10

I've had to learn enough to be dangerous (if only to myself), managing the firewalls, switches, etc for small networks over the past ten years. However, I know there's a pretty massive gap between what I've been doing (security as a hobby, really) to actually pursuing mastery of the subject.

Research gives me certifications from Security+ to CISSP and a slew in-between. Are there any certifications out there that you feel would provide a good learning roadmap?

I'll throw out a short list of what seems needful, in case I'm anywhere near the mark.

  • Wireshark virtuosity
  • *nix familiarity
  • Cisco IOS (CCNA would be a 'quick' way to pick this up?)

I realize this is a massive undertaking, but as a comparison from a Win admin perspective, if I could reach back and give my younger self a few pointers, I could have saved myself a TON of time and head-vs-wall encounters by pursuing certain learning shortcuts. It's my hope that some of you security-focused SFers have similar advice.

Jindrich
  • 4,989
Kara Marfia
  • 7,892

7 Answers7

9

What part of security do you wish to work in? Security is a very broad field, even more so if you count all the ways you can work being partially in other fields. Typically there are a few general areas of security

  • Corporate security:

Start learning frameworks, ISO/IEC 27001, governance, auditing, risk/benefit, legal framworks and more similar things. You will end up as CISO and perhaps as CSO in a company towards the end of your career. Until you get there expect to spend a lot of time writing policy documents.

  • IT security

Start learning the general tools of the trade, wireshark, IOS and the similar are a good start. Pick up the more specialized skills such as forensics when you have the chanse. There are several different sets of courses. SANS have a pretty good reputation, for example. Cisco a reasonable one. Sadly it's hard to get far if you take this path. You might move up into middle management after a while, but there the skills are mostly useless. In some companies you might also deal with physical security, which leaves more openings upwards. If you go to the police you will spend a lot of time looking at nasty pictures if you chose this path.

  • Technical security

Start learning advanced math and other technical skills. Choose an area and specialize. And specialize. And specialize. If you are lucky you are in an area where there is high demand, or you find a company where you like working. You will become more or less impossible to replace. If you play your cards right you get to travel around the world and meet lots of very bright people.

From my perspective the first thing to do is to learn to think security. Start reading people like Schneier (Beyond fear) and Ross (Security Engineering). Once you have a grasp of the basic thinking in the security field you can chose your path, if you want to dig down in this field at all. It's not nearly as glamours as some people want to make it. Security is the first budget to cut when things get tight, and expect to get the blame for everything that goes wrong.

pehrs
  • 8,889
  • +1 for different niches in InfoSec. "InfoSec" is a broad field, just like "I.T." Also + for SANS. – Josh Brower Jan 18 '10 at 22:54
  • Exactly the kinds of questions I need to research, thanks! I'll pass on glory, and I'm used to being considered overhead - it's the chunk of my jack-of-all-trades job that I enjoy the most. – Kara Marfia Jan 19 '10 at 13:27
8

I've been an admin for 20 years (15 years professionally), mostly Unix with a dash of Windows as required. From the beginning, I've tended to play the paranoid admin, mostly because it's practical and instructive, not because I believe hackers from the other side of the globe are targeting my servers. ;-) Security really is a de facto sysadmin requirement, one which can be practiced daily.

You don't specify whether you want to wear the official badge of "Security Specialist" and do things such as pen testing, PCI compliance auditing, incident response (forensics, etc.) or you just want to be an admin with some heavy security creds to help widen your career options and defend high profile systems under your charge.

Of the few peers I know in the "official" category, the CISSP cert was the first they tackled and they went on to land decent jobs because of it (of course, they had 10+ years of hand-on experience, like yourself, to back it up). There are tons of materials online, in addition to official training materials and courses, to asses your grasp of the material.

While the concepts can be learned and applied on any platform, I personally recommend Unix, since you get such low-level access to everything, with the added benefit of being able to access that information easily via remote shell: watching live tcpdump sessions, syslog entries, web server logs, snort dumps, dumping live system memory, to a million other open source tools for peeking and poking at the innards of a running system.

