The demand for skilled workers is constantly growing, and if you are a beginner in infosec/cybersecurity, you need to find ways to acquire relevant experience. So how do you get cybersecurity experience as a beginner?
Companies around the world are desperate for cybersecurity workers. More than 700k positions need to be filled, according to Fortune. This huge demand, though, is outstripping the supply of skilled cybersecurity professionals, according to a study by Burning Glass.
Not all “beginners” are at the same level
There are different levels of “beginners” wanting to get into cybersecurity.
One person may call himself a “beginner” while already working in the IT industry, while another may be coming from an entirely different industry. Getting cybersecurity experience is not so difficult these days.
Free resources are everywhere around us. You just need focus, time, and a mindset for continuous learning.
No single beginner’s guide can fit every professional’s profile. There are so many paths and job positions to pursue in cybersecurity that one could write an entire book about such a guide.
This guide is for people without cybersecurity experience, to try and guide them on a track of continuous learning. Experienced infosec professionals can also benefit from some of the resources presented in this article.
Gain a foundational understanding of operating systems and networks
Practice your knowledge of operating systems and networks at home where you can test whatever you want without the risk of damaging a corporate network.
Don’t mess around with your primary operating system, build home labs with virtual machines and the all-powerful Raspberry Pi.
VirtualBox is a great tool to manage and run different operating system versions from Linux (Ubuntu, Mint, Debian, Kali), to Windows (Client and Server). On your Raspberry Pi, you can have multiple SD cards, which are fairly cheap, with different installations of operating systems to play around with.
For networking experience, use GNS3, which is a free network simulator. It allows you to build networks without the need for hardware.
You can practice your skills in router configuration, security hardening, setting up ACLs, network segregation, and even connecting the VMs you created in VirtualBox.
Read through industry best practices
CIS has published many guides, known as “CIS Benchmarks”, which help you safeguard networks, systems, and software.
Going through those guides will help you understand how these systems work through the process of securing them. You will then be able to identify areas that, if not configured securely, could be exploited by attackers.
I would advise you to set up the technologies described in the CIS Benchmarks in your home lab environment and start following the guidance to secure them.
Setting up and securely configuring an Apache HTTP Server, Docker, MongoDB, MySQL, etc., on your Raspberry Pi will help you understand the inner workings of that software.
Practice the basics of a scripting language
Bash is great and fairly easy to learn, so you can build your own programs and mini-projects and also automate tasks.
- LearnShell is great to start learning to program with Unix/Linux shell interpreters.
- Bash Academy is great for beginners but also for more experienced users.
- Practice on your own machine while reading through the FREE “Advanced Bash-Scripting Guide”.
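As an added example that is not part of the original article, here is a small shell script that ties the two previous sections together: a hypothetical mini-auditor (not a CIS tool) that checks an Apache httpd.conf in your home lab against three hardening directives of the kind the CIS Apache HTTP Server Benchmark covers (ServerTokens, ServerSignature, TraceEnable). The check list, the sample configs and all function names are constructed for this demo.

```shell
#!/bin/sh
# Hypothetical mini-auditor (not a CIS tool): checks an Apache httpd.conf for
# three hardening directives of the kind the CIS Apache Benchmark covers.
# Format of each check: "Directive|expected value" (compared case-insensitively).
CHECKS="ServerTokens|Prod
ServerSignature|Off
TraceEnable|Off"

# Effective value of a directive: comments skipped, last occurrence wins
# (Apache applies later directives over earlier ones). Empty if unset.
directive_value() {
    awk -v name="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(name) { val = $2 }
        END { print val }' "$1"
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# One PASS/FAIL line per check; exit status is the number of failed checks.
audit_apache_conf() {
    conf="$1"; fails=0
    while IFS='|' read -r name want; do
        got=$(directive_value "$conf" "$name")
        if [ "$(lower "$got")" = "$(lower "$want")" ]; then
            echo "PASS: $name $got"
        else
            echo "FAIL: $name is '${got:-unset}', expected '$want'"
            fails=$((fails + 1))
        fi
    done <<EOF
$CHECKS
EOF
    return "$fails"
}

# Echo the failure count and always succeed, so it composes under set -e.
count_failures() { n=0; audit_apache_conf "$1" >/dev/null || n=$?; echo "$n"; }

# Constructed sample configs for a home-lab dry run (not real deployments).
LAB=$(mktemp -d)
cat >"$LAB/weak.conf" <<'EOF'
ServerTokens Prod
# a later line (e.g. from an include) overrides the earlier one
ServerTokens Full
ServerSignature On
EOF
printf 'ServerTokens Prod\nServerSignature Off\nTraceEnable Off\n' >"$LAB/hardened.conf"

audit_apache_conf "$LAB/weak.conf" || echo "weak.conf: $? finding(s)"
audit_apache_conf "$LAB/hardened.conf" && echo "hardened.conf: all checks pass"
```

Point the script at the httpd.conf of the Apache instance in your lab and extend CHECKS as you work through the benchmark; a directive left unset is reported as a failure because Apache's default (e.g. TRACE enabled) is not the hardened value.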
Gain hands-on cybersecurity experience from online resources
There are great free resources online to use and practice your tech skills and gain new ones.
To try yourself in such labs and competitions, you must first get familiar with operating system usage, especially Linux, and at least basic networking knowledge.
Try to earn some certifications
Certifications like eJPT and CompTIA Security+ are great entry-level certifications.
By studying to sit for the exams for certificates in infosec/cybersecurity, you will certainly acquire new skills and knowledge.
Hands-on experience for many scenarios can be acquired through home labs.
Read through security frameworks and standards
Be familiar with security frameworks and standards like ISO 27001 and PCI DSS.
Companies who are already certified or want to get certified in the future will surely appreciate that you understand what is required to achieve such certification and maintain it.
You will also benefit greatly by understanding the holistic and strategic approach to corporate security strategy and security governance.
The IT Governance website has several free resources on ISO 27001, and the PCI DSS standard can be downloaded for free from its official website.
Connect with cybersecurity professionals online
You can get so many ideas and learn even more when you follow experienced professionals working in different areas of infosec/cybersec. From penetration testing, malware analysis, incident response, and GRC to security audits, there are so many mentors to choose from for your journey in infosec, it is just amazing!
The lists below are by no means exhaustive of course. There are hundreds of accounts worth following and reading their posts every day. Start with some, and you will know who else to follow as you go along.
Accounts to follow on Twitter
It is very useful to make connections on LinkedIn and follow them to keep up with industry news and learn from expert opinions on cybersecurity.
Join professional groups, make new connections, and start meaningful conversations in relevant groups. People on LinkedIn are usually very keen on helping other professionals.
Learn to ask questions
Train your mind to constantly ask questions.
Question everything you learn, then ask more questions. This is the way to dig deeper and learn more.
Be certain that there will always be something more to learn. You will never reach a point where you will know everything. No one knows everything.
Curiosity and passion to learn are key in this industry.
The man who asks a question is a fool for a minute, the man who does not ask is a fool for life.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He enjoys acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.