Career path - Need some advice please

Hey all,

I have primarily been a lurker on these forums, just kind of soaking up the knowledge. I have found some really great stuff here for both my current job, and for what I am looking towards in the future. I just want to say thank you to everyone who contributes first and foremost. Now, onto why I am posting.

I am in my junior year at UMUC going for my undergrad in Cyber Security. I am a little older than most college students at the ripe old age of 25. I did 8 years in the Army (just finished up clearing yesterday in fact), 2 years of which was in a desktop support role. I have a 4.0 GPA currently, and am just now starting to get into the technical classes at school. I am currently employed as a mid-level desktop support technician at NIH here in Maryland and I really feel that I am spinning my wheels. I don't learn much in the day to day as it's all the same problems. Fix my keyboard, reset my password, etc. We do have the occasional malware infection, and I really jump all over those tickets to learn as much as I can.

I always reach out to our security people to help with anything and lately I have been helping in the movement to PIV card readers and FDCC compliance. However, in all honesty, the security people I work with are not what I would consider security professionals. I really feel like they were sent to a few boot camps and got some certs, and now hold their position. Anyway, I digress.

I have come to the conclusion that I do not want to be the type of security professional that is postured towards network defense. I don't want to be the guy who secures networks and waits for something to happen. I want to be the guy that stays up to date on hacking techniques, learning how to hack with the best of them, in order to catch the best. I am also interested in forensics. I have always been interested in forensics in general, even before I knew about computer forensics. SANS has the top 2 coolest jobs listed as infosec forensic technician, and network auditor/pen tester and I can't agree more. I really feel that those 2 fields are my calling.

So, now for some of the questions I have. My degree seems to be focusing more on the policy aspect of security than I would like. I am much more interested in the technical aspects of security. This has brought into question whether or not I should be pursuing a different, more technical degree. Such as a vanilla IT degree, or even a comp sci degree. Does anyone have any input on this? Also, in regards to education. I am strongly looking at the SANS Institute masters in cyber security. Does anyone have any experience with their program?

Next up is certifications. I was always under the impression that certs were, while nice, not really respected. So I never pursued them. Since coming to these forums, however, I see that I was wrong. I actually have no certs at this time. I am fairly confident that I could sit A+, N+, CCNA, and Sec+ without much more than studying for a week or so. My question is this. Where do I go from here? C|EH? LPT? Some of the SANS certs? I am unsure.

I have more questions, but I think this is enough for now. Any and all input is much appreciated. Thanks!

Comments

  • iVictor Member Posts: 45
    Working closely with your security teams, irrespective of whether they know their stuff or not, will always be useful. Perhaps you can study up on certain subjects and discuss it with them. Getting a hands-on is crucial and you can eventually rev up setting up a lab for practice by involving them in the initiative.

    If you are interested in pentesting, IMO start with open source stuff. Read up on a variety of security as well as daily system administration topics. A good pentester *must* know system / network admin areas at the least for delivering a thorough assessment. Grendel's De-ice disks are a good start. Get to know BackTrack tools inside out. Metasploit is the, by default, framework in a pentester's arsenal. Study it and practice in the lab environ. Google for Metasploit Unleashed, if you haven't already.

    Certs should reflect a confirmation of what you learnt and / or already versed with. So, short list a handful based on your comfort level with subject areas and go get them. There's no cert ~small~ per se. Each comes with its own defined, expected result in learning.

    Identify your current skills, and then the new skill / learning you intend to gather. Plan certs accordingly. Plan for how you'd affirm [ read: practice / put to use ] those skills in your current role / environ, or if you plan to get into more specific role using the cert.

    my 2 cents. Hope this helps.

