Ex-NSA hacker tells us how to get into hacking!

Reddit Comments

BTW, this guy was really employed by the US Air Force. So why did he do all this work for the NSA? That's because the NSA is part of the military. So when the NSA hacks you, it's really the US military.

👍︎︎ 1 👤︎︎ u/TomDC777 📅︎︎ Jan 19 2021 🗫︎ replies
Captions
- It's always a problem. How do I get in? How do I get experience without a job to give me experience? And you've basically given us the roadmap for that.
- Yes.
- I mean, that's fantastic because it sounds like what you're giving everyone who's watching is a way to break in without making the mistake, and I think a lot of people make this mistake. They think they have to leave their job and be unemployed to get a degree or get a cert before they can actually break in.
- That's absolutely not the case. I am vehemently opposed to that. I think cyber security is an amazing industry and, you know, I've found gold and I wanna share it with literally everybody because it's not outside the region. And I'll tell you this, you can cut it in or out if you want to. I didn't get accepted into college. When I graduated high school I got turned down to go into college.
- But tell me, how do I do this? Gimme the path.
- And here are Neil's top three things. Neil's top three things are...

(playful electronic music)

- Hi, everyone, it's David Bombal. I haven't done one of these in a while, but I've been asked so many times to talk about the top certifications to get if you wanna get into ethical hacking. And to help me answer that question, I've got Neil. Neil, welcome.
- Thank you. Thank you, David, it's good to be here.
- So Neil, tell us a bit about yourself. I mean, you've told me a little bit about who you are, we've recently met, but, you know, give us the, sort of, the quick overview of your experience and why you can talk about the subject.
- Yeah, absolutely. And thanks very much for having me on, it's an honor to be here. My name is Neil Bridges. I've been 20 years plus in the cybersecurity space. 10 years of that, I spent doing offensive hacking for the United States Air Force as part of the National Security Agency. I've built the first functional training unit for Air Force Cyber, basically training all of the hackers that have gone to the NSA to go be hackers over at the NSA.
Since being out of the Air Force I've had multiple gigs building up pen testing and red teams with Fortune 100 companies. I've been a consultant for PricewaterhouseCoopers, one of the largest consulting firms in the world, where I led a lot of their incident threat management out of the Midwest. And I've built multiple security operations teams for Fortune 100 companies. Spent five years as a SANS instructor. I'm a notable author. I've done appearances on Bloomberg, and I've spoken at numerous, numerous conferences and, by invitation, guest for a lot of the vendors and vendor events inside the cybersecurity arena.
- Yeah. I mean, didn't you speak at Black Hat? Is that right?
- I did speak at Black Hat. I've also spoken at DEFCON. I've spoken at BSides, spoken at a lot of smaller events and things like that. I've been asked to come and consult with the FBI. Been keynote for a lot of vendor events, such as Proofpoint, Carbon Black, Splunk and things like that.
- Yeah. I mean, that's really great. When I was thinking about this today I was thinking one of the great things that I really like about you is you're not just working on, like, the Black Hat side, if you like. So you're not all the, you know, the penetration testing. You're not trying to just break in. You're also working with companies, you're working with the NSA, you're working with government organizations to protect themselves, is that right?
- That is, and one of the things that, you know, I've always been into hacking and I've always loved the offensive side of things. One of the things I quickly realized is everybody loves the offensive hacking. It really is the cool, sexy part about our industry and about what it is that we do. But at the same time, you know, the thing that helps most organizations is the ability to protect those organizations from hackers.
And there's not enough of those unsung heroes, and so I give a lot of credit and I try to spend a lot of my time working on the defense of networks and putting that hacker mindset to work, to defend networks, to help blue teams, to train threat hunting teams, to help try to protect a lot of these larger organizations, because we're lacking that mindset on the blue side because everybody wants to gravitate over to the ethical hacking piece of things.
- Now, I wanna bring the level down on this video because I wanna give people who are starting on a path to get into this industry. And as I said to you earlier, I want to show them how they can get to where you are, you know, learn your knowledge. So first thing is, what's a blue team, what's a red team? Can you just explain some of the basics? And, you know, you've mentioned that term.
- 100%. So when you're talking about ethical hacking, when you're talking about the ability to look for vulnerabilities inside of systems, and whether those systems are people or computers, buildings, if you're talking about physical penetration testing, when you're looking at those systems, a red team or the red side of our cybersecurity industry is oftentimes looking for ways to find those vulnerabilities and then to turn those vulnerabilities into access, if you will, for the bad guy, whether that's in the term of, like, a set of physical penetration tests where you're looking for access to a building, whether you're, you know, penetrating a computer, trying to gain access to systems or data. That's oftentimes what we refer to on the red side or the offensive side. On the blue side, those are really the network defenders, and I'm not just talking about the IT folks who are sitting in the NOC or the network operation center doing, you know, routing and switching and firewalling. When we think about blue teamers, we're really talking about folks who sit inside of a security operation center. These are your incident responders.
These are your threat hunters. These are folks who are, you know, looking at your alerting and monitoring on your SIEM system, or your security information and event management system. Something like Splunk, QRadar, or LogRhythm or something like that. These are the guys, and I equate this, and when I talk to CSOs and CIOs and CEOs on the regular, you know, I equate the blue teamers. You know, those are your frontline soldiers. Those are the folks who are on the battlefield on a day-to-day basis actively fighting the adversaries that are attacking corporations. They're looking at alerts, they're running down malware, they're, you know, hunting for the adversary inside of your corporate network. And so while red team is very sexy and everybody loves to do red team, because we've created kind of a hype culture around the coolness of hacking, it truly is the frontline soldiers, the blue team, that make a company tick.
