
Best route to get into Network Security (Penetration Testing)

MajorVision Member Posts: 5
Hi all,

This is my first post so apologies in advance :)

I'm on an industrial placement this year working as a test environment support analyst but I want to get into network security as a career as fast as possible. I have a basic knowledge of networks and security engineering from university/self study but nowhere near enough to consider applying for jobs.

It seems gaining certificates is the way to go, but N+ and S+ are pretty expensive and I don't want to spend money on a certificate that I don't need to get into the security industry.

Can you beautifully insightful people give me some advice on the best route to take to get into the security industry (more specifically penetration testing), seeing as I graduate in around a year and a half?

Comments

  • networker050184 Mod Posts: 11,962 Mod
    An expert is a man who has made all the mistakes which can be made.
  • jasong318 Member Posts: 102
    Here's another good article from SpiderLabs about getting into security.
  • MajorVision Member Posts: 5
    Thanks guys, both of those articles were great reads!

    In regards to Wargames, is this the type of thing I can put on my CV, and what kind of home lab would be required to 'play' them?

    Considering I have no certs to speak of right now, would it be better to get the standard networking certs (N+, CCENT/CCNA) or focus more on security-based certs (S+, CCNA:S, etc.)?

    Thanks again for the quick replies :)
  • lsud00d Member Posts: 1,571
    Depending on the horsepower of your home machine, you can set up a pen testing lab with:

    Backtrack
    Metasploitable
    Ultimate LAMP
    Windows Server/Client OS's

    This is a very good link on the topic:

    https://community.rapid7.com/docs/DOC-2196

    This is something you can put on your CV/resume and it will be a discussion point in netsec jobs.
  • bobloblaw Member Posts: 228
    If you don't understand most of the references lsud00d just made (along with items in the link), go buy the Security+ book. You have to start somewhere.

    Anyone in pen testing actually start in pen testing? This isn't Ender's Game. You're probably going to end up doing something else first. Let's just say you're getting in a good time no matter what area you end up in. InfoSec is very broad.

    Global Network of Hackers Steal $45 Million From ATMs | TIME.com
  • MajorVision Member Posts: 5
    I vaguely understood the references although reading up on Security+ seems like a good idea.

    Would you suggest ignoring N+ and going straight for Security+ as a cert and learning experience? I see on CompTIA's website they suggest taking the N+ exam before attempting S+.
  • lsud00d Member Posts: 1,571
    N+ is definitely not necessary before S+...there are a few easily understood concepts that transfer over, but it's no showstopper.
  • MajorVision Member Posts: 5
    Thanks man, this whole forum is amazing!

    Last but not least, could you direct me to a decent S+ book, as there seem to be quite a few?
  • lsud00d Member Posts: 1,571
    You're welcome! Welcome to TE by the way.

    I used Darril Gibson's book and from what I've seen so do most people here. It's easy to read and there are practice quizzes after every chapter that help reinforce the topics. Here's a link to it on Amazon:

    CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide: Darril Gibson: 9781463762360: Amazon.com: Books
  • MajorVision Member Posts: 5
    I'm purchasing right now! Thanks everyone, going to start studying for the S+ exam and try and get a home lab set up.

    Hopefully the S+ exam isn't a ballbuster...

  • bobloblaw Member Posts: 228
    Good choice. It's a great foundation. If you get stuck, the S+ forum here is solid. Darril is literally in there answering questions.

    Don't take it lightly. I took it 2-3 months after getting my CISSP. Work paid for it. I didn't care if I passed or failed. I didn't study (skimming a chapter here and there a month before the test simply doesn't count). I got a 751. Passing is a 750. Don't take it lightly. Great info in that book. Try and find some updated lab scenarios. Most is Q&A, but the lab stuff won't be rote memorization.

    Good luck. Stay focused. Get more certs afterwards. They truly pay for themselves most of the time.
  • lsud00d Member Posts: 1,571
    bobloblaw wrote: »
    Anyone in pen testing actually start in pen testing? This isn't Ender's Game.

