Need advice for a career in security

kellyjd83 · October 2016

So a previous post of mine I asked about my resume and the advice was sound and it helped me get a position as an Infrastructure Engineer for a company in London. That position lasted 3 months mainly down to the company severly under paying me. My duties included Server Admin (Mac & Windows), Exchange Admin, Blackberry Server Management, Symantic Backups & AV, Asset Management, Avaya Phone Management, Desktop Management (Win 7 - 10, Mac & Linux), Printer Management (Richo, Canon, HP etc), Cisco Switch and Router Configurations (Vlans [Due to few others being able to do it]), Juniper Firewall Configuration, Incident Analysis (though this was cut short because they didnt care how an entire company had their systems infected). I managed the infrastructure for 6 companies and was on call 24hrs a day 7 days a week....So a typical Engineer role (at least in my mind). And was picking up a monthly wage of £1,600 (or £19,200 pa)

Now living in London isn't cheap, my rent alone is £1k, I have a monthly payment of £300 (educational loan), I quit smoking and started vaping to reduce my out-goings (cut by 50%), I ate nothing but porridge and beans (like the true backpacker that I used to be) my out-going per month amounted to approx £200 - £250, and I didnt see the inside of a bar / pub (cos well I coudn't afford to)

Pardon the above but like any good question you need a beginning middle and end.

So I have had a deep interest in security for as long as I can remember! I have no interest in fixing printers, or reseting passwords for the rest of my life. I want a career that interests me and that interest is firmly footed in security. Now yes the security industry is one of the broadest. My area of interest is figuring out how hackers got in, how a virus infected a system, what tools are attackers using. An analyst is the only thing I can think of. Eventually I want to get to Pen Testing

Current study endeavours:
Currently studying for the Windows server 2012 exam (70-410) - Just cause I paid for it awhile back and can't leave it undone!
Looking to pursue the following from the 26th of October:
Comptia Security+
(ISC)2 SSCP
Powershell & Python

Afterwards, I'm leaning towards the CISM.

Now the questions!

Where does a career in infosec start?
What is the career path to become a security analyst?
What roles should I apply or look for?
What courses do I need to do?

Any advice on the matter would be greatly appreciated.

Regards,

Kellyjd83

TranceSoulBrother · October 2016

Frankly, any advice could start with the myriad of threads that are in this forum.
Read from people's experience and what has been posted already to these very specific questions. Basically, you have to start somewhere and work your way up. Security is much more than SIEM or whatever else happens in a SOC. Have a base knowledge and base experience and start from there. Nothing wrong with resetting passwords if done for a year not 5. Roles and experience to gather has been shared here ad nauseum.
Helpful certifications are available and you're on the right path. Get your Sec+ and continue studying. Be wary though of certification requirements before wasting your time. I think that CISM requires 4 years of job experience for the endorsement.
COMPTIA has a nice graph to show a sample career path with the advised certifications.

kiki162 · October 2016

For your resume, you only want to have certs that you DO have. The only time you would put anything like that is if you were working on a degree, and you were going to be graduating within a year or two. Also put only the last 2 or 3 IT jobs that you gained the most experience. For bullet points under those jobs, put only the top 5-6 items that relate to the experience you gained. Be specific about any tools that you used, and do NOT include points about the existing environment that you worked in. (ex: Working within a TCP/IP network environment....). If HR staff wanted to proceed in hiring you, then they will care about your previous work history, and then you can put a lot of that stuff in. Again, keep it short and to the point.

So it looks like you have a background with Windows system admin and a bit of Cisco networking. Now you need to solidify that experience into certifications. You really need to have a solid background or a base skills set in order to figure out how attackers gain access to systems.

