
Breaking in to Security


What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Tue Jul 17, 2007 10:22 am

Breaking in to Security

Just some thoughts, as this question seems to keep popping up.
This is just my humble opinion on some steps forward.

You may have read stories, talked with friends or seen some of the TV/webcast shows on “hacking” and decided you’d like to break into the security industry.

Having solid computer skills, whether they are in programming, desktop, networking or a bit of a generalist, is a good starting point for a security role. It has given you experience in the IT industry and an idea of what some of the demands can be. Waking up one morning and saying “Right, I’m starting a new glamorous life as a security expert today!” is a very positive thing, but is unrealistic. I quite fancied being an astronaut for a while and was a bit upset that I’d have to go through years of training, evaluations and compete with the best and brightest to even get a look in (I know I could pay $20 million to be a space tourist, but that $20 million is taking a bit of time to save…). You need to plan ahead!


Work out what you want to do first
There are a huge number of different security roles and jobs out there, so before rushing into expensive training courses, look at what you want to do in the security industry and try to pick a couple of jobs you could see yourself doing.

Getting information on your dream job will give you targets and goals on how to get there and how long it may take.

Break down the skills and experience those jobs are looking for, and then start doing some legwork.
By legwork, I mean talk to friends, start Google searches, read interviews, listen to security podcasts, turn up to local user groups or start posting questions to security forums.

Build up skills and knowledge on the cheap
Having a clear idea of what you want means you can start gathering the skills, experience, tools and contacts to move on. Courses and training are fantastic, but only worthwhile if you can use those skills to further your career. If you spend, say, $3000 on training and never use the skills, is that the best use of your money and time? Just because it’s a hot skill/certificate to have doesn’t mean you’ll need it to get that job.

Get hands on practice
If you can’t get experience at work or school, build a test lab at home. Build isolated test labs – VMware, MS Virtual PC/Server and Mac’s Parallels are excellent tools for having a safe test lab environment to practice with. Most software, including operating systems, can be downloaded as trial versions, including Microsoft products.
Many free tutorials are online that show you how to use a tool or how bad guys can attack your system. Being able to see how something works and getting it to actually work is a great experience in itself and gives out a number of valuable lessons.

Never be tempted to “test” your newly downloaded Metasploit or Nmap against someone’s kit. Jail time looks very bad on a CV, as does being fired for breaking company policy.

Get involved – look up local events and groups and join them. There are normally a number of local interest groups, from sys admins, programmers, Snort users, 2600 and local security interests. Security folk need to have people skills for a number of reasons. Two great reasons are that you make contacts, which help you get known to the security market (possibly a job down the line!), and learn something you may never have thought of.
Join in on the many web forums. Don’t be a lurker! If you don’t understand or know about a topic, tool or methodology, ask questions and get involved. Use others’ knowledge to better your own.

Doing all this work before you start sending in your CV or wander into a job interview will save you a huge amount of wasted time and heartache. Being prepared and knowledgeable is a core element for any security role.
If you know what types of skills, experience and knowledge are required for the job you’re applying for before submitting yourself for the role, and know that you can cover most of those requirements, you’ll beat 70% of the other applicants straight off.

If you don’t have the experience, start with a job that gets you some of the experience, or work for a company with a good name in the industry you’d like to be successful in. Use it as a stepping stone, not as a road block. The people you talk with and meet may be able to help you down the road get the job you want.

Good luck, and don’t get disheartened if you don’t get interviews or a job straight off. It may take a while and some CV tweaking (don’t lie!) to get your foot in the door for an interview. It’s up to you to present yourself as the best candidate for the role and impress that potential employer with your knowledge and understanding of the job.


One pet peeve – if someone wants to know what you’d like to do in an interview, avoid saying “I wanna be a hacker!” Not the best impression to give.
You’re a security professional. If you act and conduct yourself professionally, you’ll be treated like one and get the respect of your peers.

Some resources

Podcasts
http://www.pauldotcom.com
http://cyberspeak.libsyn.com/
http://sploitcast.libsyn.com/index.php? ... y=podcasts
http://www.sophos.com/security/podcasts/
http://www.grc.com/securitynow.htm
http://hak5.org/

Reading
http://www.sans.org
http://www.schneier.com/blog/

Windows tools tutorials
http://www.irongeek.com
http://www.ethicalhacker.net/component/ ... oard,18.0/

boney


Jr. Member

Posts: 61

Joined: Mon Jan 15, 2007 8:46 am

Location: India

Post Wed Jul 25, 2007 12:41 pm

Re: Breaking in to Security

Wonderful documentation, I should say.

