Information Security?

rapyoke · August 2010

Hi,

I want to get into information security, and currently I'm entering my first year at GMU planning to get my BS in Information Technology, with a minor in business. Here is the page, if you guys care:

IT Major: About the IT Major | The Department of Applied Information Technology

Eventually, I'd like to get my CEH, CCSP, and hopefully the CISSP. My question is, where do I go after college? I've looked pretty extensively around craigslist, dice.com, monster.com, and it seems like everybody wants at least 3-5 years of experience. If nobody's hiring kids fresh out of college, where are we expected to get this experience? Is it just a result of the economy? Also, would you guys consider changing majors? I've looked through the job postings for network security analysts and it seems they all want a degree in Computer Science or equivalent. I don't know if the degree in IT will be considered on the same level as a degree in CS. Also, it seems to me like the IT degree is considered to be the easiest of the programs in the technology school at GMU.

So basically:

1. Where do I start after college if I want to get into network security?

2. Should I change from IT to something like Computer Science, or a more respected program? Or is a BS in IT fine?

phantasm · August 2010

1. You start out at the bottom like the rest of us. This will either be a NOC type job or a help desk job depending on where you want to go. You say security and mention the CCSP so that points me towards networking. For a CCSP you'll need your CCNA and CCNA Security before you can do the CCSP. The CCSP is also being revamped so the material right now for self study is hard to come by. CEH and CISSP are high end certs in the security field. Expect to do a few yrs as a network tech or helpdesk analyst before getting into any network security gig. Also, the Security+ is a good place to start.

2. I also state that if you can do the math required for a CS degree then go that route. The CS degree has more weight than any of the hybrid business/tech degress. For instance, I recently had an interview and was told the only reason I got the interview was because I had a CCNA. My B.S. from DeVry did jack for me. Best of luck.

earweed · August 2010

1. Your best bet is to try to get started while in college. See if your school has a co-op program. You can even try work study if you get lucky enough to land a position in a computer lab or something IT related.
Like you have already noticed all the positions require experience. You need to get some however you can.

dynamik · August 2010

phantasm wrote: »

1. You start out at the bottom like the rest of us. This will either be a NOC type job or a help desk job depending on where you want to go. You say security and mention the CCSP so that points me towards networking. For a CCSP you'll need your CCNA and CCNA Security before you can do the CCSP. The CCSP is also being revamped so the material right now for self study is hard to come by. CEH and CISSP are high end certs in the security field. Expect to do a few yrs as a network tech or helpdesk analyst before getting into any network security gig. Also, the Security+ is a good place to start.

2. I also state that if you can do the math required for a CS degree then go that route. The CS degree has more weight than any of the hybrid business/tech degress. For instance, I recently had an interview and was told the only reason I got the interview was because I had a CCNA. My B.S. from DeVry did jack for me. Best of luck.

Very well said.

I'd also do the CS degree if you could, but I don't think it's the end of the world if you don't go that route. I know people in this industry with completely unrelated degrees or no degrees at all.

Edit: I agree with Earweed too. Definitely try to get as much experience as you can sooner rather than later, even if it means interning, working at college, etc.

docrice · August 2010

Although I'm not in a traditional hardcore information security job, I work with firewalls and VPNs often enough that I guess I have a foot in the territory. I notice quite a few postings about getting into infosec. However, in my opinion, in order to do that kind of work you need a fundamental understanding of how systems, services, and networks function as an ecosystem. These things don't exist in isolation (unless you're doing strictly research work).

In order to gain that understanding, you need experience. Certifications are a start, but they don't add up to actual experience where the real wisdom comes from. What they teach you in textbooks and cert guides are one thing, but to actually comprehend and decipher all the moving parts in the electronic space and have a solid, holistic perspective is another thing that can't be gained without time, sustained effort, and soaking in the knowledge that comes from practical hands-on work and lots of trial-and-error. There's a lot of stumbling and falling on your face in that learning experience. That's why practically all employers look for someone who has gone through that history of discipline. Security work isn't a checklist. It takes some amount of maturity and attitude to perform well.

