? Reach out to the security manager/team and see if you can work on something with them, look at making a lateral move perhaps (also means you perhaps don’t need to drop salary etc...).

 

[Narj]

If you're looking at the pentesting/research side, I would look at OSCP as entry-level instead of spending so much money on other stuff + CEH. If you want to know if the hacking side of things is for you I would really recommend 3 months on VirtualHackingLabs (https://www.virtualhackinglabs.com/) and then on to the OSCP (https://www.offensive-security.com/) which will pretty much guarantee you a job. It's amazing fun turning things upside down and breaking/subverting them instead of fixing them

As a web designer you will have a head-start in web apps, plus a good understanding of databases is a huge help.

The CyberMentor Pentesting course on Udemy is also very good for filling in Active Directory and some other stuff. There's also free learning materials on PortSwigger (https://portswigger.net/web-security)

I've done a lot of pentesting stuff to round out my security knowledge on top of what I do already and may look to make a lateral move down the line myself.

 

[jimjam81]

Prices for those course are way too high, I self-studied A+ and passed first time just using course books and practice exams. Think it was around £600 for both exams.

Thinking of doing Security+ myself. I’m really interested in SIEM so if anyone has any tips on that I’d be grateful. I’m currently an Internal Auditor with IT audit experience.

Check out Logrhythm, splunk and exabeam websites.

Other certs worth doing are AWS and Azure as a lot of companies are moving into the cloud.

i hope to get some of these certs towards end of the year.

 

[Ev0]

Both Splunk and IBM's QRadar have free versions of their SIEM tools you could play about with, guessing other vendors also have this but those are the only two I know of for sure.

Plenty of eductional material out there on both of those, lots of online learning and YouTube stuff available for free.

If you're looking at the pentesting/research side, I would look at OSCP as entry-level

I wouldn't necessarily call OSCP an entry level cert, although granted might be seen as a start on the pen testing side but it's a tricky thing and will need a whole lot of learning to undertake.

With the ultimate goal on pen testing certs, personally speaking, being the CREST certifications.

As we've both said though, if the OP is a web designer now then I'd have thought that would be a great segue into web app testing, get a copy of Kali Linux installed and start messing about with the likes of Burp!

Also take a look at Hack the Box https://www.hackthebox.eu/, thought this was pretty well done.

 

[Narj]

Also take a look at Hack the Box https://www.hackthebox.eu/, thought this was pretty well done.

Heh, well OSCP is an "Entry level cert into an expert field" I suppose. CREST is necessary if you want to do government engagements for example. right?

Yeah TryHackMe, HTB, Juice Shop and XSS Game are fun 'tis fun using python/bash skills to automate the boring stuff like SQL Blind injection attacks too.

It's amazing how many issues I've found at work after going down the rabbit hole. I have a great relationship with the security guys at work now.

OP: Nesuss has a free version as well, stay away from that OpenVAS rubbish. Watch some ippsec videos on YouTube as well to get a feel for the thought processes and how it works if it interests you.

 

[Ev0]

CREST is necessary if you want to do government engagements for example. right?

It's usually a requirement for gov work yes, but a lot of non-gov places will use it as a filter for who they will use when bringing in 3rd party testing companies.

A reasonable time ago I was an in house tester for a UK bank, moved on before hitting the certs down that path though.

Now work for a security vendor in tech sales and love it, best move I ever made.

 

[Guest2]

I have been working in cyber security for 8 years.

Started as BAU 3rd line support and then into project engineering and now I am a TA.

I would recommend getting the CISSP official study guide even if you don’t take the exam as the book is very good and gives good overview of the different security domains.

I have worked with a few external pen testers, they would do there tests and produce a report a few days laters with the vulnerabilities listed and what threat level they are.

As a web designer have you ever used Qualys ssl server test on your sites?

quite a few of the engineers I work with are doing AWS or Azure certifications as a lot of services are moving into the cloud.

Also I am noticing a lot of technical roles in support being off shored over the last few years, so if you are eligible or already have SC clearance that would help in getting a job, but that is another topic.

Similar sort of story for myself, thought not 8 years.

I just sort of fell into Cyber security as part of what I do - look after a number of the external services our company employees use.
Due to the nature of the work, these external services come under a lot of scrutity and we (our IT security team) need to make sure we pass a number checks.
I get sent reports with security risks we need to address then depending on the service, do a bit of digging, test in our preprod environment and implement the fixes on our live environment so the reports come back good.

Hated it a first because it was very technical but now find it quite interesting, probably because I know where to start looking to fix the vulnerabilities. Some our out of our hands e.g. awaiting vendors to release new versions or hotfixes for products, some we can easily fix, some take a lot of investigation and testing

My background.
BTEC in Computing, BSc Business Computing, Citrix CCA cert from a few years ago and the most important thing, 15 years in IT (service desk, 2nd line, 3rd line including project, manily BAU and some technical architecture where I build some test environments)
I've been on a number of courses but non Cyber security related.
There was some work with SANS a few years back but then it was all way over my head and I was seconded from service desk.

The past 5 have been the most important though, working with security teams, networks, developers, firewalls etc. aswell as directly with Apple, Citrix and other vendors. Not to mention restoring services after a 'quite big' incident.

My networking knowledge isnt great but there are other people/teams that build networks, sort the firewall rules, manage unified comms etc.
I was never banking on managing pure network appliances to secure services but due to the nature of my job, it just sort of happened.

+1 for Qualsys SSL labs. I now quite enjoy working on something where for example our service got a C grade rating, but now gets an A+

 

[Megahurtz400]

Sorry to hijack the thread but i've been thinking the same of late.

I've got a great job now which pays great but it's not something i'm passionate about.

I have a friend who works in Cyber Security and talking to him about pen testing and listening to a few podcasts it seems like something i'd be really interested in doing and something which would bring new challenges everyday, especially the red time side of things with the social engineering aspect.

I currently have no IT qualifications (or A Levels), so am wondering where the best place to start would be. My current role isn't in IT but I have a very basic understanding of Networking and have been building hardware since I was 10 so can handle the concepts without too much difficulty.

@Zefan you seem to be in this industry or very clued up about it, any advice would be greatly appreciated!