I am lost, confused.. begging for your help experts.."Security job position"

FiR3xFiR3x Member Posts: 24 ■□□□□□□□□□
Hi forum. First let me introduce myself, at least my background knowledge. I am an undergraduate student, my course is electronics and computer engineering, I love security from every angle, I wasted a couple of years doing nothing. However, I have one year left to graduate. The modules that I studied on the computer engineering side were:

-Networking (TCP/IP & OSI) basic background
-JAVA programming (advanced)
-Assembly & CPU programming

Need to mention that this year 2011-2012 I dropped out of university and am working for experience (6 months contract), will go back to university (college) in 2012-2013, so hopefully will graduate June 2013. For now I am so confused, I'm begging for help, so it starts this way: after I dropped out of university I worked (still working) for a company, on Linux operating systems. When I first started, I did not know anything about Linux, not even how to type a single command, or even make partitions on the system. Well, I worked it out and by now have some basics on running and configuring a Linux system (installing, shell scripting ...etc). When I get back home, I do self study, preparing for the CCNA cert, and I have also enrolled for the cPPT course online (elearnsecurity.com). This course is very similar to CEH only it's better (my opinion), but it's not known as CEH. I only took it to get the knowledge; note that I did not have any security background before going for the cPPT course, still managed to go through it after suffering. By now you do know what knowledge I've got or "intend" to have. My main goal is "Security", I love pentesting, especially when it comes to networks, also OS. Now I am confused how after learning topics from different fields will end up on getting a security position job!!

What I know is that I:

-Can program in java (advanced)
-Currently Studying and preparing for CCNA
-cPPT certified, "Just like CEH"
-Have essential background of Linux "planning to get an administrator cert from LPI"

Now how on earth am I gonna end up in a security position? Is Cisco and Linux related to each other in a real job? Does CCNA and LPI help together to achieve something? Even if I mastered Cisco and Linux from the security side? Plus, after getting CCNA and LPI, I don't really know what cert to go for next? The most time I enjoy is when I set a pen testing lab at my place and spend the whole day looking at how those packets loop trying to exploit the network and the system. What do you suggest for me? After graduating I will end up with my electronics and computer degree + CCNA + cPPT + LPI, will go for a network job related to Linux maybe? But that can't happen I guess since I will be only working with the help of my CCNA cert for networking jobs, which will result in working with Cisco systems only and not Linux, but I guess after that I could move into network security? I know my thread is messy & sorry for that, I have been reading about certs and jobs for months now, I really need advice and would be very thankful.

Thanks all :)

Comments

  • YuckTheFankeesYuckTheFankees Member Posts: 1,281 ■■■■■□□□□□
    Don't fall into the "sexy" I.T. job trap. Yes a lot of I.T security jobs sound awesome but a good amount of them are the opposite of what you actually think. Just be aware, I found out the hard way with computer forensics.
  • FiR3xFiR3x Member Posts: 24 ■□□□□□□□□□
    Thanks for the links
  • FiR3xFiR3x Member Posts: 24 ■□□□□□□□□□
    Don't fall into the "sexy" I.T. job trap. Yes a lot of I.T security jobs sound awesome but a good amount of them are the opposite of what you actually think. Just be aware, I found out the hard way with computer forensics.

    Do you really think I want to work in the security field for the rest of my life just because I saw a movie? :p
    What did you do working with computer forensics?
  • YuckTheFankeesYuckTheFankees Member Posts: 1,281 ■■■■■□□□□□
    A lot of people want to be a pentester because it sounds cool to "hack", not because of the movies. I myself was one of those people, then I began to find out what penetration testers actually do.