- And I mean, what about jobs? 'Cause I mean, at the end of the day you wanna be paid to do this stuff. Do you see that there's more jobs for the blue team, like for companies, or are there more jobs for, like, offensive stuff?
- There are way more jobs for blue team. As a matter of fact, in every organization the amount of blue, you know, the ratio between blue jobs and red jobs is almost 10 to one. I've built some of the largest security operations teams, you know, in the United States of America, and I can tell you that even on some of those teams you struggle to have one or two pen testers engaged full time. Pen testing is often remanded to a lot of the consulting agencies, so like your PwCs, your KPMGs, your EYs, maybe an Accenture or something like that, if you're familiar with Accenture. And sure, they do a lot of engagement, but you're going to be as part of that consulting ecosystem.
If you have aspirations of working for Microsoft or Google or an Amazon or an Apple or somebody like that, of course, they do employ pen testers and those pen testing jobs are there, but those are also very, very hard to get to and to achieve.
- Is it possible for someone to start out as a blue team member and then move to the red team once they, you know, learn more skills and get more well-known?
- 100%, absolutely. That is one of the biggest things that I mentor folks on all the time. And, as a matter of fact, it is not uncommon. And one of the things that I talk about when we talk about teaching students, and we talk about bringing people into this career field, is you'll get an individual who's come right out of college, or maybe if he doesn't even have any college, just come out of high school with some experience or some, you know, maybe a handful of certifications where they've taken videos like yours, David, or, you know, other videos on YouTube to learn about cybersecurity or ethical hacking, but they can only either get, like, a help desk job or maybe, like, a very, very junior level security analyst sitting on a blue team looking at alerts on a SIEM. They'll come in, they'll see their first penetration tester or they'll see their first penetration test inside that company, and they'll immediately gravitate to that and be like, how do I get into this career field? You absolutely, you can absolutely go from security analyst on a blue team. You can go from help desk. Trust me when I tell you that I've seen people go from construction workers and business degrees and law degrees to penetration testing as well. And there's, you know, there's no end to where you can get into this career field as long as you've got the mindset and you've got the heart to do it.
- Okay, so now I've got to ask you a number of things 'cause you've mentioned a few things there. Firstly, do we need degrees?
And then the big question that I wanted to talk about is certifications and which certifications. So do I need a degree, first thing. Secondly, do I need certifications? And if so, which certifications would you recommend?
- Do you need a degree? No, this is the biggest thing that I love to debunk. I've talked to several recruiters. I'm gonna give you an opportunity to cut something here if you want to.
- No, go for it, just go for it.
- I've had several recruiters that I've interviewed on my stream before. We've talked about the way the industry is going when it comes to certifications versus degrees versus experience, and the industry as a whole is very much moving away from the need for degrees. As a matter of fact, if you start to look at a lot of the job descriptions, especially in some of the higher technical skilled roles, especially on the ethical hacking side, on the incident response side, on the threat hunting side, you'll see that a lot of the job descriptions are changing from four year degree or certifications or some combination of those and experience, and so that's a huge shift. As a matter of fact, if you look across the tech industry you'll see companies like PricewaterhouseCoopers, KPMG, EY, they're all starting to drop their four year degree requirement to start to bring in more talent who may have a vocational degree, may have an associate's degree, may not have any degree but some certifications, or even may not have any certifications and has just been able to prove themselves through, you know, heart and the interview process that they're capable and qualified to be sitting in that role.
- So I'm gonna get to the certifications in a moment, but you mentioned you've got a Twitch stream. Can you, you know, at this point tell us a bit about, you know, what are you doing on Twitch and what's your, you know, how can people contact you, 'cause I'm assuming you're on Twitter, places like that as well?
- Yeah, absolutely.
So we run a Twitch stream called Cyber_Insecurity. It's just cyber underscore insecurity if you go to Twitch.TV. We stream every Monday, Wednesday, and Saturday, seven central in the U.S., central standard time. And we regularly have guests from all across the industry appear on the stream. We've had the chief strategist from Anomaly Threat Intelligence appear on the stream. We've had the chief strategist from VMware Carbon Black appear on the stream. We've had a former two-star general who ran Cyber Command appear on the stream. And we talk about everything from red team to blue team. It's tailored for whether you're tactical level, whether you're at the CSO level, whether you're trying to get into CSO. We've done on-stream resume reviews, we've done on-stream report reviews, actual pen testing reports. And we've talked about how, you know, pen testing reports get interpreted at the CSO level, at the board level, and how you can tweak your writing so that you can write better for the folks who are gonna read your audience. And so it's a very well-rounded stream that kind of seeks to try to do a lot of on-stream mentorship for a lot of folks in the industry as well. We cover the latest and greatest in news and topics, and we bring industry experts on to do that. So Cyber_Insecurity on Twitch, and you can follow me on Twitter at IT Junkie.
- So I'm gonna recommend that all of you, you know, go and follow Neil's Twitch stream and follow him on Twitter. But just going back now. So I'm 17 years old, or I wish, but if I...
- (chuckles)
- ...let's say I'm 17 years old.
- Man, here we go, we're going 17 again.
- Yeah, there we go.
