Tesco Bank could do with this.

Get yourself a Linux distro like Black Arch or Kali...or any Linux distro and manually install required tools and learn from tutorials. If you want to learn to secure systems, you need to know how to break into them.

I'd suggest installing Arch Linux so that you learn a bit about how an operating system works, then install the tools from Black Arch repos or AUR as and when you need them based on tutorials you're following. Gentoo is good for learning too but requires compiling everything. If you need to hack servers, firewalls, routers, use KVM or Virtualbox. GNS3 will allow you to run Cisco router firmwares if you want to have a go at those. Recommendations for insecure systems that are easy to hack in order to learn the process are Metasploitable Linux and any version of Microsoft Windows.

If you find yourself using Windows at any point in this process (except for as something to attack) then you're doing it wrong.

There are also "war games" that are playable over SSH (you could even do it from Windows using something like PuTTY). An example is Bandit.

Think you need a certificate to get a job? Then you need to work on your social engineering skills, it's simply a process of manipulation.

Update - sent a few questions over to SANS
1. Funding – what is covered? Course only or more?
2. When is the closing date for applications?
3. It states London – do you run the same course elsewhere in the UK too?
4. Roles not in Cyber security understood. But does the applicant need to have an IT background or some level of proficiency if so to what level
5. Do you plan any online / remote learning by any chance?

Response below
1. In regards to funding, the course training itself is fully funded by the HM Government. Unfortunately we won’t be providing any accommodation for students, so students are expected to support themselves. This being said, there will be a number of scholarships available for students of the Academy. Sponsorships are available to assist students with accommodation and subsistence. Details will be released to all individuals that pass the Aptitude Assessment phase.

2. The final deadline for selection of candidates is set at December 21st. We are looking to put people into the Academy as as soon as possible, but the recruitment process will be ongoing. In summary, I would advise you to apply for the Academy at your earliest convenience.

3. Yes, the Academy will be held in Central London. This programme is currently being run as a pilot but we hope to run further Academies in the future. If this Academy proves to successful we would hope to run multiple Academies across different locations of the UK.

4. As the Academy is being run as a Retraining programme, it is designed to welcome individuals seeking a career transition.The application criteria is broad and encompassing to encourage people from all different backgrounds, not necessary from IT to apply. This opportunity is open to candidates who meet the criteria and have an interest in IT security, no prior knowledge is needed. The candidates will be selected upon their aptitude scores and suitability for the programme.

5. For 8 of the 10 weeks of the Academy, students are required to attend in-classroom training. The other 2 weeks are On Demand and Remote study weeks.

If we don't ask we won't know.

Cheers Dar! Nice to hear your perspective. In reality, I probably have a number of skills relevant already but just need to start actually using Linux and build from that. You've certainly given me food for thought.

Nmap I find useful for hotel wifi. Not that I'm trying to look for a default gateway and or open ports of 80/443/22/23.

It pains me when the dg is not .1 or .254! Bad design is worthy of a nose around!

Pretty good posts dar72. Had never heard of Arch Black before. Looked up some comparisons between that & Kali. May have a play with it at the weekend. Also had a quick look earlier @ the Bandit stuff. Definitely worth a play with..

Agree that you should be careful with what you post. Do you know of any decent forums where this is discussed more in a professional sense? Feel free to PM. Thanks

You don't need programming experience for Linux, I'm not great at programming myself. If you wanted to find vulnerabilities and code exploits then you'd need to learn programming. I've been involved in networking for over 10 years and used the Internet before it was cool.

Yes, that's what metasploit is. In reality, a lot of stuff isn't patched. Metaploit is just one tool and Metasploitable Linux is just a distro which is good for practicing using it as well as other tools. There's many other tools depending on what you want to attack. Heard of nmap? If not then look it up, even if you never use it to hack it will save you a lot of time doing networking stuff....don't know what IP a machine has and can't/don't want to login to the server to check DHCP leases? "nmap -sP -n 192.168.0.0/24"....there's all your pingable addresses on that subnet. Show anything with an open SSH port? "nmap -p 22 --open -sV 192.168.0.0/24"

You can use metasploit or nmap to do things like check for open SMTP relays, test things like insecure versions of SNMP, SSH and all sorts of other things

Nessus is good to run on your network though it's commercial so the free version is a bit restricted, that will tell you all the vulnerabilities, then try exploiting them yourself and then secure them.

Vagrant is very good for getting virtual machines setup quickly to play around with:
https://www.vagrantup.com/docs/getting-started/
That's an Ubuntu VM up and running with two commands! There are Windows boxes available but it has the annoyance of licensing and things, most of the publicly available boxes just install the trial/unregistered version. It is however great when I just need to test something on Windows or someone wants me to attend a webinar which uses nasty proprietary software (that is...pretty much all webinar software), once I'm done I just "vagrant destroy".

