Which aspect of security would I be suited to?

N7ValiantN7Valiant Member Posts: 363 ■■■■□□□□□□
I'm getting my foot in the door of the IT world by getting my A+ and Net+ and now I'm going after Security+ and will probably take a shot at the CEH after that(mostly because it was just one more security class at the local college on top of what I already took).

Thing is, I'm not too sure what aspect of security I should be focusing on. Pen testing sounds like the more interesting part, though my instructor says that part of InfoSec might be oversaturated because everyone else has that same thought. He suggests auditing is where the money is at, precisely because it's boring work that no one wants to do. An analyst sounds like where my local job market is because of the numerous military bases on Oahu(Camp Smith, Pearl Harbor, Kaneohe MCBH, Tripler Army Medical Center).

Though I did change majors out of Accounting because it was boring, even if I did well in the classes. I don't think my (likely, but not officially diagnosed) ADD mixes well with boring jobs that don't have adequate stimulation.


In any case, my most relevant experience in IT was interning at my local college's internal IT department as a PC Technician Tier 1/2. It was more hands-on technical work that was separate from the Help Desk. The work was very much varied where I did anything from physically install network cables to desktops to projectors. I setup new computers, installed a set list of programs, harden the system by changing default configurations on the computer and the browsers, updating the OS, and updating the software. Also took apart desktops to pull the drives and RAM, took apart laptops, and also took apart an iMac which was a rare treat.

The most fun I had was when someone gives you a computer that's acting strange, but you don't know what's wrong with it. I noted that fellow coworkers seemed to be uncomfortable working outside of set normal procedures. Say when a Windows 8.1 tablet was stuck at "Checking for Updates" forever and didn't update after leaving it to run overnight. If deleting the SystemDistribution folder didn't resolve the issue, he would try to let it update again for the next few hours. I opted to ask Google what the issue was and try to manually install the July rollover patch, which fixed the problem. Or when the guy who's been working there over a year tells me he doesn't want to try to tweak a particular registry entry that's causing File Explorer to pop up in your face at start up even when you back up the registry, and the boss just told you to fix that issue.icon_silent.gif

I didn't much enjoy the manual labor, waiting for updates, or (heaven forbid) running out of work to do, asking the boss for more, and not getting any.icon_eek.gif

Among the various parts of IT I was exposed to while getting my Associate's, I believe I have the greatest aptitude for programming(wrote a Sudoku generator using 3D arrays in my first programming class), although I didn't major in Computer Science(I neglected to do adequate research before signing up for the first class and I can't afford to go back right now). But not that good in networking and database.

Not that great with manual labor or social skills, so I don't think I'd be well suited to physical penetration testing or social engineering.
OSCP
MCSE: Core Infrastructure
MCSA: Windows Server 2016
CompTIA A+ | Network+ | Security+ CE

Comments

  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    Here's an honest opinion.
    Nobody here can tell you what you are good for. You have to discover what you are good at or what you like on your own.

    Try different roles until you find something you enjoy. Some find whay they like to do faster than others, some take longer.
    Personally I liked all the jobs I've worked at because each gave me a different satisfaction feeling. I've worked as a technician, as a Helpdesk, as analyst etc etc.

    As you progress in your career and you learn new skills and gain new knowledge so will your desire to do something else will start to creep up on you.

    Thats the beauty of being in IT, its now a static field and at anytime you can transition to other roles as you gain experience.

    The moral of the story, try the different jobs on your own amd find out on your own.
  • N7ValiantN7Valiant Member Posts: 363 ■■■■□□□□□□
    Well, I was hoping to get some feedback from people who have experience that could maybe point to what they do in their day jobs in general terms. For example, I'd probably like a more dynamic job that would demand more problem solving skills and maybe toss a few curveballs at you every now and then to keep you on your toes(not to be confused with the boss riding your ass every week for an impossible deadline, which is a different kind of thrill) as opposed to a job where you have a static and monotonous routine that you do from Monday-Friday without ever changing.

    I spent 8 years in retail and would like a considerable distance from that.

