Security MVP Article of the Month - July 2006
Paru le 12 juillet 2006
By Karl Levinson, CISSP, Looking Glass Systems
See other Security MVP Article of the Month columns.
So you want to get a job in information security? Or perhaps you're already working in information security (infosec), but you want to advance or switch to another infosec discipline?
Following are answers to the questions that I see asked most frequently about information security advancement. I've successfully used this information myself to learn and advance at various stages of my career. I only wish someone had clued me in to these things sooner—if they had, maybe I'd be retired by now and living on an island somewhere, instead of writing an article about how you can steal my job! Let's get right to it.
The time and money you invest to achieve certain security certifications can pay off later in higher salary and better employment possibilities. However, certifications are not a magic ticket to 'Easy Street.' Having one can help you get job interviews, but it will not get you the job. You'll have to prove your real-world knowledge and experience during interviews, and you cannot get that knowledge and experience from a certification.
One of the most valuable security certifications is still the CISSP certification offered by (ISC)2, the International Information Systems Security Certification Consortium. I recommend most security professionals consider pursuing CISSP certification before pursuing other similar credentials. Unlike other certifications, the CISSP requires that you pass only one exam. For those who can't afford expensive training, a variety of inexpensive CISSP study books are widely available. You can also ask whether your current employer might cover your expenses.
To get the CISSP certification, you must have a current or prior manager who is willing to attest that you have four years of paid full-time work experience related to security. (You may subtract one year if you hold an approved certification such as Microsoft Certified Systems Administrator (MCSA) or CompTIA Security+. Subtract one year if you have a college degree in information security.) Because of this requirement, the CISSP won't get you your first security job, but it could help you get your second or third. (ISC)2 does offer some lesser-known entry-level certifications, such as Systems Security Certified Practitioner (SSCP) with only one year of experience required, and the "Associate of (ISC)2" with no experience required. These certifications are not as well known as the CISSP, and so will not help your career as much. I recommend going straight for the CISSP, if you can.
The CISSP exam costs $499 to $599 (U.S.) and usually must be scheduled a month or more in advance. You may need to predict when you will be ready to take the exam, and then make sure that you can be ready by that date. In other words, you can't cram until you feel ready and then schedule the exam for the next day. Exams are only offered at a relatively small number of locations, generally in large cities. You may need to travel a distance or even find lodging the night before, as the exam always starts at 8:00 A.M.
During the exam, you have up to 6 hours to answer a whopping 250 multiple-choice questions, some of which can be confusingly worded. Exams are reportedly graded on a bell curve, so the passing score varies. A pass or fail grade is mailed to you about five weeks later. You are never told exactly how you scored.
If you read a 400-page study book to prepare for the 250-question exam, you should read and understand every page, or risk answering questions incorrectly. I suggest that you read at least one study guide, and also the free materials available on the CCCure.org Web site. You should then test your exam readiness by reviewing the quizzes at CCCure.org. You should also review the free (ISC)2Candidate Information Bulletin, which includes a list of the topics that may be on the test. If you don't feel sufficiently prepared for one or more items on the list after reviewing these materials, you'll know to read more about those topics.
SANS GIAC Certification
The SANS Institute's GIAC family of security certifications is also valuable. Most of the certifications and training that SANS offers are geared towards hands-on technical computer security professionals who have decided to specialize in niches such as intrusion detection, incident response, and so on. A few of the GIAC offerings are for auditors or managers.
Certification training from SANS is informative and can be helpful as job training. It is also pricey, at $2,000 to $3,500 (U.S.) or more, even if you choose SANS self-study. Inexpensive third-party study books are not available for most of the exams, so SANS is the main, if not the only, available source of GIAC training.
GIAC certifications come in "Silver" and "Gold." Gold certification requires you to write and submit a paper after passing the exam. If you purchase the GIAC training and exam bundled together, you must schedule your exam no later than four months after you complete the training.
If money is tight, you may be able to achieve GIAC certification with self-study: by reading several good books, taking one of the $50 GIAC online practice tests to build your confidence, and then taking one of the certification exams. Even then, GIAC exams without training cost $800, even if you fail. You could consider getting a smaller GIAC "certificate" by taking a $100 exam.
You can also pursue a Master of Science degree from SANS Technology Institute. To earn this degree, you must pass eight GIAC certification exams, submit several papers for "Gold" certification, complete three residential "Community Projects" that are assigned to you, and have three years of work experience by graduation. The total estimated tuition cost is around $29,000 (U.S.), similar to infosec Masters programs from other schools in your area. The MS degree can be completed in as little as two years. SANS is licensed to grant degrees but is not yet accredited.
Although CISSP and GIAC are two of the most valuable certifications for most technical security disciplines, some of these other security-related certifications might also help.
Some vendors offer certifications relating to the security of their products, such as the Microsoft Certified Professional (MCP) exams that are security-related, the Microsoft Certified Systems Engineer (MCSE) with Security Specialization, and Cisco's CCSP (Cisco Certified Security Professional) certifications. These certifications are valuable if you want or expect to be using, managing, or architecting these products in the future. If you don't want or expect to be working with Cisco devices, then there is little value for you in pursuing Cisco certification.
