Slashdot Mirror
Finding Student IT Security Placements in the Industry?
CABAN writes "I am a third year computer security and investigations student. My program requires a three month placement in the IT security and forensics industry. Finding an appropriate learning environment seems to be harder than I expected. Lack of security clearance, no real world experience and many companies, who just don't see a need for ITS, are the critical shortfalls right now. What tips does Slashdot have for finding organizations who are willing to let students get involved with sensitive security procedures and cases?"
And posting on slashdot won't help you attain a higher clearance.
if you want to come manage security patches for a few thousand windows, aix, solaris, and linux machines for me, let me know.
MORTAR COMBAT!
My program requires a three month placement in the IT security and forensics industry.
Your program should then have some mechanism to facilitate such placement. Most programs that require intenships provide assistance in placement. If yours doesn't, then you are being shorted. This isn't a DJB class is it?
How about working for your school's IT department helping to clean and/or investigate compromised machines. They could probably use the help. Is .edu not real-world enough?
a program that requires an internship that it is unable to provide support for? you might want to talk to the career center of your school....
BP http://www.card-central.com
It appears they are in need of a good security consultant.
I almost always have one Co-Op (paid) on staff at all times. Being in a large city might help.
These companies are both expanding their security apparatus and also are both industries known to be in love with the college intern concept. I interviewed for several security positions at insurance firms (specifically car insurance) who were hiring something like 5 or 6 security architects in one shot. Try to apply to intern programs there or at big Financial.
Do what everyone else did.
Hack into a bank and get caught.
You'll get a few years in the state pen, but then you'll be a hot commodity.
(P.S. This is one fucked-up world.)
1.You need a job but the companies only want people with security clearances.
:)
2.You can only get a security clearance if you work for a company that will pay for it (and justify it).
Rinse and repeat.
My suggestion would be to get a position which doesn't require a security clearance with a company that has security positions available. The company is more likely to hire you into one of those positions and pay for your security clearance, if you already work for them. That's what I'm doing (sorta).
Course, I don't have a clearance yet so maybe it's not the best idea
-Teiresias
I hate to say it, but this is a difficult thing to get into. The problem is getting your foot in the door, just as you are trying to do. Offer your services to some companies for free if you have to. That may be all you can do to get any experience in the field. It's good that you are in a program that specializes in security though, because it's harder to make the leap from a degree like Computer Science straight into IT security. Once you meet the requirements though, you absolutely must go get your CISSP (certification, you probably know of it) if you want to advance very far. It can be a lucrative field, but experience and certifications, rather than traditional education, are the biggest factors in being successful at it.
You should hack into high-profile website. That way, when you get got, the government will offer you a job... :)
But seriously, what are the requirements that your placement must meet? I wouldn't think it'd be too hard to get a placement in an IT Dept. somewhere, anywhere, it may not be glamourous, but I would imagine it would fulfill your requirement.
-Phixxr
ungggghhhh
Without them it is difficult to find that "first job" or great internship. I managed to find mine without assistance from other but I had people helping try to find me one.
you need to make those critical connections in college or atleast your parents need to know people. people who say academics get you everywhere are idiots, it is all who you know and who you know knows.
Since when did Slashdot become a job posting site? OTOH-I could use a job ;)
I would be looking at smaller companies and offering what you have to them. Most cannot afford security consultants and would probably welcome your expertise perhaps on a intern or consultant basis. The other obvious option is to talk to those companies that build security software for a living.
.02
My
Yeah? Well I think you're overrated too.
Focus on infrastructure, especially hospitals. Hospitals are used to the idea of intern types, and they usually have contract deals set it up with recruiters. Standard Job location procedures apply here... your average job sites apply, and they are chock full of openings. Don't expect to get into forensics right away... It's not an easy job, and if a particular shop is doing it, its going to be for a legal case. There is hope for you however: alot of places do train, because forensics procedures vary shop to shop. Everyone has their own way to doing it... and that is fine as long as the documentation is rock solid and you can provide a good chain of custody process. In this arena, its not just good technical skill that is the issue, but also how well you can document things. We, as technocrats, seem to have a disdain for writing things down, and documentation is paramount to forensics. Bottom line: you are new, and there is nothing wrong with that. Put together a resume, and get it out there. Draw on your personal experience, because thats all you have to work with at this stage in the game. Good luck.
