Wednesday, December 27, 2006

Starting Out in Digital Security

Today I received an email which said in part:

I'm brand new to the IT Security world, and I figure you'd be a great person to get career advice from. I'm 30 and in the process of making a career change from executive recruiting to IT Security. I'm enrolled in DeVry's CIS program, and my emphasis will be in either Computer Forensics or Information Systems Security. My question is, knowing that even entry-level IT jobs require some kind of IT experience, how does someone such as myself, who has no prior experience, break into this exciting industry? My plan is to earn some of the basic certifications by the time I graduate (A+, Network+, Security+). What else should I be doing? What introductory books and resources can you recommend?

I thought I'd discussed this sort of question before, but all I found was my post on No Shortcuts to Security Knowledge and Thoughts on Military Service. I believe I cover this topic in chapter 13 of Tao.

To those who are also interested in this question, I recommend reading both of those posts first and then returning to this post. I'll do my best to provide some additional useful advice here.

Here are seven ways you can make yourself more attractive to security-minded employers.

  1. Represent yourself authentically. It's tough when starting out to recognize the size of the digital security world. It's taken me nearly ten years to grasp the scope of the field. You'll be successful if you can clearly identify just what you (think) you know, and what you definitely do not. You will not do anyone favors if you claim to be even somewhat proficient in all or nearly all aspects of digital security. It's extremely important to want to work in security for love of the field, and not the potential paycheck.

  2. Stop using Microsoft Windows as your primary desktop. This is not an anti-Microsoft rant. The reality is the vast majority of the world uses Windows. When you stop using Windows, you move yourself into a smaller group that needs to think and troubleshoot. Some see this as a problem, while others see it as a learning opportunity. If you are completely new, start with one of the easy Linux distros. As you feel adventurous try one of the BSDs. (Mac OS X doesn't really count as a non-Windows platform for the purposes of this point.) This does not mean you will never use Windows again. I dual-boot Windows and FreeBSD on my laptop.

  3. Attend meetings of a local security group. Ideally you would have a group like NoVA Sec nearby, but you're more likely to have an ISSA chapter in your city. In either case, attend some meetings. Get immersed in the discussions that occur in those settings. Ask questions.

  4. Read books and subscribe to free magazines. You should start with the books on my Listmania Lists. Subscribe to Information Security, SC Magazine, NWC, and Cisco's IP Journal. I wouldn't bother with 2600. It costs money and more often than not you'll read about "hacking" point of sale terminals and the like.

  5. Create a home lab. No real security "pro" has only a single laptop/desktop connected to a DSL/cable modem. Most every security person I know maintains some sort of lab. If you are resource-constrained, install VMware Server and build a small virtual lab. Experiment with as many operating systems as you can.

  6. Familiarize yourself with open source security tools. Fyodor's Sectools.org is a good starting point. As you meet people and read, you'll learn of new techniques and tools to try.

  7. Practice security wherever you are, and leverage that experience. So many people are in security positions but do not recognize it. If you are a network administrator, you have security potential and responsibilities. If you are a system administrator, you have a platform to secure. If you are a developer, you should practice secure coding. If you set up a home lab, you need to operate it securely. It is both a blessing and a curse that anyone with a computing device is an administrator and a security practitioner. Whatever your background, consider how it might apply to security. For example, former software developers might become involved in application testing and/or source code review, instead of securing carrier networks.


Once you follow this advice, where can you work? A search for jobs with "network security" at Monster.com or similar job sites reveals plenty of opportunities. If you are just starting out, I recommend getting a job where you are a cog in the machine and not the whole machine. In other words, you are probably setting yourself up for failure if you land a job as an organization's sole security person -- and you are brand new. You won't know where to start and you'll have no one on site to mentor you.

It's best to pick a niche first, know that niche well, and then branch out as time passes. It also pays to know where you (want to) fit in the security community.

I appreciate anyone else's advice for this question-asker.

12 comments:

Stephen R. Moore said...

Great post. The point about being a "cog" first is very important to remember. It does help to have other related experience first, then move to Infosec.

If the person cares to share, I would love to know how one goes from exec recruiting to IT security -- and to what area?

