How to get from Sys Admin to Sec Pro

Ok, so I've got 15 yrs I.T. experience. 3 yrs as a Comp Supprt Tech, 1 yr as an I.T. Admin and 10 years as an Asst. Systems Administrator. I'm interested in Security, and am looking to make a move from Sys Admin/user support to something where I don't have to deal with users every minute of every day. I'm BURNT OUT on support.

I'm lucky to work for a company that offers training periodically, and have the CASP and CEH coming up. I have obtained my CompTIA Sec+, as well as a couple of MS certs. I have 10 yrs of exp in MS, 3 in Mac, and 1 in Linux.
My question is this - how do I go from where I'm at now, to a job in the IT Security field? I originally had planned to go and get a degree in Digital Forensics, but that will take 10+ yrs at the rate of which my employer reimburses., or $90k out of pocket.

Will certs plus my exp be enough to get me a job in Security, namely ethical hacking or digital forensics? If not, how can I make a lateral move to get experience? I don't mind starting as a junior sec analyst or something similar, but I don't want to take a significant paycut. I'm currently at $70k/yr, and while I know I'm worth more, I'm working in Academia, not corporate. I'm willing to work hard, as I learn FAST, and am extremely resourceful.

Ideas?? Any advice is helpful.

Find more posts tagged with

Comments

BillV_

There are a ton of jobs out there right now in this whole "cyber security" arena. More of them opening up every day. The interesting thing that has changed more recently, is the number of entry-level security positions not requiring much in terms of experience as a result. The demand for security professionals has made that happen. It used to be that you had to have X number of years in something else (whether it be system administration, network administration, or development) before being able to move over. The biggest reason being that you needed to have intimate and in-depth knowledge of the stuff you were managing to better secure/defend it, and then that translates into attacking it.

Sounds like you've got more than enough experience. And adding the Security+ is a step in the right direction. If you can get your employer to pay for it, or if you have the funds, take a look at the SANS GCED (Certified Enterprise Defender) course. The CASP would also be a good one, as you've noted. All of these are focused on defense though. Not a bad thing, as you certainly need to learn it but not what you've stated you want to do. The CEH, as I'm sure noted here somewhere in the forums, is a great entry-level introduction to hacking. It's a very broad course and covers a lot of information but only goes so deep. If you don't want to take a full class, grab a study guide and read through it. There are a couple of other books worth reading as well (ironically, that I just mentioned to someone else) - Counter Hack Reloaded and the Ethical Hacking and Penetration Testing Guide.

Just as there are a bunch of different areas within security to specialize (forensics, incident response, operations, offensive), there are areas you can choose to specialize in within security testing (network, wireless, web app, mobile, etc.). Unless you have a preference already, you'll probably want to get familiar with all of it at some level, until/if you decide where to focus. To that end, you'll want to stand up some sort of testing lab if you don't already have one. If you haven't used it yet, get familiar with Linux as well. Spend some time looking at vulnhub and playing with vulnerable systems (metasploit, mutillidae, web goat). Offensive Security offers a free course on metasploit called Metasploit Unleashed. On that note, the Offensive Security courses are also very good - while a bit narrow in scope, they are very technical and very demanding. The OSCP has a lot of respect within the community but isn't quite as well known to the HR folks.

I think you will have much more difficult time walking into a forensics position. But if you want to go that route, check out EnCase or the Certified Computer Examiner certifications. Many states have started requiring private investigator licenses to do forensic work as well.

Hope that helps somewhat, and good luck.

supasecuritybro

This is a great question. You are not wrong in wondering if getting a cert or degree will be enough to be a break out into the Security field. I would love to tell you that support would stop once you make it in, but entry level work will come with some support work. Also you might look at having to take a slight pay-cut if you are going into a junior work.

Here is my two cents and people can argue all they want but here it goes:

- You don't have to specialize right away but know its coming. You can do forensics, penetration testing, packet analysis, etc... so know that going in but its not important right now.
- You can see tons of jobs asking experience on many vendors, but working with technology (regardless of vendor) IDS, IPS, etc will be helpful.
- Going on my previous points, if you go get a cert, make sure you do a lot of hands on. That will be the difference between getting a paper cert to check a box or earning your cert qualifications.
- Personal opinion on your background, I believe someone with 10+ years of real admin work can move into security but need a little time to become proficient where you are very desirable as a candidate for many jobs.

