Getting into Information Security?

Geekboy Member Posts: 16
I’m 99.9% sure this is the route I want to take now in my IT career. But not so clear on how to start my course. See, I’m confused about getting my foot in the door as a Security Professional. I have about 9 years of IT experience doing various things such as NT/2000 Admin, QA, Web Design -- Intranets, Jr DBA, and now Application Integration. As you can see I have experience with a few things but not security.

I look at the certs available and see that Security+ is the first one I should obtain, but after that, what’s next? The others I found so far require (infosec) experience. So what would be the next path to take after the Security+ cert? I guess I’m tossed up since I don’t have the experience, and wonder how I get my foot in the door working as an InfoSec pro while maintaining my current salary (range). I feel I can offer the above items along with the security if that is possible.

I ask here since I’ve been out of the loop for a while and just not sure where I’m heading in IT but I’ve always been intrigued by security, hacking, hardware, troubleshooting, and tinkering with computers, I guess this is why I started in the first place. I’ve reached the top, as far as I can go in my current employment, and become unsure about IT, and now need to revive the passion I once had for this industry and get my ass in gear.

Your thoughts, suggestions, cert/reading recommendations would all be greatly appreciated.

Comments

  • dynamik Banned Posts: 12,312
    It sounds like the CEH is the next logical step after the Security+ for what you want to do.

    Sun, RedHat, and the 2003 MCSE have security specializations.

    You may want to start getting some experience with Cisco and/or other firewall/network appliance vendors.

    You should set your sights on the CISSP as your end goal, but that has some fairly rigid requirements. You can pick up the SSCP after one year of experience (or become an associate with either without meeting the requirements).

    Check out these posts as well:
    http://www.techexams.net/forums/viewtopic.php?p=213741#213741
    http://techexams.net/forums/viewtopic.php?p=172435#172435
    http://techexams.net/forums/viewtopic.php?t=19563
  • Geekboy Member Posts: 16
    EDIT: I’m still looking through the threads, and may have missed... So if I posted too soon
    Thanks dynamik and I do understand about going CEH possibly next, but other than that it still does not really help. I guess I was hoping some Security experts (or guys/gals with the certs in this arena) may chime in and show how they achieved their positions. For instance if you go for MCSE you basically are going for an Admin / Infrastructure / Windows Server support gig in IT. It’s a broad cert, and security, however, is a little narrower and can be a little more difficult to get your foot in the door. What would help make this easier?

    I’ve researched a little last night and figure I’ll just put a plan together and get my Sec+, and possibly the CEH (since I cannot get any more without experience, and quite a bit of money from what I’ve read online) to start with and just look at the different available positions in NYC and see what the employers are looking for these days. Maybe even finish my MCSA (which I’m just not into anymore). I have a diverse background and maybe trying to focus on one thing (security in this case) is not the correct way to go about it. If nothing else with any luck I can get into an organization that allows me the opportunity one day.
  • HeroPsycho Inactive Imported Users Posts: 1,940
    I disagree that MCSE is a "broad cert" and security is more "narrow". Security could be argued to be actually broader than MCSE. With MCSE, you need to know how to do patch management for Windows based machines vs. Security as a whole you would need to know how to do it for all operating systems and major applications.

    Carry this to the logical conclusion, and you realize security is a big, broad subject.

    In my experience, you don't get higher level security positions until you prove yourself on platforms. If you don't have advanced skills in any operating system, how are you going to convince potential employers you can secure them?

    I would encourage you to develop skills in at least one platform. That would mean go for MCSE, or a Linux cert, whatever.

    I would also recommend you begin developing skills in enterprise class firewalls, too.

    You're in the position you need to get experience with security work before you can get the higher level security certifications. That is more product centric knowledge. Do you know how to configure a PIX/SonicWall/NetScreen firewall for example? Do you know how to harden servers of at least one OS platform? Do you know how to assess the security levels of those servers?
    Good luck to all!
  • dynamik Banned Posts: 12,312
    You may want to try reposting in the security forum http://techexams.net/forums/viewforum.php?f=52 (or maybe someone can move this there).