While I have no real issue with DeVry, there are other schools I would look to first. Do a search on "NSA Centers of Academic Excellence" -- that will give you a pretty good start. For the money, do Boston U., JMU, or Norwich online -- IMO.

I wrote about something similar here: http://stephenrmoore.blogspot.com/2006/11/from-wwwsecurity-forumscom.html

A friend and fellow blogger, Didier Stevens, also said I should add Podcasts. His list below.
- The Silver Bullet Security Podcast
- CyberSpeak Podcast
- PaulDotCom Security Weekly
- SploitCast
- A Day in the Life of an Information Security Investigator
- Security Now!
- Binary Revolution Radio

LonerVamp said...

2. This is definitely good advice, and besides learning something new, it is good therapy to break away from Windows and learn *nix/bsd. Everyone in security and IT will have to dive into new things at some point. Get used to it. :) That said, don't give up the ghost on Windows, especially since Vista is new and needs to be learned, but now is a perfect time as XP is more than "googlable" if there are issues, and Vista is still not settled. If you know BSD/Linux, move to Windows and learn the opposite direction.

You don't necessarily have to be an expert in one OS or technology, but you should have exposure on your personal time with them. It is on the job where you get the expert level education.

4. Just a thought, while I do end up buying 2600, you can just flip through it at the book store. Barnes & Noble and Borders (I think) both carry it in the magazine racks when it comes out. Pick it up, flip through it over some coffee.

Emphasize your enthusiasm and education. Your schooling shows you are willing to learn and go the extra mile on your own time. It also should show that you have more than just average smarts and time management ability.

With your background it can be a very valuable position to bring in a fresh face that can interface with both the business side (executives) and IT. There's still big black and white lines between business and IT and debate on who should be making the effort to bridge that gap, but having yourself already poised to be there is excellent.

JD said...

Funny, I find myself in a similar position as the querent--and my (night-shift) job may let me go in September as I *have* to take evening courses to get my cert/degree/whatever.

I would suggest that even if you're going to school and working, take time on the weekends not only to play with new stuff (Mr. Bejtlich's Sguil NSM scripts got me started with wanting to learn BSD--now I'm in love with an OS) but to read anything you can get your hands on. Volunteering is almost as good as an internship--you could volunteer to do network security for a church or Scout group, for example, or give network security basic training to your locality's police department.

Just my two pesos.

Jason said...

Hello all, I posed the question. Many thanks to Richard for the detailed response and to those who offered comments. Stephen, in regards to your question – I’m learning as I go. My plan is simply to earn some basic CompTIA certifications and somehow gain relevant experience by the time I graduate. I must confess I’m starting from scratch.

Digital Forensics is the area of security that I’m most interested in at the moment. Any thoughts on this? (I’ve read that one could use data recovery experience to segue into DF.) As for DeVry, I’m not exactly 100% certain myself of their program’s ultimate value to my career. But I’ve moved around so much and attended so many different schools that I’ve decided to finish what I’ve already begun there. But Stephen, I’ll look into the schools you mentioned for graduate programs.

Thanks once again to everyone for the comprehensive advice.

Scott J. Roberts said...

A great post Richard, one I'm sure I'll be directing people to for some time to come.

I really agree with your emphasis in finding your niche, it's easily overlooked and a big part of what leads to people being in way over their heads. I think infosec is often looked at as a sub-discipline of the overarching computer science field, and people don't realize how segmented it is. I know very few people who are really experts in information security, it's much more common, and useful ultimately, to be an expert in a particular piece. A security engineer may not understand exploit technology, but their skills are incredibly useful in the right circumstance.

It's tough to pick and get into a niche. As someone fresh out of school I can say that most budding infosec professionals all want to be pentesters, ethical hackers, whatever you call it if they're paid to "pw3n b0xen", not realizing how many other, and often more in demand, specializations there are. This is especially interesting as many of the people I've known in those types of jobs find them quite boring once they realize that they do little more than run Nessus, Qualys, or at most Metasploit or Clickscripts. They end up frustrated when they find they spend far more time reviewing policy and writing up compliance reports against SOX, GLBA, and other equally fun standards.

I would also add the importance of coding. So many infosec wannabes come out of school with little or no coding ability and it's definitely a hindrance. Scripting languages are infinitely useful for creating small applications that make the job easier. Developing larger applications (like Sguil, John the Ripper, Nessus, and Nmap) is less common, but a big way to advance your reputation in the field.

