Just some thoughts as this question seem to keep popping up.
This is just my humble opinion on some steps forward.
You may have read stories, talked with friends or seen some of the tv/webcasts shows on “hacking” and decided you like to break in to the security industry.
Having solid computer skills, whether they are in programming, desktop, networking or a bit of a generalist is a good starting point for a security role. It has given you experience in the IT industry and an idea of what some of the demands can be. Waking up one morning and saying “Right, I’m starting a new glamorous life as a security expert today!” is a very positive thing, but is unrealistic. I quite fancied being an astronaut for a while and was a bit upset that I’d have to go through years of training, evaluations and compete with the best and brightest to even get a look in ( I know I could pay $20 million to be a space tourist, but that $20 million is taking a bit of time to save…) You need to plan ahead!Work out what you want to do first
There are a huge number of different security roles and jobs ou there, so before rushing in to expensive training courses, look at what you want to do in the security industry and try to pick a couple of jobs you could see yourself doing.
Getting information on your dream job will give you targets and goals on how to get there on how long it may take.
Break down the skills and experience those jobs are looking for, and then start doing some legwork.
By legwork, I mean talk to friends, start Google searches, read interviews, listen to security podcasts turn up to local user groups or start posting questions to security forums. Build up skills and knowledge on the cheap
Having a clear idea of what you want means you can start gathering the skills, experience, tools and contacts to move on. Courses and training are fantastic, but only worthwhile if you can use those skills to further your career. If you spend, say $3000, on training and never use the skills, is that the best use of your money and time? Just because it a hot skill/certificate to have doesn't mean you'll need it to get that job.Get hands on practice
If you can’t get experience at work or school, build a test lab at home. Build isolated test labs – Vmware, Ms Virtual PC/server and Mac’s Parallels are excellent tools to have a safe test lab working environment to practice with. Most software, including operating system can be downloaded as trial version, including Microsoft products.
Many free tutorials are online that show you how to use a tool or how bad guys can attack you system. Being able to see how something work and getting it to actually work is a great experience in itself and give out a number of valuable lessons.
Never be tempted to “test” you newly download metasploit or nmap against someone’s kit. Jail time looks very bad on a CV as does being fired for breaking company policy. Get involved
– look up local events and groups and join them. There are normally a number of local interest groups from sys admins, programmers, Snort users, 2600 and local security interests. Security folk need to have people skills for a number of reasons. Two great reasons are you make contacts, which help you get know to the security market (possibly a job down the line!) and learn something you may never have though of.
Join in on the many web forums. Don’t be a lurker! If you don’t understand or know about a topic, tool or methodology, ask questions and get involved. Use others knowledge to better your own.
Doing all this work before you start sending in you CV or wander in to a job interview will save you a huge amount of wasted time and heart ache. Being prepared and knowledgeable is a core element for any security role.
If know what type of skills, experience and knowledge is required for the job your applying for before submitting yourself for the role and know that you can cover most of those requirements, you’ll beat 70% of the other applicants straight off.
If you don’t have the experience, start with a job that gets you some of the experience or work for a company with a good name in the industry you’ll like to be successful in. Use it as a stepping stone not as a road block. The people you talk with and meet may be able to help you down the road get the job you want.
Good luck and don't get dishearten if you don't get interviews or a job straight off. It may take a while and some CV tweaking (don't lie!) to get your foot in the door for an interview. It's up to you to present yourself as the best candidate for the role and impress that potential employer with your knowledge and understanding of the job.
One pet peeve – if someone wants to know what you like to do in an interview avoid saying “I wanna be a hacker!” Not the best impression to give.
You’re a security professional. If you act and conduct yourself professionally, you’ll be treated like one and get the respect of your peers.
Windows tools tutorialshttp://www.irongeek.comhttp://www.ethicalhacker.net/component/option,com_smf/Itemid,54/board,18.0/