Can anyone with experience in cyber security attest to the value of the recommendations given in the article? Are certificates really that important? Is the roadmap a good roadmap to follow if one wants to get into cyber security? Any other recommendations for a beginner?
I've been in security for the better part of a decade. I have none of these certs (I have no security certs at all). The OSCP is the only certification in this list that I've ever even heard of being part of hiring discussions, and even then I've really only ever seen it required/desired in penetration testing roles.
In fact, this article is very narrowly focused on penetration testing-type roles. There are a whole host of other security roles that require all kinds of different skillsets which aren't even mentioned here.
If you do want a penetration testing role, I don't see anything wrong with this roadmap other than the fact that it over-emphasizes the need for certs. Like all other types of roles, some hiring managers might be part of the "certification chaser" crowd and might require certs for candidates, but IME most don't care and someone not having a cert has never stopped me from hiring them, and quite frankly if someone does have certs it doesn't make me any more inclined to hire them.
I've spent much of the last 15 years hiring pentesters and not only have I never considered OSCP, I've never talked to a peer that did either. It may be a big thing with body shop netpen firms; don't work for those.
You’re probably in a tech company. Most security jobs (most software jobs, period) are in non-tech companies: insurance, healthcare, auto parts, you name it. In most of those roles, certs are very helpful if not mandatory to even get your foot in the door.
As someone who’s gone deep down the rabbit hole of trying to learn this stuff, I’ll give this advice. Focus on learning computer science, computer architecture and networks as a foundation.
Learning all this technology without understanding the fundamentals is a waste of time.
Most certs are overrated. They don’t actually test your understanding that well. The people who care a lot about certs are people who you probably don’t want to work with. They’re just a way for the IT guys who run the cert programs to make extra cash. By all means, if your company is willing to pay for cert training get it but don’t waste too much time studying for them.
Absolutely echo this. You need to really start with the basics, and focus on understanding (i.e. asking yourself) *how* and *why* everything works and happens.
In order to find vulnerabilities, you need to understand how a system works, and how all the parts that lead up to it work. You'll ultimately want to understand how $high_level_language ends up as bytecode that executes on the CPU, and if/how you can modify/manipulate that. And a bit about the underlying hardware and electronics never does any harm for some rowhammer type attacks.
If you want to defend and secure a system, you need to understand it, and all its dependencies, and the assumptions it makes. You'll want to understand the hardware, and how it's secured etc.
For networked systems, get a really good understanding of TCP, UDP and IP. Learn how firewalls work.
The aim is to get to a point where you know the fundamentals and how things work to the point there's no "magic" in how the computer works - you know enough to explain a PC from reset vector through to UEFI, bootloader, OS load, software load, network exchanges, etc. And similar for an IP network - you want to know everything about subnets, how VLANs work, how tagging works, how 802.1x works, how WiFi works, etc. And this is just the start!
You'll struggle to secure something you don't understand - this is why $bigcompany can't secure their basic IT network - those responsible didn't understand the basic principles, or how the moving parts worked (either on their own or as part of the bigger system), and it ends up compromised by someone who does understand those principles.
> "Cyber Security is one of the most expensive fields, You are required to do a number of exams and certification. Unlike Software Development, These certifications are very crucial, They are more or less like a "Get out of jail free" Card."
This is terrible advice. You don't need lots of BS certs to get into security.
The only cert here worth doing is OSCP, and even that has lost respect/value in recent years to rampant cheating and answer sharing.
Agreed, and I have a variety of these (certifications).
Most of the top tier people that I know in cyber security are not certified professionals, but rather people that have deep knowledge in their area of expertise with the ability to apply security knowledge to it.
The list of certifications is bad because:
- it only focuses on offensive security work, which is a small part of the actual field (there is the entire blue side as an example)
- it focuses heavily on the software side of the house which is once again not the entire field (more than a few places have been popped due to infrastructure misconfigurations and issues)
- it ignores many common enterprise environments that use things like Active Directory, Okta, EUA, SSO, etc. These are things that you will encounter and must know how to work with or secure if you are a generalist in the field (if you're specialized you may never touch these things at all).
In short, this is good if you want to be a consultant doing generic penetration testing but not much more than that. They may also serve as HR checkboxes for recruiters that do not understand the job requirements.
Certifications are far less important than this article makes out - this roadmap seems to really just be a roadmap of certifications for some reason, rather than a true roadmap for a beginner. If you focus on certificates, you won't gain the rounded knowledge you'll need.
You don't need certifications at all to do well in the sector - people are still judged on their merits (and previous gigs), as there's a broad recognition, by those who are any good at least, that certifications are very prescriptive and don't signal quality. I have none, nobody has ever asked about them.
The recent scandal around some large security companies sharing cheat-sheets and answers to certification exams [0] shows one reason people don't trust certifications.
Some "customers" will want certifications, generally those that have no clue about cyber security, and who therefore have no clue what they want. You might find it hard to break into those kinds of roles in the first instance without some kind of certification, however once you've got some experience and track record, you tend to find they go away.