- (laughing)
- We can dream. Okay. What do you recommend? I wanna get into this field. I wanna perhaps go red team, blue team, whatever. Degree, you're saying don't do that, or get a certification, or just try and get experience, because I'll just preface it with this. I've seen guys bash degrees. I've seen guys bash certifications.
So what would you advise me? I'm trying to get into this industry. I might be young. I might be old. Like you said, it's great to hear the stories of, like, construction workers getting into this field, but let's say I'm trying to break into this field. What would you recommend I do in 2021?
- Absolutely. So in 2021, let me make one thing clear. I'm not bashing a degree at all. You don't need a degree, but, you know, I've got folks that I mentor that are going for a master's degree. I've got one guy that I mentioned that's going for a PhD in cybersecurity. They all know that they don't have to do that. As a matter of fact, they're not gonna make any more money by simply going for a master's degree or a PhD. It is about personal goals and personal objectives for them. And so what I would tell you if you were 17 years old is, if you want a degree, if that is a passion of yours to have a degree and to be able to have that piece of paper, then I absolutely think you should achieve one, but don't ever feel like you have to have one to be inside of this field. I think those two points are vastly different. What I would tell you, if you wanna break into this field, HR folks and recruiters are looking for folks who have hands-on experience. And so, you know, if you're familiar with, you know, like what David talks about when he does some of his demonstrations of ethical hacking or, you know, any of the other, you know, technical stuff that he does, building your own home lab, doing your own type of think-tanky type stuff is absolutely critical. Make sure you're going out there and you're participating in capture the flags, especially on the ethical hacking side. David, I don't know if you wanna mention CTFtime.org, but that's a great website where people can go and find a huge central location of capture the flags that are out there. And you don't have to have any level of knowledge.
You can literally just start there and just start that learning process and just keep track of the CTFs that you do. Go out there and participate in the communities, in the Discords, make your name out there. Start to network with folks like David and other peers in your organization. And then as you develop that learning skill, yes, start to pursue certifications at the same time. And when you look at these certifications, look at certifications, and I may sound a little cynical when I say this, but you have to realize that there are certifications that help you get knowledge and make you smarter. And there are certifications that help you get past the gatekeepers in HR. And I've spoken frequently on the gatekeepers of HR, and it is something that is a reality. We all have to acknowledge that HR is a gatekeeper in this industry. And so I'm not a fan of CEH. I've taken multiple CEHs throughout my career. I won't bash EC-Council, you know, openly like this, you know, there are definitely better things out there, but it is a language that HR speaks that I think is an inevitable reality. OSCP, you know, is a good cert, but, you know, there are better certs out there, and there are better hands-on labs out there, but it is a language that HR speaks. And so I think when you look at certifications you have to divide your time, money, and effort up between the ones that are gonna help you get past HR as a gatekeeper and the ones that are actually gonna make you smart and marketable in this industry. And I think that those two things are vastly different in this industry.
- I think that's a great point. I mean, so give me first certification. If I'm starting out, what should I do first? What should I do second? I mean, is there kind of a path or a roadmap of sorts that you would recommend? I mean, some guys I'd say, just go and do OSCP. But to me that seems like too much of a jump for a lot of people.
- It is a jump.
And I don't necessarily recommend people to jump straight to OSCP. The people who say go straight to OSCP are the people that know that OSCP is a gatekeeper for some of the most prestigious organizations that are out there that are looking for penetration testers. But if you're looking to get in on the ground floor, you know, you can go take something like the INE, the former eLearnSecurity, penetration testing student or junior penetration testing course. And those courses will not only give you a certification, but they will also give you the hands-on skills and cognitive knowledge that you need to not only get past the gatekeepers, but to also make you incredibly successful when you land on the field. And so I think if you're starting out, you've got to get as much knowledge into your head. You've got to realize that it may be two to three years before you get that first job as a penetration tester. And so whether you go to college or not is really irrelevant. You've still got to go out there and you've got to get the degree, or no, not to get the degree, get the cert, work on the labs, work on building your knowledge set up so that you can get that first job. I wanna make that really clear. You're not gonna be able to say one day, I wanna be an ethical hacker, and therefore go out and get you a junior level ethical hacker job. You're gonna have to put in a year, two or three, get, you know, an INE, eLearnSecurity, you know, certification. You know, potentially start looking at your OSCP, start to build out your extracurricular activities, whether it's your home lab, whether it's working on TryHackMes or Hack The Boxes, participating in CTFs.
But if I saw a resume today, and here's what I tell folks all the time, if I'm hiring for a pen tester job, and I had a junior pen tester on my team or a pen tester level one on my team, and I saw an INE eLearnSecurity degree and then nothing else but hands-on, Hack The Box, TryHackMe, CTFtime, home labs on a resume, I'd hire that kid in a heartbeat. Absolutely, 100%, because it's the hands-on stuff that isn't being taught outside of just a handful of certifications, you know, that are going on out there.
- That's great advice. I mean, it's, if I was hiring someone for a network position, it's the same thing. You wanna have examples of knowledge and of workin'. Hands-on is always gonna be much better. So I'm gonna push you on this now, so forgive me.
- Go for it.
- So the eJPT from INE, are you saying that's the first certification that you would recommend someone would get? Or would it be like CEH? Or what about, like, CompTIA Security Plus? What would you suggest? I mean, this is your opinion.
- Yeah.
- So what would you suggest me to go and do if I wanna break into this field?
