
Getting into infosec

  • 10-07-2015 9:58pm
    #1
    Registered Users, Registered Users 2 Posts: 584 ✭✭✭


    Hi all

    I've always been interested in the security side of computing and would like to get into it more.

    I currently work in networking and I've one exam to go for CCNP SP cert and would like to start on the security side of things next. I was thinking of doing CCNA security certs and maybe up to CCNP level as well.

    I see there are tons of IT security certs out there that I could do. What do you recommend? What is the first step, cert-wise, in IT Sec?

    Anyway, hopefully I'll get some replies on this.

    Thanks in advance.
    Neon


Comments

  • Registered Users, Registered Users 2 Posts: 584 ✭✭✭neonman


    Lots of views but no recommendations (sad face)

    I was thinking of starting with Security+? Any views on this cert?

    Cheers again.
    Neon


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    People on here aren't mental about it, but the CEH (Certified Ethical Hacker) cert is well recognised, leads on to ECSA / Licensed Penetration Tester (very well recognised) and actually has some decent information in it IMO.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    Read these articles from the CISO of San Diego city. Very smart guy, describes how he moved into Cyber and progressed his career. US centric but most can be applied to Ireland. I've read a lot of his articles.

    http://www.securitycurrent.com/en/ciso_journal/ac_ciso_journal/path-to-a-career-in-cyber

    http://www.securitycurrent.com/en/writers/gary-hayslip/path-to-a-career-in-cyber-and-then-some


  • Registered Users, Registered Users 2 Posts: 584 ✭✭✭neonman


    Khannie wrote: »
    People on here aren't mental about it, but the CEH (Certified Ethical Hacker) cert is well recognised, leads on to ECSA / Licensed Penetration Tester (very well recognised) and actually has some decent information in it IMO.

    Thanks Khannie. I take it you should have some experience in the field before going down the CEH cert path, or have some other lower-level certs under your belt? I was thinking of doing the Security+ cert as a basic intro into info security? Any thoughts on that?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Not really familiar with security+ tbh. Maybe someone else can comment on it.


  • Closed Accounts Posts: 3,006 ✭✭✭_Tombstone_


    Search the forum neon, your question is a common one.

    Or maybe it's out in comp&tech forum.

    One of them anyway, I'm on phone.


  • Registered Users, Registered Users 2 Posts: 73 ✭✭Crosswind


    It all depends on the security "route" you wanna follow. Quite a few of them. You can choose between technical ones like Pen Testing or go to a more white-collar role. When you decide which way to go, you can get the relevant certs.


  • Registered Users, Registered Users 2 Posts: 584 ✭✭✭neonman


    Crosswind wrote: »
    It all depends on the security "route" you wanna follow. Quite a few of them. You can choose between technical ones like Pen Testing or go to a more white-collar role. When you decide which way to go, you can get the relevant certs.

    I would like to stay on the technical side that is for sure. I've looked at a few job listings for cyber security and I see a range of certs they are looking for (CISSP, GSEC, GCIH, CEH, CCNX Security). What I am trying to find is a starting point i.e. get a good base of knowledge and build up from there.


  • Registered Users, Registered Users 2 Posts: 73 ✭✭Crosswind


    neonman wrote: »
    I would like to stay on the technical side that is for sure. I've looked at a few job listings for cyber security and I see a range of certs they are looking for (CISSP, GSEC, GCIH, CEH, CCNX Security). What I am trying to find is a starting point i.e. get a good base of knowledge and build up from there.

    Which technical path? Forensics? Cisco Network Security? Pen Testing?
    If Forensics, I'd go for CCFP. If pentest, CEH. Cisco has a whole bunch of security certs if you see yourself using their devices for a long time.
    http://www.cisco.com/web/learning/certifications/associate/ccna_security/comparison_chart.html
    Hope that helps.


  • Registered Users, Registered Users 2 Posts: 584 ✭✭✭neonman


    Crosswind wrote: »
    Which technical path? Forensics? Cisco Network Security? Pen Testing?
    If Forensics, I'd go for CCFP. If pentest, CEH. Cisco has a whole bunch of security certs if you see yourself using their devices for a long time.
    http://www.cisco.com/web/learning/certifications/associate/ccna_security/comparison_chart.html
    Hope that helps.

