
Thinking of a Cybersecurity Career? - zdw
https://krebsonsecurity.com/2020/07/thinking-of-a-cybersecurity-career-read-this/
======
GekkePrutser
I think cybersecurity (I hate the term cyber btw as it's usually used by
people who don't know what they're talking about) is very focused on the
'think like a hacker' skillset right now.

While I do agree this is important in various roles in the security realm,
there are also many jobs where this doesn't really add value. A lot of work is
about implementing things like MFA, role-based-access etc where knowledge of
the platform used (e.g. Microsoft) and internal processes are more important.
After all, most companies already fail at the 'fix the obvious' stage; it's
not necessary to go looking for clever ways in when there are many doors left
open.

Just to elaborate: A lot of discussions go like this. A pentest or random scan
finds an obvious issue. Ticket is raised to the security team. They go like "WTF
why do we still have Windows 95?? Kill it.". Then their boss goes like "Sorry,
Bill the manufacturing VP lobbied with the CEO, we have to leave that one
alone". Of course when it actually gets hacked, Bill is nowhere to be found.
This is why internal influencing skills are so important in real everyday
security jobs.

Of course in the pentesting role this kind of thinking is absolutely
necessary. However even there the kind of training given right now is too much
in the realm of 'scriptkiddie'ism. Hacking is about inventing and true mastery
of technology, not about using the tools everyone uses. Being able to run
metasploit and wireshark does not make one a hacker. By doing this, pentesters
test for yesterday's hacks, not tomorrow's.

~~~
movedx
> Being able to run metasploit and wireshark does not make one a hacker. By
> doing this, pentesters test for yesterday's hacks, not tomorrow's.

Be careful here. This is bordering on elitism.

Having someone come into a business and check for "yesterday's hacks" is
better than no one doing any checks at all, therefore such skills are still
valuable and worthwhile.

Learning how networking works; how operating systems are designed and
implemented; why and how the OWASP Top Ten work; and knowing solutions to
these problems is still a valuable skill set.

What you're suggesting is everyone has to be willing and able to write fresh
exploitation on the spot when they're testing a client's network when in fact
there's a lot that can be discovered (and resolved) with basic scans and
simple questions based off of Security+ grade knowledge.

~~~
GekkePrutser
I know, but most of these "hacks" are identified by internal scans already.
The pentest doesn't add much value then. The issue is more internal resistance
to change in the management team.

Like I said I know most companies already fail at the basics. But these are
normally well known already, just not fixed due to political pressure. Having
the security team's management be better at influencing would pre-empt these
issues. Pentests serve to bring these known issues under discussion again, but
they often don't bring any unknown issues to light.

Also, they tend to be too artificial. In one example: In a recent pentest I
know of, they sent some remote access malware to the admins, which they all
ignored and reported. However, as they couldn't continue, they called one
admin's manager and asked him to tell the admin to click on the link so that
they could proceed. The outcome of the pentest was that _if_ a malicious actor
sent a malicious remote access malware and _if_ it was clicked on, they would
have remote access. Well duh.

Of course this could be mitigated by having separate workstations for email
and admin activity, which was an issue that was already understood and a
mitigation in progress. This is what I mean by pentesting not raising new
issues. Another example: The company in question already tests new web apps for
known attacks, and is quite successful (in fact I've never seen a new app come
through the certification process in the first round). What I'd expect from a
pentest is to tell us something we don't know :) It's an interesting second
opinion but it's not the amazing X-ray it's promised to be.

> What you're suggesting is everyone has to be willing and able to write fresh
> exploitation on the spot when they're testing a client's network

Which is exactly what a serious adversary would be doing in a targeted hack!

~~~
OminousWeapons
> I know, but most of these "hacks" are identified by internal scans already.
> The pentest doesn't add much value then. The issue is more internal
> resistance to change in the management team.

This sounds like management's fault for using a service they don't need yet.
If there are glaring, obvious vulns that are repeatedly pointed out but aren't
getting fixed then how useful is it to point out additional more subtle vulns?
I understand the point you are trying to make about pentests telling you data
you already know, but how many people are going to take the time to enumerate
subtle vulns when there are basic ones that can be hit to great effect?

> Which is exactly what a serious adversary would be doing in a targeted hack!

I don't think it makes sense to worry about what a serious adversary could do
when a moderately skilled one can already wreck you with known exploits.

