Security career questions

I've been lurking here for a little while now, but I figured it's time to post something. I'm at a point in my career where I need to make an upgrade. The quick question - what is a day in the life of an incident handler like? My current job isn't super-security focused and I think it's time to leave the comfortable confines of straight systems / network admining and doing something more security-centric (forensics, intrusion analyst, etc.), although I'm unsure which direction I should strive towards. Your advice may help me decide which GIAC course to take.

A little background on myself: I've been doing "computer work" for over a decade. The last 7 years I've been running a small non-production system at work where I manage firewalls (PIX, Check Point VPN-1, some pf, some iptables), VPN gateways (Juniper Secure Access, old Cisco 3000 series, F5 FirePass, Nortel, Check Point, etc.), your usual routing / switching, backend policy management / authentication, and all the client / server AD joy. I do a little of almost everything but I wouldn't consider myself an expert in anything these days. Before this, I spent a few years doing Level I and II support in IT.

I do not have a formal technical education, at least in the college sense. Although I have a few years of college under my belt, I never finished. I never even bothered to get any certs until last December when I decided I need to start filling in some knowledge gaps and pad my resume (CCNA, CCNA Security, Net+, Sec+ so far in that order; I'm working on my GSEC right now which isn't too difficult except it covers a lot of ground that I'm happy it's an open book / notes exam).

Second question - how different was your preparation experience between the GSEC (or any GIAC course) vs. CISSP? I took a Global Knowledge CISSP prep course a couple of years ago, I've done some reading in Shon Harris' fourth edition, and it seems to cover some of the same ground with the GSEC and Sec+ with some additions like regulatory compliance, Common Criteria, etc.. Although from a personal enrichment standpoint it's not the most critical certification to obtain, it's the big one as far as resume / self-marketing goes so it becomes a major deal for me. I'm tackling the CISSP after my GSEC exam in a couple of weeks.

Follow-up question ("question 2b") - what does (ISC)2 consider "security work?" I just want to make sure that my past experience fulfills the minimum experience requirement, although what I do isn't "pure" security in the hardcore sense (watching the IDS logs all day, containing breaches, etc.).

Find more posts tagged with

Comments

dynamik

I think incident handling positions will vary dramatically. You may end up working some really interesting, complex cases once you develop your skills, but you'll probably start doing menial tasks like responding to viruses/spyware, lost mobile devices, etc. There's going to be a lot of policy work and documentation as well, so be sure you're ok with those types of tasks. Lots of people who get into pen testing are often unhappy with the amount of report writing they have to do (and/or lack decent writing skills).

I'd play around with technologies in each area and try to learn what's involved with each role in the real-world. There are many books on IA, IH, and forensics on Amazon, and I'd encourage you to get at least one in each area before you make a major financial commitment to a SANS course. Although, it's not like you can really go wrong with one of those, and a lot of the material is complementary and overlaps with other courses.

I'd say prep is pretty much the same. Just read, take notes, take practice exams, optionally use CBTs, and repeat (not necessarily in that order). Length of study time will vary based on what your current level of experience is as well as the depth/breadth of the exam. There's no magic bullet for any of them; just be consistent with your studies.

Only (ISC)2 can give you a definite answer, but from what you've said, you seem to be in pretty good shape.

docrice

Documentation work is not a problem (I used contribute regularly to my company's technical knowledge base) so doing reports shouldn't be too much of an issue, although for some reason I foresee it getting old if it's the same kind of the thing for every incident / assignment.

I may opt for the intrusion analyst course next, or perhaps enterprise defender. The idea of pen testing sounds like fun but I'm not sure if that's the kind of work I'd want to do day-in, day-out. Maybe I'll stick with the corporate IT security route.

I've only taken one other "security" course and that's the CHFI which was fun, but I doubt I'll end up being a digital forensics analyst in the IT CSI sense. Those skills at the basic level are important though as sometimes you have to recover data / look through a former employee's drive with a fine-tooth comb, etc.. Some of the same tools and methodology is good for finding a needle in the haystack when troubleshooting environments (like an OS / app stack) with a lot of moving parts.

I'm sure this has been answered before, but I'll ask again anyway to fish for response variants: how different is the material from Shon Harris' fourth and fifth editions? Should I invest in buying the new edition?

JDMurray

docrice wrote: »

how different is the material from Shon Harris' fourth and fifth editions? Should I invest in buying the new edition?

The 4th edition is more than adequate as a study aide for the current CISSP exam. But remember, don't rely on only one or two study references. No one resource contains everything you need to know to pass the CISSP exam.

docrice

I have the official CISSP CBK study guide from a few years back as well (along with the course material from the Global Knowledge CISSP prep course). Hopefully these should be enough.