    On an aside, nice reference; did you know the movie will FINALLY be out this November?? I'm so excited
  • DoubleNNs Member Posts: 2,015
    I second getting Darril Gibson's book.
    However, I think you'll have a much easier time going through the Sec+ material after studying for the Net+ or CCENT. In addition, I think the material found in those certs is easier to use in entry level jobs.

    If you're strapped for cash I would personally recommend this track:
    1) Study for Net+ but DON'T take the exam
    2) Take and pass Cisco CCENT
    3) Take and Pass Sec+
    4) Take and Pass Cisco CCNA

    I think that track right there is the best bang for your buck.
    Just something to think about, but in no way shape or form a necessity.
    Goals for 2018:
    Certs: RHCSA, LFCS: Ubuntu, CNCF CKA, CNCF CKAD | AWS Certified DevOps Engineer, AWS Solutions Architect Pro, AWS Certified Security Specialist, GCP Professional Cloud Architect
    Learn: Terraform, Kubernetes, Prometheus & Golang | Improve: Docker, Python Programming
  • Master Of Puppets Member Posts: 1,210
    For pen testing you have to pretty much know everything. I think of security as something different - in order to really protect something you have to really know how it works. A pen tester should know networking, programming, operating systems etc. Like the others have said it is best to start with something else and get into security after you have some experience and know a thing or two. Certs will definitely help.

    On a side note, I see the security market getting saturated in a few years because absolutely everyone wants to do security.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • dmoore44 Member Posts: 646
    Master Of Puppets wrote: »
    For pen testing you have to pretty much know everything. I think of security as something different - in order to really protect something you have to really know how it works. A pen tester should know networking, programming, operating systems etc. Like the others have said it is best to start with something else and get into security after you have some experience and know a thing or two. Certs will definitely help.

    On a side note, I see the security market getting saturated in a few years because absolutely everyone wants to do security.

    I wholeheartedly agree, but I would provide a little more nuance. You do need to have a good command of OSes, networks, web apps, and all of the stuff that make them function. But you can specialize in one subset and join a larger team. If you want to go solo, then you'll definitely need to have a certain mastery over just about everything to be proficient. PenTesting is more than just grabbing BackTrack/Kali and running metasploit.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • Master Of Puppets Member Posts: 1,210
    dmoore44 wrote: »
    I wholeheartedly agree, but I would provide a little more nuance. You do need to have a good command of OSes, networks, web apps, and all of the stuff that make them function. But you can specialize in one subset and join a larger team. If you want to go solo, then you'll definitely need to have a certain mastery over just about everything to be proficient. PenTesting is more than just grabbing BackTrack/Kali and running metasploit.

    You're absolutely right. However, don't you think that such specialization is a little harder to find employment with? I might be wrong on this one but, in my experience, sifting through security jobs, I see less of those. This makes me think that in some regions people could have trouble finding work. I would guess that the bigger companies are the ones who could use one of these. I try to get better at at least a few of these areas in order to stay away from specialising too much (and quite frankly because I find it extremely interesting and can't get enough). Also, the thing about running metasploit cracked me up. The other day one of my friends said he downloaded Kali and wanted me to teach him to run some tools so he can "start hacking".
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • dmoore44 Member Posts: 646
    Master Of Puppets wrote: »
    You're absolutely right. However, don't you think that such specialization is a little harder to find employment with? I might be wrong on this one but, in my experience, sifting through security jobs, I see less of those. This makes me think that in some regions people could have trouble finding work. I would guess that the bigger companies are the ones who could use one of these. I try to get better at at least a few of these areas in order to stay away from specialising too much (and quite frankly because I find it extremely interesting and can't get enough). Also, the thing about running metasploit cracked me up. The other day one of my friends said he downloaded Kali and wanted me to teach him to run some tools so he can "start hacking".

