IT security is an increasingly specialized domain within the information technology field. It used to be that system administrators fulfilled the role, regardless of whether they had specific training in security, but now corporations increasingly want dedicated IT security staff to take care of maintaining security policies, intrusion detection systems, firewalls, penetration testing, and so on. Sometimes they contract this work out, and sometimes they hire full-time employees. As a result, a lot of IT pros who have made a career in system or network administration are tempted to make the switch into IT security.
IT security is often seen as the most mysterious, cloak-and-dagger type of computer discipline. Pen testers in particular are dreaded by a lot of traditional IT folks, simply because their whole goal is to break everything you've set up and get into your systems. But making the switch really isn't that hard. In order to go into IT security, you need to know all of the basic system and network administration tools, but you also need another layer of knowledge and skills. You need to be able to think like a hacker, and use the tools that they use in order to find out what you need to do to keep them out. So as you can imagine, the most important tool is experience. If this is something you want to do on the side, then start by subscribing to the security mailing lists. The SANS newsletters for example are a staple of IT pros, and a must if you want to keep up to date in the field. Make sure you also go to SecLists which hosts the archives of many other popular mailing lists like Bugtraq and CERT.
There are a few books that are key for any IT security expert. You can check out Hacking: The Art of Exploitation, which explains all sorts of hacking techniques and how they work; The Web Application Hacker's Handbook, which covers web security like cross domain injection, frame busting, GET and POST parameter pollution, and more. Finally, The Shellcoder's Handbook goes deeper into how vulnerabilities are found, and provides more advanced techniques. These three books will give you a pretty good idea of how hackers think, and what will be required of you to do your job as a security consultant or a pen tester.
Finally, if you actually want to work in the industry, then getting the right skills by yourself may not be enough. Most people these days want a degree. If you already work as an IT pro and you have a degree in computer science or in network administration, then that may be enough to get you into an IT security position. But now colleges and universities also offer degrees specifically aimed at preparing security experts, some of them even available remotely, like the Stanford Advanced Computer Security Certificate. There is a lot to cover in this type of degree, everything from writing secure code, deep kernel exploitation, web framework security, mobile phone security, and so on.
The IT security position is a much broader role than it used to be, sometimes even more so than IT administration. It's not just about configuring servers and networks — you will be called upon to set up policies for employees, deal with physical entry mechanisms, and manage risk while understanding organizational goals and business requirements. IT security is a fascinating field, but one that requires quite a bit of dedication if you wish to make it into a career.
If you are already a working security pro, how did you get into the field? What are your recommendations and advice for those contemplating a career in security? Which certifications are the most important?
Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news community TideArt. He's always at the forefront of the latest happenings in the world of technology. You can find him online at http://dendory.net or on Twitter at @dendory.