
Advice for InfoSec undergrad students or new grads

InfoSec Society Registered Users Posts: 1
Hi,

I've been a long time lurker on this site and there's so much beneficial information and helpful users. I am part of an infosec student group at my college. We'll be having a career information event later this month and I'm doing a short presentation on advice from infosec professionals to undergrad students.

I was hoping I could get you all to answer the following question briefly:

What is one piece of advice you'd give to infosec students?

Top replies will be put in the presentation and posted on our blog.

Thanks

Comments

    White Wizard Member Posts: 179
    InfoSec major here, looking forward to the replies :)
    "The secret to happiness is doing what you love. The secret to success is loving what you do."
    YFZblu Member Posts: 1,462
    This thread got some positive responses, and good feedback from seasoned infosec people is in the replies:

    http://www.techexams.net/forums/jobs-degrees/90294-security-analyst-interview-some-what-you-need-know.html
    wes allen Member Posts: 540
    Mindset > Skillset > Toolset.

    Get a twitter account and follow 50-100 infosec people.

    Find 2-3 infosec podcasts you like, and listen to them regularly.

    Many people might not agree with this one, but it has been very helpful for me: learn hands-on OffSec (CEH doesn't count). Even if you don't take the exam, take the PWK course, which might mean learning some prereq stuff as well. Your goal might not be a job as a pen tester, but knowing how to attack stuff will help with defending it. Plus, pen testing is all about info gathering, service enumeration, scripting, and vulnerability research, which are key skills for a defender as well.
    veritas_libertas Member Posts: 5,746
    My piece of advice would be not to think you can just walk into INFOSEC. Get a job as a Network or SysAdmin and spend some time learning how everything works before trying to protect those systems. I find it frustrating how many college students think they can just walk into the job. It can happen, but it's rare.

    Wes Allen mentioned OffSec; eLearnSecurity also has some great material, as does SecurityTube.
    tpatt100 Member Posts: 2,991
    Pretty much what veritas said, can't protect what you don't know how to use very well. Most of the stuff I audit came in handy because of my systems administration background.
    veritas_libertas Member Posts: 5,746
    To follow up on what I said. I'm now in InfoSec and I wish I had spent more time on the following:

    • Learning to program. I had a C++ class in college, but I didn't continue learning after college. Big mistake.
    • Learning Linux
    • Studying for the MCSA. While I'm not a SysAdmin, I think this is the only way I'm going to learn this material. You might be surprised how often an INFOSEC professional has to interact with MS server boxes. I interact with them almost every day for many reasons.

    I'm now playing catch-up on the above. I'll catch up, but it would have been a whole lot easier if I had learned these subjects earlier.
    Tom Servo Member Posts: 104
    Absolutely 100% agree with veritas_libertas. I'm at a disadvantage because I avoided Linux and programming. I'm spending the next couple of years fixing that gap, but it's much more challenging now that I'm working full time.
    cgrimaldo Member Posts: 439
    veritas_libertas wrote: »
    To follow up on what I said. I'm now in InfoSec and I wish I had spent more time on the following:

    • Learning to program. I had a C++ class in college, but I didn't continue learning after college. Big mistake.
    • Learning Linux
    • Studying for the MCSA. While I'm not a SysAdmin, I think this is the only way I'm going to learn this material. You might be surprised how often an INFOSEC professional has to interact with MS server boxes. I interact with them almost every day for many reasons.

    I'm now playing catch-up on the above. I'll catch up, but it would have been a whole lot easier if I had learned these subjects earlier.

    Do you have recommendations on programming languages to learn? What about flavors of Linux? Thank you for your insight!
    veritas_libertas Member Posts: 5,746
    I wouldn't worry about a certain flavor of Linux. Grab a Linux+ book and start reading. I'm not suggesting that you have to take the exam, but the material is vendor/flavor neutral, which will help you. As far as languages go, I'm not a programming expert, but I think Python and C++ are a good starting place. You should also learn scripting. Even simply learning Bash, Batch and PowerShell would be helpful.

