Getting started in the security field [books, resources, advice]


  • dYn4mic
    replied
    Re: Getting started in the security field

    Originally posted by Deviant Ollam
    "A remote assessment?" the guy asked, sounding impressed and looking at the laptop on the table between them. "Sure," he said and bought another round. Instead of reaching for his laptop or asking any details about the company's IP addresses, etc. Marc just sat for a second and possibly looked up or drummed his fingers on the tabletop. "OK, i'm done," he replied moments later. "Your network is alright but it's certainly far from totally secure. Your users don't use strong passwords and they leave them around written on post-it notes. Your IT staff has at least one piece of hardware that is configured with defaults from long, long ago when your first guy was hired and you have at least one rogue AP that some dickhead plugged in under his desk, if not more."
    Hahaha. That story made my day.



  • Samurai®¥©
    replied
    Re: Getting started in the security field

    I posted on the first page of this thread on how I wanted to get into the Security field of IT work. I think it is going to happen now. Even though I am a full time student (thanks to my wife), I have been looking around for a part time job, only applying to one place since I only want to do something in this field.

    I am very lucky. I found a company that consults in PCI DSS only. The job ad was for a "scanner" and it sounded very interesting to me. Although I am not anywhere near the capability of everyone here, this will be a good first step for me.

    Tomorrow I am going to another meeting with this company because after the third interview, they told me they were not giving me the job, but instead want me to create my position. So going on what was discussed, I came up with an idea. In a nutshell, I am going to present to them how they can extend the amount of effort they put into "Defense In Depth".

    I was replying to you Deviant Ollam because the situation you described is the kind of work this company does, but not without real truth behind it :)



  • Deviant Ollam
    replied
    Re: Getting started in the security field

    Originally posted by Chris
    If you are doing pen test work you should never tell them 'yea, you are secure.' There is no such thing.
    yeah, i recall hearing a story one time about Marc Tobias sitting with some corporate executive and getting on the topic of pen testing / security assessment. The executive asked Marc what he charges or something for a security assessment and report... and, if i was told correctly, Marc replied that it varies a lot depending on the size of the job, but he would do a free remote assessment for just the cost of a drink.

    "A remote assessment?" the guy asked, sounding impressed and looking at the laptop on the table between them. "Sure," he said and bought another round. Instead of reaching for his laptop or asking any details about the company's IP addresses, etc. Marc just sat for a second and possibly looked up or drummed his fingers on the tabletop. "OK, i'm done," he replied moments later. "Your network is alright but it's certainly far from totally secure. Your users don't use strong passwords and they leave them around written on post-it notes. Your IT staff has at least one piece of hardware that is configured with defaults from long, long ago when your first guy was hired and you have at least one rogue AP that some dickhead plugged in under his desk, if not more."

    Funny part is, that's a pretty safe bet in terms of being accurate 9 times out of 10, i'd wager.



  • Chris
    replied
    Re: Getting started in the security field

    Originally posted by Vyrus
    if somebody called me up tomorrow and said i would like to test my website for security holes and i say yes, at what point can i say "yea, you are secure", as opposed to "well i couldn't crack it but that doesn't mean somebody out there can't".

    how do i quantify what i know against others when it comes to hacking in such a fashion that i can say my knowledge is "professional" level and not just "guru" level?
    If you are doing pen test work you should never tell them 'yea, you are secure.' There is no such thing. There is always someone else out there that can crack what you can't. You have to take a pen test in conjunction with a risk assessment and let your client know the score.



  • Vyrus
    replied
    Re: Getting started in the security field

    i can understand why companies use certs as a measurement of what you walk through the door with to a degree, but my personal dilemma has always been in the fact that there's no "cert" for "hacking".

    i.e. as a rather young guy (22), i'd like to think that offering 3rd party pen-testing services isn't out of my reach when it comes to at least small time stuff (like say for example a coffee shop in my area wants to run customer wifi over the same internet connection as their ATM system and wants to make sure the system they have in place is working), but how do i know? at what point should i say "this job is too big for me" and back off.

    if somebody called me up tomorrow and said i would like to test my website for security holes and i say yes, at what point can i say "yea, you are secure", as opposed to "well i couldn't crack it but that doesn't mean somebody out there can't".

    how do i quantify what i know against others when it comes to hacking in such a fashion that i can say my knowledge is "professional" level and not just "guru" level?



  • Samurai®¥©
    replied
    Re: Getting started in the security field

    Been a while since I last commented on this thread. As of this last Friday, I quit my job and will be going to school full time at Foothill College. I will start off with getting an AA in Informatics and then go into more specialized areas.

    Because I quit my job, I also will be trying to get an internship with Cisco as well. I am hoping this will allow me more hands on experience and of course, a job with them in the future.

    The information I have read here has helped a lot!



