Information Technology (IT)

Passed the entry exam so I'll be starting my programming education (specializing in .NET) soon, unfortunately I'm on a waiting list for probably a few more months.

Normally I was supposed to become a nurse but had to drop out somewhere in the final third of my first year due to an emergency partial lung removal surgery and subsequent chronic illness that made the physical aspect of the job impossible.

I was poor at the time and had a big (by Belgian standards, €4400) medical bill from the surgery so a US friend helped me get back on my feet financially by teaching me a bunch of stuff about the market for certain social media usernames and finding and exploiting security vulnerabilities in websites. The two go hand in hand.
IT initially didn't really interest me much before my illness made it clear I had to look for a different career but that time hunting and exploiting vulnerabilities was some of the most fun I've had.
 
I guess from the IT consulting side the certs trifecta is PMP, Lean Six Sigma, and Agile?

A consulting req that I crosswalked with some industry certs (bolded, underlined) based on the description (I'm not hip to cloud/AWS tho):

Minimum Qualifications:
  • Master’s or Bachelor’s Degree in Computer Science, Engineering, Business, or a related discipline, or equivalent professional experience
  • At least 7 years of experience in the technology industry, managing projects and leading product/service delivery teams through a full lifecycle
  • At least 4 years of experience in customer-facing consulting (strategy, transformation, or program management) - Cert: PMP
  • Career (1-2 years) exposure to SDLC life cycle or Agile delivery is desirable, which means:
  • Product Owner / Product Management - Cert: Certified Scrum Product Owner
  • ScrumMaster - Cert: Certified Scrum Master
  • Software development and testing experience
  • Continuous delivery using automation experience -
  • Familiarity with cloud technologies, technology delivery process improvement and optimization, data analysis, and KPIs reporting using dashboards and tools
  • Strong communication skills; experience presenting to executives as well as running and facilitating workshops and other collaborative sessions with customers such as value stream mapping, roadmap development for product delivery and cloud migration
  • Experience with Organizational Change Management (OCM) - Certs: ProSci, La Marsh, CCMP
  • Experience working with project management and reporting using tools such as JIRA, TFS, Rally, Confluence, etc.
  • Ability to create financial models to support Return on Investment (ROI), TCO (Total Cost of Ownership) calculations for customers
  • Ability to travel up to 75%, as needed
Preferred Qualifications:
  • Understanding of Cloud technologies (IaaS, PaaS, SaaS, etc.). Certification in AWS cloud platform is a plus
  • Understanding of AWS Cloud Adoption Framework (CAF), Migration Readiness Assessment (MRA), and Migration Readiness Planning (MRP) constructs
  • Understanding of Continuous Delivery using automation concepts i.e. processes, team structure and operating model, best practices, frameworks, tools, etc.
  • Exposure to scaled agile frameworks such as LeSS, SAFe, etc. Certs - Lean/Six Sigma, SAFe Agilist
Personal skills:
  • Self-starter with results-oriented, proactive management approach
  • Exhibits entrepreneurship, and embraces critical questioning, innovation, service and continuous improvement
  • Demonstrates excellent oral and written communication skills
  • Exhibits business acumen in a variety of industry verticals
  • Ability to learn on the job quickly and desire to develop expertise in AWS cloud platform
  • and Continuous delivery practices
  • Ability to work in a fast-paced consulting environment and collaborate effectively as a team member
 
I've talked to companies looking for a mix of things. PMP and Agile are in high demand, Scaled Agile doesn't seem to be in high demand yet, but I may pick it up for the future. I currently have my PMP, PMI-ACP, ITIL4, and AWS Certified Cloud Practitioner Cert, so it's time for me to chase the bag.
 
Throw a TS clearance in there and the bag is going to chase at that point.
 
Question for you guys that I've been struggling with.