    From what I've discerned, getting into security is somewhat of a gradual transition. It seems like very few people get security positions right off the bat, and most have to start as systems or network admins and take on more responsibilities over time. Definitely keep reading through the security forums though; there's a wealth of information in there.
  • shednik Member Posts: 2,005
    I'm also looking to get into security; here is my plan to migrate into security... I'm early in my career with only about 2 years of experience in Windows admin, Cisco networking, and desktop support. I'm looking to start my Masters of InfoSec this fall, which will help me learn a lot of the theory and make up for what my undergrad didn't teach me. While doing that I'm currently a network analyst for an extremely large corporation, and since I'm in a rotation program for college grads to get exposure to different areas of IT, I will be moved to a second team, either the Unix team or the network security team who handle the edge router, firewalls, proxies, and anything to do with remote access. I also have picked up several books, set up a VMware server, and plan to begin my Security+ as well. I feel with all of these combined efforts I will move into security nicely within the next few years. I feel the road to security is not defined and you have to make sure you're always on top of your game, which can be built from spending time in the trenches, and continuing to educate yourself with technology.
  • JDMurray Admin Posts: 13,023
    My story: I decided to finally move into InfoSec at the same time I decided to go back to school and get a Masters degree. I had a work load that would enable me to go to school part time, and because of the ease of off-shoring of software engineering jobs, I was motivated to specialize in a profession that would not likely be farmed-out overseas. Well, one Masters degree later, I got a cool InfoSec job (InfoSec Research Engineer) and now I'm getting the IT certifications expected of an InfoSec professional. The continual self-education and personal improvement of an InfoSec professional never ends. ;)
  • ajs1976 Member Posts: 1,945
    I'm a consultant and my work focuses around Windows, Exchange, and Citrix implementations. I get to do a lot of things that fall into the InfoSec category, e.g. Citrix Secure Gateway, Citrix Access Gateway, Disaster Recovery plans, etc. I'm getting some experience in InfoSec, but would like to move into a role that is more focused on it.

    I completed the Security+. Later this year, I'm going to work on the MCSA: Sec and the CCA: Access Gateway.

    Not sure when I'm looking to move into InfoSec full time, but I'm laying the groundwork.
    Andy

    2020 Goals: 0 of 2 courses complete, 0 of 2 exams complete
  • Geekboy Member Posts: 16
    HeroPsycho wrote:
    I disagree that MCSE is a "broad cert" and security is more "narrow". Security could be argued to be actually broader than MCSE. With MCSE, you need to know how to do patch management for Windows based machines vs. Security as a whole you would need to know how to do it for all operating systems and major applications.

    Carry this to the logical conclusion, and you realize security is a big, broad subject.

    In my experience, you don't get higher level security positions until you prove yourself on platforms. If you don't have advanced skills in any operating system, how are you going to convince potential employers you can secure them?

    I would encourage you to develop skills in at least one platform. That would mean go for MCSE, or a Linux cert, whatever.

    I would also recommend you begin developing skills in enterprise class firewalls, too.

    You're in the position you need to get experience with security work before you can get the higher level security certifications. That is more product centric knowledge. Do you know how to configure a PIX/SonicWall/NetScreen firewall for example? Do you know how to harden servers of at least one OS platform? Do you know how to assess the security levels of those servers?

    Maybe “broad” was the wrong term to use but you have to agree that “security” is more of a niche in IT than Windows (as are security certifications and experience). It’s a specialty and not something an MCSE can walk into. It’s a niche market within IT and requires a broad knowledge of things. This is why I posted, just wanted to get various POVs.

    I know I need experience, and knowledge, just wondered how others got there. It’s a mid-career mental block right now and I’m wondering if “specializing” is the key. Thanks again to those posting I got some good info here.
  • Geekboy Member Posts: 16
    JDMurray wrote:
    My story: I decided to finally move into InfoSec at the same time I decided to go back to school and get a Masters degree. I had a work load that would enable me to go to school part time, and because of the ease of off-shoring of software engineering jobs, I was motivated to specialize in a profession that would not likely be farmed-out overseas. Well, one Masters degree later, I got a cool InfoSec job (InfoSec Research Engineer) and now I'm getting the IT certifications expected of an InfoSec professional. The continual self-education and personal improvement of an InfoSec professional never ends. ;)

    I like your story… Do you think it's possible to obtain a gig working on more security related items in IT, while pursuing a degree and/or the next levels of MS/Cisco certifications? For instance I have: Security+ certification and I’m an experienced IT guy. No master, but worked on a few things through the years. What role in IT security can I play -- where do I pay my dues? Or is it too soon to even think about it? Like ajs1976 I’m trying to lay down the groundwork and who better to ask than my peers.
  • HeroPsycho Inactive Imported Users Posts: 1,940
    Geekboy wrote:
    Maybe “broad” was the wrong term to use but you have to agree that “security” is more of a niche in IT than Windows (as are security certifications and experience). It’s a specialty and not something an MCSE can walk into. It’s a niche market within IT and requires a broad knowledge of things. This is why I posted, just wanted to get various POVs.

    I know I need experience, and knowledge, just wondered how others got there. It’s a mid-career mental block right now and I’m wondering if “specializing” is the key. Thanks again to those posting I got some good info here.

    I think you're looking at this a bit wrong. I would argue the average MCSE does security work. Patch management involves security. Locking down IIS properly involves security. Setting up security groups and ACLs is security work.