~~~
GekkePrutser
Well, the issue is that these vulnerabilities can't be hit to great effect,
because they're usually well understood and mitigated by other means (see the
admins being very conscious of email malware). In many cases the pentesters
cheat by asking for special permissions or for someone to click something they
wouldn't normally have done. Just so they can be seen to 'have found
something'.

I think a targeted adversary is more worrying because they usually are driven
by high gains, which means something that's a big risk to the company. Like
strategic information that can cripple the company. Whereas a more moderate
adversary will usually trigger a ransomware campaign on some low-secured
laptops or something which can be mitigated in a day or 2 by restoring
backups. Big interruption yes. Company-killer no.

Also an advanced adversary will usually operate unseen altogether and
penetrate the highest levels of security. A ransomware attack is much more
obvious. I would view them as different things altogether. An advanced
adversary might use the same techniques for their initial access but due to
the many layers of security this won't be enough to reach the most critical
information.

------
user5994461
CyberSecurity, the domain that doesn't recruit yet has a shortage.

What cybersecurity is to most people is automated security scans. This can be
done by interns with a week of training to run the tools. (Interpreting and
remediating the findings is another matter).

Besides that, security is mainly about authentication. That's done by setting
up LDAP, Active Directory, OpenID Connect and co, and integrating in
applications. A tremendous amount of setup and integration work for
administrators/developers. (Not cyber security engineers)

There are cyber aspects around infrastructure and networking for
sysadmin/devops/sre/developers. Setting up firewalls and 2FA in AWS,
configuring TLS, upgrading OS and abandoned libraries. (Still, no permanent
cyber security roles in sight)

Last is a couple of researchers finding vulnerabilities, concentrated in the
likes of the NSA, NSO Group, project zero. Highly technical work that very few
companies recruit for. These are full time jobs, offensive cyber security
(vulnerability researcher) but extremely few in the world.

When I see people looking for cyber security engineers or trying to break into
security, I can't help but think what do they mean by that? Just become a
developer or a sysadmin/devops.

~~~
vsareto
> CyberSecurity, the domain that doesn't recruit yet has a shortage.

Yes, they are 100% lying about this. Any time you see an article about skills
shortage, it's complete bullshit. It is cheap for them to create the illusion
of a skills shortage via articles and blog spam. What they really want is
people to spend their own money on training vs. them training their own
talent. Then, once you've spent your money on training, you'll still run
similar gauntlets in interviews that developers like to complain about.

This is why some of the certs are kind of useless at getting a job _despite_
industry advice to get them. Some places will see something like OSCP and then
still give you a time-limited CTF to do before they'll even talk to you about
an entry-level position. Other larger companies will praise you for your
certs, saying certs + programming skills is what they look for with new
people, then just ghost you.

The interviewing process in pentesting is just as bad, if not worse, than
development.

Plus, despite most pentesting gigs being more difficult day-to-day than
regular web development jobs, they pay much, MUCH less, sometimes as much as
$40k less (80k vs. 120k in a large metro area).

All of this is kind of countered by the fact that you can really do bug
bounties on your own now, so you may not really need a traditional job. IMHO,
you're better off being a developer first before going down that route.

~~~
raghava
> Yes, they are 100% lying about this. Any time you see an article about
> skills shortage, it's complete bullshit. It is cheap for them to create the
> illusion of a skills shortage via articles and blog spam. What they really
> want is people to spend their own money on training vs. them training their
> own talent. Then, once you've spent your money on training, you'll still run
> similar gauntlets in interviews that developers like to complain about.

This is so true. It is now common with most undergrads in India that they
cannot even apply for a fresher job without such additional
courses/certificates.

Training, learning and skill development budgets are mobilized by CXOs for "other
purposes" (maybe for their vacation in the Swiss Alps that they promised to
their spouse).

------
mpettitt
It's important to note that while there are a lot of skills which can be
useful, it's fairly rare to find a job which requires them all.

