Is cybersecurity/pen-testing an easy career? See a lot of women and normies doing it

doesnt matter when they call over the phone

I'm studying to go into that field right now. I've been meeting a lot of professionals... and things I can say:

1) most tech people don't know shit about security. AT ALL. This means you have to tack security on after the fact and this is much harder
2) most executives don't understand it either, or they don't care
3) security is a MASSIVE problem, especially in america.

and yeah, you'll see a lot of shit people working in the field, that's because it has an employment shortage and 0% unemployment rate. One survey said execs feel 80% of their security employees are underqualified,

So basically, the autists here won't understand it. But its an amazing field to go in to, if you've got the talent. Hackers are a massive problem. 1trillion a year is lost in america because of cybercrime.

and, to quote Vice Admiral Mike McConnell at a cybersec conference I went to recently "give me 12 men and a six pack of beer, and I can bring down the financial system in an afternoon"

Apparently the US financial system is woefully underprotected, and in the panel "The next 9/11, cybersecurity and terrorism" they basically said it was a matter of time.

because of points 1, and 2, most organizations are severely vulnerable and very understaffed. If you know your shit, you will be paid well. Very, very well. Same goes for working hard.

HOWEVER

to be in security, look at it as knowing everything an average tech guy knows, plus some. It's very in-depth and technical.

>tl;dr - security is an awesome field. Employee's market due to shortages
autists won't understand why its a good field, and they're the reason why it is

if you don't like working for a company, you can just hack your way to riches so either way its a win-win

to add on to what I said, I used to think security and hackers were just a meme. Something that is hyped up and full of dick, however, the more I get into it, the more I'm realizing that it definitely, definitely is not a meme. It's more of a blue team sucking ass than it is of a red team being good. Plus, organizations like the NSA keep breaking everything sooo...

See, everything is so new, and such a tiny, tiny percentage of the population is literate in it. In an age where everyone is getting on the "Hurr ima coder" wagon, this is where the new tech excellence goes.

I hate people so I'm going red team, I'm going to get paid to fuck up these neckbeards, and if normies wanna mess, I'll fuck them up too.

How do I get into the field? I'm a kuso NEET but I have a CS degree and want to do something less production line

>women and normies doing it
Stop right there. Pentesting and cybersecurity is not running LOIC or guessing that your friends password is 123456.

What are the good certs to get for this shit

>this triggered
grow up, all human languages naturally use abbreviation

>There is a shortage of security analysts.
Theres like no jobs in this field tho0ugh in America. Except for senior managers.

CS degree + certs = degree. Security+ is the most common. Grab that and you can get a job.

there are TONS of jobs in america in this field. Hordes, its just that they're mostly blue team in america. That's basic info - but yeah most companies in america are understaffed

I have a report on this... quoting the 2015 jobs report by burningglass

->" Yet we are also seeing multiple signs that demand for these workers is
outstripping supply. Job postings for cybersecurity openings have grown
three times as fast as openings for IT jobs overall and it takes companies
longer to fill cybersecurity positions than other IT jobs. That’s bad for
employers but good news for cybersecurity workers, who can command
an average salary premium of nearly $6,500 per year, or 9% more than
other IT workers."

but to answer your question :

1) CISSP
2) CISA
3) CISM
4) Security+
5)GIAC GSEC

and it goes from there

the reason why I said security+ earlier is that all those other super in-demand certs require experience first. Security+ is entry level and well-respected. It's not as "high-paying" as others, but it gets you in the field.

>I have all this info because I was just researching this for a long time. trying to decide development or security

wow $6,500 a year? that's lower than i expected

Actually government shills want to see stupid machines. Let's see if lib tards change their minds

>"give me 12 men and a six pack of beer, "
Are 11 of them underage?

How do I study for the certs

Any chance of them sponsoring a Canadian?

Dude it'd hard because, aside from sec+ which is a pisseasy joke, it's a fucking mafia.

You need a foot in the door AT Blue team places, and that shit for somw fucked up reason needs a cissp. In order to even GET that you need 2 years in field AND your work has to vouch for it

Can I do this thing on my own freelance, or do I need a billion certs etc.