- And again, my opinion, I think eJPT, most people can do eJPT. What I would even say is INE offers their PTS, or their pen-testing student, which is really kind of the super entry level. It's almost the, you know, I don't wanna degrade the PTS by saying it's the CEH of the career field, but, you know, they've recognized that there's a need to have a truly entry-level, you know, certification that's completely free. You can go to the INE website today, you can sign up, and you can take the PTS completely and totally free from INE.
- Right.
- Yeah. And so that gets you, you know, kind of to your point, the Sec Plus, the Net Plus, the CEH kind of fundamentals, foundational, and then, you know, then after that you can graduate up into, like, the eJPT, which then helps you start to build on top of that foundation and continue to grow up from there.
But there's no reason why you have to go take a CEH and pay for that course when there's content out there, especially through INE, that you can take without, you know, without paying for.
- Is that as well known in the industry? So, I mean, we spoke about gatekeepers and recruiters. I mean, that's normally the big problem. If you do a search on a job website, will recruiters be looking for that cert, or are they actually gonna be looking for CEH or something else?
- So that's the tricky part. Most recruiters are going to be looking for CEH because that's what they know. What I get, I have to table myself on this, 'cause I can go on a high horse about bashing HR, and we've had several recruiters on stream and we have gone on tangents on bashing HR, because HR doesn't know the difference between CEH, eJPT, or anything else. What HR does is HR asks the hiring manager, what are you looking for? That's why people jump straight into OSCP, is because most hiring managers say, well, I know OSCP, so OSCP is the bar to entry. But quite honestly, if they make it to HR, because there's so few pen testers, just the sheer process of, you know, getting to HR. Most HR folks will either have a conversation with you so that you can come to an interview and say, well, no, I don't have CEH, but I have eJPT, PTS, and all of these other things, and the recruiter doesn't know enough. He just says, well, this looks good enough and I need to fill this req. And so they're gonna pass your req on over to the hiring manager anyway. And so I hate to be a little flippant and a little cynical about that, but...
- Well, this is a technical audience, so be as real as you can. So if you have to swear at HR, that's fine, because...
- (laughing)
- Let's be honest, we're trying to help all the viewers here try and break in. So tell us, don't mince your words, as they say...
- (laughing)
- ...tell us exactly, what do I need to do to get past these guys? And I'm sure there'll be a lot of comments about HR.
How do I get past these wonderful people?
- These wonderful human resources. (chuckling)
- To get that job. And I mean, I'm really glad, you know, that you've had all this experience with the military. We need to talk about NSA 'cause that's very interesting.
- Absolutely.
- We need to talk about, like, corporate, but if I wanna break into this field, I mean, I might wanna go and work for a corporate first and then perhaps later go to the NSA or military or go red team, but tell me, how do I do this? Give me the path.
- And here are Neil's top three things. Neil's top three things are: go to INE, get in the ecosystem, start to take the stuff that's available to you that's on INE. They've got IT essentials that you can take. They've got, you know, a pen testing essentials. They've got a networking essentials. They've got a lot of foundational level courses, a lot of fundamental courses...
- And that's free, yeah?
- And that's free, that you can go and you can take, that will help you build up a good basis set of knowledge. From there, I would then advise you to continue your certification or your degree journey, whatever your heart's content is. And if that means go to eJPT next, if that means go to OSCP next, if that means go to any of the blue team certifications, blue team ranges like Cyber Blue Range or something like that, and get some of the hands-on skill there, proceed down that route. But at the same time, you should be doing the hands-on piece. And this is where the Hack The Box, the TryHackMes, the CTFtimes, all of these put-your-hands-on mechanisms come into play, and document that hands-on mechanism, because I can tell you the HR folks and hiring managers are looking for that hands-on mechanisms in their new entry, in their junior level folks. And then the third thing, the thing that you can't, you know, you're not gonna be able to find at any organization. This is something that you've got to do yourself. You have to network.
I can tell you that most of the jobs, entry level to senior level, that happen in the cybersecurity industry come with you networking. And I can tell you that I've had people reach out to me on LinkedIn and, you know, I've welcomed them into the community. I'm like, hey, I see that you're... I actually have a campaign where I go out and I look for people who are brand new to cybersecurity, and I invite them into my LinkedIn network to try to help provide them with mentoring. And, you know, oftentimes their idea of mentoring is they simply send me a message like, hey, I'm two years from graduating. Can you help me find a job? (chuckling)
- That's not networking. That's not networking. This industry is so close-knit that most people know each other. Most people, when they're looking for stuff, you pick up the phone and you call a friend or you call a CSO or you call another red team operator or you call another penetration tester, and you say, hey, I need a pen tester for this, or I'm looking for an analyst for that. And so you have to build up that network and you have to participate. You truly have to embrace that about our industry. And those are the three things that I would say that if you're looking to break into this, that's your 2021 and your 2022 strategy, is to focus on those things. I think if you're on LinkedIn and you don't have, you know, 1,000 followers in the cybersecurity industry by the end of 2021, you're behind on the networking curve.
- So I'm really glad, 'cause now you've changed the title of this video, because I was gonna talk about five top certifications, but now we're gonna call it the top three things to break into this industry or something like that. So can you just repeat that again so that it's clear for everyone?
- Absolutely.
- What are the top three things they need to do?
- So Neil's top three things that they need to do to get into cybersecurity.