For example, if you have a mobile application specialist, they probably don't
need to worry about, say, VLAN configuration on a regular basis. It's quite
likely that even if they do know it, the lack of use will result in them not
showing that knowledge well in an interview situation. If you give them a few
hours and an internet connection, though, they may well be able to
refamiliarise themselves easily. Alternatively, you just need to hire someone
who specialises in network architecture and segregation - this does rely on
the person doing the hiring to know vaguely what they need, though, which is
not always the case.

I work in the industry, and there are people who are well known as experts in
specific fields, but who I would never expect to be able to do some other
aspects of my job, just as I would struggle to do things they can do without
any difficulty.

I think the cyber security industry is at the stage where the web was 15-20
years ago, where a company would hire a "webmaster" who did all the web
related stuff, rather than getting a combination of people in different roles
each specialising in one area. It's slowly getting better, but it's still
common for companies to look for a jack of all trades security person, rather
than getting the specific knowledge they need.

~~~
GekkePrutser
Totally agree, it's not really possible for a hacker or security specialist to
excel at all categories. Some people become an expert in web injection, others
in buffer overflows, network attacks or crypto. The field has become way too
wide for one person to have expert knowledge in everything.

------
wjnc
In my experience many jobs in "risk management" (under which I'd file a large
part of cybersecurity from an organisational perspective) are 'second career
jobs'. You first need to have done the job yourself before you start learning
how to properly comment, guide, influence and teach colleagues and teams.
People are notoriously resistant to outside critique even when you are part of
the same organisation and principally in the same boat. So I would advise
companies to let medior to senior staff that are not management material but
can lead by example take on more risk management roles.

So how to get into cybersecurity? Don't. Do what you like (programming,
systems administration or even IT-procurement) and after a few years start
transitioning to cybersecurity. An exception would be the hardcore whitehats
but firms usually don't have those on board and rely on consulting. So
programmer-consultant is another route. But you won't get hired without quite
the demonstrated homework, so you'll need to love it.

------
Shared404
Seems like a good place to copy/paste one of my comments from a different
thread.

Disclaimer: I'm not particularly good at this, so whatever comments I make are
well intentioned but may be of varying accuracy.

...

Online sources:

* OWASP.org is a good place to find info. If you look something up, there's a good chance you will find it here.

* [https://owasp.org/www-project-web-security-testing-guide/](https://owasp.org/www-project-web-security-testing-guide/) Thanks to redis_mic for this one, I didn't know it existed until today.

* overthewire.org Similar to HTS, but you don't need an account. The subject matter covered is also slightly different.

* [https://0x00sec.org/](https://0x00sec.org/) A forum dedicated to security. There's a lot of script kiddies, but also some gold.

* [https://www.hackerone.com/](https://www.hackerone.com/) What better way to learn than practice on live targets? That being said, I would do some of the others first.

...

I do a lot of learning through reading, so books:

* Network Security Assessment by Chris McNab. I have second edition, which is a good and instructive read, but quite outdated.

* Real-World Bug Hunting by Peter Yaworski. Web security 101. Good read, and fairly useful.

* Advanced Penetration Testing by Wil Allsopp. Outdated, but interesting. You will never use Flash again after reading this.

* Social Engineering, The Science of Human Hacking by Christopher Hadnagy. This is a very interesting read. Also, one of the few that can't go out of date.

...

This should be enough to get you started. There's a couple more books I can
think of, but they tend to be more specialized into certain fields of security
and less approachable/generally applicable. If you want these recommendations
as well, feel free to email me, my email's in my bio.

------
bane
Cybersecurity, as a field, is in desperate need of identifying different roles
within it. These roles are notionally understood within the field, but what
they are called and what exactly they do hasn't really crystallized quite yet.
You still see job postings for "Cyber-security SME" or whatever and the
organization has almost no idea what exactly they want out of the person they
hire. So they end up with bored, highly skilled, reverse engineers and
pentesters running automated scans, or overwhelmed "security guys" whose
career was running compliance checklists being asked to build a defensive
intelligence platform.

I call this the "Cyber Dash" problem where there's many different kinds of
Cyber-<insert job> but the industry hasn't figured out what those are, what to
call them, what they do, and what the requirements are beyond maybe a handful
of roles.