Now my opinions:

Regarding hands-on practice, why not try on a network which is already established? It’ll be a great experience if you try it on a secured network. Believe me, it’s tough and annoying as hell. You tend to move to a comfort zone if you are trying things on your own network. I’m not saying that you shouldn’t create a network, but breaking into networks and coming out without leaving any evidence behind is like a job done.


Now about getting involved, it’s really good to socialise. You know many new things and the usage, and you’re always updated. But again, “If you are a good hacker, everybody knows you. If you’re a great hacker, nobody knows who you are.”


The documentation is really good. I appreciate the references in some resources as well.

Keep up the good work.
C|EH

All my life I wanted a computer...
Now I want my life back !

invincible

Newbie

Posts: 3

Joined: Fri Jul 20, 2007 4:44 am

Post Thu Jul 26, 2007 8:10 am

Re: Breaking in to Security

Excellent documentation.
Many thanks for this.

What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Thu Jul 26, 2007 8:58 am

Re: Breaking in to Security

@ boney,

Thanks for the comments. I’m more from the defending side, so it’s worth checking out ChrisG and Slim Jim’s comments in the forums about pen testing.

Again, these are just my take -
Practice does make perfect, but you have to have permission, and written permission (which you have a copy of!), before you even think about testing someone else’s network defenses.

One of my previous roles was at a university.
A number of the student body thought it was okay to try hacking with the new tools or skills they had.
Some of them got in and “beat” our defenses. Sometimes they went too far and messed up an important system through poor understanding of what they were doing, or just plain ol’ being nasty.
My boss would shrug, send me off to rebuild the compromised system and then have the offending hacker dismissed from campus.
We weren’t designed to be a locked-down zone, but we recorded everything, as per campus guidelines which everyone signed. Having records made it easy to track and sack the would-be hacker.
In the US, if you are seen to cause more than $5000 worth of damage, then the FBI can be called in.
I’ve seen Nmap/Nessus scans on the wrong settings effectively DoS a system offline. If that’s a company web server, which they get revenue from, they can claim a hacker has caused tens of thousands worth of damage. Oops.
I’ve never liked the thought of crossing the law, hence sitting on the defense line ;-)

If you want to practice against other systems, get a friend to knock up a virtual lab and then get his permission to test his defenses. You’ll both get excellent experience and not need to worry about who’s knocking on your door :-)

slimjim100


EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Thu Jul 26, 2007 9:14 am

Re: Breaking in to Security

I fully agree with What90’s comments. It’s always best to stay legal and remember that everything you do and say on the internet is forever (thanks, Google).

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP

boney


Jr. Member

Posts: 61

Joined: Mon Jan 15, 2007 8:46 am

Location: India

Post Thu Jul 26, 2007 9:48 am

Re: Breaking in to Security

Appreciate the reply.
I was trying to criticize the good work. ;)
You took it professionally.
Good. Anyways, I say again, the documentation is good.

Keep up the good work.
C|EH

All my life I wanted a computer...
Now I want my life back !

tmartin

Recruiters

Posts: 46

Joined: Tue Sep 20, 2005 9:36 pm

Post Sat Jul 28, 2007 10:02 am

Re: Breaking in to Security

Another way to do it is to get a job working in a PC break/fix department or helpdesk. You’ll learn a lot there. Then move to a sys admin/network admin job (while you’re doing break/fix, study for the admin job).

All the while, keep your eyes open for security problems (don’t scan or hack w/o permission) and always volunteer to test new SW/HW/processes -- that’s permission to test security and poke at what’s being tested... just make sure you ask the team what’s okay to do. Usually, you can test in an isolated environment or take it home and test it there.

Little by little you learn more while gaining respect. Then maybe you can be sent to some security training or move over to the security team.

The other thing I did early on was volunteer. I was the go-to guy on the church’s network, helped all my friends, helped at the Lions club, etc. Of course you have to be REALLY careful that you know what you’re doing, but it’s a great way to gain experience for your resume.

Tell everyone you know you're willing to help...and study like mad.
