
How to get started in IT Security...

  • 16-12-2007 12:44pm
    #1
    Registered Users, Registered Users 2 Posts: 646 ✭✭✭


    This is a question for any security professionals who might frequent these pages...

    How does one go about getting into the area, or what's the best way to go about it?

    I work in IT and have always had an interest in IT security and would like to start working with it more, only I don't have much experience.

    I guess the best way to get started is to start working in it but for that you probably need experience...

    I have thought about doing the masters in DCU but can't afford to take a year off, so was looking at courses I could do in my own time. I was also looking at certifications but like with most IT certifications they have their pros and cons and can't stand up against real world experience. But then again it could be a good starting point for me as it lays out a list of things to learn.

    Other than that I was planning on setting up a home network of different OS's to learn about the different ways to secure and harden different OS's.

    I guess for the time being I could ask in my own company if it's possible to get into a more security-oriented role too.

    Anyway, any help or advice would be appreciated.


Comments

  • Registered Users, Registered Users 2 Posts: 646 ✭✭✭vigos


    OK, I was hoping to see some posts on this by now :) but have been doing my own searching and found this one, which also links to a few others

    http://bhconsulting.blogs365.org/wordpress/?p=167


  • Closed Accounts Posts: 583 ✭✭✭monkey tennis


    IT security is an interesting field, but it can be tough going. There's so much to learn that it's very difficult to keep on top of the latest threats and mitigation approaches. I'd start off with getting a solid foundation in networking, i.e. CCNA-level minimum. Decent programming ability is very useful (particularly low-level programming, as it'll teach you how processors and memory work, and help you to understand common exploits such as buffer overflow attacks). Try to read about security every day, to always have an idea what the current trend is on both sides of the struggle. Some things will always be around, e.g. social engineering, so get familiar with those topics. Setting up a home network is a good idea, and VMWare or similar could help cut down on the hardware requirements.

    What's your degree in? Anything IT-related?

    Some sites to check out:

    www.secunia.org
    www.securityfocus.com
    www.packetstormsecurity.com
    www.windowsecurity.com has some interesting stuff on it, particularly Don Parker's articles.

    Some technologies to learn about:

    Firewalls (obviously)
    VPNs (IPSec is common, SSL is getting very popular)
    NAC (Network Access Control) I reckon is going to get popular
    WPA (Wi-Fi Protected Access)
    Spam prevention (boring, but a lot of money is spent on it)
    I'd advise you to get familiar with UNIX-like operating systems if you're planning to be taken seriously
    Penetration-testing techniques, while not such big business yet in Ireland, are useful to be familiar with


  • Registered Users, Registered Users 2 Posts: 218 ✭✭Screaming Monkey


    Quick things

    1) Recommend the following book - slightly American, but has great information and will answer most of your questions, it will give you a direction within the security field...buy it off amazon or use your l33t skillz to find it on the web :)
    "InfoSec Career Hacking: Sell Your Skillz, Not Your Soul"
    http://www.amazon.co.uk/InfoSec-Career-Hacking-Sell-Skillz/dp/1597490113/ref=sr_1_2?ie=UTF8&s=books&qid=1197969926&sr=8-2

    2) You need a vendor certificate that is related to security; even though it's no substitute for real-world experience, it will show intent to your employer and will get you past the HR droids if you decide to move on..

    CCNA - not strictly security but shows ability to learn
    CompTIA Security+
    MCSE: Security (there are some standalone MS exams as well, exams like 70-227, Exam 70-220 or Exam 70-330)
    CISSP - lots of study, but it's do-able

    There are also firewall vendor exams from Cisco, Checkpoint, Juniper and some of the unix vendors have security exams like Sun's SCSECA.

    Basically any exam that has security in the title !

    3) You also need to be familiar with Linux, be able to install and run nmap (not on your office network without permission). Have you set up a firewall at home or built a firewall machine?


  • Registered Users, Registered Users 2 Posts: 646 ✭✭✭vigos


    What's your degree in? Anything IT-related?

    Well my degree is in electronic engineering so I have done some low level programming in C and assembler but it's been a while. I have been working in IT doing some software development in the telecommunications area. So I do have a good bit of knowledge regarding networking, unix systems administration, programming. Over the years the security aspect has started to me more, so once you've worked in a certain area for a while it can be hard to make a break into a new area where you have little or no experience.

