2022 Cybersecurity roadmap: How to get started?

Captions
- Hey everyone, it's David Bombal back with John. John, welcome.
- Thanks so much, David. It's great to be here with you.
- So John, it's 2022. And what I really want to do at the start of this year is get your opinion about, if I'm starting in cybersecurity, I'm just starting out, what should I do? Like if you put yourself in my shoes, what would you advise me to do?
- Oh, so it's a super good question. And it is no easy answer, I'll tell you that right off the bat.
- [David] Yeah.
- Cybersecurity is a massive field. It's huge, it's ginormous. I am not an expert, I'll be the first to say it. I don't think there really are any experts in cybersecurity.
- I disagree with that, but go on.
- No, I think there is one common thread that will absolutely help you if you're a new individual, if you want to break into the scene, if you're super excited about this in cybersecurity. In 2022, let me tell you, the absolute first thing that you should do is try and pick up a programming language. There are a lot of questions when people ask, "Hey, do I need to learn how to code to be an ethical hacker or to be a penetration tester, or just be in cybersecurity?" There are a lot of different answers to that, and both of them are honestly kind of right. Some folks might say, "No, you don't have to." Some people say, "Yes, you absolutely should." I would advocate, you're going to be so much stronger with it. So the question is then, I'm sure a lot of you might ask, okay, what?
- Yes, which one? Which one? Yeah.
- So let me answer this in twofold, if that's okay.
- Yeah.
- The knee-jerk reaction, and what I know a lot of people will echo is that Python is a fantastic and wonderful language to really get the ball rolling. It's easy to read, it's easy to write, you can rapidly just crank out code to prototype and develop things, and it can do so much. It has wonderful documentation so you can kind of read and find a lay of the land, and it has so many different integrations to do so much stuff with already existing software. Whether you're interested in artificial intelligence or machine learning, et cetera. Maybe if you're, I don't know, interested in the whole blockchain craze, I don't know exactly where Python might land in that but it'll still teach you the programming concepts. It'll teach you the fundamentals of, hey, this is a variable, this is a function, this is a loop, this is a conditional. And you need to know that, you absolutely do. The second part though, the kind of kicker to that answer, if that's all right. Python is a scripting language, which means it's interpreted, which means there's another program kind of waiting in the background reading your code as if it were a script to act out on stage and then performing those actions and going and doing those things. So you aren't a first-class citizen in that realm, right? You're kind of, hey, secondhand, your code is being executed by something else.
- You'd make a lot of people angry, but I know what you mean.
- We can cut that off, sorry.
- No, no, no, no, we gotta keep it. Go on.
- I would think, if you're looking for a compiled language, if you're looking for something that you can have a lot more control over what's happening, some people might say, hey, learn C, or C++, which is a great answer. I would venture that, right now the new hotness is Golang, or the Go programming language. It's crazy fast, it has so much concurrency, ability to do multiple things at once, and it gives you the same expressiveness that Python does, but the same power and core functionality that C or C++, some of those lower languages do. It can cross compile and easily be run on Windows or Linux or Mac. I would really advocate for Golang as something to pick up when you're first getting started.
- So, your two programming languages would start with Python and then Go after that, yeah?
- Absolutely.
- But, I'm gonna push you, John, like I always like to do, you said start with those programming languages, but is there something to do before I do that? Like, let's go right back to the beginning. I think in the past you've recommended this so, would you do Network+? Would you do, like learn about operating systems? What do you need to learn before programming? Or would you just go straight into programming and then do something else after that? So like kind of, what is your path like or steps that you would take, you know, if I was starting out.
- Yeah, so in my opinion, and it could be wrong, right? Just again, my kind of John Hammond insight. I think you are going to have a little bit more fun, you know, learning the ropes with the programming language first. That's not to say networking and IP addresses and subnets and routers and all that are, that's still absolutely necessary and you still need to learn them. But I have to think that will come when you start to play with maybe some more experiments you could do in programming languages. Hey, can I write something that will be able to test connectivity between a computer that I have sitting over here on the corner and another computer? Then you'll naturally start to learn the lingo of IP addresses and subnets, et cetera, what can talk to what. That's still absolutely necessary but I think, hey, when you start to explore and open the floodgates it'll come naturally.
- You're shocking me John, because I would never have thought that you would advocate or say that someone should start with a programming language. But I understand the way you're thinking. So next question then it would be, how would I learn that? Do you have any recommended resources? You know, what would you recommend?
- Oh yeah, this is a bad answer. Google. You know, Google is your best friend. There are great resources. Go specifically, there's a Go by Example resource that'll show you the syntax and kind of explain it side-by-side. Go to the documentation, go to the official source, go to the websites that, hey, this is the legitimate website and we'll give you a tutorial, a getting started guide, a quick start guide. If you don't like to read and have that kind of wall of text and your eyes glaze over, there are of course, videos on YouTube. There are of course courses you could find online. Truthfully, I like to look for the stuff that's free and accessible so there's an easier barrier of entry. Truthfully, that's just me.