    "what did you do working with computer forensics?"
    I had/have an internship as a junior computer forensic analyst..I'll be posting a review of my experience in about a week.
  • FiR3xFiR3x Member Posts: 24 ■□□□□□□□□□
    "Secure" sounds to me a lot cooler than "hack". If you notice, most of the people who want to learn security try to avoid learning how to program or getting into complicated details. For me, I'm already a programmer and I like everything about computers, administering.. engineering.. securing.. networking.. programming.. and the list goes on, of course I prefer some fields over the others. I liked I.T security in general when I was young, by the way if you read my post I'm more into networking security and that itself is broad.
    Looking forward to that review, in detail please :D
  • YuckTheFankeesYuckTheFankees Member Posts: 1,281 ■■■■■□□□□□
    That's awesome you're already a programmer. I wish I started programming in high school. I've bought a couple C++ and python books, but I can't motivate myself to finish the books.
  • jdubb45jdubb45 Banned Posts: 20 ■□□□□□□□□□
    Just have fun and enjoy the ride. I'd say with your advanced programming experience that you are on your way. Is Cisco the way you want to go? Are you wanting to setup IDS/IPS, firewalls, VPNs, VOIP systems etc? In my opinion since you are already an advanced Java programmer why not go for a secure coding track? Not saying routing/switching isn't important because it is, but do you need to go for Cisco exclusively to gain advanced routing and switching concepts? Web application testing | fuzzing/secure coding is in high demand especially with all the different platforms out there today.

    ***Docrice cracks me up with that paying your dues stuff. I wish the US Army and the Corp world really had your mentality! Boy do I. Tell that to the SGT major with 24yrs experience who has to stand at attention for a 24yr captain with a BA degree in anthropology with no real life military experience. Tell that to the MSCE with a BS degree with 15yrs exp, who keeps getting dodged for a Sr. level admin position because he doesn't have a MBA and doesn't want to suck up. How long is long enough. I also do realize people make choices in life. ****

    I also admire your principles and wish more people thought like that! Unfortunately I have seen a lot different. I've seen highly qualified people get passed by, because of their inability and non desire to play corporate politics. I've seen truly unqualified persons (which everybody knows who they are because they surely gossip all day about them) with ABC soup and an MBA who don't mind breaking a persons spirit or unloading work on them to get moved to the top, and in record time.
  • FiR3xFiR3x Member Posts: 24 ■□□□□□□□□□
    jdubb45 wrote: »
    Just have fun and enjoy the ride. I'd say with your advanced programming experience that you are on your way. Is Cisco the way you want to go? Are you wanting to setup IDS/IPS, firewalls, VPNs, VOIP systems etc? In my opinion since you are already an advanced Java programmer why not go for a secure coding track? Not saying routing/switching isn't important because it is, but do you need to go for Cisco exclusively to gain advanced routing and switching concepts? Application testing | fuzzing/secure coding is in high demand especially with all the different platforms out there today.

    I do however admire your principles and wish more people thought like that! I have the same values but unfortunately I have seen a lot different.

    I actually wanna go for Cisco to get a foot into networking, and yes I would love to have experience with "setup IDS/IPS, firewalls, VPNs, VOIP systems...etc", remember that Java also implements Cisco systems. I would prefer to get experienced in Networking, OS "Servers", programming "other languages" first, then move to Security. How will I be securing networks without a solid knowledge of OS's? And vice-versa.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Security is one aspect of an overall operation. You might make recommendations as to what others should do, but it's not necessarily the case that you are going to be telling others what to do. Security just happens to be getting hotter at the moment because of all awareness of the threats and digital missiles coming our way with our current defenses being generally inadequate due to previous complacency or risk decisions. It all folds into an overall mission and security isn't necessarily an elite area.

    Your programming background is a good thing, but based on my impressions, what's taught in academia and how it works in the real world (which can be really sloppy) could be very different. You'll find that doing security work amounts to a lot of stress due to political infighting, bureaucratic inefficiencies, cost-cutting, and generally just keeping up with the updates and changes that are constantly being thrown at you. It's a full-time job to do the work, and it's another full-time job to keep your head above water on other realities around you with news and other developments. This is not to be taken lightly.