    Security is one of those areas where you will always have something new to learn. This is good, but at times overwhelming.
    cgrimaldo Member Posts: 439
    I appreciate your feedback. Thanks!
    JaneDoe Member Posts: 171
    If you want to learn Linux, install Slackware/Gentoo on your laptop, the one you use every day, as your primary OS. Make it work. When you're done, you'll have had a great crash course in Linux.
    ITcognito Member Posts: 61
    veritas_libertas wrote: »
    My piece of advice would be not to think you can just walk into INFOSEC. Get a job as a Network or SysAdmin and spend some time learning how everything works before trying to protect those systems. I find it frustrating how many college students think they can just walk into the job. It can happen, but it's rare.

    Wes Allen mentioned OffSec; eLearnSecurity also has some great material, as does SecurityTube.

    I've encountered this kind of rhetoric before, and while I understand where you're coming from, it's very unreasonable and quite illogical. You're talking about infosec as if it's some domain outside of the reach of anybody except seasoned vets. Like some kind of old boys' club that you can only enter after working your way up the IT ladder for years. Infosec is really broad and there are many jobs that fresh college graduates are capable of doing, such as entry level security analyst jobs, web application security, penetration testing, security research, malware analysis, etc. Just as an example, how would working as a Windows system admin for a few years prepare you to secure web applications? There are increasingly many college programs that specialize in infosec and prepare their students for a career in infosec. You've also ignored on-the-job training and continuous education. Nobody is saying hire a fresher to be your next CISO.
    docrice Member Posts: 1,706
    While the infosec industry is widening and job opportunities are becoming more accessible, at the same time being able to perform these functions requires understanding the context of the technology, threats, and other tangibles. As someone who's in infosec (both as a professional as well as in the industry itself) and constantly buried under non-stop infosec work, I would be very hesitant to hire a recent college graduate without sufficient work experience for your typical IT security position. Being a security analyst, pentester, etc. requires much more than skills specific to the security subject niche. Everything eventually comes together: business objectives, compliance requirements, user behavior, applications, buggy code, traffic patterns, current threats, quarterly management objectives, technical configurations, over-promised/under-delivered solutions, etc. Framing this into proper context and being able to make appropriate judgement calls takes time in the field to build a bit of wisdom for.

    While being a good Windows admin doesn't directly align to being a good web application security engineer, there's a lot of operational maturity and discipline that goes into getting to that level and mindset that has to be honed. While I'm not familiar with what higher education offers these days since I've been out of (traditional) school for so long, at the same time I'm under the impression that an "information security degree" isn't going to make someone immediately qualified for security positions.

    Security work is generally hard, thankless, tedious, and typically requires knowledge of the existing disciplines from which it stems, whether that's client-server/application/network-services/network-infrastructure management, software development, risk management, etc.

    There may be some exceptional individuals who do get into security positions right off the bat, but college education by itself does not prepare you for the corporate business world or to be a security researcher who provides actual value in the industry. As a generalization, grasping technology, its weaknesses, risks, and mitigation strategies require practice and exposure to complex environments to realize the nuances of how an organization works with and reacts to security issues. Business culture, competing priorities between business units, and their influences on technical implementations and decision-making is critical when an employee is trusted with sensitive information. That trust has to be earned, and it's typically earned over time learning how the pieces fit together in the larger picture.

    There's a lot of risk entrusting that information to someone who might not be able to frame issues within appropriate interpretation.

    Getting to the OP's original question ... that's a hard one to nail down, but I think my advice at this immediate moment would be this: don't assume. Expanding on that statement, I'm basically saying that the admin guides, vendor claims, RFC documents, etc. are not reality-textbooks. Technology is complex, implementers get it wrong, architects create design flaws, and so on. The rabbit hole is seemingly endless. Look beyond the books, the certification courseware, and what technology instructors teach. A big part of infosec is awareness and vigilance, and this often means probing farther than the UI or CLI on the magic security box and doing your due diligence to inspect at a more atomic level ... because the faults, vulnerabilities, and exploitations lie where most people don't reach.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    GoodBishop Member Posts: 359
    Certs and education are important, but what is really important is experience.

