Security Path and Career

Techknowledge

Member
Jul 15, 2013
I am interested in pursuing a career in security in general. The question I have is, what are the disciplines available today, e.g. networking, internet, system, etc., and how do you recommend I go about taking lessons and learning for the same? Is there a good website tutorial on the same?
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
Security is tricky for a few reasons, primarily because it's not really recognized as a discipline in education. There are few widely recognized security certificates/degrees, and the few that do exist tend to be additional modules for existing disciplines. For example, you might take a security module in Cisco networking to complement the more general concepts.

My experience has been that you need a good understanding of the technology before you can learn to break it, so you need to decide what you want to specialize in and then learn how those systems work, and then afterwards learn how to break them.

I've been a systems administrator for about 9 years now. I gained a very broad knowledge of most IT systems in use inside modern small businesses and only recently got into security. What got me interested were the DEF CON videos on YouTube. DEF CON is an annual event in Vegas which has hackers from around the world come and release their new tools and hacks. There are literally hundreds of videos covering all aspects of security, with references to their tools and how to use them. I simply went on a DEF CON video spree and used additional tools and materials from the web to fill in the blanks.

I've taken a broad-brush approach because I'm interested in penetration testing, where you attack via as many vectors as possible, so I watched every DEFCON video from the past 3-4 years. It's a LOT of learning, but if you're interested you'll find it endlessly fascinating; the hacking culture and mentality is an extraordinary thing which sucked me right in.

As for getting a formal education around that knowledge, I have no idea... I don't think such a thing really exists yet. I'm not sure that it even really matters, because holes in technology are found and fixed so fast that learning a 3 year degree would be a waste of time; you'd come out knowing grossly outdated information. Hackers tend to scorn credentials though, it's about proving what you're capable of and letting your work speak for itself.

Now take a shot, and go watch some DEFCON videos. If you have any specific fields you're interested in, let me know and I'll point out what I think are the best videos.
 

unokitty

Diamond Member
Jan 5, 2012
I am interested in pursuing a career in security in general. The question I have is, what are the disciplines available today, e.g. networking, internet, system, etc., and how do you recommend I go about taking lessons and learning for the same? Is there a good website tutorial on the same?

My experience has been that security is not an entry level job.

Traditional paths that lead to security careers include programming, systems administration, and IT audit.

For academic background, you may want to look at the NSA's Centers of Excellence.

Best of luck,
Uno
 

Techknowledge

Member
Jul 15, 2013
Thanks PrincessFrosty. I greatly appreciate your advice. What's the link to the DEFCON videos? I would love to get on the bandwagon right away :D
 

SecurityTheatre

Senior member
Aug 14, 2011
My experience has been that security is not an entry level job.

Traditional paths that lead to security careers include programming, systems administration, and IT audit.

For academic background, you may want to look at the NSA's Centers of Excellence.

Best of luck,
Uno

This.

Your post is right on. It's really worth pointing out that most security work requires a broad knowledge of everything. Most GOOD security people jumped around in IT for years before getting into security. The reason is that you need to be competent at many areas of computer knowledge, beyond just a layman or user, in order to do a good job.

You need to be a pretty capable network administrator, you need to be a competent system administrator. You should be a moderately skilled programmer, or at least have a very firm understanding of it. You need to understand the basics of the hardware. You need some understanding of cryptography. You need some basic understanding of telephony. You also need a strong background in management and business process.

Here's a few questions you might need to answer during the course of a day as a security administrator (off the top of my head, these are questions I've had to answer this month, as a security expert):

