Guidance needed from the InfoSec Gurus

Techguru365Techguru365 Member Posts: 131 ■■■□□□□□□□
in IT Jobs / Degrees
I am currently looking at breaking into the InfoSec field, but I am having something of a information overload. I am trying to land my first security related job,have had one interview so far, but I dont think I "speak the language " as yet.
I have studied and passed the sec+ exam, and I am currently studying the CEH material, however I find myself knowing the material once its fresh, but not working in the field is hurting me, as i soon forget alot of this info after a few weeks.

Questions
1. What are the fundamentals I need to drill down on, the must knows for a security analyst or pentest type role?
2. what are the softwares, security forums etc that I need to familiarize myself with?
3. Whats a good next step certification after Sec+ ?(I am having a hard time finding one and sticking with it)
· Share on FacebookShare on Twitter

Comments

  • philz1982philz1982 Member Posts: 978
    Techguru365 wrote: »
    I am currently looking at breaking into the InfoSec field, but I am having something of a information overload. I am trying to land my first security related job,have had one interview so far, but I dont think I "speak the language " as yet.
    I have studied and passed the sec+ exam, and I am currently studying the CEH material, however I find myself knowing the material once its fresh, but not working in the field is hurting me, as i soon forget alot of this info after a few weeks.

    Questions
    1. What are the fundamentals I need to drill down on, the must knows for a security analyst or pentest type role?
    2. what are the softwares, security forums etc that I need to familiarize myself with?
    3. Whats a good next step certification after Sec+ ?(I am having a hard time finding one and sticking with it)

    Here ya go brother this should help you out

    http://www.sans.org/reading-room/whitepapers/testing/penetration-101-introduction-penetration-tester-266
    10 things you need to know before hiring penetration testers | ZDNet
    Ideal Skill Set For the Penetration Testing - InfoSec Institute
    PenTesticles: What You Need To Know to Become a Penetration Tester
    Read my blog @ www.buildingautomationmonthly.com
    Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
    · Share on FacebookShare on Twitter
  • Techguru365Techguru365 Member Posts: 131 ■■■□□□□□□□
    Thanks Philz I will give that a read right away
    · Share on FacebookShare on Twitter
  • wd40wd40 Member Posts: 1,017 ■■■■□□□□□□
    I am having a similar problem, I think the main issue that I am facing is that I have no one to discuss IT security related issues with.

    Depending on reading and forums helps but I think having a direct conversation with a person or group interested in IT security will be more beneficial.
    · Share on FacebookShare on Twitter
  • philz1982philz1982 Member Posts: 978
    Feel free to PM me, if I can't answer your questions I can point you in the right direction.
    Read my blog @ www.buildingautomationmonthly.com
    Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
    · Share on FacebookShare on Twitter
  • wd40wd40 Member Posts: 1,017 ■■■■□□□□□□
    Thanks Phil (if your comment was directed to me :) )

    I will give you an example, like Techguru365 I passed Security + (2 weeks of study) I knew the exam contents inside out, but then information started to disappear.

    If I could discuss Security+ topics with coworkers or friends then it will stick.

    And thanks for the links.
    · Share on FacebookShare on Twitter
  • philz1982philz1982 Member Posts: 978
    Yes that was directed at you, also you could find a non-profit and actually do the concepts for them probono?
    Read my blog @ www.buildingautomationmonthly.com
    Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
    · Share on FacebookShare on Twitter
  • Techguru365Techguru365 Member Posts: 131 ■■■□□□□□□□
    Is there a windows suite alternative to Kali Linux?
    · Share on FacebookShare on Twitter
  • seigexseigex Member Posts: 105
    You can get the windows-based version of Metasploit and add to that to make your own framework, but nothing like Kali Linux specifically that I know about.

    I would learn the main tools, metasploit, nmap (ZenMap GUI), winpcap/aircrack, there's lots. I use Kali, but IMHO It's better to build your own toolbag so you learn all the tools that are out there.

    Like with anything else, fundamentals fundamentals fundamentals. Based on your CERT list it appears you have them, or at least the basics, but you need to drill down on the theory behind different hacks and cracks so you can apply them to new stuff and know which tools you need. Also set up boxes in your house and try out different exploits on them. Walk through some buffer overflow tutorials. Monitor CVE (Common Vulnerabilities & Exposures), NVD (Nist's National Vulnerability Database), MS's vulnerability database, Bugtraq, etc so you can learn what's out there and how they work.
    · Share on FacebookShare on Twitter
  • philz1982philz1982 Member Posts: 978
    Techguru365 wrote: »
    Is there a windows suite alternative to Kali Linux?

    Yes it's called virtualbox running a Kali VM.
    Read my blog @ www.buildingautomationmonthly.com
    Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
    · Share on FacebookShare on Twitter
  • Tom ServoTom Servo Member Posts: 104 ■■□□□□□□□□
    I have a security job, yet still suffer from information overload. I want to do more offensive pentest/red team typer activities, but currently my role is focused on defensive data and application security. I also hit the issue of 'use it or lose it' with what I study. Here is my current approach to develop tech skills outside of work:

    Build a virtual lab. I am using this book as a reference guide. https://www.packtpub.com/networking-and-servers/building-virtual-pentesting-labs-advanced-penetration-testing. Even with this book, I have had to do additional digging to figure out why things aren't working. If you're anything like me, you'll learn something going through the pain. This book explains how to do things cheap/free - or with a little bit of $$$ (or you could use unlicensed software... which of course you wouldn't....).