    +Victor
    This is the Right Time
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,665
    reppgoa wrote: »
    I did 8 years in the Army (just finished up clearing yesterday in fact), 2 years of which was in a desktop support role. I am currently employed as a mid-level desktop support technician at NIH here in Maryland and I really feel that I am spinning my wheels.
    Your military experience will be a great help getting your foot in the door at government agencies and defense contractors, so the time you have spent in the Army is not wasted. Defense is really a bad business to get into right now (no money is being spent), but in another two or six years it may be a different story. Leaving the military with a security clearance can be a big help too.
    reppgoa wrote: »
    I want to be the guy that stays up to date on hacking techniques, learning how to hack with the best of them, in order to catch the best. I am also interested in forensics. I have always been interested in forensics in general, even before I knew about computer forensics.
    So military-wise you want to be on the offensive end of things doing CNA/CNE rather than CND. This is also known euphemistically as proactive defense. You don't hear of many commercial companies wanting cyber "first-strike" capability, so back to the DoD contractors for work.
    reppgoa wrote: »
    SANS has the top 2 coolest jobs listed as infosec forensic technician, and network auditor/pen tester and I can't agree more. I really feel that those 2 fields are my calling.
    Those two occupations require a lot of boring grunt work and mounds of documentation and report writing. I'm not sure how anyone could consider them "cool" or "sexy."
    reppgoa wrote: »
    So, now for some of the questions I have. My degree seems to be focusing more on the policy aspect of security than I would like. I am much more interested in the technical aspects of security.
    Policy and technical are good in the DoD world. For the commercial world, you should also have an understanding of business processes. I'm not saying that you need an MBA, but having business courses under your belt will make you all the more marketable.
    reppgoa wrote: »
    This has brought into question whether or not I should be pursuing a different, more technical degree. Such as a vanilla IT degree, or even a comp sci degree.
    Many places want a traditional engineering degree, like a CS, rather than a more foo-foo degree like CIS. However, this is changing. A dual-degree in CC/EE is really good for this profession.
    reppgoa wrote: »
    Also, in regards to education. I am strongly looking at the SANS Institute masters in cyber security. Does anyone have any experience with their program?
    I wouldn't bother with SANS as a degree program until they have regional (CHEA) accreditation, otherwise your degree won't be worth transfer credits at any other CHEA-accredited educational institution. Also, the classes taught for the SANS degree program are not the same classes taught in the SANS workshops.
    reppgoa wrote: »
    Next up is certifications. I was always under the impression that certs were, while nice, not really respected. So I never pursued them.
    The only people that you need to respect your certs are the people that are hiring for the jobs that you want. Look at postings for jobs you'd like and check what certs they are asking for.
  • reppgoa Member Posts: 151
    JD,

    You confirmed pretty much what I was dreading. That the degree I am getting is, for lack of a better description, a froo-froo degree. I have had this feeling over the last semester as I see the quality of students that are in the higher level security courses. People came into the security classes who didn't understand the difference between a threat and a risk. The teachers seem good, with lots of real world experience, but in the end, they have to teach to the lowest student. That is really disheartening, but not unexpected. Here's a follow-up question. Would work experience with a froo-froo degree, self education at home via labbing and certs make up for not having a CC|EE degree? Or am I better off cutting my losses now, and applying to UMD to go for an advanced technical degree?

    Also, if those 2 career fields are boring, what is exciting in the security field?
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,665
    reppgoa wrote: »
    You confirmed pretty much what I was dreading. That the degree I am getting is, for lack of a better description, a froo-froo degree.
    I know many people with only a CIS degree who work in "hackish" professions, so it isn't the end of the world, but it does decrease your chances of getting into organizations that insist on their hires having a traditional, "hard" engineering degree.
    reppgoa wrote: »
    Would work experience with a froo-froo degree, self education at home via labbing and certs make up for not having a CC|EE degree? Or am I better off cutting my losses now, and applying to UMD to go for an advanced technical degree?
    That depends on the employer. An employer typically looks at professional work experience first, education second (unless you are fresh out of school, then it's first), and things like certs, professional affiliations, self-study, volunteer work, etc. last.
    reppgoa wrote: »
    Also, if those 2 career fields are boring, what is exciting in the security field?
    "Exciting" is in the eye (and mind) of the beholder. Some people think writing software is exciting and stimulating, but others think it's the most confusing, mind-numbing thing they've ever done. Some people love doing audits and filling out paperwork, while others would rather die than spend their waking lives in a cube doing just that. You gotta try it and see what you think. I'm taking several computer forensics classes right now, and I'll say that 90% of the non-law enforcement people in the classes now know that CF is not what they thought it was--a desk job with a big, easy paycheck. You gotta find out what things are for yourself.
  • reppgoa Member Posts: 151
    JD,

