- Hey everyone, it's David
Bumble back with John. John, welcome. - Thanks so much, David. It's great to be here with you. - So John it's 2022. And what I really want to
do at the start of this year is get your opinion about, if
I'm starting in cybersecurity, I'm just starting out, what should I do? Like if you put yourself in my shoes, what would you advise me to do? - Oh, so it's a super good question. And it is no easy answer, I'll tell you that right off the bat. - [David] Yeah. - Cyber security is a massive field. It's huge, it's ginormous. I am not an expert, I'll
be the first to say it. I don't think there really are
any experts in cybersecurity. - I disagree with that, but go on. - No, I think there is one common thread that will absolutely help you
if you're a new individual, if you want to break into the scene, if you're super excited
about this in cybersecurity. In 2022, let me tell you, the absolute first
thing that you should do is try and pick up a programming language. There are a lot of
questions when people ask, "Hey, do I need to learn how to code to be an ethical hacker or
to be a penetration tester, or just be in cybersecurity?" There are a lot of
different answers to that, and both of them are
honestly kind of right. Some folks might say,
"No, you don't have to." Some people say, "Yes,
you absolutely should." I would advocate, you're going to be so
much stronger with it. So the question is then, I'm
sure a lot of you might ask, okay, what? - Yes, which one? Which one? Yeah. - So let me answer this in
twofold, if that's okay. - Yeah. - The knee-jerk reaction, and what I know a lot of people will echo is that Python is a fantastic
and wonderful language to really get the ball rolling. It's easy to read, it's easy to write, you can rapidly just crank out code to prototype and develop
things, and it can do so much. It has wonderful documentation so you can kind of read
and find a lay of the land, and it has so many different integrations to do so much stuff with
already existing software. Whether you're interested
in artificial intelligence or machine learning, et cetera. Maybe if you're, I don't know, interested in the whole blockchain craze, I don't know exactly where
Python might land in that but it'll still teach you
the programming concepts. It'll teach you the fundamentals of, hey, this is a variable,
this is a function, this is a loop, this is a conditional. And you need to know
that, you absolutely do. The second part though, the kind of kicker to that
answer, if that's all right. Python is a scripting language, which means it's interpreted, which means there's
another program kind of waiting in the background
reading your code as if it were a script to act out on stage and then performing those actions and going and doing those things. So you aren't a first-class
citizen in that realm, right? You're kind of, Hey, secondhand, your code is being
executed by something else. - You'd make a lot of people angry, but I know what you mean. - We can cut that off, sorry. - No, no, no, no, we gotta keep it. Go on. - I would think, if you're
looking for a compiled language, if you're looking for
something that you can have a lot more control over what's happening, some people might say,
hey, learn C, or C++, which is a great answer. I would venture that, right
now the new hotness is Golang, or the Go programming language. It's crazy fast, it has
so much concurrency, ability to do multiple things at once, and it gives you the same
expressiveness that Python does, but the same power and
core functionality that C or C++, some of those
lower languages do. It can cross compile and
easily be ran on windows or Linux or Mac. I would really advocate for
Golang as something to pick up when you're first getting started. - So, your two programming
languages would start with Python and then Go after that, yeah? - Absolutely. - But, I'm gonna push you, John, like I always like to do, you said start with those
programming languages, but is there something
to do before I do that? Like, let's go right
back to the beginning. I think in the past you've
recommended this so, would you do Network+? Would you do, like learn
about operating systems? What do you need to
learn before programming? Or would you just go
straight into programming and then do something else after that? So like kind of, what is your path like or steps that you would take, you know, if I was starting out. - Yeah, so in my opinion,
and it could be wrong, right? Just again, my kind of
John Hammond insight. I think you are going to
have a little bit more fun, you know, learning the ropes with the programming language first. That's not to say
networking and IP addresses and subnets and routers and all that are, that's still absolutely necessary and you still need to learn them. But I have to think that will come when you start to play with
maybe some more experiments you could do in programming languages. Hey, can I write something
that will be able to test connectivity between a computer that I have sitting
over here on the corner and another computer? Then you'll naturally
start to learn the lingo of IP addresses and subnets, et cetera, what can talk to what. That's still absolutely
necessary but I think, hey, when you start to explore
and open the flood gates it'll come naturally. - You're shocking me John, because I would never have
thought that you would advocate or say that someone should start with a programming language. But I understand the way you're thinking. So next question then it would
be, how would I learn that? Do you have any recommended resources? You know, what would you recommend? - Oh yeah, this is a bad answer. Google. You know, Google
is your best friend. There are great resources. Go specifically, there's
a Go by Example resource that'll show you the syntax and kind of explain it side-by-side. Go to the documentation,
go to the official source, go to the websites that, hey, this is the legitimate website and we'll give you a tutorial, a getting started guide,
a quick start guide. If you don't like to read
and have that kind of wall of texts and your eyes glaze over, there are of course, videos on YouTube. There are of course courses
you could find online. Truthfully, I like to look for the stuff that's free and accessible so there's an easier barrier of entry. Truthfully, that's just me. - Sure. That's the right
way to do it, yeah. Start with free, yeah. - And, I'm trying to think
of some other examples, code. - Codecademy, I mean, there's
a lot of resources out there, isn't there?
