Over time, I have received multiple messages on social media platforms such as Twitter and LinkedIn, and here on my website, asking me for advice or tips on getting started in the cybersecurity field. Much of the confusion about getting started in this field seems to stem from the overwhelming amount of information out there, which prevents some from forming a clear game plan on how to go about it. For example, there is confusion about the importance of degrees and certifications, whether they are actually needed or not, and if so, which ones to go for.
While there are multiple amazing resources and articles for anyone looking for advice on this topic, I remember that I used to search for stories from professionals in this field so I could take notes from their experiences in getting started. Unfortunately, I couldn’t find much. So I have decided to tell the story of my journey into information security. I believe that reading about how other professionals in this field got their start, what they did and did not do, can help one learn and write their own story.
As such, today, on September 17th of 2020, exactly two years after I joined my first and current job, I am excited to publish this article, which comes from my own experience of getting into the cybersecurity field as an Information Security Analyst at the age of 26 after spending years pursuing a different subject altogether. Hopefully, this article can help clear up some confusion out there and be useful to some new members of our highly exciting community.
These are stories from my life and my experience, and should be treated just as such. While everyone has a different story, something I did or learned during my journey might be helpful to you. Please note that I am not writing this as a Bible for all freshers in cybersecurity, although I will mention God a couple of times.
Something from the very very early days
[NOTE] You might want to skip this section if you are in a rush. Just some stories from my childhood that got me started in what became my career.
I got my first computer sometime between 2001 and 2002. It was an IBM Pentium II machine, something that was instrumental in my early growth with respect to all things IT.
With the slow dial-up internet connection available to us back then, this is where I started building my knowledge base. Almost every other week, I would try different stuff, mess up the machine, and format and reinstall Windows 98 all over again. Yeah, I had a bit of an OCD situation going on back then. Even a single error in the system would add a “need to format and do a fresh install” instruction in the back of my mind. A couple of times, my parents had to spend extra out of their already tight budget for the hardware work that was needed because I decided to open up the CPU box. But I digress.
The term hacking always had that “do something exciting, what others cannot” vibe to it that gets a kid learning new things about computers every day very much hooked onto it. So naturally, that was the topic of my research, a.k.a. Google searches. It was on this machine that I gathered up information or “hacking tutorials” and tools to do various hacking-related activities. While there was not much hacking I was doing in those early years, I had this hunger to take in all the knowledge I could get and use it. The earliest bit of dirty work (and perhaps the only one) I did was this social engineering scheme that was popular at the time. It was the “send your email id, password and the victim’s email id to us and we will get you their password” email scam. Yes, I was never one of the cool kids who hacked into NASA at the age of 14. It was a successful little plot that worked well among my friends at school and some people who tried it from some forum post of mine, as I remember. But I had to stop it when it turned out to be a bit too successful among my friends, to the point that I was invited to a friend’s house, fed well, and then one of his parents wanted me to get the password to their spouse’s email account. Within a few years, I had to choose another subject for my future education and thus drifted away from most things hacking. But just when it seemed like I was gonna end up doing a job I didn’t really like, I was given a second chance. Thank God.
Back to the more recent days
College Education and Certification
Throughout my Bachelor’s degree in Computer Security, I was introduced to various topics in the cybersecurity domain with some practical experience in developing tools, securing servers, web application security testing, etc. While I thoroughly enjoyed this phase of my education, taking in as much information as I could, it was nowhere near the things I learned on the actual job, which shouldn’t be a surprise. But the point here is that the reason I was able to quickly get on with the real-world penetration testing aspect of it is the strong foundation that was built into me during my time at college. After graduation, I also did the Certified Ethical Hacker v10 certification from EC-Council, as it was advertised to be an intermediate-level course. While the CEH certification itself is behind many alternative certifications in value these days, the course gave me a more hands-on approach with the tools that I use for my work these days. Being certified certainly got me a couple of calls from hiring teams, as most of the security certifications out there do a good job of acting as a special power that gets you to interviews.
Of course there is educational value to these certifications as well; however, not much more than what you can learn by yourself if you do the research and make the effort. The same can be said of college education, of course, which is why there are many successful people in our field who do not have a degree. It’s all about your ambition, drive and hard work. For me, college kept me committed to the cause and gave me the push to build up the drive required to be successful in this field.
Job Interviews
As mentioned above, I started getting serious job interviews soon. Now would be a good time to mention that I also got an interview call from “IBM”, asking for some kind of initial deposit to be made. Obvious scam. Back to the actual job interviews, my very first one was for the role of an Application Security Engineer. While the job responsibilities for this role were different from the kind of job I wanted, I still wanted to go through the interview experience and boy, was it the right choice!