- Sure. That's the right way to do it, yeah. Start with free, yeah.
- And, I'm trying to think of some other examples, code.
- Codecademy, I mean, there's a lot of resources out there, isn't there?
- Totally, yes.
- Okay. Now let me ask you the one that I'm pretty sure you would recommend, what about like a CTF or Hack the Box and Try Hack Me? Would you recommend that after learning a programming language or would you do it concurrently? I'm just trying to think, you know, okay, I need to learn Python, but Python can be like applied to data science, could be applied to a million different things. So, are you still a big advocate of CTF or have you changed your mind this year?
- No, so I am absolutely a big advocate and proponent for Capture the Flag.
- [David] Yeah.
- Capture the Flag, or CTF, really takes computer science and cybersecurity and a lot of technical material and makes it into a game. It turns it into a sport or a puzzle or an activity and it makes it fun, because you have small challenges or tasks that you can work through at your own pace and really kick the tires and test your chops. Like, hey, am I learning everything that I thought I was learning while I was following those tutorials, those guides, and those walkthroughs? It gives you an opportunity to kind of flex your muscles and really put the pedal to the metal and see if you're learning something in a hands-on, application-based, practical learning environment. So I always sound like a broken record when I shout from the rooftops, hey, play capture the flag, play CTF. But I really do think it's one of the best ways to learn.
- I'll always have to push you like, the two big ones, I think in the past you gave us like five different ones, you had Pico CTF, you had Hack the Box, Try Hack Me and a few others, which one would you recommend people start with? Or do you think they should just go to all of those and see which one they like?
- Yeah. So if you're an absolute beginner, I would tell you start with Pico CTF.
- [David] Yeah.
- Slowly introduce you to new things. Sometimes those new things come out of left field and you know, hey, I need to go Google this. I see a word I don't recognize, I want to go look up what that actually is and what that means. I think that slowly builds your chops. And then Try Hack Me and Hack The Box, as you mentioned, are great, just as well. Try Hack Me has an incredible learning path, Hack The Box has a getting starter or starting point that showcases a lot of that great stuff. And there are even plenty of war games like Over the Wire that might introduce you to Linux fundamentals, how to be on the command line. The answer is all of them, which I know is a- But yes, there is an element of like, try everything. Try to see what you like, try to see what's fun. But if you're like, John, I need one clear cut answer, try Pico CTF. Pico CTF advertises itself as for middle schoolers and high schoolers in that it is very beginner friendly but if you are not a middle schooler and high schooler, that's not something to take offense by. That's not something to gatekeep you or anything, no, it's just trying to say, "We want to be approachable, we want to be accessible by anyone."
- Okay, so I've got to ask these questions and you know this is for this year. And I've asked you this stuff in the past, but what's very interesting about this discussion is you blindsided me with your first answer. So that's good that you like, things have changed. Degrees, certifications, recommended? Not recommended? If so, which ones would you think? Is it required to have degrees and certs in cyber?
- Tough question, and I know a lot of different sides to it. In just the John opinion, certifications help, they really do. Industry training, professional certifications, those will get your foot in the door when you're looking for a job, you're trying to start your career and you want to turn this passion into a vocation, that helps, there's no doubt about it. Same thing with a degree, same thing with some formal education. I will offer, formal education and degree is not absolutely necessary. Some places that you talk to, maybe they'll be of the opinion that it is, but there's a large handful of others that are of a different opinion. And hey, if you haven't suffered the four, eight years in school and you don't have the, you know, pretty piece of paper and the receipt at the end of it, that's totally okay. We want to see your merit, we want to know your competency. What can you accomplish? That's much more valuable to an employer. And oftentimes you prove that with certifications, so that helps. If you aren't at a place to grab certifications, you can't kind of, hey, get the notch on the belt, I always tell people, show your work. Like, you're doing Try Hack Me, you're working through Hack The Box, you're playing in CTF, you have your personal products and projects, you have a GitHub account. Hey, show off your GitHub account, show off your website, show off your blog. All of that, I think really gives a great first impression to an employer when they start to say, "What have you done?" And you give that to them and "Hey, look at all this, look at all that I've accomplished."
- It's a hard one, isn't it? I mean, I'm putting you in a difficult spot here. A degree, you know, it has lots of value for a lot of employers, but I think CTFs, like you said, just show the work and network, get known, get known by people. There's a lot of advantages to doing that. So, difficult question once again, John, any certs that you would think beginners should look at? Any personal favorites?