First and foremost, you need to go to, you know, INE's website and you need to sign up for the available training that's there for free. That'll get you the basics for IT essentials. That'll get you the basics for some networking essentials. That'll get you the basics for some penetration testing essentials. Don't waste your money on CEH. Don't waste your money on Sec Plus. Instead, go to INE training and start there. Once you're done with that, you need to go out there and you need to look for the hands-on training that's available for free or for cheap, and that would be things like Hack The Box, TryHackMe, CTFtime.org, which is a website that aggregates capture the flags.
- I'll put a whole bunch of links below, so you can send me those after the call, that'd be great.
- Absolutely. Cyber Blue Range, all this stuff, get you some hands-on experience. Build yourself a home lab, start doing your own stuff at home that you can do pretty easily. There's tons of things out there that you can do yourself. So that's two things. The third thing is you need to network. If you are not on LinkedIn, you need to be on LinkedIn. You need to have a profile that is indicative of what you wanna do in this professional world, and it needs to start to look like your digital resume, and you need to treat your LinkedIn profile like your digital resume, and then you need to start networking with folks in this industry. And I'll tell you right now, you can network with me. I'm sure you can network with David on LinkedIn.
- Definitely, yeah.
- We'd love to have you. And then just start, you know, reaching out to folks that you know. Reaching out to, you know, folks inside the company that you work for. Just start building that network. Start small, but build that network out in this industry, and my goal for you, my goal for anybody who's listening, is get you 1,000 connections in LinkedIn in a year. In 2021, there's no reason why you can't make 1,000 connections in 2021.
As a matter of fact, I'll tell you this. You can do, I think it's 72 connections a day on LinkedIn is the max that you can do before LinkedIn starts to raise a red flag. I know, 'cause I've kind of tested that a little bit.
- (laughing)
- And so there's no reason why you can't get you 1,000 solid connections by the end of 2021, and if you focus hard on the cybersecurity industry, then when you've done all of the other two things, you'll have a network of folks that would die to help you find a job in this industry.
- That's great advice. So now I'm gonna play devil's advocate, as they say. I'm gonna push it, so forgive me. Okay, so second thing you said is, you know, we got to try Hack The Box. We've got to try these things. How do I document what I've done? So like you said, you document what you've done, but now explain to me the different websites. How do I actually document what I've done?
- Absolutely. No, fantastic, and I've talked about this on my stream before in the past as well. We've had recruiters on stream that have helped back this up, right? And when you look at a person who's come into this career field, if, to your point, right, you're the 17 year old who's trying to decide how to get into this career field. You don't have a whole lot on your resume, right? If you think about an eight and a half by 11 piece of paper, you don't have a whole lot.
- Or I'm 30, and I've been doing building, or I've been a salesman or whatever, you know, how do I break in?
- Yeah, yeah, you don't have a lot of that cyber experience that you can put on that eight and a half by 11. And so when you look at that real estate, people oftentimes fill it up with a lot of, like, you know, clickbaity-type stuff or word jargon where they're like, I know Windows 3.1, Windows NT, Windows 95, Windows XP, Windows 2008.
- (laughing) You're showing your age.
- (laughing) Yeah, exactly. They try to put all that stuff in there to try to get through the computer filters.
And I tell people, when I mentor people, I tell people strip all that stuff out of your resume, take all of that stuff out of your resume. What your resume can have instead is the Hack The Box, the CTFs, the TryHackMe website stuff. You can document those as experiences on your resume the same way you would as if you actually did a job where you did those things. So if you achieved level 9,000, for folks who are used to the Dragon Ball Z 9,000 reference, you know, if you achieved level 9,000 in TryHackMe by the time you started to look for your first pen testing job, you should document, I am in the top 10% or I'm in the top 1% of all people on the TryHackMe leaderboard. I've achieved level 9,000 on TryHackMe. I've completed 4,000 challenges in Hack The Box. I've gone to, you know, 16 capture the flag events this year and placed in the top five in half of them, right? There are things that you can put on your resume that show your outreach that I think have gone completely unnoticed by, you know, folks who are trying to get into this industry.
- So this is great, because I come originally from a networking background, and it's very difficult to prove experience in a networking background. But what you're saying to people here is, even if they've been doing this part-time, so they're in sales or in some kind of job that's totally different, is this a way that you're saying to build up experience without actually being in this industry? Is that kind of what we're doing?
- Oh, 100%. When you look at some of the entities that are coming up out there, you know, that are doing a lot of these labs online. Cyber Blue Range, TryHackMe, Hack The Box, even all the CTFs that are out there. Even this year, 2020 was an unprecedented year with the pandemic, but it was the first year that DEFCON had done all of their capture the flags 100% virtual as part of DEFCON Safe Mode.
And so this was a year where you could have participated in the DEF CON capture the flags and documented that and shown that as experience, and you didn't have to pay a dime for DEF CON this year. And so it would have been something that you could have put on your experience, where you participated in the DEF CON CTF and you did whatever else it is. Those are things that show that you're not just trying to get a cert, get a job, which is typically what we see in this industry. You're trying to get a cert, you're learning on your own, you're showing the passion for it, you're showing your ability to think outside of the certification bubble, and that is what hiring managers are looking for.
