As a counterpoint to this fluff piece for Pluralsight (mentioned 29 times), I'd like to offer the following links with very good information by well-respected people in the industry:
The point is to learn development / infrastructure first, then study attacks and defense to develop a security mindset. Get involved in bug bounties, but learn how to fix, don't let your code skills rust. Then learn more security concepts, how to build a corporate security program and keep moving :)
There's also a very famous book in the area: "The Web Application Hacker's Handbook" http://mdsec.net/wahh/
As a hiring security manager: go break shit. I don't care if you have a CEH, I care if you can bring me good vulns. Show me you can break things I care about and that you're not a horrible person and you'll go straight to the top of the list. It's that simple.
How do you get started breaking shit? Github has tons of shit. Go break it. More interested in hardware? Go buy some crappy iot gear and break it. Vulns are not rare and they do not require a damn piece of paper to find. Find them, and you will have no problem finding jobs.
If you are reading this and still don't know where to start, I am happy to help you find things to break and suggest approaches that might help. But seriously, don't waste your time and money getting certified. I don't care at all.
To this point, bug bounties, bug bounties, bug bounties. If someone is applying to be a security developer, consultant, or anything beyond a security help desk operator, my expectation is that they can tell me about bounties they've collected. In lieu of that, I'll accept them telling me about their ethical disclosures. Also, playing CTFs, even without winning, is a good sign. It shows passion, and that's what matters at this point, as we need people in security not because of the money, but because they passionately want to make the world a safer place and enjoy the work as a bonus.
I want to push back against this a bit because you used the word "expectation." Yes, I strongly agree that bug bounties are one way to achieve and demonstrate a certain level of expertise in information security, especially if you are trying to break in. However, don't make it more than a job for people who just want to do the job, and don't arbitrarily make it the whiteboard of the security industry.
My best colleagues, the people I most deeply respect and the people who inspired me to work in this industry all neglect bug bounties. They mostly don't participate in them at all. Bug bounties are usually pursued by people who have the free time and bandwidth for them. For the most part, most security consultants and engineers do not actually engage in them because they are already highly paid. This is why you most frequently see bug bounty participants from countries other than the United States and Western Europe.
Those that do have a full-time position and also engage in bug bounties certainly have a commendable passion for the work (or sometimes, more accurately, a workable formula for getting to low-hanging fruit in new programs first), but please don't expect all or even most skilled security talent to adhere to this rule. Many people enjoy being skilled without sacrificing work-life balance. Just as not every software engineer needs to contribute to open source or have a GitHub profile, not every security engineer needs to have badges for every company they've hacked.
I agree with you on your assessment, but those people you respect and who inspired you are the ones who are already in the field. They already have accomplishments and have done things to earn that respect. I've found that it's near impossible to differentiate "posers" from actual security people when it comes to hiring someone without a long, formal, and vouched-for-by-others security career. This is where bounties and ethical disclosure come into play. Also note the careful choosing of the "long, formal, and vouched for" wording above. There are certainly people in our industry who are here because they are good at social engineering rather than because of their technical skills or work ethic. Those individuals are very damaging to our field.
Can you clarify what you mean by "good at social engineering"? Do you mean they try to specialize in that and pass it off as actual security rigor ("hacking")?
Exaggerating their skill-set, claiming to have skills when they don't. Yes, it could be the Dunning–Kruger effect in action, but more often than not I think there is careful plotting involved to deceive. It's actually odd if you think about it a bit. I've been going to DEFCON for the last 11 years, have done the CTF thing, the speaking thing, etc., and it strikes me in many ways as a tale of two cities. You've got your highly skilled and technical security professionals who are talking and sharing, but then you have all of the roadies, the fans, the people who watched Hackers and want that lifestyle. We don't see this in any other technical field that I'm aware of - I mean, I'm pretty sure there aren't blue-haired database administrator wannabes showing up to DBCon, are there? What ends up happening is that people like the idea. They want to be a "hacker" and want it as a day job, but don't have the technical skill, so they must figure out ways to social engineer their way into the field.
The folks at Attrition tend to cover it a bit more when it comes to "security rockstars":
Saw a talk about bug bounties that had some data. Bug bounties mainly go to people in so-called "third world" countries; those are the people who appear to be the ones most interested in them.