~~~
aiisjustanif
Identifying roles? SANS has done this 10 times over.

------
beardedwizard
I'm a senior level security leader and hiring manager. I focus on software
security. Ask me anything about what I see, or don't, in candidates.

~~~
allanbreyes
Can you talk about your interview process? e.g. types of interviews, screens
vs. on-sites, distributions, etc. What are the shortcomings that keep a
candidate from an offer in the final steps, e.g. the candidate passes
screening interviews, but falls short on an on-site interview. What are the
indicators you observe that differentiate a senior candidate? How do you go
about evaluating entry-level and junior candidates? Thank you!

~~~
beardedwizard
We do a few screens, starting with general security discussion - something
like: intro, light tech/coding - just to make sure we aren't completely
wasting our time.

The main interview centers on software security, and is focused on real world
scenarios. We avoid "explain this OWASP top 10 blah blah blah" kind of
questions. The goal is to see if you can reach the outcomes we expect,
regardless of how you may approach them. I don't care if you can explain SQLi
to me, you should be able to approach exploiting it on a live system.

We will:

* Give you a sample system and ask you to threat model it. Maybe you will use STRIDE, maybe you won't, but we hope you will find some threats using structured techniques.

* Ask you about secure systems you have designed, why you made the choices you made, and how you would make them differently today. We want to know if you have a methodology, a structured approach, and experience.

* Expose you to vulnerable code implementations, and running systems. We hope you will discover vulnerabilities.

* Show you examples of our systems, and ask you how you would secure them. We want to understand if you can see, and discuss security architecture.

* Role play developer interaction scenarios. Can you handle soft skills?

* Have you done any of this at scale? Do you understand how to make it work for 10, and 1000 developers? Explain your experience, how would you do it differently?

I can go on, but again the emphasis is evaluating whether or not you can do
the tasks we need you to do, with a high degree of quality in whichever way
works best for you, while also being able to completely ignore your resume if
we want.

It is extremely difficult for us to consider hiring junior candidates, and we
frequently encounter candidates with no deep experience. While it is unfair to
expect candidates to have spent time at home treating this as a passion
project, those are the ones I'm going to hire because they can deliver the
outcomes in an interview. To combat the hiring difficulty, we have arrived at
this approach which allows us to send candidates through the machinery
quickly, with low bias.

~~~
bawolff
> I don't care if you can explain SQLi to me

Huh, interesting. I work in infosec (but not a hiring person). I would normally
rank this as an important skill. Not because I actually care about getting an
explanation but because half the job is getting non security devs to care
about security issues/fix them/not make them in the future. In my experience
it is really difficult to do that if you can't explain the vulnerability to
them.

~~~
beardedwizard
I think you misunderstood. Almost anyone can tell you what sqli is, few can
demonstrate an exploit. You need to be much closer to the latter than the
former.

~~~
bawolff
That's fair. Proof of concepts definitely get the point across better than a
natural language explanation.

------
jonny383
During my degree, I had a crossover unit for cryptography. The unit was a mix
of computer science majors, and also a new "cyber security" degree the
university had recently started. This was a third year unit.

Holy-moly, did the cyber security students flop from the first class. It was
immediately clear that the new "degree" they had signed up for had not given
them even elementary math skills in comp. sci related fields (discrete math,
linear algebra). A few of them put in the hard yards, studied about a year's
worth of math and did okay. But the majority flopped out hard and failed.

The "degree" was dropped a year later. Poor kids.

------
danmg
This is a predictable pattern at this point:

1) Employers don't like the fact that the labour they require has skills that
take a lot of time to become competent at and the labour wants to be compensated
accordingly.

2) They get universities to start offering degree programs tailored to churn
out new graduates who are willing to work for entry level wages.

3) Employers complain that the grads who come out of these programs are
unprepared to do the same job as the old guard.

Using Metasploit, Nessus, and nmap should be a 1 credit elective course in a
CS degree. Not top billing.