    I've also been advised that jumping from job to job is not something that anyone looks kindly upon. You piss off your old employers and prospective employers will assume you're indecisive and lack commitment.
    OSCP
    MCSE: Core Infrastructure
    MCSA: Windows Server 2016
    CompTIA A+ | Network+ | Security+ CE
  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    You want a job description of what people do? Head over tp LinkedIn and search for the job you like to one day do. That will not only give you an idea of what each role or title job description and tasks are but also give you the requirements for said job title.

    On a day to day basis I can do a myriad of things, first thing i start with is look at IPS/IDS logs then move from there.
    As for job hopping, my last 3 jobs have been 1.5 years(as analyst), 9 months (as VP), and now at 8 months as (AVP) at my current job. So in my experience I haven't encountered a recruiter that told me your short periods of stay turned off the hiring manager. But I can see how that can be an issue in a place like Honolulu. Not an issue in big cities in my opinion.

    If hiring managers are looking for a set of skills they will look to fill that gap now, they wont care what you going to do in 2 years or 3 years.

    On a side note I've been in the field since my profile joined date and speak from my personal experience.
  • N7ValiantN7Valiant Member Posts: 363 ■■■■□□□□□□
    Thanks. I ask because I remember someone mentioning getting a job (I think it was an analyst) because of his security+ cert and it kind of ended up being a dead-end do nothing job where he had enough time to study for a higher cert while on the job, only his actual duties would contribute next to nothing for getting a better InfoSec job since he wasn't really doing anything.

    That was the kind of situation I wanted to avoid, but maybe I was just getting a distorted view of an analyst position mostly because I would think that if IDS/IPS logs don't show an anomaly, there might not be much to do other than look at more logs. But maybe that only determines who I choose to work with rather than the position, as I could probably be an analyst for the NSA just because they have better odds of someone trying to probe them regularly.
    OSCP
    MCSE: Core Infrastructure
    MCSA: Windows Server 2016
    CompTIA A+ | Network+ | Security+ CE
  • EANxEANx Member Posts: 1,077 ■■■■■■■■□□
    Hands-on vs analysis is always the question. Most techs prefer hands-on and as was mentioned, that means certain parts of the industry are getting saturated while others go wanting. You will always have a need for auditors and analysts near where there's a lot of US government. You won't be the guy testing to see how a package did, you'll be checking the paperwork to be sure someone else did and see what the results were. The terms "NIST" and "STIG" don't stay foreign to an analyst for long.

    A stint as an analyst wouldn't be bad for someone who eventually wants to move into management but I've known a couple of people who were helpdesk, got a Masters in Cybersecurity, got jobs in information assurance (one as an auditor and one as an analyst) and within a year they had gone back to helpdesk. They made less but enjoyed the work more.
  • N7ValiantN7Valiant Member Posts: 363 ■■■■□□□□□□
    After doing some digging around, reading about CTF, and actually following a walkthrough to penetrate a VulnHub VM called SickOs using Kali Linux, I feel pretty certain that Red Hat Pen Tester is where I want to go.

    I suspect that if we imagine a ladder where Pen Tester is at the top of the rung, then the next rung down is "Security Analyst", with "System Admin" being a rung below that. My starting off point would of course be "Help Desk Support" at the bottom rung. I also get a feeling that I would want to pursue a Linux+ certification and seek out a position that allows me to regularly work with Linux.

    My focus was on pursuing relevant certs to pen testing like OSCP and perhaps CISSP(to get past HR), and perhaps pick up certs that might be remotely related like CCNA, CCNA-Sec, CASP, but upon reflection it seems like that may be the wrong approach with some of it being too far ahead and the rest not being relevant or applicable. I'm thinking I should only identify the "next step" and then only seek out certs to qualify me for that next step.

    Only thing is, I'm not sure what the next rung up is from help desk.
    OSCP
    MCSE: Core Infrastructure
    MCSA: Windows Server 2016
    CompTIA A+ | Network+ | Security+ CE
Sign In or Register to comment.