Certs that the industry is asking right now: CISSP, CEH and any SANS course (ones I recommend for you GCIH)

Hope that helps. Friend me and let me know about your journey!

TK1799_st

My suggestion is to stick with CompTIA. If you want to get into another realm of Information Security, attend something else not EC Council. They have implemented a new exam path that is too fluid and broad without any expectation of success.

If you can get an employer to send and pay for SANS - that path pays dividends. However, CompTIA is solid and worldwide recognized.

That's just what I've seen on my level - and my level is national security. So take it for what it is worth....

You will do good - hang in there - and build your professional career!

wayne_wonder

In America the Security + seems to be very popular whereas in the UK it's not even on any job hits at ALL! i'd wait and see what happens with the CEH but cant see anything happening really and no doubt some 3rd party book will pop up soon enough

636-555-3226

You don't need a $90k+ degree in digital forensics to land a job. How do you even get a degree in digital forensics? Not sure I've ever seen that offered anywhere? SANS classes are good if your employer will pay for them, otherwise you could go something like the EnCase route. Self-taught is fine too, there's lots of resources. If I had to point you in a starting direction, I'd say convince your employer why they need to send you to the SANS classes.

IronmanX

Echoe3 wrote: »

Will certs plus my exp be enough to get me a job in Security, namely ethical hacking or digital forensics? If not, how can I make a lateral move to get experience? I don't mind starting as a junior sec analyst or something similar, but I don't want to take a significant paycut. I'm currently at $70k/yr, and while I know I'm worth more, I'm working in Academia, not corporate. I'm willing to work hard, as I learn FAST, and am extremely resourceful.

Ideas?? Any advice is helpful.

I would say no certificates are necessary but it is going to be tough to get selected for an interview without them.

I've worked with senior level people with no formal training.
I had a Software Engineer Team Lead/Mentor with a degree in Anthropology. He is probably the smartest software engineer I
have ever worked with.

Paul's Security Weekly Recently interviews Dafydd Stuttard (Creator of Burp Suite). He has a PHD in Philosophy. He said on the show he got out of school decided to do some Information Tech Consulting. He found that the Information Tech Consulting became boring for him, but he liked what he saw the Security Consultants doing. He asked a security consultant if he could work with him on future jobs. He created tons of tools to help him with his work as a Security consultant. Burp Suite was one of the tools he created and now if you take the CEH Exam you will/could be asked about it.

If you want to work in the Department of Defense directly or indirectly you must have certain certs.

CND = Computer Network Defense
CND-SP = Computer Network Defense Service Provider
IASAE = Information Assurance System Architect and Engineer
IAM = Information Assurance Management
IAT = Information Assurance Technical

Those are must have for DOD work. But other then that you just need to worry about getting by HR screening and getting interviewed by non technical people.

IronmanX

636-555-3226 wrote: »

You don't need a $90k+ degree in digital forensics

Yeah seems pretty pricey.

You could download SANS Investigative Forensic Toolkit (SIFT) for free. http://digital-forensics.sans.org/community/downloads

There are others like CAINE (Computer Aided Investigative Environment) but if you plan on taking a course you could always take a SANS course and they will be using SIFT for the forensic course.

Buy a WriteBlocker and some old devices and play with it.

TK1799_st

The DoD 8750 Certification is expired and will be replaced by the DoD 8140.01 - it is broader and is currently being defined within DoD. With, such certification such as OSCP will replace and may even override CEH. The only reason I went for that one was because of the 8750 Directive, but now is irrelevant.

Seek the certifications that maintain strict adherence to versions and defined parameters - at this point ECC has changed that starting 14 OCT 2015.

IronmanX

TK1799_st wrote: »

The DoD 8750 Certification is expired and will be replaced by the DoD 8140.01 - it is broader and is currently being defined within DoD. With, such certification such as OSCP will replace and may even override CEH. The only reason I went for that one was because of the 8750 Directive, but now is irrelevant.

Seek the certifications that maintain strict adherence to versions and defined parameters - at this point ECC has changed that starting 14 OCT 2015.