    If you want to do the software route, there are jobs out there but it'll take time to get to the point where you're ready for it:

    http://www.clearancejobs.com/jobs/1536410/cyber-software-engineer-2

    The diversity and complexity depth of infosec is large enough that you won't be able to tackle all of it. You should dabble in a little bit of each (reading through the materials, etc.) and find your path, keeping in mind that you may want to change course later. That's probably not uncommon either.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • jdubb45jdubb45 Banned Posts: 20 ■□□□□□□□□□
    That is awesome! I agree it would make sense to understand the device in which you want to secure.

    ***On a funny note how many of us at 3+/- yrs old would have been able to ride our bikes if our parents first told us the prerequisite to them guiding us to take the first stride was to have a solid knowledge of first aid, bike laws, Physics, etc? You would be 15yrs+ old before you could have been able to ride it.**** standardization at its best...lol
  • FiR3xFiR3x Member Posts: 24 ■□□□□□□□□□
    That's awesome you're already a programmer. I wish I started programming in high school. I've bought a couple C++ and python books, but I can't motivate myself to finish the books.


    I started programming at College. Learning Java needs passion, once done other programming languages become easier to learn (my opinion). I also did machine programming "Assembly", not in depth. However what most attracts me about Security is the need of having solid knowledge about different fields; Networking/OS's "Servers"/Programming.. etc, which makes you different from the others, " you tell the people what to do ex'Administrator' ". Also when having that solid background, then getting experienced in the security field, you are easily offered a manager position (at least where I live)... my uncle is the head manager of a USA government Networking Department, he told me by word: "Security is the Future".
  • jdubb45jdubb45 Banned Posts: 20 ■□□□□□□□□□
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    As others have said, get a firm foundation in something and then look to begin to secure it. Networking is a must because without networking knowledge, you'll be weak in other areas of security. It can be tough to get into security right off the bat, so getting experience in IT would be the name of the game and then move into the security arena.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • chopstickschopsticks Member Posts: 389
    YuckTheFankees wrote: »
    A lot of people want to be a pentester because it sounds cool to "hack", not because of the movies. Myself was one of those people, than I began to find out what penetration tester actually do.

    "what did you do working with computer forensics?"
    I had/have an internship as a junior computer forensic analyst..I'll be posting a review of my experience in about a week.

    Can you share how bad is it being in the IT Security field?
  • nicklauscombsnicklauscombs Member Posts: 885
    chopsticks wrote: »
    Can you share how bad is it being in the IT Security field?
    as with any job it's only bad if it's not your passion. though i do think good points are made in here especially in regards to how certain aspects of infosec are put on a pedestal and made out to be more glamorous than they really are.
    WIP: IPS exam
  • YuckTheFankeesYuckTheFankees Member Posts: 1,281 ■■■■■□□□□□
    @chopsticks,

    I wasn't trying to say InfoSec is bad but like nicklauscombs said "infosec are put on a pedestal and made out to be more glamorous than they really are". I still want to get into the InfoSec field but I am no longer aiming for a pentesting or computer forensic job. For example: I don't know what you know about computer forensics, but do you find sitting in front of a computer for 6-8 hours a day bookmarking and reviewing information that might not mean anything, but you need to bookmark it just in case...then another 2-4 hours writing a report. I found talking to the client or lawyer as the most interesting part but once you get into the actual work, I found it very boring. But that is just my opinion, so take it with a grain of salt.

    SANS put out a list of the "20 coolest Information Technology jobs" ( http://www.sans.org/20coolestcareers/ ) and the #1 and #3 jobs are held by computer forensic positions. With my personal experience, I tried computer forensics and it definitely wasn't what it was made out to be...I can only imagine what the other positions are like...going back to what nicklauscombs said "infosec are put on a pedestal and made out to be more glamorous than they really are".

    Within the next week or so, I will post a more detailed description about my computer forensic internship experience.
  • chopstickschopsticks Member Posts: 389
    @nicklauscombs & YuckTheFankees, noted with thanks.
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    It's interesting to me that so many people find Infosec glamorous. My experience has been that infosec teams are not generally very popular within a company. Infosec teams can be seen as a hurdle (if not marketed correctly) to business. And other employees place infosec in the same category as the legal department and HR.
  • afcyungafcyung Member Posts: 212
  • FiR3xFiR3x Member Posts: 24 ■□□□□□□□□□
    paul78 wrote: »
    It's interesting to me that so many people find Infosec glamorous. My experience has been that infosec teams are not generally very popular within a company. Infosec teams can be seen as a hurdle (if not marketed correctly) to business. And other employees place infosec in the same category as the legal department and HR.