  • DaKahuna
    replied
    Re: Getting started in the security field

    Originally posted by astcell
    So much for that job being only temporary! So much can happen in a year.
    So does that mean you will be spending more time in the land of Bar-b-que and less time in the land of high taxes and brown outs?



  • astcell
    replied
    Re: Getting started in the security field

    Originally posted by astcell
    I am in NC now. I can walk into Research Triangle and jobs will fall out the windows onto me. But the economy is not as good as California and I won't settle for that. Yea, I got spoiled by starting in CA. If you start in NC, KY, AK, etc, expect a slower curve.

    When my current, uh, temporary job is over, it's back to CA.

    So much for that job being only temporary! So much can happen in a year.



  • kraa26
    replied
    Re: Getting started in the security field

    Originally posted by reb00tz
    They are two different things. CCSE is configuring how to securely configure firewalls etc.. The CISSP is to have a broad view knowledge of information security; it's like comparing apples and oranges.
    Reb00tz is right. The CISSP is broad knowledge of security. Basically training yourself to understand security in the industry.

    I think most larger companies look at certs as a great thing. Mostly just because someone has taken the time to read a book and take a test on it. I personally put no weight on certs because it is all about memorization. Almost anyone can take a test... but can you handle the situation of data loss and where it came from, how it was breached, when it was taken, and what you are going to do about it ALL while some CIO, CTO, CEO is breathing down your neck for answers.

    Knowing the knowledge and using the knowledge are 2 entirely different things. I find that people with experience outperform people with certs. But not in all situations. Get the experience first, then go take a test on what you know.. best solution.. pass or fail you know now what you have to work on

    IMHO.



  • reb00tz
    replied
    Re: Getting started in the security field

    They are two different things. CCSE is configuring how to securely configure firewalls etc.. The CISSP is to have a broad view knowledge of information security; it's like comparing apples and oranges.



  • Ljuboja
    replied
    Re: Getting started in the security field

    Do any employers value a certification such as CCSE/ CCIE over a CISSP? From what i have researched using the net, CISSP is not really merely recognised cert as Cisco certs, but yet people with this CISSP cert are the 'real deal'. I was curious to know if perhaps CCNP or CCSE can substitute a CISSP relating to the security field?



  • tommEE
    replied
    Originally posted by Dark Tangent
    Dmitry wrote this funny overview of getting a job in the pen testing arena. Good humor writing a bit close to home. It reminds me of the .com heydays. It mentions a couple people we know and here is a brief excerpt of rule #1 to get you interested:

    "You can’t run Windows. Seriously, don’t even consider showing up to a Con|interview|class|etc with Windows. Even if you have to run a CD distro, or OpenBSD at runlevel 3, you must do it. You will be scoffed at and not taken seriously with a Windows machine. For bonus points, put con stickers or anti-microsoft stickers on the laptop. You get extra bonus points if you’re running a MAC. Just pull up Safari and browse over to slashdot. Yeah, you’re rolling hardcore now."

    Full URL: http://blogs.securiteam.com/index.php/archives/223
    He forgot to say "Dye your hair a weird color too". People keep on wondering where my skills come from. It was the hair and the distro. C'mon, how else was I going to land the jobs.



  • Dark Tangent
    replied
    "How to get a job with pen-testing team." by Dmitry

    Dmitry wrote this funny overview of getting a job in the pen testing arena. Good humor writing a bit close to home. It reminds me of the .com heydays. It mentions a couple people we know and here is a brief excerpt of rule #1 to get you interested:

    "You can’t run Windows. Seriously, don’t even consider showing up to a Con|interview|class|etc with Windows. Even if you have to run a CD distro, or OpenBSD at runlevel 3, you must do it. You will be scoffed at and not taken seriously with a Windows machine. For bonus points, put con stickers or anti-microsoft stickers on the laptop. You get extra bonus points if you’re running a MAC. Just pull up Safari and browse over to slashdot. Yeah, you’re rolling hardcore now."

    Full URL: http://blogs.securiteam.com/index.php/archives/223



  • SlackJaw
    replied
    astcell, I swear I'm not stalking you - you just post a lot. I'm in NC too, near Charlotte, but there are some HUGE bucks in New Orleans right now for ANY sector of the IT field. I lived in NO for over 7 years and I'm thinking of heading back to the bayou for a piece of this. A friend of mine is working on a contract for his company and if he gets it I'm in. Some of you other "contract types" might want to check this out.

    Tommy
    Last edited by SlackJaw; January 9, 2006, 03:48.



  • astcell
    replied
    I am in NC now. I can walk into Research Triangle and jobs will fall out the windows onto me. But the economy is not as good as California and I won't settle for that. Yea, I got spoiled by starting in CA. If you start in NC, KY, AK, etc, expect a slower curve.

    When my current, uh, temporary job is over, it's back to CA.