    I did look at doing the CCNA some years ago but never got around to it, but read the material for the exam. I think I would know most things now that would be in the CCNA exam, although subnetting in my head would not be one of them! Still I could look at doing this, could be a way of making sure my networking is up to scratch or at least to a certain level

    Good idea also to start reading some security sites every day to see what's going on, once I don't succumb to information overload!


  • Registered Users, Registered Users 2 Posts: 646 ✭✭✭vigos


    Screaming Monkey,

    Thanks for the book suggestion, was having a look at it on Amazon and it seems to answer a lot of the questions I have.

    My only firewall exposure has been with the firewall on my ADSL router at home so not much. That's a good idea to set up one on a Linux box at home. I'm sure I could learn a lot by doing this.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I have been working in IT doing some software development in the telecommunications area. So I do have a good bit of knowledge regarding networking, unix systems administration, programming. Over the years the security aspect has started to me more, so once you've worked in a certain area for a while it can be hard to make a break into a new area where you have little or no experience.

    If that's true, then you already know a lot more than some of the so-called experts.

    All you need to be able to do now is "communicate complex concepts to non-technical people" - talk ****e to the customers, basically, so they haven't a clue what you're talking about, but like the sound of what you're saying.

    This also helps when you need to harvest new customers through comments in the local media.

    With that, get yourself certified, and you'll have a security job in no time.
    ..and I'm not being funny, either.


  • Registered Users, Registered Users 2 Posts: 646 ✭✭✭vigos


    Well Average Joe, I've kind of worked in a lot of different areas but haven't become an expert as such in any of them so more a jack of all trades!

    "communicate complex concepts to non-technical people" I do that with my manager the whole time :)

    I think my first steps are:

    - get a home network set up, be it virtual or physical
    - Install different OS's, Firewall, web server, mail server
    - Go about locking them down
    - Start working towards one of the networking/security certs - I think this will be useful from the point that if I'm signed up for an exam I might actually follow through on this rather than sitting on my arse :)


  • Registered Users, Registered Users 2 Posts: 2,887 ✭✭✭accensi0n


    vigos wrote: »
    Well Average Joe, I've kind of worked in a lot of different areas but haven't become an expert as such in any of them so more a jack of all trades!

    "communicate complex concepts to non-technical people" I do that with my manager the whole time :)

    I think my first steps are:

    - get a home network set up, be it virtual or physical
    - Install different OS's, Firewall, web server, mail server
    - Go about locking them down
    - Start working towards one of the networking/security certs - I think this will be useful from the point that if I'm signed up for an exam I might actually follow through on this rather than sitting on my arse :)


    I'd say go for the CompTIA Security+ cert to give yourself a good grounding and go for the CCNA if you reckon you know a lot of the material already. If you want an excellent guide on subnetting, PM me.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    DCU are looking at potentially delivering the security masters part time, or distance learning. Probably not for a year or two though.

    Even then, having done the masters and currently teaching some stuff on it, you might be better off with a good, focused certification. The SANS GSEC course is reasonably well thought of.

    It's difficult to learn this sort of stuff without a goal and a cert helps with that. A lot of practical 'computer security' is just having good sys admin knowledge.


  • Closed Accounts Posts: 71 ✭✭mcloughl


    Learn the following three tools inside out:

    TcpDump www.tcpdump.org
    Nmap www.insecure.org
    NetCat http://netcat.sourceforge.net/

    Stick to the Linux versions as the Windows ports don't perform as well.

    If you can read and interpret a packet capture, identify services running on a remote machine and set up and run listening connections you are well on your way.

    The number of people in this industry who can run some crappy point and click audit tool but can't perform any of the above always astounds me


  • Registered Users, Registered Users 2 Posts: 646 ✭✭✭vigos


    mcloughl wrote: »
    learn the following three tools inside out:

    TcpDump www.tcpdump.org
    Nmap www.insecure.org
    NetCat http://netcat.sourceforge.net/

    yeah I was planning on starting to go through all the exercises/competitions on the honeynet project to try and get myself up to speed with these tools


  • Registered Users, Registered Users 2 Posts: 3,285 ✭✭✭cros13


    I completely agree with Screaming Monkey.

    You need to do something like a CCNA to grasp some
    of the fundamentals of networking before you dive in
    to security focused stuff.

    nmap and wireshark are good tools to have beside you
    while you are learning as you can see things take place.
    You can know about SYN/ACK but you connect the dots in your
    head when you see the packets.