    Are you referring to all the security teams in all different kinds of companies at all geographical areas? ;)
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Infosec might feel glamorous if you envision yourself doing digital kung-fu in your organization's network matrix or if you're one of those rare star researchers who presents highlighted talks at conferences. But in general, security teams can be considered a nuisance since they "make it difficult to get the job done." Many times the only reason why a business might have an infosec team is compliance - something that satisfies the due diligence checkmark. Lame, yes, but security is generally seen as a cost of doing business rather than an obvious profit center.

    And specialized security equipment as well as training isn't cheap. No doubt the folks who manage the purse strings are keenly aware of this.
  • FiR3xFiR3x Member Posts: 24 ■□□□□□□□□□
    docrice wrote: »
    Infosec might feel glamorous if you envision yourself doing digital kung-fu in your organization's network matrix or if you're one of those rare star researchers who presents highlighted talks at conferences. But in general, security teams can be considered a nuisance since they "make it difficult to get the job done." Many times the only reason why a business might have an infosec team is compliance - something that satisfies the due diligence checkmark. Lame, yes, but security is generally seen as a cost of doing business rather than an obvious profit center.

    And specialized security equipment as well as training isn't cheap. No doubt the folks who manage the purse strings are keenly aware of this.

    I think you're talking about non-IT based companies here? IT based companies would have a better environment if I'm not wrong.. and if I am, what are you trying to say? Stay away from the security field because it's boring? Useless? Unreal?
  • nicklauscombsnicklauscombs Member Posts: 885
    FiR3x wrote: »
    what are you trying to say? stay away from security field because its boring? useless? unreal?
    all we are saying is make sure you have realistic expectations for any career choice (infosec, networking, systems, etc....).
  • tpatt100tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    You could just play "Who are you" by Pete Townshend really loud right before you start reviewing some log files. Maybe put some protective eye wear and a lab coat also. That would allow you to get more into it lol.
  • zrockstarzrockstar Member Posts: 378
    all we are saying is make sure you have realistic expectations for any career choice (infosec, networking, systems, etc....).

    Yes, you can find a lot of threads around here of people wanting to get into security and pentesting because they think it is all 007 work. A lot of people don't realize it is a lot of coding and scripting, Linux, and repetitive work of hitting a wall a thousand times before you get somewhere. Yuck is referencing movies because it is just like all those shows where somebody pops open a laptop and it's got some fancy UI on there flashing *ACCESSING* 10 times then all of a sudden you are backdoored into the CIA database. The reality is the job is wildly different from that. Granted I have never worked in security, so I have no experience to tell you first hand. But I have seen many threads come and go and come back again of people asking this question, and it is funny when you see some of them of people wanting to get into security because they don't like programming, or because it looks fun, or because they know the certs pay a lot. Like mentioned before, this has to be your passion, and it sounds like you are pretty passionate about it, and it sounds like you already know some Linux and programming, so it is probably a good fit for you. Just give it a shot, buy some books, see how much you pore over them. If it feels like homework for you then get out, if you are reading a tech manual like it is a novel that keeps you on the edge of your seat, you might be getting somewhere.
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Best way to think of it is, do you like paperwork? Any security related position is going to be all about paperwork. I've worked with various law enforcement personnel at the local, state, and federal levels. The best analogy I can think of is everyone wants to be a Special Agent at <place the agency here>. In the movies it is all run and gun, you never see this guy doing paperwork, just see him kicking in doors and getting in shootouts. But when you take the time and talk to a Special Agent, you learn the truth. It's 95% (probably more) paperwork and legwork for an investigation. It's always a small blip at the end of a dramatic news story where they say "after a two year investigation." Security is a lot of the same, 95% investigating/compliance/paperwork and 5% running and gunning.

