EH-Net

Hello everyone!

I will start with a quick run down of how i got here.  I am 2 classes away from finishing an associates in managment.  About 18 months ago I was bitten by the tech bug (building little static sites for small businesses) and it has only gotten stronger.  Now i am thinking about switching from my management degree to an IT degree once i get my A.S. this semester (my current school has a CNSS endorsed B.S. in info tech and security). 

I started researching this IT field about a week ago after talking with a few people who are knowledgeable about this topic (for those who want to know, i found this site by googling "CNSS"...1st page results).  So far i have had a hard time finding solid info from a "hands on" source.

  I really just want to know what i should expect to get out of this type of work?  What knowledge do you use the most (hardware, programming, neither)?  Is a specific degree that focuses on info security the way to go or should i get a more general degree (computer sciences?)

And lastly, is there any way i could jump in before switching majors and try some of this kind of work at home?  I have been playing with HTML, CSS, JS, and a little php for the past 18 months...will any of that carry over to this?

Thanks, and hello again :)

Hey Cheap5.0,

Welcome on board EH-Net.
Most of the questions projected by you are already discussed in detail under various forums here. Go through it and you will get what you looking for. However, let me try to answer few:

• What i should expect to get out of this type of work? - 100% Job Satisfaction – that would be my first answer if you are really passionate about security.
• What knowledge do you use the most (hardware, programming, neither)? - Common Sense and a combination of hardware, programming, networking and system concepts
• Is a specific degree that focuses on info security the way to go or should i get a more general degree (computer sciences?) - Yes there are many Universities and educational institutions that provide various courses that specialize on information security and information assurance.
• Is there any way i could jump in before switching majors and try some of this kind of work at home? - Yes, you can setup a hack lab at your home and do all your R&D. There are various threads on EH-Net that discusses on how to setup or the ideal configuration for a home lab. You can start off with Virtualization also.

Hope I covered most of your questions and expect more contributions from your side also. All the best and Happy Hacking (Ethical)  :)

Thanks for the help!  I noticed after posting that this is probably the most popular topic on the forums  :-[ Oooops....

I have been reading and searching and reading some more, and from what it looks like, security is:

-One of the more difficult IT professions to get into(?)
-a career requires more exp than education(?)
-a state of mind, not a job :) 

The first two are general questions that i assume are true, correct?

You answered my education question, but i want to make sure i understand completely.  You would recommend a specific degree specializing in security rather than a more general network degree if someone wanted to work in security?

Thanks!

Hi Cheap5.0! Welcome to the community.

Is security harder to get into compared to other areas of IT? Perhaps. Mostly because to be good at security, you have to have a good understanding of a lot of other areas. For example, if you're going to be protecting web applications but don't know anything about the code that is running those applications, you'll soon find yourself in trouble ;)

Does an InfoSec career require more experience than education? In my opinion, I would say yes. I myself don't have anything more than a high school diploma and a few college credits, but I'm also still early in my career.  I know there are several others floating around here that are in the same boat. This doesn't mean that an HR person or a recruiter isn't going to think highly of someone with a lot of education, but when you really get down to it, hands-on experience with the technology or being able to manage those technical folks is really what's going to help out. If you're considering a degree, and you're 100% sure that you want to stick with security, then I would agree that you should find one that specializes in security. There are multiple schools out there that are recognized by the NSA for their information assurance programs. Check into one of those. Steer clear from 'computer science,' though.. that's typically "programming" in disguise. You would want a computer information systems program or something that puts more emphasis on networking (unless of course you want to program).

HTH (and again, welcome :)

BillV

Thanks BillV, I just got done with my college adviser yesterday.  I am finishing my current degree in November, and will start on the info sec degree in January of '09.  I am going to go for the A+ cert before the new year just to get a little bit of a start and try to get in somewhere (anywhere!) to start working in the IT field asap. 

When you say i should know how ________ programming language works, do you mean i should be able to code using it or just be able to look at it and understand why it does what it does?