    Never give up, never surrender.
    bobloblaw Member Posts: 228
    ITcognito wrote: »
    I've encountered this kind of rhetoric before and while I understand where you're coming from, it's very unreasonable and quite illogical. You're talking about infosec as if it's some domain outside of the reach of anybody except seasoned vets. Like some kind of old boys' club that you can only enter after working your way up the IT ladder for years. Infosec is really broad and there are many jobs that fresh college graduates are capable of doing such as entry level security analyst jobs, web application security, penetration testing, security research, malware analysis, etc. Just as an example, how would working as a Windows system admin for a few years prepare you to secure web applications? There are increasingly many college programs that specialize in infosec and prepare their students for a career in infosec. You've also ignored on-the-job training and continuous education. Nobody is saying hire a fresher to be your next CISO.

    I don't necessarily disagree with you, but I've yet to hear of anyone starting out in any facet of those areas without experience.

    From another post I wrote in that I think applies here:

    The single most common thing you will see in InfoSec is that no one ever started in InfoSec. Everyone always comes from another primary background (sysadmin, network engineer, DBA, etc.). This could change in years to come, but no one is going to expect someone to perform a security audit/pen test of their Windows domain when that person hasn't run a Windows domain (same for auditing their network, Unix systems, etc.).
    the_Grinch Member Posts: 4,165
    docrice and veritas have nailed it on the head. I was one of the aforementioned college infosec grads that thought he could stroll into a security position and be fine. I was very surprised to find how wrong I actually was. The only exception, I found, has been either large government agencies or large companies with infosec programs. Few and far between, but they will take on a new grad to build them up to where they want to be. Cream of the crop will get these jobs.

    If you believe you can secure a server, switch/router, let alone a network, based on the few 15-week courses you took on those technologies in college, you are very mistaken. I was in technology for five years before I made the jump and honestly it completely shows. Just knowing how to break into a technology isn't going to help you. In infosec, you will stand before people who vastly outrank you and will be defending a decision you've made. If you don't know the technology fairly well, you will lose. At my job I speak with people at all levels within my organization and in organizations outside of mine. On Friday I had a meeting with the Director of my agency and had to explain what we had set up, why, and how it was effective. On the other side I've had to tell VPs of IS why they had to change something to fit a regulation or to operate in a secure manner.

    What should you do when you finish your degree? Get on a help desk. Our job is 90% people skills and you get that on a help desk. From there you will find out what interests you (systems, networks, etc). Start gaining experience in those areas because a strong foundation is important. As you get better, then begin to focus on technologies that are security related. Mix in the certifications and in about three years you should be ready to make the move to security full time.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
    thatguy67 Member Posts: 344
    veritas_libertas wrote: »
    My piece of advice would be not to think you can just walk into INFOSEC. Get a job as a Network or SysAdmin and spend some time learning how everything works before trying to protect those systems. I find it frustrating how many college students think they can just walk into the job. It can happen, but it's rare.

    Wes Allen mentioned OffSec; eLearnSecurity also has some great material, as does SecurityTube.

    One of my instructors gave me this analogy: Infosec is police detective work while networking is a "regular" cop. Typically you need to prove yourself as a cop before being appointed as a detective. So you'd need to show employers that you can network well before they allow you to do security-related duties. Not sure if it's the best analogy but it gave me the basic idea.

    I was told I need to know Linux, MCSE and CCNA. As others have said, programming would help if you are dealing with a lot of scripts or malware analysis.
    2017 Goals: []PCNSE7 []CCNP:Security []CCNP:R&S []LCDE []WCNA
    docrice Member Posts: 1,706
    That's a relatively appropriate analogy, although these days you would have detectives specialized in different subject areas. Doing malware analysis at a deep level can be quite different from being a network intrusion detection analyst. In smaller shops, you'll probably end up with a small number of security employees with generalized infosec responsibilities and overlapping skill sets.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    bryguy Member Posts: 190
    I'd say keep your nose clean, pay your bills on time, keep the peace with your neighbors. We interviewed a guy who seemed to be a perfect fit for the job. However, upon further investigation it was found that he had a previous DUI on his record that he didn't self report. The guy was immediately disqualified.