
Advice on possible security career

Madmd5 Member Posts: 83
Hello, all! I am new to this thread although I have been reading many posts for the past month or so about various certs and career paths. I am currently a full-time student about to get an associate's degree at community college, then I plan to pursue a bachelor's degree in cyber forensics & information security at a 4 year college. In the meantime, I have been reading numerous threads here and obviously came to the conclusion that certs are also very important to have in the IT world. My interest is in security, specifically in network security. I have also read articles online that say network security is a declining career, do you all agree? I do want to get involved in network security, but if the job market in a few years isn't that great, I may pursue another area of infosec. I currently have no certs at the moment, but I am planning on getting CompTIA A+ within a few months from now, along with N+ (accomplished through course at my school), and Security+. What do you guys think would be the best route after I study and hopefully receive those three certs? Now I have read many posts and I realize nobody starts out in a security career, you start from the bottom up, and that's why I'm planning on getting my A+ to hopefully land me a help-desk position fairly soon. I just want to have a general route to follow during my college career and was wondering what you guys think is the best cert path for someone that wants to get involved in network security someday.

Thank you in advance for your advice!

Comments

  • docrice Member Posts: 1,706
    I work as a network security engineer and it's the busiest job I've ever had. I don't see how this could be a declining career path at all. "Network security" encompasses many things from infrastructure to services and applications and there's a lot of emphasis at the moment on web apps. It may be substantially more evolved in the years to come.

    As it stands now, once you gain sufficient years at the ground level doing systems / network admin work, you'll have the fundamental core knowledge to do network security but there are still many specializations. You could be a network security generalist or possibly something much more specific like intrusion detection analyst, incident handler, web app pentester, etc. The field is evolving quite rapidly and what's normal or complicated today may be dated and simple in the future.

    After Security+, many people do the CISSP. For network security in general, I'd also recommend the CCNA, GSEC, and certs related to the vendor equipment you may use to be effective on the specific job you're hired for. I'd also recommend vendor-neutral certs such as the ones from GIAC - the GCFW and GCIA are such examples. That's more related to traditional network infrastructure. If "network security" for you involves server-side, then the Windows and Unix related pursuits are advisable.

    Now that said, currently in the infosec field many of us don't really give much credibility to certifications. They help, but after a while it's more about what you can deliver rather than the letters after your name. That means you'll be evaluated on your attitude, mindset, and general aptitude rather than the framed pieces of paper hanging on your wall. Some places may have HR-based requirements as checkboxes for certain certifications (and HR often doesn't understand any of it and the associated real context), but doing the job itself will come down to your real-world abilities more than anything else.

    I can't speak for other areas of the IT industry from a career perspective, but being in security requires a lot of upkeep. You have to stay on top of your game, read industry news every day, be sensitive to the changing threat landscape, be critical and scrutinizing in your evaluations of vendors and their products / services, and adopt a constantly vigilant attitude. This all comes with a price of updating your training, time spent reading up on the latest issues, and managing a lot of details.

    It can be fun, but only if you're ready for the workload and the constant uphill battles you'll face with selling ideas to management, justifying budget, and helping ensure compliance.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • paul78 Member Posts: 3,016
    I would be curious to see where you read that network security is a declining career path. If you could share some links, I would appreciate it. It's been my suspicion over the past few years that network security (as narrowly defined in Wikipedia - Network security - Wikipedia, the free encyclopedia) should be declining. But I have never actually seen any actual metrics. As network technologies become mature and simple to deploy, in theory the number of persons with network skills becomes more abundant; I would expect that network security skills will also become a commodity.

    But that said, I also believe that infosec careers as a whole are likely to increase as Internet access continues to globally become more ubiquitous.

    I strongly echo docrice's sentiment that in the infosec field, little credibility is given to certifications. I work in information security management. And while most of my peers do hold some certifications, mostly ISACA and ISC2 certs, the certs that I hold I have obtained as an afterthought. I didn't actually hold a single cert until after about 23 years in IT. My recent interest in certs is primarily driven by my discovery that certs offer a structured and easy approach to continued learning with a knowledge challenge as part of the exam.

    I find that to be successful in information security, having a good foundational knowledge of various technologies helps very much. Technical knowledge isn't the only way into an infosec career; it takes a very broad set of skillsets to make up a large enterprise risk and infosec organization. For example, I work with people from a variety of backgrounds including law enforcement, legal, project management, audit, etc. The more successful individuals have a combination of broad expertise.
  • tpatt100 Member Posts: 2,991
    Security is so wide and varied in the types of jobs that it's kind of hard to determine what will help you or not. There is the forensic pen test area, the network auditing area, firewalls, IDS, etc.

    Like paul78 mentioned, having a good foundational knowledge helps. Certs? Not sure I think it helps but if you are pursuing certs and you don't have experience in systems administration I really don't see how earning a degree in Information Security will even help. I think some companies that don't know any better might give somebody a shot if they see certs and an Infosec degree but I know for myself I would get destroyed in interviews. Well, destroyed if I interviewed in front of somebody that knew anything.

    Last couple of jobs I interviewed for I always get asked scenario questions and anybody with half a brain can tell when somebody is giving a book answer and somebody that keeps up to date on security practices, current events and has a sys admin background.

    The scenario questions are where they determine what your experience level is and how much of a creative thinker you are. I am able to give dozens of examples where I can show I had experience in different areas and where I am not that experienced in but can figure it out eventually.

    I am not that big on schools creating Infosec degree programs at the bachelor level or even Masters (yeah I know I am getting one soon but it was 12 years after I started in IT) I think as a minor with an emphasis on systems administration and some courses in ethics, legal, administrative security would be a better choice.
  • dmoore44 Member Posts: 646
    Certs are a good way to validate experience to an employer, but the entire purpose behind them is knowledge validation - not as an avenue to quickly learn the absolute basics of a certain body of knowledge. Certs are useful to get your foot in the door, but practical and demonstrable knowledge is absolutely necessary.

    As all the previous posters have stated, the best way to get into security is to start off as an administrator (i.e. systems administrator, network administrator, etc.). When you've mastered being an administrator, then you'll be able to successfully move into security. The best way to think of it is this: you need to know how something works before you can tell where security holes are.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • Madmd5 Member Posts: 83
    Thank you all for your advice on my questions! I definitely will look into network or system administration because you guys said that's the starting point for security professionals. And @paul78 the site I found for the information on declining career is here. Now I know obviously one person's opinion on a security career profession doesn't carry much weight, but I did think it was an interesting read either way. And @docrice thank you for some possible certs to look into! I actually was considering getting my CCNA, and GCIA and possibly others along the way. I do have a background in computer forensics and I'm going to be receiving a certificate at my current college in the spring so hopefully that will help me.
  • pinkydapimp Member Posts: 732
    I agree with the above. Work on your foundational knowledge. Then focus on which aspect of security you want to get into because there are sooo many directions you can go. And as said above, the security field is not going anywhere. I would actually say it's probably the fastest growing area of IT.

    Some of the areas are:
    • Access Control – a collection of mechanisms that work together to create security architecture to protect the assets of the information system.
    • Telecommunications and Network Security – discusses network structures, transmission methods, transport formats and security measures used to provide availability, integrity and confidentiality.
    • Information Security Governance and Risk Management – the identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.
    • Software Development Security – refers to the controls that are included within systems and applications software and the steps used in their development.
    • Cryptography – the principles, means and methods of disguising information to ensure its integrity, confidentiality and authenticity.
    • Security Architecture and Design – contains the concepts, principles, structures and standards used to design, implement, monitor, and secure operating systems, equipment, networks, applications, and those controls used to enforce various levels of confidentiality, integrity and availability.
    • Operations Security – used to identify the controls over hardware, media and the operators with access privileges to any of these resources.
    • Business Continuity and Disaster Recovery Planning – addresses the preservation of the business in the face of major disruptions to normal business operations.
    • Legal, Regulations, Investigations and Compliance – addresses computer crime laws and regulations; the investigative measures and techniques which can be used to determine if a crime has been committed and methods to gather evidence.
  • Madmd5 Member Posts: 83
    @pinky thank you for showing me some of the areas of security and I'm sure there are many more. I do have experience in computer forensics which I think will be helpful, and the major I'm pursuing now requires me to take general Information System courses which give me a foundation in many areas, which is important, as you said. So it sounds like I still have time to really figure out what area of security interests me and is worth pursuing.
  • paul78 Member Posts: 3,016
    @madmd5 - thanks for the link. It is certainly an interesting read. And in a lot of ways, echoes my own sentiments a bit more clearly. The last bullet regarding application and bot threats is where I tend to see the most issues. One of the reasons why I am a big proponent of training more software engineers in security practices.

    Btw - if you have not seen the list provided by @pinky before - do spend some time at www.isc2.org. The domains listed are the requirements to earn a CISSP designation.

    There is also good reading at SANS Information, Network, Computer Security Training, Research, Resources. The whitepapers are a good introduction.

    Anyways, welcome to TE. I hope you enjoy your trip.
  • Madmd5 Member Posts: 83
    I do have another question: would a career in network forensics and forensic examiner be the same or different in duties?
  • kurosaki00 Member Posts: 973
    Good post, it's good you know at least the basics about where to start. A lot of people think they can jump just right in. I'm sure there are cases but you need some experience. Why?
    Well, how can you trust someone to secure your network when the guy hasn't worked in one.

    Pinky has a lot of areas where you can focus in security.
    You should focus on gaining experience in different areas, in desktop if you want to go to system sec or related
    or get in a NOC for example if you want to end up in network security related fields

    Before or while you do that, get your basic certs and knowledge, like A+, Net+, CCNA, MS ones, Sec+
    Then while gaining experience study for your security certs and about security subjects

    You got a lot of info in this thread
    meh
  • Madmd5 Member Posts: 83
    What exactly is a NOC job? So it's related to networking obviously, but is it also possible to obtain a NOC job with no experience in an IT job before?
  • StephenOnTheGrid Banned Posts: 27
    My take is don't study a path that is quick and where there is a dime a dozen in the field. I see there is a need for more developers than just techs or network admins.
  • kurosaki00 Member Posts: 973
    My take is don't study a path that is quick

    Infosec quick?

    ----

    To OP
    NOC = networking operating center
    Yes, it's possible to land it without previous experience. But a good Net+ and A+ would help you a lot.
    But in the one I work for we have people from 1-2 years of college to made professionals
    meh
  • tpatt100 Member Posts: 2,991
    I think "quick" might mean one cert or extremely focused job role wise. I have worked places where "Security" was running scans all day and putting files on a network share.
  • Madmd5 Member Posts: 83
    So if I stay on my general outlined course (below) when do you guys think would be the best time to get some Microsoft certs in there and what ones would suit me best if I want to eventually get into a security field, possibly network forensics?

    currently: no certs or relative IT experience
    Spring 2013: pursue CompTIA A+
    Spring 2013: receive my associate's degree
    Spring 2014: pursue CompTIA Network+ (offered as course in my degree program)
    Spring 2015: pursue CompTIA Security+
    Spring 2015: receive bachelor's degree in Cyber Forensics & Information security

    I also plan on taking Cisco certs down the road at some point
  • pinkydapimp Member Posts: 732
    Madmd5 wrote: »
    So if I stay on my general outlined course (below) when do you guys think would be the best time to get some Microsoft certs in there and what ones would suit me best if I want to eventually get into a security field, possibly network forensics?

    currently: no certs or relative IT experience
    Spring 2013: pursue CompTIA A+
    Spring 2013: receive my associate's degree
    Spring 2014: pursue CompTIA Network+ (offered as course in my degree program)
    Spring 2015: pursue CompTIA Security+
    Spring 2015: receive bachelor's degree in Cyber Forensics & Information security

    I also plan on taking Cisco certs down the road at some point

    I would work in a CCNA prior to graduation. In fact, you should do that right after your Net+ because there is overlap in the material. Then do the Security+ and then the CCNA Security (again, overlap). Between those and your bachelor's you should be in good shape with strong foundational knowledge and hopefully some experience during those 2 years as well.

    Good luck!
  • Madmd5 Member Posts: 83
    @pinky Thank you so much, you really helped me outline a plan for me and I appreciate that! You wouldn't recommend any Microsoft certs though? Even basic certs?
  • docrice Member Posts: 1,706
    Network security can very potentially involve Microsoft technologies. If you foresee yourself dealing with them, I'd consider pursuing at least one or two exams to get you going. It's not "necessary," but at least reading through the material is a good thing. Performing vulnerability scans typically involves evaluating risks on server / client hosts. There's a lot of "contextual" considerations where network and systems risk assessment come into play.

    Take network intrusion detection as an example. If your IDS alerts that a machine inside your network received a specific exploit, to better measure potential impact you need to factor in whether the attack only affects Windows, Linux, or other. Other items such as patch levels, server configuration, client share permission settings at the time of attack, etc. all need to be considered to reduce the chance you go on a wild goose chase on a false positive event. Knowing how the auditing logs are recorded / tainted is also something one needs to think about.

    And so on...
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
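
docrice's point about weighing an IDS alert against the target's platform, exposed services and patch level, sketched as an added example that is not part of the original thread. All names, addresses, signatures and patch identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    dst_ip: str
    dst_port: int
    signature: str
    affected_os: frozenset  # OS families the exploit works against
    fixed_by: str           # patch that closes the hole (placeholder id)

@dataclass
class Asset:
    os_family: str
    patches: set = field(default_factory=set)
    listening: set = field(default_factory=set)

# Constructed inventory; in practice this must reflect host state
# at the time of the attack, not at the time of triage.
INVENTORY = {
    "10.0.0.5": Asset("windows", {"PATCH-EXAMPLE-1"}, {445, 3389}),
    "10.0.0.6": Asset("windows", set(), {445}),
    "10.0.0.7": Asset("linux", set(), {22, 80}),
}

def triage(alert, inventory):
    """Return (priority, reason) for one alert using host context."""
    asset = inventory.get(alert.dst_ip)
    if asset is None:
        return "high", "target not in inventory, impact unknown"
    if asset.os_family not in alert.affected_os:
        return "low", f"host runs {asset.os_family}, exploit does not apply"
    if alert.dst_port not in asset.listening:
        return "low", f"nothing listening on port {alert.dst_port}"
    if alert.fixed_by in asset.patches:
        return "medium", "patch recorded; verify it predates the alert"
    return "high", "vulnerable platform, exposed service, patch missing"

def make_alert(ip, port=445):
    # Constructed alert: a hypothetical Windows-only SMB exploit signature.
    return Alert(ip, port, "EXAMPLE smb exploit", frozenset({"windows"}),
                 "PATCH-EXAMPLE-1")

if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.99"):
        print(ip, *triage(make_alert(ip), INVENTORY))
```

A "low" result only lowers the priority; it still rests on the inventory and logs being trustworthy for the moment the alert fired.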