CTFs and bug bounties are good. Better is when people have broken something for themselves, and best is when they've made money doing it. I trust that those people know how to think like the attackers I should be really worried about.
Breaking shit is important, and so is understanding how to fix it, unless you'll work solely on penetration testing. I tell you this because many hiring processes for sec engs are built around CTF games. From my experience as a security engineer, it's tough to find vulnerabilities, but it's just as hard to fix them. Few security guys know how to code to the point of talking to developers, or know devops well enough to talk to system administrators. Btw, that's why I'll write a blog post about this later.
Reading code well is table stakes for me. Writing code well isn't always, but if I hire someone who doesn't write code well it's because I'm betting they can learn to and already have a really solid dev who can pick up the slack.
Ditto this. In my part of the world CEH isn't much; it just states you have a basic idea of the tools and processes needed to be a CEH. Ask a job candidate with a CEH to describe the steps in setting up a MiTM server and they probably couldn't. The folks who break shit, like their parents' WiFi, are the ones who can answer that.
Having knowledge of C and Python helps according to dsacco; where would you recommend starting? Books? Checking others' code? Or how would you go about it?
I like Troy, but I need to put in a word here against pursuing certifications.
There are no employers in security that I know that anyone wants to work for that take certification seriously. The best people working in security --- not just in application security but in network security, red-teaming, exploit development, and cryptography --- don't have certificates.
If you want to work in startups, a hiring process that even asks if you have a certification is a big red flag. This is less true in the broader tech industry, but while it's probably not a good idea to discard a prospective Fortune 500 employer just because they ask if you have any certifications, it is certainly reasonable to pull the ejection lever hard if an employer cares about them.
Every minute you'd spend pursuing certification is better spent building programming skills.
For whatever it's worth, I still stand behind everything in here:
An example: Matasano (I have no affiliation) is a well-respected security company. Their hiring process involves (or involved) taking applications from interested people with interesting resumes, sending them a textbook, and asking them to come back when they felt qualified.
I've seen this sort of outlook (usually without the textbook) across the board. Either a company will train people from scratch, or they want to see applicants with actual records of working security, finding and reporting vulnerabilities, or patching holes in OSS.
"Have a certificate" is nowhere on that list. It probably can't hurt for a candidate, but I certainly don't think it will bridge the gap from inexperienced to experienced the way an actual work record would.
The timing never worked out, but applying to Matasano was tied to the start of my interest in security. It was one of the most welcoming and positive interview processes I've ever seen.
I'm not saying it should be. If you're hiring exploit developers, your process should begin and end at having candidates build model exploits. But almost nobody hires like this; most organizations have tea-leaf-reading hiring processes, and proudly advertising that you have a CISSP or CEH is one of the tea leaves they read.
For what it's worth, Troy's perspective is colored by living in Australia.
My experience is that the Australian tech scene (I don't live there anymore) is in many ways similar to the 1990s in the U.S. Customers and recruiters ask about certificates. Hell, you typically have to go through a professional recruiter in order to get a job; it is often not possible to apply directly to companies.
I am generalizing and also talking about my experience in Australia about 8 years ago. Maybe everything has changed.
While the tech scene in Australia may be behind the times in a few ways (possibly security as well), Troy's view here is in no way affected by living here. This material was created because PluralSight wanted CEH-related material, as their viewers (world-wide) were asking for it. Full stop.
Blog posts like that are designed to steer traffic towards course views and "time watching the content", without which PluralSight authors don't get paid.
As per linkregister's comment, I feel this is regional. Indeed, the big news here in Australia is a disappointing push for a national certification plan[1]. I've been in several conversations with people that have stated they hope this goes ahead, so they "know who to hire".
The most common mandate I currently see is "CCNP Security", which shows up as a hard requirement regularly, even in non-Cisco shops. I could never bring myself to invest time for such a thing - feeling it largely conflates "security" with "buy firewalls".
While I'm talking to you, thank you for the Cryptopals challenges. They were a very good departure from the compliance-based security I usually have to deal with.
The notion of a national certification plan is being laughed at by anyone who is in the industry for the right reasons. Those involved in the classic commoditised scan-and-bang assessments will love it as it'll continue to keep the cash flow churning.
Some have even suggested "cyber conscription" to force people to do government work if they're capable. This, and the recent articles indicating that the government wants people to "volunteer" their time, goes to show that they want people for the lowest possible price.
