Getting started in the security field [books, resources, advice]

  • willasaywhat
    Member
    • Jul 2009
    • 115

    #91
    Re: Getting started in the security field

    Just to throw some advice in the bucket, since I'm likely to break into the security field in the next 6 months or so.

    Get into a company with diversified IT needs. Even if you're a developer, support technician, or a sysadmin you can move around. Best of all, they expect you to move around. Added bonus? A company that big tends to be more stable, have more benefits, and the barrier to excellence is lower (read: useless desk warmers abound). The downside? You're expendable, until proven otherwise. Consider that last bit a challenge; make your mark.

    The next question you're going to ask is, "How do I get into a company that big with no experience and no degree?"

    You don't. Degree first, paltry pay next, and then you can level up with some experience. The Bachelor's program may seem like a waste of time and money, but the skills you'll learn (i.e. how to learn, social skills, dealing with pebkac gracefully) will be worth it. You might even build a good social network and be able to skip step two. Don't underestimate the power of your own network.

    Having a degree is the gold standard. Our company goes around the country looking for new grads. We prefer to bring in the young so that the aging workforce can impart their knowledge to them before they retire. You need to make sure you don't get pinned with the duties passed down from your predecessor. Do your job, and do it well -- but don't get stuck. If you stop learning, then it is time to move on.

    I spent the last two years writing code for systems I could care less about. In that time, I realized that we have no clue about security. You mention XSRF and SSL strip to our leads and their eyes glaze over. So I spent the last year looking for a way out; a way to make a difference. I interviewed all over the place: Facebook, internally, and even at old jobs I enjoyed. Finally, I ended up in the place I wished I had been three years ago. I'm joining a leadership development program. Yes, it sounds ridiculous and down right useless but... I get a new job every 6-9 months -- and I get to pick where I go.

    My first assignment isn't 100% technical, and it certainly isn't a red team assignment, but it is a door, and my foot is in it.

    Comment

    • skroo
      Volatile Compound
      • Dec 2001
      • 2348

      #92
      Re: Getting started in the security field

      Originally posted by abyssknight
      Get into a company with diversified IT needs.
      This is a Good Idea(tm).

      Even if you're a developer, support technician, or a sysadmin you can move around. Best of all, they expect you to move around.
      Not necessarily, particularly as applies to that latter statement.

      While there may be room to move around, it's going to very much depend on the employer in question. Internal hires may be desirable, but having an employee make a lateral move from one department to another may not put the best candidate into the open slot.

      As an example, I worked for a company where we did an internal hire from QA into IT. This was fine on paper, but IT ended up with someone who couldn't ramp up to IT's needs quickly enough - and couldn't go back to QA because that position had been filled with an outside hire immediately after he moved. End result: QA's capabilities are diminished, as are IT's.

      While I understand that this is a narrow example and could have avoided becoming a problem in the first place (hint: other management had been playing favourites with that specific candidate), it is representative of one issue with lateral moves and should give some insight as to why they are not necessarily looked on favourably.

      Another consideration: head count. Someone moving out of or into my department brings pretty much the exact same movement-of-bodies issues as a new hire or open position - except that in the case of a lateral transfer, it affects two departments instead of one. And no matter how smoothly these things are supposed to go, they never do.

      One thing to consider as a candidate is how internal moves are going to look on a resume. Let's say you've put in 10 years with General Dildonics, making an interdepartmental (or group-to-group) move every two years. You're now interviewing for a position with a different company. While the interviewer may be able to see that every move you have made is a logical career step, that ten years of experience in those roles with only one employer tells that interviewer that you're used to doing things the General Dildonics way, and may not be a good cultural fit for the position he has open at e-buttplugs.com.

      Obviously there are exceptions in every case - but the generalities do hold true.

      Added bonus? A company that big tends to be more stable, have more benefits, and the barrier to excellence is lower (read: useless desk warmers abound). The downside? You're expendable, until proven otherwise. Consider that last bit a challenge; make your mark.
      Negative. You are expendable anywhere. While benefits and other perks are nice to have, never, ever assume that you are indispensable. You may be valuable to the organisation in your role, but all it takes is one round of budget cuts or pissing off the wrong person and you're out the door.

      The next question you're going to ask is, "How do I get into a company that big with no experience and no degree?"
      To expand on this: the question is predicated on the assumption that you should go work for a big company, presumably right off the bat. While I have no problems with people working for companies of any size, this really is a case where size doesn't matter. Consider that in a large organisation it's easier for incompetence to go unnoticed for longer than in a smaller one - and if I'm your interviewer (who has worked in both environments), I'm going to be wary of someone who doesn't have experience outside of a place that may have served as a shield for the fact that their job duties really consisted of pulling into the parking lot 15 minutes after they were meant to be at their desk, spending the next 45 minutes trying to get a parking place 3 spots closer to the exit door, then sitting in their cube all day trying to avoid the pornography filter and figure out how to leave at 3.30 without anyone noticing.

      You don't. Degree first, paltry pay next, and then you can level up with some experience. The Bachelor's program may seem like a waste of time and money, but the skills you'll learn (i.e. how to learn, social skills, dealing with pebkac gracefully) will be worth it. You might even build a good social network and be able to skip step two. Don't underestimate the power of your own network.
      These are all good points. Soft skills count for as much as (and in many cases more than) technical ability.

      Having a degree is the gold standard.
      Yes and no. While it does demonstrate a certain amount of personal discipline and knowledge in a field of study, there is no shortage of people out there with degrees who believe that that piece of paper makes them zero-experience experts in the field they're trying to be hired in. I've interviewed plenty of them, and they typically can't figure out why they don't get the job. Further to that:

      Our company goes around the country looking for new grads. We prefer to bring in the young so that the aging workforce can impart their knowledge to them before they retire. You need to make sure you don't get pinned with the duties passed down from your predecessor. Do your job, and do it well -- but don't get stuck. If you stop learning, then it is time to move on.
      Being prepared to (literally) work at Starbucks while you get your foot in the door somewhere should be an expectation. If you can get a company to hire you in this fashion, great - just be sure it's the right move to make, and be prepared to move again in a couple of years if it turns out not to be.

      My first assignment isn't 100% technical, and it certainly isn't a red team assignment, but it is a door, and my foot is in it.
      Getting back to earlier comments regarding lateral moves: be prepared to do that, but going from employer to employer. Helpdesk (see: Starbucks) may be the big green weenie you have to chow down on for a while before you get to the position that leads to the position you actually want.

      Comment

      • AgentDarkApple
        Public Security Section 9
        • Aug 2009
        • 224

        #93
        Re: Getting started in the security field

        Yesterday Dark Reading had an article about "Six hot and sought-after IT security skills" http://www.darkreading.com/vulnerabi...leID=224701863 Some of them are not exactly skills though (security clearance, for example). Do you guys think this is an accurate list?

        My professors have been encouraging me to get into penetration testing and to learn some more computer forensics stuff on the side. They basically said that sometimes having a more unique skillset but less experience is more appealing to an employer than having a few years of experience in only one area. I guess that varies depending upon what jobs one is seeking and what skills one actually has.

        I am supposed to start my final semester in June. I am still trying to figure out if I should do grad school or look for a job right away and save grad school for later. At this point, I am interested in so many aspects of IT Security that I am not sure what I would like to specialize in.
        "Why is it drug addicts and computer aficionados are both called users?" - Clifford Stoll

        Comment

        • AlxRogan
          THAT guy
          • Jul 2002
          • 783

          #94
          Re: Getting started in the security field

          Originally posted by AgentDarkApple
          Yesterday Dark Reading had an article about "Six hot and sought-after IT security skills" http://www.darkreading.com/vulnerabi...leID=224701863 Some of them are not exactly skills though (security clearance, for example). Do you guys think this is an accurate list?
          Most of that list depends on where you are planning on working. If you are going into a regulated space, such as Banking, Healthcare, Power Generation and Transmission, then you need to have a decent grasp on compliance and regulation. If you work for a Federal Contractor, then your chances are greatly increased if you have that DoD clearance. Incident Handling/Response is always good to have, but again, it depends on where you're working as to whether you'll be able to use it or bank on it in an interview.

          I think the real key is to research the position and company to whom you're applying, then making sure that your application matches (and exceeds) the request as best as you can. The goal is to get past the HR drones to the hiring person where you have a better chance to exercise your knowledge.

          my 2c
          Aut disce aut discede

          Comment

          • theprez98
            SpoonfeederExtraordinaire
            • Jan 2005
            • 1507

            #95
            Re: Getting started in the security field

            From the side of the federal contractor, it is also important to note that hiring trends ebb and flow in regards to people with or without clearances. We've had periods when we'd only hire someone with a clearance, and other times when we've gone on a spree and hired otherwise-qualified people (sometimes called an "investment hire") and sucked up the time waiting for their clearance. Unfortunately, for someone without a clearance it isn't necessarily easy to know when these such periods occur.
            "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

            Comment

            • agent0range
              Member
              • May 2010
              • 3

              #96
              Re: Getting started in the security field

              Originally posted by AgentDarkApple
              Yesterday Dark Reading had an article about "Six hot and sought-after IT security skills" http://www.darkreading.com/vulnerabi...leID=224701863 Some of them are not exactly skills though (security clearance, for example). Do you guys think this is an accurate list?
              I'm glad you posted this article, I was reading the very same one the other day and was feeling that they really do generalize in an unhelpful way. As was mentioned some, all, or none of these may be applicable depending on your personal career aspirations.

              Originally posted by AgentDarkApple
              I am supposed to start my final semester in June. I am still trying to figure out if I should do grad school or look for a job right away and save grad school for later. At this point, I am interested in so many aspects of IT Security that I am not sure what I would like to specialize in.
              I finished up a Computer Engineering BS two years ago and have decided to work right out of school. I've already been through two jobs (that "expendable" thing mentioned earlier heh) but I have taken it upon myself to study like mad in my free time. Your real education happens AS you work and teach yourself how to improve on both job-relevant skills and general ones. I intend to approach graduate schools with a clear cut, focused mindset and have more skills than the average recent grad. This also gives you time to study and try to focus on the particular areas you are most interested in.

              Comment

              • star6966
                Member
                • May 2010
                • 4

                #97
                Re: Getting started in the security field

                So, you guys have covered a lot in this thread, but there is still a question nagging at me. You guys talk about learning this programming language, and getting this certification. You suggest books on TCP/IP or learning Perl, Java, assembly, C++ or any number of other options. How are these tools and knowledge translated into a working knowledge of pen testing, information security, and hacking? I ask because I find that knowledge of the tools is great, but only if one understands how to apply them correctly.

                Comment

                • hexjunkie
                  AKA Cuddles
                  • Jul 2009
                  • 307

                  #98
                  Re: Getting started in the security field

                  Originally posted by star6966
                  So, you guys have covered a lot in this thread, but there is still a question nagging at me. You guys talk about learning this programming language, and getting this certification. You suggest books on TCP/IP or learning Perl, Java, assembly, C++ or any number of other options. How are these tools and knowledge translated into a working knowledge of pen testing, information security, and hacking? I ask because I find that knowledge of the tools is great, but only if one understands how to apply them correctly.
                  It is implied that you cannot write/modify a tool without knowing how it works and what it does. If someone out there has knowledge of tcp/ip writing in java or even knows how to write a vbscript/shell script and understands enough to pass the security+ then they should know how tools relate to each other, hardening techniques and so on and so forth. If they know all this and can't quite put the pieces together perhaps it's time to look at a career in only programming or switching careers altogether. Remember this thread is for people starting out. It is not designed for the mid-level to veteran because hopefully they have answered these questions and have established themselves. Just my opinion not any facts in this post at all. Good luck to all the new people looking to get established and I hope you never stop learning.
                  Originally posted by Ellen
                  Do I wish we could all be like hexjunkie? Heck yes I do. :) That would rock.

                  Comment

                  • tehnoir
                    Member
                    • Aug 2008
                    • 1

                    #99
                    Re: Getting started in the security field

                    Originally posted by star6966
                    So, you guys have covered a lot in this thread, but there is still a question nagging at me. You guys talk about learning this programming language, and getting this certification. You suggest books on TCP/IP or learning Perl, Java, assembly, C++ or any number of other options. How are these tools and knowledge translated into a working knowledge of pen testing, information security, and hacking? I ask because I find that knowledge of the tools is great, but only if one understands how to apply them correctly.
                    I think this is a really valid question. It's much easier to see the application for such skills when you currently have a job that uses some of them. For instance if you already have a job as a developer, tester, etc., often times you can see where you can start building a bridge from where you are now, to where you want to go. However, if you have a non-IT job, let's say a barista at Starbucks, I think it can be difficult to figure out what the next move is. At least I think that's what star6966 was sort of getting at. Or I could be completely off.

                    Comment

                    • RuckusKnight
                      Member
                      • Feb 2009
                      • 22

                      #100
                      Re: Getting started in the security field

                      Also, don't get hung up on jobs. Grad school can be quite fun - I recommend any undergrads give security research a try. Look for NSF REUs: http://www.nsf.gov/crssprgm/reu/list...fm?unitid=5049

                      Or just talk to a professor. I got a sweet research gig for the summer just by asking a prof who I had class with if they knew of any opportunities for security research.

                      Comment

                      • Cipher
                        Member
                        • Aug 2010
                        • 9

                        #101
                        Environments for Practicing Hacking [merged with "getting started..."]

                        I purchased "Hacking: The Art of Exploitation, 2nd Edition" which was a GREAT book. I'm new to Computer Security, but I'm genuinely interested. The book was great, but had one problem. I couldn't load Linux on my laptop (the CD that came in the book). I was wondering what other books have similar ways of teaching Computer Security for a newbie like myself.

                        Comment

                        • andwee
                          Member
                          • Aug 2011
                          • 8

                          #102
                          Re: Getting started in the security field [books, resources, advice]

                          I can't believe no one has mentioned this yet...and I'm an ubernoob to all of this...but MIT has open courseware... In terms of learning the basics of programming that's what I've been using. Also I've taken a class called Database Art: MySQL/XML . It's actually a visual art class...we made APIs. It was fun.

                          MIT link:
                          http://ocw.mit.edu/courses/#electric...mputer-science

                          Comment

                          • andwee
                            Member
                            • Aug 2011
                            • 8

                            #103
                            Re: Environments for Practicing Hacking [merged with "getting started..."]

                            Originally posted by Cipher
                            I purchased "Hacking: The Art of Exploitation, 2nd Edition" which was a GREAT book. I'm new to Computer Security, but I'm genuinely interested. The book was great, but had one problem. I couldn't load Linux on my laptop (the CD that came in the book). I was wondering what other books have similar ways of teaching Computer Security for a newbie like myself.
                            Lol. I love that book! I'm reading it literally right now (ok, not right right now, I'm posting, but after I'm done on here. You get the point.).
                            I dropped $100 on some books at defcon (ninja hacking and another syngress book). I'm gonna get that new metasploit book asap, but they were sold out at defcon and now I don't have money.

                            Comment

                            • Dark Tangent
                              The Dark Tangent
                              • Sep 2001
                              • 2732

                              #104
                              Re: Getting started in the security field [books, resources, advice]

                              Bruce Schneier did a blog post on this topic not too long ago:

                              http://www.schneier.com/blog/archive...ecome_a_1.html

                              FTA:

                              July 5, 2012
                              So You Want to Be a Security Expert

                              I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice.

                              First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks. You can be an expert in viruses, or policies, or cryptography. There are many, many opportunities for many different skill sets. You don't have to be a coder to be a security expert.

                              In general, though, I have three pieces of advice to anyone who wants to learn computer security...
                              PGP Key: https://defcon.org/html/links/dtangent.html

                              Comment

                              • Melesse
                                Docufiend
                                • Aug 2008
                                • 134

                                #105
                                Re: Getting started in the security field

                                Originally posted by star6966
                                So, you guys have covered a lot in this thread, but there is still a question nagging at me. You guys talk about learning this programming language, and getting this certification. You suggest books on TCP/IP or learning Perl, Java, assembly, C++ or any number of other options. How are these tools and knowledge translated into a working knowledge of pen testing, information security, and hacking? I ask because I find that knowledge of the tools is great, but only if one understands how to apply them correctly.
                                I have a minor in CS, and worked in normal IT work three years before getting into Security just over a year ago. Here's where these bits and pieces have proved useful to me in my duties.

                                Vulnerability Scans - When I look through Vulnerability Scan results, the descriptions are frequently vague. In order to get to what the exact problem is, you have to dig through the XML files and find the checks. Those checks are usually some form of RegEx. Since I happened to look into RegEx when I was learning a bit about shell scripting, I'm able to decode what the Vuln. Scans are looking for and help diagnose if it's a real problem or a false positive. Knowing the various security and encryption protocols allows me to explain why it's a problem that perhaps a server has the group policy disabled that normally would force FIPS compliant encryption. Since I'm the scan guy, I'm also expected to explain why the scanner isn't working on certain boxes, so I've spent a significant time troubleshooting SSL connections. My knowledge of the handshake process was key there. I also frequently need to get down to the packet level to troubleshoot connection issues, though that would also be useful if we were logging packets here.

                                Configuration Management - I need to be conversant in Windows, UNIX, and Oracle in order to explain whatever configuration guidelines we have and why it's important they follow them. I need to be able to look at the results they provide me and judge if they're correct and/or BS.

                                IPS Administration - I also administer our IPS. I need to know enough about Windows that when an alert is generated, I either know or can figure out quickly if it's a false positive or a real problem. The IPS provides the files, processes, ports, users and IPs involved, and if I didn't have any base technical knowledge of how Windows worked, I'd be SOL and guessing on these guys.

                                Finally I don't use programming much, but do occasionally use it to automate spreadsheets. Lots and lots of spreadsheets ><

                                You mention hacking and penetration testing, but I really can't comment on those. On the defensive side, the experience I had in IT and in my hobby interest in computers is one of the seriously important factors that has allowed me to excel in my current role. The person who was here before me was a policy person, and I'm regularly lauded for being able to present better and more accurate information than they were. It's not because I'm smarter or hardworking, but I had a much stronger technical background than they did, and am able to leverage that.

                                Now, if you wanted to write policy or compliance stuff all day, then maybe all that TCP/IP, programming stuff isn't quite as important. I did that for six months and found it horribly boring though. So finally, to answer your question, all those skills are the base of your information security knowledge. You can be a marginal InfoSec guy without them, but you can't be an effective one, in my opinion.

                                M.
                                Secretary

                                Comment
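The "dig through the XML and decode the RegEx" workflow Melesse describes above, as an added example that is not Melesse's code and not any real scanner's file format. The check file, its element names (check, pattern, match_means) and the two configuration dumps are all constructed for illustration. The point it shows is the one in the post: reading the pattern itself is what lets you tell a real finding from a false positive. Here a loose pattern (\bTLSv1\b) fires on a host that only offers TLSv1.2 and TLSv1.3, while the tightened pattern beside it does not.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, simplified check definitions in the spirit of the XML-plus-regex
# checks the post describes. NOT any real scanner's format; element names and
# patterns are assumptions made for this example.
CHECKS_XML = r"""<?xml version="1.0"?>
<checks>
  <check id="tls-legacy-loose" severity="high">
    <description>Legacy SSL/TLS protocol enabled (loose pattern)</description>
    <pattern>^\s*ssl_protocols\b.*\b(SSLv3|TLSv1)\b</pattern>
    <match_means>fail</match_means>
  </check>
  <check id="tls-legacy-strict" severity="high">
    <description>Legacy SSL/TLS protocol enabled (tightened pattern)</description>
    <pattern>^\s*ssl_protocols\b.*\b(SSLv3|TLSv1(?![.\d]))</pattern>
    <match_means>fail</match_means>
  </check>
  <check id="fips-enforced" severity="medium">
    <description>FIPS mode must be switched on</description>
    <pattern>^\s*fips_mode\s*=\s*on\s*$</pattern>
    <match_means>pass</match_means>
  </check>
</checks>
"""

# Constructed configuration dumps, as a scanner might collect them from a host.
CONFIG_MODERN = """# constructed sample, not from a real host
ssl_protocols TLSv1.2 TLSv1.3;
fips_mode = off
"""

CONFIG_LEGACY = """# constructed sample, not from a real host
ssl_protocols TLSv1 TLSv1.2;
fips_mode = on
"""


def load_checks(xml_text):
    """Parse the check file and compile each pattern; checks run per line."""
    root = ET.fromstring(xml_text)
    checks = []
    for node in root.findall("check"):
        pattern = node.findtext("pattern")
        checks.append({
            "id": node.get("id"),
            "severity": node.get("severity"),
            "description": node.findtext("description"),
            "pattern": pattern,
            "regex": re.compile(pattern),
            "match_means": node.findtext("match_means"),
        })
    return checks


def run_checks(checks, config_text):
    """Return {check_id: {"status", "evidence", "pattern"}} for one config dump.

    A check fails when its regex matches a line and a match means "fail", or
    when no line matches and a match means "pass" (a required setting is
    absent). The evidence is the full matching line, which together with the
    raw pattern is what an analyst needs to judge true versus false positive.
    """
    lines = config_text.splitlines()
    results = {}
    for check in checks:
        evidence = next((ln for ln in lines if check["regex"].search(ln)), None)
        matched = evidence is not None
        failed = matched if check["match_means"] == "fail" else not matched
        results[check["id"]] = {
            "status": "fail" if failed else "pass",
            "evidence": evidence,
            "pattern": check["pattern"],
        }
    return results


def failing_ids(results):
    """Just the check ids that failed, in file order."""
    return [cid for cid, r in results.items() if r["status"] == "fail"]


if __name__ == "__main__":
    checks = load_checks(CHECKS_XML)
    for name, cfg in (("modern", CONFIG_MODERN), ("legacy", CONFIG_LEGACY)):
        print(f"== {name} config ==")
        for cid, r in run_checks(checks, cfg).items():
            print(f"{cid:18} {r['status']:4} evidence={r['evidence']!r} pattern={r['pattern']}")
```

On the modern host the loose check reports a failure with evidence "ssl_protocols TLSv1.2 TLSv1.3;" because \b treats the "." in "TLSv1.2" as a word boundary; the strict check's negative lookahead rejects that and reports a pass, so the loose finding is the false positive. The FIPS check fails there because the required "on" value is absent rather than because something matched.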