I quickly realized my preparation for an interview up to that point had been wrong, as I was not nearly ready. Once done with the call, I prepared myself and did much better in the next two interviews, which were for the web application vulnerability assessment and penetration testing role that I actually was looking for. Speaking of preparation, while I was familiar with most of the topics that I am gonna list out shortly, I found myself getting a bit confused during the time-sensitive phone interview I had. So I decided to focus on these topics to do a more thorough job, keeping the interview in mind. I started revising and learning more theoretically about the tools used, for example: Nmap and its different switches, scenarios where they are used, etc. Furthermore, in addition to tools, I also revised the various kinds of vulnerabilities in detail, the TCP/IP protocol suite, the different encryption methods, their advantages, disadvantages and algorithms, cryptography, networks, attack possibilities at each of the OSI layers, etc.
Getting back to the next two interviews, one got me the job I am currently at, while the other required me to travel a good distance for the final round of interviews, which wasn’t feasible at the time due to a state-wide natural disaster situation that was going on. As the team at my current job was understanding of the situation, all interviews were carried out remotely and I was asked to perform a security audit on a particular web application. While the audit I did as part of the interview process was nowhere near as good or professional as it would be two years later, by God’s grace, the team decided to give me a shot considering my educational journey, which showed the interest I had in learning and growing in this field. As things would have it, I ended up working at a startup as the second person to join the team in a permanent role, which I believe was the best thing that could have happened in my young career. Thus began my InfoSec story.
At the Job
Once I started at my job, the things I learned in college and via other courses started revealing themselves to be more and more useful, and I started building upon this foundation. With each day and with each project, I was able to quickly learn and handle things beyond my expectations. By God’s grace, things went really well and I was able to capitalize on the massive learning opportunities available when working in a quickly growing startup with a small team. Naturally, I was given more responsibilities and exposure to different kinds of security audits, resulting in a level of work experience I perhaps might not have gained at a larger company with a larger security team.
It started with web/network/mobile VAPT, which then extended to malware cleanups (a skill I never thought I would acquire), developing signatures for an in-house malware scanner to detect malicious content, creating rules for our web application firewall product to defend against various attacks such as XSS, SQLi, and more. Shortly after, I was doing infrastructure audits for large companies, testing their network devices, connections, internal web applications, etc. I also started testing different kinds of software and hardware components, hunting for vulnerabilities in them, and as a result have published nine CVEs at the time of writing.
Whenever a new security-related challenge came my way that seemed outside my strengths, I tried to do it without worrying about my lack of exposure to it, and I can gladly say that every such decision contributed heavily to my growth, as I was, by the grace of God, able to learn and perform them. I was also working as late as 4 AM on a number of nights during that initial phase, because that was my chance to go above and beyond to expand my skill set, get more experience and help out my team. Because I got to work at a startup with a highly supportive team behind me, the growth I experienced as a cybersecurity professional was beyond anything I had imagined.
The Future
As they say, you never stop learning in this field. Even to this day, I make it a point to watch and re-watch videos or re-read articles on topics I am already familiar with, because you can always pick up something new that you may have missed earlier on. Additionally, I am always trying to expand my skill set by finding areas I am weak in, learning about them during my free time and practicing as much as I can. My end goal is to expand into as many cybersecurity domains as I can and learn as much as possible, so I never have to answer “I don’t know how to do that” or “sorry, I can’t help you with that” due to a lack of knowledge or experience.
Maintaining this website, trying the various exercises in PentesterLab, completing rooms in TryHackMe, putting together the VAPT Toolkit as a Docker image and then a Homebrew package, and writing scripts to automate testing and other time-consuming activities are a few of the other steps that have contributed to my growth so far. I look forward to expanding on these activities as well.
My Regrets
I feel like I am being a bit ungrateful here, but hear me out. Many people get into information security after starting out at a help desk or as a system administrator, all of which contributes towards building a foundation for the security education they receive later on.
While I was lucky enough to get into a cybersecurity role directly as a fresher, I kind of regret that I did not have that sysadmin experience. At the same time, the role I am currently in and the activities I have done in my free time have given me good exposure to the sysadmin role. But I may never know if it is the complete experience. So it remains a minor regret for me. What I am doing to deal with it is to train myself and gain the experience during my free time until it is no longer a regret.