    Both the forensics and pentest interest me greatly. So what to choose :confused:


  • Registered Users, Registered Users 2 Posts: 2,687 ✭✭✭zweton


    Go here and start reading :-)

    www.techexams.net/forums


  • Registered Users, Registered Users 2 Posts: 3,662 ✭✭✭pah


    https://www.udemy.com/kali-linux-complete-training-program-from-scratch/?couponCode=KALILINUX&siteID=TnL5HPStwNw-.9PmOaF7BAf00z7pYA7FPw&LSNPUBID=TnL5HPStwNw#/

    Billed as a complete Kali course - haven't looked at it but it's free and I find the udemy content good as it's visual learning.


  • Registered Users, Registered Users 2 Posts: 584 ✭✭✭neonman


    I've added it to my list of courses on Udemy.

    Thanks


  • Registered Users, Registered Users 2 Posts: 19 rtfm


    A slightly different way to look at it is what are employers in the space looking for?

    Generally there are 5 things I look for in a security bod - I don't know if I am typical of employers (and be advised that in bigger companies it may not be security hiring security people), but I certainly wouldn't take any job where the security team were not involved in the hiring, if that's the career you are going for.

    1. A background in general IT (can be almost anything, but a strong understanding of networking concepts and practice, a good understanding of at least one OS (doesn't actually matter which one, provided the person is open to learning others and gets the ideas behind it, including hardware-centric stuff), some understanding of storage concepts and a decent grasp of hardware) - in short, a generalist who is willing to learn and adapt.

    2. A genuine interest in people - security is 80% about understanding people, their motivations and getting your point across to them in a way they understand, so presentation and persuasion/interpersonal skills are extremely important. If you plan to sit in a darkened room pressing buttons then you are a sysadmin, not a security guy (this is not to say you won't be doing this some of the time, but you need to be able to be as comfortable in the darkened room as you are in the very well lit boardroom (eventually)).

    3. Problem solving skills and persistence - these have to go together. Good problem solving skills mean you break a problem down into logical bits and take a systematic approach to solving it - complex problems take time to solve and a lot of people give up even if they have the solution in sight, hence persistence is super important, and good security people tend to be quite OCD, i.e. if they have a problem they will not be happy until it's resolved, and they tend to have very good focusing skills.

    4. Integrity - there is an interesting quote from Warren Buffett on what he looks for in people: "Somebody once said that in looking for people to hire, you look for three qualities: intelligence, energy and integrity; if they don't have the last one, don't bother looking for the first two." Integrity in the context of hiring means you are looking for someone who trusts their own judgement, looks critically at themselves and does what they think is the right thing even under pressure. This is tough to gauge as an interviewer and also hard to get across as an interviewee, so we tend to do a lot of digging online about you and we talk to your former colleagues. A lot of security jobs come by referral and recommendation (almost all of them really...) so it's very important to network and to demonstrate the qualities we look for before we talk to you, because we do check into what you were like before we talked to you. Also be aware that once you become a security person you will join a community, and the community is quite small and tight - if you screw up it will get around and your employability will suffer.

    5. Education - just some pointers on this one. I don't really look at your certifications but recruiters do, so unless you have some of the basic ones you won't get an interview if we go via recruiters (but we almost never do... so really certification doesn't matter except when trying to get that interview). What I look at is your job history and what you learned/got from it. I don't focus on what actual job you did (you could have worked in McDonalds) but rather what you learned doing it - actually if you worked in McDonalds that's no bad thing, i.e. team, customer facing etc. etc. What I mean here is I look a lot at your attitude and what you take from things rather than your job role (especially when I am looking for experienced hires). You do need to be aware that some employers seem to actively dislike some certifications (i.e. Google and CISSP; I have my theories on why but that's another story).



    All of the above can be substituted for one thing - mindset, and that's something that's impossible to teach, I think - I sort of explain this below (this is the advice I give to other managers about sitting in on security interviews)



    WHAT WE WANT
    Flexible thinkers, problem solvers, when faced with roadblocks these people think around the problem (lateral thinking) but don’t compromise on security and think the problem through fully and are able to see the problem from alternate viewpoints. High Empathy, forms strong friendships, loyal, highly principled without being rigid. Goal oriented, high level of detail focus without losing the big picture. Action oriented, technical but able to explain technical issues in layman’s terms.


