Humble Bundle FTW and make sure to crank the bar to Charity
https://www.humblebundle.com/books/cybersecurity-wiley
Getting started in the security field [books, resources, advice]
-
A user later in this thread mentioned that the URL provided to the article here is no longer working. A search with google found a new URL to the same article: http://www.computerworld.com/article...sec-field.html
I did not feel comfortable abusing my mod controls to edit your post, but a comment works well enough. You are welcome to edit your own post if you want.
-
I assume you were writing about this post in this thread:
> Article on this topic
> http://www.computerworld.com/securit...105902,00.html
I took a sentence from a portion of the article copy/pasted by DT, and performed a quoted search on google for: "My decision to stay in my current job for quality-of-life reasons provoked emotional responses from several readers." which found a page from computerworld:
From the beginning of the article:
Security Manager's Journal
By C.J. Kelly
NOVEMBER 07, 2005
COMPUTERWORLD
My decision to stay in my current job for quality-of-life reasons
provoked emotional responses from several readers. Some of those who
wrote to me about that column [QuickLink 57182 [1]] had made similar
decisions. But a few, after reading about how I turned down multiple
job offers, asked, "Where are all these jobs you keep talking about?"
I felt compelled to do a little research on the information security
job market and present the results here.
http://www.computerworld.com/article...sec-field.html
HTH,
-Cot
Last edited by TheCotMan; January 11, 2016, 14:01.
-
I just tried to view the article that Jeff posted but the link is now leading to a now-gone article. Was it posted anywhere else I could take a look?
-
Great article!
Great article, I am new to the forum and am enjoying the vast amount of information that I am picking up. I am interested in networking/computer science as a career in the future so I am trying to get ahead of my age group.
-
Re: Getting started in the security field
> So, you guys have covered a lot in this thread, but there is still a question nagging at me. You guys talk about learn this programming language, and get this certification. You suggest books on TCP/IP or learning Perl, Java, assembly, C++ or any number of other options. How are these tools and knowledge translated into a working knowledge of pen testing, information security, and hacking? I ask because I find that knowledge of the tools is great, but only if the understanding of how to apply them correctly.
I have a minor in CS, and worked in normal IT work three years before getting into Security just over a year ago. Here's where these bits and pieces have proved useful to me in my duties.
Vulnerability Scans - When I look through Vulnerability Scan results, the descriptions are frequently vague. In order to get to what the exact problem is, you have to dig through the XML files and find the checks. Those checks are usually some form of RegEx. Since I happened to look into RegEx when I was learning a bit about shell scripting, I'm able to decode what the Vuln. Scans are looking for and help diagnose if it's a real problem or a false positive. Knowing the various security and encryption protocols allows me to explain why it's a problem that perhaps a server has the group policy disabled that normally would force FIPS compliant encryption. Since I'm the scan guy, I'm also expected to explain why the scanner isn't working on certain boxes, so I've spent a significant time troubleshooting SSL connections. My knowledge of the handshake process was key there. I also frequently need to get down to the packet level to troubleshoot connection issues, though that would also be useful if we were logging packets here.
Configuration Management - I need to be conversant in Windows, UNIX, and Oracle in order to explain whatever configuration guidelines we have and why it's important they follow them. I need to be able to look at the results they provide me and judge if they're correct and/or BS.
IPS Administration - I also administer our IPS. I need to know enough about Windows that when an alert is generated, I either know or can figure out quickly if it's a false positive or a real problem. The IPS provides the files, processes, ports, users and IPs involved, and if I didn't have any base technical knowledge of how Windows worked, I'd be SOL and guessing on these guys.
Finally I don't use programming much, but do occasionally use it to automate spreadsheets. Lots and lots of spreadsheets ><
You mention hacking and penetration testing, but I really can't comment on those. On the defensive side, the experience I had in IT and in my hobby interest in computers is one of the seriously important factors that has allowed me to excel in my current role. The person who was here before me was a policy person, and I'm regularly lauded for being able to present better and more accurate information than they were. It's not because I'm smarter or hardworking, but I had a much stronger technical background than they did, and am able to leverage that.
Now, if you wanted to write policy or compliance stuff all day, then maybe all that TCP/IP, programming stuff isn't quite as important. I did that for six months and found it horribly boring though. So finally, to answer your question, all those skills are the base of your information security knowledge. You can be a marginal InfoSec guy without them, but you can't be an effective one, in my opinion.
M.
-
Re: Getting started in the security field [books, resources, advice]
Bruce Schneier did a blog post on this topic not too long ago:
http://www.schneier.com/blog/archive...ecome_a_1.html
FTA:
July 5, 2012
So You Want to Be a Security Expert
I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice.
First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You can be an expert in finding security problems in software, or in networks. You can be an expert in viruses, or policies, or cryptography. There are many, many opportunities for many different skill sets. You don't have to be a coder to be a security expert.
In general, though, I have three pieces of advice to anyone who wants to learn computer security...
-
Re: Environments for Practicing Hacking [merged with "getting started..."]