Going for your MCSA, and then MCSE is a good start. Your looking at about 5 exams in total for the MCSE 2012. Now keep in mind they are rolling out the MCSE 2016 exams as well, so that should put you at a good point to do your upgrade exams. If you really hit the books hard, andset yourself a good schedule, you can get all of this done within a year. With your previous posts, it sounds like your struggling to move ahead. Personally if I were you, I'd look at taking a risk and look at a bootcamp. Yes, you'll have to get a small loan for it, but at least it will put you in an environment where you can study and get ahead. For other certifications, Sec+ and SSCP are also good ones as well. Any PS and Python is good too. Now CISM is probably not worth your time, as that's more auditing and management focused. If you were getting into vulnerability mgmt, then I'd say that might be worth it, but not now. Other future certs could include GIAC exams such as GSEC and GPEN, although you'd want to be in a position where your employer would pay for it.

markulous · October 2016

If you said you had a deep interest and I was hiring you for a security analyst position, I'd ask you two things:

What do you do to keep up on the latest trends in security?
What type of lab do you have or what tools have you experimented with?

cyberguypr · October 2016

^ I ask this in every interview I do, hoping to get a good conversation going. Amazingly enough most candidates reply to the keeping up question with random sources like CNET, Yahoo News, etc. They can't even talk about a recent issue they have seen in the news. Less than 10% actually mention security specific sites. For the lab question, it's similar; most people either have no lab or have "a laptop with vmware" but haven't done anything with it. Sad.

kellyjd83 · October 2016

My home lab constists of:
3x windows server 2012 (2 gui installs and server core) vm's
1x win 8
2x win 10
1x ubuntu
I run Kali off a Nexus 7 (which I'm still learning to use properly)
I have an old P4 which is loaded with Ubuntu which I broke (again)

I havent played with my labs I'd say in about 6 months maybe more, in my free time, I debug sample malware

As for where I get my latest trends news....Pardon the list (my book marks are all divided into sub folders etc[I like order]):

SecurityCurrent
https://isc.sans.edu//
techUK - Representing the tech industry in the UK
The Register: Sci/Tech News for the World
linkedin feeds
pentesticles
vulnhub.com
Computer Forensics World
cybrary.it (feed)
networkingworld
scmagazine (daily email)
(ISC)2 Blog
technewsworld
securitymagazine.com
helpnetsecurity.com
slashdot.org
infosecisland.com (not as much as I used to)
Cyber Security News | Cybersecurity & Malware Blog (only recently)
Counter terrorism Project (http://www.counterextremism.com)

Most of the news I get is from feeds or emails

Cnet & yahoo...for news...for security news...apart of me is laughing and crying at the same time!

As for the MCSA & MCSE Iam aiming to finish it and get the upgrade in January (supposed release date), but as a break from all things server related as I find it a little bit boring. I was gonna do the Sec+ and sscp as my foundations of security and fill the gaps in my knowledge then go back to the server certs and continue on with the MCSA(E). There's chaps I know that completly skipped technical examinations from vendor specifics like microsoft and such and went straight from Sec+ to Casp then Cissp and now work in SecOps one of them didnt have any experience even working in IT before he went and did his sec+ (not that understanding Networks is rocket science)

Tools:
Snort
Jack the ripper
cain & abel
Web Scarab
ollydbg
w3af
backtrack (3.0)
nessus

Im looking to put more effort into renewing my knowledge on attacking systems as soon as the 410 is finished. The idea was to study the sec+ then around the chapters 6 (understanding malware and social engineering) & 7 (Id advanced attacks) to up the labs in full swing (especially now that I upgraded my ram to be a bit meatier)

Danielm7 · October 2016

cyberguypr wrote: »

^ I ask this in every interview I do, hoping to get a good conversation going. Amazingly enough most candidates reply to the keeping up question with random sources like CNET, Yahoo News, etc. They can't even talk about a recent issue they have seen in the news. Less than 10% actually mention security specific sites. For the lab question, it's similar; most people either have no lab or have "a laptop with vmware" but haven't done anything with it. Sad.

