What I’ve learned during my Rookie Year in Cyber Security

My Starting Point

One year ago I finally decided to make a dream come true for myself and to get into the field of cyber security. At this point, I was 36, happily married, father of two kids and had a good job working as a product owner for a large German-based e-commerce company.

Where to start?

I played around with Hack The Box and OverTheWire Wargames to make sure that I was really interested in learning more about information security and whether I was even able to learn stuff like this. Both are great options to play around with for a while without investing any money. All I needed was time and mental will. (I didn’t know about the Web Security Academy at that time.) After two weeks I decided to continue on this path and to take my initial idea more seriously.

From Noob to OSCP

I’ve read tons of blog posts about the Offensive Security OSCP certification and decided to take this cert for three reasons:

  1. I was sure to learn a lot from it.
  2. Paying for this training from my own savings ensured that I got fully involved over a longer period of time.

  1. The InfoSec community is absolutely awesome!
    I’ve met so many kind and helpful people on the InfoSec Prep Discord server and nearly everyone was ready to help me in one way or another. Someone even taught me via video call and screen sharing how to do buffer overflows. And even now not a day goes by that I don’t learn something new, because a member of the community is ready to share knowledge with me, for free.
  2. Virtual Hacking Labs is a great addition to the OSCP learning materials and to the lab offered by Offensive Security. I’m sure that I was only able to pass the OSCP exam on my first attempt because I’d spent an additional month training my skills and methodology on VHL.
  3. Having the OSCP certification doesn’t mean everything in the world, but it helps a lot in finding a job (at least in Germany). — But the OSCP is by far not the end of your learning path, it’s just one of the first steps.

Becoming a Certified Ethical Hacker

I actually wanted to do the Certified Ethical Hacker course before the OSCP, but at that point the certification course was too expensive for me. The price was around 4,000 euros for five days of on-site training and an exam attempt. Then, after the OSCP, I came across an offer to do the training online over a period of 12 months for only half the original price.

  1. I didn’t have any practical experience working in IT security, and so I thought I needed something like an extra booster to pimp my CV and to make clear that I’m highly motivated to get into this field.
  2. I only glimpsed through approximately 3 percent of the courseware and instead worked heavily through this book. It contains everything I needed to know, and in combination with this app I was able to prepare for passing the exam.
  3. You can save a lot of money by doing the exam without attending an official CEH training if you already have at least 2 years of information-security-related job experience. Official prices can be found here.

Where to go from here? — Focus Daniel-san, focus!

A friend of mine is working at Google, and in his early days at this small search-engine company one of his colleagues told him that if you want to be successful, you just need to focus on one thing and be dedicated to it.

Benefit from the Boom

I’ve already mentioned the growing demand for IT security experts above. And with a more and more connected world, the Internet of Everything, hacked elections, industrial espionage and events like the SolarWinds hack happening, this industry has been growing strongly for years.

Difference between Hackers and Managers

There is a big difference between the management perspective on IT security and the hacker’s perspective on it. If you want to get paid for doing things you love and if you want to be successful, you need to learn to switch between both perspectives.

Some general Learnings

  1. Don’t get obsessed with tools, learn fundamentals instead.
  2. Threat modeling is a great exercise for all kinds of IT teams.
  3. Teaching the stuff you’ve learned is a great way to become better.
  4. You don’t need to know everything. That’s totally okay, and the ability to admit a lack of knowledge is a strength. That is far better than pretending to know everything and losing the trust of others in the end.
  5. There are so many good books out there you can learn from. These are my favourites: The Ultimate CyberSecurity Reading List for 2021

Well known secret superhero - Cybersecurity enthusiast #OSCP #CEH 🧙‍♂️