> I purchased "Hacking: The Art of Exploitation 2nd Edition" which was a GREAT book. I'm new to Computer Security, but I'm genuinely interested. The book was great, but had one problem. I couldn't load Linux on my laptop (The CD that came in the book). I was wondering what other books have similar ways of teaching Computer Security for a newbie like myself.
Lol. I love that book! I'm reading it literally right now (ok, not right right now, I'm posting, but after I'm done on here. You get the point.).
I dropped $100 on some books at defcon (ninja hacking and another syngress book). I'm gonna get that new metasploit book asap, but they were sold out at defcon and now I don't have money.
-
Re: Getting started in the security field [books, resources, advice]
I can't believe no one has mentioned this yet...and I'm an ubernoob to all of this...but MIT has open courseware... In terms of learning the basics of programming that's what I've been using. Also I've taken a class called Database Art: MySQL/XML. It's actually a visual art class...we made APIs. It was fun.
MIT link:
http://ocw.mit.edu/courses/#electric...mputer-science
-
Environments for Practicing Hacking [merged with "getting started..."]
I purchased "Hacking: The Art of Exploitation 2nd Edition" which was a GREAT book. I'm new to Computer Security, but I'm genuinely interested. The book was great, but had one problem. I couldn't load Linux on my laptop (The CD that came in the book). I was wondering what other books have similar ways of teaching Computer Security for a newbie like myself.
-
Re: Getting started in the security field
Also, don't get hung up on jobs. Grad school can be quite fun - I recommend any undergrads give security research a try. Look for NSF REUs: http://www.nsf.gov/crssprgm/reu/list...fm?unitid=5049
Or just talk to a professor. I got a sweet research gig for the summer just by asking a prof who I had class with if they knew of any opportunities for security research.
-
Re: Getting started in the security field
> So, you guys have covered a lot in this thread, but there is still a question nagging at me. You guys talk about learn this programming language, and get this certification. You suggest books on TCP/IP or learning Perl, Java, assembly, C++ or any number of other options. How are these tools and knowledge translated into a working knowledge of pen testing, information security, and hacking? I ask because I find that knowledge of the tools is great, but only if the understanding of how to apply them correctly.
I think this is a really valid question. It's much easier to see the application for such skills when you currently have a job that uses some of them. For instance if you already have a job as a developer, tester, etc., often times you can see where you can start building a bridge from where you are now, to where you want to go. However, if you have a non-IT job, let's say a barista at Starbucks, I think it can be difficult to figure out what the next move is. At least I think that's what star6966 was sort of getting at. Or I could be completely off.
-
Re: Getting started in the security field
> So, you guys have covered a lot in this thread, but there is still a question nagging at me. You guys talk about learn this programming language, and get this certification. You suggest books on TCP/IP or learning Perl, Java, assembly, C++ or any number of other options. How are these tools and knowledge translated into a working knowledge of pen testing, information security, and hacking? I ask because I find that knowledge of the tools is great, but only if the understanding of how to apply them correctly.
It is implied that you cannot write/modify a tool without knowing how it works and what it does. If someone out there has knowledge of tcp/ip writing in java or even knows how to write a vbscript/shell script and understands enough to pass the security+ then they should know how tools relate to each other, hardening techniques and so on and so forth. If they know all this and can't quite put the pieces together perhaps it's time to look at a career in only programming or switching careers altogether. Remember this thread is for people starting out. It is not designed for the mid-level to veteran because hopefully they have answered these questions and have established themselves. Just my opinion not any facts in this post at all. Good luck to all the new people looking to get established and I hope you never stop learning.
-
Re: Getting started in the security field
So, you guys have covered a lot in this thread, but there is still a question nagging at me. You guys talk about learn this programming language, and get this certification. You suggest books on TCP/IP or learning Perl, Java, assembly, C++ or any number of other options. How are these tools and knowledge translated into a working knowledge of pen testing, information security, and hacking? I ask because I find that knowledge of the tools is great, but only if the understanding of how to apply them correctly.
-
Re: Getting started in the security field
> Yesterday Dark Reading had an article about "Six hot and sought-after IT security skills" http://www.darkreading.com/vulnerabi...leID=224701863 Some of them are not exactly skills though (security clearance, for example). Do you guys think this is an accurate list?
I'm glad you posted this article, I was reading the very same one the other day and was feeling that they really do generalize in an unhelpful way. As was mentioned some, all, or none of these may be applicable depending on your personal career aspirations.
> I am supposed to start my final semester in June. I am still trying to figure out if I should do grad school or look for a job right away and save grad school for later. At this point, I am interested in so many aspects of IT Security that I am not sure what I would like to specialize in.
I finished up a Computer Engineering BS two years ago and have decided to work right out of school. I've already been through two jobs (that "expendable" thing mentioned earlier heh) but I have taken it upon myself to study like mad in my free time. Your real education happens AS you work and teach yourself how to improve on both job relevant skills and general ones. I intend to approach graduate schools with a clear cut, focused mindset and have more skills than the average recent-grad. This also gives you time to study and try to focus on the particular areas you are most interested in.