    Try things in your virtual environment. Expect to get unreasonably frustrated. Spend hours dissecting what you are doing wrong, and understanding what is working. Consider going through this book: https://www.packtpub.com/networking-and-servers/advanced-penetration-testing-highly-secured-environments-ultimate-security-gu if you need guidance/structure on what to do. Consider going through the free Metasploit unleashed course at www.offensive-security.com/metasploit-unleashed/Main_Page. For web app pen testing - consider doing the exercises in OWASP Broken Web App, Web Goat, and Multilldae. Remember - if it is easy, you aren't learning.

    If you are comfortable with all of these items - consider signing up for OSCP. It is the most in-depth pen test training I've encountered for the price. If you want to be great at security, or you want to get into a part of security that you don't have experience, plan to work 15+ hours a week at home beating your head against a keyboard.
    · Share on FacebookShare on Twitter
  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    Tom Servo wrote: »
    I have a security job, yet still suffer from information overload.

    This is so true! There just aren't enough hours in the day.
    · Share on FacebookShare on Twitter
  • aspiringsoulaspiringsoul Member Posts: 314
    Does anybody else here feel that they suffer from information leakage?

    The more I learn, the more I seem to forget it seems...I mean there are concepts that get beat into your head so much, and so often that you're not able to forget...but with the rapid pace of technology, and just how quickly a lot of the material is deprecated, it just seems like it's too much at times.

    One of the reasons I would like to specialize in something, rather than be a Generalist...
    Education: MS-Information Security and Assurance from Western Governors University, BS-Business Information Systems from Indiana Wesleyan University, AAS-Computer Network Systems - ITT Tech,
    · Share on FacebookShare on Twitter
  • Tom ServoTom Servo Member Posts: 104 ■■□□□□□□□□
    @aspiringsoul - not only do I constantly feel like I am forgetting things; for each thing I finally understand, I discover 2 or 3 other things I know nothing about. The more I learn, the more I realize I don't know stuff. I have a OneNote file I use for my notes, tips, hints, reference, etc - written so I can understand/find the info I need when I inevitably forget a concept or tool. I find that to be helpful.
    · Share on FacebookShare on Twitter
  • seigexseigex Member Posts: 105
    Tom Servo wrote: »
    The more I learn, the more I realize I don't know stuff.

    The key to a successful IT career.
    · Share on FacebookShare on Twitter
  • CyberscumCyberscum Member Posts: 795 ■■■■■□□□□□
    @OP

    Depends on what part of INFOSEC are you interested in?
    · Share on FacebookShare on Twitter
  • dou2bledou2ble Member Posts: 160
    seigex wrote: »
    The key to a successful IT career.

    Agreed. Be an expert and a life long learner.
    2015 Goals: Masters in Cyber Security
    · Share on FacebookShare on Twitter
  • Techguru365Techguru365 Member Posts: 131 ■■■□□□□□□□
    @cyberscum I mostly see jobs for pentesters or security analyst in my area,so I would like to learn the concepts that apply to those, get my feet in the door and maybe evolve to other areas down the road.
    · Share on FacebookShare on Twitter
  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    Techguru365 wrote: »
    @cyberscum I mostly see jobs for pentesters or security analyst in my area,so I would like to learn the concepts that apply to those, get my feet in the door and maybe evolve to other areas down the road.

    Look into what both of those jobs entail, they can be very different. Pen testing specifically is not something you're going to just pick up from doing a cert unless you do the OSCP, and that isn't something you just work on casually. You'd probably have more luck getting an analyst position. Do you have other IT experience to leverage or are you trying to make this your first job?
    · Share on FacebookShare on Twitter
  • aspiringsoulaspiringsoul Member Posts: 314
    Tom,

    Thumbs up on using OneNote as a note taking tool. That's what I've used in the past, but a friend just recently introduced me to Evernote and I like it much better.

    The more I learn, the more humble I become.
    Education: MS-Information Security and Assurance from Western Governors University, BS-Business Information Systems from Indiana Wesleyan University, AAS-Computer Network Systems - ITT Tech,
    · Share on FacebookShare on Twitter
  • CyberscumCyberscum Member Posts: 795 ■■■■■□□□□□
    Techguru365 wrote: »
    @cyberscum I mostly see jobs for pentesters or security analyst in my area,so I would like to learn the concepts that apply to those, get my feet in the door and maybe evolve to other areas down the road.

    Again, what part of INFOSEC are YOU interested in? If you do something you are interested the rest will fall into place.
    · Share on FacebookShare on Twitter
  • E Double UE Double U Member Posts: 2,233 ■■■■■■■■■■
    aspiringsoul wrote: »

    The more I learn, the more I seem to forget it seems...

    Reminds me of a Married with Children episode. :)
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
    · Share on FacebookShare on Twitter
Sign In or Register to comment.