(Part 2) Best products from r/ITCareerQuestions

I'd say stop focusing on certifications and start focusing on learning how to do things.

How extensive is your Home Lab?

Have you built out any VM's yet?
Have you built a Windows domain yet?

Have you built a Squid proxy on Linux yet? (Not that Squid is super-useful anymore, but its a decent project with clear results.)

Have you built a pfSense firewall yet?

Have you bought a Raspberry Pi yet (the cheapest Linux Server on the planet)?

When you apply for that next-level job you have in mind, in the interview I am not going to ask you questions that might appear on a certification exam. I am going to ask you questions related to real-world scenarios of problems I think you are likely to encounter in the job under discussion. And I need to see how well you are ready to deal with them.

-----

"I can't afford any of those things..."

If you are trying to learn everything on just one computer or laptop, that's certainly a problem.
But if you have a second PC, just a $300-500 clunker, it changes everything.

CentOS Linux is free.
KVM Virtual Machine manager is free.

Linux Foundation - Intro to Linux for Free
Linux Foundation - Online Course Catalog - some free some paid
DigitalOcean Linux Tutorials
Docker Self-Paced Training


Windows Server 2012R2 Evaluation is free.
Windows 10 Professional Evaluation is free.

Microsoft Virtual Academy
Microsoft MSDN Product Evaluation Center -- Free Downloads
Microsoft TechNet Product Evaluation Center -- More Free Downloads


If you only have a single computer, and cannot afford a second computer, you still have options:

Amazon Web Services has a free offering for you to build virtual machines to play with:

https://aws.amazon.com/free/

If you want something a little more permanent, Amazon Light Sail now lets you build low-end virtual servers for as low as $5/month:

https://amazonlightsail.com/pricing/

Microsoft also has some free offerings for virtual servers:

Microsoft Azure Cloud Services Free Trial Center
Microsoft Training Info Center
Microsoft Ignite Training Convention Video Center
Microsoft MSDN Video Training Portal

-----

In my opinion:

If you think you are likely to apply for some Government or Contractor positions that require security clearances, go ahead and complete the Security+.

But I think you might want to focus a little more time on combining technologies into scenarios where you learn how to perform business operations tasks, rather than add another narrow-focused skillset.

I also encourage you to make yourself gain comfort with Linux.
YES: you will need to learn a whole new world of syntax and terminology, and learn to do more with syntax and less with icons.
But the benefits are real, and significant.

Buy one of these:

Amazon: Raspberry Pi 3 Complete Kit $75

That's a complete Linux Server. Just add a USB keyboard, mouse & HDMI monitor.


Watch two or three of these videos, and observe that all of the biggest players working on the sexiest of technology projects are all doing it on Linux:

USENIX Site Reliability Enginering Convention 2014 Presentations - Free
USENIX Site Reliability Enginering Convention 2015 Presentations - Free
USENIX Large Installation System Administration Conference 2014 Presentations - Free
USENIX Large Installation System Administration Conference 2015 Presentations - Free


-----

> [MCSA]... But again, how far can I really go trying to learn this with home equipment? I'm sure I could install a Server OS, but I don't know if I can play with the inner workings on a home network enough to familiarize myself with the content.

If you have a small home server, you can install Windows Server 2012 R2 evaluation on it, and add the Hyper-V service, and run at least 2 virtual machines on it.

The Server could become a domain controller. Then you add a guest server and a guest client using Windows 10 evaluation and another Windows server eval license.

Now you join them to a domain together and start writing GPO policies and playing in the Forest...

That can also be done in Azure cloud with virtual machines. The challenge is the short duration of the free period in Azure cloud.

You don't need math, but it's nice to know.

You don't need a degree, but they're nice to have especially when moving into management and job searching.

​

My background:

I transitioned from a role as accountant and CPA to managing the IT resources full-time for the business I worked at. Eventually it became too much to try and balance both, so I made the leap into an MSP. I used to build computers for people in my spare time and set up church networks, so I was a little more seasoned when applying. I've been in one about 3 years. Granted, each MSP is different, but my life has been hectic. Talk about drinking from a fire hose. If anything positive has come from this is lifelong friends and fast knowledge gains. You'll work on lots of different items, different problems, and it will train you to be efficient in time management and a good "Googler." Or you won't and you'll know more about yourself even more so.

​

You won't get 65K a year from a help desk job with no experience. I started at 32K, which was a huge drop from the 60K I was making, but I needed a change. I made up the salary loss within year and half of proving myself.

​

My plan for you, if you're able:

​

1. Lab. Set up an old computer. Test. Old switch. Networking principles. Start with A+ to get your feet wet and knowledge on basic troubleshooting down.
   