    WHAT WE DON’T WANT – RED FLAGS
    Naysayers, high ego, cannot explain technical issues in simple terms, power trippers, yes men (without thinking through why the answer is yes).

    BACKGROUND CHECK
    Criminal convictions (requires consent)
    Credit
    Job History (last 2)
    Informal, security is a small world; if they are good we will know whom to ask ;)

    SAMPLE QUESTIONS

    I am totally convinced that security is a mindset, not a set of skills; you cannot make someone a security person, we just have a slightly different take on things ;) we tend to think of the world as a series of problems to solve rather than going with the flow. We are definitely on the autistic spectrum OCD-wise ☺

    The most important thing about the questions below is to watch the response time and their eyes: up-left means they are thinking about how to respond, a slow response means they are not sure of their answer – if they cannot answer the below immediately and without deep thought, they are unlikely hires.

    How did you end up in Security?
    Best: I did X, Y, Z jobs before I ended up here – broad experience is the key
    Good: I was doing it as part of my job anyway so I decided to specialize
    Red Flag: I always wanted to do security (said no security guy ever…)

    How do you protect your home?
    Best: launches into a discussion about how their home security is the best that can be had, locks, CCTV, monitored, insurance etc. etc.
    Good: We don’t have an alarm because it’s a waste of time (nobody responds), we do X, Y, Z to make sure we are covered.
    Red flag: no insurance on home, no thought through response plan for theft, fire, forced entry etc. (if they have not thought what could go wrong, then they are not for us…)

    The business wants to put an application live that you know has critical flaws that could lead to a root/admin compromise and theft of customer data – what is your advice?
    Best: We have a problem – we will do X, Y, Z to manage the risk
    Good: We have a problem – you will do X, Y, Z to manage the risk
    Red Flag: we can’t go live until we resolve X, Y, Z

    Have you ever been scammed or cheated? If so what did you do about it?

    Best: Yes, I have and this is what I did to make sure nobody else was taken the same way.
    Good: Yes, I have and this is how I sorted it out.
    Red flag: yes or no I chalked it up to experience and did nothing further.

    This is a critical question, security folks think about how their problem affects you, not themselves, if they didn’t solve the problem permanently and for everyone, they are not likely hires.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    rtfm wrote: »

    How did you end up in Security?
    Best: I did X, Y, Z jobs before I ended up here – broad experience is the key
    Good: I was doing it as part of my job anyway so I decided to specialize
    Red Flag: I always wanted to do security (said no security guy ever…)

    Hi, Nice to meet you.




    The business wants to put an application live that you know has critical flaws that could lead to a root/admin compromise and theft of customer data – what is your advice?
    Best: We have a problem – we will do X, Y, Z to manage the risk
    Good: We have a problem – you will do X, Y, Z to manage the risk
    Red Flag: we can’t go live until we resolve X, Y, Z

    An application with critical flaws and a potential remote root compromise, honestly the best advice is that the application can't go live, or at least if you/they/marketing insist on making it go live it needs to be recorded that it was done against the advice of the security team.

    Have you ever been scammed or cheated? If so what did you do about it?

    Best: Yes, I have and this is what I did to make sure nobody else was taken the same way.
    Good: Yes, I have and this is how I sorted it out.
    Red flag: yes or no I chalked it up to experience and did nothing further.

    This is a critical question, security folks think about how their problem affects you, not themselves, if they didn’t solve the problem permanently and for everyone, they are not likely hires.

    Ah here. I reported a problem to eBay when I was about 12, where you could edit the delivery price of your item to minus values making the item free. Did it solve all issues at eBay? No. I found a way of getting free tickets on a well known transport provider. It took them 3 years to fix. Is it my problem they can't get their house in order? No. But according to you it makes me an unlikely hire.

    And then they wonder why there is a shortage of infosec people. :rolleyes:


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    I was interviewed 7 times by my current employer, 4 times for a job I applied for and 3 times for a job I did not. I took the job I did not apply for. :-)

    Many of the style of questions RTFM posted were asked, and then there were all the trap doors; jumped over most of them.
    We also have a first-off Sonru video interview to scope tekkies and to sniff out the bull crap artists. (I think in the tech industry this is becoming more commonplace.) I even had an ex-colleague refuse to do the Sonru as he did not feel comfortable (lots more money, and needless to say he didn't progress any further).