Hypothetically, would you include an impressive hacking feat (that is also a crime) in your resume or job interview? A local IT company CEO was giving me a tour of his company a while ago and I decided to bring it up in response to his questions about experience. I told him about how I (allegedly) uncovered a 0day exploit on a big company's website that allowed me to log in on anyone's account without having to know any login details, which in turn gave me full administrative control of the service. I did end up reporting the 0day to the company at some point.
He seemed very interested in the process of how I discovered it and didn't really appear to judge or care about what I (allegedly) did with it, all his subsequent questions were about the method. At the end he said he was impressed by the method and ended up offering me an internship for later so I guess in that case it went over well.

I'm still wary of bringing it up though, I only brought it up in that situation because I wasn't there for a formal job/internship interview or anything. I've reported and gotten exploits fixed for a couple other companies (without abusing the exploit) but those are small and pretty basic exploits, nothing complex.

How would you guys handle something like this?
 
I, personally, wouldn’t disclose I ran the highest 40 while running away from a crime in trying out for the CFL/NFL.

Definitely raises questions on trustworthiness, ethics, morality, etc.

Just use the experience from the internship. Maybe try bug bounties as a way to validate pentest skills. If someone paid you or you found the zero day and stopped there and reported it....

However, that’s pretty cool.
 
Exactly what spiderjericho said. Just word it properly so it doesn’t sound like you’re implicating yourself of a crime.

First of all, thanks for your advice. From my conversations with various people in the IT industry, I'd say somewhere between 60-70% lean towards disclosing it but personally I'm more inclined to not disclose it.

(Any reference to criminal activity is alleged)
I like the idea of trying to package it in a way that makes it sound more whitehat instead of blackhat. However if I'm ever asked to prove my claim, my communications and informal agreement with the company explicitly mention criminal activities in relation to the 0day. There's also mentions of other criminal acts unrelated to the 0day.
Speaking of the company, I'd rather not explicitly name it so it doesn't show up on a search engine but it was the streaming service Tw*tch, shortly after they were acquired by Am*z*n.

My agreement with the company was essentially a mutually beneficial deal. I approached them first by accessing the account of the head of their security team to see what his email address was.
It states that my end of the deal was that I reported and helped fix the 0day, as well as an immediate and permanent halt to all account theft and username selling activities. There was also a demand that I keep quiet about the security vulnerability.

In exchange for that, the agreement states that the company would allow me to freely use their service again on 1 stolen account of my choice without the threat of continued bans for previous ban evasions related to the aforementioned activities. The condition for selecting a stolen account was that I tell them the username and that the account had to be inactive since the year it was created. Those were the only types of stolen accounts I had anyway, strictly ones that had been inactive for many years. The API showed when a user was last active.
Additionally, the company would refrain from investigating me, attempt to figure out my real identity or involve law enforcement.


All things considered, an agreement I'm certainly happy with. They seemed to focus almost entirely on preventing the flaw and its severity from becoming public, much more so than anything else. That was the very first demand they made in the process of making a deal.
 
nah bring that up fam thats super impressive
its called bug bounty
and u can paint it as such

if you are on twitter there are ppl who often discover such errors and they contact the company to make them aware to remedy the situation
be proud of what u did
 
I've been procrastinating on taking my Security+ for so long but I'm finally going to take it March 1st. I'll study as much as possible starting today.
 
As I said though, if I'm ever asked to prove my claim, my informal deal (established via email with head of security) with the company explicitly mentions a multi-year pattern of alleged criminality both before and after discovering the 0day exploit.

Official bug bounties tend to be above my current level of skill. The Tw*tch 0day was just a random idea that popped into my head while I was repeatedly changing accounts' original email addresses and replacing them with my own. It took about a month of testing to finally figure out the method to gaining full control over every aspect of the service. Tw*tch described it as very "unconventional" in my communications with them.

If anyone is curious about the 0day method, I can PM it to you since it's been patched long ago.
 
Anyone work as or know someone who is a Sr Customer Solutions Manager for Amazon? I have an interview coming up, so I’m looking for pointers.
 
Do you guys think it would be possible to land an entry level job by training with one of these online resources and then getting the Sec+ cert?
(Online resources like the Cybrary SOC Analyst career path which includes lessons, labs, assessments and practice exams)
 