~~~
jrott
Totally, it's the same pattern over and over again: we don't want to pay
technical talent that can actually do stuff, and won't or can't train the
people that are willing to work cheap.

~~~
danmg
Step 4, in the US at least, is to lobby for more H1B bodies.

While they may or may not have the skills that are actually needed, the H1B
system makes feudal servants bound to the corporation.

------
ackbar03
I feel like it's hard to teach cybersecurity formally. It deals with hacking
and by nature the spirit of hacking is hard to teach. I have learnt
cybersecurity as a hobby and have competed with our university team in some
well known online attack/defense style competitions (we sucked) and a lot of
this stuff is really hard to formalize. I guess you could teach the basics
like overflows, ASLR, stack canaries, basic assembly, but in the end it's up
to the hacker to string everything together to overflow a buffer, control the
return pointer, leak the canary, string together a ROP chain and pwn the
system, and this takes a lot of tinkering and discovery rather than prior
knowledge, although experience definitely helps. I guess it's also why some
random high school teenager could be going up against the hacking team from
Tencent in these competitions. And this is only for binary exploitation mind
you. If you look at some of the crazy talks from DEF CON, the stuff they do
draws upon a lot of random knowledge, and it comes down more to the act of
piecing everything together than knowing anything beforehand, hence the
"hacking". And that's also why I love it :)

~~~
scollet
Sounds like they need to bring apprenticeships to the field.

------
mettamage
Call me naive, but isn't simply completing every live hackthebox.eu box a good
way to get some practice in to apply for certain security roles? Hacking 20
boxes on various levels to me seems that you have what it takes. The easy ones
are Metasploit and so on. The medium ones are attacks like SQLi or injection
into MongoDB. The hard ones are simply a chain of those things with a lot less
intelligence to go on. The insane ones also put some binary analysis or C
vulnerabilities in there (e.g. heap overflows or ROP attacks of stripped
binaries).

Then again, I'm far too early in my career to know whether simply rooting all
live boxes is good enough. Doing so myself has definitely helped me at my job
as a full-stack developer to make the company I work at more secure.

Here's an example of an "insane" box:
[https://www.youtube.com/watch?v=p8XkVDRtTQg](https://www.youtube.com/watch?v=p8XkVDRtTQg)

And this is a "medium" one:
[https://www.youtube.com/watch?v=7QXzebQHEWA](https://www.youtube.com/watch?v=7QXzebQHEWA)

------
jamescun
I find this article very interesting. I'm coming at this from the other way
around. I am a Site Reliability Engineer, so I've been writing code,
architecting systems, building networks etc for 8 years professionally; I am
however eyeing a more security oriented position so only now I am looking at
courses and training.

------
jtdev
In my experience, C-level folks just want someone who can produce a dashboard
or executive report with a bunch of green check marks that basically say “yay!
We’re secure”. They don’t care about the why, how, if the check marks are
actually meaningful, etc. This mindset is then reinforced by vendors selling
security snake oil - the entire infosec domain is a shit show; if infosec
practitioners ever want to be taken seriously, they need to collectively get
their shit together and organize around some real tangible standards.

~~~
Izmaki
There's the MITRE ATT&CK Framework
[https://attack.mitre.org/](https://attack.mitre.org/) which is gaining
attention and seems very promising (although it of course isn't the golden
answer to all questions, it goes a long way to cover the basics).

------
Whinner
I’m in Georgia Tech's online MS in cybersecurity program and have argued these
points a few times. Most of the cybersecurity classes are just CS classes. I
think it was just a money grab to repackage their existing CS degree into a
more marketable package.

I’ve argued that we should have some type of network and OS hardening classes.
There is a required network security and secure computer communication class
but they are much more about programming vs implementation. The counter
arguments I get are that what I’m suggesting is more aligned with a vendor
cert. But a lot of cyber security is doing the hardening of OS and proper user
access.

A lot of the cyber students end up switching to the policy track instead of
the information security track. They are admitting students with almost no
prior CS experience. They get away with only having to take an intro to cyber
security CS class. Their remaining classes are all management classes
marginally related to security.

I’m going to use this article to back up my arguments that there is more to
cybersecurity than programming.

------
WrtCdEvrydy
As someone undertaking a Master's in Cybersecurity, that table is totally
true.

Most of my courses have a programming alternative for assignments yet the
students alongside me have very little interest.

I've been doing this a while so maybe I'm just an outlier as I've always been
the guy who is the jack of all trades, but I can't help but see something
unknown as something to learn.

