Comments on: Security entry-level positions

By: risecure

risecure — Wed, 05 Jan 2005 08:13:13 +0000

Security is part of every IT job in companies where security is a visible element of the business practice. Banking, finance, health-care, legal, software development.

If you are not in one of those companies, consider a job change to one that does. For instance, I worked for a DoD contractor and lottery provider. Security was part of the business, and helped me gain insight that positioned me for my current job.

I also think that experience in QA and testing can be transferable. Especially in companies where QA is part of the entire product lifecycle.

There are all sorts of security positions. One valuable entry point is being the lead security resource for an element of infrastructure or an application. Most vendors define security best practices, and provide means to identity and correct vulnerable configurations. Many educate on the threat vectors that target those vulnerabilies. By understanding the vulnerabilities and threats, and other business constraints, you will be assigning management in the appropriate risk management decisions.

Good luck!

By: bobkberg

bobkberg — Mon, 03 Jan 2005 10:44:51 +0000

Ah, back in the saddle after the holidays. I really enjoyed reading all the followup posts – particularly CheckSix’s point about paranoia. I view a large part of my working attitude as “paranoid by policy”. That is, even if you don’t believe “they” are out to get you, act as though you did.

Other point, which was brought up by kojones is Snort and other tools. Get as many free tools as you can stand to play with. Nessus should also be in your toolbox.

For a great list – go to http://www.insecure.org (Home of nmap) and look at the Security Tools page (http://www.insecure.org/tools.html) Fyodor has pulled together a marvelous selection from the security community as well. It used to be the top 50 tools, now it’s the top 75. He also provides the platform(s), and whether or not each is free or costs.

At the risk of shameless self-promotion, I’ve also written some white papers, available at http://www.networkeval.com/downloads.htm The one at the top of the list is a sanitized audit report (considerably shortened) which will also provide some guidelines on the sorts of things you should think about. It’s not complete, because there are aspects of auditing that the customer in question did not want performed.

bobkberg

By: kojones

kojones — Mon, 03 Jan 2005 08:57:28 +0000

Breaking into the Security is quite a task as relayed by each reply. One of the things that you can do, is setup your own network at home with some of the freebies from sans.org. In particular, SNORT is still free, so you could bone up on what SNORT presents to you and then ask questions to either the administrators and/or the security team to help you understand what is going on. As stated earlier, be sure not to offend anyone by making them think that you are ready to take over their job. That is not your purpose and it should not come across this way. Good Luck!

By: netmin

netmin — Sat, 25 Dec 2004 13:40:04 +0000

I agree with all of these repies. as long as you are in any IT or network admin position, you can use your certification combined with a viewpoint that EVERYTHING in IT has a security aspect to it. I would not limit my learning to a particular aspect of security, because it takes ALL levels of security awareness to truly protect your company’s data and internal network. Don’t forget about spyware on your end users desktop machines. The question about being paranoid is particularly relevant to the information security field. If you are not paranoid about someone hacking your network, either from the inside or the outside,you will not be diligent enough in the security business.Lack of paranoia leads to compacency.

By: poppaman

poppaman — Thu, 23 Dec 2004 10:39:30 +0000

I too am in a similar situation (ie: wanting to break into the Security field), and have come across the same catch 22 – can’t get the job w/o experience; can’t get experience w/o the job… (to oversimplify things…)

I think the previous comment’s closing statement (“you are paranoid, right?”) might realisticly be ammended to : Just because you’re paranoid, doesn’t mean ther’s no one out to get you…

I would add to/expand the suggestions, especially in light of the mention of SANS: the SANS/GIAC vcertifications are quite useful, especially if you have a specific area in which you desire additional in-depth knowledge (such as intrusion detection, Linux security, Windows security, etc…).
If you use your certifications/training to augment your skillset when applying for any IT job (possibly but not necessarily excluding “helldesk” positions), you may just find that you become the “go to” guy when dealing with non-emergency issues…

By: moezter

moezter — Thu, 23 Dec 2004 10:33:22 +0000

Thanks CheckSix. Yes, I’ve been reading and doing more reading. I’ve been playing around with various tools (nmap, snort). I’m subscbribed to various sec alerts, and magazines, whitepapers etc. You’re right infosec does encompass a large area which makes me feel like I’ll never learn or cover everything. So would you suggest focusing on a certain area of security (i.e. firewalls, IDS, pen testing, audit etc..)

Why yes, I am paranoid