- I mean, I just wanna emphasize this. I mean, this is a roadmap for someone to get experience without actually having a full-time job, and I think that's fantastic 'cause that's very difficult to do in other sort of IT spheres. You know, how do you prove that you've got networking experience if you're not working on corporate networks? But what you're saying here is this is kind of a roadmap to get the relevant experience that someone like you would use to hire someone, without actually working full time. So I need to push you on this now. So if I was applying, well, let's assume I'm 17 or 30, it doesn't matter, but I'm new to this industry. I wanna get a job with you. You're recruiting for a corporate position or for the NSA or whatever, but let's start with corporate. Are you saying that you would hire me if I had just some basic certifications or none, but I could prove a whole bunch of experience with Hack The Box and all the others? Are you saying that that's enough?
- If we're stipulating that I have an open job req for penetration tester on my team, and I needed a penetration tester on my team, would I hire somebody who is brand new to the career field who had a cert and a ton of hands-on experience that was demonstrable inside the industry? 100%, I would do that today.
- I mean, that's fantastic because it sounds like what you're giving everyone who's watching is a way to break in without making the mistake, and I think a lot of people make this mistake, they think they have to leave their job and be unemployed to get a degree or get a cert before they can actually break in.
- That's absolutely not the case. I am vehemently opposed to that. I think this is one... cybersecurity is an amazing industry, and it's an industry that was born in technology, not to say that IT, you know, networking was not born in technology, but born with some people who are like, I want to practice breaking into systems. It is illegal to break into a system without permission. How do I actually practice breaking into a system? And we, as a community, have built companies, we've built, you know, freemium versions of things, we've built entire ecosystems that have challenged the community and been able to provide the community with the ability to practice not only breaking into systems in a legal, ethical, safe fashion that allows you to have fun and show your experience doing it, but also to defend systems and be able to hunt for bad stuff inside of a network, to be able to practice the network defense side of things in a safe, easy-to-accomplish type of hands-on, almost OJT-without-actually-having-the-job type training. And there's no need, to your point, David, to quit your job, thinking about going back to school for two to four years, you know, commit yourself to, you know, the bane of trying to get, you know, 7,000 certs just to get an entry-level, you know, penetration tester job. That's not what this industry is about.
- I'm really glad you said that because it's always a problem, how do I get experience without a job to give me experience? And you've basically given us the roadmap for that.
- Yes.
- So next thing, how do I network? 'Cause you said it's important to network. So tell me, you know, I'm a very pragmatic person.
Tell me, how would you suggest networking? You mentioned updating your LinkedIn profile here, and then, like, sending you a connection request. Any other tips to sort of network in this community?
- Yeah, absolutely. I think, you know, and I wanna preface something on networking. I think the younger generation, you know, if we use your 17-year-old or 30-year-old example, right, I think the younger generation has it easier on the networking side than the older generation like myself and yourself, right. I think when I talk to folks who have been accountants or lawyers or construction workers that wanna get into cybersecurity, they have a harder time with the LinkedIn story and the networking side of it than the younger generation does. So I think the younger generation knows how to use social media, but one of the things that I wanna focus everybody in on is, when you look at social media, when you look at LinkedIn, when you look at Twitter, you know, really focus in on, you know, what your goals and objectives are with that platform, right? LinkedIn is a platform of professional people, and so your picture needs to be not you playing at the beer pong table.
- (laughing)
- It needs to be, you know, look nice, have a nice shirt on, look kind of professional, you know, and then when you talk about yourself you highlight your successes. You're a student at XYZ university or you're a graduate. Use the headlines to your advantage. Hey, I'm looking for my first cybersecurity job. Talk about the things that you've done, you know, really use that as a platform to highlight, you know, that you're capable and qualified to be in this field. And then when you do that you can participate in groups on LinkedIn. You can engage with other folks.
When you see me post something, when you see David post something, when you see somebody you follow post something that's cybersecurity related, take an active effort to comment and to interact and engage in those posts, so that people are used to seeing your name. Your viewers, this may not be an influencer that, you know, many of your viewers may be familiar with, may not be familiar with, but there's a U.S. business person called Gary Vaynerchuk.
- I think he's very well known.
- Okay, good, just making sure. I was kind of cynical there for that one.
- No, go for it.
- If you're not following Gary V, you should definitely follow Gary V 'cause he's kinda got his strategy when it comes to growing your following on LinkedIn or Twitter. And he talks about, you know, find, you know, six people who are in your industry, comment on all six of their posts every single time that they make a comment. Those types of interactions show that you want to be in this community. You're not just here for the bells and whistles, because it looks cool, because ethical hacking is the new sexy, but you're getting people to see your opinion, you know, thank them for their experience if you want to or say, this is interesting, I never thought about this. Or if there's something that you do have an opinion on, like the SolarWinds thing that just happened last month or the FireEye, you know, incident that happened last month, if you have an opinion on those things, voice your opinion. Let people know your stance. Let people know what you've researched on the matter, right, when you've gone out there and read up on it. You know, really treat those as interactive platforms, and that engagement right there will draw people to you and will let them know that you're active and you're interested in this community.
- That's great advice. I never thought I'd hear Gary V on a call like this,
- (laughing)
- but there's no better person to follow on social media or how to use social media.
And I mean, I'll second that, I mean, it's exactly that, as Neil said, if you wanna learn how to be good at social media, look at what he does, and he's got a few good books as well. So you've mentioned LinkedIn and you've mentioned Twitter. Are there any other sort of social media platforms that you would suggest someone join and get heavily involved in?