I am comfortable with PHP right now, but if i had to sit down and make a program that would interact with a dbase forget it...lol.  However, i can look at php files and see what they do and why without viewing them in a browser.

Nope, you certainly don't need to be an "enterprise developer" in any language. More so like you have stated... that you can look at the code and understand it well enough to determine what's going on and where the security holes are.

So, for the PHP example, when you see something like...


You would know that we quite obviously have a problem. I also don't mean that you need to know 'every' language either.

Also, going along with your 'studying for A+' idea and wanting to get into something... you may also want to have a look at the Microsoft MCDST (Desktop Support Technician). You can study for the exam for FREE directly though Microsoft with their E-Learning site...

https://www.microsoftelearning.com/eLearning/offerDetail.aspx?offerPriceId=54989

Good luck :)

BillV

Thanks for the suggestion Bill!  Did M$ just start doing the trainging courses online?  I thought i saw that pop up recently on del.ico.us....?

That makes me feel better about the language's.  If i was going to take a wild guess as to whats wrong with the php you posted, i would guess its something to do with how the sql is delivered to the db or modified by the inputs?  I really dont know, i need to get more comfortable with it i guess.

If you're looking at getting some industry certs to start of with I would suggest going for one of the MS ones first rather than a CompTIA cert. In my experience they're cheaper, more interesting (less basic) and are worth more as far as employers are concerned. By all means go for one later on, maybe the Security+, Network+ or Linux+. A+ is very basic hardware/software maintenance, the sort of skills you tend to pick up after a couple of PC builds, whereas the MS certs demonstrate a high level of proficiency with (unfortunate but true) the dominant industry OSs.

As someone else suggested, I would definitely look at setting up some sort of lab to play around in also. VMWare is very useful for this if you don't want a load of old PCs lying around.

I just signed up and I am starting this course, thanks for pointing this out! 

No problem. I'm not sure how long they have been offering training courses online. I would guess a while judging by the availability of different courses. I know I came across them sometime last year.


Yup, you'd be correct. Taking a variable (username) that's input from a form and placing it directly into a SQL query with no proper validation is not a good idea ;)


Good luck!! Let us know how it goes :)

BillV

I agree and disagree.

I used to have the same thinking back when I knew what the objectives were for the old A+ version when it was Cord Hardware and Core Operating Systems.

Recently, now that I've taken a closer look at the new A+ objectives (Essentials + IT Tech/Remote Tech/Depot Tech), I've been suggesting that to people looking at getting into IT. And, as I replied above, I also send them in the direction of that MCDST since that's a good place to start and the training is free from MS.

I really think that the A+ has changed a lot compared to what it used to be.

That would be a SQL injection right?

I am about 14% into that course (when you are logged in and "learning", there is a small meter that tells you how far along you are in the current course).  Its very useful, and explains everything quite well in basic computer terms that anyone with some experience would understand.  My only complaint is they introduce concepts abruptly.  Its hard to explain, but they use terms that they have not defined or explained.  If you go back through the lesson though, it all becomes quite clear.  But if you were just to watch/listen only once you would have a hard time getting through it.  Also the scenarios in which they teach you change from demo to demo.  In one you will be "working" on the host computer, then in the very next demostration you are working remotely on a computer in "London" while you are in "Vancouver".  If you miss that little fact the lesson gets very confusing quickly!  lol

One last piece of advice Cheap, and this is the easy part, ask questions. If you don't know something, ask around here. Some one will know the answer. I got in to he security field more by accident than design. I had a friend that knew me back when we served together and served as a mentor. He steered me towards this line of work and I love it. Good luck on your own journey.

Fair enough  :). It's been a few years since I saw the material and it was very basic at that point. Thinking about it that was nearly 10 years ago so no surprise that it's been updated really :P

Yeah, I'd imagine we're probably on the same page. Take a look over at the CompTIA website at the A+ objectives when you get a chance. You'll probably be pretty surprised at the changes. I know I was! Especially when I saw that 'security' is one of the domains. It's a much more well-rounded certification than it used to be :)

That may be the case, but until it loses its stigma with hiring managers, is it really worth anything?  (understanding that any training/education is obviously good for you)

Yeah, I see where you're coming from. I guess we have to hope CompTIA does their part of promoting it properly :-\ Seeing as how the [new] objectives are now 2 years old, I'm not sure how far it'll make it.

