Re: Getting started in the security field
This has been quite an intriguing thread. I myself am looking into an INFOSEC career after spending several years as military intel. The articles have been great, and I've taken in a lot of knowledge. I do hope to see more threads like this in the future.
Getting started in the security field [books, resources, advice]
-
Re: Getting started in the security field
All that you mentioned is sound AFTER you get your typing speed and accuracy in order. If you like money there is another credential you may want to consider:
"then when i got to hgih school I kind of fell out of it, and back then back in at teh tail end, so I lost touch with it, but still went to college with a computer related major in mind."
"I've been thinking of doing the easy ones like Net+, Sec+, then A+, and 70-290 MCP...and of course, eventually CISSP."
http://www.sans.org/training/description.php?tid=362
Gotta run.. I hear the hall monitor.
Last edited by Greyhatter; February 10, 2008, 12:46.
-
Re: Getting started in the security field
Just want to pop in and say that this thread has been a big help for me, and the articles have only reinforced my belief that it's better to start with the technicals and then move on to sec management.
Just introducing myself, I've always had the hacker's thirst for knowledge -- I first got involved with computers/hacking around 6th-7th grade when i got my hands on a copy of the anarchist's cookbook, and started out doing some phreaking -- red/blue/beige boxing...taught myself a bit of programming [a little bit of java, html, perl, cgi, lots of web languages] -- then when i got to hgih school I kind of fell out of it, and back then back in at teh tail end, so I lost touch with it, but still went to college with a computer related major in mind. I graduated in '06 with a B.S. in CIS and am finishing my MBA in Information Assurance and Security Management this June (I'm 22). I have the degrees, and will work on certs in my free time after graduation, since they should help me market myself better to potential employers.
What would you guys suggest for a first cert? I've been thinking of doing the easy ones like Net+, Sec+, then A+, and 70-290 MCP...and of course, eventually CISSP, though I have already been studying and slowly working toward my SSCP until I can get the experience needed for CISSP.
Also, I've been trying to land some internships, but am also having a hard time finding a place that's willing to give me a chance, and even harder finding a place with a security division where I can learn things. I have very little professional work experience (mostly help desk tech jobs, and asst. sysadmin, but nothing with a security related job title) -- any tips? I know experience counts for so much in this field, and I need a place to start.
My program, being a Business Admin Major, has obviously focused more on the management aspects of security with regard to continuity planning, incident response, architecture, policy, and regulations (SOX, HIPAA, etc), but VERY little (read: almost no) focus was put on the technical aspect. Over the last year or so I've taught myself some basics like packet analysis with tools like nmap, wireshark and the like. I just need some help with finding a place where I can apply that and grow my knowledge, then hopefully [later on] get into mgmt.
Last edited by Cicada; February 10, 2008, 03:28.
-
Re: Getting started in the security field
"I feel concerned about computer security as a daily user and the only IT literate of the company."
You really need qualified IT professionals if your company runs internal networking or an online server.
"What do you think about EC-Council certs?"
I think there are certifications for "chicken pluckers" but really "certifications" are baselines for what? I know guys and gals (PC Crap) that are "IT boxjobbers" and never see the "real" Internet, never have time to hack, crack, or test and could not hack a toaster oven. I see the same thing in University IT instructors who for one reason or the other are as outdated as an ENIAC when it comes to corporate, Internet, and even their own home PC security because they aren't out here enough and are constantly using outdated classroom texts. On the other hand there are those out here who have an incredible grasp of hacking for the best and worst of reasons who may or may not also hold an "IT boxjob" that have skills abound. All I know is that if you work hard enough at anything you can become so good that a certification may only have meaning for those who believe it holds meaning. While certifications may or may not hold some sort of baseline they do not define hard work, intelligence, or dedication to one's field. On the other hand you could read every current tech manual on IT security and still not know how to hack a toaster.
Last edited by Greyhatter; January 2, 2008, 19:12.
-
Re: Getting started in the security field
IMO, in general, certifications are only as good as the experience that backs them up.
-
Re: Getting started in the security field
Hello,
I've read this thread with attention and find it very interesting.
I have a non-tech job but studied networking at an associate level in 2005.
That was more for challenge than for professional purpose as I had very few and less experience in IT.
I feel concerned about computer security as a daily user and the only IT literate of the company.
What do you think about EC-Council certs?