    What you're not defining is what security work do you want to do? You obviously want to become a higher level security specialist, but what exactly do you want to do? Implement firewalls? Penetration testing? Auditing? Secure network architecture?

    This isn't to start an argument, but it's to point out that what kind of work you want to do years from now should be steering you today. For example, if you want to get into secure network architecture (like recommending what firewall products to institute, where they should be installed, what the policies should be, etc.), you should be gearing up for that by getting experience with firewall products, and learning sound principles of firewall configurations applicable to all firewalls. If you're looking more at auditing, you should be learning OS's, how to evaluate their relative security, the various criteria systems are judged by (CIS, etc.).
    Good luck to all!
  • dynamik Banned Posts: 12,312
    I think you guys are just looking at it in different ways. If you look at it from a career perspective, it probably is more of a niche area. I'd wager that there are far fewer guys (and gals!) like Keatron than Windows admins. However, if you look at it from a general IT perspective, security is perhaps the widest reaching aspect of the field, and it is integral to nearly every OS, application, and network service.
  • liven Member Posts: 918
    dynamik wrote:
    I think you guys are just looking at it in different ways. If you look at it from a career perspective, it probably is more of a niche area. I'd wager that there are far fewer guys (and gals!) like Keatron than Windows admins. However, if you look at it from a general IT perspective, security is perhaps the widest reaching aspect of the field, and it is integral to nearly every OS, application, and network service.

    This is correct.

    And he is also correct in stating that it is something you gradually get into.

    I am a security professional. But before this I did: system administration, network administration, and development/coding. Could I do my current job without all of that experience? Sure, but I wouldn't be nearly as capable as I am now.
    encrypt the encryption, never mind my brain hurts.
  • liven Member Posts: 918
    HeroPsycho wrote:
    I disagree that MCSE is a "broad cert" and security is more "narrow". Security could be argued to be actually broader than MCSE. With MCSE, you need to know how to do patch management for Windows based machines vs. Security as a whole you would need to know how to do it for all operating systems and major applications.

    Carry this to the logical conclusion, and you realize security is a big, broad subject.

    In my experience, you don't get higher level security positions until you prove yourself on platforms. If you don't have advanced skills in any operating system, how are you going to convince potential employers you can secure them?

    I would encourage you to develop skills in at least one platform. That would mean go for MCSE, or a Linux cert, whatever.

    I would also recommend you begin developing skills in enterprise class firewalls, too.

    You're in the position you need to get experience with security work before you can get the higher level security certifications. That is more product centric knowledge. Do you know how to configure a PIX/SonicWall/NetScreen firewall for example? Do you know how to harden servers of at least one OS platform? Do you know how to assess the security levels of those servers?


    As a security professional I totally agree with these statements also.

    You have to have a really solid grasp on the normal functionality of the systems you're going to secure. If you don't have this how on earth can you pretend that you can lock them down?

    And just like Hero states, patch management, account administration, permissions etc. is all security administration. Security covers such a massive amount of things; because of this there are many sub categories of security admin. There are guys who evaluate and secure applications, networks, servers, desktops, physical security; the list goes on and on. And unless you work for a small company you will most likely be doing all of the security stuff. It is good practice to separate these disciplines inside of major corporations. This is done for many reasons. One reason is because the forensic guy has so many logs to go through there is no way he is going to have time to check/change firewall rules. Another reason for this separation is it adds another layer of security. If one person has the power to change firewall rules, review logs, and admin the servers that person effectively holds the keys to the castle.

    My whole point with all of this is find out what part of comp technology is your favorite or you excel at the most. Then learn the security side of that area.
    encrypt the encryption, never mind my brain hurts.
  • JDMurray Admin Posts: 13,023
    Geekboy wrote:
    Do you think it's possible to obtain a gig working on more security related items in IT, while pursuing a degree and/or the next levels of MS/Cisco certifications?
    The answer is, of course, "yes," but you are more interested in the "how," "where," and "when" of getting such a job.

    Assuming you don't have a friend that can easily get you such a job, experience is the most important quality to have. Lacking the experience to get an InfoSec job, you will need to use your other skills to get into an organization where, one day, you can move to an InfoSec position. As an IT person in a very large organization, you will have much greater InfoSec-related opportunities than working for small to mid-sized organizations. Also, having the ability to move to a new job rather than staying only where you are increases your opportunities too.
  • Geekboy Member Posts: 16
    As dynamik says we are looking at it in different ways. I have been browsing the boards and around the net and decided to just get myself in the learning frame of mind and tackle the Security+, and then maybe the CCENT or just go for the CCNA next. I’m not just going to focus on getting an InfoSec job, but rather getting into a place that may give me the opportunity or learning experience. If time permits I may even try to get back to school in a year or so. Thank you all, your responses were insightful and appreciated.