The problem in Australia here is no different to overseas: the focus is on useless certifications and compliance, cheap resources, and security theatre. CEH and CISSP are alive and kicking because of this.
All of the above is beside the point. Troy made CEH PluralSight content because PluralSight's people wanted it. It's really that simple. The blog post is just marketing for that content.
> The notion of a national certification plan is being laughed at by anyone who is in the industry for the right reasons
Yes but the majority of enterprises are not in the industry. These stupid certifications are being pushed by our largest accounting firms (where Arno Brok is connected), and these are influential to business leaders.
> Troy made CEH PluralSight content because PluralSight's people wanted it
I hadn't considered that. Good point.
> the focus is on useless certifications and compliance
It's hard to explain to people in "real" security just how hopeless the current "compliance security" situation really is. Consider this situation. A user goes on holidays for two weeks. Before leaving, they turn off their laptop and lock it in a cupboard.
I've just described a critical incident. I can expect to be writing up incident reports, and reporting to management on "root cause" and how we can avoid this incident recurring. Can anyone in "real security" even see the problem?
Why, after two weeks, their desktop antivirus is out of date.
Agreed. The cross pollination required to get security into organisations correctly isn't there. Orgs see security as a pain in the ass, and not an investment/insurance policy.
I do not find this to be entirely accurate. I work as a penetration tester/run the offensive security practice at a small security firm, and I used to spend a fair amount of time performing malware forensics (and taught it a bit at a local university for graduating students who were interested in a two-day crash course... free, of course), and I can say with a fair amount of certainty that the industry does recognize and sometimes require certificates. I am not saying a certificate will get you the job, or even that they are a good way to spend your time, but they can certainly get you an interview.

For instance, I run a team of about 6 penetration testers, and my time is pretty limited because we always have so much on the go. When I am hiring, I usually ask that someone have the OSCP, OSCE, or GXPN if they are going to apply. In the case of the OSCP and OSCE, they are not cost prohibitive, even for someone covering the costs themselves, and they test one's ability to perform actual penetration testing and report writing. You have a certain amount of time (24 hours OSCP and 48 hours OSCE) to hack into some servers and show your technical chops, and then report on what you did and how you did it. In the case of the OSCE, I will know if you passed that you understand disassemblers, debuggers, exploit code writing, and assembly. That gets you in for the interview, and I can further check out your programming skills, security chops, etc.

I am not saying that if someone has a particularly interesting resume, I won't look at them. But when time is limited, and you aren't a Fortune 500, it's a good way to filter out some of the candidates. I will say that certs like the CEH and CISSP don't matter in the slightest bit to me. I could care less about how you do on a multiple-choice exam, the only exception being the GXPN because that course is actually relatively grueling.
What firm do you work for? Prior to my career as a professional Internet message board commenter, I cofounded Matasano, ran recruiting for Matasano, and then, after they acquired us, ran recruiting for NCC Group --- which is I believe the largest pentest firm in the US. I've got friends at most of the other big firms, and this is a topic of conversation that comes up a lot.
I'm pretty confident in my answer here.
If you want to know whether someone understands disassemblers, debuggers, exploit code writing, and assembly, have them do tasks that involve disassemblers, debuggers, exploit code writing, and assembly. We had that problem, and we built Microcorruption to address it. But you don't need anything that elaborate.
I get that most firms don't hire this way yet (all of them will within the next 10 years). But so far as I know, none of the reputable firms rely on certifications. Of the top, say, 20 "offensive security" people I know, not one of them has any of these certifications.
If there's a major firm that outsources this stuff to certification programs, that would be surprising news for me.
Like I said, it's a small firm (also not in the US, so I don't have anywhere near the pool to pull from that you have, I am sure). I also don't disagree with you; like I said, I am just pointing out that it can be a legitimate way for some people to get a foot in the door at a smaller firm, or a less 'reputable' one, before moving somewhere else. You need to pay your bills while you wait for other opportunities, or develop your skills.
I am slowly working towards moving us into a position where we have more practical methods of finding out if candidates understand the above, but it takes time for me to develop testing methods etc. while simultaneously completing everything that needs to be completed.
If you have any recommendations, I'm more than open!
Care to elaborate why programming skills are so important in the field of security? Genuinely curious. I have always wanted to take my skills to the next level but have never actually gotten started. This might be the time for me to start.
