Consulting can vary to your road warrior types that do a few months out or a couple weeks out doing projects.  Or you can work for a consulting company that handles the IT needs of a number of clients and you may only be spending a day at different clients around the state/city.  I worked for 2 such companies and spent my days driving around my state and playing IT Manager at a number of SMBs (Small/Medium Businesses) ranging from Law firms to larger manufacturing companies.  One can put in about 5 years in such a job before getting too fried.  You can do everything from Desktop deployments to Server migrations and Firewall installs.  I did plenty of firewall installs as well as Web/Spam filtering solutions.  So you do get a good amount of exposure and then you can determine the path you may want to follow.  Some companies may even give you an opportunity for professional development. 

Again, the more background experience you have the better security pro you will be.  Me personally, I think half of my career was spent fixing stuff and the rest of my career will be spent preventing it from breaking

Why not both?  I have found with Windows, that you can only do so much before it becomes a repetitive task.  I imagine Linux will be a similar task at some point.  I've never had the pleasure to administer a linux environment, but like most admin jobs, it will become the same old thing.  No matter your platform, networking is the base for all things LAN/WAN.  So it is always helpful to have a good understanding of where your data is heading and how it gets there.  Granted in a larger environment, most network engineers will seldom work on the server level and vice versa.  I think an IT Generalist can certainly move deeper in the Security realm a bit easier than someone who has chosen a set specialization and has not diverted from it much.

Here are my thoughts, as someone in Information Assurance you will be focusing on protecting the data within your network.  The best way to do that will be to know a bit about all aspects of the network.  This really only comes with experience.  I personally have worked roughly 10+ years doing everthing from managing a large public school network, learning alot as I went but ultiamately worked with everything from configuring switches, firewalls, server builds, desktop deployment, AV deployment/management and enterprise applications like Exchange, including migrations.  So I worked the trenches. 

Later I took a postion as a consultant for about 5 years.  Same sort of tasks involved but I then moved into working more with Macs, getting a bit more involved with cross-training on platforms and eventually took an interest in concentrating on security.  I began doing more detailed vulnerability assessments which are fun to do.  Run your automated scans, check to see if they are false positives and determine remediation steps if they are not.  Sadly I had to leave the job due to some conflicts with management but it was time to leave anyway. 

Since then I took a few jobs and I am now in my 2nd position as a Security consultant.  So gain as much knowledge as you can.  The more you know about the networks you need to protect, the better! 

I will +1 the scripting route as well, but also +1 the "depends on what you want to do."  But yes, scripting will give you some basic programming knowledge or principles and such and yes if you look programming code and scripting code side-by-side, it will look pretty similar in its design and such. 

I am actually learning Python now using http://learnpythonthehardway.org/ - the html book is free but if you like the hardcopy you can purhcase that or the PDF.  Just be careful with Python, I would recommend sticking to 2.6-2.7 since there are annoying changes in 3.0 which make learning something new sort of a PITA when the reading material is not up to snuff.  Also you can check out Dive Into Python but the online version seems to have been removed. 

I am by far no expert with the tool but I am aware of the many uses aside from basic network mapping and port scanning.  If you are ever curious as to what more it can do, take a look through the scripts directory on your install.  There are a ton of useful things in there.  On in particular that caught my eye was a script designed to listen for Dropbox.com broadcasts.  Even though you may block the site in your web filters, the client itself goes over a different port that may be allowed out of the network.  Want to find those troublesome folks, well fire up the listener script with your LAN range and this will pick up on the traffic and even enumerate the system broadcasting it.  

There are a number of other useful ones as well.  Just something I thought I would pass on for those wondering just how useful NMAP can be and are new to the business.  Hope it helps.

Oh and before you go wild with running these scripts against targets, check the code first it will tell you if it is a safe one or intrusive.  So if you feel the need to experiment on a production network with security tools in place, you may anger them.  And No I did not learn that the hardway though I was curious ;-)

And now the music is playing in my head as I see drones flying back and forth launching missles at pig targets.

Glad I gave a good laugh this morning, thank you and good night!  don't forget to tip your waitress!

I think the focus on big companies will shift.  Be prepared to maybe not make quite as much but I think the SMB market will start to flourish and hopefully they will take security more serious than the big guys.  Their networks aren't as complex so it will cost them less to straighten things up accordingly.  Regular audits will probably be mandatory so bone up on your PCI/HIPAA knowledge.  In reality, the compliance industries really need to come up with one solid standard since they all require almost the same exact controls.  The changes are needed though to actually force proper configurations to be in place. 

Be prepared to know how to implement better network segmentation controls, App Whitelisting, Web Filtering controls.  Whitelisting will be the key to most of our current problems.  Organizations must learn to adequately document the network and know EVERYTHING that is running on it.  So be prepared to watch for that proper network documentation is present.  Get familiar with Cloud and Web App security as well.  Many companies that are trying to cut down on hardware costs may move completely into hosted services models.  Applications will then be migrated to either a Citrix style environment or delivered straight from a hosted Web application.