- Totally, yes. - Okay. Now let me ask you the one that I'm pretty sure you would recommend, what about like a CTF or
Hack the Box and Try Hack Me? Would you recommend that after learning a programming language or
would you do it concurrently? I'm just trying to think, you know, okay, I need to learn Python, but Python can be like
applied to data science, could be applied to a
million different things. So, you still a big advocate of CTF or have you changed your mind this year? - No, so I am absolutely a
big advocate and proponent for Capture the Flag.
- [David] Yeah. - Capture the Flag, or CTF, really takes computer science and cybersecurity and a lot of technical material
and makes it into a game. It turns it into a sport
or a puzzle or an activity and it makes it fun, because you have small challenges or tasks that you can work through at your own pace and really kick the tires
and test your chops. Like, hey, am I learning everything that I thought I was learning
while I was following those tutorials, those guides,
and those walkthroughs? It gives you an opportunity
to kind of flex your muscles and really put the pedal to the metal and see if you're learning something in a hands-on, application-based, practical learning environment. So I always sound like a broken record when I shout from the rooftops, hey, play, capture the flag, play CTF. But I really do think it's
one of the best ways to learn. - I'll always have to push you like, the two big ones, I think in the past you gave
us like five different ones, you had Pico CTF, you had Hack the Box, Try Hack Me and a few others, which one would you
recommend people start with? Or do you think they should
just go to all of those and see which one they like? - Yeah. So if you're an absolute beginner, I would tell you start with Pico CTF. - [David] Yeah. - Slowly introduce you to new things. Sometimes those new things
come out of left field and you know, hey, I
need to go Google this. I see a word I don't recognize, I want to go look up what that actually is and what that means. I think that slowly builds your chops. And then Try Hack Me and Hack
The Box, as you mentioned, are great, just as well. Try Hack Me has an
incredible learning path, Hack The Box has a getting
starter or starting point that showcases a lot of that great stuff. And there are even plenty of
war games like Over the Wire that might introduce you
to Linux fundamentals, how to be on the command line. The answer is all of
them, which I know is a- But yes, there is an element
of like, try everything. Try to see what you like,
try to see what's fun. But if you're like, John, I
need one clear cut answer, try Pico CTF. Pico CTF advertises itself as for middle schoolers and high schoolers in that it is very beginner friendly but if you are not a middle
schooler and high schooler, that's not something to take offense by. That's not something to
gate keep you or anything, no, it's just trying to say, "We want to be approachable, we want to be accessible by anyone." - Okay, so I've got to ask
these questions and you know this is for this year. And I've asked you this stuff in the past, but what's very interesting
about this discussion is you blindsided me
with your first answer. So that's good that you
like, things have changed. Degrees, certifications,
recommended? Not recommended? If so, which ones would you think? Is it required to have
degrees and certs in cyber? - Tough question, and I know a
lot of different sides to it. In just the John opinion,
certifications help, they really do. Industry training,
professional certifications, those will get your foot in the door when you're looking for a job, you're trying to start your career and you want to turn this
passion into a vocation, that helps, there's no doubt about it. Same thing with a degree, same thing with some formal education. I will offer, formal education and degree
is not absolutely necessary. Some places that you talk to, maybe there'll be of
the opinion that it is, but there's a large handful of others that are of a different opinion. And hey, if you haven't
suffered the four, eight years in school and you don't
have the, you know, pretty piece of paper and
the receipt at the end of it, that's totally okay. We want to see your merit, we
want to know your competency. What can you accomplish? That's a much more
valuable to an employer. And oftentimes you prove
that with certifications, so that helps. If you aren't at a place
to grab certifications, you can't kind of, hey,
get the notch on the belt, I always tell people, show your work. Like, you're doing Try Hack Me, you're working through Hack
The Box, you're playing in CTF, you have your personal
products and projects, you have a GitHub account. Hey, show off your GitHub
account, show off your website, show off your blog. All of that, I think really gives a great first impression to an employer when they start to say,
"What have you done?" And you give that to them
and "Hey, look at all this, look at all that I've accomplished." - It's a hard one, isn't it? I mean, I'm putting in
a difficult spot here. A degree, you know, it has lots of value
for a lot of employers, but I think CTFs, like you said, just show the work and network, get known, get known by people. There's a lot of advantages to doing that. So, difficult question once again, John, any certs that you would think
beginners should look at? Any personal favorites? - Ooh, this is a good
talking point, actually. And if it's okay to go on a tangent. Everyone might say, if you
want to be an ethical hacker or a penetration tester or any of the cool Hollywood stuff, right? They say go after OSCP, the Offensive Security