    What would you say is the field to go into where I would have the most hands-on, techie type of experience? I want to be hacking all day, with minimal paperwork. Does a job like that exist?
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,665
    reppgoa wrote: »
    JD,

    What would you say is the field to go into where I would have the most hands-on, techie type of experience? I want to be hacking all day, with minimal paperwork. Does a job like that exist?
    Well, "minimal paperwork" often means "someone else does the paperwork," so you may want to consider organizations that have dedicated "paperwork people" to handle those chores and free up the tech people for what they do best. (Let me know if you find that such an organization really exists.)

    The hands-on techs are the people in the trenches pulling the cables, configuring the network appliances, and writing the scripts and software. In the "real" business organization there can be a lot of paperwork in all of these jobs. All of this work needs documenting for configuration management (admin), reporting findings (auditing), or to fulfill customer (contract) requirements.

    However, it really depends on the policies of the organization and customers you are working for. A small business might not want to spend the money for you to write documentation and fill out paperwork that nobody may ever look at. This means they are probably not too hot on proper content and configuration management either, and that can cause problems for you. Minimal or no paperwork is usually a bad thing--but you must experience this to truly understand why.
  • the_Grinch Member Posts: 4,164
    I can echo what JD has said, paperwork is going to come with the job. Often it is hard for someone else to write the report when you found the bug/hole. As for what degree you should go for, if I could do it over again I would have gone with Computer Science. My degree (Computing and Security Technology) was completely hands on and I am happy to have it, but it lacked any core coding requirements. Eventually (if you do pen testing) you will find a hole and have to exploit it by coding it yourself. Plus, a CS degree usually requires a concentration and from there you could select say operating systems. You'll learn from the ground up what makes an operating system tick and that also puts you in a great position for pen testing.

    Leaving your current program should be something seriously thought about. How long have you been there? How much have you already paid? Will your credits transfer? Being in Maryland you have some advantages. One, plenty of schools in the area with the right accreditation for security. Two, plenty of agencies and contractors in the area to work in security. It may be to your advantage to finish the degree and look to a Masters. GWU has a Master in High Technology Crimes Investigations if you are aiming for forensics. I'd assume you have at least a Secret clearance so that alone could write you a ticket to a job. I have a friend who has a CS degree and all helpdesk background who was hired as an Information Assurance Officer (contractor).

    Lots of options, think long and hard about how you want to proceed. Keep asking questions and look into the various areas of security. I find reading books on various security topics really helps you to get a focus on what you would like to do. Good luck!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Turgon Banned Posts: 6,313
    reppgoa wrote: »
    JD,

    What would you say is the field to go into where I would have the most hands-on, techie type of experience? I want to be hacking all day, with minimal paperwork. Does a job like that exist?

    We have a lot of process and structured workflow these days to follow. Also a lot of cover your arse paperwork and audit trail. Measurement is in so you can expect to be generating reports and other paperwork in most IT jobs these days. As a Network Architect there are people below my level who have a good deal of that to cope with, but even I'm not spared completely! A plus point for me is I get an opportunity to define or redefine process to get improvement in.
  • reppgoa Member Posts: 151
    Paladin- You are right, after looking at some of the CCNA material, I would need to do a bit more than a week of studying. I guess I just always kind of considered CCNA as an entry level type cert. Thanks for pointing that out.

    Grinch- Thanks, good points of view. I really just feel as if the degree I am getting is just a piece of paper. We do so little hands on in ANY of my classes. I know that the school is designed for working adults, but I don't feel that standards should suffer because of it, and they do. I pass most of my classes with A's and B's with very minimal effort, and I am not the smartest kid on the block. Also, I have decent coding skillz, but I would like to take a few more classes in programming. I still think that pen testing and network auditing is the path I want to take. With maybe forensics down the road so that working with law enforcement is an option. I am just so unsure right now. I don't want to make the wrong decision, but I don't know what the right decision is. That's life I guess.
  • ConradJ Member Posts: 83
    The CCNA was the entry level cert, but is no longer. It has been bumped up a notch and replaced by the CCENT as being the entry level of the Cisco track.
  • ibcritn Member Posts: 340
    reppgoa wrote: »
    Next up is certifications. I was always under the impression that certs were, while nice, not really respected. So I never pursued them. Since coming to these forums, however, I see that I was wrong. I actually have no certs at this time. I am fairly confident that I could sit A+, N+, CCNA, and Sec+ without much more than studying for a week or so. My question is this. Where do I go from here? C|EH? LPT? Some of the SANS certs? I am unsure.

