How to start a career in IS Security

InMichigan Registered Users Posts: 1
So I've looked on-line. Called universities. Asked those in the field. I've read the blogs. It seems impossible to figure out how to get into the security world in information systems. No one seems to know the exact path to become an IT security person. There is no "step by step" process that I can find. It seems the only real viable option is to join the military which I suppose somehow gets you invited in the secret society of IS Security. Maybe if someone could teach me the secret handshake, it would help?

Let's say someone was in the process of choosing a career path. For example, a high schooler may determine they're going to be an attorney. They can ask a counselor how to proceed. They may be advised to attend a university in pre-law and then enter into law school. That process should take 6 to 8 years. Once the educational requirements are completed, that person then must take the bar exam. Pretty simple steps, in my opinion. However, whenever I ask someone about becoming an IS security guy, the question isn't so simple. I'm told to read a book. Well, reading a book doesn't lay down the basics of IS. I'm a complete moron when it comes to computers. I do like them however.

Does anyone have any advice on how to proceed? I'm currently a physical security expert but would like to look more toward the IS world. Any help would be greatly appreciated.

Comments

  • routergods Member Posts: 66
    InMichigan wrote: »
    I'm a complete moron when it comes to computers.

    Yikes.... first become VERY good to great with computers. Build a couple, learn how they work, become the "Go To" guy for computer problems. Then start learning about networks. Build a couple, learn how they work.. you get the picture.

    There is no exact path into getting into IS security. There is no secret handshake other than putting in the hard work and knowing the right people.

    I started by attending Defcon. You meet tons of people there and then I was off and running.
  • jamesleecoleman Member Posts: 1,899
    Honestly it could be as easy as getting an internship. I have a buddy who had an internship during his last year of university. His degree is in Network Security. Now he's some security admin at the place he did his internship at, but now it's a full time job. Yeah, when he told me that, I was like "what what?!" He didn't have any experience in the security field before that.

    I think it's safe to say that being a physical security expert is helpful because that is part of IS/IT security. Cameras, locks, mantraps, and so on. Those are pretty important things.

    For education stuff. Just start with the basics and move up. Play with different technologies like IDS/IPS, Firewalls, Antivirus, and so on until you start to figure out what you like and then go for it. It's kinda like making your own path but at the beginning almost everyone has to start learning the basics such as routing and switching, subnetting, ip/tcp packets, and so on.

    If you don't have a security lab, then try to make one. I suggest getting Backtrack 5R3 and Metasploitable. You can either put them into virtual machines or dedicated boxes. Trying to learn how to use tools like Wireshark, nmap, hping3, Nikto, John the Ripper, and so on will help you out too.

    If you're really in Michigan, there is a security conference in Grand Rapids starting next week Thursday and it goes until Friday night. There will be some teachers from the university I attend (davenport) there along with a lot of security professionals. GrrCON the premier midwest information security and hacking conference hosted in grand rapids, mi.
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,667
    You can also try to put yourself in a position that will (eventually) open up InfoSec career opportunities to you. Joining the AF or AFNG with the intention of getting into Cyber Command is one, certainly, but there's no guarantee that you will get in to the CC, or even end up doing a job that you like. Another possibility is joining a big corporation as a physical security or help desk person, getting degree/certifications in InfoSec, hanging out with the IT security people, and then applying for any internal job postings that appeal to you. This is a long-range (2-4 year) plan. There is also the possibility of luck in having a friend that can get you hired into an InfoSec position that you are not qualified for, and you just learn on-the-job.
  • cyberguypr Senior Member Mod Posts: 6,882
    Security is a specialized area of IT which has its own sub areas. There is no one definitive path like law or medicine. You carve your own depending on what your ultimate goal is. In my eyes a well-rounded security professional must know systems, applications, network, platform, policy, law, and a zillion other things. Where do you start? At the bottom.