    I'd say you should start learning basic UNIX as a basis.
    Remember most of the basic protocols and tools have their
    origins on a unix variant.

    I started as a UNIX bod with AIX in the 80's, moved to Linux in '94.
    Got my CCNA, then CCNP, then moved in to security from there.

    CEH is a good course to do. CISSP, although I have done it, is more
    theory than practice and for definite unsuitable for someone starting out.
    I'd say avoid the university courses at all costs until you have a practical
    base to see through the academic bull****. :) My 2 cents....


  • Registered Users, Registered Users 2 Posts: 3,285 ✭✭✭cros13


    Interested to know opinions on the SANS GSEC.....


  • Registered Users, Registered Users 2 Posts: 112 ✭✭quinta


    IT Security is moving more towards a Governance and Compliance Framework. The technical skills are more and more being handled by the relevant technical towers with the Compliance/Governance function being the overseers if you will. Ensuring standards/policies etc are being adhered to. SMEs may still hold on to the traditional Security function due to cost constraints but it is not the ideal way of maintaining control and governance in an Org. Who watches the watchers?


  • Closed Accounts Posts: 273 ✭✭Timmy_d


    quinta wrote: »
    IT Security is moving more towards a Governance and Compliance Framework. The technical skills are more and more being handled by the relevant technical towers with the Compliance/Governance function being the overseers if you will. Ensuring standards/policies etc are being adhered to. SMEs may still hold on to the traditional Security function due to cost constraints but it is not the ideal way of maintaining control and governance in an Org. Who watches the watchers?

    Not being smart but could you repeat that in English or non technical terms!


  • Registered Users, Registered Users 2 Posts: 75 ✭✭Quoi?


    Perfect timing with the thread man, I just logged in to ask the exact same question! I'm also in need of some advice.

    My own background is as follows:

    BSc Computer Science (Software Engineering focus)
    CCNA
    MCSE 2003

    I've just over 2 years experience in Systems/Network Admin/Field Engineer roles. Have a reasonably good understanding of administration/setup of Desktops, Servers, AD, Exchange, Citrix, Networks, VPNs, Firewalls, Backups, Broadband, etc.

    I did the CCNA some time ago so it's in need of revision on the more in depth stuff, and the MCSE I've only just completed, having done it over about 22months (i.e. not boot-camp/Test-King only...). I chose Security as my Design exam.

    However, my interest lies more in Security and Networking.


    My current plan is to start with the CompTIA Security+ book. I will do the exam, but I'm doing it more to gain a good all-round grounding in security Concepts/Processes. (please tell me if/why this is a waste of time)

    Next, I'm going to do the CSTA Ethical Hacking course & exam.

    Following that, I was going to do the Security Implementation/Management MCP - purely as for the sake of one exam, this plus the S+ will make my MCSE an MCSE in Security.

    However, as people mention the importance of Unix knowledge above... maybe I should spend some time with that?
    I have zero Unix knowledge/experience (beyond having used a few shell controlled systems with basic commands).
    How important is Unix in the IT Security business? And what is it important for?
    What would you recommend to learn about Unix? & how?


  • Registered Users, Registered Users 2 Posts: 75 ✭✭Quoi?


    Timmy_d wrote: »
    Not being smart but could you repeat that in English or non technical terms!

    I think:

    IT Security decisions in companies will be made based on Government /Industry Body Laws/Requirements. Companies will only directly employ someone to ensure the Laws/Requirements are enforced/met.

    This person will then outsource the configuration of the various hardware. E.g. they will hire a Cisco specialist and provide them with a list of requirements that the Cisco PIX Firewall needs to conform to. These will be listed at a higher, not technical, level. The specialist will then configure the device(s) with the necessary settings to meet the requirements.

    The company's in-house security person will not need to know how to design/configure specific devices, and will only be there to ensure that the devices perform as required by law/industry body stipulations.


    His/Her point being that if the person above (and me) really want to work in the Technical side of IT security, we are best to seek employment with an IT Security provider/specialist, as opposed to in an in-house IT Department for a company.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    What places in Dublin do an IT Security course/program ?


  • Registered Users, Registered Users 2 Posts: 646 ✭✭✭vigos


    I've only seen the DCU one which is a one year masters course


  • Registered Users, Registered Users 2 Posts: 75 ✭✭Quoi?


    Ashfield College in Templeogue run the 7Safe Series of Security/Forensics courses, which if you do them all, along with some assignment work and a thesis/project at the end, will give you a masters.

