Any idea how I can gain security experience?

fabostrong Member Posts: 215 ■■■□□□□□□□
I currently work for a managed services company and I desperately want to work in security someone. There aren't really any entry level security positions and all security positions that I've seen want you to have at least 3-5 years of experience.

Anyone have any idea how I can get experience considering no one will hire me? lol.

Thanks

Comments

  • 636-555-3226 Member Posts: 975 ■■■■■□□□□□
    congrats on the interest my man. infosec is at the very beginning of its industry and if there's a time to get in, this is it. some old timers will disagree & say infosec has been around forever. that's true, but the infosec of 2010 and earlier is nothing like the infosec of 2016 and beyond. barrier to entry for the bad guys is basically nil, and being a (successful) good guy is an impossible and hopeless task your administration will never believe.

    All the tools the pros use are free with plenty of free how-tos online & on youtube

    most useful - work on windows / powershell / linux / unix command line 101/201s and scripting

    nessus
    splunk
    bro
    metasploit
    snort
    tcpdump
    active directory
    bitlocker
    keepass
    etc
    etc

    follow the security conferences & techies on twitter (the only thing i find any use of for twitter) to keep up-to-date on tools and especially youtube presentations of new tools, tactics, techniques coming out. whenever there's a big conference like derbycon make sure you look at the list of presentation recordings and try to go through them during your spare time.

    (in no particular order, plenty more to choose from, this is just enough to get you started then twitter will recommend good add-ons)

    @TrustedSec
    @DerbyCon
    @SANSPenTest
    @BHinfoSecurity
    @securityweekly
    @edskoudis
    @harmj0y
    @PyroTek3

    (full disclosure - i like sans/giac, so my followings tend to follow them)
  • jscot002 Member Posts: 11 ■□□□□□□□□□
    Just what I needed to see! I'm also having trouble getting in, thank you.
  • fabostrong Member Posts: 215 ■■■□□□□□□□
    Thank you, sir, for the reply. I have experience with some of those due to taking E-Learn Security's penetration testing student course. But even with being familiar with programs and things, companies ask how can I protect their system if I've never actually done it before. Like the certs don't hold much value without any real world job experience but no one will hire me to get it lol.
  • fabostrong Member Posts: 215 ■■■□□□□□□□
    Anyone else have any input?
  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    Almost everyone in IT deals with security in some way every day. Just because you don't have it in your title or it is not your main job function doesn't mean you don't have experience in it.

    Also, if you want to get more into it, find ways you can apply the security knowledge you're learning to your current position. Even if it is just a little bit, it is security experience you can put on your resume.
  • trueshrewkmc Member Posts: 107
    If you don't have it already, consider picking up at least Security+.

    Agree wholeheartedly with NetworkNewb about almost everyone in IT dealing with security. If you were to look at CISSP domains and list out your job tasks, you could probably find all kinds of matches. (If you ever want to be a fully endorsed CISSP, you have to match domains to jobs as part of the endorsement application.)

    Might want to check out Draft NIST Special Publication 800-181: it lists tasks for all sorts of IT jobs and relates them back to cybersecurity.
  • NavyMooseCCNA Member Posts: 544 ■■■■□□□□□□
    I've been listening to various IT Security podcasts. I'm a newbie and I'm going for my Security+ and most are over my head. The ones I like the best are:
    Defensive Security
    Security Now

    'My dear you are ugly, but tomorrow I shall be sober and you will still be ugly' Winston Churchill

  • Enticles Member Posts: 69 ■■■□□□□□□□
    I too am just beginning to actively gain security related certifications, this is a fantastic thread for people who may otherwise struggle to meet the requirements employers are looking for in their security IT personnel. Thank you OP and to all who contributed :)
  • mudflaps Member Posts: 75 ■■□□□□□□□□
    I'll reiterate, get your Security+, start immersing yourself in security media (podcasts, newsletters, technologies, youtube demos), and tweak your resume to slant toward a security focus. Apply for those jobs that you think might be out of range, and you will surprise yourself.
  • UnixGuy Mod Posts: 4,565 Mod
    Do a certification that's lab based...they're hard but the training is worth it.

    Look at eLearnSecurity eJPT, eCPPT, and Offensive Security OSCP. I know these are pentesting certs but you will learn a lot of the tools mentioned in the posts above, and not just a theoretical knowledge.

    Gotta start somewhere :)
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • fredrikjj Member Posts: 879
    If I had an IT job and wanted to get into security I would start looking at my current job from a security perspective. For example, if I was a network admin that worked on switches, I would look at the current configuration of the switches and try to identify problems. To do that I would have to learn about security issues in that domain. If I found problems, I would document the problems and then create a lab environment where I could run various attacks against the vulnerabilities. I would then present these findings to the senior people and ask if I could be in charge of addressing these problems.
  • 636-555-3226 Member Posts: 975 ■■■■■□□□□□
    If you're a Cisco admin then Cisco has a security guide to help you learn what to do:

    https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html

    read thru it. even if you can't do it all (some is a lot of work), learn what it is, how it works, and why it's important
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    All great advice, as others mentioned, many jobs include security tasks. When I transitioned I looked at all my past (JOAT / sysadmin) experience and I had already been doing so many things I could highlight. I was competing against people who might have worked in security but all they did was escalate tickets and read alerts, I had configured switches, firewalls, setup logging, dealt with all sorts of different AV solutions, hardened servers and desktops, done IR, etc. It was harder to start as I didn't have a "security job" before but once I was able to talk to the interviewers it was all good.
  • nisti2 Member Posts: 503 ■■■■□□□□□□
    Mile2.com also has great certs to start!

    With a bundle of video, DVD practice, lab all for self-study, Check out and good luck! :)
    2020 Year goals:
    Already passed: Oracle Cloud, AZ-900
    Taking AZ-104 in December.

    "Certs... is all about IT certs!"
  • fabostrong Member Posts: 215 ■■■□□□□□□□
    Thanks for all of the tips guys. I really appreciate it.