    To some degree. If you're in a large metro area (NY, LA, DC, etc...), I think you'll have a pretty easy time getting a job on a red/blue team. When you start moving into the smaller markets, you'll want to have a broader skill set.
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
  • pert Member Posts: 250
    I don't understand why people want to work in security. I swear the only reason they want to is because it "sounds cool". Especially if you are new in IT, I'd do some research about what security guys actually do all day and see how cool it still sounds, because it's mostly boring as hell.

    To actually contribute to this thread, I don't really know anyone who started in Security. Everyone came from a related field, typically network engineering, had to do security work in that field, then moved full time into security. I think the best avenue is picking one of the fields that has a strong security presence, and pursuing that field until you're between a jr and senior engineer, then take a detour into security.
  • Master Of Puppets Member Posts: 1,210
    Nothing wrong if they like it but this is exactly the main reason. I know so many people who don't even know what security is but they want to get into it. With no idea of what it actually is. Just looks cool in movies and when they talk about hackers in the media so let's do it too. Not a real reason to do something if you ask me.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • jibbajabba Member Posts: 4,317
    pert wrote: »
    I don't understand why people want to work in security.... because it's mostly boring as hell.

    Especially pen-testing focused jobs.
    My own knowledge base made public: http://open902.com :p
  • theanimal Member Posts: 77
    pert wrote: »
    I don't understand why people want to work in security. I swear the only reason they want to is because it "sounds cool". Especially if you are new in IT, I'd do some research about what security guys actually do all day and see how cool it still sounds, because it's mostly boring as hell.

    To actually contribute to this thread, I don't really know anyone who started in Security. Everyone came from a related field, typically network engineering, had to do security work in that field, then moved full time into security. I think the best avenue is picking one of the fields that has a strong security presence, and pursuing that field until you're between a jr and senior engineer, then take a detour into security.

    One could really say that about any field, because ultimately what one views as boring or entertaining is all personal preference.

    The NOC position where I work was actually very good because we could go and job shadow any of the server, networking, web tech, or security guys when we had free time and see what they did on a day to day basis. For me personally, Web Tech and Server/Open System/VMs were very boring and I don't see how someone could enjoy doing that day to day, whereas Networking and Security were fun and enjoyable and something I could see myself doing.

    I hate math, I can't fathom why someone would want to be an accountant, but then I realize they enjoy it.

    Though I do agree many people do want to get into particular fields before they know anything about them.
  • Danielm7 Member Posts: 2,310
    theanimal wrote: »

    Though I do agree many people do want to get into particular fields before they know anything about them.

    This is so true. In the last year I've seen 2 friends get their master's degrees then give up on their new fields within 2 weeks of finishing because they thought it would be totally different. I've always felt that there should be some sort of program where you can shadow people in a certain field for a day or a week and get an idea of what the job is really like before dedicating years of your life and 100K in debt to get into the field and finding out you hate it.
  • PurpleIT Member Posts: 327
    Danielm7 wrote: »
    This is so true. In the last year I've seen 2 friends get their master's degrees then give up on their new fields within 2 weeks of finishing because they thought it would be totally different. I've always felt that there should be some sort of program where you can shadow people in a certain field for a day or a week and get an idea of what the job is really like before dedicating years of your life and 100K in debt to get into the field and finding out you hate it.


    Not wanting to veer too far off topic here, but my daughter's high school has this as a requirement for graduation and my wife has served as a mentor for several students. For the most part, the students who followed my wife quickly realized the job was not what they expected and have decided to look in other areas in the future, but a couple of them were very excited and have gone on to graduate from college with degrees in that (or a related) field.
    WGU - BS IT: ND&M | Start Date: 12/1/12, End Date 5/7/2013
    What next, what next...
  • YuckTheFankees Member Posts: 1,281
    Good thread so far guys, I can relate to almost everything that has been said so far.