    There is no sure-fire answer to the interview preps, but RTFM is pretty accurate on that delivery if you ask me.


  • Registered Users, Registered Users 2 Posts: 19 rtfm


    Heya Syclops,

    Think you might have picked me up wrong - it's rare for someone with no/little experience in security to know that this is something they have always wanted to do (it's rare for anyone to know what they want...) and anyone saying that to me is likely to have me dig pretty deep into their motivations because I don't want to hire someone on a power trip (police forces/army have this problem also and they deliberately select out for it, ineffectively it must be said, but they do...). If someone gave the answer you did then it wouldn't be an issue, but it's so rare that I have never encountered that at interview.

    On the second one where something has critical flaws, the job is to tell them, advise them of the risk and seek to manage it - if you say no then you had better be on the company board, otherwise you are going to get steamrolled and labelled anti-business (that's unfortunate but that's what does happen)


    For the last bit you did exactly what I suggested - you reported it trying to resolve the issue for everyone, the fact that the company were lazy wasn't your fault.

    So yep - you were pretty close to the mark on those questions :)


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    rtfm wrote: »
    Heya Syclops,

    Think you might have picked me up wrong - it's rare for someone with no/little experience in security to know that this is something they have always wanted to do (it's rare for anyone to know what they want...) and anyone saying that to me is likely to have me dig pretty deep into their motivations because I don't want to hire someone on a power trip (police forces/army have this problem also and they deliberately select out for it, ineffectively it must be said, but they do...). If someone gave the answer you did then it wouldn't be an issue, but it's so rare that I have never encountered that at interview.

    On the second one where something has critical flaws, the job is to tell them, advise them of the risk and seek to manage it - if you say no then you had better be on the company board, otherwise you are going to get steamrolled and labelled anti-business (that's unfortunate but that's what does happen)


    For the last bit you did exactly what I suggested - you reported it trying to resolve the issue for everyone, the fact that the company were lazy wasn't your fault.

    So yep - you were pretty close to the mark on those questions :)

    I agree with Syclops on all his responses.

    Clearly someone can't want to be involved in information/cyber security from birth. However, once exposed to cyber, whether it be through media or through friends, school, whatever, a person can have an immediate desire to pursue a career in this field. You don't need any experience to know you want to do something, or at the least want to investigate pursuing a career in this field.

    My own "interest" in hacking/cyber was seeing a movie called Wargames. I was 7 at the time and I thought the stuff the main character was doing was magical. I had no idea how I would "get into" this world. A couple of years later I saw a documentary on Channel 4 (https://www.youtube.com/watch?v=nwZiSXPoS7Y) which literally blew my mind. Again, this was tantamount to sorcery. I was hooked. It took me years to get into IT and another 10 years after that to get into info sec. But the desire was always there from an early age.

    In regards to bringing an application live with a known vulnerability which could allow root access - that's gross negligence and in some sectors illegal; any company should be strongly advised against doing so. A complete review of development practices should be undertaken to identify (who, what, why, when and how) how this issue came about. Measures should then be built into the SDLC to ensure these issues are discovered early in the development cycle and eradicated. Anyone who rubberstamps approving such an application to go into production, even at C-suite level, is living in the dark ages.


  • Registered Users, Registered Users 2 Posts: 5,112 ✭✭✭Blowfish


    Keyzer wrote: »
    Anyone who rubberstamps approving such an application to go into production even at c-suite level is living in the dark ages.
    I dunno, I think that may be a little too simplistic reasoning for the real world as it ignores the other side of the coin, i.e. what is the risk to the business if the vulnerable service doesn't go live.

    As much as we as infosec people would love to secure all the things, if the business risk outweighs the IT risk, then deploying is the correct decision, regardless of the vulnerabilities.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Blowfish wrote: »
    I dunno, I think that may be a little too simplistic reasoning for the real world as it ignores the other side of the coin, i.e. what is the risk to the business if the vulnerable service doesn't go live.

    As much as we as infosec people would love to secure all the things, if the business risk outweighs the IT risk, then deploying is the correct decision, regardless of the vulnerabilities.

    I think the true fact is, there is no one true correct answer to this question. And I know it is a dilemma faced by infosec people every day. I've written three different responses to rtfm's post and deleted them all because I couldn't get the wording right.

    Welcome to the world of risk management!

    A department wants blah application, and they want it internet facing, but it has a remote root vulnerability. There are three logical paths.