- For the sole purpose of networking and cybersecurity, not necessarily. I think those two are really kind of the primary vectors that InfoSec uses to do communication. You know, Discords are, you know, I hate to talk about Discords being a dime a dozen, but Discords are a dime a dozen out there. Almost everybody and their brother's got a Discord out there. Discords can be a little bit of a sea of, you know, how do I find the right people. If you've got the emotional bandwidth and the mental fortitude to trawl through Discords, I would definitely encourage that. And then obviously Reddit is sometimes kind of like, you know, the overly cynical version of social media, but there's some really good subreddits that are out there that I think are worth, you know, perusing through. But I think the majority of InfoSec relies heavily on Twitter for their primary social communication with their peers, but LinkedIn is your digital resume. And so you need to make sure that your digital persona of your professional image is solid on LinkedIn, and then your engagement is active over on Twitter.
- Okay, so going back to the first one, because I wanna push you on this. Start with some INE free certs, free training. And if I had to get one certification to open the door it would be OSCP, is that right?
- As of right now, I think OSCP is the easiest one to get past the gatekeepers, you know, that's out there. I think we'll see that change. You know, I think, you know, I know this is a longer answer. I usually do yes or no's for questions like this, this is longer.
- No, that's great, that's great. No, go for it.
- I think we'll see that change. SANS is starting to price itself out of the industry. I've seen so many comments in the Twitterverse and on LinkedIn and in my peer group, and having run security operations teams, I can tell you that paying over $7,000 per person on top of travel and expenses, kind of pre-COVID, it crushes your training budget, it crushes your training budget. And so I think the tides are shifting, and while I think OSCP was the gold standard, I think INE, you know, is going to surpass them if they haven't already, just in terms of that name recognition.
- I mean, that's great. I mean, I think we've got a great roadmap, three things that someone can do very practically. And I think the most important piece that you've mentioned is the second part, which is get practical experience in your spare time. You don't have to, you know, leave your job, get this on the side, and then build up that experience. And then as you make more and more connections, and that's a great challenge that you gave, you know, get 1,000 followers or contacts on LinkedIn, make 1,000. I've hit 30,000, so apologies to everyone who sends me a connection on LinkedIn.
- (laughing)
- I can't accept any more because they limit it at 30,000. It's terrible. Same on Facebook. I mean, I can't take Facebook friends 'cause I've hit 5,000.
- Oh, well.
- I can't take any more. It's amazing. So I wanna talk about that briefly and see if you agree with me. I used to hate social media and I used to, you know, think I need to keep everything private. But as soon as I started engaging with social media, as soon as I started using it, the doors started opening. Have you had the same experience?
- I have, and when I started my LinkedIn, I was in the military and I had a top secret security clearance, and I was doing cyber work in the military. And you know, that was the very paranoid OPSEC days, operational security days, in the military.
But I took a stance that was like, you know, I'm going to control what I put onto social media, so that the image that the social world sees of me is the image that I want social people to see of me. And especially when you take that persona on LinkedIn and you realize that your LinkedIn is what your future boss is gonna look at, your future peers are gonna look at, people who are trying to evaluate whether they're going to hire you or not in the recruiting space. When recruiters are out there looking for you, when you realize that that's your audience on LinkedIn, you want that to be a digital resume, a testament to how awesome you are in this space. Whether you're just starting out or whether you've been in this space for 20 years, you want that digital footprint to look like that. I can tell you that since I've been out of the military, since we're on the LinkedIn topic, I think I've gotten two jobs since I've been out of the military by actually looking for a job on a job board and sending out a resume and applying for it. And that was the first job I had when I got out of the military in 2013 and the job that I had immediately after that. Those two jobs were the only two jobs that I've actually ever sent out a resume for and applied for. Everything else has come from recruiters reaching out to me, has come from, you know, partners at a Big Four reaching out to me, CSOs at other companies reaching out to me. That's how those jobs have come to me, is reach-outs over LinkedIn and not actually by applying for jobs in the space.
- I mean, it's a great testament. I mean, I know you've taken this to the next level. You've been on TV, is that right?
- That's right, I've been on Bloomberg.
- So I mean, they were quizzing you about, I didn't see the interview, they were quizzing you about something, I'm assuming some hack or something.
- It's the SolarWinds hack, yeah.
- Yeah, and I mean, that obviously opens up a huge opportunity for you because if people see you on television, they're gonna wanna get you involved in their next project, it's exposure.
- It is, it's 100% exposure. And make no mistake, I feel ridiculously blessed. I count my blessings every day that I've been able to grow up, and I've been able to be successful in this industry, but it's not, I tell people this all the time, it's like, you know, I've found gold and I wanna share it with literally everybody because it's not outside the region. And I'll tell you this, you can cut it in or out if you want to, I didn't get accepted into college. When I graduated high school I got turned down to go into college. I got my first jobs based solely on the fact that I was an 18-year-old kid who had, you know, built some of the first web pages for North Carolina State University, built some of the first web pages for the Wake County Public School System. This is back in the '90s when HTML was first kicking off. I was able to demonstrate for these people that I may not have gone to college, but I demonstrated being able to write HTML. I didn't get my degree until the Air Force handed me a degree, you know, some number of years ago, you know, just because you did your time and service inside the Air Force. And so I don't have a formal, you know, collegiate degree. And so I can do it. And I know that everybody else out there can do it. And I know that everybody's trying to push degrees and promote degrees because that's the society that we live in, that you have to go to a higher education and you have to go get a degree and you have to be successful. But, you know, this industry is different than engineering, than accounting, than legal, and all of those others out there, that that's just not true.