It's of varying importance depending on what field of security you're talking about, but generally it's the chasm that separates entry-level security folks from the rest.
Using systems administration as an analog, there exists a class of sysadmins who can't write even basic scripts. Their ability to troubleshoot or problem-solve is limited to using predefined tools. Whole categories of tasks will be infeasible for them to accomplish (mostly because of the amount of time it would take to do them manually, not necessarily because they are technically impossible).
Lacking the ability to do any programming limits their job prospects to the bottom of the sysadmin barrel. That being said, programming isn't necessarily a prerequisite for their job, it's just a ceiling.
Going back to security, most tasks benefit from the ability to automate some part of them. I come from application security, where that frequently manifests in having to quickly piece together tools for interfacing with a specific protocol or API. Application consulting exacerbates that even more, because you'll usually have to do all of this in a very short amount of time, so that you can spend the allotted assessment time actually doing the assessment, and not trying to get your tools to work with the environment.
A lot of security boils down to bugs in software. If you don't have any programming skills, how do you expect to quickly and accurately find bugs in software? Sure you can go around banging on things and you might get lucky with the easy cases, but you will struggle to exploit and pivot out of the difficult cases.
I'll echo what debatem1 and tptacek said here with what I tell everyone:
0. Do not pursue certifications at all.
1. Learn to code. C + Python is a great choice, to start with (or C + Ruby).
2. Start with application security, because it's the easiest place to get your feet wet.
3. Work through The Web Application Hacker's Handbook (don't just read it).
4. Find bug bounties in as many programs on BugCrowd or HackerOne as you can. Extra resume points (and money!) for bug bounties in Google, Facebook etc.
5. Join a reputable security consultancy (NCC Group, Optiv, Bishop Fox, etc.) and mature your skills.
> 2. Start with application security, because it's the easiest place to get your feet wet.
This is true because of the availability of targets; however, the easiest place to get your feet wet is not the same thing as the easiest discipline, and people must keep that in mind. Application security is the toughest of the disciplines in my book; far tougher than netsec, opsec, and many others, because it's a world of vast diversity of solutions. It's also a world of vast diversity in attacks, from SQLi to XSS, to unauthenticated remote code execution, to the identification of logic errors which result in the exposure of sensitive information.
Yes, I agree, and this is a good addendum to my point. I could quibble about it being the most difficult (I specialize in AppSec and I find crypto much more difficult), but you're right.
I somewhat disagree with this statement. While I agree completely that certifications do not equate to ability, education is never a bad thing.
For example, many of the SANS GIAC courses are run by industry experts that have a lot of real-world experience. For example, I took the GCIH taught by John Strand (BHS) and the GCIA taught by Mike Poor (InGuardians), with material jointly developed with Judy Novak.
This may be unique for SANS courses, but I personally found combining quality education material with well vetted instructors that have real world experience to be quite useful.
It's certainly not a substitute for having real world experience, but quality education can be worthwhile.
Sure. There are different disciplines in information security. Application security broadly covers web, mobile and desktop applications. Application security is the easiest to start working with because, as another commenter said, it is ubiquitous. You can find bug bounties for most major tech companies and their application software these days, which means there is quite a lot to practice with.
Because certifications mean you can read a book and pass a test, unless the certs are similar to the OSCP ones which require some hands-on activity. Working through the Web Application Hacker's Handbook or the OWASP guides is a much better use of your time. When you're interviewing, you can talk about all the success you've had working through those projects, which shows hands-on, practical knowledge.
On a related note, here's a quick guide to infosec in the defense industry:
1. Graduate from any school with a degree in CS/CE/Math/Physics.
2. Solve one crackme in your free time.
3. Apply for all entry level jobs at GENERIC DEFENSE CONTRACTOR that involve keyword "ida pro." Prepare to move to a deserted town in Florida or the DC megalopolis.
4. Die on the inside when you spend years working on unbelievably complicated problems that do nothing else except get a government employee promoted. Have everyone else in the news/online tell you you're evil.
5. Spend several months working for a government employee that is amazing at what he or she does. (part of the 20% of employees doing 80% of the work)
6. Watch as that employee is immediately promoted and replaced by someone else who doesn't care.
7. Try to transition to non-defense and discover that for all the talk about "cyber!!!!" and infosec in the news, all anyone actually wants is an IT professional that took a one week course at Blackhat on exploitation/has meaningless certificates/knows how to buy and install Nessus products and Palo Alto products. That has to be 90% of the job postings out there.