Lessons To Be Learned From My Experience:
- While college degrees/certifications are not an absolute necessity, as there are many people who have come far in this field without them, they will certainly benefit you by requiring you to stay committed, learn and practice. Plus, in today’s increasingly competitive world, they will set you apart, at least to the hiring teams. Not having them shouldn’t put you down either, as you can take advantage of the various opportunities available today (which were not easily available to others in earlier times) to show your strengths via the multiple bug bounty platforms, CTFs, easy-to-set-up personal portfolios showing your work, etc.
- Certifications, as of today, are considered a good asset for freshers that will increase their chances of getting to an interview. While they have their educational value, I am currently of the mindset of wanting to let my experience speak for me over paid certifications.
For those who ask for recommendations, the ones from CompTIA (like Network+) are good for beginner/intermediate level, and the ones from Offensive Security and (ISC)² are good for advanced level.
But for those who want certifications to cover all grounds, for their educational value, let’s remember a few things:
1. Windows services are widely used
2. Cloud computing is on the rise
So any Microsoft certification that gets you familiarized with Windows Server, Active Directory, etc. from a security standpoint will be worth it. Similarly, AWS/Google Cloud/Azure certifications would also be a good asset.
- Getting that interview experience will do you good. Do not sweat too much over it if that first one does not go too well. It was a needed experience to learn from, to better prepare for the next one.
- At the job, never give up on a chance to learn a new skill. It does not matter if it’s outside your strengths. Read, watch, practice and do it. Of course, for highly sensitive projects which require experience, don’t jump the gun and sign up for them only to have it affect you and your company negatively. But in most cases, the wide array of resources available on the internet should be able to help you learn and prepare for new kinds of challenges. With a supportive team behind you, it is doable. Being a good judge of your own skill set and learning pace will help in such situations.
- In that initial phase of your career, be ready to sacrifice your time and sleep for the completion of your work, meeting your responsibilities and the growth of the team. As the team grows, you will grow. No hard work goes unpaid. Be patient. A final note on this: even when the situation eases up on you and you have more colleagues helping you out, never lose this commitment, no matter what stage of your career you are in or what company you are at. That’s how you will stand out.
- Have a clear game plan. A goal. A path and a timeline in your mind. Let not your colleagues, family or friends affect this plan. Do everything while keeping this plan in mind. Stay away from office politics and unnecessary drama where emotions can get the better of you and sway you away from the path to your goal. If it does happen, there is little chance of your partners-in-crime being there to help you out of the repercussions and get you back on track.
- Always be learning. Re-read or re-watch when you have nothing else in the queue. To put it simply, the learning never stops. Read from others’ experiences, as each person has their own path, a path taken differently, their own stories, methods, mistakes and their own mindsets. You never know what may help you. Then again, I don’t need to tell you this, otherwise you wouldn’t be here.
Additional Tips
- Regarding your resume, try to represent your skills and experience as accurately as possible by only mentioning what you are strong at. Do not list every IT-related buzzword you have heard of in your skills list, but only the ones that you can back up with your knowledge. Come the moment, you should be able to walk the talk. Do mention advanced skills even if they were picked up during a side project. Also, it is important to not just know the various types of attacks, but the fixes for them as well. Learn and show that you understand how to prevent and mitigate these attacks.
- I have come to believe, from personal experience as well as the experiences of other professionals, that people who are genuinely passionate about all things cybersecurity will have an easier time in this field. For example, keeping up with the latest cyber events/incidents, understanding what happened, how it happened, how it could have been prevented, etc. out of sheer interest, and speaking from examples of such incidents can only work towards your good, both in an interview and in the long run. In an interview, such knowledge points towards what any company would be looking for in an employee: passion, commitment, enthusiasm, motivation.
- Programming isn’t a necessity, but if you know it, you will be an even better hacker. Understanding how an application was written helps you find weaknesses in it and break it. Learning the basics of PHP and JavaScript at the very least, in the case of web application security testing, would be very helpful to you.
- Being able to write quick scripts is a highly valuable asset. Be it in Python, Bash, Perl or another language, I would recommend having some handle on scripting as well.
The Story Continues
My story has just begun. From hitting rock bottom during an earlier phase of my education, being looked down on and being doomed to work in a job which I would have hated, I was brought back into the field where I dreamed of working as a kid. Today, as I realize my dreams and cross two years as a cybersecurity professional, I thank my God above all, my colleagues at Astra Security and my family for all the opportunities, all the successes and failures which helped me grow, and all the support.
As I said in the beginning, I hope my origin story will be helpful to someone new in our field looking for some answers. Please feel free to contact me if you have any questions about getting started. I will try to help as best as I can.
This is my story, the path I have followed so far.
Thank you for sharing your story with the rest of us. God bless you in your journey.
Thank you.