What protocol layer does IPSEC operate at on the network? Describe it. Where is IPSEC normally used?
How does OSPF negotiate trust between routers?
What is DH Level 2 and how does it differ from Level 5 or Level 14? How is it used in IKE negotiations? Configure an IKE gateway for VPN connectivity.
How does 802.3q VLAN tagging (via trunking) affect the security of an ethernet wall jack? How would this differ if you were providing VOIP services? Configure a trunk port on a switch to demonstrate this.
Should we encrypt our SIP traffic? If so, why? What is the risk?
What is contained in a normal business continuity plan? Write one. Have it done by the end of the week. (bleahhhhh!!!)
What is the difference between Windows XP and Windows 7 in terms of malware and exploit resistance? (Your answer better mention something about ASLR/DEP, as well as UAC)
What happens to Windows devices that are not activated with MS, in regards to patching?
When deploying GPOs to Windows endpoints, what happens to laptops that aren't connected?
How do you protect against wireless MiTM attacks?
What is EAP-TLS and how does it differ from PEAP?
In Palo Alto firewalls, in what order are rules processed? When does rule processing stop?
In Cisco firewalls, how does rule processing differ?
Is a Cisco 2940 capable of performing firewall-like activities through ACLs? Describe the deficiencies that you might find in this configuration.
What .ini file options affect the security of PHP? How does PHP version 4 differ from Version 5?
What is SQL injection? Write a POST query to demonstrate SQL injection (assume your DBMS is Oracle).
What is cross-site scripting? Write a GET query to demonstrate reflected XSS in a nested JavaScript function (this is often tricky, fiddly JavaScript)
Write a business impact analysis for the XSS you just demonstrated.
Present this to an executive committee in 10 minutes or less. Use large words.
Off the top of your head, while standing in front of executives, answer the following questions:
Is Ruby on Rails resistant to XSS? How about SQL Injection?
Has it ever been possible to execute SQL Injection against RoR?
Why can't I use Ruby to code iPhone apps? What language do I need to use? What are the security issues with that language?
When coding in Objective C, how much do I need to worry about security issues like SQL injection and buffer overflows?
Does my cat's breath smell like cat food?

All I'm getting at is that it's a wide variety of topics. Sure there are entry level "security" jobs, but you will be resetting people's passwords and staring at management consoles and be required to immediately escalate any flashing lights to someone with some experience. :)

I suggest getting into network and server administration, or coding (preferably both). Keep training with security things and getting certifications, when you can. Eventually, you can make a move into security.

At least that's how I did it....
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
Your post is right on. It's really worth pointing out that most security work requires a broad knowledge of everything. Most GOOD security people jumped around in IT for years before getting into security. The reason is that you need to be competent at many areas of computer knowledge, beyond just a layman or user, in order to do a good job.

You need to be a pretty capable network administrator, you need to be a competent system administrator. You should be a moderately skilled programmer, or at least have a very firm understanding of it. You need to understand the basics of the hardware. You need some understanding of cryptography. You need some basic understanding of telephony. You also need a strong background in management and business process.

I agree entirely with this. To be able to beat security you first need to know about the systems that are being protected, preferably have had to admin those systems yourself for an extended period of time so you're familiar with security best practice, and then lastly you need to learn how to break those systems.

If you simply skip to the end and learn how to run a bunch of tools that exploit bugs then you'll be nothing more than a script kiddie and the lack of any deeper understanding of what's happening will hurt you, a lot.

Thanks PrincessFrosty. I greatly appreciate your advice. What's the link to the DEFCON videos? I would love to get on the bandwagon right away :D

Just go to youtube.com and search for DEFCON and you'll get a huge list. The talks are a mixed bag about all sorts of aspects of security; I can suggest specific talks if you have a specific security topic you're interested in. If you have no preference then just start randomly watching them and learn, learn, learn.

If you don't already have a good background in IT then a lot of this will go over your head.
 

lif_andi

Member
Apr 15, 2013

Am currently reading study material for CompTIA's Security+ and I think it answers most of your questions there. It's kinda basic in that it covers a lot with kinda little, so I'm thinking it's a good foundation to understand terms and how things work, but actually countering threats is something I think I'll learn as I advance to other more detailed material. But for someone that is wanting to get into security I think it's an excellent place to start.
 

JBT

Lifer
Nov 28, 2001
Most Security certifications take the 30,000 ft view of what Security encompasses, such as Security+ or to a greater degree CISSP. If you want specifics, check out GIAC certifications. They are VERY pricey but they get pretty specific on the topics. I wouldn't recommend starting on them though.

