"Breaking In" to Information Security

I am currently working on getting my foot in the door in Information Security. I have read quite a few posts on here regarding this topic and they seem to vary a little based on what people want to do in Information Security.

I have been in IT for 7 years in various levels of Helpdesk (level 1 100% phone to Help Desk Supervisor of a 2 man team). Currently I get my hands on all levels including some Server support duties, Firewall config/troubleshooting, User Administration, and similar tasks. I was able to obtain my SSCP in September, but I lack the experience to get the CISSP by 2 1/2 years (even with the 1 year experience waiver for SSCP).

Currently, I am working on the MCITP: SA and was thinking of the CCNA next. My thoughts were that I should get a Network/Systems Admin role to get more hands on experience in the different security domains and then start trying to get into Info Sec role.

If I want to get into Vulnerability Assessments, Penetration Testing and remediation, do I have the right path in mind? If not, what should my career/certification path look like?

Other Certs on my list are: Python, OSCP, C|EH, CISSP

Thanks in advance for your advice!

Mike

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

lsud00d

I am interested in this as well, looking forward to the replies

YuckTheFankees

If you are wanting to go down the penetration/vulnerabilities assessment career path, I have a few questions for you?

* Can you program? If so, which languages? Do you have a computer science degree? They really love those for pentesting.
* Can you script? If so, which languages?
* Do you know ASM?
* Are you familiar with PHP, HTML, SQL, LINUX, etc..
* Do you know how to use and have experience with nmap, nessus, dsniff, libnet, netcat, and network sniffers and fuzzers?

If anything I would say go for the OSCP and see if you can complete the course/gain the certifications. The senior penetration tester I know, says gaining the OSCP would definitely prepare you for a junior pentesting position.

eansdad

Most inforsec people I know at large banks and corps have GCIH and CISSP. They deal with detection and response though. If I was going to go for pentesting OSCP and the Secure Tube Python Security Expert would be what I would look at.

Keener

YuckTheFankees wrote: »

If you are wanting to go down the penetration/vulnerabilities assessment career path, I have a few questions for you?

* Can you program? If so, which languages? Do you have a computer science degree? They really love those for pentesting.
* Can you script? If so, which languages?
* Do you know ASM?
* Are you familiar with PHP, HTML, SQL, LINUX, etc..
* Do you know how to use and have experience with nmap, nessus, dsniff, libnet, netcat, and network sniffers and fuzzers?

If anything I would say go for the OSCP and see if you can complete the course/gain the certifications. The senior penetration tester I know, says gaining the OSCP would definitely prepare you for a junior pentesting position.

I have a CS degree. I have programmed before, but not since college (C, C++, Java, Assembly). However, I can pick it back up pretty easily.

I have not done much scripting except tweaking something here and there. Again, I could learn this pretty easily based on my past experience. This is why I want to learn Python, Powershell, etc.

Do not know ASM.

No PHP, basic HTML, basic SQL, very little Linux but Linux is on my agenda before OSCP (just not a certification).

I do not have any experience with nmap, etc, but will be using it for work soon. I do have some experience with wireshark for captures.

Thanks for the info and things to study up and learn. I greatly appreciate that info. What about job progression? Is there a next step in between where I am at and pen testing, or is a Jr. Pentester the next step?

jasong318

ASM is assembly. It looks like you're on a good track as it is, if you can get a Jr. Pentester job, go for it. If not, try the Network/Sysadmin route to get some real world experience and learn why people often make the mistakes they do that make pentesting a reality

In the meantime, read this article: Getting a Start in the Security Industry - SpiderLabs AnteriorSet up your own lab and play with it. It doesn't even have to be a real, physical lab. Put virtualbox on your laptop with a copy of OWASP broken web apps, Metasploitable (v1 & v2) and backtrack. Setup Security Onion to monitor them while you attack, learn lots

Try hooking up with local groups in your area (2600, Defcon, OWAP, etc.), these are invaluable resources not just for learning but for networking. Also, you can go ahead and test for the CISSP without the required experience, you'll just be a 'associate of isc2' until you get the full 5 years and then become a full fledged CISSP. And to echo what others have said, the OSCP would be most valuable in terms of learning/value. Having the CISSP is nice and will get past the HR screen but the guys doing the acrtual hiring love the OSCP

Keener

jasong318 wrote: »

ASM is assembly. It looks like you're on a good track as it is, if you can get a Jr. Pentester job, go for it. If not, try the Network/Sysadmin route to get some real world experience and learn why people often make the mistakes they do that make pentesting a reality In the meantime, read this article: Getting a Start in the Security Industry - SpiderLabs AnteriorSet up your own lab and play with it. It doesn't even have to be a real, physical lab. Put virtualbox on your laptop with a copy of OWASP broken web apps, Metasploitable (v1 & v2) and backtrack. Setup Security Onion to monitor them while you attack, learn lots

Try hooking up with local groups in your area (2600, Defcon, OWAP, etc.), these are invaluable resources not just for learning but for networking. Also, you can go ahead and test for the CISSP without the required experience, you'll just be a 'associate of isc2' until you get the full 5 years and then become a full fledged CISSP. And to echo what others have said, the OSCP would be most valuable in terms of learning/value. Having the CISSP is nice and will get past the HR screen but the guys doing the acrtual hiring love the OSCP

Awesome! Thank you for the additional info. I appreciate it and will put it to good use!