In all seriousness, if you do think you want to go down the government route, stick to a dedicated research institution or try to get a federal job. There are a very, very small few defense contractors that truly do good work, but they burn too bright and are eventually snuffed out by corporate greed or insane management.
Ha ha ha. That was right on the money. Though it seems a bit too pessimistic. And CCOEs mostly have really boring projects.
Raytheon SI, Mantech, and Booz Allen Hamilton have some decent contracts; yes they are in Melbourne and Annapolis Junction (where else would they be in the U.S?).
It's hard to get involved in the smaller firms, because DoD wants to keep the best employees from going to these contractors to do their current job for 2x the pay.
I'm biased, but I think the better way is to start federal, get into a cool 3-year rotational program for poverty wages, and then go contractor once you've paid your dues for a couple of years.
This is, of course, pretty damn niche for infosec. Most infosec folks I've met in the industry have no exposure to this.
I think that's decent advice. If I was young again, I'd just apply to one of the many security engineering internships out there and skip defense work. Those didn't exist when I was in undergrad.
Federal jobs are pretty awesome everywhere except extraordinarily expensive cities. Unfortunately, a good percentage of them are based exactly there. :) (Also, a bit easier to admire the benefits and stability they offer when you're older. Early 20s me would laugh and then apply to whatever popular corporate grinder was hiring for prestige and 6000 hour weeks.)
I've enjoyed Troy's posts explaining past high-profile hacks, so I assume the content he created for Pluralsight is pretty good, too. I'm glad he didn't directly tailor them to the CEH, because from what I've seen it's not the most esteemed certification. Most managers I've talked to on the security side of things have said something like Security+ is a good starting point for newbie hires, and CISSP or OSCP are a decent indicator for mid-to-senior hires.
In general though, the prevailing sentiment has been that demonstrated experience is the #1 factor. Infosec isn't a career path that begins as a totally oblivious hire after floating around in college. It begins in your bedroom in the evenings poking around bug bounties or playing on hackthissite.org and its forums and that sort of thing. A professional setting isn't required to gain some good real-world experience, so there's no reason you should be inexperienced by the time you're sitting for your first professional interview.
A CISSP is only a good indicator that someone wants a free ride past HR. As a technical certification, or a measure of technical ability, it is worthless.
I wouldn't say worthless; a lot of CISSPs are in management, where actual technical ability gets delegated to non-CISSPs. I'm pretty confident that most CISSPs could pick up almost any security-related technical skill if they were motivated to do so.
The context of this thread is that we're talking about technical positions. If you see my other comment, I already mentioned that it's a management cert. Also, if a person with a CISSP is capable of picking up technical skills, that's simply coincidental. The CISSP didn't teach them to learn technical skills, it's completely unrelated. In my experience, motivation is the largest factor in learning anything, so of course a person motivated to spend time learning a specific subject is capable of picking it up.
> A CISSP is only a good indicator that someone wants a free ride past HR.
If you consider HR as a first firewall to get past, that may make CISSP certification not such a terrible option. If you can get past the outermost protection layers, you can start poking at the inner layers that may be more soft and squishy.
Content-wise, CEH is probably one of the worst infosec certifications in existence. And EC-Council is nothing more than a paper mill. This can't be emphasised enough.
Stay away from CEH and EC-Council, don't support these scumbags. They're just a bunch of charlatans that managed to grow their paper mill by spamming and stealing material from others.
10+ year infosec veteran here. I think the first order of business is: do you want to be a specialist or a generalist? Application security is but one piece (albeit in many cases a very important piece). I chose generalist and I am happy to have done so. Today I am diving into Strict Transport Security, yes, but also working with HR and IT on our employee onboarding and off-boarding process, reviewing vendor and customer contracts and federal compliance requirements. Privacy, regulations and law, compliance, IT and infrastructure security, corporate IT security, and yes, application security - every day I deal with all of the above and I love that. And as a great foundation in all the things a security person may do, I cannot recommend the CISSP enough: go for the CISSP (or, alternatively, CISA) certification.