Security professionals in some positions may be expected to know and support products from multiple vendors. If you are one of these professionals, you may be better off pursuing a "vendor-neutral" certification like CISSP first, and not pursuing too many certifications from any single vendor. Unless you are already interested in specializing, I recommend being semi-skilled in two or more operating systems or devices, instead of spending your time being highly-certified in just one.
If you list four or more certifications on your resume, a few employers may suspect that you spend all your time cramming for certification exams, and they may doubt your real-world knowledge. It's okay to get more than three different certifications, but I recommend listing no more than three of them at a time after your name.
Consider removing from your resume any certifications that are not relevant to your target job, or those for areas in which you feel the least proficient. Also consider removing less desirable certifications. For example, if you are MCSE certified, I recommend removing MCP from your resume. If you are actively pursuing a certification, you should list that fact on your resume.
CompTIA offers at least two entry-level certifications (Linux+ and Security+) that may be valuable, especially if you are not in a position to obtain (ISC)2 certification. The CompTIA A+ certification is not relevant to security, and I recommend removing it when applying for security positions.
Whether or not you're interested in certification, there are a variety of options for advancing your skills and experience. If you don't have the money for expensive training, self-study could be the way to go. The various Hacking Exposed books are an excellent introduction to a wide variety of disciplines. I'm also partial to the following books: Incident Response and Computer Forensics, Second Edition; Writing Secure Code, Second Edition; and TCP/IP Illustrated, Volume 1. If enterprise firewalls are your thing, consider Building Internet Firewalls, Second Edition. For network intrusion detection monitoring, try Network Intrusion Detection, Third Edition. (ISC)2 has a list of good security books that are also relevant for CISSP study.
For those on a budget, slightly used copies of many of these books, including CISSP study guides, are available at Amazon at a reduced cost. Your local library may have some relevant books, or you can check out free eBooks at NetLibrary or from the Web sites referenced in the following section.
The Microsoft TechNet Security Center Web site is a wealth of free security training and reference information, courtesy of Microsoft. They also have free Web casts, for those who prefer to listen rather than read. For example, be sure to look at Security Guidance, Learning Paths for Security, Threats and Countermeasures, Understanding Security, IT Pro Security Community, Small Business Security, and the Security MVP Article of the Month. How could you possibly ask for more?
The Special Publications from the National Institute of Standards and Technology (NIST) are like free training books on a variety of topics, most notably how real-world security is implemented in large enterprises. You can also read the short security papers (written by GIAC certification candidates) in the SANS Reading Room. The U.S. Department of Homeland Security BuildSecurityIn Web site has some good articles about Web and programming security, as does the Open Web Application Security Project (OWASP) site. Also check out the CERT/CC's Papers and Presentations. There is a lot of security information at my own SecurityAdmin.Info FAQ site, in addition to a long list of links to other useful articles, sites, and tools that aren't listed in this article.
Technical Support Forums
Posting in Internet support forums on Web sites and in Usenet newsgroups is a relatively painless way to get real-world experience. Even though it isn't paid work, it shows your security talent and commitment, your work ethic, and your writing skills. This is also a great way for a newcomer to learn the most common real-world problems (and the solutions to those problems). This information may help you reply intelligently in job interviews. Certifications alone often don't tell you exactly how to solve today's most common problems.
Find a technical support forum related to an IT security field that interests you. Don't post at first. Just "lurk" and read the problems and suggestions. But keep an open mind. Be suspicious of broad "always" and "never" statements about security. After a while, you'll probably learn and remember answers that you wouldn't have otherwise known. You can then start replying authoritatively to more and more questions.
After you become known in the forum, go a step further. Answering the same questions over and over is no fun for anyone. If the forum has a Frequently Asked Questions site, you could offer to help maintain the page. If there is no FAQ, write one yourself and post it to Usenet, or start your own FAQ Web site for that topic. (The FAQ on my site is just one of many example FAQ sites out there.) You can also add a blog to your Web site and add commentary and articles about current events, new hot topics, and so on. Whatever you end up doing, be sure to mention it on your resume and in job interviews.
Following are a few popular security support forums:
Some Web-based discussion forums are also available via e-mail or Usenet newsgroups. In the case of the latter, you may find it easier to use newsreader software (such as Microsoft Outlook Express or Forte Free Agent) to access the news:// servers directly, instead of using a Web page to read posts.
Microsoft MVP Award
As an added incentive, if you frequently post reliable advice to the free Microsoft tech support forums, you could be nominated for a Microsoft MVP (Most Valuable Professional) award. This is a definite plus on your resume. Other benefits of the Microsoft MVP award include educational opportunities, opportunities to network together with security professionals inside and outside Microsoft, and some interesting gifts. Microsoft MVPs can also gain opportunities to write and publish articles that will be read by thousands of people (such as this article that you're reading now).
