Hello,

First I would like to introduce myself. My name is Stafford, I'm 21 years old and am currently in the Army. Before the Army, I worked at Geek Squad as both an in-home and precinct agent (just call it a computer repairer) for 2 years before the military.

I have been trying to learn as much about computers as I could since I was about 10. I love everything involving computers. I had a ton of issues deciding on exactly what field I wanted to work in until I came across ethical hacking. I have gotten my feet wet with learning Python and the intricasies of Software Security.

I recently decided to change my degree from an Associate's in Software Programming to an Associate's as a Network Systems Administration. I have been trying to get in contact with some professional's in the field that can help me chose the right path to get into the Ethical Hacking field. Once I ETS out of the Army in two years I will be pursuing a career in this field. I have found the perfect field for me.

My question is where would a beginner start? I have been researching a ton and have only really found certifications you need, but have had trouble with a good Bachelor's to obtain for the field. Any help would be greatly appreciated, and if you have questions for me, do not hesitate to ask as I am really trying to get my path cleared for once I ETS so I can support myself and my wife once I leave the Army.

Thanks for all the help in advance.

The network and systems admin path one way to do it. That's the way I did it. Hang on to that security clearance. There are tons of federal gigs on the east coast that want clearance.

This is actually a pretty common question on these boards, "how do I get into security..." Like I just told the last guy, there is a 100 ways to do it, just depends what part of security you're interested in.

Hi Stafford,

I think the best way forward would be hold on to that security clearance and try teach yourself as much as you can. It is very hard to get into security it took me 8 months to get a junior position with a company.

Most companies in the UK look for tester who have done CREST or TIGER.
It would be worth looking at these and seeing what you know and do not know on the syllabus and try learn from them. Also maybe try and do some hacking courses on your own just to build you skills up. OSWP or hackingdojo there are also lots other just look on forums they are the two that spring to mind as I have done OSWP and doing hackingdojo.

Having a good understanding of networking is good  as well web applications.

You should also get involved within the community depending on where you are in the UK there are forms like this one. you have DC4420 once a month in London or places like the BCS they have lots groups this great way to get you name into the industry and I got most my interview from people I meet at these locations. Also if you are not on linked in I would recommended joining up good way to network again have had lots people in the industry help me from that site.

I hope this helps here are a few links too.

http://jamierougive.co.uk/ My site maybe some use
http://dc4420.org/ dc4420
http://ypisg.bcs.org/ Young professional information security group


hope this helps and good luck!

Thank you for all that information, I will definetly utilize it. I plan on being on these boards regularly to get well versed in the field. I am currently in Iraq at the moment, but will have to get up on these conferences to get my face out there and meet some people. Thanks again

I don't plan on just sticking to networking, just trying the best way to get my foot in the door. From there I plan on expanding my horizons to other areas in the field. Thanks for the links and help Rance and Jamie, I will make sure to check into these for sure.

sil - thanks for reposting this, I had been looking for it and I knew it was from you, but couldn't find the address!

Sil, once again thank you for that link. Even though I didn't understand around half of it, I at least know where to get started to try and get a foot up before I get real deep into everything.

I think you need to pick your own poison and go from there. Think of security in terms of a baseball team. Here you are saying: "I want to play which position should I aim for?" What are your strengths and weaknesses. Focus on your weaknesses to bring them up to par with your strengths while in parallel upping your strengths.

In security, there are a lot of avenues to choose from. Forensics, pentesting, application security, cryptography, networking, etc. Each have their unique methodologies, technologies, protocols, pros and cons.

Examples:

++++++++++

Forensics. Where would you want to fit in? Working as an incident responder researching malware, researching e-Discovery, researching the cause of a compromise? What field? Pros: Banking, insurance, defense industries, huge Fortune 100s are always in demand for these types of individuals.

Cons: Job can be linear, stressful, repetitive.

Certifications: (real world relevant) GCFE, GCFA, EnCe, GCIH, ACE, CCE, GREM, WCNA (Wireshark), GCIA

++++++++++

Pentesting: Where would you want to fit in? Define pentesting. Too many companies have turned this field into a tool (Core Impact, Metasploit, Nessus, etc) however there is more to pentesting than running tools. In order to fit into a well rounded position, the document I linked you too will give you excellent foundations needed. You then need to progress into a more linear stage (focus on applications (which web application, business applications (SAP, etc)).

Pros: Can be fun, creative, non-linear (no two pentests are ever the same)

Cons: Industry has created too many retards that rely far too much on tools. Many industries are now mandated to have penetration testing (PCI requirement). With that stated, many companies are relying on point and click drop boxes (QualysGuard) and calling it a "pentesting day."

Certifications: (the ones that count) GPEN, CEPT, OSCP, OSCE, CPT, RWSP

++++++++++

Network security: Where would you want to fit in? Managing firewalls, IPS, IDS, DLP, acronym hell? Performing network analysis' with tools and hardware such as nGenius, Netwitness, Wireshark, etc., this can criss-cross the forensics realm.

Pros: ALL COMPANIES need network security period.

Cons: Can be as linear as in point A to point B

Certifications: (ones that count) WCNA, CC{N,D,S}P, GCIH, GSEC

++++++++++

Take note, all the certifications I listed are TECHNICAL, for those wondering why CISM, CISA, CGEIT, CISSP, etc isn't listed. And NO, the SSCP to me is not a technical cert. When I state "ones that count / relevant" I mean the ones you *truly* want to aim for as you WILL LEARN while getting them. Not to take anything away from say the C|EH, CHFI but it is what it is. I felt the certifications I listed would help you LEARN something as opposed to dumping a billion tools on your lap and telling you "hey this is a security tool, learn this tool's syntax and we will give you a shiny certificate!"

Your best bet regardless of any advice you see from me or anyone else is to determine something that you can enjoy while making money. I would hate to focus on Forensics only to have a job I hated doing e-Discovery 24x7x365. I know people that dread getting into the field. They work to dissect/analyze info, go to court, are stressed out as all hell. The money they make doesn't cover sanity, happiness.

Go over to Dice.com and check the markets for certs also. Search for the certification itself to see its demand and WHO is asking for that particular cert. That is a good baseline as is e.g:

http://www.payscale.com/research/US/Certification=Certified_Ethical_Hacker_%28CEH%29/Salary
http://www.payscale.com/research/US/Certification=SANS%2fGIAC_Security_Essentials_Certification_%28GSEC%29/Salary
http://www.payscale.com/research/US/Certification=SANS%2fGIAC_Certified_Intrusion_Analyst_%28GCIA%29/Salary
http://www.payscale.com/research/US/Certification=SANS%2fGIAC_Certified_Forensic_Analyst_%28GCFA%29/Salary
http://www.indeed.com/salary/q-Forensic-Consultant-Ence-l-New-York,-NY.html
http://www.indeed.com/salary?q1=GREM&l1=New+York%2C+NY

Hope that helps