General discussion

  • #2250523

    Best way to enter into Info Security Career


    by redsgirl ·

    I am a recent college graduate with a degree in CIS. So far, I have only held two ‘computer related jobs’; one with the title of ‘Computer Support Specialist’ and my current title of ‘Computer Operator’. More and more I am becoming interested in Information Security. I was wondering if anyone has any suggestions/ideas/comments, etc. on 1.) how to come from a job of ‘Desktop Support’…
    User: “Um, how do I turn on my computer?” (lol)
    …” to entering into the world of Information Security.
    2.) Should I begin to study for CISSP this early in the game? Is CISSP the right starting point cert? Do I need to start w/ a cert?
    3.) What should I be doing NOW in my current job (I report to Sys Admin) to ‘dabble’ in this area?
    …By the way YES I have been on the internet and reading a few books, just thought I’d poll the TR community & get some wisdom/suggestions from you guys!!!

    -redsgirl

All Comments

    • #3279928

      gaining experience

      by stress junkie ·

      In reply to Best way to enter into Info Security Career

      The real trick to security is getting used to what is or is not a security problem. Whenever you see any kind of system configuration you will immediately start to look for weaknesses. It helps if you know what kinds of problems have been experienced.

      For instance, one temp job I was working was to install DEC Pathworks on a DEC Unix machine in a Windows for Workgroups environment. The people were spending a lot of money to make the server more secure because a belligerent employee had deleted all of their files and then quit. Naturally they didn’t have backups and they wanted to be able to restrict each employee’s access to files. Now when I look at any computer configuration I try to think of all the ways that a belligerent employee could do damage and then I try to figure out how to close those holes in the security. That’s just an example. I’ve learned a lot by being called to this business or that business to repair some damage caused by accident or malevolence. It’s hard to study for that. You just start to get a feel for it.

      If you are on good terms with the system administrator to whom you report then ask if you can do a thorough security audit of the business systems under your care. You will learn a lot. You still won’t know what to look for unless someone shows you or you see what has happened in the wake of bad security + bad or ignorant people. You can look into various security tools such as nmap for network access vulnerabilities. Looking for these tools and then using them on your own systems would be good.

      I don’t know where there is a comprehensive list of security vulnerabilities such as having wide open file access to system files or other users’ files. You can look at cert.com, cert-us.com, securityfocus.com, and other sites like that. It still won’t give you a really good feel for security but it is a first step.

      • #3281414

        Some pointers

        by kjell_andorsen ·

        In reply to gaining experience

        Instead of trying to jump directly from end user support to Security I would strongly advise trying to move into a network admin or sysadmin role first. Getting to know the ins and outs of how a network works is essential for really understanding the security aspect. Once you’re very familiar with networks you can start specializing in security. There are numerous Security related Certs, the VVSP seems pretty hot these days and might be worth looking into.

        • #3281215

          info on VVSP?

          by elrico-fantastica ·

          In reply to Some pointers

          hey peeps,

          I’m interested in heading in a similar direction also with my career.
          I’m already in a sysadmin role and wouldn’t mind getting some required reading or starting to study for the right certs.

          I googled VVSP certification but I can’t find info on it. Does anyone out there have some direct links for this or other security certs?

          thanks

        • #3221458

          The value of proof-reading…

          by kjell_andorsen ·

          In reply to info on VVSP?

          …is that you don’t make embarrassing mistakes like I did. I meant the CCSP not VVSP. Sorry about that.

        • #3281212

          Few more points to add …

          by unni_kcpm ·

          In reply to Some pointers

          1. As mentioned above, Information Security arena is a very critical and wide information + experience required area and freshers with limited experience won’t suit to it (No discouragement but to give yourself a yardstick).
          2. Sure, it’s a VERY VERY CHALLENGING and promising job area (Me too aspiring for it !!).

          Certifications:

          CEH (Certified Ethical Hacker), CISA (Certified Information Security Auditor), CISSP and many others are some of them besides MS, CISCO related certifications which will give you more throughput and knowledge in the IT field.

          Best Wishes !

    • #3221650

      Making the jump.

      by bgrime ·

      In reply to Best way to enter into Info Security Career

      I just recently made this move (Desktop to Security) and the one pointer I will give is show an interest and make it known that you have an interest in Security. I told the Director of IT that I had an interest and I also showed an interest with the current Security staff. What this does is when a position opens if your company considers you to be an asset they will know that you have an interest and hopefully with working with the Security staff they will be more willing to trust you.

