Getting started in the security field [books, resources, advice]

Heh, you should try getting a IT job in NC!

I have about 17+ years expierience in the field and since I moved to NC I have had to commute to SC just to get a decent placement. Here they pay un-qualified hicks to do the job for less than half what they'd pay a qualified person.

I've also grown sick of these CNC and Stamp developer jobs, they are crap. What does a guy have to do to sit in a cubical all day and not get fucked with? I remember when IT jobs where extremely easy to find.

BTW, I wouldn't work at RedHat Software for less than $200k a year, the people there are all the marketing puke type who talk about football and scratch there nuts all day.

The last guy I hired has MCSE, A+ and CNA. I had planned to ask him 25 questions. Because of his certs I skipped about 10 of the questions. That's what they are worth to me. They make me assume he can answer the 10 I did not ask him. No doubt you can too.

Also you may consider working for a government agency. That way I don't care if you are in Nome, Alaska, they will have a slot that no one else may have. It may be filled, but you gotta be patient and flexible.

The problem with INFOSEC jobs is where your located at. Here in Michigan, trying to find any decent security jobs is like pulling teeth from a croc.

I've been in the industry for 15+ years and it's still hard as hell trying to find something. I hate certs for my own reasons more then anything and will never get them. I've been told by many HR ppl and ex employers that certs don't get people in the doors here anyhow, they look for experience and references and I have plenty of both. I'm have been out of work since Dec 22nd and I'm seeing that Security really hasn't changed since the last time I was looking. People still consider it a joke and really don't care about making sure their companies are secure.

Due to health issues with my daughter and also my own, I'm unable to relocate my family to another state for work because then my daughter wouldn't get the help she needs. I've thought about other fields outside of computers but I know it wouldn't last since the only time I'm happy is when I'm doing some kind of security work and with my wife and kids.

The Infosec industry is huge, and growing. Whilst the majority of new entrants into the field arrive from a technical background, there is an ever increasing number of opportunities for those with a 'softer' skillset. Don't underestimate the need to improve your business acumen, management, influencing and persuasion skills. This side of IS Security may not be everyone's cup of tea but increasingly companies are paying the big bucks to people who can turn their hand to a number of areas; policy development/enforcement, audit as well as hands on technical security administration.

It isn't easy, but building a career in Infosec can be very rewarding, and well worth the effort.

Well, that second guy, geez, what did you expect? And the first one? I don't even want to talk about him.

/ducking.

Although some of the authors are real jackasses, this book might be of use to someone looking into the INFOSEC field. Never mind the title.

http://www.amazon.com/exec/obidos/tg...books&n=507846

Getting started (and continuing) in the security field

I remember reading the article that skroo posted last year. Was definitiely time for a re-read.

Gaining and maintaining basic skills can be challenging in this field, as one also needs to stay on top of emerging technologies and what types of vulnerabilities they may introduce into an existing infrastructure. I speak from experience that running from short-term engagement to short-term engagement does not facilitate either one, and increases the challenge of keeping one's skills sharp in an ever-changing field. Nor does the necessity of maintaining useability percentages provide one the freedom necessary to "play" with their own creative ideas and concepts to share with others.

The article posted by Dark Tangent points out that opportunities to work in the field are out there, and are increasing. However, one must be cautious: While high salaries and sexy job titles may be a big draw, if one is too stressed and too busy to really enjoy their craft, there really is no point to it. I do what I do because I love it. And I want to keep loving it. And I want to always give good security advisory foo to my clients while maintain some semblance of a life. This last article as well as the first posted are good reminders of that which one should pay attention. Thanks, gentlemen.

valkyrie

Article on this topic

http://www.computerworld.com/securit...105902,00.html

From the beginning of the article:

Security Manager's Journal
By C.J. Kelly
NOVEMBER 07, 2005
COMPUTERWORLD

My decision to stay in my current job for quality-of-life reasons
provoked emotional responses from several readers. Some of those who
wrote to me about that column [QuickLink 57182 [1]] had made similar
decisions. But a few, after reading about how I turned down multiple
job offers, asked, "Where are all these jobs you keep talking about?"
I felt compelled to do a little research on the information security
job market and present the results here.

This was a perfect thread for me. I am as green as they get! After many years of trying to figure out what exactly I want to do in the computer field, I finally realized that Security is where I want to be. Then, trying to figure out where to start and who's advice I should take, this thread answered that for me! This will be a good starting point. Thanks!

This is probally old information, but i will post it anyway. The NSA has many programs for high school and college students wanting to get into the security field. I believe some of the programs include paying your college tuition and a guaranteed job when you graduate. Check it out at www.nsa.gov

One year later...

Hey, it is a sticky thread, so why the hell not reply? I have to say, after ten years in the industry, that it is absolutely essential for security professionals to have detailed knowledge of programming, scripting, and the program execution environment provided by one or more operating systems. To be blunt, I have never met a good security person that did not know how to write code and scripts. Some may have not written C in quite a long time, but they remember enough to apply source patches and understand what a stack frame looks like in memory on a x86 machine. Now understand that there is a big difference between understanding how to program and being a software developer.

I would not consider myself a software developer, even though I know x86 asm; C/C++; Python; Ruby (which rules btw); gdb; and a bit of lisp, perl, Tcl, shell, etc. I have written code for commercial products and implemented internal products that were several thousands lines of code. But being a software developer implies one is a master of CVS/Perforce/Subversion, profilers, various design methodologies, common and not-so-common algorithms and data structures, design patterns, and adheres to team development processes. I have little interest in those things and, no surprise, little skill in those areas. That is part of the difference between being a hacker and a software developer ;>

All that said, I agree with Don Parker (author of the securityfocus article quoted in first post) that understanding TCP/IP is very important for security professionals. Actually, for many years my colleagues and I would use questions about TCP/IP to do initial screening of potential candidates for security jobs. It was mind blowing how many people with credentials (either by actual certification, apparent job experience, or by reputation) would fail miserably on pretty simple TCP/IP questions. We would also notice that many experienced software developers had no real idea how TCP/IP worked either, and we would end up debugging their programs and application protocol implementations.

When people ask me what information they need to know to be good at security, one of my recommendations is always to read "TCP/IP Illustrated Volume 1" by Richard Stevens (RIP) and remember 30% of it :) My other recommendation is to learn an assembly language, C, Ruby/Perl/Python, and Lisp (in that order). I would now add IDA Pro to the list, since the ability to reverse engineer software is becoming an important part of the security realm.

The job that Don Parker is describing would be a network IDS analyst, and to be honest that is a boring and inconsequential security job. NIDS has ever decreasing value in the enterprise environment, and more attention is being places on application level vulnerability analysis and remediation, compliance verification processes and tools, and forward thinking to anticipate the direction threats such as phishing and client-side exploitation are taking and how to protect against them.

Great article!

I wish more people in the security field started out learning "the basics" before they make security their career path du jour.

I constantly see people looking for security positions in organizations that can quote router configs and firewall rules verbatim, but don't understand how a packet is built and routed.

(edit) Sorry all. I should have looked closer at the dates on the post.

Another article about the basics:
http://www.computerworld.com/securit...6090p2,00.html

Good find.

I'd have to disagree here. I know that people come into security every day without any background of coding/scripting or any type of automation, but when you start working on larger projects it becomes an extremely necessary skill. Anytime you look at rolling out large patch deployments, or changing security settings on multiple machines, some type of coding/scripting should come into play, unless you are really keen on consoling into every box and doing it manually. :)

Don't dismiss that idea that knowledge of code isn't a very important one in security. It may not be everyone's jumping off point, but they should at least consider it.