~~~
Izmaki
Don't ditch programming. Knowing how programs are made will in some situations
help you understand how they can be abused as well.

~~~
WrtCdEvrydy
Of course not... after 11 years as a software engineer, it would be difficult
to not do it.

------
iuguy
Krebs does not work in Cybersecurity, does not come from a position of
knowledge or experience in Cybersecurity and his only skill relating to
Cybersecurity is doxxing people.

I could understand if this was "Thinking of a Cybersecurity journalism career"
but there are better people to learn from.

~~~
pentae
Perhaps instead of going after the author you could go after his ideas? It
seems like quite a well written essay imo

~~~
iuguy
Shall I do that for everyone who _does not work in the industry they are
advising people on_?

------
lormayna
In my opinion (working as security architect for a US Fortune 500) technical
skills are mandatory, but they are not enough for a successful career in
cybersecurity. You need to have great communication skills (writing a great
pentest report is probably the most important and difficult part), negotiation
and persuasive abilities (sometimes you have to accept risks against budget,
deadlines and business requirements). In the cybersecurity community I see a
certain degree of elitism (don't use Kali, don't use Metasploit, etc.), but we
need to understand that they are just tools, so anyone is free to use the tool
they are more confident with and that is more appropriate for the tasks.

------
leafboi
If it can be done without a degree and largely by self study then most of it
can be packaged into a course or a book with practice problems and labs that
anyone with dedication can complete and come out competent.

Maybe such a course that covers what's needed to get into that top 10% doesn't
exist yet but I'm sure it can exist and I would gladly pay for such a course
to attain the required mastery rather than explore the space haphazardly
myself.

Do any professional security experts know of such a course? Are any of you
willing to start one?

------
bawolff
So this article is not what I expected.

I agree that hands on skills are important. And I agree that candidates often
lack them.

But I'm not sure that the skills in the article are really hands-on skills.

For example, the article talks about picking up a book on TCP/IP. That's not
hands-on, that is theory. I also question what type of cybersecurity degree
program this is, where you don't learn how the internet works?

All the things in the article sound like stuff I would expect a
"cybersecurity" degree to cover. They don't sound like things that need to be
taught practically.

------
aiisjustanif
The amount of people completely forgetting and not even mentioning:

* Cybersecurity Incident Response

* The behemoth that is SIEM (nowadays called security analytics platforms) and everything else Blue Team

* The role of centralized Vulnerability team and Threat Intelligence team

* And Red Team for in-house vulnerability detection to support the previous bullet

Is alarming.

------
ciprian_craciun
Very interesting article, but at the same time it depicts a very sad truth...

[Disclaimer: also not a certified security professional, but I do follow the
topic and practice it hands-on from time-to-time...]

However I think there are multiple (sometimes non-overlapping) types of
cyber-security professionals / roles:

* the policy maker / enforcer -- which is what some companies want, and what the most well known people out there (including Schneier, Krebs, etc.) are blogging and speaking about; (to put it metaphorically they are the ones in charge of designing an IT "hygiene", and making sure everyone "washes their hands" properly;) :)

* the operations security -- which should make sure systems and networks are well locked down, patches properly installed, watches out for suspicious activity, and if he is capable enough tries to check the boundaries and limits of the firm's security; this is another role most companies want, what some courses train for, and what usual bloggers write about;

* "applied cryptography / security" developer (for the lack of a better name) -- which (if he knows better) should make sure proper well-known techniques and best practices are used throughout the developed applications, and when necessary (if not already covered by existing solutions) is capable enough to mix cryptographic primitives;

* "high budget zero-day" researcher (also for the lack of a better name) -- which is mostly employed by state level actors to discover zero-day vulnerabilities, and on the other side employed by large corporations (e.g. Google, Microsoft, etc.) to make sure their most valuable systems aren't vulnerable to those types of attacks; these are the guys that come up with Spectre and Meltdown and other very low-level hardware related vulnerabilities;

* (many others that escape me at this moment...)

Each of these roles requires some different traits and focus areas, which most
of the time aren't strictly related to IT or security; for example:

* the policy maker should be well versed in social sciences and human behavior, as in the end he has to work with people;

* the operations security person should be as capable (if not more) than any of their "normal" peers in all matters of network and systems administration;

* all of them must understand that in the end security is a spectrum (i.e. from air-gapped-system to no-authentication-internet-connected) and it has to take into account a balance between internal cost (development, operations, etc), end-user costs (e.g. how cumbersome it is for the end-user to log in), risks (e.g. is the data valuable enough to protect it with 2FA), time-to-market, etc.

So in the end I think the underlying problem is that most companies want "one
cybersecurity guy", and most candidates see themselves as that "one guy", when
in reality there is no real person that can actually fulfill all these roles.
Just like nobody wants to hire "a developer", but a "web developer", or an
"embedded developer", so should companies specify what kind of security
professional they are looking for...