Due to Unix being an ideal platform for learning this kind of stuff, it easily follows that a great way to learn is by throwing yourself to the proverbial wolves. Get yourself an entry-level Linux or FreeBSD VPS, a true virtualized VPS (such as Xen) with all the "hardware" and admin access you'll need to simulate the real deal in a live, exposed internet environment.

Set yourself up with a live, working system. Get a live SMTP server running, and watch the spam bots and scan for malware. Set up a web server and watch the script kiddies try SQL injection attacks in your web and DB logs. Watch your ssh logs for brute force attacks. Set up a common blog engine and have fun fighting off spam bots and attacks. Learn how to deploy various virtualization technologies to partition services from each other. Learn first-hand if ACLs, MAC, and system-level auditing are worth the extra work and hassle over standard system permissions.

Subscribe to the security lists of the OS and software platform you choose. When you get an advisory in your inbox, read up on the attack until you understand how it works. Patch the affected systems, of course. Check your logs for any signs that such an attack was attempted and if one succeeded. Find a security blog or list that is to your liking and keep up with it daily or weekly (whichever applies), picking up the jargon and reading up on what you don't understand.

Use tools to attack and audit your own systems, trying to break your own stuff. This gives you perspective from both sides of the attack. Keep up with cutting edge of the "black hat" mindset by reading papers and presentations from well-established conferences like DEFCON. The archives from the past ten years alone is a treasure trove of information, much still valid.

Granted, I have no certifications, nor do I bill for "security specialist" services. I just make it part of my daily routine to keep up with this stuff to make myself a better admin. Whether or nor the certs are desired or required for your goals is better left to someone who has them. However, I believe that a heavy hands-on approach is the best way to learn this stuff, and I hope some of my suggestions provide some food for thought.

Geoff Fritz
  • 1,727
6

Doing the same type thing you are, what I have found to be very beneficial is the SANS Institute. SANS is a vendor-neutral InfoSec trainer & certifier. Take a look at the SANS Certification Roadmap. I started out with the GSEC, took my GCIH, and now am working on my GCIH Gold. The GSEC is a great intermediate starting point.

Hope this helps.

Josh

Josh Brower
  • 1,669
2

I know this isn't providing you with specific courses. Some general thoughts from my experiences, though, are:

  • Know TCP/IP and routing inside-out. IOS is good, obviously, where there is Cisco involved.
  • The Wireshark course would be good. Packet analysis is fundamental to security tracing.
  • Know application level protocols inside-out. HTTP, FTP, SSH, SSL, SMTP
  • The *nix familiarity is definitely a good one

Not much help with specifics there, I know, but hopefully it helps maybe in priorities or direction!

squillman
  • 38,013
1

Depending on what specific place you end up, it may also be important to not only work on your technical side, but what groups, networks, and so on you may be wise to join.

There are all sorts of important places to go perhaps (IETF, NANOG, etc) depending on your area. Don't forget the various response centers such as DNS-OARC for DNS-related security.

One of the biggest problems in security work is that people tend to keep things secret when they find a problem. Sometimes it's better to share and work together across organizational boundaries than it is to work in a vacuum.

Michael Graff
  • 6,698
1

In my experience, you can't be proficient as a defender until you know what the offense is capable of. Some conferences I think are of benefit:

http://www.blackhat.com/
http://www.defcon.org/

oz10
  • 370
  • I enjoy reading about these every year. I'd love to treat myself by attending one of these days, but it'd be hard to leave my laptop behind for that long. ;) – Kara Marfia Jan 19 '10 at 14:16
  • @"Kara Marfia" you could totally take your laptop to Black Hat, no worries. DefCon is another story. ;) You could bring your laptop to DefCon assuming your OS has been hardened, that you have wireless & bluetooth & infared devices disabled and that you never connect it to the DefCon network. Or bring it and leave it in your hotel room, using it only at night ;) – oz10 Jan 20 '10 at 00:03
0

Become really familiar with OWASP: http://www.owasp.org

Also a significant portion of security is process/operational related.

OWASP provides OpenSAMM, but there are frameworks like ISO 27000 (like someone else mentioned), COBIT, SABSA, etc.

Cheers

HTTP500
  • 4,843