Me too, and I get pretty much the same answers, it's crazy to me. You're going to tell me you're super passionate about security and you can't tell me a single security related news source that you follow to feed that passion of yours?

kellyjd83 · October 2016

markulous wrote: »

If you said you had a deep interest and I was hiring you for a security analyst position, I'd ask you two things:

What do you do to keep up on the latest trends in security?
What type of lab do you have or what tools have you experimented with?

cyberguypr wrote: »

^ I ask this in every interview I do, hoping to get a good conversation going. Amazingly enough most candidates reply to the keeping up question with random sources like CNET, Yahoo News, etc. They can't even talk about a recent issue they have seen in the news. Less than 10% actually mention security specific sites. For the lab question, it's similar; most people either have no lab or have "a laptop with vmware" but haven't done anything with it. Sad.

Danielm7 wrote: »

Me too, and I get pretty much the same answers, it's crazy to me. You're going to tell me you're super passionate about security and you can't tell me a single security related news source that you follow to feed that passion of yours?

Can you recommend any news sites, feeds, or mag's?

markulous · October 2016

Twitter will be your best friend. Type in security or a couple sites you follow and start branching out.

The RSS feeds I subscribe to typically are: SANS, US-Cert, Dark Reading, Krebs on Security, SC Magazine, TechRepublic.

kellyjd83 · October 2016

markulous wrote: »

Twitter will be your best friend. Type in security or a couple sites you follow and start branching out.

The RSS feeds I subscribe to typically are: SANS, US-Cert, Dark Reading, Krebs on Security, SC Magazine, TechRepublic.

Nice, I'll def' check them out

beads · October 2016

Add F-Secure (Mikko Hypponen sp?) Trend Micro and whatever A/V or vulnerability scanner to that list. CVE and EU regulations are also worth keeping up on. For the US you should be dialed into regulations.gov once a week. Its all a matter of finding what works best for you.

Don't become so involved with 'Kali' that you start to drone on about that platform like they invented anything real about it. Its a collection of tools. Any of which you can download, configure and use on any Linux or Windows machine. Learn to use the tool most useful to you and do not tell me you are a drop down expert on every tool and technique on the CD. I will laugh uncontrollably as you leave the interview humiliated.

Your never going to be able to secure anything without having mastered many of those items above you don't want to do. Resetting passwords, doing advanced administration on Linux, Windows, network switches and SQL databases is much of what we are really doing when we talk of security. The time and effort demands can be ludicrous and never ending.

Security sees everything so learn to keep your mouth shut and do not gossip. I think its the hardest thing to get across to junior administrators and worse managers who want to know whose doing what, where and when. Its not your job to pry into every investigation going. Ask my now ex-supervisor how that worked for him. Thats twice in two years, by the way.

Lastly, think specifically about what in 'security' you really want to do for a living. 'Security' is more than just patching software flaws, its such a broad topic its hard to wrangle the whole thing into just one topic.

- b/eads

kellyjd83 · October 2016

Oddly enough I emailed Mikko Hypponen on linkedin and I "follow" him too (I swear everytime I type the word follow, I feel dirty) I do agree whole heartedly that kali is just a collection of tools, but anytime I look up job for pen testers it always lists kali as a must have....not sure if these recruiters know jack sheep about what kali is...actually now that I think of it they don't. For linux admin I don't know much in advanced admin, though I was looking at doing the first two exams in Linux (Server and networking) though to be honest I think i can just download fedora or Gnome and teach myself and save myself money. As for SQL, I never gave it much thought past what to look for in sql injections (Now I gotta find a decent book on the subject and it to the reading list)

Being an expert in every tool imaginable isn't difficult...just takes time and patience...mostly time. But it's like anything else, the more your practice the better you get, sure it will be slow at the beginning but just as if your riding a bike the training wheels will come off and you'll begin trying to do tricks / shortcuts. You'll know what to do and and what to look for. When I worked the construction tade, I had a toolbox of gear I know worked and did the job I needed to at the time, security tools work the same way, find one you like and does what it says on the tin, problem is there are soo many tools some are better than others but the ones that are better from a usable point of view are twice as complicated to use. So I have a tool that has a gui cracks passwords of a certain type but then theres another tool that can break the privious and then some but requires a deeper understanding of fluency in a programming language (which brings about a question of which language I should learn)