Certified Professional exam and certification in that course. OSCP has a lot of mystique and lure to it because it's sort of
like this ominous thing, a holy grail to get started in security. There's been a very, very recent change. Recent in that, hey, we've decided, offensive security, right? That certifying body has said, the exam, the capstone
and culminating challenge for you to get the certification, is going to change in structure. And they've gone and said, we feel that active directory, active directory being the technology that kind of manages
windows realm environments between users and computers and groups and organizational units and all of that. You see active directory
everywhere in the industry, 90% of businesses, 95, we could talk that high of a number. And if you're doing red team work, if you're doing a penetration
test, that really is, there's no lie. You're going to see active
directory out in the real world. So I think it's a good thing
that they've made that change, but it also might change your focus. If you want to get started
in this and make it a career, hey, we're going to do
a little bit of learning more in windows and how
it's deployed and used in enterprise environments. - So, are they making
active directory like a big part of the cert now? - Yes. So in beginning of 2020, which I know is a few years back now, they had changed the course material to have more inclusion of active directory and other scripting and things. I think now, as we enter 2022, they have changed the exam environment to better reflect that
modification in the course. So that means active directory is going to be a larger
portion of the exam, so much so that it is almost
necessary to pass the exam. You need, and if I get
too in the weeds here- - No, no, go for it, go for it. - You need 70 points to pass out of a 100, and there are two pools of
how you could gain points. There is a kind of classic,
original 60 point bucket where if you compromise a machine, another machine, another machine, cool, you've gotten local user access and then you've escalated your privileges to be the administrator. That could net you a possible 60 points, which is less than 70, and the other possible 40 points comes from compromising an
active directory environment. And that active directory
portion is strictly pass or fail. There is no partial credit, there is no, hey, maybe you could get
10 and squeeze out a 20, no it's 40 or zero. Which means, if you even
wanted to reach that 70, you need the 40. There is a little bit of leeway in that. They offer some lab
report where if you went through each of the lab
machines and the exercises in the course curriculum, you could submit that for 10 points and that could net you, okay,
60 plus 10, you get to 70, but that's a little bit
more of a dice roll. So the importance of active directory has really kicked up a notch. - So, I mean, you've done most of the offensive security certs, or
all of them, is that right? - Close to all of them. They've got some new stuff out that I'm still trying to chase, but I guess I have a decent number. - You're too humble. Yeah, you've got a huge
amount, I would say. Okay, OSCP sounds like
scary if I'm starting out, is that the first cert
you recommend I go for? Or is there something before that? - No, I honestly would recommend to folks, hey, get your feet wet with
something like Security+. That was my first certification. - A lot of people really recommend the CompTIA Security+ stuff. What about like networking certs? I mean, John, this is the thing, you've been doing this for a long time and you know, you've probably
made mistakes along the way, are there any other
certs that you would get, or would it be like
Security+, Pentest+ perhaps, and then go and do OSCP? Do you want to talk around that? Like if you were starting
today, if this is you, would you just jump straight to OCP? What would you think? - So, if I knew kind of what I know now, I would take Security+ and then I would dabble
with E-learn Security's Junior Penetration Tester,
and then tackle OSCP. E-Learn Security's Junior
Penetration Tester, or EJPT, is much more practical
and hands-on, I believe, then Security+ is, truthfully, but it's not quite the
shock and awe of OSCP. Maybe that's a way to say it. It guides you a little bit more. It showcases some fundamental techniques and stuff to really crawl, walk, run in this, I guess, section here. I don't know how EJPT is truthfully doing. I know there's some morph
between E-Learn Security and INE, and INE's doing some good stuff. So I don't know how the
EJPT course even might look in 2022, truthfully. - Yeah, that's a good point. So I'm starting today. Learn some programming,
Python is the first one, Golang is the second one. Do for instance, Security+
and perhaps if you've got no, it's difficult to answer
the question, isn't it? Because it's like, where
are you at at the moment? If you don't know what a server is, or if you don't know
what an IP address is, you're going to probably struggle. So perhaps go and do a Network+, just get a basic understanding
of networking, CCNA perhaps. I don't know, it's difficult. It's like, where's your
base knowledge, but, okay. So let's say do some
programming, Python, Golang, and then if you're up for the challenge, go straight to OSCP, that's what John Hammond
would do today, yeah? - Yes. - Yeah, yeah. I mean, it's very respected
in the industry, isn't it? So it's like the, would you put it as a beginner cert, or like a medium level cert, where would you put it? - Can I add a caveat? - Of course you can. You can do what you like, yeah. - One thing that we've been discussing when we were talking
