My name is Stephen Chapendama and I am currently an Assistant Systems Consultant for the University of Hertfordshire and also a Technology Consultant for Foundervine. I studied Computer Science (Networks) at the University of Hertfordshire and now currently focus on cybersecurity within the Infrastructure Development team.
In February 2018, I wrote a blog post about how I got a job in cybersecurity. At the time I didn’t know what an impact the post would have and the number of people who would reach out. Fast forward to April 2019, I had the pleasure of expanding more on this topic at Afrotech Fest with a talk titled, “Cyber Security: It’s not all doom and gloom!” Afrotech Fest is a tech festival by and for Black people of African and Caribbean heritage and it was great to engage with people from tech and non-tech backgrounds all interested in finding out more about cybersecurity.
Cybersecurity is one of the most interesting fields in tech, as it’s ever evolving. Threats are discovered daily, attackers find new ways to cause havoc and those defending have to consistently stay on top of this. From the outside looking in, it can be difficult to see how you can make your way into information security. But like every tech role, one of the most important skills to have in infosec (information security) is the eagerness to learn. Practise makes perfect, and with security, there’s always more than one ways to carry out a task, so by practising and honing your skills, it will make transitioning to infosec easier.
How do I get involved?
Certifications are always a good indicator and a great way to put yourself ahead of other candidates. If you’re already working in tech, one of the best certifications to get at entry level to show your understanding of security is the ISC: Systems Security Certified Practioner(SSCP). It covers topics such as:
- Access Controls
- Security Operations and Administration
- Risk Identification, Monitoring, and Analysis
- Incident Response, and Recovery
- Networks and Communications Security
- Systems and Applications Security
If you have access to resources like Pluralsight, LinkedIn Learning or other e-Learning platforms, you’ll find they tend to have course material for SSCP.
For BAME women looking to get support in their journey into cybersecurity, highly recommend Seidea, who offer support through lectures and webinars by industry experts.
Other entry-level certificates to look into:
- Microsoft Technology Associate (MTA) Security Fundamentals
- CompTIA Security+
- GIAC Information Security Fundamentals (GISF)
Good practise begins at home
Having a test environment will help on your journey into infosec. Recently the NSA released one of their internally developed cyber tools, Ghidra. For any security enthusiasts, it presents an opportunity to test out what this tool does and knowing what an attacker has in his tool kit, makes you a better defender. If you have an old laptop you no longer actively use, it’s always great to install Linux on it and use it as part of your testing environment. If you have never used Linux before and are looking to learn, highly recommend OpenSUSE or Ubuntu, as a start off point. This will make you comfortable using Linux, especially the command line. Once comfortable with Linux, I recommend using one of the following security operating systems:
- Kali — is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering.
- Parrot Security — is a GNU/Linux distribution based on Debian Testing and designed with Security, Development and Privacy in mind. It includes a full portable laboratory for security and digital forensics experts, but it also includes all you need to develop your own software or protect your privacy while surfing the net.
These can be run as a virtual machine on your computer using VirtualBox.
But what if I can’t set up a home environment?
This is fine, services such as HackTheBox.eu exist for this reason. If you are developer, you will enjoy the challenge of getting an account on HackTheBox as using the dev tools, you have to hack your way into getting an account, fun right? Well, this method isn’t for everyone. If you are not so confident in making an account, they recommend you focus back on improving your skills as it only gets harder after that. TryHackMe.com, however, offers a cloud solution where you can practise on their labs and improve your skills without the need to purchase anything. The more confident you get, you will be able to design your own labs for others to practise on.
But why is practising so important?
An interesting cybersecurity statistic recently reported by tech company Proband was that there are more cyber breaches in the UK than we have rainy days in a year!
43 per cent of UK businesses have had some kind of cyber breach or attack in the past year, meaning that since 36.4 per cent of days have some rainfall on average, security breaches are more common than rainy days on these shores.
The need for more infosec professionals is increasing and for a lot of businesses, they are filling these roles internally. Having an environment to practise your skill set, be it virtual or your own labs, you are able to learn new skills quickly and then utilize some of these at work. If interviewing for a role in security, talking about the tools you are using is a great way to put yourself ahead of other candidates. And using tools like HackTheBox, you will find there are job boards linked to your account where employers can see your scores and the challenges you’ve attempted which lets your penetration testing do the talking. This is becoming very common as often employers now want candidates to demonstrate their skill set. I guess we are finally moving on writing code on a whiteboard.
Is there another way for me to get in?
The UK Government is currently funding cybersecurity apprenticeships in critical national infrastructure. This includes sectors such as:
- Civil nuclear industry
- Electricity generators
- Oil and gas
- Transport infrastructure
If you are wondering what kind of cyber threats happen in these industries, it is worth researching Stuxnet, a malicious computer worm which targetted Irans nuclear program. It is still deemed one of the most complex and sophisticated digital weapons as rather than simply hijacking targetted computers like ransomware or stealing information from them, it escaped the digital realm and caused physical destruction (causing a machine to overheat) on the equipment controlled by the computers.
Critical infrastructure is often the targets of malicious actors (some state-sponsored), so there will always be a demand for positions in these sectors. Apprenticeships such as these are great ways to transition into a different field as you get practical experience and if you are already coming from a different background, it makes your skillset unique. Universities have also recently started pushing towards degree apprenticeships to help fill the skill gap but so far this has proved more popular in America than the United Kingdom.
Companies are taking cyber security more seriously and as such bug bounty programs are becoming more common. Companies are willing to reward ethical hackers with money for finding vulnerabilities in their websites or apps. Starting your journey on your own virtual environment and then progressing through environments like HackTheBox & TryHackMe will lead you onto trying bug bounties and it can be a lucrative and exciting revenue stream.
If you are interested in finding out more definitely reach out to the Xuntos community, there are members from a range of tech and cybersecurity streams who can be able to help answer any questions.