General discussion
October 10, 2006 at 10:03 am #2250523
Best way to enter into Info Security Career
by redsgirl · about 17 years, 5 months ago
I am a recent college graduate with a degree in CIS. So far, I have only held two ‘computer related jobs’; one with the title of ‘Computer Support Specialist’ and my current title of ‘Computer Operator’. More and more I am becoming interested in Information Security. I was wondering if anyone has any suggestions/ideas/comments, etc. on 1.) how to come from a job of ‘Desktop Support’…
User: “Um, How do I turn on my computer? (lol)
…” to entering into the world of Information Security.
2.) Should I begin to study for CISSP this early in the game? Is CISSP the right starting point cert? Do I need to start w/ a cert?
3.) What should I be doing NOW in my current job (I report to Sys Admin) to ‘dabble’ in this area?
…By the way YES I have been on the internet and reading a few books, just thought I’d poll the TR community & get some wisdom/suggestions from you guys!!! -redsgirl
All Comments
-
October 10, 2006 at 11:58 am #3279928
gaining experience
by stress junkie · about 17 years, 5 months ago
In reply to Best way to enter into Info Security Career
The real trick to security is getting used to what is or is not a security problem. Whenever you see any kind of system configuration you will immediately start to look for weaknesses. It helps if you know what kinds of problems have been experienced.
For instance, one temp job I was working was to install DEC Pathworks on a DEC Unix machine in a Windows for Workgroups environment. The people were spending a lot of money to make the server more secure because a belligerent employee had deleted all of their files and then quit. Naturally they didn’t have backups and they wanted to be able to restrict each employee’s access to files. Now when I look at any computer configuration I try to think of all the ways that a belligerent employee could do damage and then I try to figure out how to close those holes in the security. That’s just an example. I’ve learned a lot by being called to this business or that business to repair some damage caused by accident or malevolence. It’s hard to study for that. You just start to get a feel for it.
If you are on good terms with the system administrator to whom you report then ask if you can do a thorough security audit of the business systems under your care. You will learn a lot. You still won’t know what to look for unless someone shows you or you see what has happened in the wake of bad security + bad or ignorant people. You can look into various security tools such as nmap for network access vulnerabilities. Looking for these tools and then using them on your own systems would be good.
I don’t know where there is a comprehensive list of security vulnerabilities such as having wide open file access to system files or other users’ files. You can look at cert.com, cert-us.com, securityfocus.com, and other sites like that. It still won’t give you a really good feel for security but it is a first step.
-
October 11, 2006 at 9:45 am #3281414
Some pointers
by kjell_andorsen · about 17 years, 5 months ago
In reply to gaining experience
Instead of trying to jump directly from end user support to Security I would strongly advise trying to move into a network admin or sysadmin role first. Getting to know the ins and outs of how a network works is essential for really understanding the security aspect. Once you’re very familiar with networks you can start specializing in security. There are numerous Security related Certs, the VVSP seems pretty hot these days and might be worth looking into.
-
October 12, 2006 at 2:39 am #3281215
info on VVSP?
by elrico-fantastica · about 17 years, 5 months ago
In reply to Some pointers
hey peeps,
I’m interested in heading in a similar direction also with my career.
I’m already in a sysadmin role and wouldn’t mind getting some required reading or starting to study for the right certs. I googled VVSP certification but I can’t find info on it. Does anyone out there have some direct links for this or other security certs?
thanks
-
October 12, 2006 at 10:49 am #3221458
The value of proof-reading…
by kjell_andorsen · about 17 years, 5 months ago
In reply to info on VVSP?
…is that you don’t make embarrassing mistakes like I did. I meant the CCSP not VVSP. Sorry about that.
-
October 12, 2006 at 2:49 am #3281212
Few more points to add …
by unni_kcpm · about 17 years, 5 months ago
In reply to Some pointers
1. As mentioned above, Information Security arena is a very critical and wide information + experience required area and freshers with limited experience won’t suit to it (No discouragement but to give yourself a yardstick).
2. Sure, it’s a VERY VERY CHALLENGING and promising job area (Me too aspiring for it!!).
Certifications: CEH (Certified Ethical Hacker), CISA (Certified Information Security Auditor), CISSP and many others are some of them besides MS, CISCO related certifications which will give you more throughput and knowledge in the IT field.
Best Wishes!
-
October 12, 2006 at 5:12 am #3221650
Making the jump.
by bgrime · about 17 years, 5 months ago
In reply to Best way to enter into Info Security Career
I just recently made this move (Desktop to Security) and the one pointer I will give is show an interest and make it known that you have an interest in Security. I told the Director of IT that I had an interest and I also showed an interest with the current Security staff. What this does is when a position opens if your company considers you to be an asset they will know that you have an interest and hopefully with working with the Security staff they will be more willing to trust you.
-
October 12, 2006 at 5:20 am #3221644
Certification a good start
by goonigoogoo · about 17 years, 5 months ago
In reply to Best way to enter into Info Security Career
CISSP certification would be an excellent start. However, the ISC2 governing body now requires experience and the recommendation of another CISSP (in addition to passing the exam) to earn the certification. Passing the exam alone can earn you the Associate of ISC2 certification. This will open some doors for you. You can then get some experience, and later get the CISSP title by experience and continuing education.
