5 Ways to Boost your Cybersecurity Career in 2024
Summary
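TLDR This video explains five skills needed to take your career as a security engineer or penetration tester to the next level in 2024. Specifically, it covers cloud computing, PowerShell scripting, soft skills, containers, and cryptocurrency and blockchain security. For each skill, it explains clearly why it matters and how to go about learning it. It emphasizes that, beyond practical hands-on hacking, acquiring this up-to-date technical knowledge and these skills can help you stand out in a highly competitive field.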
Takeaways
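- 🌐 Cloud penetration testing requires knowledge of cloud permissions, service misconfigurations, and working with APIs.
- 💻 PowerShell and scripting skills help with a deeper understanding of Windows, access to the .NET Framework, stealth, and post-exploitation.
- 🤝 Soft skills (communication, teamwork, project management, and so on) are very important for technical people.
- 🐳 Understanding container technology (Docker, Kubernetes, and so on) is essential in modern application deployment and cloud infrastructure.
- 💰 Blockchain and cryptocurrency security is a growing field, and knowledge of it is needed to get ahead.
- 📚 Hands-on learning (such as project-based learning) is very important for acquiring these new skills.
- 🔍 Consulting documentation and following the latest research are essential for keeping your knowledge current.
- 🛠️ Using the right tools (cloud penetration testing tools, container tooling, and so on) helps you work efficiently.
- 🎯 Specializing in a niche (such as blockchain security) can make you more competitive.
- 🚀 Acquiring these new skills can take your career as a penetration tester or security engineer to the next level.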
Q & A
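What knowledge and techniques are important in cloud penetration testing?
-It requires knowledge that differs from traditional network-based penetration testing: how permission management works in cloud environments, which services are in use and their potential misconfigurations, how to work with APIs, and how to use the relevant penetration testing tools.
Why is learning PowerShell recommended?
-PowerShell leads to a deeper understanding of Windows and gives access to the .NET Framework, so it helps with stealth and evasion as well as post-exploitation. Another benefit is that you can borrow PowerShell scripts to extend your own toolkit.
What exactly are soft skills?
-Soft skills include the ability to communicate effectively and harmoniously with others, to work well in a team, and to manage projects, time, and resources. These skills are valued alongside technical ability.
Why is it important to understand container technology?
-Containers are the foundation of modern application deployment and cloud infrastructure. Because they can both strengthen security and introduce new vulnerabilities, appropriate security measures are required. You need to understand how containers work, how they are configured, and the relevant best practices.
What knowledge is needed for penetration testing in the cryptocurrency and blockchain field?
-It calls for knowledge specific to the field: the basic workings of blockchain technology, the details of smart contracts and decentralized applications (DApps), wallet and exchange security, and the latest research and development.
What vulnerabilities are commonly seen in cloud environments?
-Server-side request forgery, metadata endpoints, S3 permission misconfigurations, and credentials exposed in source code and configuration files are commonly seen.
Which book is recommended for learning PowerShell?
-The book "PowerShell in a Month of Lunches" is mentioned. It reportedly teaches not only how to write PowerShell scripts but also how to solve problems from a PowerShell perspective and where to look for reference material when you are stuck.
What approach is recommended for improving soft skills?
-You need to identify your weaknesses and focus on what you want to improve. If you want to get better at presenting, learn a technique for it; if task management is the problem, read a book on task management. The point is to set concrete improvement goals and act on them. Getting feedback from a manager or colleagues also helps.
What approach is taken when penetration testing a container environment?
-Container images and configurations need to be inspected carefully to identify vulnerabilities. You also need to check that proper network segmentation is in place and that secrets are managed appropriately.
What is the benefit of becoming a penetration testing specialist in the cryptocurrency and blockchain field?
-The field is developing rapidly and demand for specialists is rising. Building skills early improves your chances of finding work and advancing your career in this promising new field.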
Outlines
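🔑 Key skills for security engineers
This section describes the five skills a penetration tester or security engineer needs to succeed in 2024: cloud, PowerShell, soft skills, containers, and cryptocurrency/blockchain. It explains in detail why each area matters, how to learn it, and the related tools and resources. It emphasizes that acquiring these skills can set you apart in a highly competitive field.
🌐 The importance of containers and blockchain
This section focuses on containers and on blockchain/cryptocurrency. Containers are described as being at the core of modern application deployment and cloud infrastructure, able both to strengthen security and to introduce new vulnerabilities. Understanding container technologies such as Docker and Kubernetes is essential. Meanwhile, blockchain and crypto are growing in importance, and knowledge of smart contracts, decentralized applications, and wallet security is in demand. The recommendation is to learn the fundamentals of these fields and keep an eye on the latest developments.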
Keywords
💡Cloud
💡PowerShell
💡Soft skills
💡Containers
💡Cryptocurrency/blockchain
💡Penetration testing
💡Hands-on learning
💡Tools
💡Reporting
💡Continuous learning
Highlights
Need for knowledge of cloud permissions, services, misconfigurations, and tools to perform effective cloud penetration testing.
PowerShell skills are valuable for deeper Windows understanding, .NET access, stealth, post-exploitation, and script adaptation.
Soft skills like communication, collaboration, time management are crucial for technical roles.
Containers introduce new security challenges; understanding their architecture, orchestration, and proper configuration is essential.
Cryptocurrency and blockchain security is an emerging niche; understanding smart contracts, wallets, and decentralized apps is important.
Learning by doing through projects is recommended for cloud computing.
Borrowing and adapting existing PowerShell scripts can exponentially expand a pentester's toolkit.
Actively working on weaknesses and seeking feedback is key to improving soft skills.
Hands-on experience by setting up containerized environments and introducing misconfigurations is the best way to learn containers.
Keeping up with the latest research and development in the crypto and blockchain world is important.
Common cloud pentesting areas: SSRF, metadata endpoints, S3 permissions, credentials/keys in source code.
Effective pentesting reports are crucial, highlighting the importance of communication skills.
Container escapes, unsecured registries, and mishandling of sensitive data are common container security issues.
Smart contract vulnerabilities, exchange security, wallet security, and 51% attacks are threats in the crypto world.
Experimenting with creating and testing smart contracts is recommended for learning blockchain security.
Transcripts
what are the skills you need beyond
practical hands-on hacking to be a
successful penetration tester or
security engineer in 2024 and take your
career to the next level I'm going to
give you five things that you should
learn and also share some resources on
how to actually go about learning them
these won't just expand your knowledge
and skills but potentially set you apart
from others putting you ahead in an
increasingly competitive field if you're
new to the channel then don't forget to
like and subscribe and let's just get started
that's it so first up we have the cloud
and you might be thinking well a pentest
is a pentest and I'll just deal with the
cloud when I get to it after all it's
just somebody else's computer right well
whilst the goal might be similar to a
traditional pentest i.e. we want to
find weaknesses and vulnerabilities and
give actionable remediation advice
attacking cloud environments requires
knowledge of how cloud permissions work
what services are being used their
potential misconfigurations and of
course it doesn't help that new services
and changes are being pushed
literally all the time so for cloud
you're going to be spending a lot more
time with APIs and whilst you can learn
a methodology to work with you'll likely
be reading a lot of documentation on the
fly and of course there are cloud pen
testing tools to help you achieve your
goals but again that's another thing
that we're going to have to get to grips
with new tools some of the things you'll
run into a lot in the cloud are server-side
request forgery metadata endpoints
S3 permissions and of course credentials
and keys in source code and
configuration files and if you're
thinking to yourself a lot of these
things sound like web attacks rather
than more traditional network attacks
then you'd be right and so if you're a
network penetration tester it might be
time to dust off those web skills so
where should you go to learn about cloud
computing well most major vendors have
free training available so that's a
great place if you're starting from zero
and personally I tend to learn by doing
so I have some sub projects sitting in
AWS and I think unless you're starting
from scratch project-based learning is
definitely the way to go our next skill
is PowerShell but you could also add
scripting here too the reason I want to
put the argument forward for PowerShell
though is because it leads to a deeper
understanding of Windows gives you
access to the .NET Framework and can help
you with stealth and evasion and of
course post
exploitation I have to admit my PowerShell
skills are not particularly strong
but even a basic understanding can be
really helpful during a
pentest I personally originally learned
from a book called PowerShell in a month
of lunches and when I checked last week
there was an updated version published
in
2022 I really liked the way it taught
you not just how to write PowerShell
scripts but how to solve problems from a
PowerShell perspective and also where to
go and what to reference when you're
stuck or if something is broken another
real benefit of PowerShell is that once
you have a reasonable grasp of it you
can start to borrow and adapt scripts to
suit your needs for example I used to
take scripts from the Empire project and
use them in certain situations this is a
great way to exponentially expand your
potential toolkit as a pentester and may
open up new attack paths or options that
you may not have previously explored I
don't have much more to say on
PowerShell other than that so a short
and sweet section I suppose so next up
we have the dreaded word or phrase that
gets thrown around a lot and that is
soft skills but to me soft skills are
really a measure of interacting
effectively and harmoniously with other
people and particularly for technical
roles effective communication is vital
it could be explaining technical details
or it could be abstracting something to
help another department understand your
requirements soft skills do go beyond
communication though being a good team
member and collaborating effectively is
often an important skill we need to
master and managing projects time and
resources whether they are your own
or your team's is also very important too
so how can we improve our soft skills
well to begin with we need to decide on
what we really want to improve if you're
not so good at presenting or public
speaking then the Feynman technique can
really help or if you're always jumping
from task to task and fighting fires
then pick up a book on techniques to
better manage your tasks and time it
comes down to finding things that you
want to improve and actively doing
things so that they can improve
and if you can get meaningful feedback
from a colleague or a mentor then you're
going to be even more successful I was
recently watching something about soft
skills and it said hey you can be 10 out
of 10 technically but if your
communication skill is only three out of
10 how do you think people will judge
you and it's the same as a pentest a
good pentest is only ever as good as its
reports a pentest without a report is a
complete waste of time unfortunately
make sure you put a little bit of
time into improving your soft skills and
filling in any weaknesses that you might
have all right so now we have containers
which have basically taken over the
world and are now a fundamental part of
modern application deployment and cloud
infrastructure they can both improve
security and introduce new weaknesses
into a system so getting containers
right is a key part of the development
life cycle and of course as security
engineers and pentesters something that
we also need to be familiar with
containers provide an isolated
environment for your application to run
which can be a double-edged sword on one
hand it offers enhanced security through
isolation but on the other hand
misconfigurations can lead to
significant vulnerabilities some common
issues that we do find are container
escapes unsecured container registries
and the mishandling of sensitive data so
when it comes to pentesting in a
containerized environment you really
need to understand the technology that
you're working with so maybe it's Docker
Podman Kubernetes whatever but you need
to understand the security best
practices and in this situation it's
often critical to inspect the container
images and configurations for
vulnerabilities you also need to make
sure that there's proper network
segmentation and that secrets are being
managed appropriately personally I kind
of learned Docker a little bit by doing
at the start and then expanded my
knowledge by doing more research or
reading blog posts and documentation and
if you're looking to deepen your
knowledge of containers diving into the
architecture of
containerization understanding the
orchestration within things like
Kubernetes and exploring the tools in a
hands-on way is definitely recommended
and personally of course I think
hands-on experience is key so setting up
your own containerized environment and
introducing misconfigurations and then
trying to break it I think is the best
way to learn I did a Docker 101 video a
little while ago and so you can check
that out if you're interested and want
to get started let's talk next about an
area that's been gaining immense
traction and that is the world of
cryptocurrency and blockchain security
now I wouldn't usually recommend this to
someone who is still looking to build
their fundamental skills but if you want
to get ahead or find a niche then it's
definitely worth exploring with the
increasing adoption of cryptocurrencies
and the blockchain technology that
powers them understanding security
surrounding this technology is critical
so blockchain technology records
transactions across many many machines
in a way that the records cannot be
altered
retroactively however this doesn't mean
that they're immune to all security
issues common threats include smart
contract vulnerabilities exchange
security wallet security and network
level attacks like the 51% attack when
pentesting in the crypto world it's
crucial to understand how blockchain
actually works the specifics of smart
contracts and decentralized applications
or DApps you'll often be looking to
identify vulnerabilities in DApp
interfaces and ensuring the security of
crypto wallets and there is also a
growing need for specialists in this
field so getting ahead now can put you
at the forefront of an exciting and
evolving industry so if you're looking
to dive into this space then definitely
start with the basics of blockchain
technology and cryptocurrencies and
explore the best practices of crypto
exchanges and you can even experiment
with creating and testing your own smart
contracts and of course keeping up to
date with the latest research and
development in terms of the crypto and
blockchain world is important too so
that's it for this video once again if
you enjoyed it then don't forget to like
and subscribe and of course if you have
any questions then we live stream here
on the Cyber Mentor YouTube channel
every Tuesday and Wednesday
other than that you can always catch us
on the Discord to share ideas and meet
like-minded people catch you next time