Mentorship Monday - Discussions for career and learning!
from shellsharks@infosec.pub to cybersecurity@infosec.pub on 13 May 2024 13:09
https://infosec.pub/post/12237727
Weekly thread for any and all career, learning and general guidance questions. Thinking of taking a training or going for a cert? Wondering how to level up your career? Wondering what NOT to do? Got other questions? This is the time and place to ask!
This thread randomly came across my timeline, so yeah why not!
Does anyone have any good resources on “general” cyber security information? Like total Cybersecurity 101 stuff, especially for mid to large sized company infrastructure? I’ve done a bit in school but I could totally use a refresher on all of the concepts.
Officially, I was put into the Role of “Cloud Security Engineer” at work. No one really knows what that means yet, the Roles were handed out last August. There are some AWS specific resources on that and they’re nice and all, but they kind of assume that general security knowledge already exists. I’m a bit in over my head I think lol
We’re all in a bit over our heads. I suspect that anyone who doesn’t feel that way is unaware of the threat landscape, or just isn’t paid enough to care.
That’s a big topic.
It’s hard to go wrong with a well reviewed “Security+” study guide. Hack the Box, SANS, and Cloud Academy have good resources.
Personally, of the paid resources, Cloud Academy is my current favorite.
You’re in luck! Cybersec people, for the most part, love sharing what they know/have done with each other. Many believe in freedom of information and find value in open collaboration. We just wanna show you the whacky thing we did with what we had.
The biggest resource I’ll share with you is membership with ISAAC. Find whatever category you fit into here and push to get your org membership, if you don’t already. This puts you into a huge working group with your industry’s peers, and they will have all sorts of resources for you to use, including discussions, meetings with pros, etc.
There’s also SANS, who has some free stuff (check their Reading Room) but also has classes (paid, expensive, but veeery worth it imo, again if you can get buy-in).
Outside of the paid membership options, there’s still a lot of good options:
MISP is a great threat intel sharing platform, but will require some setup as a product (free && opensource). Take this one slow, you don’t want data leakage. Start small and locked down, gradually open up as you gain buy-in/trust/confidence.
Cybrary IT is a free+paid learning platform, good stuff here - lots of diversity including business stuff
OWASP - more so for web-app security, still good knowledge to add to that toolbox
OpenSecurityTraining - heard some good things about this site, I think you may enjoy it - I have not used it myself, but please let me know if you have any problems/reasons you don’t like it.
Then there’s always the classic CTF/Hack Challenges websites out there which let you get real experience with red-teaming/bolstering your knowledge of attacker TTPs (Techniques, Tactics, Procedures):
HackTheBox - challenges for practicing your skills. No hand-holding, just a sandbox for you to play in. They have academy offerings (paid, and a new service, recommend skipping unless you can get buy in from the company/have a team who would benefit from a bulk-license purchase), regular free boxes to challenge yourself with, etc
TryHackMe - this one is also CTFs, but it’s more so lesson-based/training stuff
Heard good things about KC7 as well, seems to be more threat hunting/blue team focused (blue team = defend, red team = attack)
LetsDefend - Free + paid options, more blue team stuff, great for SOCs which may or may not hit your mark.
Hope this helps you out. The biggest thing is getting integrated with the community, reading the news (religiously), and managing burnout. Security is an uphill battle, but we roll this boulder for others who cannot. Respect your body and take care of your mental, or you will burn out and scar yourself. LMK if you need anything!
Forgot to mention the NIST Framework, oy vey. This one is pretty good and is an excellent resource, albeit rather scary lookin’ on the surface. Very good resource, and will definitely net you some cred in your org.
@stevedidwhat_infosec@infosec.pub dropped some great resources. I also typically direct people to this resource I wrote a few years back in terms of “getting into infosec” shellsharks.com/getting-into-information-security.
I could use a resume review.
I’m a security architect in the public sector, state government. I started as an entry level sysadmin around 2000. I’m being strongly encouraged to apply for the CISO position here. I’m 46, and currently lead a team of 3.
Every time I apply for the private sector, including lower level jobs, it’s crickets. If I apply for govt work, I get people banging on my door.
How do I get a resume review, or someone to point out what I need to make the jump from govt to private sector?
It’s an odd position to be in; I work in the private sector but my company deals almost exclusively with government and NGO contracts, so at times I feel like I’m public sector.
What I’ve noticed is that even though the desired outcome is nearly identical for both sectors, the buzzwords associated with each are what determine who responds to my job applications. As an example:
Private: IaC and Policy-as-Code, supply chain and software composition analysis, SAST, DAST, etc.
Public: Compliance automation, risk management frameworks, risk quantification (this one has generated a lot of excitement recently), etc.
This is purely anecdotal, but you may find adjusting your resume to include some of these buzzwords as applicable to the industry to which you are applying may help you get your foot in the door.
To reiterate: yes, I know that in the end all of these companies strive toward the same goals, whether it be passing audits or being able to demonstrate prudent security practices to clients. Still, sometimes the hiring manager is looking for specific terminology and will discard any applications that exclude it.