The CISSP is much more broad than many of the other certifications. So depending on your interests, it may not be the best path for you. Typically, CISSPs are senior level security personnel. They are more focused on decision making, and less hands on.
I am a security architect (studying for my CISSP), and typically network security, system admins, and physical security people take action based on my recommendations. This is not true for every organization (and is not meant to diminish the value of other certifications), but the CISSP is not nearly as technically deep as many other hacking and network security certifications.
Good Luck!
-
October 12, 2006 at 8:57 am #3221509
Other certs?
by eva2k1 · about 17 years, 5 months ago
In reply to Certification a good start
In your reply you mentioned other “network security certifications”. Can you tell me which ones? I have been considering Security + and CISSP. I already have a CISA, and I work mostly in audit, but I really want to jump to security design and implementation. Thank you.
-
October 12, 2006 at 9:48 am #3221481
RE: Other Certs
by goonigoogoo · about 17 years, 5 months ago
In reply to Other certs?
If you really want to get into the implementation, you can get certifications from a number of vendors (in addition to those offered by security bodies – eccouncil.org, isc2.org, comptia.org, giac.org). Microsoft, Novell, Sun, Cisco, IBM (per system AIX, iSeries, Mainframe) all offer certifications on their security products and architectures.
-
October 12, 2006 at 6:19 am #3221623
Just do it
by ~neil · about 17 years, 5 months ago
In reply to Best way to enter into Info Security Career
Authors have a saying when they’re asked the question; “to be a writer, you must write.”
Experience doesn’t mean you got paid for it (that’s ‘job experience’), it means you’ve done it. Free experience is still experience.
Regardless of what part of computers you are interested in, do it at home. Old cheap hardware is readily available. Set yourself up a home lab, and try the stuff out. Put two PCs together, and try to crack one (*not* somebody else’s). Harden it. Repeat. Every time you break it, fix it. Every time you fix it, try to break it. If you can’t do a lab, try virtualized PCs. Books are a start, but actually immersing yourself in the stuff is how you learn it.
When you sit down with a job candidate, and talk to them for a couple of minutes, it’s fairly apparent who has read about it, and who has done it. They will ask you “have you ever used X” questions, but I’ve never had one care *where* I used X.
If you can speak knowledgably and comfortably about security issues (and the nuts and bolts stuff) then you are a resource for your admin; it’s easier to get security-related tasks from them.
Not to knock the certifications, but experience trumps paper. Having both puts you yards ahead of your competition.
-
October 12, 2006 at 6:43 am #3221611
Just do it 2.0
by goonigoogoo · about 17 years, 5 months ago
In reply to Just do it
I do agree with Neil. As mentioned in my earlier post, I am working on my CISSP — but I already have a security position. I am adding the certification to give my experience some credibility. My security career started when I started asking questions that no one else on the team had answers for. Start learning and practicing security. Make it the first consideration of every project you get to be a part of. Soon you’ll be regarded as an expert. One of the biggest security issues in IT is that for most app developers and admins – security is an afterthought.
g.
-
October 12, 2006 at 4:15 pm #3221344
Security Company
by lyle148806 · about 17 years, 5 months ago
In reply to Best way to enter into Info Security Career
Looking for a job with a Security focused company can also be a way in. The company I work for does employ some security experts directly in, but tries to grow their own. Starting at the bottom, being a “Monitor” (watching the monitoring systems for System Health, and Security Events) or on the Service Desk, and from there apply for the Junior Security Admin positions with the Operations Team.
Within our current Operations team providing Security Services, about half have come from the Monitoring and Service Desk teams.
But being in the right place needs to be combined with all of the other comments, getting experience by playing in a Lab at home, studying for certs, even if you do not sit for the exam, but to start to get an idea about the depth and breadth of the knowledge required, asking questions and gaining understanding and showing your enthusiasm.
-
October 12, 2006 at 6:34 pm #3222013
Experience counts
by jamie · about 17 years, 5 months ago
In reply to Best way to enter into Info Security Career
Try and become fairly rounded in terms of IT knowledge. (Actually in IT it’s pretty easy to become rounded. It’s the stationary lifestyle.) Anything that you learn won’t harm you, try and get experience in security.
Use Virtual PC to set up test environments and do what-if scenarios. Go for certification, it doesn’t hurt. Also read BOFH, it will help you deal with stupid users.
-
October 13, 2006 at 6:59 am #3221888
EXPERIENCE COUNTS
by redsgirl · about 17 years, 5 months ago
In reply to Experience counts
jaime@…
what’s BOFH?
-
October 13, 2006 at 7:46 am #3221864
BOFH
by kjell_andorsen · about 17 years, 5 months ago
In reply to EXPERIENCE COUNTS
Is an acronym for “Bastard Operator From Hell”, a long running web-series covering the adventures of an Evil Sysadmin and his assistant the Pimply Faced Youth (or PFY). It’s often a hilarious read, especially for techies, and is published regularly in The Register (British IT news site, http://www.theregister.co.uk/). The complete BOFH archives can be found at
http://www.theregister.co.uk/odds/bofh/