    I've booked myself in for the CSTA(+) Ethical Hacking course coming up, and plan to do the CSTP(+) after. Not cheap considering I'm funding it myself, but should be worth it.


  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    Configuring firewalls/routers/whatever - that's all going to India in time or to dirt cheap local outsourcers.

    Any course with the word "hacking" in the title is usually rubbish in my opinion. It looks amateurish on a CV, I like to see CCNAs and audit qualifications and something that screams "this guy can figure stuff out, has integrity, is pleasant to work with and has some cop on."

    Someone mentioned SANS - top notch, very good on a CV but expensive.

    If you really want to get into security it depends on where you want to end up. Do you want to be working for yourself shifting a few firewall boxes and coming in to do the odd bit of configuring or do you want to work for a security team in say a bank. There are feck all jobs where a forensic qualification is of use, if I really needed forensics done I'd hand it over to a specialist firm as I don't want to end up in court explaining how the security team junior screwed up my chain of custody.

    For the latter, get into the IT department and make yourself and your enthusiasm known to the head of IT security. Learn as much as you can about a broad range of topics, in particular networking and the magic word "risk". If you see a risk, learn to say "I wouldn't do it that way, but I would suggest you do it this way..." rather than become known as the guy who says "no, that's stupid." You can't be a good security person unless you have worked for several years in an IT or audit role in my book - there are no direct routes.

    Read up on single sign on, read up on logging, read on ISO270001 and MiFID, read up on Data Protection, understand what NAC is and what it can be used for, be able to talk about XSS and SQL injection, know what Nessus is, know how to conduct a basic risk assessment and think about how you explain security concepts to non technical business managers. The key skill for a security team is to be able to figure out the risks of a technology when asked to look at that technology, they are not expected to be the expert at every level of detail. You have to be able to talk with some confidence on the major risks no matter what question you are asked, but you will not be expected to be a technical guru on everything.

    The absolute key skill to getting ahead in any job is to become an individual who has a good attitude and offers solutions and not just problems.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Good advice, hmmm. :)


  • Registered Users, Registered Users 2 Posts: 112 ✭✭quinta


    Good advice indeed Hmmmm. What I was getting at is security is not all about configuring firewalls/routers/ossec etc. It is very much moving towards, and already has moved towards, the risk based/governance/compliance model. You just should be aware of this if you are thinking of getting into it. The firewall/network/hardening side of this is more and more being handed over to the relevant technical towers, being governed and checked by the security function to ensure compliance. But this all depends on the size of the company and their resources.


  • Registered Users, Registered Users 2 Posts: 75 ✭✭Quoi?


    God I love the internet!

    Thanks Hmmm... some useful stuff there.

    I wholly agree with your point on being someone who presents solutions rather than simply pointing out the problems. It's not much good knowing something is wrong if you can't fix it.

    I'd not heard of SANS, but I'll check up on it.

    As for which end of security,...at the moment, I'd like to go the latter of the two routes you mentioned, while, if I can, keeping a good basic knowledge of most areas of IT Operations - both to allow, if I decide to, a move into management down the line, and also as I believe you need to have a comprehension of how the security function interacts with other areas - both pure IT and business functions.

    May I ask what your own position is? No need for specifics, but roughly what you do/what level/what industry?


  • Registered Users, Registered Users 2 Posts: 75 ✭✭Quoi?


    Also, Audit Qualifications... such as?


  • Registered Users, Registered Users 2 Posts: 218 ✭✭Screaming Monkey


    Saw this the other day, http://de-ice.net/index.php

    From the site "In order to narrow the knowledge gap required for newcomers interested in learning penetration testing, I decided to create a project that provided real-world servers that could be used to practice against. "

    When he talks about real-world servers, it's ISO images that you download and run on two PCs at home then hack away, it's a very cool idea.


  • Closed Accounts Posts: 4,791 ✭✭✭JJJJNR


    SOX knowledge would be fairly big, within a large organisation with an IT sec dept. Would make up 30% of the work.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    JJJJNR wrote: »
    SOX knowledge would be fairly big, within a large organisation with an IT sec dept. Would make up 30% of the work.

    Only if you're working somewhere where they have to be SOX compliant

    I know IT sec engs in financials and they don't need to know anything about SOX

    They load up a template, run it against a bit of software and that's about as much as they need to know about SOX

