Best path for Security?

XDroidie Member Posts: 6 ■□□□□□□□□□
Hello Community!
So I am currently looking at what certifications to get and I want to work in infosec, I currently have no certifications to my name.
So I was looking at what to study first to get into infosec. I looked at the CompTIA Career Pathway but I cannot see the point in getting an A+, which as far as I understand is a technician certification.
The only one I can see that is worth getting is the MTA security exam, as it lasts for a lifetime.
So should I go for Network+ first or CCENT, or maybe something from Checkpoint/Juniper?
The same follows for the Security exam: CCNA Security or Security+.
I hope to end my career with something like Certified Penetration Testing Engineer.

I am also currently studying computer science and have the choice to go either Sciences or Networking with Cisco. Which would benefit my end goal more?
The Networking route only preps you for certification and does not actually give you the certification or test.
The Science path starts you with Object Oriented Java, then goes onto algorithms using Python.

Thanks

Comments

  • OctalDump Member Posts: 1,722
    OK. This is now my standard advice: go and read "Gray Hat Hacking: The Ethical Hacker's Handbook". It covers most of the ground you need to have a grasp on to start working in Penetration Testing.

    There's quite a few domains you need a handle on to get started in IT Sec. You need the 60,000-foot view of IT, you need to understand operating systems, security models, networking, hardware, programming including C, assembler and scripting, web servers, databases, reverse engineering, security tools, social engineering. Basically all of the infrastructure that you are likely to come across and which might be exploitable. If you are starting from "I'm good with computers", it'd probably take at least a couple of years to cover the groundwork and start to be somewhere where you might be useful.

    In those couple of years, you'd likely end up with something like CCNA general knowledge, but a bit more depth in certain areas. You'd be able to pass the A+ and know a fair bit more besides. You'd be familiar with a couple of server operating systems, a few different web servers, web programming, a bit of C, some assembler, some scripting, some SQL. You mightn't have enough to get MCSA, but you'd know a few things about Windows Server that even MCSE aren't aware of. You'd probably have enough skills to get a junior network admin or system admin role. You'd have a grasp of Linux. You'd be quite comfortable at the command line. Snort, Nmap, Wireshark, Metasploit, Kali et al. would be old friends.

    As far as the degree goes, you need both sets of skills, but I suspect that the computer science path with programming might ultimately be more useful. The problem with most standard courses is they teach you how things work (or are meant to work) but you need to know how things break. So, learning best practice of how to set up DNS on Server 2012 isn't really that useful, but knowing how to do a zone transfer against a misconfigured system is useful; even more useful is knowing how different DNS services react to malformed requests.

    One of the nice things about programming is you can write bad code for yourself and then exploit it and get an understanding of things at a fairly fundamental level. And at that level, it can be very similar whether exploiting a vulnerable instance of BIND or exploiting a webform or delivering code via a trojan, or escalating privileges through code running as a system account.
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • berto_tester Member Posts: 22 ■□□□□□□□□□
    I did Sec+, then CEHv8, then CISSP, all while attending BA in InfoSec and Master's Degree of InfoSec. Make it your life and the certs are super easy.
  • danny069 Member Posts: 1,025 ■■■■□□□□□□
    I agree with berto_tester, that's the path I am on too.
    I am a Jack of all trades, Master of None
  • XDroidie Member Posts: 6 ■□□□□□□□□□
    berto_tester wrote: »
    I did Sec+, then CEHv8, then CISSP, all while attending BA in InfoSec and Master's Degree of InfoSec. Make it your life and the certs are super easy.

    Did you have any qualifications previous to that? Say N+ or CCENT or anything?
    While I like networking, it's the actual security side of things that interests me most.
  • XDroidie Member Posts: 6 ■□□□□□□□□□
    OctalDump wrote: »
    OK. This is now my standard advice: go and read "Gray Hat Hacking: The Ethical Hacker's Handbook". It covers most of the ground you need to have a grasp on to start working in Penetration Testing.

    There's quite a few domains you need a handle on to get started in IT Sec. You need the 60,000-foot view of IT, you need to understand operating systems, security models, networking, hardware, programming including C, assembler and scripting, web servers, databases, reverse engineering, security tools, social engineering. Basically all of the infrastructure that you are likely to come across and which might be exploitable. If you are starting from "I'm good with computers", it'd probably take at least a couple of years to cover the groundwork and start to be somewhere where you might be useful.

    In those couple of years, you'd likely end up with something like CCNA general knowledge, but a bit more depth in certain areas. You'd be able to pass the A+ and know a fair bit more besides. You'd be familiar with a couple of server operating systems, a few different web servers, web programming, a bit of C, some assembler, some scripting, some SQL. You mightn't have enough to get MCSA, but you'd know a few things about Windows Server that even MCSE aren't aware of. You'd probably have enough skills to get a junior network admin or system admin role. You'd have a grasp of Linux. You'd be quite comfortable at the command line. Snort, Nmap, Wireshark, Metasploit, Kali et al. would be old friends.

