Moving toward security, what should i take after Sec+?

i took Sec+ several years ago and passed. After discussing a career path with a friend of mine i've decided to head toward the security end of things. the plan, i think, is to basically get away from anything "tied to hardware" as he puts it. He had suggested SAN classes but i cant afford that. I have CBT's for CISSP, CEH and SSCP. What do you think i should start with? He also mentioned i should learn a little C# or something at some point. I've also started concentrating on some MS stuff like CA's and some PKI.

any advise would be appreciated.

Find more posts tagged with

Comments

dynamik

What are you doing now and where do you want to go?

Your next step is going to depend a lot on that. Out of the one's you listed, the SSCP and CEH are potentials. The CISSP will require you to have four years or experience, although, you can become an associate without that.

If you want to do MS security work, the 2003/2008 tracks might also be where you want to focus. C# and Powershell would compliment that as well.

tdean

well, right now im laid off, so i figure this is as good a time as there will be for me to make a move. i dont really have any ideas about what i want to do short term... long term i would like to get into computer forensics and start my own company. the guy i was talking about earlier is a security big wig at the DOD and said he knows quite a few people that do that and its extremely lucrative. especially with computers becoming evidence in divorce cases etc now. id have to get a company to pay for my SANS classes for that though.

sooooo, back to the question.... right now, just anything that will make me more marketable, but even more importantly, make me better at what i do. which right now is simple net admin stuff, which i've decided i dont like at all. im finishing up my CCNA this week, have 2 server 2008 classes done and just finished 80+ hrs of vSphere training.

dynamik

Well, keep in mind that you can't secure or investigate what you don't understand. A lot of the material that may not interest you is important in what you want to do. Network and systems administration concepts are important.

Unfortunately, a lot of the forensic stuff deals with CP or civil stuff (like divorce, cheating spouses, etc.). Expect to get tied up with a lot of things like that if you pursue forensics.

As far as forensics goes, you might want to keep this (relatively new) blog in your RRS reader list: An Eye on Forensics

Coming up with a short-term strategy should be a priority for you. You're going to have a difficult time starting your own business without the experience to back that up. Everyone you're going to work with is going to ask for references/credentials.

Hit me up anytime; I'm more than happy to help in anyway that I can.

docrice

Information security, while considered a subset of the overall IT discipline, is generally rooted in a lot of fundamentals based on practical IT work such as systems and network administration, etc.. Security as a bubble of this subset can also be very wide and deep ranging from application work, network forensics, disk forensics, cryptography, etc., etc.. I'm not sure what your existing work experience is, but generally people don't just jump into security right out of the gate. As this is also a constantly-shifting field, it's possible that one day traditional disk forensics will become more and more integrated with network-level investigations and whatnot and all the sub-disciplines will eventually correlate together in real-time. Your preferences may change accordingly as your career moves forward.

So to get to your question, there are a number of different routes to look into: forensics is one (but not too commonly discussed here), network defense is another, there's penetration testing, there's application development, then you have your usual firewall / VPN work, operating system hardening, malware research, protocol analysis, and perhaps even desktop support work might involve security to some degree (such as establishing baseline security configuration for deployed images). These are just some of the common examples. It can be very involved across a wide variety of areas for a given position, or it could be very specific (like watching logs all day).

So while we'd like to point you in a direction, I think it's important to determine a starting area that you're relatively comfortable with. I personally started as a Windows admin, eventually incorporated the network stuff, done some integration reviews for various application stacks and combinations, and at work I'm also asked to document recommendations on how to improve our development approaches on platforms that we code software for. I don't code, but I understand Windows more than the developers do to be asked to show what our customers look for in their enterprise deployment. I also do occasional in-house training to internal employees for areas that I'm knowledgeable enough which can benefit the operational efficiency of my organization. You can cast a wide net or a narrow one, but you have to figure out what you like.

So to loop back around, I think the question's already been posed: what do you want to do? I think enjoying the work is more important in the long run than the amount of income you'll get. If you don't care for networking, there are other areas but keep in mind that even forensics will require an in-depth understanding of networking fundamentals in order to support your decisions and the investigative methods.

tdean

thanks very much. i will definately have questions. Like i said earlier, i've been doing the MCITP path... now going back to really concentrate on some of the security features. I guess the SSCP would be the best start point for me now. As far as the forensics, that is down the road. i'd like to get into a company now, and slowly start implementing some of the security stuff i learn. My next door neighbor is a State cop, my uncle is a cop and a couple other friends are also, so that might provide an "in" somewhere along the way. As it was explained to me, when breaking in to that field you must align yourself with 2-3 different PI's to start making a name for yourself and get "busines."

tdean

docrice, just saw your post. i think my problem is that i have no idea what is out there, so i dont really know what i want to do. i've got 8+ years net admin experience, but its been at small companies >1,000 employees and i've been the entire "IT staff" at all 3 places. im hoping a change of scenery and fresh start will allow me to see whats out there so i can make better informed decisions.

docrice

I would think that being the one-man show for a thousand employees is, well, overwhelming and I don't think that's typical. If you've already done your share of Active Directory and general networking, then you can at least start looking at other people's blogs to get an idea.

