My Starting Point
One year ago I finally decided to make a dream come true for myself and to get into the field of cyber security. At this point, I was 36, happily married, father of two kids and had a good job working as a product owner for a large German based e-commerce company.
I already had some practical experience with hacking tools, like nmap, John the Ripper and the like and also had a solid foundation on IT concepts like networks, system architecture, programming languages, APIs and so on from former jobs.
But since I’ve written my first lines of code in QBasic and Turbo Pascal for the first time, I always wanted to become something like a “Hacker”. So because, I already knew that I was unhappy with my job at this point and that it was time for a change, I decided to give my old a dream a chance to become true.
At this time I’ve had a somekind romantic imagination of what it would be to work in IT security. I had hoped for hacking all kind of things and becoming something like a cyber ninja warrior or black magic cyber wizard that could hack into any system and do all kind of crazy things.
And it took me a while to get rid of this idea…
Where to start?
I played around with Hack The Box and OverTheWire Wargames to ensure, that I was realy intrested in learning more about information security and whether I was even able to learn stuff like this. Both are great options, to play around for a while without investing any money. All I needed was time and mental will. (I’ didn’t know Web Security Academy at this moment.) After two weeks I decided to continue this path and to take my initial idea more seriously.
From Noob to OSCP
I’ve read tons of blog posts about the Offensive Security OSCP certification and decided to take this cert for three reasons:
- OSCP has a very good reputation and is valued among experts.
- I was sure to learn a lot from it.
- Paying for this training from my own savings ensured that I got fully involved over a longer period of time.
Since I had a family, a job and a real life I decided for the biggest package with 90 days of virtual lab time. — And during the next months, I’ve learned sooo many things about the in-security of computer systems, about other people and also about myself and how my brain works.
But I’ve learned even more from it:
- Getting the mindset of a hacker.
“Trying harder” is only one small part of it. — Changing your perspectives over and over, escaping from rabbit holes, googling everything you don’t know and how to document your progress is the bigger part.
I’ve seen this video so many times during these days and it still makes me smile today.
- The InfoSec community is absolutly awesome!
I’ve met so many kind and helpful people on the InfoSec Prep discord server and nearly everyone was ready to help me in one or another way. Someone even teached me via video call and screensharing how to do buffer overflows. And even now not a day goes by, that I don’t learn something new, because a member of the community is ready to share knowledge with me, for free.
- Virtual Hacking Labs is a great addition to the OSCP learning materials and to the lab offered be Offensive Security. I’m sure that I only was able to pass the OSCP exam on my first approach, because I’ve spent an additional month to train my skills and methodology on VHL.
- Having the OSCP certification dosn’t mean everything in the world, but it helps a lot in finding a job (at least in Germany). — But the OSCP is by far not the the end of your learning path, it’s just one of the first steps.
Becoming a Certified Ethical Hacker
I actually wanted to do the Certified Ethical Hacker course before the OSCP, but at this point the certification course was to expensive for me. The price was around 4.000 Euro for five days of on site training and an exam attempt. Then after the OSCP I catched an offer to do the training online over a period of 12 months, for only the half of the original price.
I wanted to get this certification for two main reasons:
- At least in Germany, this cert helps to get recognized by HR people.
- I didn’t had any practical experience working in IT security and so I thought I needed something like an extra booster to pimp my CV and to make clear that I’m highly motivated to get into this field.
Lessons learned from doing the CEH:
- It’s good to show possible employers that you have a very good understanding of IT security basics, networking and general tools like nmap. But for me it was very boring after doing the OSCP, because of it’s heavy theoretical approach.
- I only glimpsed through aproximatly 3 percentage of the courseware and have heavily worked through this book instead. It contains everything I needed to know and in combination with this app I was able to prepare for passing the exam.
- You can save a lot of money by doing the exam without attending an official CEH training, if you already have at least 2 years of information security related job experience. Official prices can be found here.
Where to go from here? — Focus Daniel-san, focus!
A friend of mine is working at Google and in his early days in this small search-enginge company one of his colleagues told him, that if you want to be succesful, you just need to focus on one thing and be dedicated to it.
That’s an easy saying but hard to do, especially if you work in IT and even more especially in the field of IT security. For me as a creative minded person, who always strives to learn something new, working in IT security is like being that little child in toy paradise. There are so many options and cool things to play with. So many things to learn and so many ways to become better. — But my time is limited and I’m not payed for playing around with all this cool stuff, so I need to focus for at least certain areas.
I’ve created this, not comprehensive (!), overview of possible areas I could pick a topic from to become something like a master, or at least an experienced practitioner, if I would focus on it long enough.
I personally decided to focus on Web Application Security and AWS Cloud Security until the end of 2021. That’s why I’ve chosen to achieve the eLearnSecurity Web application Penetration Tester and Offensive Security Web Expert certification in 2021.
One lesson along the road is to don’t get crazy about certifications. There are many companies, which business model is based on the trust in IT certifications and the belief in a growing need for cyber security experts. And I see a lot of promotional campaigns that offers big discounts for security trainings. — Don’t freak out and avoid to become a cert hunter! Spend your hard earned money, your time and health only into those trainings you realy need to become an expert in the field you have chosen.
Benefit from the Boom
I’ve already mentioned the growing demand for IT security experts above. And with a more and more connected world, the Internet of Everything, hacked elections , industrial spionage and events like the SolarWind hack happening, there is a big growth in this industry for years.
That’s why I personally, beside other ETFs, invest monthly into L&G Cyber Security UCITS ETF.
It has a growth rate of 118% during the last 5 years, almost 33% during the last 12 months and is a good chance to participate in the cyber security boom.
Difference between Hackers and Managers
There is a big difference between the management perspective on IT security and the Hackers perspective on it. If you want to get paid for doing things you love and if you want to be successful, you need to learn to switch between both perspectives.
The ability to communicate the things you know to different audiences and to explain more sophisticated topics in simple words and especially to point out why they are important for the management and their organization is crucial for you to succeed in your job to secure the systems.
Yes there is not much glory in prevention. But there is absolute none glory for not being able to get the resources which you need, to secure the company that pays your salary.
Some general Learnings
- Don’t get obsessed by tools, learn fundamentals instead.
- Threat Modeling is a great exercise for all kind of IT teams.
- Teaching the stuff, you’ve learned is a great way to become better.
- You don’t need to know everything. That’s totally okay and the ability to admit a lack of knowledge, is a strength. That is far better than pretending to know everything and to lose the trust of others at the end.
- There are so many good books out there you can learn from. These are my favourites: The Ultimate CyberSecurity Reading List for 2021
I hope this article was helpful and you could learn something from my experiences.