Security+ is a great entry cert for Security.
 

SecurityTheatre

Senior member
Aug 14, 2011
Most Security certifications take the 30,000 ft view of what Security encompasses, such as Security+ or to a greater degree CISSP. If you want specifics, check out GIAC certifications. They are VERY pricey but they get pretty specific on the topics. I wouldn't recommend starting on them though.

Security+ is a great entry cert for Security.

Agreed in that the GIAC is a decent one and Security+ is very entry level. It should be noted that the GIAC is a difficult-to-pass certification for the entry level person.

That said, I've never seen a really "legit" certification for security, outside of the 30,000 ft "buzzword" view. There are some very interesting narrowly tailored ones, whether it's a CEH (which is mostly just a tools quiz) or one of the vendor certifications like the CNSE. I find that someone who has a background with a number of them is generally more knowledgeable than someone without any, but I don't put as much stock in certs within security as you might in other fields. Most of the best security guys I know were good before they got certs and only did them for some vendor/customer/employer requirement.
 

unokitty

Diamond Member
Jan 5, 2012
Am currently reading study material for CompTIA's Security+ and I think it answers most of your questions there. It's kinda basic in that it covers a lot with kinda little, so I'm thinking it's a good foundation to understand terms and how things work, but actually countering threats is something I think I'll learn as I advance to other more detailed material. But for someone that is wanting to get into security I think it's an excellent place to start.



Everyone has their own perspective on security certification

The above image represents one perspective from the DOD. I'll trust that you can Google DOD 8570 to find more info.

Short answer
If your employer is paying, it's a no-brainer, get as many of the certifications on the above list as your time permits.

If you are paying, then an entry level cert, Sec +, CEH, whatever may have value to a future employer. (Actual value will vary from employer to employer.) For what many people have invested in their education, costs for these entry level certs are not that significant. (In contrast, SANS certs take a financial commitment. My experience is that most people I know have their employers pay for those...)

There are many other nuances but if you are just starting out, you could do a lot worse than earning Sec+.

Best of luck,
Uno
 

Savatar

Senior member
Apr 21, 2009
"Present this to an executive committee in 10 minutes or less. Use large words."

Nooooooo, absolutely DO NOT do this. If you're talking to executives, you almost always need to use SMALL words, not large words! They're not dummies, but they're not going to want big words. Just get the point across and get it across as simply and concisely as possible. Most executives I know will just ask you to talk to them like you would a child, because while they want to understand, they don't want some guy with a PhD to lecture them... and they definitely don't want you to waste their valuable time talking half an hour about something that you can say in 2 minutes.
 

Savatar

Senior member
Apr 21, 2009

Everyone has their own perspective on security certification

The above image represents one perspective from the DOD. I'll trust that you can Google DOD 8570 to find more info.

Short answer
If your employer is paying, it's a no-brainer, get as many of the certifications on the above list as your time permits.

If you are paying, then an entry level cert, Sec +, CEH, whatever may have value to a future employer. (Actual value will vary from employer to employer.) For what many people have invested in their education, costs for these entry level certs are not that significant. (In contrast, SANS certs take a financial commitment. My experience is that most people I know have their employers pay for those...)

There are many other nuances but if you are just starting out, you could do a lot worse than earning Sec+.

Best of luck,
Uno

What stinks about certifications is that most of them will 'expire' in just a few years... and then you have to pay the $$$ all over again to be formally 'certified'. It may help to go through something once to learn it, but even just preparing for the exam and taking a test prep is usually enough for that. They can get expensive. It's a business, just like colleges, and I mostly see it as a scam unfortunately. As soon as something becomes a business it usually boils down to people just paying for a degree or certification, or studying for 'the official test' and not really learning the material. I've seen a shocking number of programmers out of college who were really bad, for example, asking basic questions like how to do a for loop... with little motivation or interest in learning anything on their own.

The certifications are only really valuable if you know you are going to be applying for a job that requires them before they expire, or if your company 'requires' you to maintain your certifications... that's my opinion.