1

At the moment, I am going into my sophomore year majoring in Cybersecurity at a state university. Overall, the learning process has felt slow compared with others my age. While the courses I am taking at college are teaching me many of the fundamentals of infosec, such as networking and data organization, it seems like I am missing out on the element of real-world experience that so many people my age seem to have.

For example, three years back, I met a guy at a Cybersecurity Camp who was already well versed in subjects like vulnerability testing and cryptology, or at least for his age. I had asked him how he had already acquired so much skill by just his senior year in high school, and he recommended that I go to as many "competitions" as possible. The problem is, most of these "competitions" seem to have some sort of prerequisite skillset needed for entrance.

Another example is the NSA's requirements for employment on their website. They allude to only accepting the "best and the brightest." For a summer program they offer, the description reads:

The Cyber Summer Program (CSP) is the National Security Agency's (NSA) premier outreach effort to the very best undergraduate and graduate computer science, engineering, mathematics, network security and information assurance students in the country. Each summer we invite up to 24 exceptional students to participate in a 12-week program where they work together, and in teams, directly with NSA technical professionals on mission-critical cyber-related problems.

Where on earth do these people get the experience necessary for something like that? I understand that I have a lot more to learn in my college career, but it just feels like I am stuck in a rut compared with so many others out there.

schroeder
  • 4
    I've seen this theme quite often regarding hackers and infosec folk not being able to specify where they learned what they learned, and I think it's because no one resource is being used. It's often as simple as looking things up and being eager to learn more. – forest Jul 26 '18 at 01:46
  • You can never catch up. – Shurmajee Jul 26 '18 at 04:17
  • It depends on exactly what you want to learn. CTF? Pentest? Incident Response? – isopach Jul 26 '18 at 05:12
  • 6
    The answer is simple: they spend countless hours studying far beyond their coursework in certain areas that interest them. – schroeder Jul 26 '18 at 08:30
  • 1
    While everyone here feels for you (and has likely felt the same way at some point, or multiple points, in their career), this question is not a good fit here. How those people gained experience? We do not know. How the NSA expects people to get experience? We do not know. How did we gain our experience? In a million different ways. The common point is that we picked 1 or 2 areas that interested us and that became our lives while we went to school, worked, had families, etc. – schroeder Jul 26 '18 at 08:42
  • If you search the [professional-education] tag here, you will get a lot of answers and comments that might help. Like https://security.stackexchange.com/questions/7726/how-to-improve-as-a-security-expert – schroeder Jul 26 '18 at 08:45

3 Answers

1

Getting the skills in an area like this is 90% personal effort. My courses in Computer Science gave me a basis: networks, coding, databases, virtual machines, setting up simple web services, etc.

Coming to security-specific approaches, we had some mentions or some tasks we had to do over some assignments (SQL prepared statements, SSL certs, learning how to apply a rule in iptables, etc.). Those little things could give someone a kick-start, but becoming more than a hobbyist needs more. I needed a challenge, something to make me start thinking "how do I use all these?"

I found sites with security challenges and live machines I could attack. I tried. I was failing, googling, failing again, googling again until at some point, I found a solution! 1, 2, 3 times you learn a few tools and create a methodology. You keep on playing and expand it and learn something new all the time. And someone could say "yeah, it's a CTF challenge, you don't see those things in real life". True (you usually see even worse). But it's the way to get a grasp on things, so when you join a team or a company you can have a basis to get learning even more technical stuff.

Make yourself a lab, join a few CTF sites and learn how it works.

schroeder
Chris Tsiakoulas
0

Not sure if this question is in scope here, but I will offer my experience.

At my last job I was the hiring filter for our team, so I was the first technical person who interviewed all 6 people who joined our team during that time (and about 30 more) and read dozens of resumes. It was a 100% red team, which is rare, and a bit of a cyber dream job. Before that I worked for a huge Fortune 100 in their online business, so network security for 15k servers across 2 data centers working hand in hand with the infrastructure teams. Before that I worked in a NOC for that same company. I feel I have a solid view across the industry.

All of that said, while doing interviews and hiring, we turned away 2 doctors of cybersecurity, multiple masters, and many, many others. From a technology standpoint, I've got a surprise for you: I was not interested in "cyber."

One of, if not the, major complaint about Sec. professionals is that they run tools and don't understand technology. I personally know many Sec Profs like this. Getting into "cyber" because you want a good job in a field that is lacking people is -the wrong reason to be in cyber-.

This field requires a huge knowledge across multiple areas of technology. If you are a puzzler, hardware nerd, coding freak, you're already ahead of a lot of cyber pros. If you have a Dr. in Security but don't understand how curl works or have never logged into a switch, there is a huge problem.

My advice: Stop worrying about "cyber." If you've never stood up DNS and DHCP, if you don't understand how TCP/IP protocols work and networking, if you can't build a computer--don't bother with competitions. Get your A+, learn to code on Codecademy (I recommend Python, but if you've got the guts C++ will teach you way more), buy a few Raspberry Pis and a small switch and set up your own home network. Set up a DNS server and create your own URLs to point at a webserver you stood up. Use another server to build Python middleware. Stand up a MySQL database. Read up on LAMP. Etc. There is so much you can do and so many ways to make it really fun and interesting.

We (the industry) will teach you the tools. Learn the tech. Have fun. Don't count on your college to teach you what you need to know. I've seen a lot of programs that are sub-par and exist because of the job market and not the technical need. Get obsessed about tech and the rest will take care of itself.

Edit: if you haven't already stood up a Metasploit VM and blown it apart, that is also helpful, fun, and in line with what you're learning. Just make sure to keep digging till you understand how these attacks work. Good luck! You got this, we've all felt behind in tech at some point.

bashCypher
  • "If you are a medical doctor who has never picked up a scalpel, there is a huge problem." ... unless you are a psychologist. "cyber" is a massive field and there is far too much to study to expect such specific experience in any one thing. I get that certain job roles require particular experience (e.g. surgeons and scalpels) but be careful making such sweeping statements. – schroeder Jul 26 '18 at 08:34
  • @schroeder I never said -not- to do his classes. They are already in "cyber training." They asked how to "catch up." Also my response is directly in line with "is a massive field and there is far too much study" so honestly, I'm confused about this comment. – bashCypher Jul 26 '18 at 16:08
-1

You won't become a cybersecurity professional by attending college or participating in camps. That will make you a beginner at most. You should do some cybersecurity courses that offer professional certifications.

Here you can find a good list of them.

CCNA-Security and GISP may be a good start.

Overmind
  • 3
    Certifications make you a non-beginner? Did you really mean to imply that? – schroeder Jul 26 '18 at 08:37
  • 2
    Can I also note that if you take anything higher than CCNA Security (as per the course list), you will actually end up learning mostly Cisco products, as it is a Cisco exam, which can be helpful but only when working in a Cisco environment; specialised knowledge is good when you're not a beginner. As for the CCNA Security itself, it's okay for "beginners", but again a lot of the questions you will get in the exam will be about Cisco products, so I am not sure if that will be that useful to someone starting out. Also +1 on schroeder's comment. – Jul 26 '18 at 08:39
  • 1
    Of course everyone orients their certifications towards what they need and want, but it's a good start point and way above any college material. – Overmind Jul 26 '18 at 11:56