Since my employer decided to update my job role from IT admin to Security Awareness Specialist, this might be close to the perfect time to get things moving in this part of the atmosphere.

I started my infosec journey about 4 years ago, thus changing my path in a very distinct way. And it all started, basically, because someone tried to phish me in my former position. As the most tech-savvy person in the office at that time, I took it on myself to figure out what happened there, because it wasn't the worst out-of-the-box phish.

  1. it came from a legitimate email address we regularly communicated with
  2. it was a reply to a mail we actually sent out previously
  3. the mail referred to requested documents which we could download via the provided URL (which was quite common)

The mail arrived in our shared inbox and I just had a weird feeling about it, so I went to check the sender name to see if I recognized it, but the sender name was something Spanish, which was odd. The sender address was correct, though. So I checked where the URL would lead me, and it pointed to a .es domain, and that just didn't fit in any legitimate category in that context. So I warned my colleagues, asked our IT service team about what to do and then ... I couldn't just let it go somehow.

Coincidentally, I was late to the party and got a somewhat modern hand-me-down smartphone and just wanted to figure out how to use it in a somewhat privacy- and security-aware way, and that web search led me right to Darknet Diaries episode 105 - Secret Cells. After that I started listening to all episodes from the start and basically never stopped.

Apparently in dire need of something new to learn, I looked into the whole shebang: I tried different Linux distros in VirtualBox (the Arch Wiki is your friend) and tried my first steps in Python. I read my way through EFF's Surveillance Self-Defense Guide and the VeraCrypt docs and worked through networking basics until I decided to switch fully into a cybersecurity career.

I was stupidly lucky to find a company in the city I was living in that specialized in Managed Security Services with Next Generation Firewalls and that had open slots for apprentices starting asap. I applied at about 21:00 and had an invitation for an interview at 21:10.

I started in my now trainee spot about two months later, a week after the full Russian invasion of Ukraine. So, my first months of professional training were full of "cyberwar" (gonna address that term sometime later), system hardening and custom IoC feeds.

A year later I got my first certification (Check Point Certified Security Administrator) and already switched gears into compliance topics. A German law went into effect that year that mandated Intrusion Detection Systems (not even response) for critical infrastructure. So I helped put together a quick-check evaluation to check for compliance and, hopefully, honest overall improvements of security posture.

Shortly after, we took over the service for web-based security awareness training (there it is) to integrate it into our managed service model. And since I was already becoming a Jack of some Trades, knowing a little of many topics, and kind of available, I was in the new team.

My apprenticeship has been done for some time now and I landed in this field of security awareness and, oh boy, is there stuff to do. Having some insights into the technical side of IT (Security), I do recognize some shortcomings, which are mostly due to the fact that people people and tech people often don't work that great together and both sides bring their own, sometimes erroneous, assumptions into the stew.

I am by no means an expert in this field. I will be, though; come time.

And I hope you can learn a thing or two from the things I'll learn and share here or from the mistakes I made or will make.