Security covers a broad range of areas. Your career first-steps will depend on which of these areas interest you the most.

In general, I would get into a junior networking / desktop support / sysadmin position and increase your skill sets from there. Doing pentesting and similar work can feel glorious, but if you portscan and enumerate a service but don't know what kind of configurations can be in place or how the network might be set up behind it, the practice doesn't get you very far. You need insight to creatively work around someone's defenses (or protect against those offenses) and understanding the limitations of how it works in real-world networks is crucial.

tpatt100 · August 2010

I do Security full time, have been for about 7 years. I started doing Help Desk for a bit, then Desktop Support for a short while and then Sys Admin.

We have some guys that jumped straight into security because they know somebody and some of them can't even find their way around event viewer, let alone check settings for a web site on IIS.

Bl8ckr0uter · August 2010

I'm a little more than 3 years in and I am working as a Network Security Admin for a small company. I think I got two lucky breaks (one being a job at a major cisco partner doing VPN,ACLs, monitoring and a few other things which lead to this job) and it helped me get into security "early". Prior to that I was working on helpdesks and I worked my way through the ranks. There are still a lot of things I don't know but I think having working with security technologies in such an intense fashion helps me out. My suggestion for you is to try to work for a partner, such as a Cisco or MS partner and build you experience in that regard. Working for a partner is different than working at most places. I got to work on (literally) hundreds of routers, switches, and firewalls while working for the cisco partner and that knowledge helped me get the job I have now.

One other thing I want to say is be well rounded. I know, in the future I want to focus on *nix but right now I need to beef up my Windows knowledge since 75% of our servers are windows. Also be prepared for the boring parts of Infosec. I have to write a security policy and I have been reading about ISSE frameworks and the like. It made me want to kill myself, but I know the information is useful (or at least that's what I keep telling myself).

rapyoke · August 2010

knwminus wrote: »

I'm a little more than 3 years in and I am working as a Network Security Admin for a small company. I think I got two lucky breaks (one being a job at a major cisco partner doing VPN,ACLs, monitoring and a few other things which lead to this job) and it helped me get into security "early". Prior to that I was working on helpdesks and I worked my way through the ranks. There are still a lot of things I don't know but I think having working with security technologies in such an intense fashion helps me out. My suggestion for you is to try to work for a partner, such as a Cisco or MS partner and build you experience in that regard. Working for a partner is different than working at most places. I got to work on (literally) hundreds of routers, switches, and firewalls while working for the cisco partner and that knowledge helped me get the job I have now.

One other thing I want to say is be well rounded. I know, in the future I want to focus on *nix but right now I need to beef up my Windows knowledge since 75% of our servers are windows. Also be prepared for the boring parts of Infosec. I have to write a security policy and I have been reading about ISSE frameworks and the like. It made me want to kill myself, but I know the information is useful (or at least that's what I keep telling myself).

how does the partner thing work? when you pass an exam do they send your info to potential employers?

earweed · August 2010

You apply to partner companies

Partner Locator-Partner Central - Cisco Systems Cisco

Company Directory of Microsoft Partners, IT Support Companies Microsoft

Bl8ckr0uter · August 2010

rapyoke wrote: »

how does the partner thing work? when you pass an exam do they send your info to potential employers?

The way it worked where I was is that they had to maintain a ratio of cisco certified people. In my case it meant that the entire NOC was being pushed to get CCNA certified. Most people didn't do it because they didn't see the value but me as a new guy came in with the "Get certified " directive forced down my throat. I was told I had to get it within 90 days. I think I did it within 45 or so.

I just happen to apply at a place that was the largest Cisco Partner in Ohio. I wasn't cisco certified when I got hired (I failed it once and I was licking my wounds). They gave me a chance after giving me their "technical test" and I aced it.

I'm still very much a noob about certain things but being in that NOC helped me learn a lot very quickly.

Information Security?

Comments