- You think I'm not gonna put that in? That's gonna be run in the beginning.
- (laughing)
- Neil, we're running out of time.
I mean, this could go on for a long time and I wanted to quiz you about, you know, SolarWinds and stuff like that. But, you know, we've only got a few minutes. So tell me, you did work for the NSA.
- That's right.
- And I think that's something a lot of people may aspire to, or may aspire to be on the other side of the fence, but let's not get into that.
- (laughing)
- So tell me, is the NSA made of supermen and people who are just, like, out there intelligent, or is it normal people? And you know, if I wanna start out, is it possible for someone like me to work towards working there?
- So I'll start with the second question first. Second question is unequivocally yes, 100%. Whether it's the NSA, the FBI, CIA, any, I don't know anybody at GCHQ, but, you know, I imagine GCHQ is obviously looking. Cyber is huge and the governments are looking...
- Big push in the UK. I'll just interject that. They're trying to get more and more people involved. Yeah, big push.
- Yeah. I mean, the governments recognize the value of getting more people who come up in this space actively involved in offensive security. So, yes, the second question is easy. The NSA would absolutely hire you without you being a superstar. I don't mean that you... You shouldn't be a slacker, but, you know, you don't have to think that you're, you know, Kevin Mitnick reincarnate to go work at the NSA. Trust me when I say you don't have to break the law and get arrested and then go work at the NSA. That's not a career path. That's not a career path.
- You're not advocating that then.
- I'm not advocating that. I know it's been televised, but that's not a career path. (laughing) If you do the same things that you would do, like what we're talking about, now the NSA being a government entity, they're gonna push you into a four-year degree. I think the government is working on trying to figure out how to solve that problem. On the U.S. side, that's something that, you know, unfortunately, you may have to fight the system when it comes to doing something like that. You know, we're still not that mature as a cybersecurity industry. Now, to your first question, there are some crazy, crazy smart people that work there. There's a team of folks, and when I was there, it was a couple hundred folks who do all of the exploit development, tool development, capability development, you know, D and T, you know, was the name of it when I was there. Who does all of the things that you read about or the things that you dream about, or even some of the crazy stuff that you see on TV? That's that team. And these are probably some, and especially on the crypto side, not so much on the hacking side, but especially on the math and crypto side, these are some guys who, if you've ever seen the movie Mercury Rising with Bruce Willis and the kid, and you've got this kid who's got autism, but he looks at a page and can figure out that it's, like, the most complicated cryptographic algorithm out there, and he could break it just by looking at it. They have people like that who, as soon as they turn the legal age of 18, the NSA plucked them right out and put them into a building with no windows, fluorescent lights and a drop ceiling, and that's where they've spent the last 10 to 15 years of their life. And so, yes, they are ridiculously smart and ridiculously weird all at the same time.
- I'm sorry, everyone. We're running out of time. Neil's got another meeting in a few minutes. So Neil, I'm afraid I'm gonna have to, like, twist your arm and get you back 'cause I want to twist your arm to talk about SolarWinds.
- Yeah.
- Could I ask everyone to put comments below, you know, what would you like Neil to talk about on another video? And should we do a live? I think he's big on Twitch, but I wanna get him on the channel as well. Neil, I really wanna thank you for your time.
I mean, please mention your social media accounts again for everyone so they can follow you. I'll put them below as well. And any closing words?
- No, David, thank you so very much for having me. It's an honor to be with somebody like yourself. Your videos are amazing.
- Thanks.
- The content you put out is really awesome. And so I'm super excited that I had the opportunity to be part of this. Would welcome the opportunity to come back on and do another and talk to your audience. For those who are looking for me, you can find me on Twitter at ITJunkie, all one word. You can find me on LinkedIn under Neil Bridges, or you can find me on Twitch every Monday, Wednesday and Saturday at 7:00 p.m., Central Standard Time in the U.S., at Cyber_Insecurity. Cyber underscore Insecurity. And just to give you a little brief on that, it's a little play on some of the imposter syndrome that is inherent inside the cybersecurity industry. It lets you know that, you know, anybody out there who's listening to this, imposter syndrome isn't just related to you because you're new in the industry or anything like that. I can tell you that I've been in this industry for 20 years, and I can cite instances as recently as a few months ago where I've had my own cases of imposter syndrome.
- It happens to us all.
- It happens to us all, and so come join a community where we try to break down those barriers. We talk about all aspects of cybersecurity, and you're welcome in a group of people that just wanna see you grow and be the best version of yourself inside this industry that you can be.
- Neil, I really appreciate that, man, that's fantastic. Speak to you later, cheers.
- Absolutely, cheers, sir. (soft electronic music)
Info
Channel: David Bombal
Views: 869,828
Keywords: hacking, hackers, nsa, ethical hacker, ethical hacking, hacker, hacking course, hacking tutorial, black hat hacking, learn hacking, ethical hacking course, ethical hacking tutorial, ceh, oscp, kali linux, oscp certification, elearnsecurity, ine, ctf, hack the box starting point, ethical hacking tutorials for beginners, ethical hacking full course, how to become a hacker, ethical hacking career, ctf for beginners, how to hack, learn ethical hacking, cyber security course, cybersecurity
Id: SFbV7sTSAlA
Length: 51min 52sec (3112 seconds)
Published: Thu Jan 14 2021