I'd assume that the university has an IT department and often uses students to help administrate the network. See if you can get a job there. The pay will most likely suck but the location is hard to beat in terms of distance. Also look at small companies in the area and instead of offering yourself as an IT security person, offer to do the WHOLE IT thing. Another option would be non-profits. A lot of Boys and Girls Clubs have computer networks that were donated in the late 90's that are in desperate need of help. They don't pay too bad and while it will be mostly grunt IT work you will have to deal with security too. Good luck and keep your options open.
Join the FBI,CIA or Military.
There you will get real world experience and they will also do your security clearance.
Its a 12-week program following the student's third year.
As a participant in the Summer Network Evaluation Intern Program (SNEIP) you will acquire an appreciation of the challenges our Nation faces in network security as it relates to real-world work experiences. You will experience first-hand some of the critical work done at NSA as well as have the opportunity to apply your skills on hardware and software systems to enhance network security and contribute to the security of U.S. information systems.
Sadly, this wont benefit you since the application deadline has passed.
I guess you need some value proposition. Remember that most companies are in the business of making money, and it needs to be the case that you can give more than it takes to employ you in terms of usage of staff time, resources, training, office space. Here are a few ways you can do this:
- Offer to help with more general systems development/support as well as the security element. You might have to spend a signficant percentage of your time acting as a cheap coding monkey in order to get exposure to the stuff of relevance to you.
- Offer to train other staff free or charge, or provide audit or documentation for systems.
- Highlight the risks of security problems in terms of real monetary costs to an organisation who don't invest in security.
- Sell yourself as an independant and pro-active potential employee who won't be a drain on resources.
- Be flexible in the work and projects that you can offer. Remember that you will only be hired for the work experience if you can fill a valid required business objective.
- Cast your net wide, and speak to people on the ground in an organisation. Contacting a small group of companies via HR departments is a guaranteed way for your e-mails to end up in a black hole.
- Get on the phone or right physical letters. They're emotionally harder to discard or ignore than an e-mail.
- Remember to contact non-obvious choices such as schools, charities, NGO's, open source projects?
- Above all, be enthusiasitc and state your willingness to learn!
Vacancy for signature. Apply within.
This is a highly-competitive program but they will hire college student who go through the standard battery of background checks (including polygraph). Details can be found here
My program requires a three month placement in the IT security and forensics industry.
University IT doesn't count? Usually, there's plenty work to do in the security and forensics area.
If I were a IT security company, I wouldn't hire someone with no previous experience for just three months. The risks are simply too high.
Although you might not like the prospect of it, ont of the easiest ways to get a security clearance and on the job ITS experience is to work for the Department of Defense, particularlly the Air Force.
Slash their tires, then try to sell them new tires.
[Whose tires?? theirs...]
Chris
"You can drive out Nature with a pitchfork, but It always comes roaring back again." - Tom Waits
Haven't you seen the Slashdot - HotJobs ads? What about the Tech Jobs link under Slashdot's Services menu?
Try your state Public Defender's Office IT department. Having worked in one, we got involved in some computer forensics and analysis of machines belonging to the clients. They might be able to offer a place doing this type of work.
I have a few friends in CS who got CO-OP jobs with the Communications Security Establishment in Ottawa. No pre-existing security clearance was needed. You might also try the RCMP.
We are always looking for talent. Or interns. Hope you like snow, HQ is in Pittsburgh.
trustedworlds.net - gaming, security, and the gunk that lives in between
Assuming that you're in the US, try the Federal government. They're always hiring interns. Just focus your search on civilian agencies, and you shouldn't have to worry about needing to get a clearance.
Look to security and forensic technologies vendors for you first iternship.
Your best bet is probably a Computing Resources department at a local University. You won't get paid much considering it would be a state job, but you will definitely get experience.
This is a test. This is a test of the emergency sig system. This has been only a test.
Three months is very short. Companies would be more willing to hire you, and more willing to get you a security clearance if necessary, if they can get a better return on their investment.
to get a clearance is through the military.
;)
Join the reserves (not the Army reserves, lol).
Of course, if you have a shady past, it won't help you.
All your base are belong to Google.
Okay, I don't want to be Mr. Cassandra here, but after having been going with the punches in this industry for the last decade or so I need to tell you that this is a first taste of what's to come. Obviously, there have been many threads on ./ about how the IT market has fallen apart and that many of us having a hard time finding a job (and keeping it!). I myself was let go again last week and I can tell you, it's ugly out there.