    It just so happens that I actually enjoy the paperwork and compliance type stuff. At my last job I was allowed to run the PCI Compliance for one of our customers and I really liked it. It's nice to do some patching, clear up an issue, and then have paperwork to show hey we're in the clear go make money. And believe me, you save a company from a fine of a couple thousand dollars they'll really like you then ;) Also, I think it is up to the security department to show that they aren't a bunch of "no" people. Obviously, yes there are times when the answer will be no, but there is a way to articulate it so that it doesn't seem like you are hampering the business. During a PCI Compliance audit there were a number of changes that we would need to make and the customer was none too happy about it. Once I explained that it was all covered price wise, that it would make their business more secure, downtime would be minimal, and that they faced heavy fines/lawsuits by not falling within compliance it was funny how happy they were to make the changes.
  • FiR3xFiR3x Member Posts: 24 ■□□□□□□□□□
    the_Grinch wrote: »
    Best way to think of it is, do you like paperwork? Any security related position is going to be all about paperwork. I've worked with various law enforcement personnel at the local, state, and federal levels. The best analogy I can think of is everyone wants to be a Special Agent at <place the agency here>. In the movies it is all run and gun, you never see this guy doing paperwork, just see him kicking in doors and getting in shootouts. But when you take the time and talk to a Special Agent, you learn the truth. It's 95% (probably more) paperwork and legwork for an investigation. It's always a small blip at the end of a dramatic news story where they say "after a two year investigation." Security is a lot of the same, 95% investigating/compliance/paperwork and 5% running and gunning.

    It just so happens that I actually enjoy the paperwork and compliance type stuff. At my last job I was allowed to run the PCI Compliance for one of our customers and I really liked it. It's nice to do some patching, clear up an issue, and then have paperwork to show hey we're in the clear go make money. And believe me, you save a company from a fine of a couple thousand dollars they'll really like you then ;) Also, I think it is up to the security department to show that they aren't a bunch of "no" people. Obviously, yes there are times when the answer will be no, but there is a way to articulate it so that it doesn't seem like you are hampering the business. During a PCI Compliance audit there were a number of changes that we would need to make and the customer was none too happy about it. Once I explained that it was all covered price wise, that it would make their business more secure, downtime would be minimal, and that they faced heavy fines/lawsuits by not falling within compliance it was funny how happy they were to make the changes.


    Security field is broad, is it possible that they all work the same way in a real job? "Network security engineer/Cyber Security System Engineer/Security Analyst/ethical hacker/firewalls/web app..........etc" when you said %95 paper work did you mean all security jobs? ;)
  • FiR3xFiR3x Member Posts: 24 ■□□□□□□□□□
    all we are saying is make sure you have realistic expectations for any career choice (infosec, networking, systems, etc....).

    Ok I'll tell you what I expect from working in a security position. Right, so I'm given a system, on whatever I'm specialized in, and I'll have to experiment with that system, looking for bugs, exploits...etc, then write a report based on that. That's my general idea, am I expecting it correctly? In other words, hack/secure whatever you're given.
  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    For the position I'm in, I wouldn't say it's 95% paperwork. That's a pretty extreme percentage. But there is still a considerable amount of documentation involved. Most of my work is hands-on in terms of deployment, troubleshooting, investigating, analysis, evaluations, etc. A good chunk of my time is spent aggregating information into an event tracking system or emailing or diagramming. Part of the overall fun. I think far too many people who are outside of infosec looking in see a much glossier picture than it really is. I've worked for technology companies for almost all of my career and in general it turns out to be more mundane when you get on the inside.

    It's like being in a nightclub with all the colorful lights moving about and seeing someone of the opposite gender who's really attractive across the room. Then when you get up close or walk outside with her ... reality hits.

    Well, maybe it's not necessarily that dramatic. You just need to understand that practically any security position is going to require a lot of "tedious" work in some aspects. It's not all keyboard time.