Just wanted to say that this is very great advise for anybody wanting in the security field.  I work in the profession and several months back I was contacted by our programming department when their website was a victim of SQL Injection.

First, they didn't realize how it happened and secondly wanted to know how to fix it.  The site was built with ASP and I was asked to look at the code and help them find the security hole.

So, to the OP, if you plan on working in the profession, you kind of have to be a jack of all trades when it comes to security.  If you plan on Freelancing, you can specialize in certain fields of security, but in most cases, an employer expects you know how to fix any security problem once you get CEH, ECSA, LPT or some other security cert by your name.  Just be prepared for that.

Unfortunately I'm seeing this far too often lately with developers.

A site (or several) get hit with an (often automated) SQL injection attack and the 'fix' is to roll the database back to a clean state. Then get confused when the same thing happens less than a week later (lather, rinse, repeat...). People seem intent on fixing the symptom rather than the cause where web-site infecction is involved.

I've also seen cases of otherwise secure coders cut&pasting code from another source without checking it cuts mustard from a security perspective

Nothing wrong with finding a DB vulnerable to this. The problem is that they (DBA, SA, NA) don't know that they don't know how to fix it. So instead of asking the question, it's easier to just roll back to the last backup. Which as RR pointed out, leaves them open for round 2. got to love the admins....

Thanks again for all the help with this guys, but i am having some trouble finding info about setting up a hack box/what kind of things i could do with one. 

I am slowly buying parts to rebuild my computer (getting stuff as 24 hour sales pop up, waiting for price drops, etc...) and i am thinking i will turn my current computer into a hack box.  Can someone link me to anything useful?

Anyone want to lend a hand here?  What should i be looking to accomplish when building a hack box?  Should i just throw some spare parts together, put *nix on it and network into everything else at home?  Then what? 

Sorry if it seems like a 'duh' question, but i really do mean whats next?

Any box can be a hackbox really.
As Linux is not really hungry on resources, it doesnt ask for to much, but I prefer to have a reasonable amount of memory for number crunching.

A good processor and a decent amount of memory will help. All of our boxes here run on Linux. As dale pointed out, Linux runs light freeing more system resources for what you want to do. there are also many tools out there written just for just for Linux. Aircrack -ng for instance can be compiled to run on Windows, but the developer basically said that you are on your own for the required drivers for Windows. Good luck and happy hunting.

Alright guys, i have setup (through my college) a job shadow.  We have not hashed out the details, but it should be within the next month.  They are trying to find someone in the info sec field that is willing to allow me to shadow them for a day or three, but i might end up following around a network admin (admins often wear the security hat in a smaller business right?)  If i end up with someone not specificly in the security field, but is knowledgable about this topic what kind of questions should i be thinking about?  I guess a better way to ask this question would be, what do you wish you asked about before you got your job in the field?

Also, in trying to find someone suitable what should the advisors helping me with this (and me as well) be asking about the person involved?  If a info sec person is not someone i can find what would be the next best thing?

Definitely looki for an admin if there are no security guys around. But don't just focus on the network admins either. Look for a good SA to shadow. Ask them to show you any of the security built into whatever system they are an admin on. Unix type machines have several feature like a shadow file or a host.deny file. Ask them to show you wys to secure the box or if they know of any ways around the security in place. If a Windows SA, talk about the hashes, LM vs NTLM. Any competent SA should be able to help you out there. If you want any more info on what you could look for, do a Google search for DISA STIGS ro just DISA STIG. These are guidelines from the federal government for securing netowrk computers. There are also guides available from NIST.

Oh, just thoughtof this: Do you have a clearance? Without this, you shadow oportunities may be limited. Good luck.