There are a huge number of resources available on the Internet – literally thousands of blogs, pages, vulnerability databases, research information, conference proceedings, articles...
However, there is no substitute for direct, hands-on skills and experience. Many security companies and even individual penetration testers or network/systems technicians will create their own labs in which they can configure and reconfigure systems, try out exploits, compromise the security of boxes and then try to harden defences and attack them all over again.
This might sound expensive but you can build this up over time if you have the resources (and space) and various Internet auction sites and local recycling groups are a great source of cheap hardware. Linux flavours that run on lower specification systems can be found and virtualisation can also enable you to run several virtual servers on a single physical host (and to recover them easily if you end up breaking the operating system).
The best way is to try things out and practise in a safe way, and of course the Challenge games provide an opportunity to do this. However, clearly this type of activity is normally illegal if carried out against systems on the public Internet or on a corporate or campus network without permission.
If you are on a tight budget, see if any of your friends, family or local companies are disposing of any computers and ask if you can take those off their hands. It might be interesting to try and find out what data they have left stored on them – but be responsible about this, tell them (See http://www.sans.org/reading_room/whitepapers/threats/define-responsible-disclosure_932) and DON’T view or misuse the data.
One thing to watch out for: there are many legitimate sources of information, research and tools on the web, but there are also others that are less scrupulous – be aware that information, web sites and tools you might be offered could have effects or contain content that you might not expect or want.
There are many routes, but as ideas:
If you enter the competitions and are successful, especially if you progress to the face-to-face stages you are likely to meet people in the same boat and those who can advise you on options. So get involved!
Most of the challenge sponsors who attend the Challenge events are interested in identifying candidates with talent to add to their own ranks – many past competitors have found new roles through this route.
It is advisable to get a LinkedIn account and develop your profile so that you can interact with the Information Security demographic.
Many membership bodies run regular events, sessions and lectures for their members, and this would be a good way to meet people inside the industry, such as:
(ISC)² has free networking opportunities; as anyone seriously involved in the information security profession can attest, peer networking is an invaluable resource, so join an (ISC)² Chapter now: https://www.isc2.org/chapters/default.aspx
There are a range of private sector courses which might be suitable, some of which lead to certificates and accreditations.
Some examples of providers are:
And of course there are a number of academic courses at a variety of Universities.
There are many specialist information security job sites and recruitment agencies, so it is advisable to set up a profile on LinkedIn and develop your links to Information Security, accessing the right groups and getting involved in the discussions to find out more about the many companies and membership bodies that can provide careers and job pages. It is worth reading up about the Challenge's sponsor companies to see what they offer too. (See https://cybersecuritychallenge.org.uk/careers-with-sponsors.php)
The Internet is full of research and views on this topic... there are even dozens of notable bloggers and many companies such as:
General news feeds from BBC News or The Register (http://www.theregister.co.uk/) show how regularly cyber security breaches make their pages, and virus threats are often decomposed by anti-virus software vendors like Symantec: http://www.symantec.com/about/news/release/article.jsp?prid=20130415_01 and Microsoft: http://www.microsoft.com/en-gb/business/news/UK-failing-to-combat-cyber-crime-effectively-MPs-warn-801618744.aspx
CREST is an assessment and certification process for companies and their penetration testers. Several of its member companies such as PwC, IRM, 7Safe, QinetiQ and KPMG support the Cyber Security Challenge. Taking part in the Challenge process and becoming a penetration tester by trade will probably mean looking at progressing through the specific qualifications in that field such as CREST or the Tiger Scheme at some point. CREST awards the cost of its exam as one of the Challenge prizes.
A background in IT will always be useful in cyber security, information security, penetration testing and forensics. However, it is not essential and some people enter the profession from backgrounds like Theology, Business Studies or Geography. Key qualities are the ability to think outside of the box and to enjoy solving problems. Many disciplines are specialisms that can be learnt, developed or progressed into – for example a networking professional might find a niche in network security or forensics, an application developer could move into application security testing and a systems administrator could develop forensics skills.
You can research IT security and related skills on the Internet and try out skills in a lab or test environment – it is easier than ever to get hold of second-hand IT and networking hardware on various Internet auction sites or through local recycling groups.
There are many specialist information security job sites and recruitment agencies, so it is advisable to set up a profile on LinkedIn and develop your links to Information Security, accessing the right groups and getting involved in the discussions to find out more about the many companies and membership bodies that can provide careers and job pages.
Mathematics has a part to play in several areas of computer science and security – base conversions (Unicode characters and IP subnet calculations), algorithms (in computer programming), statistics (in anomaly detection, traffic analysis and risk analysis), modular arithmetic and number theory (in cryptography), electro-magnetics (disk drive and flash memory operation) and even game theory.
It would be worth developing IT and IT security skills as well as more general information security awareness from a variety of sources or books on the subject, and then seeing what opportunities allow you to move into your chosen discipline – the challenges are an excellent way to improve and develop these skills and several people have used these to move into a cyber security career.
There are several qualifications and accreditations that have value. Several MSc courses offer specialised and well-regarded Master's programmes in computer and information security, and lots of BSc programmes in IT and related disciplines will have computer or network security modules.
Then there are specialist qualifications and professional memberships – some operate at a level where some competence and experience exists and others have a more graduated path.
Then in the UK government space:
CLAS – the CESG Listed Adviser Scheme; a partnership linking the unique Information Assurance knowledge of CESG with the expertise and resources of the private sector. The Scheme aims to satisfy this demand by creating a pool of high quality consultants approved by CESG to provide Information Assurance advice to government departments and other organisations who provide vital services for the United Kingdom. Details of CLAS are provided at http://www.cesg.gov.uk/servicecatalogue/CLAS/Pages/CLAS.aspx
There are a number of academic courses at a variety of Universities.
If you like our Facebook page you will see that we have started to follow the universities that deliver these courses.
Specifically our main academic sponsors are listed here:
There are several skill areas that you could research, read up on or learn – these range from IT systems operation, operating systems and security models, application development and modern programming languages, networking and communications – there are also specific security areas such as penetration testing, reverse engineering, protocol analysis and computer forensics that are more advanced but may be of use particularly if you are already working in a technical discipline. (See DEVELOPMENT PATHWAYS https://cybersecuritychallenge.org.uk/development-paths.php)
There will typically be a demand for both; some engineering-type roles will place a greater emphasis on raw technical talent, ability, skills or qualifications – others, perhaps those which could be consultancy based or client facing, will require the ability to communicate widely and will give exposure to different people from different backgrounds.
In some roles the ability to convey highly technical information to a non-technical audience is one of the greatest attributes. Even in a deeply technical role you will benefit from the ability to work individually and as part of a team, to show enthusiasm and creativity, and to be able to clearly document findings, results or designs in document or presentation format. However, the course of your career could place a greater or lesser emphasis on all these aspects based on what you enjoy and are good at.
The purpose of the Challenge is to help identify talent, irrespective of what you may or may not have done in the past, as many cyber security roles give the opportunity to enter the workforce based on skills, aptitudes and capability rather than academic track record. Some companies and employers will inevitably draw candidates from the graduate community, and some will look even closer and seek out those with specific security components in courses studied, whether private, degree or at MSc level.
YES. There is a lot of information on IT apprenticeships available:
On the e-skills UK website: http://www.eskills.com/apprenticeships/individuals/ and through the National Apprenticeship Service: http://www.apprenticeships.org.uk/ with more focussed cyber security initiatives in this area being developed – so watch this space.
(Here are a few answers from the Challenge Alumni LinkedIn Group; they are opinions based on their experience only.)