I've been looking at a career change for a bit and I'm considering Cyber security, but it's a long term goal as my experience runs to:

- building computers and setting up home networks for friends and family
- running a home media server and building Raspberry Pi clients
- a bit of friendly IT troubleshooting (again friends and family).

My programming experience is:

- Writing games for the BBC Micro back in primary school - self taught (1989);
- programming in Fortran as part of my BSc Maths with Computing (and teaching all my mates to use it as well so they didn't fail the unit - 1999);
- working with the Arduino and Wiring to build a little GPS tracker that could send its location by radio (2012 - most of the programme was written, I just learned as much as I could and edited/amended it to do what we wanted and work with our hardware).

All hobby stuff. I can also solder, build basic circuits and crimp RJ-11 and RJ45 connectors to a suitable cable.

There seem to be so many routes in that I'm a bit lost. I think I'd probably be best getting some network experience and qualifications first but I'm just guessing. I can't do a full time degree (family to support and mortgage to pay) but I could take a job with on the job learning (apprenticeship, etc) and I do have time outside my day job to do online study.

Has anyone got any advice on how to get started (I'm based in the West Midlands)?
I'm not in cyber security myself, but have an interest too, and have dealt with a couple of firms in the Midlands-ish area. So.. Here's a bit of brain dump!

I wouldn't bother with a degree, to be quite frank. There are certifications you can look into, Offensive-Security do some, CREST do some, there's I think even some cyber security stuff from CompTIA. Not sure how vital paper is, though. Most of the time the various government agencies are going to recommend someone CREST approved, so while not mandatory, working for a company with that is probably a good thing.

If you'd rather just 'get on with it' then I'd look at what you can do at home. So, if you can, a small homelab that you can set up a dummy Windows network and try breaking into with various pen testing tools. Look into services that host stuff for the express intention of people hacking into it (So as not to break the law. Worth noting that using a VPS is potentially not legal (Terms of Service would clarify I expect), so keep it all in house or on sites explicitly for that activity). HackTheBox is invite only, but you will see a lot of talk about that one. Vulnhub is worth checking out, as is Shellter and Hackthissite. They're free, and focused on learning.

Cyber security is a hugely varied subject, so it's worth finding out where you'd find the most interest and entertainment. Feels a bit cheap to do it, but the /r/asknetsec wiki is full of links to various resources covering various aspects of it.

I've dealt with two companies loosely near you, Cyberis and Nettitude, both were quite capable and both seemed friendly in my limited exposure. I don't know whether they'd be open to talking about whether they had a beginner role or something that you could slot into or not, but it might be worth a phone call.

I'd suggest getting comfortable with Linux if possible. The majority of pentesting tools, as far as I've seen, are available on Linux. The easiest place to get a view of a lot of them would be Kali Linux (although there are a lot, and it may be overwhelming what to start with), as the distro provides a very well curated collection of tools. But, it's worth noting, that you don't need Kali to use any of the tools - they can all be installed manually on most/any distro. I've seen a lot of mention of Arch and raw Debian. I like Kali, though.

Offensive Security (Group/company behind Kali) also do some pentesting courses and whatnot, which might be of interest. I did briefly look into them, but time has erased those memories.

Check out some of the DEFCON talks that're on YouTube. There's often a lot that's no longer relevant, but it'll provide some insight into thought processes of people doing things like this on a daily basis. Also some of them are pretty interesting.

Links:

- https://www.youtube.com/user/BlackHatOfficialYT
- https://www.offensive-security.com/
- https://www.reddit.com/r/netsec/wiki/start
- https://www.hackthebox.eu/
- https://www.vulnhub.com/
- https://shellterlabs.com/en/
- https://www.hackthissite.org/
- https://crest-approved.org/
Get a job with an SI/SP or consulting firm (the bigger the better) doing just about anything technical and focus on making internal moves. I wouldn't bother with any formal training, and certainly not a commitment like a degree, before you're in that sort of position. No training is likely to let you walk straight into a cyber security role, and apprenticeship/intern programmes are going to be massively oversubscribed. Atos would be worth a look, afaik they still have a few main sites in the West Mids.
What part of Cyber Security interests you? I'm TD at a Cyber Sec company (although my background is Infrastructure, Networking & Cloud). For Pen testing etc you need to learn Kali & look at CREST or Tigerscheme certs. Basic courses start at around £5k & the exams are brutal (2 day practicals). This takes a while to build the experience but is where the big money is. For analyst type roles you can start with less experience as you'll mainly be reading logs, working out if it's a genuine threat etc. For these sorts of roles we generally fill entry positions with Uni leavers. There's also the Information Security route, but you need to love paperwork as you end up running ISO projects for people.