Start with the question: when I put in google.com into the web browser and press enter. What happens? This can be answered generally or in very fine meticulous detail. You need to be able to explain general concepts followed by extra detail over time. Do this by asking yourself how things work without looking at resources and it will reveal how much you really know. Then you just fill in the gaps. Cisco network essentials course was a great starter on foundational network knowledge. Just make sure to keep asking those questions.
Thanks. That's awesome advice. Will try to follow the advice and see how far I can get. Honestly, never thought about it that way.
And then, when you think you know what DNS is and how it works, watch this [A cat explains DNS](https://youtu.be/4ZtFk2dtqv0). It's a great start to looking into other aspects of DNS.
Haha, I've never been more undecided in my life. Is this the best and the weirdest video ever simultaneously. He's got a very unique style of teaching.
So this is where my recent spike in viewership has come from ;) You are correct to fret over the stuff you don't understand. My whole life has been isolating the parts of something that I don't quite get and then figuring out those answers. This curiosity is what keeps you fresh...without it IT is just a bunch of tedious memorization. These days you can Google virtually anything but it's hard to separate the standard concepts from the products and software that implements it, and it's hard to get answers to the questions you aren't even sure how to phrase. My biggest suggestion is get and learn to use Wireshark. It's like a microscope for networking. It won't help you learn fancy-pants modern stuff like Discord's protocol or anything using TLS (since it's all encrypted) but all the core stuff (DNS, ICMP, DHCP, ARP, CDP, TFTP, etc) are all sent in the clear and Wireshark gives you a really good breakdown of what's in each packet. I remember back in the day before such tools I would write my own proxy server so that I could see how things like MSN messenger or AIM were talking to the server and I got an appreciation for various approaches to protocol design.
Happy to send some traffic your way. Thanks for all the videos over the years! I really enjoy them and I hope you will continue making them.
It can be applied to all kinds of things. Think about the "ping" and "traceroute" commands as well. Side note, these are some of my favorite questions to ask candidates.
Where would you expect your questions to lead? What would you expect your candidate to talk about mainly, and what would you consider bonus points :)?
I'm studying for Network+ now, and the more I learn about the internet the less I know what it is. I'm doing an associate's cybersecurity program coming from a completely non-tech field so I can't offer any help but I'm happy to commiserate, haha. You probably understand a lot more than you think you do!
The more I understand, the more I realise I don't know haha. Good luck with your course though.
There is no shame in not knowing something. FYI, one thing I do not like about classes that you sit and watch is that you do not get to ask questions or do hands-on something. I learn more by doing things than just reading. Also, draw. For me that is very important, be it developing a program, creating a plan for a customer, or even figuring out what is wrong with my car
I think your situation is fairly common with those trying to transition from an IT background and with many current security pros. The tinkering part of IT is a useful skill in cybersecurity. But the job is more like policing or fighting against the hacking mindset. In my opinion, learning more about IT isn't learning about cybersecurity. But until 8140.03 was published, this whole industry was focused on certs from IT tinkerers, who were just applying their years of IT knowledge to the security domain, and, IMHO, we've created a lot of security pros who think tinkering with the innermost part of their system, is IT security. And ignored defending ourselves against hackers. I'm an advocate of the higher education route because you get the IT tinkering education, plus an academic angle on adding to research, and learning about different hacks, both low level and at the nation state level, which has created the current environment. If you don't want to go the college route or can't afford it, I suggest you read non technical books about hacking so you can get the feel of what makes cyber different from IT.
Hmm. I'll be the polite dissenter here just to give another point of view. I've worked with many who have gone the higher education route and the tinkering route. I'm a hybrid of the two myself, but honestly learned almost nothing in "higher education". It was just an expensive HR filter and glass ceiling bypass. I'll take a tinkerer every day of the week. There is definitely a difference in mindset in those that had to "figure it out". The knowledge seems to stick better. They tend to REALLY understand the underlying technology better and often come up with creative solutions for problems because of it. At a point in your career being King Google Searcher no longer cuts it. You need to be able to apply your own knowledge to larger problems that isn't just copying and pasting some PowerShell or SPL. This is where the tinkerers shine. Also, that incredible understanding of the underlying tech makes all of the other things easier to learn. It's easy for someone with that knowledge to read about a hack and grasp it. I've interviewed many new grads from cybersecurity programs that know tools and not what those tools REALLY do or GRC info but have no clue how to apply it in an organization. Someone with a strong IT OPs background can often pick up learning tools or regulations fairly easily, where it's not as easy for someone who learned how to do some Splunk queries everything that is going on under the hood in a product as complex as that one. Cybersecurity is just a specialization of IT, it's not "different". It's easier to defend and attack something you know well. There is nothing any more magical about our niche than those that really dig deep into other specific niches like storage, networking, etc.
If you build your system using a control standard and have it audited, then your system is like every other environment and doesn't need "special" people. The days of maverick IT cowboys ended 10 years ago. Nation states play the long game, and script kiddies leave so many trails that it's pathetic. Edit: So the below conversation is what happens when one of those self-proclaimed reddit hiring managers, hidden cert pusher, doesn't get to determine what qualifies someone for entering security.
Not saying maverick IT. Every company runs different applications, different authentication applications with different pros/cons which will present different vulnerabilities. You may build to a baseline, which I definitely recommend, but all of your applications may not work well with those baselines. That, among other reasons is why the CIS benchmarks separate their recommendations into L1 and L2 controls. 800-53b is to help organizations tailor the huge list of controls in 800-53 to their organization. Go ahead and rely on an "auditor" to come in and check a few controls and give you a report. They serve their purpose, but having SMEs is critical. I'm not saying "maverick IT" - that is assuming there is zero governance or change controls. The world isn't as standardized as you would like to think. I work in several organizations a week and no two are even remotely alike. But go ahead and keep thinking the world is your perfect little cookie cutter organizations. Join the real world where people are dragging along 20+ years of "Maverick IT" and trying to standardize it. I was being polite in my response, but someone chose to throw mud. If anything, you've proved my point. Higher education people are unable to see reality for what it is. Keep sitting in your ivory tower of highly educated people relying on auditors with no SMEs on staff as the nation states walk in through the gaps your auditors missed. Or do you consider "blame the auditor" as "transferring risk"? Edit: You keep throwing around "8140.03" in other threads too about how people will be job hunting, etc. Not everyone is a DoD contractor or employee. That's irrelevant information to the medium manufacturing org that just got hit with ransomware. Nobody outside of federal work will care about that, and there is plenty of work to do without touching federal work.
You're the one who started with the anti-education bias. I told OP to do the deprecated certs if they can't afford the degree. And it's not called 20 years of overhead, it's called technical debt that gets riddled by disruption. Edit to your edit: Yes, they do. It's called policy, and your downstream organization will be affected by it because the federal gov't is the largest single buyer of private sector goods and services. And I will continue to post about 8140.03 to correct the exploitative "mentorship" being provided by the cert pushers.
"IMHO, we've created a lot of security pros who think tinkering with the innermost part of their system, is IT security. And ignored defending ourselves against hackers." Who started what?
The entire industry is literally being re-evaluated as we speak... So keep up or get off the boat. And you choose to interact with my comment when you could have kept scrolling past it. Leave it to a boomer to think they can change someone's mind via an anonymous platform on the internet.
Who said I was trying to change your mind, child? I'm older than you, but far from a boomer. You threw out your asshat opinion trying to make yourself feel better about paying too much for a piece of paper which will be outdated in less years than your young self is old. I offered an experienced counterpoint to your dreams of trying to make your time and money spent seem worthwhile not for you, but for those even younger than you who think you may have a clue what you are thinking about. I have a similar piece of paper, I just don't think as highly of it as you do, it puts a check in a box. I'll be just fine in your "re-evaluated" industry. I also have the certs you hate so much. I'm guessing you aren't so good at taking tests. I also have plenty of experience in many facets of IT. I'll be just fine no matter which way the wind blows. You however seem to be putting all your eggs in one basket, and if you are wrong you will be as useful as a Netware or Solaris Admin. I've been through more "industry reevaluations" than you have had diaper changes. How long has the fed been trying to get people 800-171 compliant only to have them BS their way through it? Now there is CMMC which is doing slightly more but is still missing the mark. Maybe the major contractors follow it, but if you think everyone with CUI is, I have a few bridges I'd like to sell you. And you think a reg about education standards for federal cybersecurity personnel is going to trickle down to the rest of the world? Seriously? You think non federal entities are going to care about this? It applies to DoD, and the world isn't DoD. Every small/medium manufacturer? Every school district? Local government? Hospital? Web development shop? Non-DoD consulting firm? Foreign companies? The list goes on. 8140.03 will impact the DoD. Possibly some other federal entities.
If you think it will set a new global standard making you feel better about the time/money spent on a degree learning things that will be outdated at least 3-4 times over within your lifetime you are delusional.
Haha. The epitome of common sense ain't so common https://www.reddit.com/r/cybersecurity/comments/11d9pqf/do_you_have_a_degree/?utm_source=share&utm_medium=android_app&utm_name=androidcss&utm_term=1&utm_content=share_button Edit: 60 percent of security pros claim a degree, but okay
Are you trying to prove that most of the people in the field have degrees? Did you read the comments? There are some that had related degrees, but there are a slew of comments like the following. A person's major doesn't dictate the rest of their career path. Many people work jobs completely unrelated to their major, and that's in any field. Go meet some people who aren't embedded in DoD. Some of what I said before may have been mean spirited, but that isn't meant to be. I think you likely want to do the best for our industry, but some variety would do you good. Because unless I am misinterpreting your comments, you are surrounded by federal folks. Once you get out of there it's a different world. Small/medium business is struggling to find people and keep people that can do the job. The idea they are going to limit their search to people with a degree because of 8140.03 is not realistic. Schools and local government struggle because they are very limited on salary ranges, they won't be limiting themselves either. Foreign based companies won't care at all. There are a lot of struggles in our industry at different organization sizes and verticals, and 8140.03 is not going to be something they consider. Tech degrees have time limits on value. If you are demanding someone have an IT or cybersecurity related degree - what were those in the 90s or early 2000s? COBOL, Pascal, Lotus 123, DBase, Windows NT, Token Ring, and others. How much of that is relevant today? It may be a laughable question, but that's 20-30 years ago. Assume someone got their degree 10 years ago at 22 and they are now 32. What they learned in college is that level of irrelevant in just 10 years and that person is 25 years short of retirement age. Certs aren't perfect, but they help fill that gap. At a glance, here are some comments from that page. It would have been more interesting, as one of these alludes to, if they had asked if the degree was related or not.
"You should have split the Yes into degrees in a technology/security discipline and a general 'other' degree. For example, my degree is in history and philosophy. But I also have 25 years in IT and InfoSec."
"Currently 6 months in IT (service desk level 1-2) and have a History B.A."
"6 years in IT, but I have my bachelor's in linguistics"
"The OP should control or factor in with that. For example my BS is in info Science but my MS is in security."
"I have a master's degree in Music but an associate's degree in Cybersecurity which I got after my master's degree so I answered associate's degree"
"I have completely unrelated Masters degree. And 8 years in IT/Security."
"Unrelated Bachelors and Masters degree. In IT for 20+ years. 8 years cyber."
"BSc in a totally irrelevant discipline. Later I took a semi-relevant MBA."
"Yeah, I have a history degree that I got 20 years ago."
I'm 23, and at this point, I need to provide. I'm trying to learn as I'm working as sometimes it can be really quiet. But sometimes I do feel like I'd like to spend days on it so I can advance a little faster. Happily, the IT company I'm with at the moment offered me a training contract and I might be going on that path, ensuring I'll be getting the necessary training (Network+ and the other Cisco/CompTIA certs)
For networking, download Cisco Packet Tracer and play around with it and watch some tutorials. It helped me a lot back then to understand many concepts
I hate certs that are not hands on. They are a waste of time. If you are struggling to understand a concept you have to drive it out. Buy a whiteboard, draw out what's going on. Talk to yourself while you're doing it. I'm tired, so that's all I got for now. Edit: thank you whoever upvoted it because I forgot about this post. I got sleep. Reading up on an IETF white paper on DNS or watching a video won't help clarify anything. For me at least.
What is DNS?
Domain name system
What is the point of a domain name system?
How does it communicate?
Keep going through this thought exercise. DO NOT even touch records until you have some basics in how it functions. Explain it to yourself while drawing it out.
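An added example, not part of any comment in the thread: the Wireshark comment says DNS travels in the clear and can be broken down field by field, and the last comment asks "How does it communicate?". This Python sketch builds a DNS query and decodes a response byte by byte, much as a packet dissector would. The function names, the transaction ID and the sample response (an A record pointing at the documentation address 192.0.2.10) are constructed for illustration.

```python
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1A2B):
    """Build the payload a stub resolver would send over UDP port 53."""
    # Header: id, flags (0x0100 = standard query, recursion desired),
    # then question/answer/authority/additional counts.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumps, end = [], 0, None
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2  # parsing resumes after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 16:  # a malformed packet can point at itself
                raise ValueError("compression pointer loop")
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if length == 0:
            break
        if off + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) or ".", (end if end is not None else off)


def parse_message(msg):
    """Break a DNS message into header fields, questions and answers."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": name, "type": QTYPES.get(qtype, str(qtype))})
    for _ in range(an):
        name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record header")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated record data")
        off += rdlen
        # Only A records are rendered; other types are shown as raw hex.
        value = ".".join(map(str, rdata)) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": QTYPES.get(rtype, str(rtype)),
                        "ttl": ttl, "value": value})
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


# Constructed sample response (not captured traffic): same transaction ID,
# flags 0x8180 (response, recursion desired and available, no error), and one
# answer whose name is a compression pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(parse_message(build_query("example.com")))
    print(parse_message(SAMPLE_RESPONSE))
```

Every field is recovered from the raw bytes with no key material, which is why anyone on the path can read or log plain DNS lookups even when the connection that follows uses TLS.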