
Thank you, Ashley. So yeah, hello everyone, thank you for attending my talk. I hope you guys have been enjoying the conference so far. My name is Josh Dominguez, and I'll be talking about tips and insights for people who are early in the journey of their cyber security career. Let's see, okay, yeah, my talk will be short and sweet. First I'll do a short introduction about myself, then I'll go over my motivation, why I wanted to do this talk, and then we'll go right over to the tips and insights that I have. At the end, if we have time, we'll go over some Q&A.
So yeah, a little bit about myself. I'm an application security analyst at Mirai Security. I've been with Mirai for almost a year now, and Mirai is one of the leading cyber security consultancies in Vancouver slash the Lower Mainland. Here at Mirai we help clients from different sectors with securing their business operations, so we have clients from financial, health, mining, education, real estate and so on. As for my education background, I hold a Bachelor of Science degree. I graduated from SFU last year, during the heat wave actually, I had my online convocation, and I majored in computing science. I also hold a Security+ certification from CompTIA.
Before being an analyst I just played a bunch of capture the flags and attended workshops and conferences like this one. Outside cyber security, I love the outdoors, exploring BC, and I play a bunch of musical instruments. So as part of our AppSec team we do different kinds of security assessments for our clients. We do a lot of application penetration testing engagements, especially web application security testing. We're also a multi-talented team, so we also do vulnerability assessments for our clients' IT infrastructure. And part of our engagements, aside from testing, is that we do a lot of client communication: meetings, calls and emails, and reports. We write a lot of reports.
I once wrote a 100-page report for one of our vulnerability assessment engagements, and yeah, client presentations as well. Other things that I've been personally involved in are things like leading a vulnerability management program for one of our clients, so managing assets for our client and making sure that the high severity vulnerabilities on the systems are patched. I have also been involved in an early security investigation for one of our clients: during one of the assessments that we had, we found strong evidence that there was a malware implant on some of the machines, so I was part of the early investigation of that incident, and that was on a long weekend
too, so that was interesting. I've also hosted an information session for one of our clients, where I had to talk about what happens after a corporate-owned laptop that is connected to their IT network gets compromised by a threat actor: how the attacker can do maximum damage after that initial access, and the business impact and implications of that for the whole organization. As well as helping build internal tools for our team to help us with assessments.
And yeah, so why did I want to do this talk? Because I've been there. I've experienced the same struggles of being new to the field, or just, you know, breaking into our industry, so I know what it's like. And I've seen and learned a lot of valuable things from my time as a security analyst, so I just thought of sharing some of these with you to help you guys have smoother sailing in your early cyber career. With that, let's get right into it. So for my first tip, actually a pre-tip, it's about taking notes. Yeah, it's a simple one. It sounds obvious to you, but it is important, and a lot of juniors,
or a lot of people who are early in their cyber security career, usually don't get into this habit of taking notes, and I'm guilty of this as well. The problem is, you will forget a lot of things. It'll happen, because there are just too many things to remember, too much information to process. But if you keep asking your teammates, your team lead or whoever, things like "oh hey, sorry, I forgot how to do this, can you explain this to me again?" or "oh hey, what did the client say again? I'm sorry, I forgot", if you keep doing that it'll just
cause unnecessary friction. Time will just not be well spent, for you and the other person. By taking notes you can save a lot of time and effort for you and the other person, because you have something to refer back to. So that's easy enough. Now for my first actual tip: take advantage of free resources. You might find that a lot of times you need to fill in the gaps in your hacking slash penetration testing skills, as I did as well, and the good news is there are tons of free resources out there. I still use these a lot. Just quickly going over this table,
feel free to take a screenshot, and by the way, this table is not an exhaustive list. So yeah, CTFs. Actually, capture the flags, for those of you who are not familiar with what a CTF is, are essentially events where you can solve different cyber security challenges, and there are tons of CTFs happening each week. You can check that out on this website, ctftime.org. This CTF called picoCTF, I really like this one because it's focused on beginners. They have advanced challenges as well, but I've used this a lot in the past, and they leave their challenges on the page even after the event so people can practice.