The CISSP is a certification designed to give managers a high-level understanding of the different areas of security. For some stupid reason, HR people think it's the gold standard of technical certifications. Unless a person is an absolute beginner, they probably won't learn anything technical.
I literally can't think of a single person I talk to in security --- and I talk to lots of security people --- who will mount a defense of the CISSP certification. Most of the people I know see it as a plague on the industry.
(I'm 22+ years in the industry, for whatever that's worth.)
There's nothing wrong with the CISSP for what it is, a wide gamut glance into InfoSec, but a lot of hiring managers have been led to believe it holds high technical merit. A few years ago I took a job with my then shiny new CISSP and I was uncomfortably flattered a bit at how much awe it held with people who had no idea what it even was. They assumed I was a master hacker when neither my work nor my resume suggested any such thing.
I think what it tells employers, who don't know better, is that the person is a Certified Information Systems Security Professional, and they might have heard all government security employees must have one, so it must mean that the people are extremely skilled. In this, I'm not qualified to say but my hunch is, not very likely based on a few untechnical people I know in the last few years who passed the test successfully.
What it should tell employers however is that the person is capable of critical thought and has a light familiarity with a wide range of security concepts.
Why should I have to pay a pretty significant amount of money at the start of my career to buy a piece of paper that suggests I'm capable of critical thought? In fact: isn't doing the exact opposite of that actually doing a better job of demonstrating critical thinking skills?
6 months in Iraq isn't enough for vet status. If you didn't live through the Vietnam War of the 70s, if you never saw the AK-47 in action, you aren't a vet.
When we hire, we skim the list of certifications and look for indications of experience. A list of CVEs, a blog, or several years in a serious role rank much higher on our hiring queue. And when we interview, we specifically check for depth on the areas the resume indicates depth on, and we look for breadth everywhere else.
I'm surprised that he didn't mention CSSLP from (ISC)², the same organization that created CISSP. Certified Secure Software Lifecycle Professional (CSSLP) is a certification focused on all phases of the software development lifecycle and is for those who want to add security to the whole development lifecycle instead of focusing on 'finding bugs'. It's great to find bugs, but application security is much more than that, and so is information security. This is how I became certified https://dadario.com.br/what-it-takes-to-be-csslp/ and more info about the certification https://www.isc2.org/csslp/default.aspx
> That's also reflected in how well rewarded security pros are
> That’s bad for employers but good news for cybersecurity workers, who can command an average salary premium of nearly $6,500 per year, or 9% more than other IT workers.
Why are the technical skills (in this article specifically) so demanding, and yet the salary is only 9% higher?
Same for the other career-starting directions given here -- most of which seem like multi-year time investments. Many of them ask even more of your technical ability than the article before entering the field with a salaried position, and yet that's only worth 9% extra salary?
> That’s bad for employers but good news for cybersecurity workers, who can command an average salary premium of nearly $6,500 per year, or 9% more than other IT workers.
$6,500 / year? Am I misunderstanding the term "salary premium"?
Also the bar graph confuses me. Shouldn't cybersecurity positions be included in "all IT positions"?
Several years ago I was looking for some ranked ordering of IT careers by salary, allowing drilldown to things like different languages and specialities. It's something I slowly figured out via job hopping, but such a list would help people who enjoy X as much as Y realize that Y pays 20% more.
The bar graph is reflecting growth as a percentage. I think it would have been better to plot IT positions vs Cybersecurity positions to show the hockey stick growth that he is trying to illustrate.
I think the problem is that it's not a very useful graph. I think breaking out the overall IT into other areas would make more sense with smaller percentages being shown as "Other".
I believe an area that goes unnoticed by new security analysts looking to work in penetration testing and exploit authoring is that of OpenVMS and VMS-based systems hacking. I've worked on these systems for years and the word floating around out there is that they are "unhackable". While some have arguments against why this would matter in this day and age, why it really does matter can't be discounted. [1] Finding OpenVMS vulnerabilities and discovering ways to own boxes running the system is not only important but a great resume bullet.
"That’s bad for employers but good news for cybersecurity workers, who can command an average salary premium of nearly $6,500 per year, or 9% more than other IT workers."
- https://www.corelan.be/index.php/2015/10/13/how-to-become-a-...
- https://tisiphone.net/2015/10/12/starting-an-infosec-career-...
- https://danielmiessler.com/blog/build-successful-infosec-car...