TaoSecurity
.:[ Layered Security ]:.
Schneier on Security

If you've never been to Defcon, take a trip to Vegas at the end of July. It's a lot cheaper than Black Hat, but there's a lot of crossover as many of the speakers from Black Hat also present at Defcon. That's a great way to get a feel for what the industry is buzzing about and the kind of work involved:

DEF CON 18 Hacking Conference

I'd also recommend taking a look at the Black Hat archives to see what kind of areas you gravitate towards:

Black Hat ® Technical Security Conference // Home

Look at the sponsors list, go to their websites, and look at their job openings. These will at least give you a clue what's out there. There's also Dice, etc.. There are also articles out there that will give you some ideas. Here's one I just Googled up:

SANS: The 20 Coolest Jobs in Information Security

Scott Moulton always presents at Defcon and his forensics talks are always entertaining. Check out the videos on this site:

Presentations & Information | My Hard Drive Died! | Scott A. Moulton

tdean

great info guys... i will go through it this week and hopefully bug you guys with questions next week!!

yeah, the last 3 jobs i had were providing support for the AD, email, proprietary apps, fw, routers/switches, remote access, virtualization, voip, wireless, wsus, virus scan etc etc for 1200, 700 and 600 employees. this might be why i dont enjoy the job much.

Paul Boz

Since you already have a skillset for system administration, continue with your plans to get really good at system administration security. I've found that if you can take your existing non-security knowledge then apply security to that you'll be a much more capable security practitioner. From there you can start branching out into other fields of infosec. I'd start with just learning how to properly secure the services and systems you're currently certified on or have work experience with. For example, work on hardening MS deployments or mail servers. Always stay true to your non-security background, as that expertise will make you valuable.

tdean

Paul Boz wrote: »

Since you already have a skillset for system administration, continue with your plans to get really good at system administration security. I've found that if you can take your existing non-security knowledge then apply security to that you'll be a much more capable security practitioner. From there you can start branching out into other fields of infosec. I'd start with just learning how to properly secure the services and systems you're currently certified on or have work experience with. For example, work on hardening MS deployments or mail servers. Always stay true to your non-security background, as that expertise will make you valuable.

Paul, this is one of the areas i just dont get. i see it written all the time, but other than patching and tightening permissions, what exactly does that mean?

docrice

Hardening and systems security is the general practice of identifying the functional requirements of the systems in question (and their respective applications, etc.) and turning off / removing services, configuring the settings, forwarding logs to a central location, etc., as well as tightening permissions and all the other usual considerations. Establishing a well-documented baseline which you can take deviation measurements off of at later dates is another example.

For example, take a look at the NSA hardening guides:

http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems/microsoft_windows.shtml

These configuration tweaks should obviously represent the general parameters outlined in the corporate security policy.

GAngel

tdean wrote: »

Paul, this is one of the areas i just dont get. i see it written all the time, but other than patching and tightening permissions, what exactly does that mean?

When you install default OS's they have a ton of services, extensions and ports open that people leave. An internet facing system should have nothing on it that isn't essential and everything else should be risk assessed and potential damage mitigated. It's basically the job of a senior system admin to know this. We just have fancy security titles for it now. This applies to workstations, routers, switches, printers etc. You want to restrict movement the most without compromising the end users ability to get work done. You want these systems to be logging critical info and to be redundant if needed. At the end of the day everything else is built around the box to make it secure. No tool, rule, or firewall will stop someone if the box is open like a fat kid in a candy store.

tdean

wow... awesome guys. you dont know how many issues that cleared up for me. my biggest problem is that i've always worked by myself so ive never had anyone to ask things of etc... sometimes i have questions, but dont know what the questions are, if that makes sense. thanks again!

Paul Boz

You should spend some time on the SANS website studying some of the concepts of system hardening. For example, they have excellent "**** sheets" for hardening windows environments. Here's a link to their page:

SANS: Information and Computer Security Resources

As GAngel said, securing a system is all about minimizing the number of attack vectors present. If you have a mail server which is configured for Telnet, FTP, small services, and RDP, you can bet your butt that someone's going to try to leverage one of those vectors. If you remove telnet, RDP, and FTP services, you've just dramatically cut down the number of entry points into that system. Think of unnecessary services as open doors on the system. By shutting down those unncessary services you have effectively closed those doors. Security is all about being the gatekeeper and doing your best to ensure that the only doors which are open are ones you want open.

tdean

Oh man....this is great info. this is exactly the info i didnt know how to get. Paul, does that link go into resolving what you say here?

"If you have a mail server which is configured for Telnet, FTP, small services, and RDP, you can bet your butt that someone's going to try to leverage one of those vectors."

tdean

docrice wrote: »

Hardening and systems security is the general practice of identifying the functional requirements of the systems in question (and their respective applications, etc.) and turning off / removing services, configuring the settings, forwarding logs to a central location, etc., as well as tightening permissions and all the other usual considerations. Establishing a well-documented baseline which you can take deviation measurements off of at later dates is another example.

For example, take a look at the NSA hardening guides:

Microsoft Windows Operating System - NSA/CSS

These configuration tweaks should obviously represent the general parameters outlined in the corporate security policy.

i somehow missed this link. excellent stuff!

Paul Boz

tdean wrote: »

Oh man....this is great info. this is exactly the info i didnt know how to get. Paul, does that link go into resolving what you say here?

"If you have a mail server which is configured for Telnet, FTP, small services, and RDP, you can bet your butt that someone's going to try to leverage one of those vectors."

That's just a generic scenario. It's an example that the more open ports and services which are open the more likely an attacker will be able to leverage one to get in. The point is that if services aren't necessary you should disable them to prevent an attacker from leveraging it. If there is a well known vulnerability with a service like Microsoft IIS but you don't have IIS running on your external mail server, the mail server won't be vulnerable to that IIS attack.

tdean

oh i know, you meant that as generic... i've been looking at the Sans site. kind of intimidating... lots there. im going to sign up for a portal acct.