So yeah, check that out as well. Labs and training grounds: Hack The Box is a really good one, they have challenges from beginner to advanced skill level. OverTheWire is a really good resource, they cover a lot of the basic stuff. Learning materials, there's a bunch out there, from TryHackMe and Hack The Box Academy. This one I really like, the one from PortSwigger, it's called Web Security Academy. It is focused obviously on web application security, but they have tons of labs and tons of learning materials, and I still use this a lot even now, and it's free. If you're interested in certifications,
check this website, it's called pauljerimy.com, and they have a nice chart of different security certifications for different cyber security domains and the difficulty of each certification, so check this page out as well. Blog posts and YouTube pages: there are tons out there from various researchers. GitHub is a really good resource, they have a lot of tutorials, guidelines, tools, you name it. Reddit is a good resource as well; it can be subjective, but still great resources, they have a lot of subreddits about cyber security. And YouTube pages like Null Byte and LiveOverflow. Clubs and small organizations: a lot of universities around the world
have security clubs that you can join, even if you don't go to that university. A lot of them have Discord servers that you can join, so check them out as well. Local groups here in Vancouver, such as DEFCON 604 and the OWASP Vancouver chapter, I believe they hold monthly meetings, monthly sessions, and they've been really helpful. I've been attending a lot of them, so go check them out. And things like news and podcasts: the one that I really like is Darknet Diaries. They're really good, and they're really compelling in their storytelling. So yeah, I've learned a lot from these resources myself, and they've
helped me improve my cyber security knowledge and skills, so go check them out. All right, moving on. So for my second tip, it's about not solely focusing on your hacker tools slash pentest tools. Your toolkit is still definitely important, but tools are not the whole story of hacking slash pentesting. The problem is, even if you have all the state-of-the-art pentest tools out there, you can still have an incomplete assessment or miss important vulnerabilities if you're not looking in the right places or just approaching it the wrong way.
You should focus on more important things, such as how you think: being creative, thinking outside the box, observing patterns, looking at the bigger picture, things like that. Things like developing a solid testing approach or solid testing methodology, like doing proper recon first. Recon is short for reconnaissance, that's when you gather as much information as you can about your targets, so doing that first before jumping into your testing right away. And things like thinking about the root of the problem, or the root of the vulnerabilities or security issues that you find. Sometimes two different issues arise because of the same underlying issue or underlying problem.
I've struggled with this a lot as well. I realized my camera just turned off. But yeah, I've struggled with this a lot, especially when I just started in the cyber security industry, but shifting away from this tools-focused mindset has really helped me a lot. Our future engagements became more efficient, and I found more vulnerabilities that I wouldn't have found with this tools-focused mindset. There we go, hopefully my camera is back. As one example, in one of our web application security testing engagements I was able to find a hidden flaw in the application, and doing extra maneuvering steps ultimately led me to things like privilege escalation issues
where I could do admin functionalities even if I didn't have admin rights, and things like accessing sensitive data of other users, such as full name, home address, email, social insurance numbers or SINs, things like bank information, employment information, all that juicy stuff. I would have missed those security issues if I still had that tools-focused mindset. That was a fun engagement, actually. But yeah, long story short, focus on this quote-unquote hacker mentality. More than just knowing X amount of tools out there, having this mentality will help you more in the long run.
All right, so for my third tip, it's about relating the technical parts of cyber security to the business side of things, and this is really important in our industry. One of the most important things that you need to understand in the infosec industry is the business impact of cyber security. So when clients and organizations bring you on board as a security expert, it's to help the business stay secure or be more secure. If you don't understand the business side of things, or the deeper essence of cyber security, or if you can't relate the technical issues that you find to the business of your clients or your own
organization, if you're part of their security team, you won't be able to do a true and complete security assessment. Your assessment will just be less valuable to the business of your clients. What's more, most of the time you'll find that you'll have to speak to people like executives, owners and directors about cyber security, and they are non-technical folks. So if you go all-out technical with them and just dump all the technical details on them, it'll just fly over their heads, or they just won't care about those technical details. So you also have to have a common language with those non-technical folks and speak cyber security in business terms
in order to work in concert with them. Excuse me. And yeah, I'm guilty of this as well. I struggled with this especially when I just got into the industry; I was only focused on the technical stuff. But after focusing on this business impact mindset, I noticed that I was able to provide more value to our clients. Clients were able to better understand the importance of the security findings that we delivered to them, which often resulted in the remediation actions being taken or being put on top of their priority list. I also noticed that I was able to provide better business recommendations in general. So in our assessments, not only do we provide the security issues
that we find, we also provide business recommendations to better guide them in the right direction and increase the security maturity of their organization. And because I understand the business side of things better, I'm able to provide more valuable business recommendations and help them make informed decisions, or better-informed decisions. So yeah, once you have this business impact mindset ingrained in your mind, you'll find that you'll be able to do the same and provide more value to your clients or your own organization. So keep this in mind, keep this in the back of your mind every time. Whenever you see a vulnerability, ask yourself: how does this impact, or how does this affect,
the business of my clients or my own organization?