You don't have to be mentally handicapped in order to work in the field, no.

>all the jobs require a cert that needs experience to get
Guess I'll scratch this career off the list

absolutely none of those certs matter for real security and anyone doing VR will laugh at you for having them

How do I get into VR then?

blue team is for retards
setting up firewalls isn't security
if you can't reverse you aren't security
learn c
learn assembly
find bugs
get hired at a defense contractor

I know assembly and C, but I have no idea how to get into one of those jobs. Especially in Canada.

Whoever the hell that person you linked is, she sure has an ego.

>Calls herself the "Duchess of Cybersecurity"
>Had the audacity to register a trademark for it

do ctfs, a lot of VR people are in that community, go to REcon in montreal, a lot of locals go to it, learn to find bugs via shit like pwnable.kr
idk any of the canadian defense contractors
a lot of companies you don't expect will pay for VR work though, a lot of embedded device places like GE

there's a lot of charlatans in security, she's one of them

I'll gonna do it user, I felt hopeless looking at those cerrs but I know C and assembly and know with practice I'll win CTFs.

I'm going to make it.

Those certs are almost completely irrelevant, they're for IT people who want to larp as a hacker, you can also sell bugs yourself, it's a bit harder to do, but companies like zerodium will facilitate sales for you until you actually establish a relationship with a real defense contractor

This sounds so perfect for me.

Thanks a million, I'm going to sign up for all the events and make a name for myself. I'm an actual engineer not an IT guy, this all felt so tradesman for what it is.

Can confirm, I have my CISSP and Sec+ but I don't know anything too technical. They pay me way more than I'm worth so I guess I'll just keep riding this gravy train until the biscuit wheels fall off.

That sounds boring as hell man, how do you manage to do an easy job like that?

I just don't get it, where is the competition. Don't you want to be the best?

Does anyone know any good forums for learning Vuln Analysis?

So it's impossible to get into this field?

I work in infosec in Minneapolis. Got into it through CCDC where I was scouted.

It's fun, we do a lot of web app testing/sql injection/phishing/etc. Almost all our clients have the same vulnerabilities so it can get pretty repetitive.

PTH, here. Missing CLM there. SMB signing disabled, normie users having local admin access, etc.

Same guy again, my starting salary was 65k if anyone cares.

Is cyber security a better field to go into over networking? Aside from my degree I was honestly going to go all in on networking and try and get as many certs for it as I can...

Ok guys, I'm in a company as a helpdesk dude with a lot of free time in my hands. The company has way too much sensitive information with 0 protection. What should I do/know to make them fire the 3rd party guy responsible for the security and hire me as their in-house security guy?

>6 pack
nah son, I'm gonna need a 30 case if I'm gonna be hacking that kinda shit

How much is that net salary, per month?

I think the best way to illustrate the severity of it is to speak in terms of revenue loss and clients having their private information being stolen.

HR and executives love hearing meme words like "hackers", "viruses", and "ransomware." Just tell them that if a hacker gets a hold of that data, it could cost the company millions and tons of bad PR in the media. If you can coherently communicate that with them, they'll take you seriously and may even promote you.

people who are actually working on eliminating entire classes of exploits are mostly silently ignored
it's a sick world we live in

Well, I'm pretty poor with finances. XD I pay around 1100/month in rent for a relatively small apartment in the city. Also have a muscle car I'm restoring and 2 older motorcycles so I'm content with where I am. No way I could afford a girlfriend right now though. XD

I make just barely under 2k every other week.

Nah it's pretty easy, freenode has a huge security/CTF community to learn to get started
Weaponizing cves is a good way to start too

How do I get in touch with them?