- Ooh, this is a good talking point, actually. And if it's okay to go on a tangent. Everyone might say, if you want to be an ethical hacker or a penetration tester or any of the cool Hollywood stuff, right? They say go after OSCP, the Offensive Security Certified Professional exam and certification in that course. OSCP has a lot of mystique and allure to it because it's sort of like this ominous thing, a holy grail to get started in security. There's been a very, very recent change. Recent in that, hey, we've decided, Offensive Security, right? That certifying body has said, the exam, the capstone and culminating challenge for you to get the certification, is going to change in structure. And they've gone and said, we feel that Active Directory, Active Directory being the technology that kind of manages Windows realm environments between users and computers and groups and organizational units and all of that. You see Active Directory everywhere in the industry, 90% of businesses, 95, we could talk that high of a number. And if you're doing red team work, if you're doing a penetration test, that really is, there's no lie. You're going to see Active Directory out in the real world. So I think it's a good thing that they've made that change, but it also might change your focus. If you want to get started in this and make it a career, hey, we're going to do a little bit of learning more in Windows and how it's deployed and used in enterprise environments.
- So, are they making Active Directory like a big part of the cert now?
- Yes. So in the beginning of 2020, which I know is a few years back now, they had changed the course material to have more inclusion of Active Directory and other scripting and things. I think now, as we enter 2022, they have changed the exam environment to better reflect that modification in the course. So that means Active Directory is going to be a larger portion of the exam, so much so that it is almost necessary to pass the exam. You need, and if I get too in the weeds here-
- No, no, go for it, go for it.
- You need 70 points to pass out of 100, and there are two pools of how you could gain points. There is a kind of classic, original 60 point bucket where if you compromise a machine, another machine, another machine, cool, you've gotten local user access and then you've escalated your privileges to be the administrator. That could net you a possible 60 points, which is less than 70, and the other possible 40 points comes from compromising an Active Directory environment. And that Active Directory portion is strictly pass or fail. There is no partial credit, there is no, hey, maybe you could get 10 and squeeze out a 20, no it's 40 or zero. Which means, if you even wanted to reach that 70, you need the 40. There is a little bit of leeway in that. They offer some lab report where if you went through each of the lab machines and the exercises in the course curriculum, you could submit that for 10 points and that could net you, okay, 60 plus 10, you get to 70, but that's a little bit more of a dice roll. So the importance of Active Directory has really kicked up a notch.
- So, I mean, you've done most of the Offensive Security certs, or all of them, is that right?
- Close to all of them. They've got some new stuff out that I'm still trying to chase, but I guess I have a decent number.
- You're too humble. Yeah, you've got a huge amount, I would say. Okay, OSCP sounds like scary if I'm starting out, is that the first cert you recommend I go for? Or is there something before that?
- No, I honestly would recommend to folks, hey, get your feet wet with something like Security+. That was my first certification.
- A lot of people really recommend the CompTIA Security+ stuff. What about like networking certs? I mean, John, this is the thing, you've been doing this for a long time and you know, you've probably made mistakes along the way, are there any other certs that you would get, or would it be like Security+, Pentest+ perhaps, and then go and do OSCP? Do you want to talk around that? Like if you were starting today, if this is you, would you just jump straight to OSCP? What would you think?
- So, if I knew kind of what I know now, I would take Security+ and then I would dabble with eLearnSecurity's Junior Penetration Tester, and then tackle OSCP. eLearnSecurity's Junior Penetration Tester, or eJPT, is much more practical and hands-on, I believe, than Security+ is, truthfully, but it's not quite the shock and awe of OSCP. Maybe that's a way to say it. It guides you a little bit more. It showcases some fundamental techniques and stuff to really crawl, walk, run in this, I guess, section here. I don't know how eJPT is truthfully doing. I know there's some morph between eLearnSecurity and INE, and INE's doing some good stuff. So I don't know how the eJPT course even might look in 2022, truthfully.
- Yeah, that's a good point. So I'm starting today. Learn some programming, Python is the first one, Golang is the second one. Do for instance, Security+ and perhaps if you've got no, it's difficult to answer the question, isn't it? Because it's like, where are you at at the moment? If you don't know what a server is, or if you don't know what an IP address is, you're going to probably struggle. So perhaps go and do a Network+, just get a basic understanding of networking, CCNA perhaps. I don't know, it's difficult. It's like, where's your base knowledge, but, okay. So let's say do some programming, Python, Golang, and then if you're up for the challenge, go straight to OSCP, that's what John Hammond would do today, yeah?
- Yes.
- Yeah, yeah. I mean, it's very respected in the industry, isn't it? So it's like the, would you put it as a beginner cert, or like a medium level cert, where would you put it?
- Can I add a caveat?
- Of course you can. You can do what you like, yeah.