    As far as the degree goes, you need both sets of skills, but I suspect that the computer science path with programming might ultimately be more useful. The problem with most standard courses is they teach you how things work (or are meant to work) but you need to know how things break. So, learning best practice of how to set up DNS on Server 2012 isn't really that useful, but knowing how to do a zone transfer against a misconfigured system is useful; even more useful is knowing how different DNS services react to malformed requests.

    One of the nice things about programming is you can write bad code for yourself and then exploit it and get an understanding of things at a fairly fundamental level. And at that level, it can be very similar whether exploiting a vulnerable instance of BIND or exploiting a webform or delivering code via a trojan, or escalating privileges through code running as a system account.

    Well I have been studying computers over 8 years now, and have been exposed to a massive section of IT, from Programming, Networking, Security, Repair, Virtualization, Linux and other things, but all at the state you would consider basic apart from hardware, I understand hardware very very well.
    Second to that would be Operating systems, nothing notable here compared to pros but decent for repairs.

    Apart from the book, is somewhere like CBT Nuggets useful for learning stuff?

    Thanks!
  • E Double U Member Posts: 2,231 ■■■■■■■■■■
    My path:

    2+ years as a contractor building PCs, installing them, and doing minor support - got A+, Network+, MCDST

    6+ years at a telco in NOC, config, and SOC - got CCNA, ITIL, CCSA

    2+ years in bank security - got CCNP Security, CISSP, GCIH
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS
  • XDroidie Member Posts: 6 ■□□□□□□□□□
    Also, is A+ worth even attempting? I think I could pass it with minimal study.
  • OctalDump Member Posts: 1,722
    XDroidie wrote: »
    Well I have been studying computers over 8 years now, and have been exposed to a massive section of IT, from Programming, Networking, Security, Repair, Virtualization, Linux and other things, but all at the state you would consider basic apart from hardware, I understand hardware very very well.
    Second to that would be Operating systems, nothing notable here compared to pros but decent for repairs.

    So if you have a pretty good background, I suggest reading the book to identify gaps. Then if that's ok, start using the tools.
    I think the Sec+ CEH CISSP path is probably reasonable, but at some point you will need someone to offer you a job :)
    So for getting a job, some kind of Security focused area of System/Network Administration might be a good place. And to get into a place like that, then probably you want CCNA and get into a NOC, then SOC.

    Maybe you could short circuit that by going down the OSCP route.

    But it depends also on the specifics of the career path you want. If you get good hands-on skills, and can demonstrate them, you might get picked up by one of the smaller Security companies (if you google Penetration Testing and find some in your area). Smaller companies tend to be more flexible. Hell, it wouldn't hurt talking to them directly now to find out what kind of stuff they look for. You might even find out you don't like the idea at all ;)
    2017 Goals - Something Cisco, Something Linux, Agile PM
  • Mike7 Member Posts: 1,107 ■■■■□□□□□□
    XDroidie wrote: »
    Hello Community!
    So I am currently looking at what certifications to get and I want to work in infosec, I currently have no certifications to my name.

    Check the posts in Security Certifications Forums

    You may want to start with http://www.techexams.net/forums/security-certifications/113328-what-information-security-certifications-should-i-get.html
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    You should really understand why "security" interests you. Depending on the area you go into, it can be an extremely tedious, uphill-climb in the day-to-day grind with no end in sight. It can also be mind-numbingly boring in some respects.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • beads Member Posts: 1,531 ■■■■■■■■■□
    If you're looking to actually be useful outside of another CEH (Tour of tools) type of "pen tester", learn real development and DBA skills instead of modifying scripts from others. Truth is there just isn't much job demand for pentesting and what there is out there really requires more skill than the standard OSCE, GPEN or CEH level of skill you're likely to find.

    Do a general search on Dice.com for Penetration and I found 30 - nationwide. Mostly for Northfolk Grummund. For those of you who are really gifted and serious about pentesting send me a PM and I will hook you up with real companies that actually consult doing this type of work. Warning! The current placement has been about one-half of one percent for the past decade. Lots of interested testers; rarely do people pass the simple exam, let alone one of the advanced portions.

    -b/eads
  • UnixGuy Mod Posts: 4,565 Mod
    beads wrote: »
    ...

    Do a general search on Dice.com for Penetration and I found 30 - nationwide. ..
    -b/eads


    That's what worries me... I see the most jobs advertised are for policy GRC type work.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • docrice Member Posts: 1,706 ■■■■■■■■■■
    Also check the GIAC job openings list (although they just cull public sources and look for anything that has GIAC certs listed in them):

    http://www.giac.org/certified-professionals/job-listings
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • JoJoCal19 Mod Posts: 2,835 Mod
    Nevermind
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • JoJoCal19 Mod Posts: 2,835 Mod
    beads wrote: »
    If you're looking to actually be useful outside of another CEH (Tour of tools) type of "pen tester", learn real development and DBA skills instead of modifying scripts from others. Truth is there just isn't much job demand for pentesting and what there is out there really requires more skill than the standard OSCE, GPEN or CEH level of skill you're likely to find.

    Do a general search on Dice.com for Penetration and I found 30 - nationwide. Mostly for Northfolk Grummund. For those of you who are really gifted and serious about pentesting send me a PM and I will hook you up with real companies that actually consult doing this type of work. Warning! The current placement has been about one-half of one percent for the past decade. Lots of interested testers; rarely do people pass the simple exam, let alone one of the advanced portions.