I was on a job a few years ago, nothing special. I was apart of a team that were migrating a corp infrastructure from srv 03 - 12, installing cisco systems among others. We all signed the usual NDA's, but I had this guy who while out in lunch in a public area started asking us questions about the company, what we would be doing etc (even with the documents we signed literally stated that we must not talk or comment on what we were doing or who we were doing it for), and i sat there wondering to myself if these people understand that the reason we get jobs like this is that we don't talk about it in such a public place. My supervisor whom I have known for a few years and has worked some high profile jobs, stared at him with what can only described as the "hunters stare". He was quickly shushed, before he could ask another. But it still boggles the mind! I live on the rule of "you don't need to know unless I have written consent...or you have a warrent or your a verified officer, end of story thats the way it is"

I have signed enough NDA's over the course of my career that it probably amounts to till death do us part!

beads wrote: »

Lastly, think specifically about what in 'security' you really want to do for a living. 'Security' is more than just patching software flaws, its such a broad topic its hard to wrangle the whole thing into just one topic.

- b/eads

On that, my go to place to figure out what the options are within the field is generally taken from Cyber Security Jobs | Requirements and Salaries which is good, but it doesnt really give the information I'm looking for though to be honest I get most of what I want from this forums as we are all on the same boat / electrode.

I'm still not 100% of which direction I want to go within security and I'm pretty much hoping that even getting a entry level position would open me up to different areas with in the sector. I'm going as far as applying for "Junior Security Administrator / Junior Security Analyst / Junior Security Engineer" as along as the salary is on or above £22k pa I can survive on it for a few years (actually I created a spreadsheet that calculates what my absolute minimum can be as to pay off what I owe, rent and living on a diet of beans and porridge) And yet when I apply for these roles I never get call backs etc. From recruiters handling the introduction they 9/10 say "they are looking for someone with more qualifications in security" I ask what and the general answer is they want someone with CISSP or CEH or CISM....Not even working towards it but actually having it. From what I have gathered -

CISSP
I can take the exam and be an associate
Once you are notified that you have successfully passed the examination, you will be required to subscribe to the (ISC)² Code of Ethics and have your application endorsed before the credential can be awarded. An endorsement form for this purpose must be completed and signed by an (ISC)² certified professional who is an active member, and who is able to attest to your professional experience. With the endorsement time limit, you are required to become certified within nine months of the date of your exam or become an Associate of (ISC)². If you do not become certified or an Associate of (ISC)² within 9 months of the date of your exam, you will be required to retake the exam in order to become certified. (ISC)² can act as an endorser for you if you cannot find a certified individual to act as one. Please refer to the Endorsement Assistance Guidelines for additional information about the endorsement requirements.

CISM
I can take the exam and be an associate
The work experience must be gained within the 10-year period preceding the application date for certification or within 5 years from the date of originally passing the exam.

CEHIt's pre-req is the NSA (Network Security Administrator)Still I'm looking further down the line at these exams, just I wouldn't expect a junior anything to have these...maybe I'm wrong!

For now, I'm concentrating on my upcoming Server exam, then Sec+. sscp and ISO27001. I'm hoping this is enough to get an entry position into the security field which in turn will open up doors to other areas within the sector and then follow on with what has been recommended:
MCSA & MCSE server 2012 (with the upgrade to 2016 - which supposedly will be released in Jan 17) - Still not sure I want to pursue Server to MCSE level. GSEC is most def' on the cards, it's a requirement for futhering into the GIAC exams, possibly Juniper associtae exam (but considering that I know the basis of the OSI model, I may be able to skip it) Again I'm hoping after getting an entry level job I should have better idea of where I should be aiming or where I'm leaning towards.