    I am one of those people who got into security because I thought it looked "cool", on top of that, I wanted to be a pentester too lol What's cooler than hacking all day! Or 75% of the day, or 50%, or maybe like 30%? Gotta love the paperwork
    It was roughly two years ago, I was miserable doing finance work, looking for a way out. After researching and researching careers, I decided on IT security because at this time (early 2011), and I bet a lot of people can remember this, every other day there was an article about how "cyber security needs skilled workers", "get into cyber security because the career growth is off the charts", etc..

    Fast forward 2 years later (1.5 years in IT), I'm currently a security analyst/engineer. Is it anything like I expected, when I was researching it over the years...no. I honestly can't pinpoint what I expected but this is definitely not it. But then again, I am at the bottom of the security totem pole...things should get better, right? haha

    I have probably spent 100+ hours researching “how to get into security” over the last 2 years...so take my recommendations with a grain of salt.

    1. Ask yourself and be honest, are you getting into IT security for the right reasons? Are you doing it because you think it looks cool or sounds fun? Do you get excited when you read about a new exploit?

    2. Before you decide on pentesting, take a good look at all the other specialties in IT security (or maybe regular IT jobs) and see if any others pique your interest.

    3. Once you pick a specialty, start searching for professionals in the field who live near you (google, linkedin) and start talking to them. Ask them good questions: 1. is the job what you expected? 2. how did you get here? 3. what's your background? 4. what's your take on the career outlook? 5. how can I get in this field? etc...

    4. Try and shadow the person, see if you like their day-to-day activities...but with security jobs, this may be hard.

    5. After speaking with a few professionals, if you begin to love the field even more... let's start looking at getting into the field.

    Degree (check)
    certs:
    read network+ material
    read ccent/ccna material - definitely worth it...especially if you are interested in network security
    sec+ (basic security concepts)
    OSCP - (if you're interested in pentesting) people will say this cert is not too well-known with companies, but companies who want a pentester usually know about this cert

    6. Start looking for a job. Junior pentest jobs are rare, so I would start looking for NOC jobs or entry level security jobs that only require 1-3 years of experience (you will probably be doing support for firewalls, VPN, IDS, IPS, etc). Start with researching security companies and look at their openings...that's what I did.

    7. Okay good, you have a job. Start networking with the security guys at your company, let it be known you are interested...maybe you can help out with some minor tasks a few hours a week?

    8. Keep on pushing ahead.. certs, gain experience/knowledge, read articles and books, contribute to the field in some way (make videos, add to an open source project, look for zero days)
  • ArabianKnight Member Posts: 278
    Ok, so you went from finance to INFOSEC in 2 years......what did you do, because I need to do that!
  • Master Of Puppets Member Posts: 1,210
    Awesome advice from Yuck. I would really like to echo number 8. I think it is often overlooked and it is extremely important. You would be surprised how much that can help.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • bigmantenor Member Posts: 233
    ArabianKnight wrote: »
    Ok, so you went from finance to INFOSEC in 2 years......what did you do, because I need to do that!

    I guess I can be counted as one of the rare ones who got their first job in IT in the security realm... Currently work as a security analyst (worked at a restaurant before that) for an MSP. Not to say that it was the easiest transition, but I quickly learned how to drink from the firehose of network security without choking.

    If your interest is pentesting, the best thing you can do is get really, really serious about your studying and labbing. I work beside a few pentesters, and they all have a deep love for what they do. One issue with pentesting is that there is a LOT of paperwork involved, which may or may not be your cup of tea. I would also add that all of the professional pentesters I know have CS degrees; this may not be necessary per se, but may be something worth looking in to if you have the time and funds to spare for such an endeavor (computer science is NOT all coding).
  • TrevorEnygma Registered Users Posts: 1
    YuckTheFankees wrote: »
    Good thread so far guys, I can relate to almost everything that has been said so far.... 8. Keep on pushing ahead.. certs, gain experience/knowledge, read articles and books, contribute to the field in some way (make videos, add to an open source project, look for zero days)

    Shout out to YuckTheFankees for an awesome post. Very informative, as I've worked in the NOC and now I'm in a datacenter trying to spill over into InfoSec. Thanks