All right, for my fourth tip, it's about the importance of soft skills. They do matter a lot, and we often forget to work on them and only focus on our technical skills. Guilty as well here. I've had my early struggles because certain areas of my soft skills were lacking, and it did slow down some of the engagements that I had early on. Soft skills are often overlooked, but they're still very important in our industry. As a matter of fact, as you can see here, according to an annual global survey done by ISACA in Q4 of last year, 2021, one of the things that the survey covered was the top
skill gap in today's cyber security professionals, and what came out on top? Soft skills. By the way, the survey was sent to cyber security professionals and managers around the world, and 54% of them answered soft skills as the biggest skill gap in our industry. I was surprised by this actually, but it kind of made sense. Like I said, we focus so much on our technical skills that we set aside our soft skills. So yeah, you should work on and focus on your soft skills as well. Things like your communication skills: how you communicate with your clients and with your team, whether that's written or verbal, or an
in-person setting or remote setting. Even if you're technically bright, if you can't communicate your knowledge properly, that's no good. Things like your writing skills, so reports and documentation. You will write a lot of reports as a security analyst, and they are a very important part of any security assessment. Things like presentation skills or speaking skills, when you're doing client presentations or hosting workshops or information sessions. If you notice some presentation screw-ups in my talk or from other speakers, learn from my mistakes and do the opposite. And things like your teamwork skills or your interpersonal skills, like I said, working with your clients or your team, getting along
with people. If you're a douchebag, nobody's gonna want to work with you, right? And things like time management skills, how you prioritize your tasks, respecting other people's time, and things like your organizational skills. Focusing on your soft skills will do wonders for your cyber security career. At least for me, I've noticed how much I became a more well-rounded security analyst after focusing on this area. Report writing doesn't take as long as before anymore, I don't struggle as much anymore. My presentation and speaking skills: I get my points across to clients better and my ideas across to my teammates better. Client presentations have become smoother than when I started, and
I'm even able to speak at a conference like this one, which is awesome. So yeah, the importance of soft skills might be obvious, but it's still easily forgotten. In fact, so much forgotten that it's still considered one of the top skill gaps in our industry. So yeah, you should focus on improving your soft skills now, or sooner rather than later. And lastly, compassion. You're probably like, compassion? What the hell does that have to do with cyber security? But what I mean by this is being compassionate to other people: to your fellow juniors, to other people who are just learning, other people who are just trying to get into the cyber security industry,
and obviously to your superiors, but also, most importantly, to yourself. I struggled with this as well, and still do sometimes, where I am being too hard on myself for making silly mistakes, small mistakes, and for not knowing things. But tell yourself that it's okay to make mistakes, it's okay to not know things, and it's okay to admit that you don't know things. Nobody's perfect. You should have this slogan on a t-shirt or something that says "paul but he's nervous". Yeah, don't be too hard on yourself. Everybody starts somewhere, so it's okay if you don't know certain things yet. What's more important is taking the
steps to improve them. Have confidence and believe in yourself. You'll find that you can do so much more when you stop doubting yourself, or doubt yourself less. Things might not be smooth sailing all the time, but don't be discouraged. Just think, don't think that you've failed yet, just think that you're pretty successful. Embrace your shortcomings, embrace imperfections, while continuing to improve on them. Stay on course, hold your head up high, and enjoy the rollercoaster ride of cyber security.
And I believe that is it, that is all the tips that I have for you today. I hope these have been insightful for you guys. Just to wrap everything up, here are some closing thoughts. Being in the cyber security industry is more than just hacking, it really is. It's more than just being almost a robot. It involves many things, such as translating security to business risk and business impact, putting importance on soft skills, and being compassionate to others and to yourself, especially throughout your journey. And really, if you notice, these are just simple and basic principles, but it doesn't mean that they're less valuable. They're often overlooked, but they are still very valuable in our
industry. And that is it, that is all I have for this talk. Thank you so much for listening, I hope you guys have learned some valuable insights from what I've shared. I quickly want to thank the organizers of BSides for having me as a speaker at this conference. This is actually my first time being a speaker at a conference, which is amazing. So thank you for making this event possible. There's a lot of work that gets put into organizing a conference like this one, so thank you so much for making this possible. Thanks again, everyone, and feel free to reach out to me on LinkedIn.
But yeah, I'll open the floor for questions. I think we have time.
Did I not have my camera on the whole time?
Thank you, guys.
All right, there seem to be no questions. Yeah, thanks again everyone for having me, thank you for your time, and good luck on everyone's cyber security journey. Enjoy the rest of the conference. Bye now.