- One thing that we've been discussing when we were talking about how to get started, we mentioned programming, and then we dabbled a little bit in Capture the Flag. And there was one more game that we had mentioned for Over the Wire that showcased Linux. Before you take on OSCP, or maybe even before you go on Security+ you still need a little bit of know-how. You just need to be versed in Linux, the other operating system other than Windows and other than Mac. Different representation of the file system, different commands to enter from the command prompt for system administrator work. You will need that in OSCP, especially, and of course, I think Sec+ even might matter just as well.
- So we've got programming languages, Python, Golang. We've got Security+, we need to do a Linux course, perhaps like Linux+ or something. And then we go to OSCP, is that right?
- Yes.
- I mean, that's a path. I mean, it's so difficult to answer because you know, people have different experience levels and different interests. I'm glad you mentioned Capture the Flag because that's a good place to see where you fall short, is that right?
- I would agree. Sometimes it's very humbling. And I get that experience all the time where like, oh man, I'm so excited to go try this CTF and I'm just banging my head against the wall and I get nothing done through a whole weekend or something. But you learn, you really go and explore and you Google and you do research and you try different things. I've heard someone say in this kind of pithy mentality for learning is that you read, you write, and then you execute. Much like kind of permissions on a file or things that you could do on a computer because you'll read about it, you'll try it yourself and you play with it, and then you'll experiment. You'll execute, you'll experiment and tinker with, what can I do with this new thing that I've learned? Especially in the realm of tech and computer science and security.
- John, is there anything else you want to add? I think we've given everyone watching a great roadmap to get started, is there anything you wish you had known when you were starting out that you know today?
- I wish I had a little bit more eyes open to all of the potential and possible things in the realm of cybersecurity. Because something might be cool and attractive and hip to the cool kids that you're with and the folks that you hang out with in today's world, but you might be going against the grain and you think like, no, honestly I'm not at all interested in that. I'm much more fascinated by how cryptography works or I'm really interested in like actually defending against these threats rather than trying to emulate hacking and all that. I'm much more concerned about making sure actual businesses and companies can sleep at night, not too worried about the hackers, right? There's so many different fields. If you're interested in data science, if you're interested in AI, if you're interested in buzzword, et cetera, you know. Do your research and explore and play and do something that you love and you're fascinated and interested in. And you'll be surprised in that there very well is kind of a corner and a crevice for just that in cybersecurity.
- I think you've hit it on the head there. I get this question a lot, David, what should I do? And the problem with that is, everyone is different and you should do, if at all possible, it's not always possible, but if at all possible do what you love. Like, John, you really shine at CTFs and you're really into the malware stuff, that's the stuff that you love. And I think that's why he's so successful in it, because you enjoy doing it. You know, if you can do what you love, it's going to make a huge difference, do you agree with that?
- Oh, absolutely. Yes. Passion is part of the product, I guess.
- I mean, you've told me in previous videos, you'd like have to work through your weekends, you have to do all those crazy hours. I mean, if you didn't enjoy doing that, that would be soul destroying. Try and do what you can, or sorry, try and do what you love. And I mean, that could be different for all of us, yeah?
- Yeah. And it might take a little bit of time for you to kind of stumble around and like walk into things in the dark until you find what it is that you really enjoy. I don't even know if I'm there yet. Maybe there's something I love even more than what I already do. You have plenty of time. Like, there's no rush. Some folks might say, no, there is a rush, I'm getting older. It's okay. Life is long. Just explore and tinker. I've heard someone say, flow with the go.
- Okay.
- Rather than go with the flow, right? It's just like, hey, the world's moving on? Totally okay. You just flow with the go.
- And I mean, let's be honest. I mean, the careers of today, the hot careers of today didn't exist perhaps even five years ago or 10 years ago. Things change all the time. Hopefully your career is not going to be two years long, it's going to be much longer than that, and it can change. I mean, I've been in the game a long time and it changes all the time. And that's good. I think my takeaway would be, and I don't know if you agree with this, is you must never stop learning.
- You're totally right.
- 'Cause if you stop learning, you're gonna just fall behind. And technology is not the game to be in if you don't want to learn.
- It is continuous learning, that's why you gotta love it, that's why it's gotta be a passion.
- John, really want to thank you for sharing your knowledge and your experience and, you know, for guiding people who are starting out. Thanks so much.
- Thank you, Dave. Been a ton of fun.
Info
Channel: David Bombal
Views: 682,560
Keywords: cyber security, cybersecurity for beginners, cybersecurity careers, cyber security course, david bombal, davidbombal, john hammond, ethical, ethical hacking, information security, careers in cybersecurity, cyber security jobs, cyber security career, cyber security training, cybersecurity jobs, getting into cyber security, hacker, hacking, ceh, ejpt, hack the box, ctf, try hack me, hackthebox, tryhackme, ine, ethical hacker, career in cybersecurity, kali linux, cyber security careers
Id: mS7qWC3CbOU
Length: 25min 22sec (1522 seconds)
Published: Sat Jan 01 2022