    -b/eads

    I normally agree with everything you post, but in this case I disagree that the outlook is that pessimistic. On Indeed, doing a targeted search for pentesting jobs (title: penetration) across the US, there are currently 264 hits. I do think that the demand for penetration testers is far less than most other areas of InfoSec. I also agree with you that having a dev background will really help. Knowing how to manually attempt to exploit apps and systems is what separates real pentesters from pretenders.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • beads Member Posts: 1,531 ■■■■■■■■■□
    It may indeed be my local market (Chicago) but I rarely get bugged for pentesting jobs. Everything else under the sun, yes but not true penetration testing for the last 3-4 years. That means GPEN, CEH and OSCP and real world experience.

    I do know a couple of hardcore penetration testers and a couple boutique shops that do a great deal of penetration testing. The interview exams, I've seen them, are brutal, real world test of wits and mental strength type exams. Seen people either blow through the exam in near record time types but most never get much past the fill in your name here stuff. So it depends. My cursory look didn't show anything in the Midwest but much in the SW California market.

    Personally, I haven't seen or met anyone locally focused much on pentesting as of late. That would include perennial favorites such as any Blue Shield/Blue Cross organization in Chicago. There are three downtown by the way. Sears, Discover card, et al. for years looked everywhere for pentesters, really QA people. The local market here just doesn't appear to be supporting the need it once did or the market is saturated at this time.

    Locally what I hear about is incident handling and weird amalgam network engineer positions. But as I indicated above these things appear to come in and out of fashion like white pants - seasonally adjusted.

    Not trying to be down as much as I am Y2K bored with questionable people looking for the next 'pot-o-gold', get rich by passing one's self off as a security practitioner thing. Been through all this a number of times: Novell, MCSE, Y2K, Programmer/Developer, Networking and now Security. It's all the same hype cycle. Security too shall pass. Difference is I have been in the security realm for over 20 years as a dedicated practitioner. The field chose me not the other way around.

    - b/eads
  • Chinook Member Posts: 206
    I can tell you from personal experience that the "Security" realm encompasses many things. The classic example is the penetration testing guy/social engineer but those types of positions aren't that common.

    What is more common is the day by day defensive side of network security. That could be you employed in a large bank protecting the assets or you working for a large web host where you're pen testing your Apache & MySQL systems. And as someone mentioned above, some of the jobs are quite tedious. Reading log files or Wireshark captures gets pretty boring ;). There are companies that run their own vulnerability scans across their own networks & that's part of the security world. A lot of it is procedural too.

    There is also a growing computer forensic business. Large auditing firms often employ these types of people, as do legal firms & law enforcement. Law enforcement will often hire civilian technologists to do the tech work. The reason is it's simply too much to expect a person to be a working police officer and specialize in computer forensics. The collection of "e-evidence" is now huge & that evidence is often the largest percentage of the material in some court cases.

    - Learn as much as you can about everything
    - Learn to be comfortable in Linux. Most hacking tools are built for Linux.
    - Get a good understanding of Layer 2/3 (routing, switching)

    Security is a frustrating gig too. You spend a whole bunch of time standing on a mountain telling people to secure their data only to watch the "post traumatic after hack meltdown". Then you get the cleanup duties. The truth is not a lot of people care about security and that's evident by the endless list of companies getting hacked.

    I do think the Ashley Madison hack will bring change though. For one thing, the average user suddenly realizes his data might not be secure. He might well be hesitant to sign up to the next site that comes along. But, WAY more importantly is the financial disaster this will turn out to be. We may well watch this firm go bankrupt because of this hack. That's going to scare the hell out of a lot of internet firms who realize they could be next. Up to now few firms have been monetarily affected by hacking. Ashley Madison has been affected (they pulled their IPO for example). Money talks. And only when money talks does management do the security walk.

    Edit: Put yourself in a "security mindset" when you study something. So if you do your MCSA in Server 2012, start thinking about how you could corrupt WDS versus just setting it up. Or how you could poison the DNS. etc. etc. You'll start seeing things others won't & it's a good idea for career development.
  • docrice Member Posts: 1,706 ■■■■■■■■■■
    Chinook wrote: »
    Then you get the cleanup duties.

    A good bulk of security work can be cleaning up the mess someone else leaves behind. Most people don't really take security seriously because it doesn't hurt enough, and that's partially because the general lack of individual accountability doesn't have enough personal sting. I think until there's a much more significant downfall where people are losing their shirts, getting their bank accounts emptied, or publicly embarrassed, most people will just fall into their routine as most human beings are accustomed to.

    It's really important to understand for those looking at the field from the outside-in that this is almost always a non-glamorous job. It's tedious, requires combing through tons of minutiae, you're always behind the curve, no one wants to listen to the best practices because it's too business-inconvenient, and in the end you're going to get blamed for the breaches unless management really understands the fundamental problems (rare).
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • mukta Member Posts: 14 ■□□□□□□□□□
    I think you have got your answer from OctalDump.