    • #3221644

      Certification a good start

      by goonigoogoo ·

      In reply to Best way to enter into Info Security Career

      CISSP certification would be an excellent start. However, the ISC2 governing body now requires experience and the recommendation of another CISSP (in addition to passing the exam) to earn the certification. Passing the exam alone can earn you the Associate of ISC2 certification. This will open some doors for you. You can then get some experience, and later get the CISSP title by experience and continuing education.

      The CISSP is much more broad than many of the other certifications. So depending on your interests may not be the best path for you. Typically, CISSPs are senior level security personnel. They are more focused on decision making, and less hands on.

      I am a security architect (studying for my CISSP), and typically network security, system admins, and physical security people take action based on my recommendations. This is not true for every organization (and is not meant to diminish the value of other certifications), but the CISSP is not nearly as technically deep as many other hacking and network security certifications.

      Good Luck!

      • #3221509

        Other certs?

        by eva2k1 ·

        In reply to Certification a good start

        In your reply you mentioned other “network security certifications”. Can you tell me which ones? I have been considering Security + and CISSP. I already have a CISA, and I work mostly in audit, but I really want to jump to security design and implementation. Thank you.

        • #3221481

          RE: Other Certs

          by goonigoogoo ·

          In reply to Other certs?

          If you really want to get into the implementation, you can get certifications from a number of vendors (in addition to those offered by security bodies – eccouncil.org, isc2.org, comptia.org, giac.org). Microsoft, Novell, Sun, Cisco, IBM (per system AIX, iSeries, Mainframe) all offer certifications on their security products and architectures.

    • #3221623

      Just do it

      by ~neil ·

      In reply to Best way to enter into Info Security Career

      Authors have a saying when they’re asked the question; “to be a writer, you must write.”

      Experience doesn’t mean you got paid for it (that’s ‘job experience’), it means you’ve done it. Free experience is still experience.

      Regardless of what part of computers you are interested in, do it at home. Old cheap hardware is readily available. Set yourself up a home lab, and try the stuff out. Put two PCs together, and try to crack one (*not* somebody else’s). Harden it. Repeat. Every time you break it, fix it. Every time you fix it, try to break it. If you can’t do a lab, try virtualized PCs. Books are a start, but actually immersing yourself in the stuff is how you learn it.

      When you sit down with a job candidate, and talk to them for a couple of minutes, it’s fairly apparent who has read about it, and who has done it. They will ask you “have you ever used X” questions, but I’ve never had one care *where* I used X.

      If you can speak knowledgeably and comfortably about security issues (and the nuts and bolts stuff) then you are a resource for your admin; it’s easier to get security-related tasks from them.

      Not to knock the certifications, but experience trumps paper. Having both puts you yards ahead of your competition.

      • #3221611

        Just do it 2.0

        by goonigoogoo ·

        In reply to Just do it

        I do agree with Neil. As mentioned in my earlier post, I am working on my CISSP — but I already have a security position. I am adding the certification to give my experience some credibility. My security career started when I started asking questions that no one else on the team had answers for. Start learning and practicing security. Make it the first consideration of every project you get to be a part of. Soon you’ll be regarded as an expert. One of the biggest security issues in IT is that for most app developers and admins – security is an afterthought.

        g.

    • #3221344

      Security Company

      by lyle148806 ·

      In reply to Best way to enter into Info Security Career

      Looking for a job with a Security focused company can also be a way in. The company I work for does employ some security experts directly in, but tries to grow their own. Starting at the bottom, being a “Monitor” (watching the monitoring systems for System Health, and Security Events) or on the Service Desk, and from there apply for the Junior Security Admin positions with the Operations Team.

      Within our current Operations team providing Security Services, about half have come from the Monitoring and Service Desk teams.

      But being in the right place needs to be combined with all of the other comments, getting experience by playing in a Lab at home, studying for certs, even if you do not sit for the exam, but to start to get an idea about the depth and breadth of the knowledge required, asking questions and gaining understanding and showing your enthusiasm.

    • #3222013

      Experience counts

      by jamie ·

      In reply to Best way to enter into Info Security Career

      Try and become fairly rounded in terms of IT knowledge. (Actually in IT it’s pretty easy to become rounded. It’s the stationary lifestyle.) Anything that you learn won’t harm you, try and get experience in security.
      Use Virtual PC to set up test environments and do what-if scenarios. Go for certification, it doesn’t hurt.

      Also read BOFH, it will help you deal with stupid users.