As someone who has done hiring for various cyber security roles I can tell you that I only look at degrees and certs when the role is more junior and I get more excited seeing someone with a personal tech blog than any degree/cert. After junior roles I will usually simply have a conversation with the applicant and ask them what they have worked on in the field, the conversations tend to feel very natural when the person is legit with their knowledge level.
Haven't commented in an extremely long time, but I'm popping in to voice my opinion here on two specific certs in that list: eJPT and eCPPT.
Those certs are for self-study only; the applicable value for them in the hiring process is non-existent. No one knows who they are or what they do. I used to be a huge advocate of those certs until I actually bought them, then I immediately regretted it. It's been a few years now, but I had an awful time with the latter: buggy, filled with errors, typos, non-working software. Back then at least, you had to spend hours fiddling with the settings just to get it to work at a base level. The eJPT itself is extremely basic; it's just using like 5-10 basic techniques to retrieve a few flags' worth of info. Really didn't like how the modules were set up. The main resources are PowerPoint slides to cover all the text info, then you may have an occasional few-minute video that barely explains one topic. The labs would come with lab guides that were all but useless. The authors are Italian, so typos and grammatical errors are rampant.
Curiously enough, back when I bought them, they sold their courses individually and they were insanely expensive. Looking at them now, it seems they went away from that and now offer a one-for-all subscription of 2k/year. The eCPPT alone cost me almost that much back when :/
Since then it seems the company has kind of given up. They used to be pretty active on social media trying to advertise themselves, now they barely ever post. It's like they've given up and are just maintaining the content they have until the ship sinks.
If you can get your company to pay for the subscription, go for it. If for nothing else, just the collection of powerpoints and curated information. Other than that, I'd stay away.
Certs are not vital, but OSCP is well known and highly regarded.
I haven't heard of any of the rest, beyond CEH (the "joke"), and OSCE (just next-level OSCP).
A lot of people do get OSCP (for its perceived value) and CEH (as a box-ticking exercise), and the former is of definite benefit, but I wouldn't call any of them necessities.
The roadmap seems more of a completionist's reference than anything else.
All that said, they do seem to know what they're talking about (particularly the CEH joke).
Disclaimer: my account is a biased one. With that said, I hope the following comment helps.
Not working there but have a friend that does and looked around a bit myself.
My experience:
- 3 university courses from VUSec (e.g. how to do Rowhammer via JavaScript? How to analyze a binary? How to do a XSRF, XSS or SQLi? <-- is stuff I learned there)
- Hack The Box full-time for 2 months, most difficult machine I pwned was PlayerTwo (making a working heap exploit by poisoning the t-cache).
My friend also did OSCP after that and he rated it between easy to medium level compared to Hack The Box. However, you did need to be faster at finding the easy to medium exploits compared to Hack The Box (since OSCP is time-based and Hack The Box isn't). The levels of Hack The Box are: easy, medium, hard and insane. IMO, this is a false characterization, since the levels are more like:
Easy: metasploit vulnerability
Medium: some payload vulnerability
Hard: harder to find the vulnerabilities, but most vulnerabilities are of level "medium", mixed in with some binary stuff that's quite easy to do (if you know binary, because if you don't, you're gonna cry at how hard it is. I suspect most people don't know how to do it, but VUSec prepped me well for that)
Insane: medium web level vulnerabilities (same as hard), but the binary stuff becomes a lot harder, also mixed in with C vulnerabilities (e.g. heap exploit).
That's it for the education side, now for the work side.
-----
My insight is, there are two types of companies:
- Tech companies (they don't care about things like OSCP)
- Traditional companies (they care a lot about things like OSCP)
The job ads that I saw for tech companies, or tech-related companies (e.g. Airbus [1]) were quite deep. Most of them require deep C/C++ skills with binary stuff and less on the web side.
The job ads that I saw for traditional companies were more web-based, had no clue about binary/low level stuff and terms like OSCP were mentioned quite often but not always.
My friend now works at a traditional company. He noticed a few things that the article doesn't touch (I skimmed it, I might be wrong).
- The level that he needs is at most medium Hack The Box level (technically)
- The level of social skills that he needs is quite high, because you're always telling some IT team that they didn't secure their shit properly
- The level of political skills that he needs is quite high as well, because not only do you deal with the IT team, you also deal with all the managers relevant to it
So yea, that's what I know. So the resources that this article gave were quite good for getting a job at a traditional company as a pentester, because it's more or less what my friend did. However, if you want to work at Google or something, I think another path is required that probably starts at VUSec.
FYI, VUSec is the systems security department at the Vrije Universiteit Amsterdam.
Btw, I'm for hire as a junior pentester or junior reverse engineer.
I have hired numerous folks in building out a very successful security team. None had certificates, and I didn't even ask. It is better to study deep technical topics rather than to study for certs, e.g., decompilation, how to do SSRF, how to audit AWS, how to get developers to build secure code.
The article focuses exclusively on the technical side. No, certifications are not required. Sure, they will get your resume higher on the list.