There's stuff written by people for you to use that allows you to do much more complicated things:
https://github.com/jhwohlgemuth/pentest-lab

I haven't used that one personally but it's an example of the type of pre-made lab that's available. It's cross-platform so you can run vagrant stuff on Windows, Mac, Arch Linux, Ubuntu, Red Hat...doesn't matter, all standardised as long as you have vagrant and the associated software.

The future of computing is in virtualisation, automation and SDN so learning things like Vagrant, Docker, Ansible, Puppet etc will be beneficial to you anyway....if not more beneficial than hacking skills from a career point of view.

In the real world most attacks are social engineering attacks. The weakest element of any system is the human element, you can patch your servers all you want but a high vis jacket and a bit of confidence will defeat your security quicker than anything. I have a lot of knowledge in this area of things but in ways it's an entirely different subject.

Hope this helps, PM me if you need pointing at anything more specific. I'm wary of posting things publicly here which would allow people with little experience to do this stuff.

Get yourself a Linux distro like Black Arch or Kali...or any Linux distro and manually install required tools and learn from tutorials. If you want to learn to secure systems, you need to know how to break into them.

I'd suggest installing Arch Linux so that you learn a bit about how an operating system works, then install the tools from Black Arch repos or AUR as and when you need them based on tutorials you're following. Gentoo is good for learning too but requires compiling everything. If you need to hack servers, firewalls, routers, use KVM or Virtualbox. GNS3 will allow you to run Cisco router firmwares if you want to have a go at those. Recommendations for insecure systems that are easy to hack in order to learn the process are Metasploitable Linux and any version of Microsoft Windows.

If you find yourself using Windows at any point in this process (except for as something to attack) then you're doing it wrong.

There are also "war games" that are playable over SSH (you could even do it from Windows using something like PuTTY). An example is Bandit.

Think you need a certificate to get a job? Then you need to work on your social engineering skills, it's simply a process of manipulation.

GCHQ gang at the ready!

Update - sent a few questions over to SANS
1. Funding – what is covered? Course only or more?
2. When is the closing date for applications?
3. It states London – do you run the same course elsewhere in the UK too?
4. Roles not in Cyber security understood. But does the applicant need to have an IT background or some level of proficiency if so to what level
5. Do you plan any online / remote learning by any chance?

Response below
1. In regards to funding, the course training itself is fully funded by the HM Government. Unfortunately we won’t be providing any accommodation for students, so students are expected to support themselves. This being said, there will be a number of scholarships available for students of the Academy. Sponsorships are available to assist students with accommodation and subsistence. Details will be released to all individuals that pass the Aptitude Assessment phase.

2. The final deadline for selection of candidates is set at December 21st. We are looking to put people into the Academy as as soon as possible, but the recruitment process will be ongoing. In summary, I would advise you to apply for the Academy at your earliest convenience.

3. Yes, the Academy will be held in Central London. This programme is currently being run as a pilot but we hope to run further Academies in the future. If this Academy proves to successful we would hope to run multiple Academies across different locations of the UK.

4. As the Academy is being run as a Retraining programme, it is designed to welcome individuals seeking a career transition.The application criteria is broad and encompassing to encourage people from all different backgrounds, not necessary from IT to apply. This opportunity is open to candidates who meet the criteria and have an interest in IT security, no prior knowledge is needed. The candidates will be selected upon their aptitude scores and suitability for the programme.

5. For 8 of the 10 weeks of the Academy, students are required to attend in-classroom training. The other 2 weeks are On Demand and Remote study weeks.

If we don't ask we won't know.

Students only or someone looking to career-swap into something like this?

Is a bummer - have asked a few questions and added response in thread.

I would attend this in a heartbeat if I lived in London. Unfortunately I don't and can't afford to spend a week there nevermind 10 weeks. Argh!!!

Good if you live near to it and can dedicate 10 weeks full time.

Would anyone employ you though if you only have 10 weeks of training? Hopefully the people they train will have prior IT experience.

superb finding. very good post op!

I knew this was a government thing as soon as I saw the title...because it has the word "cyber" in it lol!

If you've had to take a course and get a bit of paper to say you can hack, you're probably not very good at it

Because everyone lives in/around London and/or can afford board and lodgings there for 10 weeks. North South divide.

This deserves more up votes! Thanks OP for sharing.

Who can apply?

In order to apply for the Cyber Retraining Academy, candidates must be:
Aged 18 and over
A UK or EU national
Not currently working within a cyber security role
Able to attend the full ten weeks of the Academy
Available for employment following successful graduation from the Academy
Willing to engage with potential government and corporate employers introduced by SANS
Willing to undergo any necessary security clearance checks


Link to Sans

Proper job!!!

It says
Must be available for the full 10 week Academy, starting on the 23rd of January in London.
Hence willing to relocate

What is the date to submit the application by?
Can't find it on either websites. Although the course starts on Mon. 23rd Jan but there has to be a submission date for them to pick the creme de la creme candidates.

Tesco Bank could do with this.