The MS MVP award is given for past accomplishments to support the user community. Microsoft uses this program to encourage people in the user community to keep up the good work. Don't worry—MVPs are not obligated to say or do anything different after receiving the award. MS MVPs aren't required to become evangelists pushing Microsoft products—nor does being an evangelist help you get nominated as an MVP. (If you don't believe me, check out the next section in which I've included links to Linux boot CDs.)
Posting to the Microsoft newsgroups is not the only way to be nominated for an MS MVP award. People sometimes receive MS MVP nominations for providing sound contributions to other non-Microsoft communities such as those I mentioned earlier, or via their own Web site or software, as well. Other vendors besides Microsoft may also have similar recognition programs.
If you are only familiar with Windows, a good way to become familiar with the other operating systems and security tools outside of Windows is to use a free Linux live boot CD. Download, burn and insert a boot CD, and your computer will soon be running Linux, along with all the related utilities, without your having to install or troubleshoot anything. Helix and Knoppix-STD are two popular security-related live CDs, and others are listed on the Darknet and KNOPPIX Web sites. Some of these discs are even specifically geared towards penetration testing or forensics. Other Linux discs turn an old slow spare computer into a firewall. If you don't have access to a fast Internet connection, you can purchase these CDs through the mail. There are also smaller Linux distributions available that fit onto floppy boot disks.
The advantage of live boot discs is that you can carry them with you and run them on almost any computer, with little trouble. But unless you are disciplined and have set tasks to complete, you may find it hard to move past the "just tinkering" stage when you use just a boot CD. You would likely learn more if you were supporting or using that software daily. Responding to intrusions or monitoring network traffic with IDS software at home are just not the same as doing it at work with live systems and data.
You may want to consider specializing in a certain security niche. There are many different security specializations out there, and you can't possibly become an expert at them all.
Some disciplines may be easier for a rookie to break into. For example, IDS monitoring is a security field that needs entry-level people to provide affordable round-the-clock coverage. Specializing in IDS may help an infosec newcomer break into the field (assuming that there are companies in your area that are doing IDS monitoring). Being willing to work the evening shift for a while may help you get your foot in the door, although learning and advancing can be more challenging outside the day shift.
Specializing in computer forensics could be helpful, because the demand for people with forensics skills seems to exceed the supply. Such jobs may not always be as exciting as what you see on TV, though.
You aren't likely to find a trainee position in penetration testing or hacking into systems. Those jobs are hard to find. You might find some entry-level certification and accreditation (C&A) jobs that involve doing vulnerability assessment scanning, especially if you live near federal government or other entities that do such work.
Some jobs aren't posted anywhere but on the employer's Web site. To find your security job, you may have to identify and visit the Web sites of employers doing security work in your area. These tend to be large organizations (such as commercial businesses, and federal and state government entities), and also contracting companies (like my employer, Looking Glass Systems) that do security work for those large organizations. Large organizations like the top 25 on this list of the Top 100 Federal Contractors tend to have more entry-level security positions, and more advancement opportunities later on. Besides, many employers value security experience from large environments.
You may also want to consider pursuing a non-security position in a company that has security jobs. Many employers are hesitant to take a chance on someone they don't know and who has no paid security experience. However, those same employers might gladly move a solid performer with a hobby in security from the helpdesk or server team to a security opening, after a year of getting to know your work. But watch out: if you interview for a job in a new company by saying you would rather be doing security work, you may not be chosen for the job.
A lot of what you need to know about gaining access to the IT security field has nothing to do with IT or security. Job interviewers judge not only what you know and say, but also how you say it, in order to find out whether your personality will be a good fit for their team.
Like so many other things in life, job interviews are a game. You have to know how to play them, which means learning and practicing. Check out a book or two about resumes and job interviews from your local library. Expect no more than 4 callbacks for every 100 resumes you send out, and expect your first few interviews to be painfully unsuccessful. If this worries you, send out more resumes, and also do some pretend interviews with someone knowledgeable who can give you feedback.
In interviews, talking too much can be bad; talking too little is also bad. Be honest, but know what things not to say. Admitting that you don't know an answer is preferable to rambling and making things up. It's okay to embellish your past experience a little, but if you tell outright lies, most people will detect it, and those who don't are probably not ideal employers doing serious security work. If you join such a team, you may find other under-qualified people hired on the team, and you could end up doing their extra work, or learning very little, or being let go when the company begins to fail.
Have a list of questions ready to ask about the job, the team, and the company. Know when and how to mention money, and avoid being the first one to name a dollar amount. I'm surprised at the number of people I interview who don't seem to know these guidelines.
Confused? Good. I couldn't possibly fit everything you need to know into this small space. I hope I've at least made you aware that the issues I've discussed here exist, and have gotten you interested in seeking out further details.
Like most other skills out there, information security isn't a secret magic art that only a skilled few can do. If you read security, and do security, and enjoy doing it, you can become skilled at it and turn that skill into a career.
By the way, reading this article was step 1. The next 91 steps are up to you!