TheFORCE · October 2016

Why would you go CISM if you want to become a Pen Tester and are currently debugging malware samples? CISM is more about management, business and compliance, audits etc.

kellyjd83 · October 2016

It was recommended to me by a chap that works as a pen tester at a seminar in London, thats the primary reason why I keep referring to it. And I have also seen it being listed in required qualifications for Pen Test jobs, it's not on all of them but every so often I see it listed

Looking at the CBK for it, it lists 5 out of 9 domains that would be on the mind for pentesting

Mike7 · October 2016

Do not have the details... I understand that companies in UK must be CESG CHECK accredited before they can offer penetration testing services to government and banks among other organizations. For individuals, it means getting certification from CREST, Tiger Scheme or Cyber Scheme. You may want to do further research, look at job requirements for pen tester jobs in London or ask around.

TheFORCE · October 2016

kellyjd83 wrote: »

It was recommended to me by a chap that works as a pen tester
....
Looking at the CBK for it, it lists 5 out of 9 domains that would be on the mind for pentesting

You mean the below 5 domains? They are all about theory and putting in practice policies and procedures. There's nothing technical on the CISM that would make you a better pen tester.

Domain 1—Information Security Governance: 23%
Domain 2—Information Risk Management: 22%
Domain 3—Information Security Program Development: 17%
Domain 4—Information Security Program Management: 24%
Domain 5—Incident Management and Response: 14%

kellyjd83 · October 2016

TheFORCE wrote: »

You mean the below 5 domains? They are all about theory and putting in practice policies and procedures. There's nothing technical on the CISM that would make you a better pen tester.

Domain 1—Information Security Governance: 23%
Domain 2—Information Risk Management: 22%
Domain 3—Information Security Program Development: 17%
Domain 4—Information Security Program Management: 24%
Domain 5—Incident Management and Response: 14%

I was looking at (should have worded it better)

Intrusion Prevention/Detection
Network Security
Physical Security
Security Tools
Security Trends

But your right, it's mostly theory over hands on practices. I would have thought having theoretical knowledge would have been a given to becoming a pen tester.

But even looking at the domains you have listed still sparks alot of my interest, whether it's useful as a pen tester remains to be a "no" I'd still want to know it

According to cyberdegrees.org the following list is favoured for pen testers seeking employment:

Windows, UNIX and Linux operating systems (MCSA, RHCSA & AIX - This is my assumption)
C, C++, C#, Java, ASM, PHP, PERL (Im aiming towards Python & Powershell)
Network servers and networking tools (e.g. Nessus, nmap, Burp, etc.)
Computer hardware and software systems
Web-based applications
Security frameworks (e.g. ISO 27001/27002, NIST, HIPPA, SOX, etc.)
Security tools and products (Fortify, AppScan, etc.)
Vulnerability analysis and reverse engineering
Metasploit framework
Forensics tools (Autopsy - is one I have been messing with...and not getting anywhere with)
Cryptography principles

Mike7 wrote: »

Do not have the details... I understand that companies in UK must be CESG CHECK accredited before they can offer penetration testing services to government and banks among other organizations. For individuals, it means getting certification from CREST, Tiger Scheme or Cyber Scheme. You may want to do further research, look at job requirements for pen tester jobs in London or ask around.

Ye 60% of the Pen testing jobs in the UK require CREST or TIGER, Junior pen test roles offer to pay for it but they also look for people that have a masters or equivalent (Which I assume is either or CISSP / CEH).