Security is much more than simply breaking stuff. You need to understand the fundamentals, CIA triad, risk, misunderstandings that arise from the fundamentals, issues that generally arise with security due to the context etc. Debunk also some common myths around security. Fundamentals can land you in tables that technical skills won't. It is one thing to land bugs and another to be able to sit in a meeting with a guy from engineering and reason with his team and reach an agreement. Generally, working with non-security folks is hard and knowing the fundamentals helps. This also requires soft skills. Know your limits and be honest about them. Also, it is good to listen to people and their concerns. Generally, soft skills are super important in security because in most cases your opening statement is going to be one of the following:
- I found some bugs that I want to discuss with you.
- You did X which violated that policy and it rang an alarm in SOC.
- We have this issue and I came up with this plan to build this to address it.
Being able to calm the other side is crucial or you risk derailing the conversation. Also, being able to write code helps a lot. As a matter of fact, I forced team members to work for other teams for two months. Not only did they bring skills back, my team now had an understanding of their work and potential pain points.
Being able to understand the pain of the other side and also come up with solutions (incl. writing code)
If I started again, I'd do the following:
1) Understand the fundamentals and the limitations
2) Build stuff. It helps relate with people.
3) Break stuff. It's fun and useful to understand what went wrong.
4) Have a broad knowledge but focus on specific fields. Some people like defending, some people like attacking, some like building stuff.
5) As with every job, it has its laundry list and boring tasks that people need to do. Yes, Excel spreadsheets are a thing in infosec.
6) Don't focus too much on certifications.
Edit: Saw this[3] comment. That comment reminded me of something. We've had, time and time again, candidates with certificates that could do exploit stuff but couldn't use SSH. One of my first hiring questions was "How do you use SSH" and "How do you delete files from the terminal". I wasn't sure whether this guy was making fun of me or my resume sucked. Apparently, the guy was so fed up with people not knowing how to use a system that he started asking such questions regardless of whether you had a Ph.D. in Computer Science.
[3] https://news.ycombinator.com/reply?id=25814333&goto=item%3Fi...
Certs are not that important to people in the industry, but they are important to HR.
As a beginner who wants to get into infosec, very very often a cert or two is the difference between the resume being thrown out or getting an interview.
As an experienced security professional with years of experience, a cert is literally never the reason you do or do not get an interview.
I have mentored 4 people into security within the last 3 years, 3 from IT and one from general sales (of golf carts), and my advice is always the same to them all.
1. Start the networking game immediately. If I was to guess, I would say 2/4 or 3/4 infosec hires are because the new hire knows someone on the infosec team before applying. Find your local infosec meetups (they still meet virtually, and soon in person again). Start going to local infosec conferences (look into BSides), and look for community-hosted events. Infosec is full of nut jobs who think it's a good time to spend hundreds of hours hosting a CTF for no freakin' reason other than it is fun. Go to these, get to know the local infosec community.
2. While doing #1, start getting a general understanding of all areas of IT. Know what helpdesk does, what Windows admins do, what nix admins do, what developers do, what network admins do, and of course what security analysts/engineers do. Develop the skills necessary so that you could confidently do the entry-level job of the IT vertical.
3. While doing #1 and #2, focus heavily on identifying what aspect of security you want. Like all IT verticals, once you get into it there are a million specializations; identify if you want to go offensive or defensive. You might be into risk and compliance, SOC analyst, solutions engineer, pentesting, red team, exploit development, the list goes on and on and on. For the most part, identifying offensive or defensive will be enough. There are probably 5 defensive infosec jobs for every 1 offensive job. And there is plenty of opportunity to switch to 'the other team' during your career. And just because you are defensive doesn't mean you will NEVER do any offensive work; you will dabble in it weekly/monthly, you just will be like 90% focused on defense. And for those reasons I usually recommend people trying to get into infosec to try and land a defensive infosec role for their first infosec job, even if they know they ultimately want to go offensive.
4. Pick up at least one cert focused on either offensive or defensive infosec (depending on what you want). I specifically recommend OSCP for offensive, and I recommend Sec+ for defense. This is not to develop skills, but for those other 1/4 or 2/4 hires that are not placed by networking. The reality of our world is that Certs get you past the HR filter. These certs are specifically for landing you interviews, no amount of certs will help you perform well in an interview, and if you only do certs for training, you will 100% fail every single interview. Getting a cert almost always increases the number of interviews to places where you do not know someone.
5. While doing #1 and #4, and after #2, #3, focus in on what you find interesting about infosec. Try to become an expert on that area. Not only should you learn about that area, you should learn about every technology that supports that area. If you think webapp security is interesting, learn every single piece of technology that is even peripheral to webapp (A lot of stuff). Security is a mindset, not a skill set. The knowledge a nix admin has and the security engineer have are similar, the difference is mindset and priority.
Once you are working on #5, you should start applying full force. You 100% can apply while you still know absolutely nothing, and the odds are against you, but still don't let an opportunity pass you up. The first infosec job is the hardest one to get.