Originally published by Switchup.com on 12/6/2018. Read the original article here.
Online business has expanded rapidly over the past several years, and the demand for information safeguarding has increased as well. As demand grows, employers are finding it challenging to hire cyber security specialists with the skills necessary to combat cybercrime.
Evolve Security Academy alum Ryan Le recognized early on that cyber security skills were becoming a valuable commodity in the tech sector. Ryan spent six years as a software developer, where he worked closely with security teams members. He felt frustrated with his lack of security knowledge, and started to learn cyber security on his own. Eventually, Ryan began to look into Evolve Security Academy, and was impressed by their comprehensive curriculum, instructor support, and affordability. He decided to first participate in Evolve's bootcamp, and later signed up for their more specialized penetration testing course.
In a recent Q&A, Ryan tells us about how Evolve's hands-on curriculum helped develop his skills, and how he uses cyber security skills at his new role at Speedbridge.
1. What was your educational/career experience before joining Evolve Security Academy?
I was a software developer with over 6 years of experience in information technology covering all stages of the development life cycle in business process analysis, requirement gathering, high-level design, development, testing, QA, and post implementation support. I got my Master of Computer Science in Computational and Applied Mathematics, Analytics, and Risk Management at Harrisburg University of Science and Technology.
2. What made you choose to invest in cyber security training?
During the 6-year period working as a software developer in multiple phases of the development cycle, I encountered the topic of cybersecurity over and over again. One of the projects that I worked on was ATPS (Automated Title Processing System) for the Ohio Department of Public Safety. As a government agency, they highly valued the importance of security in every aspect of the organization. On the other hand, as a developer, the majority of my focus was on functionality, performance, and user-friendly features.
Without a background in cybersecurity, the extra time spent writing code to add security layers and protect data from unauthorized users felt like an inefficient use of my time. There was often a debate between developers and security team members because we weren’t able to use certain technologies due to our lack of security knowledge. This motivated me to start researching cybersecurity and learn how to secure applications properly for different types of technologies.
However, trying to learn on my own was overwhelming. There were so many different cybersecurity resources and without a strong networking knowledge, it was very challenging to navigate. I knew I needed a course that offered guidance rather than just resources and that’s when I found the Evolve Security Academy Bootcamp. I was impressed by the comprehensive curriculum, instructor support and the affordable price compared to its competitors’ offerings.
3. You first participated in the Bootcamp and then took the more specialized Pentesting Training. How did they differ?
I put a lot of time and effort into preparing, learning and practicing during the Bootcamp. I started with a bare minimum knowledge about networking, and at the end of the bootcamp, I had a great understanding of networking. I also gained confidence in my ability to perform a full assessment on an IP address or even a subnet from scanning for port discovery, to vulnerability exploitation and reporting. What I really enjoyed during the Bootcamp was the Red Team/Blue Team exercises, where we were divided in groups and took turns attacking and defending our systems. At the end of each exercise, we got very useful feedback from experienced instructors about what we did right and what else we should do next time, which made the next iteration even more fun and interesting.
After the Bootcamp, I gained more interest in cybersecurity and wanted to take it to the next level, which was the reason I decided to take the specialized Pentesting Training. The course delivered more than what I expected since we had a lot of opportunities to practice on actual labs (almost every day). Each of the labs comprised of a variety of vulnerabilities, which allowed us to learn many different techniques to penetrate a system. As a result of my training, I recently joined the Cyberforce competition organized by Argonne National Laboratory as a RedTeam (attacker) with fellow Evolve Academy alumni.
As soon as I connected to the network, I knew exactly what to do and started hacking into the target systems. Due to the extensive amount of practice during the Pentesting Training, I quickly got access to multiple systems (before the Blue Team discovered and patched the vulnerabilities), dumped all the sensitive data out to my host machine, established persistence, and in some cases shut them down. Out of more than a hundred Red Team members at the competition, I was the only one who was able to exploit the ShellShock vulnerability, one of many techniques that we practiced multiple times during the Practical Pentesting Track.
4. How did you prepare for the trainings?
For the Bootcamp: as I mentioned above, I barely had any knowledge about networking but fortunately the Evolve Academy website pointed me to some very good resources to prepare. I went over almost all of them except the Python exercises since I already knew those pretty well as a developer.
For the Pentesting Training, I did not need to do anything to prepare for it since the Bootcamp had prepared me pretty well already.
5. Tell me about the learning environment at Evolve Academy. What was the curriculum and live-online instruction like?
The learning environment was pretty interactive between us as students and the instructors. The curriculum was very comprehensive as shown on the website. What I really liked about the Bootcamp is that they were flexible in adjusting the pace of the course based on the progress of the class, so we never got bored because the course went too slow or felt overwhelmed because everything went too fast.
6. Evolve Academy is known for their hands-on curriculum. Could you tell us about a project you worked on during the training?
One of my favorite projects that I worked on during the training was the Red Team/Blue Team exercise on a Linux system. In the first half of the class session, we spent time researching how to harden a Linux system with multiple techniques: disable unnecessary ports and services, modify user rights and permissions, enforce SSH login using keys instead of username and password, modify the firewall rules using iptables, set up snort rules as an IDS, and so on. For the second half of the class session, we started to attack the other team. Since we knew the types of vulnerabilities that their system had, we were able to try different techniques to penetrate it.
Fortunately, they did not patch everything correctly. We were able to gain access into their system to deface their web app, steal data, establish persistence, and so on. However, after a half hour, their IDS detected our unauthorized access, which allowed them to figure out our IP addresses and they kicked us out of their system. We then tried to find different ways to gain access to their system again. It was rewarding to apply the skills I had learned in a hands-on environment.
7. What was your biggest challenge during the bootcamp, and how did you work to overcome it?
To be honest, I did not have a lot of challenges during the bootcamp since the lab instructions were clear and easy to follow. As a developer, I had a certain skill set that allowed me to go through those labs pretty quickly. The real challenge that I encountered happened when I went through the Pentesting Training. Some of the practice labs were very hard to gain access to. I spent hours doing research and tried many different techniques. Sometimes my persistence paid off and sometimes it did not, however I was learning the whole time. Fortunately, the instructors were available to provide guidance on how they would approach the problem. Getting an inside view of how a professional penetration tester approaches the various tasks was a unique and incredible learning experience.
8. Where are you working now? Describe your day-to-day role and how your new skills add value.
I work for Speedbridge where we focus on providing operation efficiency and security for our clients’ businesses. Currently, I am working on a project that helps one of our clients build a secure web app. I handled both the frontend and backend of the app as well as DevOps on some occasions. The knowledge that I gained through the Bootcamp and Pentesting Training really have changed the way that I write code: from the implementation of authentication and authorization to the way that we handle data (at rest and in transit) and many others like input validation, countermeasures for SQL injections, XSS and XSRF. I’m able to take on more responsibility and more authority on the project, which will assist in accelerating my career.
9. Do you have any advice for people who are interested in pursuing cybersecurity?
I highly recommend the Bootcamp and Pentesting Training for anyone with a programming background or simply an eagerness to learn the industry. Whether you want to build a secure app or change your career path to the cybersecurity industry, if you are willing to put in the time and effort, the two courses will certainly take you from zero to hero within the 5-6 month period.
Take the next step to launch your career.
Apply for the upcoming REMOTE /04 live-online Bootcamp by December 8 to receive a $500 discount.
Register for the upcoming Penetration Testing live-online training by December 8 for the opportunity receive a full scholarship.
This post was sponsored by Evolve Security Academy.