For CREST & TIGER I assume I could teach myself (to a point) till I find a role that is willing to pay or I take 3-6 loans out I do it myself....I'll just add it to the ever increasing bill I already have...(Which from now is approx £4.7k, which is nothing, but no job = late payments = fees being added on)

Recommended study materials:
Network Security Assessment (by O’Reilly, 2nd edition)
Hacking Exposed Linux
Red Team Field Manual (RTFM) (by Ben Clarke)
Nmap Network Scanning: The Official Nmap Project (by Gordon Lyon)
Guide to Network Discovery and Security Scanning
Grey Hat Hacking (by Allen Harper, Shon Harris & Jonathan Ness)

At the moment my educational endeavours look like:

A+ (Done), N+(Done), Win7(Done), 70-410(Doing), Sec+, SSCP (Studying for the Sec+ gives me more than enough knowledge to pass this exam [at least according to Tom's Hardware]), ISO27001, Linux Powered by LPI (3 for 1), GSEC (free assessment says I only got 40% which was a bit of a shock - but it tells me where I am...or that I can figure out which option isn't the correct answer), GCIH, CEH (don't know whether CEH 1st or Incident handler 1st), GPEN, OSCP, and so on

beads · October 2016

Unless things are drastically different in the UK neither the CISSP nor the C|EH should in any way shape or form be considered a 'Master's' equivalent or otherwise. I have comfortably completed both exams in about two hours apiece where my Masters degree took a little over a couple of years. I could have worked harder but I did one year in a combat zone. Wars, always such a time waste.

And YOU thought going to school and working was a pain?

- b/eads

kellyjd83 · October 2016

I don't recall saying going to school was a pain...though to be fair I didn't attend school either, at least not in a capacity to learn anything except that I hated being inside and was much more attuned to being outside.

Doing a Masters and serving in the military....Bloody hell! I applied for the Irish Army and Air Corp but due to a mental health issue(s) I was unapproved for combat and accrording to the Air corp recruiter at the time I was consdered "Too tall" (which at the time of my 16th birthday was 6'2"), probably should have tried the Navy but the two answers probably stopped it.

Hats off to you though for serving (Always preferred working with ex-army personal), I met alot of lads on my travels around Melbourne, Sydney, Boston and North Carolina and one or two from the Peace Core and two lads from the French Foreign Legion and a few lads that were ex-Israeli, good lads!

As for the CISSP and CEH I can only assume it's what the recruiters know of, and that the vast majority of the recruitment sites in the UK offer to teach people CEH and CISSP for a fee. I have called one or two in pure curiosity, only to find that it's online with out of date material and they don't expect the participants to have prior knowledge of system infrastructure beyond that of basic tcp/ip.

I don't know much about college / university (Both mean the same thing here) qualifications, I wouldn't think a Masters or PHD in cyber would be on the same playing field as Professional Qualifications...Same region but not the same ball park!

Consider what the EC Council's Masters or SANS Masters have, the idea that two exams is equal is not possible (even looking at the course details). It breaks the ground on some of the domains yes but not even close to the same level of detail and well simple calaculations for it, a 5 day course can't equal to 365 or 730 days of study.

The "....Junior pen test roles offer to pay for it but they also look for people that have a masters or equivalent (Which I assume is either or CISSP / CEH)..." was taken from a recent job posting and the phrase "masters or equivalent" was judged from the listings of Qualifications listed at the bottom of the page.

Moral of the story recuiters are sheep...bah!

kellyjd83 · October 2016

Thank you all for the replies & advice. After researching further into the needs described in US & UK job descriptions I have figured out which direction to go, and now start the journey to get the hell out of support and into the area of security that has replaced my social life (except for Paddy's day and once every 30 days [full moon], cos it goes against my religion).

Pardon for the slap at recruiters, the meds I take for ADD makes me a lil bonkers.

Peace chicken grease!

Mike7 · October 2016

Was looking through the recommended reading materials for CREST. There is a3rd edition of Network Security Assessment (by O’Reilly) that is still in pre-release; you get a early release eBook if you order it online. The 2nd edition was released in 2007 so there are major additions in the new edition.

DatabaseHead · October 2016

Agree I have two handles set up one stictly professional feeds and the other is whatever.....

Need advice for a career in security

Comments