Getting Started in CyberSec in Portugal

For the past week, I saw a few messages in one Portuguese developer community from kids coming out of college who wanted to get into Cyber Security and didn't know where to start. Although there are dozens (hundreds? thousands?) of resources out there about this, I truly feel they overcomplicate things and this is the right platform to make a list of some plans those folks can consider to get started.

1. Foundational Skills

I personally advise everyone to know some things about programming. Sooner or later, it will be useful for you to either write your own exploits, tools or scripts, or to simply read code and be comfortable doing so. Python is commonly used in cyber security, as well as in other areas of IT, so I guess that's a good place to start.

2. Certifications Route

There is a parallel industry for certifications in cyber security which might overwhelm those who are starting. If you wish to get started in pentesting, the eJPT from eLearnSecurity is a great, cheap starting point. Another flagship certification for getting you a job is OSCP but, despite being marketed as an entry-level certification, it might not be adequate for newcomers to IT for two reasons: pricing and knowledge. Build your foundation; you can take on this exam later.

TCM Security has 2 certifications that can be a good deal for you: PNPT and PJPT. The internet says knowledge-wise they are superior to eJPT and others, including the OSCP, but they aren't as established in the industry as they are newer. If you have the budget they might be an option for you.

3. Self-practitioner Route

For some/most Portuguese folks, certifications are way out of budget (unless they are getting company-sponsored, but I assume this will not be the case as we're referring to fresh graduates). The alternative is to get your hands in the dirt and put in the time. Start working through TryHackMe, which is great for newbies as it holds your hand and has content for newbies and specific topics. HackTheBox is also a great platform and it can be your next endeavour when you want a more challenging exercise.

The next things you can do in this approach include a bunch of self-taught and self-motivated experiences. You can work your way through bug bounties, CTFs and even do security research on applications/services/libraries you use and like. Who knows what you will encounter. The cherry on top is to find one thing you like that has a vulnerability disclosure program through which you can securely report your findings, if any, and (maybe) get rewarded for it.

4. Writing

At this point, you should really start writing things out in the form of blog posts. Even if you haven't found a major 0-day on a big library or you aren't rich through bug bounties, I find people that write their thought process and talk about their failures way more valuable than those who don't. It's simple: you're sharing knowledge and explaining your ideas and ways of looking at things. This will be a great thing for recruiters as they can judge your capabilities through your work.

I personally think people really like to flourish the experiences they have on research and bug bounties, so let me stress how hard this is and that it is totally okay to not find anything at all. The process and learning you get out of it is 100% what matters in the end. Perhaps you didn't find anything because you didn't know about a system or protocol, but now you can study more. Then after you have some more insights you'll conclude there are no security vulnerabilities there - but at least you learnt a new protocol/service/framework and in the next project of yours you'll be better prepared.

Aim to learn about those systems, and not to make money.

5. Networking

I can't stress this enough. Cyber security is a niche market within the IT field. Get to know the people in the field, attend meetups, conferences, and even submit talks to those. Introduce yourself, don't be afraid to ask questions and learn from them. From experience, everybody is super welcoming and willing to help you out. Keep in mind it is mostly through networking that the greatest opportunities will come to you.


Although I'm no career guru to give you any advice on anything at all, I believe these five simple, yet hardworking steps, will really get you an advantage to get you started in the field. Good luck!