The trend for this has begun, as more controls are implemented, I think more will migrate to the managed/hosted services models.

Pauldotcom, Network Security Podcast, ISDPodcast and if you want something educational but not necessarily technical, I recommend the HowStuffWorks podcasts.

Keep Backtrack around as a VM, it can be a useful tool to fire up when you want to test something and don't feel like compiling the tool yourself in your standard linux build.  I keep a regular linux VM and a Backtrack one and I have loaded my most common tools on the regular ubuntu install to have them when I want. 

my python learning is paying off and my programming knowledge is leaking back into my brain, I actually had a feeling that was what was being done right in your code dump section  

But yeah, that is sneaky.  Very simple, but obviously effective. 

They were trying to upload the code for Angry Birds into their drones to play a live action angry birds.   

Or they saw the cool Wireless Network Scanning drone and figured why can't they have one too and found the "Free DIY Kit" online.

But seriously, I am finding that many folk are under the impression that just because they encrypt their USB drive, they are safe from all harm.  So if this did transfer, I bet it was on an encrypted drive that had actually never been properly cleaned when it got infected with malware at some point.

If your IP range that you are checking is public, then some search tools should give you some insight.  DNSStuff and MXToolbox might help out a bit.  Definitely Whois as well.  Aside from that, well you can always plug them into a browser and see if 80/443 are open.  If you are testing them for possible malicious activity, you may want to toss them in a sandboxed browser or visit using TOR to keep yourself a bit more anonymous.

Aside from that, you can run NMAP with no ping and scan for common TCP/UDP ports.  Sometimes just testing against the common ports, depending on where the IPs are located, can give you some decent info before firing up NMAP.

I too am primarily a Windows guy, at least from my beginnings.  Now I use a Windows system as my main home desktop, a Mac as my laptop and many VMs on both running linux.  I have yet to jump to the level of using my main desktop as linux only because I have so much crap on it that migrating will take some time which I don't have.  Then again I run VMware Workstation/Fusion, so I can always run Linux on the desktop in Fullscreen dual monitor mode and set it up accordingly. 

But I figured I will get some python knowledge, get an understanding of Assembly and also sharpen the Linux skills.  And in my spare time, learn how to analyze malware. 

Windows itself doesn't hold much interest for me, installing it is brain dead easy as well as installing apps.  Securing it has become push button friendly for the basics.  There is a bit more challenge in the server end, but again lots of point/click.  The advanced stuff is a bit more fun, but I rarely come across a client who will be utilizing some of the more advanced security features (GPOs for TPM enabled systems, full certificate based authentication and such). 

Its all a puzzle and that is what makes it fun.

I don't think any industry is immuned to the changes in the economy.  Right now InfoSec is big due to many factors related to the high profile breaches that have occured.  Not to mention the the increase in the hactivism movement, both the passive and extremists sides (Lulzsec).  So we can unfortunately, thank them for their work since it has now given us a plenty of work.  The big companies are shelling out dollars in hopes to make these problems go away but in reality, it will require them to change their mindset on the problem. 

The breaches that occur now that have given way to the newly hated acronym of APT are a new breed of attack.  The guys or gals on the other side of the wire are in this for one thing, money!  They most likely have nothing against the company but either a criminal organization, terrorist group or nation state has provided them with resources to get certain data and do it without detection.  They are highly intelligent and are being paid to bypass security.  They write their own code, use phishing attacks and utilize much patience.  They may wait for 6-12 months before actually taking anything.  They will drop backdoors that will go undetected because the company is still using definition based detection methods.  How do you detect what you don't know? 

The box with the blinky lights will not protect us any longer.  So upper management needs to change their mentality when fighting these threats.  Before they buy more software or hardware to throw at this threat, they need to shore up their current infrastructure.  Segment the big LANs, utilize ACLs on the switches, put your servers on a vLAN that only allows the essential services through to get work done.  Take your most critical data and place it in a tightly secured environment accessible through Citrix but no other way. 

Oh I am digressing a bit, what I am trying to say, eventually the big companies will do one of two things...  They will listen to us and do as we say and implement these new counter measures.  They will clean up the environment to eliminate any foreign presence and they will go on in business.  Or, they will say the cost is too high to proceed, they will not listen to us and go on deleted the malware and blocking websites and eventually that REALLY critical data will go out the door and into someone elses hands.  It will be used maybe by a competitor to help them obtain contracts, or maybe by a terrorist group to use against our own military.  Either way, that will cost the company greatly and possibly force them to close.

So when all these big companies close, there may be a surplus of InfoSec types looking for work.  The small/medium businesses and non-profits will become our bread and butter I think.

I so wanna take this course but trying to strengthen my skills in the coding area.  The description and hell even the exam make me want to take it.  You have 24 hours... GO! :-D  This damn profession has too many fun things to try and be good at!!