When I look at the outlines it sounds to be quite a serious program for pen-testers and white hats.
I'd like to go deeper in the understanding of computers and networks.
I didn't do it my professional way for many reasons but wanted to change after attending the networking courses.
In your opinion, is it possible to progress while being busy in another field and having only free time to do so?
Thanks forward
-
Re: Getting started in the security field
Yes, I agree. I don't think of it as bad at all, just a sign of the times. And, also agreed forensic analysis is not the same as cryptanalysis or pen testing.
"One distinction that's important to make here, though, is the one between agencies, groups, or departments tasked with securing or cracking communications, and those who investigate and prosecute illegal activities. While there's some blur between the two, the differences between them are quite pronounced and as a result should be looked at individually."
It isn't just training, it is also research into new defensive and offensive technologies.
"Not to mention that there is no direct control that they can exercise over its development in either the threat or response fields,"
Usenix Security just sponsored its first ever workshop on Offensive tech (WOOT), because there is interest and money there.
It is interesting to note that while CS - and all science - research is starving, there is a great deal of gov't funding available for any CS project that can be directly (and sometimes indirectly) related to security. However, the money does come with strings, which can include having to have permission before publishing. (I have personal exp. with this)
-
Re: Getting started in the security field
Realistically, though, this isn't necessarily a bad thing. Most government agencies that have had some responsibility in the security arena have traditionally fallen into one of two camps: completely awesome or truly fucking awful. Unfortunately, the latter has been somewhat prevalent: due to the institutionalised nature of most government positions, they don't really encourage moving beyond one's current skill set. The end result is that you end up with a pool of technically-mediocre people trying to deal with concepts and technologies that are beyond their view and understanding of the security arena. If this can be improved by sending government employees to civilian-sector training, so much the better.
One distinction that's important to make here, though, is the one between agencies, groups, or departments tasked with securing or cracking communications, and those who investigate and prosecute illegal activities. While there's some blur between the two, the differences between them are quite pronounced and as a result should be looked at individually.
Nope - more that the government has finally realised that this is an area that very much falls under the category of 'national defence', and that it moves at a far faster pace than traditional defence-sector industries do. Not to mention that there is no direct control that they can exercise over its development in either the threat or response fields, so getting people out into the 'real' world is crucial for ensuring that they are able to properly perform the job they're tasked with.
"Is this official, legitimate recognition a sign that everybody has grown up?"
-
Re: Getting started in the security field
Have you noticed the trend in Fed sponsored hacking? West Point cadets are bused to Shmoocon, many universities now offer programs in Information Security Awareness and there are fed sponsored computer security conferences.
If you'd like Fed credentials, the DHS actually certifies the Information Security programs of a dozen or so Universities. The list is at dhs.gov
Also, from Infosec's mailing list today:
"The FBI has chosen the National Center for Supercomputing Applications
at the University of Illinois at Urbana-Champaign to host a new law
enforcement cybersecurity research center."
Is this official, legitimate recognition a sign that everybody has grown up?
-mouse
-
Re: Getting started in the security field
But there are likely hackers that are also criminals just as there are hackers that are feds, and maybe hackers that are feds and criminals (even if a criminal in *another* country.)
-
Re: Getting started in the security field
Seriously, I don't get it, either. However, I also have to explain to them the difference between real hackers and people who are the ones who propagate viruses through email. My mom summed it up: between hackers and criminals.
-
Re: Getting started in the security field
Don't take this the wrong way, but that is a total lack of intelligence with that approach. But I am not surprised about it.
Thanks! It is so far and I am really enjoying it. Everyone here has been helpful and continues to be. Good luck to you as well!
-
Re: Getting started in the security field
Hey there. I am going back to college working on earning an Associates degree in Networking. I work at an ISP who frowns on security conferences. Something tells me that I'll be switching it up to security really soon now.
Wanted to say thanks to everyone who posted on here. Lots of good stuff.
Right on Samurai! I hope it works.
-
Re: Getting started in the security field
Today was the day for my final meeting with the company I am trying to get a security position at. I spent about a week of about 20 hours on a PP presentation to kind of solidify the reason why I should be hired, but more so the position creation.
I am happy to say that I was hired and without even having to show the PP presentation. I am amazed to be honest. For this job, timing was everything. Much of the content on this forum has been really helpful to me. Thank you all!