Computer security as a profession?

Astute members and 10167fanboys may have noticed me asking lots of questions about security and my willingness to go way beyond "unnecessarily paranoid" in securing my computer.

This is mostly for fun.

Does anyone have any ideas on the best way to start with this? I don't really want to be a 1337 ahx0r or whatever the cool kids call it these days, I'd be looking more at a legitimate profession... with a paycheck.

I get the feeling this is one of those fields like biology where the ceiling on knowledge and ability is on par with Mt. Everest; how hard is it to get a decent job(decent being 40k+) in this field?

First things first obviously, I need to learn more about PC security.

This is actually kind of where I want to head with my career also.

In my research, this is one of the fastest growing sectors of the technology field.

Especially if you're willing to work for government organizations... They are recruiting fresh out of college alot of times because they can't fill the needed positions fast enough.

tom10167 said:

I don't really want to be a 1337 ahx0r or whatever the cool kids call it these days, I'd be looking more at a legitimate profession... with a paycheck.

Click to expand...

The funny part is that some of the highest paid security consultants are actually former hackers. With that being said, there are definitely jobs to be had in IT security. My company doesn't have any security specific people but that is because we are a small company

Are you planning on going to school for IT security? I've heard of colleges offering security as a specific interest of study in some programs.

Many of the security certifications are very valuable.....and require upkeep! They cost a lot to take, cost an annual fee and even require you to give lectures and stuff! Security professionals are needed without a doubt, but getting there is no joke.

you need to start by learning how to configure and monitor an IDS... Snort is awesome (lids is good too)... Go google!

*(i would also recommend properly setting up firestarter (to actually watch logs.)

*(you may also want to look up some basics... such as no root login for ssh, and max ssh attempts... *(all configurable in sshd conf)

let me know in a PM if you want more... *(personally i prefer to do my own research... so there's some starting points...

*(also if you have time, and an extra box... install pfsense... and own your own firewall.
any white box with 2+ nics will be fine, and faster then your run of the mill home router.)

Build networks, setup servers and break into them. A test router and BackTrack is an afternoon of fun. It all depends on where you want to start and what type of security you want to get into.

Security is not really the glory job most people think it is; at least not in your junior to mid-level positions. You're going to have to start small and try to work your way into an Information Assurance position. Most IA jobs are 80% clerical and 10-15% technical (the last 5% can vary). People who do network defense and penetration testing are almost always recruited from the IA field, so it's almost essential for you to work your way into IA.

However, since IA is typically 80% clerical, many IA folks can forget how to be technical and it can really hurt them when they try to advance. Therefore you'll also need to figure out ways to maintain your technical skill set. Continue to learn in labs you set up at home and study for various certification (Microsoft and Cisco especially); don't get too caught up with all the processes and procedures you deal with in IA and neglect technical education.

The Certified Ethical Hacker (CEH) is probably the career path you'd want to work towards. This cert is not easy to get, mainly due to the fact that you basically need to have a couple years of professional IA/security experience and applicants typically need to be sponsored by their company to take the required training prior to taking the exam. It'll take time, but stay focused and you'll likely end up where you want to be one day.

Agree with thideras and Templi - there are a lot of different ways you can start. I have a Windows client / server background, and a lot of the things I have seen with studying for the CISSP are related to the foundations taught in the MCSE field of study (principle of least privilidge, access control, separation of duties, etc).

You have to know how the 'bad' people think and the tools they use in order to better defend the systems you get paid to protect. You have to know the exploits available, how they are used, and how to stop them. I keep tabs on things from sites such as http://isc.sans.org and http://www.infosecisland.com just to name a few.

I would start with client side security; check out the MCTS for Windows 7 so you understand how the O/S works. From there, you can expand into the server side (i.e. Windows Server 2008), and learn how that works. Once you start learning how things are supposed to work, you need to learn how to think outside of the perscribed thought process. Where someone may expect a first name on a web form, a hacker will run a SQL injection attack. Where someone leaves open an unnecessary port on a firewall, a hacker sees a chunk of wall removed from your defenses.

You may also want to get into some books regarding system design / analysis, which may aid you in understanding the whole client / server / network end-to-end piece.

*(not to take back anything I stated. as stated a few times above, you really can get into this field in many different ways... they all require lots of reading and self motivation.. unless your pockets are fat).

I gave the way I know. Honestly though its good to dabble in systems, networks and social strategies to better ar your self... the best defense is a good offense. and don't ever believe "it can't be done" ... because EVERYTHING is possible.

sry i had some fleeting moment of inspirational thought..

really nobody can lay out a track, but give advise on whats worked for them... if you're smart, you'll make a list of all of the REAL recommendations above (meaning, the ones with ideas/tools/keywords in them) and make a list... dont discriminate based on OS.. and don't be afraid of nix... when you comfortable with windows, and want a challenge that will truly be YOUR PC when your done, compile gentoo...(i dont know your level of digging into this yet so these are all simply suggestions...feel free to ignore if you know ) you will learn more then you could care to imagine about system basics that can lead you into other doorways...

just keep an open mind. security doesn't work when you think you know everything and sit back and play quake all day... your best off playing it for half the day, and settling with you the knowledge that you are smarter then any one who has ever posted a 'yahoo question'....


pepped up? -> i hope so... the only real way to start is to go start breaking ****. and reading sec blogs.

knope said:

pepped up? -> i hope so... the only real way to start is to go start breaking ****. and reading sec blogs.

Click to expand...

Well it can be good to understand the technology you are breaking before, so that you get a better picture on why you managed to break it. If you are the type to learn things by heart rather then understand them then this might be a bit hard.

I found the security+ certificate to be pretty easy, but it had questions from a pretty wide range of IT technologies, I would imagine it could be hard if you did not have some background / understanding on how a larger infrastructure works as a whole. I found the hardest part was still understanding what they wanted me to answer, as I did not always agree with their assessments.