about how to get started, we mentioned programming, and then we dabbled a little
bit in Capture the Flag. And there was one more
game that we had mentioned for Over the Wire that showcased Linux. Before you take on OSCP, or maybe even before you go on Security+ you still need a little bit of know-how. You just need to be versed in Linux, the other operating
system other than windows and other than Mac. Different representation
of the file system, different commands to enter
from the command prompt for system administrator work. You will need that in OSCP, especially, and of course, I think Sec+
even might matter just as well. - So we've got programming
languages, Python, Golang. We've got Security+, we
need to do a Linux course, perhaps like Linux+ or something. And then we go to OSCP, is that right? - Yes. - I mean, that's a path. I mean, it's so difficult to answer because you know, people have
different experience levels and different interests. I'm glad you mentioned Capture the Flag because that's a good place
to see where you fall short, is that right? - I would agree. Sometimes it's very humbling. And I get that experience
all the time where like, oh man, I'm so excited to go try this CTF and I'm just banging my
head against the wall and I get nothing done through
a whole weekend or something. But you learn, you really go and explore and you Google and you do research and you try different things. I've heard someone say in this kind of pithy mentality for learning is that you read, you
write, and then you execute. Much like kind of permissions on a file or things that you could do on a computer because you'll read about it, you'll try it yourself
and you play with it, and then you'll experiment. You'll execute, you'll
experiment and tinker with, what can I do with this new
thing that I've learned? Especially in the realm of tech and computer science and security. - John, is there anything
else you want to add? I think we've given everyone watching a great roadmap to get started, is there anything you wish you had known when you were starting
out that you know today? - I wish I had a little bit more eyes open to all of the potential
and possible things in the realm of cybersecurity. Because something might be cool
and attractive and hip to the cool kids that you're with and the folks that you hang
out with in today's world, but you might be going against the grain and you think like, no, honestly I'm not at all interested in that. I'm much more fascinated
by how cryptography works or I'm really interested in like actually defending against these threats rather than trying to
emulate hacking and all that. I'm much more concerned about making sure actual businesses and
companies can sleep at night, not too worried about the hackers, right? There's so many different fields. If you're interested in data science, if you're interested in AI, if you're interested in
buzzword, et cetera, you know. Do your research and explore and play and do something that you love and you're fascinated and interested in. And you'll be surprised in
that they're there very well is kind of a corner and a
crevice for just that in cybersecurity. - I think you've hit it on the head there. I get this question a lot,
David, what should I do? And the problem with that
is, everyone is different and you should do, if at all possible, it's not always possible, but if at all possible do what you love. Like, John, you really shine at CTFs and you're really into the malware stuff, that's the stuff that you love. And I think that's why
he's so successful in it, because you enjoy doing it. You know, if you can do what you love, it's going to make a huge difference, do you agree with that? - Oh, absolutely. Yes. Passion is part of the product, I guess. - I mean, you've told
me in previous videos, you'd like have to work
through your weekends, you have to do all those crazy hours. I mean, if you didn't enjoy doing that, that would be soul destroying. Try and do what you can, or
sorry, try and do what you love. And I mean, that could be
different for all of us, yeah? - Yeah. And it might take a little bit of time for you to kind of stumble around and like walk into things in the dark until you find what it
is that you really enjoy. I don't even know if I'm there yet. Maybe there's something I love even more than what I already do. You have plenty of time. Like, there's no rush. Some folks might say, no, there is a rush, I'm getting older. It's okay. Life is long. Just explore and tinker. I've heard someone say, flow with the go. - Okay. - Rather than go with the flow, right? It's just like, Hey,
the world's moving on? Totally okay. You just flow with the go. - And I mean, let's be honest. I mean, the careers of today,
the hot careers of today didn't exist perhaps even five
years ago or 10 years ago. Things change all the time. Hopefully your career is not
going to be two years long, it's going to be much longer
than that, and it can change. I mean, I've been in the game a long time and it changes all the time. And that's good. I think my takeaway would be, and I don't know if you agree with this, is you must never stop learning. - You're totally right. - Cause if you stop learning,
you're gonna just fall behind. And technology is not the game to be in if you don't want to learn. - It is continuous learning, that's why you gotta love it, that's why it's gotta be a passion. - John, really want to thank
you for sharing your knowledge and your experience and, you know, for guiding people who are starting out. Thanks so much. - Thank you, Dave. Been a ton of fun.