DOD 8750 has not expired and "such certification such as OSCP will replace and may even override CEH" is pure speculation and does not even make sense.

[h=2]What is DoD Directive 8140.01?[/h]DoD Directive 8140.01 reissues and renumbers DoD Directive 8570.01 which provides the basis for an enterprise-wide solution to train, certify, and manage the DoD Cyberspace (CS)/Information Assurance (IA) workforce. The policy requires Cyberspace (formerly known as Information Assurance) technicians and managers to be trained and certified to a DoD baseline requirement. The Directive’s accompanying Manual identifies the specific certifications mandated by the Directive’s enterprise-wide certification program.
Much of the Directive addresses workforce management issues. Components must identify and document in personnel and manpower databases, Cyberspace/IA personnel and positions and make certain that Cyberspace/IA personnel meet training and certification requirements related to their job functions.
The ultimate vision of the Directive is a sustained, professional Cyberspace/IA workforce with the knowledge and skills to effectively prevent and respond to attacks against DoD information, information systems, and information infrastructures. This effort will enable DoD to put the right people with the right skills in the right place.
[Top]
[h=2]What is the status of the Manual (DoD 8570.01-M)?[/h]The Manual has been approved by the Assistant Secretary of Defense for Networks and Information Integration (ASD NII)/DoD Chief Information Officer (CIO) and is now mandatory for all DoD organizations to comply with its requirements. A copy of the Manual is available on the DoD Publications website located at http://www.dtic.mil/whs/directives/corres/pdf/857001m.pdf.

BillV_

IronmanX wrote: »

DOD 8750 has not expired and "such certification such as OSCP will replace and may even override CEH" is pure speculation and does not even make sense.

As I understand things, the government/DoD is the one pushing for ANSI accreditation. Those are the certifications that are getting approved and why you see all of the "big" certification organizations trying to get their stuff ANSI accredited (because, obviously, the government has some deep pockets). Also, ANSI doesn't know how to handle practical examinations like the one the OSCP uses. Until they do, and until the OffSec guys want to jump through all of those hoops, it won't be getting the accreditation and is not likely to end up on any approved government list.

IronmanX

BillV_ wrote: »

As I understand things, the government/DoD is the one pushing for ANSI accreditation. Those are the certifications that are getting approved and why you see all of the "big" certification organizations trying to get their stuff ANSI accredited (because, obviously, the government has some deep pockets). Also, ANSI doesn't know how to handle practical examinations like the one the OSCP uses. Until they do, and until the OffSec guys want to jump through all of those hoops, it won't be getting the accreditation and is not likely to end up on any approved government list.

Also I don't see OSCP being approved when the test (practical test) is done remotely. I could just get a buddy to do it for me.
Not to say OSCP is't worth it.

Is having a test done at a testing centre part of ANSI?

Maybe some useful information for the original poster is that most certs now of days have to be written at a testing centre. For me it was a bit of a pain because the closest testing centre was 2 hours away. I believe not that long ago many cert tests could be done remotely.

Pentest Labs | Security Warrior I don't know how much those courses are but something like this if cheap might be worth while to get a handle on pen testing.

Off Sec has a metasploitable VM and its free but I don't believe there is training material that comes with it
https://www.offensive-security.com/metasploit-unleashed/requirements/

Off Sec has the OSCP course which is around $1000 https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/

BillV_

IronmanX wrote: »

Also I don't see OSCP being approved when the test (practical test) is done remotely. I could just get a buddy to do it for me.

Ah, yeah. Very valid point.

As for ANSI requiring testing at a testing center... No, I don't think it has to be done at a test center necessarily. However, you do have to prove your identity. As an example, a test I took required me to be in a room by myself, have a camera (like a webcam or built-in on a laptop), and provide my ID to the proctor. Thus, it could be done over the Internet but I had to show that it was me, that I was alone, and the proctor was able to watch my camera as well as see my screen during the exam. I can't remember the name of the organization that does this (UCertify or something like that maybe?) but I believe that EC-Council was considering this type of approach at one point, if they didn't already go down that path. In fact, this may have been something that came from ANSI as a recommendation for people that were too far (physically) from an authorized testing center - which is exactly to your point