~~~
brownbat
> * (many others that escape me at this moment...)

* Threat hunting / attribution

Familiarity with clustering incidents and pivoting between actors by attack
signatures.

Or before that, do you even know what an APT is? (Probably only a small
percentage of CS grads.)

* Malware RE

* Post incident forensics

Random tools and skills that come up...

SQL keeps coming up even though I try to avoid it. There's generally an "SQL
person" on the team that drives simple queries but having the basics down will
be faster.

Visualization tools that help diagram clusters of incidents, though these
might be declining in importance.

Beyond the network stack, understanding common network services, how people
(criminals) register for domains and set up virtual services, techniques for
C2.

You can play around with RiskIQ as a free user. You can read _some_ reports
from FireEye, Symantec, Crowdstrike, etc. for free to see how they do it. The
MITRE ATT&CK framework collects a lot of it. Most CS students probably don't
know those names though or where to start.

An understanding of criminal law and/or geopolitics doesn't hurt.

~~~
saagarjha
> Or before that, do you even know what an APT is?

You mean that Linux command thing? ;)

------
cyberbanjo
That's surprising to someone not in CyberSec that so few can do basic tasks of
their job. I wonder how they declare the bar for basic or not.

~~~
dx87
I used to do interviews for pentesters at an old job, and I was surprised as
well. I think it's because CyberSecurity is relatively new, so companies have
no idea how to hire for it, and end up hiring whoever can talk the best. I
interviewed a lot of people with titles like "Senior Cybersecurity Engineer"
who had no security knowledge beyond how to run an automated scan against an
IP range, and put the findings it printed out into a report for management.

~~~
PenguinCoder
And yet here I am with half a decade actual experience in 'Cyber Security',
can write passable Golang, C, C++, Python, hands on, real world knowledge and
experience of threat actors and APT TTPs, for Blue team threat hunting,
IDS/IPS signature creation, incident response... etc.

And I can't even get a callback from any other company, because I don't check
the "Bachelor degree required" box.

Fucking, awesome.

~~~
staticassertion
That's very surprising. I don't have a degree and at Dropbox, the last company
I worked for, dropouts were more common than those who held a bachelors.

Maybe there's something else going on?

~~~
user5994461
Location most likely.

Search cyber security jobs on indeed in London and there is hardly anything
coming up. I can't imagine what it's like in a small city.

------
7174n6
As with most positions, the largest obstacle to getting a job in security is
overcoming the HR Gatekeepers. The hiring system is broken. Those who
successfully attained a job are those who generally have networked their way
around the first line HR personnel. Get your name out there so that hiring
managers know who you are. Blog, go to meet-ups, make friends, do
capture-the-flags, create a website, create a Git repo, and a home lab that you
write about.

~~~
staticassertion
TBH while a lot of people say the shortage is a myth, I am not so convinced. I
wouldn't personally hire most people in infosec because I think the industry
has the wrong idea of what the career should look like.

 _Most_ people in infosec have no coding skills. That isn't their fault, they
aren't told it's important. I think it is, so I won't hire them. That just cut
out the vast majority of candidates with a single criterion, and I believe a
_lot_ of the criteria are broken.

