Background
Hi, I'm Ashley Kang! Here are my 2¢ on getting started in cybersecurity. My perspective is shaped by my experiences being a grad student in computer science, interviewing for cybersecurity internships in 2020 and 2021, and interning as a security engineer (product security) at a start-up and a security consultant (application security) at a Big 4 accounting firm. While there may be a lot I cover here, there's a lot more to be explored!
Information security (infosec) professionals are often categorized into red team (penetration testing, etc.), blue team (DFIR, malware analysis, threat hunting, etc.), purple team, governance/risk/compliance (GRC), privacy, and so on, so what to learn to become a cybersecurity professional may vary! Perhaps a start is to consider whether you'd be interested in an offensive or defensive approach to cybersecurity problems. Also, depending on the maturity of security at a company, you may see different types of security teams like offensive security, application security, detection and incident response, product security, infrastructure security, and corporate/enterprise security. Whatever you end up doing, it will be helpful to understand how your work fits into business needs. Asking what the security organization looks like at a company is a great question for the team you are interviewing with. Some security teams at companies like Google, Bishop Fox, and Cloudflare have public blogs that can give you a better idea of what someone in a security role does there (and what you might like to do)! I also recommend looking at security job postings and noting what kind of job descriptions sound interesting to you.
Foundation
An approach I heard from a former coworker and mentor (who transitioned from software to security engineering) is to build off what you know already. My background is in web development, creative computing, and software engineering, and cybersecurity has without a doubt strengthened my understanding of these technologies! My formal introduction to cybersecurity has been through my MS in CS program, specifically my elective coursework in network security and web security (and soon digital forensics), so I can't really vouch for the quality of classes outside of my degree program other than by word on the street. However, I believe it's important to start with high-level concepts and from there, dive deep into a topic at a time and build your toolbox. Sometimes, the tools won't catch everything, but you can.
- Network security
  - OSI and TCP/IP models
  - Protocols (DNS, HTTP, TCP/IP, etc.) and vulnerabilities of each layer
  - Resources: The TCP/IP Guide (book), Julia Evans' comics
  - Tools: Wireshark, Nmap, Bash, etc.
- Web security
  - OWASP Top 10 - OWASP Cheatsheet Series, Cloudflare
  - Resources: The Web Application Hacker's Handbook (book), The Tangled Web (book), HackerOne Hacker101 CTF (exercise), PortSwigger Web Security Academy (exercise)
  - Tools: Burp Suite, ZAP, etc.
- Other suggestions to find your niche
  - Intro Sec Con talks on security foundations
  - Non-exhaustive list of security areas: malware analysis/reverse engineering, cloud security, cryptography, mobile security, AR/VR/mixed reality security, IoT security, social engineering/OSINT, digital forensics, industrial (ICS) security
  - Red team (attacker approach)
  - Blue team (defender approach)
  - Purple team (offensive + defensive)
    - Tanya Janca's "Purple is the New Black" talk
  - Common early career roles
    - Security Analyst
    - SOC Analyst
    - Security Consultant
    - Security Engineer
- Technology stack
  - Operating system - Kali Linux and Parrot OS come packaged with security tools. Instead of going into why you should use one OS over another for hacking, I believe understanding the pros and cons of any operating system (Windows, macOS, Linux) from a security POV is helpful, as well as working with virtual machines like VirtualBox. Getting really comfortable with the command line and setting up your own home lab for hacking within a contained environment would be worthwhile practice!
  - Programming languages - In security engineer job descriptions, I've seen languages like Python, Go, C/C++, and JavaScript as well as nice-to-haves like AWS and Kubernetes. I've used Python and JavaScript (Node.js) in my security projects. You may see more languages out there like Java, Ruby, even Assembly. The point is that no two security teams have the exact same technology stack. This is a great question to ask a team you are interviewing with! Coding should not be treated as a requirement to be a successful infosec professional, but it only helps a security engineer to know how to write and review code for security decisions.
- How others have done it
Experience
These suggestions are inspired by the Friday Hack Days that were hosted by my campus club, Offensive Security Society, in 2019. Also, I've often been encouraged to blog. I recognize that keeping a blog is not an option everyone should be expected to have capacity for, but it may help you keep track of your learning better than anything else. This may also serve to help you stay ready for interviews so you don't have to get ready!
- Capture-the-flag competitions
  - Beginner-friendly CTFs - Ian Coldwater's thread
  - Stay tuned for infosec conferences like DEFCON and Diana Initiative; many of them come with CTFs and have moved online given the pandemonium
- Bug bounty hunting
- Penetration testing
  - Hack the Box, PentesterLab, TryHackMe, PortSwigger Web Security Academy
- Security research
  - Pick an area of security and get to know its attack vectors and defenses. My interest in cybersecurity actually began in undergrad with a research project on digital security products like PGP email!
- Certifications
  - Security+ to start may help you bypass the HR firewall, namely for government jobs
- Classes, workshops, and trainings
  - Community college courses in cybersecurity (like Merritt College in the Bay Area) - Sam Bowne's free courses
  - Udemy courses - Heath Adams, Ben Sadeghipour
  - BSides local chapters - They often post recordings on YouTube!
  - OWASP local chapters
  - DFIR Diva's resource roundup
  - On Twitter, I often find some amazing class or training offerings that are free or affordable (Black Hills Information Security, etc.)
- Communities
  - Day of Shecurity (for women) - October 2021 registration
  - Women's Society of Cyberjutsu (WSC) has been leading quality workshops since pre-pandemic times!
  - We Open Tech - They have members-only workshops!
  - WiCyS and local chapters
  - WISP
  - WoSEC
- Conferences