Career head start!?

Those are definitely some big decisions. I think you should do whatever you feel is right for you. I think having a higher degree is awesome, and if you have the opportunity to do it and it doesn't put you into a big financial burden, go for it. If you worked right after school without going for your master's you would get more experience, obviously, but that will come eventually. I'd keep working, even if it was part-time, and go to school for my master's. Guys who have those higher degrees always get promoted faster and are eyed for management-type positions faster. Basically, you wouldn't see the immediate effect, but it will pay off in spades much more down the road, plus it is something that helps on the resume for getting your foot in the door.

You said you're in a help desk job right now. I would see about trying to move laterally into another position that is security related, even bargaining by saying you would keep the same pay as long as you can do the job. That way you can get the experience. If that isn't possible, see if you can still do the same job but volunteer to help out that position. It will show them that you are serious and that you want that type of job, and you can get the experience plus have it on your resume.

Pentesting is a lot of self-taught study. There are only a handful of schools that are teaching real offensive security. I'm using my GI Bill now to go to UAT for the network security course, where they teach offensive security type classes. Everyone has their niche and their specialty. I came from a system administration background. I have my MCSE w/ specialization in security, CCNA-S, CEH, OSCP, OSCE, etc. etc., but my background was always system administration. Some guys come from a coding background, others web or database, etc. You have to know a bit of everything, but it is good to specialize in one thing. Pentesting teams are typically diverse with people this way.

After your school I would definitely try to get a Jr. Penetration Testing position right off the bat. I would definitely have my OSCP if I were you as well. It's a tough course but definitely doable. You'll learn a TON from it. (Sometimes the positions are just called Security Consultants instead of penetration testers.)

As a consultant, you will have customers ask you all types of security questions. It could be system-type vulnerabilities or how something is supposed to be configured. You need to know a lot of varied things like system administration, web applications, etc., because you need to know how they are supposed to be properly configured / best practices in order to see if they are misconfigured. Misconfigurations are big, and I'd say half of the items I find during assessments are misconfigurations, and customers will rely on you to point those out.

The route I went was from a System/Network Administrator/Engineer to a security analyst position. So I was on the defensive side for a few years. As boring as it was looking at logs and being defensive, it helped me immensely later for the attacking side. I knew the type of tools defenders used, how they were deployed, what they looked for, reaction to attacks, whether the tools they are using are confusing to parse through, etc. Later, when I started pentesting, I knew how to evade certain things or throw enough crazy traffic to hide within the chaos while attacking.

Plus, when I started learning pentesting while working as a security analyst, I asked my manager if I could do internal pentesting for my company. They were cool with it, so I got practice doing that (as long as I wasn't bringing things down, of course). Obviously it got old quick, as I was pentesting the same infrastructure, but it helped me and them at the same time. From there I got a full-time job as a pentester (Jr. position) and then later got bumped up to a senior position.

Pentesting companies want people who not only have the knowledge but also the ambition, drive, aptitude and desire to learn new things, and someone who loves the job. Personality is HUGE, as you will be working with customers weekly on assessments. It could be remote, web applications, social engineering/physical gigs, or on-site internal assessments. Companies look for people who post to blogs (and have their own), who create new tools or scripts, and who talk at security meetups, conferences, etc. The tools or scripts don't have to be something groundbreaking or something that causes a shakeup in the community, just something. They want someone who gives back to the community, basically. If you start doing things like that in the near future, you'll have no problems getting that job.

/r/AskNetsec