   
2. Some same Net+, Sec+. I always recommend CCENT. It's doable with some dedication, and industry leader, and Cisco is always good to have. Labs are easy and cheap to build to learn on. https://www.amazon.com/Complete-Cisco-Certified-Network-Professional/dp/B0089E0JBE
   
   
3. Put yourself out there. Apply for the entry level positions and make the leap, but if financially you can't, labbing and volunteering are two ways to get knowledge. Churches, shelters, animal shelters, etc. can always use a helping hand. I work with a LOT of nonprofit organizations and if they can save a dime, they will.
   
   
4. Keep learning. Always.
   
   
5. Way later down the line (or sooner)- MIS degree . Many can disagree, but I've had plenty of my help desk people put the bill on the company. They got a quality education, paid for, and a raise. If anything, it will teach you focus and better set you up for a leadership role in the future elsewhere. It's the same as certs- gets you noticed. Not an indicator of your talent, but certainly an indicator of your ability to follow through (that's how I saw it when I was doing hiring for salaried positions).
   
   ​
   
   Anyone can disagree, or agree, but my small circle of IT professionals here (about 60 of us in same clubs, professional organizations, etc.), most of us have had similar paths and successes by doing most of these.

I’ve been working on this for a while, so I might as well drop it here. It should provide an authoritative answer for “How do I get started in CyberSecurity”

Before I get started, there are a few things I need to explain about cybersecurity - There are a ton of different areas of “CyberSecurity”.

This post is specifically catered around the core concepts of cybersecurity.

The most basic thing you need to understand about cybersecurity: It revolves around stuff communicating with other stuff. Anything from side-channel attacks to large-scale DDoS’ - stuff is insecure because stuff communicates with other stuff. Communication can be hard understand and even harder to define (let alone secure). I know this is a very vague statement, but it’s one of the core, fundamental concepts of cybersecurity.

The second most basic thing about cybersecurity you need to understand - “hacking” (I hate that word) as it’s known is not some bond-villain type activity. It’s intentionally mis-using something that already exists in a way that introduces a security flaw into the environment. Sometimes the right circumstances line up and this flaw can be leveraged into something, but sometimes it can’t.

I split up my resources into offensive-based and defensive-based because it’s important for you to understand that while each of these groups are individually important, each knowledge area is not as effective without the an understanding of the other one.

One other thing to note - Certifications are great, but you need to de-couple the idea that certifications=knowledge/skills in this field. There are certainly certifications that break out of that mold, but for the most part, this holds true. I’ve ordered them in the order in which I used/learned with these resources, so you can follow-along directly in order (if you want to). I learned offense first, so that’s the way I’m laying it out here.


Offensive-Based:


I started my career in InfoSec by studying for the most basic, foundational certification: The Security+. This is the best beginner-level cert that says “I know something about security.”

I learned by going through Professor Messer’s entire course, and I felt pretty ready after I went through it all. Here’s the link to his Sec+ course

Now, lets get into some practical stuff. OverTheWire. These are war-games, or CTF’s - challenges designed to test your practical ability in security, but also designed to help you learn new things. CTF’s are the absolute best way I’ve found to learn security. Here’s the link to OverTheWire in case Google is down. If you get stuck, here are some helpful write-up’s.

Do them in this order:

• Bandit
  
• Leviathan
  
• Natas
  
• Narnia.
  
  At this point, you should be set to start with the books and Hacking Labs.
  
  
• Penetration Testing (Book, Follow-along labs)
  
  
  
• Hacking, the Art of Exploitation (2nd Edition, Book, follow-along labs)
  
  
  At this point, I’d recommend going for another certification - CEH. Once you have the CEH, you’re ready to move into more practical-based certifications. Here's what I used to learn and practice the CEH:
  
  Now, lets get into some more practical exploitation. PentesterLabs focuses a bit more on WebApp stuff, but I’ve found its the best intro-environment (as it is relatively scripted scenarios, and you don’t have to do as much recon). They're fairly explanatory, and will walk you through the solution if you get stuck.
  
  
• PentesterLabs
  
  
  Next, lets get into HackTheBox (Exploitable virtual machines, ranging in difficulty. You’re going in mostly blind here, so you have to do your own recon and enumeration): HackTheBox
  
  Here are some helpful write-ups (Written Explanations):
  
  
• GitHub
  
  
• 0xRick Webiste
  
  Also, there’s some super awesome video explanations by IppSec
  
  
  After you get through most of these, you should be set to start on your OSCP. The OSCP contains a course (Penetration Testing with Kali), a lab environment (~50-60 vulnerable boxes), and a practical lab test at the end. OSCP
  
  After you’ve completed the OSCP, then you have enough knowledge to continue directly down the cert path, and the courses (in combination with the certs) put out by Offensive Security contain enough good content to where you don’t have to study other resources. The certification path from here on out splits into two different areas: Technical, and management.
  
