Determining a Roadmap

Hello all!! Wanted to post here and see if anyone could help me make some decisions on a road map to get where I want to be. My ultimate goal is to be involved with Penetration Testing, Vulnerability Assessments, and possibly some Malware Analysis. Something along those lines.

A little about me. I'm currently a Windows Systems Engineer with about 12 years of experience for a decent sized organization (~25,00 users) and I mainly handle the messaging systems (Exchange, Lync, Enterprise Vault), Active Directory, and systems automation with PowerShell. I'm starting to get involved with the patch management process on the Windows side of our department and I try to get myself involved with any sort of security related projects that I can. Any time I see some sort of lapse in security (sensitive internal websites which should be using SSL, etc.) within my organization I am sure to bring it up with the appropriate people. I would ultimately love to do pen testing and vulnerability assessments within my organization if that type of position ever opened up. I'm not sure who on our security team is doing that type of work. Also, I have been using Microsoft Baseline Security Analyzer to scan some of the Windows hosts I am responsible for to ensure there is nothing misconfigured on them.

So that brings me to figuring out how I can make a transition from a systems admin position into a security engineer/pen testing type of role. One way is for me to get a few security related certifications and that is what I am working on now. I'm studying for the Security+ exam and will be taking that in the next few weeks. From there I'm not exactly sure where to go. I went on Dice and looked at the requirements for a bunch of penetration testing/ethical hacker type jobs and it looks like most are looking for CISSP and CEH mainly, with a few mentioning OSCP, GPEN, GIAC. Regarding tools the most mentioned ones were Burp, Nmap, Nessus, and Metasploit. A lot of them also want experience with Perl or Python mainly with some Shell, C++ and other languages thrown in.

I've also looked at the Masters of Information Security and Assurance from WGU because I would ultimately like to get a Masters degree. The thing I like about it is the fact you get the CCENT, CEH, CHFI, and GIAC G2700 certifications during the program. I can't decide if I want to do that program or just work on certifications to solidify my knowledge and have something that proves I know the material.

Here is what I am considering:

Security+ (doing it)
SSCP (possibly next)
SecurityTube Python
SecurityTube Metasploit
WGU Masters (CCENT, CEH, CHFI, GIAC G2700 certs)
OSCP

A lot of those positions mention the CISSP but I really don't want to get into that if I don't have to. I would rather put time into the master's program and some of the offensive security stuff like OSCP, OSWP, and OSCE. I would really like to do some of the SANS certs but I really can't justify spending that kind of money. I think I can get work to pay for the Security+ and SSCP certs and they will also give me $1700 a year towards a master's degree. The one thing I like about the master's degree is the fact that it doesn't expire like certs possibly can.

I'm just at a point where I kind of know what I want to do but I just need to figure out how to get there and do it in a way that I could transition over from my current position. Thanks for any input.
Currently Reading: Learn Python The Hard Way
http://defendyoursystems.blogspot.com/

Comments

  • jasong318 Member Posts: 102
    Try getting involved with local groups in your town such as DEFCON, 2600, OWASP, etc. If you don't have one, start one. I got tired of driving +4 hours to TX to attend meetings so started my local defcon group. See if there are any conferences in your area like BSides. You'll learn a ton at these type of events and get to network with your peers which is indispensable and often overlooked when one looks to break into the field. Plus, they usually have CTF events at these functions which will go a long way to solidify your skills and test yourself against others.

    As for certs, the CISSP is mainly a cert to get past the HR filter as most infosec folks don't hold it in the highest regard (that being said, it wouldn't hurt you to get it). It looks like you definitely have a strong background in sysadmin, try getting in more experience with security. You say your company has a security team, try talking to them to see if you can help out or get assigned to any projects, hell, take them out to lunch and pick their brains :) I would highly recommend the OSCP course, it really does force you to put into practice what you have learned and to do research on your own. It is tough, but well worth it and you will gain real world, practical experience from it.

    As for WGU, I've often looked at it, just can't seem to find the time. It doesn't look like a bad program, but how many of those job posts asked for a Master's degree? But if your employer is willing to pay for it, I would say go for it.

    Beyond that, put together your own lab at home and go to town. Load up backtrack, metasploitable (1 & 2), OWASP broken web apps, etc. and practice, practice, practice!

    Here's an article that I usually post to this kind of questions that has some pretty good tips: Getting a Start in the Security Industry - SpiderLabs Anterior
  • dbrink Member Posts: 180
    Thanks jasong318. I am about 30 minutes from Charlotte, NC and I believe they have a 2600 and OWASP groups. Need to look into when they meet. I also had heard there was going to be a Bsides Charlotte this spring/summer but I can't find anything on their website. Maybe it fell through. There is a potential one in Raleigh so I will have to keep an eye on it.

    Regarding the certs, I can't decide what I want to do after the security+. Really want to jump right into the OSCP stuff but I'm not sure if that would be setting myself up for failure. Currently I'm running VMWare Player with backtrack, metasploitable, XP SP2, and UltimateLAMP VMs. Toying around with those is a lot of fun and there are some pretty good resources out there (like securitytube) with some good tutorials. Just need to keep moving forward with that.

    I believe I might stick my neck out at work and find out from the security guys who is doing the vulnerability assessments in our environment and see if I can shadow them or something like that. Just don't want them to get offended or rattle any cages by doing that. I guess the worst thing that can happen is they tell me 'No'.

    Once again, thanks for the reply.
    Currently Reading: Learn Python The Hard Way
    http://defendyoursystems.blogspot.com/
  • jasong318 Member Posts: 102
    No problem! And you're not that far away (relatively) from DerbyCon which is in Louisville, KY. That seems to be the new hotness as far as conferences go. And ya, don't be afraid to speak to your security team, most would be more than willing to **** the 'grunt' work onto somebody else unless they're a real prick and fear for their jobs :)

    I started out similar to you, was a netadmin for years and got into security. Went through Security+, CEH, etc, etc. I learned some but once I was actually thrust into an infosec role I realized how unprepared I was. It took many years of self study and networking to get where I am.

    Basically, the more hands-on experience you can get the better, I think the OSCP is excellent in that regard. You look like you have some Linux experience which will help tremendously and they will teach the basics in the course and expect you to research anything else needed. Quick example, they will show you how to write a simple python ping sweeper and then ask you to make it as fast as possible. This will lead you to figure out on your own topics such as threading in python.

    Anyways, good luck in your journey!
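The ping-sweeper exercise jasong318 describes above (write a simple sweeper, then make it fast), worked through as an added example in Python. This is not code from the thread or from the OSCP course material. The subnet, the FAKE_ALIVE host table and the injected probe function are constructed here so the sweep logic runs offline; only ping_once actually talks to the network, and it assumes a system `ping` binary with the usual count/timeout flags.

```python
"""Ping sweep: serial vs. threaded (added example, not from the thread).

The probe is injected so the sweep logic can be exercised offline against a
constructed host table; the default probe shells out to the OS `ping` binary.
"""
import ipaddress
import platform
import subprocess
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, List


def ping_once(ip: str, timeout_s: float = 1.0) -> bool:
    """Send one ICMP echo request via the system ping binary; True if answered.

    No raw sockets, so no root needed. Timeout flag semantics differ per OS:
    Windows -w and macOS -W take milliseconds, Linux -W takes seconds.
    """
    system = platform.system().lower()
    if system == "windows":
        cmd = ["ping", "-n", "1", "-w", str(int(timeout_s * 1000)), ip]
    elif system == "darwin":
        cmd = ["ping", "-c", "1", "-W", str(int(timeout_s * 1000)), ip]
    else:
        cmd = ["ping", "-c", "1", "-W", str(max(1, int(timeout_s))), ip]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
        return done.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def hosts_in(network: str) -> List[str]:
    """Usable host addresses of a CIDR block (network/broadcast excluded)."""
    return [str(ip) for ip in ipaddress.ip_network(network, strict=False).hosts()]


def sweep_serial(network: str, probe: Callable[[str], bool] = ping_once) -> List[str]:
    """Naive version: one probe at a time, so a /24 of silent hosts costs
    roughly 254 * timeout seconds."""
    return [ip for ip in hosts_in(network) if probe(ip)]


def sweep_threaded(network: str, probe: Callable[[str], bool] = ping_once,
                   workers: int = 64) -> List[str]:
    """Same result as sweep_serial, but probes run concurrently.

    Pinging is I/O-bound (the thread mostly waits on the reply), so Python's
    GIL is not a bottleneck and a thread pool gives near-linear speedup.
    Executor.map yields results in input order, so output order is stable.
    """
    hosts = hosts_in(network)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        alive = list(pool.map(probe, hosts))
    return [ip for ip, up in zip(hosts, alive) if up]


# Constructed host table for offline use (TEST-NET-1 addresses, not real hosts).
FAKE_ALIVE = {"192.0.2.1", "192.0.2.10", "192.0.2.200"}


def fake_probe(ip: str, delay_s: float = 0.01) -> bool:
    """Stand-in for ping_once: sleeps like a round-trip, answers from FAKE_ALIVE."""
    time.sleep(delay_s)
    return ip in FAKE_ALIVE


if __name__ == "__main__":
    # Demonstrates the speedup without touching the network.
    t0 = time.perf_counter()
    serial = sweep_serial("192.0.2.0/24", probe=fake_probe)
    t1 = time.perf_counter()
    threaded = sweep_threaded("192.0.2.0/24", probe=fake_probe)
    t2 = time.perf_counter()
    print(f"serial:   {serial} in {t1 - t0:.2f}s")
    print(f"threaded: {threaded} in {t2 - t1:.2f}s")
```

Two caveats a practitioner would add: a host that does not answer ICMP is not necessarily down (filtered by a host firewall or an ACL), so a ping sweep is a first pass before a TCP/ARP-based discovery, not a verdict; and the worker count is a trade-off, since hundreds of concurrent pings from one machine will trip rate limits and IDS thresholds on a real engagement.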
  • docrice Member Posts: 1,706
    It sounds like you have a good foundation on the systems side and the right attitude / proactive approach in your work right now. Since you're starting to help out on patch-management, you seem to be in a good area for transition to something more security-centric.

    Doing vuln assessments, pentesting, and malware analysis is going to open up a can of worms in a good way. However, you should also make sure that your networking skills / competencies are in place as well. It doesn't mean you need to go and get your CCNA / NP / IE / etc., but a ton of things in the security world work on top of the networking layers, especially when estimating risk levels during vulnerability assessments and pentests.

    These days, knowing how web applications work is crucial as well which is where OSCP would help. Also check out eLearnSecurity. I'm a fan of SANS training and GIAC certs (they're related, but not the same organization) and yes they are expensive. I continue to train with SANS though for a reason, although I wouldn't be exclusive to them.

    Malware analysis is a different beast though. Having Windows skills helps, but if you're going to do hardcore analysis, you'll need to know how to reverse engineer software which will require programming knowledge. All these different areas of infosec are branching off into their own domains quickly as the field evolves.

    Always have a lab at home that you can break at a moment's notice. A virtual machine farm and lots of ISOs to install stuff with. The world is chaos and your lab should reflect it. Spend time doing the work. Prepping for cert exams is fine, but you may experience a lot of skill fade if you don't make use of what you learned. There's a lot of minutiae out there and you only have so many hours in the day and you can't be good at everything. In time you'll figure out what your path is.

    Lots of companies will ask for the CISSP because that's what their HR department recognizes. There's much debate among security professionals as to the real value ISC2 provides, so take it as you will. I work in security myself (for a security company nonetheless) but I don't hold the CISSP. Certs provide a nice glow to your resume, but infosec folks will often look past them because we're tired of paper tigers who don't live up during the real interview.

    Your drive, initiative, experience, and honesty will be the qualities you'll be evaluated on. It's ok to not know everything. If you want to work with (against?) web apps, OSCP seems to be a good one (I haven't gone through it yet). The GIAC certs are great as well and cover a much larger variety of infosec subject matter, although almost all of them are multiple-choice exams and open book (and still relatively difficult). General pentesting will require some Unix skills, so if you don't have that, you'll definitely need to spend some time / years getting comfortable on the Unix command line.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • dbrink Member Posts: 180
    My Linux skills aren't as sharp as they used to be because I'm mainly working with Windows at the moment. My previous position I did a lot of Linux work (DNS, VPN, Web services, etc) and that is when I obtained my Linux+ and attempted to get my RHCE (ended up with the RHCT though).

    One thing I think that helps me with malware analysis is I took an Assembly course and C programming course at NC State last year and I really enjoyed it. My problem is I keep getting side tracked by all of the cool stuff I want to learn and end up not concentrating on anything and learning it completely before moving on. That is why I feel I need to put together a good roadmap for myself and stick to it.

    I've really been thinking about this the past 2-3 days and I think after finishing my Security+ test I may look at the C|EH next. When checking the jobs on Dice that fit the mold of what I would like to do most seemed to have CISSP and C|EH as either a requirement or desired certification so that may be enough to get me past HR. Then I think I'll look into the SecurityTube Python and Metasploit certs and follow that up with OSCP. That should get me through the next year or 18 months and then re-evaluate things from there.

    One of my definite weaknesses is the web stuff, I have not really done anything with web hacking as of now but is definitely on my radar.

    A constraint I have is going to be money, not sure if my job will pay for some of these certs that don't relate completely with my Windows-centric position but I might run it by my manager and see what he says.

    Thanks for all of the input you guys have given, it is much appreciated.
    Currently Reading: Learn Python The Hard Way
    http://defendyoursystems.blogspot.com/
  • dbrink Member Posts: 180
    Just passed the Security+ today...time to move on to something else. Trying to decide if I want to take the CEH or just take some time to read some books and play in my lab before attempting the OSCP.
    Currently Reading: Learn Python The Hard Way
    http://defendyoursystems.blogspot.com/