Security entry-level positions

0 pts.
Tags:
Security
I'm trying to get into the security field but most security positions require that you have at least a few years experience. How can I get experience in the security field when I can't even get an entry level security position? Right now I do have a Security+ cert and is working on my CCNA. Any suggestions would be helpful? Thanks.
ASKED: December 22, 2004  1:56 PM
UPDATED: January 5, 2005  8:13 AM

Answer Wiki

Thanks. We'll let you know when a new response is added.

This may not sound like what you’re looking for, but it’s how I got started.

I’m going to assume (for purposes of this reply) that you’re already within some sort of IT job function. Otherwise, you’ll have to get their first.

First off, view everything you touch job-wise as it relates to security. If you work for a company that has security people, ask them if there are any documents, policies, guidelines, etc. that can help you, as an individual contributor to better follow whatever standards are in place. Just don’t gush.

When you see something that looks “odd” from your “security” point of view, check it against the existing guidelines. Or ask security people (in your enterprise) what they think of it. Don’t over do it – lest you be viewed as NOT doing YOUR job. This is not going to happen overnight or even over-month (to coin a phrase). But the more you focus on security aspects, while still getting your normal job done, the more you will come to be regarded as part of the security effort.

One Caveat – some “security” people might view you as a threat or upstart. If you’ve got some of those in your company, you’ll have to tread more carefully. This might especially be the case where they know that either they’re not doing the job right, or they’re frustrated by the lack of support they get from upper management. I’ve seen some of these scenarios, but don’t have an easy answer for that.

Read – lots. If you don’t already, subscribe to the SANS.org emailing lists, Computerworld security email list, and many others that are around. If you wind up being the person who has alerted your outfit to new threats – and particularly – how to deal with them, you become more valuable in a security light.

Spend your free time working on related things – like learning snort (open source intrusion detection system). Prepare to be frustrated, and learn patience and persistence.

I’ve just barely touched the surface. Partly because there’s so much, partly because I’ve answered queries like this before, and it gets tiring doing it multiple times.

Search the archives of this server – you’ll probably find some relevant material there.

http://searchwindowssecurity.techtarget.com/ITKnowledgeExchange

Good luck

Bob

Discuss This Question: 6  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Moezter
    Thanks CheckSix. Yes, I've been reading and doing more reading. I've been playing around with various tools (nmap, snort). I'm subscbribed to various sec alerts, and magazines, whitepapers etc. You're right infosec does encompass a large area which makes me feel like I'll never learn or cover everything. So would you suggest focusing on a certain area of security (i.e. firewalls, IDS, pen testing, audit etc..) Why yes, I am paranoid :P
    0 pointsBadges:
    report
  • Poppaman
    I too am in a similar situation (ie: wanting to break into the Security field), and have come across the same catch 22 - can't get the job w/o experience; can't get experience w/o the job... (to oversimplify things...) I think the previous comment's closing statement ("you are paranoid, right?") might realisticly be ammended to : Just because you're paranoid, doesn't mean ther's no one out to get you... I would add to/expand the suggestions, especially in light of the mention of SANS: the SANS/GIAC vcertifications are quite useful, especially if you have a specific area in which you desire additional in-depth knowledge (such as intrusion detection, Linux security, Windows security, etc...). If you use your certifications/training to augment your skillset when applying for any IT job (possibly but not necessarily excluding "helldesk" positions), you may just find that you become the "go to" guy when dealing with non-emergency issues...
    0 pointsBadges:
    report
  • Netmin
    I agree with all of these repies. as long as you are in any IT or network admin position, you can use your certification combined with a viewpoint that EVERYTHING in IT has a security aspect to it. I would not limit my learning to a particular aspect of security, because it takes ALL levels of security awareness to truly protect your company's data and internal network. Don't forget about spyware on your end users desktop machines. The question about being paranoid is particularly relevant to the information security field. If you are not paranoid about someone hacking your network, either from the inside or the outside,you will not be diligent enough in the security business.Lack of paranoia leads to compacency.
    0 pointsBadges:
    report
  • Kojones
    Breaking into the Security is quite a task as relayed by each reply. One of the things that you can do, is setup your own network at home with some of the freebies from sans.org. In particular, SNORT is still free, so you could bone up on what SNORT presents to you and then ask questions to either the administrators and/or the security team to help you understand what is going on. As stated earlier, be sure not to offend anyone by making them think that you are ready to take over their job. That is not your purpose and it should not come across this way. Good Luck!
    0 pointsBadges:
    report
  • Bobkberg
    Ah, back in the saddle after the holidays. I really enjoyed reading all the followup posts - particularly CheckSix's point about paranoia. I view a large part of my working attitude as "paranoid by policy". That is, even if you don't believe "they" are out to get you, act as though you did. Other point, which was brought up by kojones is Snort and other tools. Get as many free tools as you can stand to play with. Nessus should also be in your toolbox. For a great list - go to www.insecure.org (Home of nmap) and look at the Security Tools page (http://www.insecure.org/tools.html) Fyodor has pulled together a marvelous selection from the security community as well. It used to be the top 50 tools, now it's the top 75. He also provides the platform(s), and whether or not each is free or costs. At the risk of shameless self-promotion, I've also written some white papers, available at www.networkeval.com/downloads.htm The one at the top of the list is a sanitized audit report (considerably shortened) which will also provide some guidelines on the sorts of things you should think about. It's not complete, because there are aspects of auditing that the customer in question did not want performed. bobkberg
    1,070 pointsBadges:
    report
  • RISecure
    Security is part of every IT job in companies where security is a visible element of the business practice. Banking, finance, health-care, legal, software development. If you are not in one of those companies, consider a job change to one that does. For instance, I worked for a DoD contractor and lottery provider. Security was part of the business, and helped me gain insight that positioned me for my current job. I also think that experience in QA and testing can be transferable. Especially in companies where QA is part of the entire product lifecycle. There are all sorts of security positions. One valuable entry point is being the lead security resource for an element of infrastructure or an application. Most vendors define security best practices, and provide means to identity and correct vulnerable configurations. Many educate on the threat vectors that target those vulnerabilies. By understanding the vulnerabilities and threats, and other business constraints, you will be assigning management in the appropriate risk management decisions. Good luck!
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following