  
• Technical:
  
  • OSCE (OSCP 2, basically)
    
  • OSWE (OSCP but for web exploitation)
    
  • OSEE (OSCP 3, really fucking hard).
    
    If you’re at this point, getting past the OSEE, you can pretty much walk into any offensive-based job, slap you’re cert on the table, and they’ll hire you. You don’t need my help anymore here.
    
    Now, here's the management path:
    
    
• Management:
  
  • CISSP
    
  • PMP
    
  • MBA
    
    Having the technical background of the OSCP, plus a CISSP, PMP, and MBA would create an extremely potent executive - one who can understand the technical details and risk, and who then could translate that into verbiage that other executives could understand.
    
    
    So, you’re overall standard security offensive certification path should look something like:
    
    
• Security+
  
• CEH
  
• OSCP
  
• OSCE
  
• OSWE
  
• OSEE
  
  OR
  
  
• Security+
  
• CEH
  
• OSCP
  
• CISSP
  
• PMP
  
• MBA
  
  Now, for the Defensive-based side.

Congrats! If you feel like you're up for a challenge then I'd say go for it as long as you feel like you've got a good support structure in and out of the company. To answer your question, my transition was somewhat mentored by my old boss followed by an abrupt changeout of new-boss-for-newer boss. If I could do anything differently from that time period, it would've been to force the issue of getting performance metrics on my own terms rather than waiting for someone to tell me what my team's metrics would be.

In case any of these might help I'll offer a couple quick considerations/suggestions:

1. Find out who you're accountable to (which keep in mind, that probably won't be just your boss) and what they define as success. When that definition is vague or unrealistic, help them come to a definition that's specific and attainable. But either way, reach out to them. Meet with them on a regular basis. If they say they don't want to do a standing meeting then set a weekly or monthly or quarterly reminder (depending on how things are going) to reach out to them.
   
2. Depending on the structure and the size of the team, it's important to identify if you're managing individual contributors or if you're managing managers. The two are very different animals; I'd normally expect a director position to be mostly the latter but companies vary.
   
3. I can't recommend reading The First 90 Days enough. It was written for people like us.
   
4. Chances are, you have in your head a handful of experiences that have struck you as good technology leadership and a handful that are not-so-good. Succinctly capture your takeaways from those; those help to define your core principles and it's important not to lose sight of them.
   
5. Don't be bashful about asking what your predecessor did well and what (s)he could have done better. Ask that of your superiors, your peers, and the people on your team.
   
6. Very early on, find out not only what procedures are documented (and how up-to-date they are) but especially find out what kind of emergency response procedures exist. If they don't, get a basic one together asap and do a test activation of it. An emergency will definitely happen during your first year; you have no control over that. What you can control is the degree to which you and your team are prepared to respond to it. Few statements are more reassuring coming from someone in your position than "Okay guys, bad thing X happened and it's going to be a rough day at the office. But we have a plan for responding to it and it's time for us to execute that plan. Let's go to work."
   
7. Most importantly: chances are you're a dependable engineer and the people you've worked for have come to trust you as their go-to guy or gal. You need one of those. Several if possible, for different facets of the team's operations.
   
   Best of luck!

Never lie. That said I have been "unqualified/underqualified" for every position I have held if you look at measures like years of experience. This isn't a deal breaker. Put yourself in the hiring managers shoes. If you want to have a team that is working on bleeding edge technology and projects you have to make some compromises on experience. Particularly if you don't have a enormous budget to throw around. The critical things I look for are below.

Smart - I deal with complex problems everyday. A requirement for working with my team is that you can keep up.
Passion - Am I hiring someone who is passionate about the work and role. Do you work with this stuff in the spare time or just for a paycheck.
Ambition - If their is a gap in skills is the applicant going to work hard to fill the gap as quickly as possible. Would you read books and do research to learn the concepts.
Attitude - Are they a good fit for the team. Can I explain what needs to be done and count on you to solve problems and proactively tell if you are struggling.

Look for smaller companies where you will have the opportunity to wear as many hats as possible. The pay will be lower but your playing a long game with your career :) get the experience and find out which hat you like best.

Here is are two great books on the topic.

https://www.amazon.com/Smart-Gets-Things-Done-Technical/dp/1590598385

https://www.amazon.com/gp/aw/d/1119087252/ref=mp_s_a_1_6?ie=UTF8&qid=1484396909&sr=8-6&pi=SL75_QL70&keywords=stretch+book

Good luck!