Again, great post.

John Ward said...

Learning security is the same as learning any other field, whether it is programming, culinary arts, or botany. The three R's (Read, Read, Read) and the three P's (practice, practice, practice). I haven't reached the level I am at in anything by just taking a course. I've gotten there by taking a lot of courses, reading a lot of books, putting in long hours of practice, and having tons and tons of experience. And after all that, there is still more to learn, more to read, and more to experience. The point is, don't just get into something because it's a buzzword or a career advisor recommends it. Get into it because you love it, then live it and breathe it. If you love a field, you work in it regardless, and the jobs have a tendency to find you.

Adam said...

I'm thinking about learning a programming language, and I've come to the conclusion that at least as far as security goes, Perl is a more defensive language (strength is working with text and log analysis) where C is more offensive (strength is in exploit development). However, if I'm not mistaken Richard said he wanted to learn Python, which I haven't considered and know little about. Why would someone in InfoSec choose to learn Python over Perl or C?

Pete said...

warning: grandstanding follows

I call shenanigans on point 2. That really should be rewritten as learn an OS inside and out. The problem with Windows in this regard is that it's an expensive route to go. TechNet articles aren't necessarily the most helpful. And books and an MSDN subscription, an MS development environment, OS and all, will quickly exhaust an individual's bank account. So using a Unix or Unix-like OS is just easier and cheaper. There are free docs and the internals have been studied in universities for a while.

Actually a lot of what you're talking about has been covered by Eric Raymond's How To Become A Hacker. There's a link over at insecure.org.

Though I'd really like to point one thing out. Information Security is a mindset and an understanding of the tools as they are. To be good in this field, I really believe that you need to understand programming at least at a basic level, and computer architecture again at least at a basic level. Understand how to debug and your life in general will be more fun, i.e. learn OllyDbg or gdb, it will only help you later on.

Also before you specialize. Hell security's become a big enough field at this point that I don't think we have that many generalists anymore, I really think that you need to be able to take what you've learned and understand how to generalize. I.e. you need to understand how and why data representations are there and the difficulty of writing parsers or code in general.

As to learning Python over C or Perl. There are more modules on both the offensive and defensive sides that are actively maintained. Also I'd argue that it's a cleaner language.

LonerVamp said...

@pete: No joke! That's one major reason I have more and more Linux boxes at home. I can't activate extra copies of Windows anymore (doesn't MS realize how much of the market they KEEP by allowing some piracy??) and I dislike shelling out $200 and up for a single copy.

Keydet89 said...

Richard,

Interesting post, and it is interesting to read all of the comments.

Some comments of my own:

Re: #2...I could not agree less. Back when I started in the infosec field, I worked with *nix gurus...and not a one of them could perform an assessment of a Windows system. In the professional arena, "Install Linux" is not an answer that a client is going to accept. In the field of forensic analysis, I am constantly amazed at the number of folks who do anything beyond a review of the file system, and perhaps some data carving and call that "analysis". Richard's right...the vast majority of the world uses Windows. So why not learn it, I mean really _learn_ it?

On second thought...ignore everything I said, and follow Richard's advice. ;-)

Re: #4 - I do agree that reading (and doing) are important. I also agree that one should not bother with 2600...in the last issue I flipped through, there was an article about a "hack" that was nothing more than blackmail. With regards to the free subscription magazines, I actually went out of my way to stop them from coming to my house. I still enjoy the Cisco magazine when it arrives, but InfoSecMag and SC Mag are an entirely different story.

Re: #3-6 : Add in "stop listening to the 'experts'". Learn for yourself. This does not mean that you should not see what others have to say, but if you don't understand something, then give it a shot yourself and see what happens. Many times, an 'expert' (of which, I am not) will make claims about something that does not seem to sit quite right. Combine items 3 thru 6 and do some of your own experimentation.

From an aspect of professionalism, I'd add "learn to spell" and "learn to document". Both go toward producing reports for customers (it's hard to be a "professional" at anything without actually providing some kind of deliverable). Also, most great methods of professional growth involve writing of some kind.

Happy New Year, all!