    You can't secure what you don't understand. Since you don't know much about computers I would start by learning the basics. Windows, Linux, networking, etc. Choose whatever catches your eye and start gaining knowledge on it. An entry level help desk or network related position will allow you to build a solid foundation and will eventually open doors to other opportunities. Definitely work on some certs while racking up experience. A+ may be the right place to start so you can get familiar with computers.
  • dmoore44 Member Posts: 646
    Infosec is a pretty specialized niche within the large IT career field. If you want to get into Infosec, you have to be prepared to take a long view - especially since you're not already working in an IT related field. Like JDMurray and cyberguypr have said, start at the bottom and learn the basics - PC troubleshooting, operating systems, networks, web architecture, etc... Once you know how those work and are confident with them, you'll have a solid foundation to move into an Infosec specialist (as opposed to an IT generalist).
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • grauwulf Member Posts: 94
    Physical security is information security. If you're _really_ good at physical security; lock picking, access bypass, social engineering, process manipulation, things like that, then I'd start off by free-lancing to some pentesting companies. Trust me on this one, very few things make a pentester happier than having physical access to a box.

    If you're interested in getting into the tech side of things then you've already surrounded yourself with potential mentors, by utilizing your current skill-set in a new arena.

    Also: there is no secret handshake. However, the code phrase is "hack the Gibson".

    Happy hunting.
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,667
    As an aside, I ran across a circa 1979 US Army Field Manual for physical security. It actually has a chapter on computer security too. I think the illustrations are from much earlier editions of the same manual. I'm not quite sure what's on the upper lip of the "Computer Wizard."

    FM 19-30 - Physical Security - ENLISTED.INFO
  • docrice Member Posts: 1,706
    Career counselors can't give you a straight line to walk on in order to get into infosec because it's a rapidly-evolving area and it has essentially become a moving target. For many, the field is an abstract because people generally don't understand what computer security is beyond "malware and antivirus."

    It's probably a bit easier these days to get a security career going due to elevated corporate / government awareness and skill demand, but the traditional path is certainly a recommended option (starting from the bottom being an all-around IT guy, assuming you want a technically-oriented career). If you've really searched online well, this kind of information is out there and isn't difficult to find these days. Books have been written about this (such as IT Security Interviews). This forum has discussed this topic quite often.

    Almost no one starts an IT career doing security work, unless you consider helpdesk / password resets a practical form of experience in access control (although there are good lessons to learn such as social engineering issues, etc.). Your existing knowledge in physical security will tremendously help since much of those concepts apply to the digital world. Seeing risks and opportunities from an adversarial point of view is an advantage.

    The many nuances in technology change constantly and it requires a lot of motivation, maintenance, and perseverance to stay current on events and new developments. If you really want to jump start / accelerate / get ahead, you can forget the 40-hour week. I spend at least an hour each day trying to read up on the daily news on top of what essentially ends up being a 70+ hour work week. There's a lot of pressure from all directions including business needs, compliance, real-time analysis / troubleshooting / detection, mitigation, making trade-offs due to budget constraints or prioritized availability requirements, and so on.

    Build your fundamentals on systems and networks. Don't skip steps because it'll come back to haunt you. If you're new to supporting the digital world, it'll take time to get into a role where you're trusted with security responsibilities. Understanding the security part requires the background experience of understanding the process and requirements of planning and deploying technical environments at the client, server, application, and network levels (and you won't be good at all of them). At each step you can learn to fold that into the larger picture of risks and trade-offs that make up the security world.

    If you want to be fluent in the increasingly complex spaghetti mess of moving parts, it will take years but the pay-off is worth it. You probably already have a head-start compared to peers who are just starting to think about some kind of career ... but you will have to push yourself for it through a lot of hard work and self-guided interest.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • the_Grinch Member Posts: 4,164
    All about getting a foundation in the technology you want to secure. As you are learning, there is no solid path to security as everyone got into it in their own way. I have a degree in computing security and took the gauntlet of security courses, but the lack of experience kept me out of the industry. Physical security is definitely a great skillset to have so definitely play that up. I'd start studying for Security+ because with your current skillset it shouldn't be too difficult to complete.