Oh and when you land that next position. This book will help get you off on the right foot.

https://www.amazon.com/gp/aw/d/1422188612/ref=mp_s_a_1_1?ie=UTF8&qid=1484397012&sr=8-1&pi=SL75_QL70&keywords=first+ninety+days

Absolutely love being a pentester and the cyber security industry. If you are willing to put in the time and study it can be very rewarding. CEH is a good step in the right direction and should open doors for you.
For entry level positions, pentesting is usually split into two areas, web application and internal/external infrastructure. It's good to have knowledge of both but it's worth choosing which area interests you the most. Personally, I specialise in web applications & API and there is a lot of online resources to help you. (As you have mentioned owasp top 10, I'll assume web apps is your interest)


The best way to learn a vulnerability and get a good understanding is to create vulnerable web pages (this also gives you something to take into an interview). I would suggest doing some basic LAMP stack (Linux, Apache, Mysql, PHP) - Don't let this put you off as it's actually pretty simple. If you can make a few vulnerable pages to display vulnerabilities, you will fly through entry level interviews.


it's really simple to do.. Here is a form that is vulnerable to cross-site scripting. (a few lines of php with some html)
---

<form method="POST" action="">

<p> <input type="text" name="xss"/></p>

<input type="submit">

<?php
$value = $_POST['xss'];
echo $value;
?>

Reading Material:

https://www.amazon.co.uk/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470

https://www.amazon.co.uk/Network-Security-Assessment-Know-Your/dp/149191095X


Practical learning
DVWA (Damn Vulnerable Web App) - Purposely vulnerable web pages to practice exploiting.
http://www.dvwa.co.uk/


Once you have a bit of experience have a look at hackthebox

https://www.hackthebox.eu/

Fiction Books

Cryptonomicon - Very few books make up a cypher system based on playing cards, have a story that spans WW2 through the present day and in large part revolve around creating an alternate digital currency, a data haven and startup life.

Neuromancer - this is the book that created cyberpunk and that inspired all those bad movie ideas about hacking in 3D systems. That being said, it marked a real turning point in SciFi. Without this book "cyber" security specialists would probably be called something else.

Snow Crash - This is much more breezy than the other two but still has very recognizable hacking/security elements to it and is just fun.

Non Fiction

Surely You're Joking Mr. Feynman - This isn't a book about technology so much as deduction and figuring things out (while being hilariously entertaining).

I included all these here in large part because they are what inspired me to get into development and sysadmin work and I bet that I'm about 20 years older than you if you're just getting into the field - so there's a decent chance that your coworkers are into them too.

Powershell in 30 days of Lunches is what I buy for all my team members expressing an interest. It is hands down one of the best books to start with that I have found and my team recommends.

Also check out /r/PowerShell

Pick up Powershell in a month of lunches and grab a free month trial of pluralsight. Two great resources for learning the basics.

For your lab, check on your local craigslist; someone is always getting rid of some gear there. If not there try EBay, can’t swing a dead cat without hitting a CCNA lab kit like these: Cisco Lab Kit

Once you have lab equipment, get some windows servers spun up as that will make learning powershell both applicable and rewarding to you.

Pluralsight has some good videos for the MCSA Server 2012. If you sign up for Visual Studio Dev Essensials, you can get a free 3 months with Pluralsight.

https://www.visualstudio.com/free-developer-offers/

I should add, if you're going for the MCSA cert, I've heard it's Powershell heavy. You can get started with Powershell with Learn Windows PowerShell in a Month of Lunches

I think the Powershell in a Month of Lunches series is considered pretty good.

Learn Linux

http://linuxcommand.org/tlcl.php

Learn Power shell / BASH

https://www.amazon.co.uk/Learn-Windows-PowerShell-Month-Lunches/dp/1617294160/ref=sr_1_1?ie=UTF8&qid=1527669274&sr=8-1&keywords=powershell+in+a+month+of+lunches

Learn Programming in Python

https://www.amazon.co.uk/Python-easy-steps-Mike-McGrath/dp/1840785969/ref=sr_1_1?ie=UTF8&qid=1527669308&sr=8-1&keywords=python+in+easy+steps


I have personally used the Python and the Linux book I highly recommend them.

• Sec + or CISSP
  
• Understand the 5 step troubleshooting steps.
  https://www.educational-business-articles.com/5-step-problem-solving/
  
  
• Learn Powershell in a month of Lunches by Don Jones
  
  
• Get a raspberry pi with Ubuntu/Debian and learn the linux commands. Install a SQL server or apache server.

A lot has come from on the job experience, but it also comes from setting goals for myself.

In December I knew nothing about Windows PowerShell, so I started researching. I bought Learn Windows PowerShell 3 in a Month of Lunches. I used that to start making some automated AD reports.

My other goals for this year are Security+ by June 31st. Then read Learn Windows PowerShell Toolmaking in a Month of Lunches in July. And finally get Linux+ by December 31st.

This is my most aggressive year, mainly because I am starting to feel stagnant in my current job.