I work in Third Party Risk. Our assessments are not overly technical as they cover a wide range of things from physical security to HR security. Our vendors wouldn't let us get too deep (like pen testing and vulnerability scanning) even if we wanted to.
I understand basic networking and security concepts but never really had to apply it because of the positions I have worked. I am sort of working backwards to cover that though, looking at taking networking classes and maybe CCNA. The only programming class I took in school (Java) made me realize I would never want to get into coding or anything of that nature. I like my job and it's fun to assess different vendors that provide us different services and write findings based on whether they follow our policies or not.

Join the channels for ctfs, talk to people while you play, establish relationships with them, ask to play with them another ctf

I mean more are there any good channels to lurk

I'm in my colleges, ##re, #pwning, a number of CTF event channels, and the binary ninja slack, the main way to find them is to join the channel for the event going on tho

Where is the best way to find events?
I want to get good enough to not do boring cert work and really use my degree.

What's the best way to learn assembly in a practical manner? Don't say "personal projects" because I have none and can't think of any.

Implement the C standard library in assembly.

Code a video game in assembly.

Make pacman, then make doom

Get sec+

Seems like a hard field to get in outside the US

When I look at Jobs on indeed all of them ask for certs

>cybersecurity
CRINNNNNNGE

>pen-testing
CRRRRRIIIIIINNNNNNNGE

Ctftime

ya gotta factor in all the do-nothing military jobs

in case ya'll aren't aware, don't ever go into cybersec directly under the military, its career death

start by taking any dicks out of your ass

"know people, that's how you get hired" - that is what industry professionals have told me. Talk your way into bits. Go to local conventions & conferences. Network

"doesn't matter for real security"
>refers to top qualifying certifications base on data-backed research quanifying thousands of job postings

Blue team isn't security
Setting up firewalls isn't security
If you aren't developing, researching, or weaponizing you aren't doing real work

While I'm studying to be a real security person, do you think I could make money on the side freelancing to local businesses with sec+ and an engineering degree?

Do I even need to waste money on sec+

I work at a fortune 500, dropped out of college, have 0 certs to my name
The majority of my coworkers are college dropouts with 0 certs
You can probably get some side work doing pentesting, it'd be hard to get clients without having something to prove your worth already though, I.e. company name. Doing bug bounties is decent money if you can get good at it, I know a few people making 200k a year from it

How much do you make?

blue team is a lot more than "setting up firewalls" you autist. That's part of network hardening. What about... ya know, the entire rest of their jobs?

Are you stupid or something?

Blue team is literally everyone who catches the reds. Yeah you have your basic fucks who just watch wireshark, but even that takes an in-depth understanding of what a live attack looks like. Hunting for APT's... that takes real time. Sure, nmap will throw errors on an IDS in standard cases, but every "sophisticated attacker" already knows that, so they take that same nmap command, and spread it out over a month. No IDS will detect it then, but a blue team might.

And what about digital forensics? That's incredibly in-depth and they get paid very well too. Are those people not in "real security"

you're a fucking autist

130k

Running software other people wrote is not security sorry
I'm sure you're a great SharePoint admin

So you're telling me you built everything that you work with?

Really? You designed the kernal your computer runs on? The languages... those compilers, you wrote those too?

In tech, everything is just about levels of abstraction.

And when did you hear security was about writing software? What about breaking encryption... ? What about... idk, literally every other job out there. You're fucking retarded.

You're a security researcher, as you've said before. And yeah, that's one field within the security industry. There are many.

And that's the funny thing about security that people don't understand, it's not a field, its an industry. It contains fields.

A weapons researcher like this autist is not the same as the cyber paramilitary who learns how to use that tool and thouands of others. I just wrote a report on cybersecurity's affect on society.

They're estimating 7 trillion/yr in cybercrime damages by 2020. To give you a reference, the World GDP was ~75 million, so that's a significant amount of all money out there being moved around by this force.

That, combined with all the other functions is why I'm going in. It's the perfect market to make money. Lots and LOTS of money.

And if you can't get hired, well, you can always get money somehow

yes, you don't need to be a real hacker, just know about networking, tcp/ip,
windows/linux sys admining and using pentest tools, that's all.

and this right here. the security industry is a joke pretty much.

if you dont have basic creativity then sorry hacking isnt for you and even programming,
it will all be tiresome for you.