    The military is an option, but you have to remember that just like in the corporate world IT people are seen as all the same. The Air Force has a number of positions, but some of them are really policy only positions. If I were to join up, I would look at the Navy rating CTN. That is a true computing security position and more than likely you will do security related work. The other big thing is the security clearance; that alone could get you a security position with just a little skills in computers.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • NetworkVeteran Member Posts: 2,338
    InMichigan wrote: »
    Called universities... It seems impossible to figure out how to get into the security world in information systems.
    Call better universities. Look for ones with Information Security programs. There are dozens. Work with your professors and seek internships for experience. The security chair at my alma mater, at least, provided clear pathways in that direction. That was true even if you took a CS or EE degree and the security courses as electives. :)
  • BMO Member Posts: 11
    If you choose to go into the military make absolutely sure that your occupational speciality is EXACTLY what you want or you could spend years doing a job you didn't want to. Recruiters can be misleading. Their promotions are based off of how well they recruit and there can be stiff penalties for not doing well. So right off the bat they have an incentive to rush you in asap. Also, you might want to get a college degree first or you'll be enlisted and could end up spending a significant amount of your time picking up cigarette butts and other crap work. Officers however never do any of that and they get paid significantly more (like double the salary). You'll also be much more likely to do the type of higher level IS work if you get the right occupational speciality. Do your research.
  • SephStorm Member Posts: 1,732
    I won't say BMO is exactly right, but he's in the ballpark. IT in the military is a tossup. 25 series does IT in the Army. Officially it's 25B, but I've got 25 everythings working with me on the helpdesk right now.

    If you want to do CNO in the Army 35Q is the way to go. There are a few other MOSs with their hands in the pot but officially it's 35Q.

    Air Force: There is a Cyber Surety ASFC in the AF, I have never met one, but it is safe to guess you might get a chance to do your job, the AF is very job based from what I hear, they expect you to be competent.

    Navy: CTN is what I hear works in this area. I swear if I had seen this rating earlier....

    Marine Corps: Based on my knowledge, no initial entry MOS does cyber; there is a communications MOS that does cyber work, but I believe you have to be an E6 or above to go for it. Regular Communications is the 06 field. Like the above user stated, be careful when enlisting in branches that do not guarantee a specific MOS. An occ field is not an MOS.

    Anyway, I'll get off that horse.
  • Michael2 Member Posts: 305
    Given your physical security background, I think your best bet would be to start an offsite storage facility.
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 11,667
    I know physical security people who really like working in the Disaster Recovery business. You might check that field of InfoSec too.
  • BMO Member Posts: 11
    SephStorm wrote: »
    I won't say BMO is exactly right, but he's in the ballpark. IT in the military is a tossup. 25 series does IT in the Army. Officially it's 25B, but I've got 25 everythings working with me on the helpdesk right now.

    Having spent 11 years in the Army I do know a little about what I'm talking about. You don't have any control over what position you land when you join the military, only your occupational specialty. I am a 25 series myself. 25B is basically a help desk technician, the Army's Geek Squad if you will. Sometimes you will get lucky and can work in a help desk; other times you could end up in a crappy office job for 3 years waiting to PCS to a better position. If you really want the good IT stuff in the Army then you need to go Warrant Officer 251A or 250N. I was this close to becoming a WO. Had my packet in and everything, then I jacked up my back and was put out. Since the OP is specifically looking for security positions, his best bet is to look to upper management security positions and not grunt work.

    Edit: To clarify what I meant about the recruiters earlier. They may have changed it but to get promoted from E5 to E6 you used to have to get a certain number of people enlisted, I can't remember the number. This may have changed since then. And I personally heard an E7 recruiter tell a kid who was looking to get into IT "Yeah... the Army doesn't really have computer jobs because we don't really use computers much in the Army." and then tried to push him to go infantry. True story.
  • jasong318 Member Posts: 102
    Here's a pretty good article on getting started in infosec...