    I have more questions, but I think this is enough for now. Any and all input is much appreciated. Thanks!

    CEH sure as it meets DoDD 8570 for CND roles

    SANS, SANS, and more SANS you can't go wrong.....the GIAC certs are held very highly among technical security peps who take what they do seriously

    If you want to get serious with hacking have you looked into the OSCP course by Offensive Security? I am going to start mine shortly.

    Also, consider much like you don't start out in Security....you also don't start out in a Red Teaming role....typically you do have to have a defensive security/Sys admin background as not only is it a very difficult role, but people want the best attacking their networks.

    Lastly, you must realize what you are signing up for. I know it's awesome and is the buzz word to do "hacking", but to actually make it into a role like that you better be prepared to dedicate your life to the pursuit of skills/knowledge. You must truly truly love it and not just be interested in it.....how is your situational awareness currently? Do you track "what's going on" in the security field through podcasts, forums, other web sources? If you aren't this is a good thing to change and see if you can handle the amount of free time after work you will have to dedicate to research.
    CISSP | GCIH | CEH | CNDA | LPT | ECSA | CCENT | MCTS | A+ | Net+ | Sec+

    Next Up: Linux+/RHCSA, GCIA
  • Turgon Banned Posts: 6,313
    I personally think being a pen tester is terribly overrated. I have been dealing with pen tests and pen testers for years. It really isn't all it's cracked up to be. I think you are underestimating the CCNA if you think you can crack it in a week.

    If hacking really turns you on then you need to be spending a significant amount of your time playing around in a lab at home. You can learn from books and you should read a great deal but a lot of know-how really comes from *doing*. It's similar to network engineering in that respect. Learn how to use the tools and your way around a Windows and Linux and Unix box. Get awareness of applications and how they *actually* work, and databases. Understand TCP/IP at the socket level and the session, application level. The security field has mushroomed to an extent it has become bloated with semi technical or non technical roles these days so you may find the out and out technical role you crave somewhat hard to come by. A technical degree and some certs would be good, but lots of hands on is important. I should add that there is a lot of competition for very specialised technical jobs in security these days and you are up against some very time served people. But new blood always welcome I guess. Just don't wind up being just another pen tester.
  • Turgon Banned Posts: 6,313
    ibcritn wrote: »
    people want the best attacking their networks.

    I can tell you, we had a third party doing this recently and the fools impacted the production network affecting customers after they had absolutely guaranteed it wouldn't. I guess they need to do some more reading up on their area of expertise..
  • reppgoa Member Posts: 151
    Thanks for all the input guys, keep it coming! I do know that being a top dog in security requires a lot of extra time spent keeping current. That's fine with me. In fact, it's one of the things that really draws me to the job. There is a definite separation between the pro's and the....not so pro's.

    ibcritn: I hadn't heard of that course, I will definitely take a look. Thanks!

    I don't know, I just feel that security is right for me. I tend to have a criminal mentality. I was a criminal for a long time as a teenager, therefore I know how they think and operate. I think that I just need to get my technical knowledge up to par, and then I can really make a splash somewhere. I am really thinking about once I get my degree done, getting heavy into programming. I was talking with one of my network engineers who is pretty versed in assembly, and he really put into perspective what you can do if you know how to program at that level. Very interesting stuff.
  • Turgon Banned Posts: 6,313
    There is more to security than networking, and much more to networking than Cisco, but to get some insights a good start would be the Cisco website and some of the documentation pertaining to IOS security features. JDMurray, Sexion, Keatron, Akharin and Dynamik could probably give you lots of technical advice.