    1. No
    2. Sure, go ahead, but I want it recorded that it was expressly against my advice, so that when the application does get hacked, and it will(!), the CSO doesn't come down and fire me.
    3. Give us some time to look at said application and maybe we can engineer a solution. A custom WAF perhaps, but if we can't come up with a solution - refer to numbers 1 and 2.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    syklops wrote: »
    I think the true fact is, there is no one true correct answer to this question. And I know it is a dilemma faced by infosec people every day. I've written three different responses to rtfm's post and deleted them all because I couldn't get the wording right.

    Welcome to the world of risk management!

    A department wants blah application, and they want it internet facing, but it has a remote root vulnerability. There are three logical paths.

    1. No
    2. Sure, go ahead, but I want it recorded that it was expressly against my advice, so that when the application does get hacked, and it will(!), the CSO doesn't come down and fire me.
    3. Give us some time to look at said application and maybe we can engineer a solution. A custom WAF perhaps, but if we can't come up with a solution - refer to numbers 1 and 2.

    Exactly, it's all about risk management. Listen, you can bring a horse to water, yada yada.

    At the end of the day, if you want to release a piece of junk with holes in it which allow root access which could potentially compromise your entire network then be my guest. Sign on the dotted line.

    Personally, I couldn't work for retards of this calibre though, I'd be looking for a new job immediately.


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    Blowfish wrote: »
    I dunno, I think that may be a little too simplistic reasoning for the real world as it ignores the other side of the coin, i.e. what is the risk to the business if the vulnerable service doesn't go live.

    As much as we as infosec people would love to secure all the things, if the business risk outweighs the IT risk, then deploying is the correct decision, regardless of the vulnerabilities.

    Exactly. InfoSec is there to offer support, advice, assistance etc to the business, not to dictate to the business. Once we make sure that the business has the information they need to make an informed decision then that's our job done! Our job is to ensure that they understand the risk - not to make the decision for them.


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    Keyzer wrote: »
    Exactly, it's all about risk management. Listen, you can bring a horse to water, yada yada.

    At the end of the day, if you want to release a piece of junk with holes in it which allow root access which could potentially compromise your entire network then be my guest. Sign on the dotted line.

    Personally, I couldn't work for retards of this calibre though, I'd be looking for a new job immediately.

    In fairness, it was (or certainly appears to have been) a hypothetical situation that was to be posed for a candidate in order to stimulate discussion and establish how the candidate would interact with the business in that (or a similar) situation.

    I don't think yours is the reaction that they would be looking for in the ideal candidate. I don't seriously think that you would come out with something like that in an interview but if that's really how you think then a question like the one posed might provoke an unwise response.


  • Registered Users, Registered Users 2 Posts: 4,331 ✭✭✭Keyzer


    liamo wrote: »
    In fairness, it was (or certainly appears to have been) a hypothetical situation that was to be posed for a candidate in order to stimulate discussion and establish how the candidate would interact with the business in that (or a similar) situation.

    I certainly hope it was a hypothetical question. It's probably a good question to spark a discussion on the topic of risk management. That said, I'd be telling the client I strongly advise against releasing such an application and, should they wish to move forward and ignore my advice, I would want a CYA get-out-of-jail-free card for when the company is eventually compromised and ends up losing client/customer information, suffering reputation loss and potentially facing hefty fines for knowingly putting their network at severe risk of compromise.
    I don't think yours is the reaction that they would be looking for in the ideal candidate. I don't seriously think that you would come out with something like that in an interview but if that's really how you think then a question like the one posed might provoke an unwise response.

    I stand over my response: releasing an application into the wild with a known flaw that could lead to a root-level compromise is sheer lunacy. However, I wouldn't insult a prospective employer in an interview scenario by calling them retarded for doing so. I would respectfully disagree and most likely decide there and then not to work for them, even if offered the job. If this is the kind of behaviour they resort to and advice they offer to clients, then God knows what other cowboy-like antics they are up to behind the scenes.

    Call me close-minded; I fully understand my opinions may not be the same for everyone.

    Back on topic and on the subject of education and certifications - I'm always attracted to a candidate who has a good educational background and has obtained industry certifications. It demonstrates dedication, ambition and a willingness to invest time in yourself. That said, candidates with excellent experience without the above also catch my eye.