This shit is hard

Pretty sure he's saying if you're a skiddy you're not a pro.

>Is cyber security a better field to go into over networking? Aside from my degree I was honestly going to go all in on networking
if you like networking, you probably won't like security
it's all policy bullshit and trying to get people in an office to abide by rules they hate

stick with networking, you're rare*, you're valuable
*above ccna, even helpdesk often needs ccna to get hired today

you're fucking retarded
god forbid people use windows or linux because they certainly didn't write that themselves now did they

>LARPing this hard

So which guy is right here?

Is security interesting or just sysadmin+

I love finding exploits in programs and reverse engineering but I dunno if there is a market for that or if I need a bunch of jew certs.

You literally have no understanding of how computers work, you think you do, but you don't
You act like a security professional but you have 0 knowledge of the operating system, you couldn't write a memory manager or scheduler to save your life, you have no idea what an exception is, how kernel passes execution and context to a usermode process occurs, you're literally no different that tier 1 tech support. IT people are literally people too stupid to understand the systems they're offering to diagnose, and that's what you are as blue team, glorified IT
Searching splunk is not security
Setting up gpos is not security
Sorry you can't larp as a hacker when you don't understand what xor eax, eax does

Did you just assume their ability based on their gender?

How do you work red team independently, without breaking the law?

>how kernel passes execution and context to a usermode process occurs
how does it occur tho
when the scheduler switches processes does it just set up different descriptor tables and sysret back in?

Bug bounty, game hacking, 0day vendor, younot give a fuck about what's legal, considering the government does it themselves

>younot give a fuck about what's legal, considering the government does it themselves
I don't want to get arrested user.

It depends what you mean, running scripts that you didn't write and doing analytics/reports would be very easy yeah. The R&D side of it attracts some of the brightest people at the best universities.

bytepointer.com/resources/pietrek_crash_course_depths_of_win32_seh.htm
It's a bit more complex than that, there's a good intro though

redpill me on 4K vs 4M pages

Larger pages = faster tlb lookups
It isn't really relevant in consumer computing

Proffessionally into cybersec here, working for a major company (tech company) under a great guy, 1 year into it so far, here's my experience
>I got easily hired after getting sec+ and an electrical and computer engineering bachelor's, with master's into reverse malware engineering
>You generally get hired easily as FUCK if you have a CS degree and a bunch of technical knowledge and a cert to prove that, but most times you can get hired on a CS degree alone and learn along the way, the field is fucking starved
>there are a bunch of career paths, id suggest NOT working for the government for ethical and salary reasons, and to avoid startups like the plague, unless you're starting it and you get the lions share
Now back to me
>80 hour weeks, that is 50 hour weeks in office, 30 hours monitoring stuff from home
>20 hours a week minimum to git gud
>$80k starting, if you live through it for 5 years or so and can get a senior position you can easily into a security architect and start making $130k+
>As a newbie your team leader more or less places you as a shield against small shitty bugs/attacks/exploits/usual shit, so he and more experienced members can work on the big shit hurting the company
>his job (my hopefully future job) is to research shit that hurts the company and make the execs buy into it, execs generally try not to spend money so you definitely need people skills
>The first year or so is either literal HELL if you dont like the subject, or the next love of your life if you do, as you'll get accustomed as shit on fixing up the day to day stuff and get extremely profficient at it while doing somethingyou love
The long hours and pay dont even matter that much to me, I just love being paid to act like a tinfoil all the time

There are programs where you can do it and get paid. Facebook has a bug bounty program. Github, etc. Also check out bugcrowd.com/

If you didn't know about bug bounty programs, you're far from ready.

I act like a tinfoil all day.

I actually interviewed with the government, but backed out of the process after I realized it would involve being evil. I'm thinking of going private now, I really want to do a startup doing work to secure small businesses, but don't know how to prove to clients that I know what I know.

OSCP
Its the big dick cert for a reason, and any Google search can prove that to anyone within seconds

mofo im Albanian whats ur beef with me?!