;-)
Before you go out there trying to get your 'career' in gear and finding a company you're loyal to for a good part of your life, I would recommend you read a book called 'Poor Dad, Rich Dad' (or the other way around). It basically teaches you to create value for yourself and not to focus on a particular skill set. This will not only help you prepare to structure your ambitions and your career but will also leave you with a more sane prospective regarding the current job market. Bottomline is: we are all cogs in a big machine and we are replacable (as you soon will find out) - only by creating value for yourself and by seeing work as an 'opportunity to learn and to get one step closer to your own plans' will you be able to deal properly with the frustrations of finding a gig (or internship) in the IT industry. Don't trust any promises made by any corporation out there - you are selling them time of your life and nothing else - they will treat you like a spare part that can easily be substitured for a newer, cheaper one. BTW, no - I am not depressed about all this - once you see the light and accept reality for what it is, it's actually a healthy prospective (and it's kind of Darwinian
I know this is a bit offtopic, but I wanted to chime in here to pass along a philosophy that's been keeping me going since the market fell apart.
I know if I was in the position to have someone check security, I would want a trusted person to do it. The problem is your not really trusted anywhere yet.
I would probably make up a really professional looking resume and a cover letter explaining your school and your situation. Offer to write a comprehensive report on the security situation in a business and send them out to every business you can think of that uses a computer. Maybe use the angle that a company could check on their current security company by having a different party do the testing.
The trick will be getting someone to let you do this when they don't really know you or what you would do with the information you get. Most security people aren't too happy about someone else coming in to check thier work, as that is insecure in itself. Best bet is to just ask as many places as you can think of and hope that one will let you do it.
My university also has a full-blown co-op program. It operates by contacting businesses across Canada and asking if they would like to have some of their students apply for jobs. Then us students go through a process much like applying for a job in the "real" world. I think this is much better than having some scruffy third year student (like me) call them up and ask if they want to hire him (or her) for a security position.
Also, there is a precedent for security companies hiring Co-op students. If I am not mistaken, The Canadian Security Company (I can't remember their proper name, CSE or something like that) hires some students from my university every study term. The students have to go through a security clearance process that has several requirements such as: you must be a canadian citizen and, criminal record checks and such.
if you want to see our website, go to www.cs.unb.ca
So yeah, the point of all that is to tell you to definitely get in touch with your advisor. I'm sure you have a course advisor (if you don't, get one!). He or she should be able to point you in the right direction.
rydawg --
Depending on your focus and your location, I'd suggest looking at any law firms in your area that specialize in cyberlaw. There's a definite shortage of people in that field with a knowlege of digital forensic procedure.
As a plus, they're typically not so concerned with security clearances, so it should be easier to get your foot in the door.
The only way to get that security clearance is to start the process, and start it early. I notice that you are from Canada, so I can't give any advice specific to your situation, but I am sure that the Canadian government has cybersecurity internship slots.
/. commenters, find it odd that your program has a service component involved and no contact network or career advising attached to it. Frankly, if you're early in your studies, I would consider going elsewhere. Most programs that have service components have professors or advisors with vast social networks that can place you in a good position. I would certainly check with your professors and make sure that there isn't an unofficial social network there that they can get you hooked into.
Apply to one of those and the government will usually pay for the security clearance. A lot of times, government positions rotate their interns into many security positions and place them with a mentor, so you get the benefit of varied experience. Even better, these are most often available during the summer (three month vacation to a security position works) and since most places start processing in December/January, you're right on that edge for applying.
I suggest you check out your own various government agencies and send your resume out. Processing time for young people usually borders about four or five months (although it can take over a year), which would put you, if all goes well, at the perfect timing to get one of these positions. And, better, agencies often hire their interns for full time positions when the students graduate, and you will already have your clearance.
I, however, like many
But if you are planning on going into the security profession, that security clearance is something you will want/need anyways, so if you can get it now, all the better!
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
I will definitely not allow any students who think they know so much in my IT-department. They might know a bit about their childish Linux, but they are just not up-to-date with modern Microsoft-technology.
Editing configuration files with a text-editor is really brain-dead -- that's what a graphical user interface is there for, to prevent erroneous data from endangering the system.
Some of them even have no clue how to maintain w decend web site. They insist on installing an ancient editor instead of using the standard-compliant web-editor of Word.
What do they teach you?
Sometimes I am really glad that we were able to outsource our security to an Indian company with competent people. The United States are really going down the drain with the students we see nowadays.
What tips does Slashdot have for finding organizations who are willing to let students get involved with sensitive security procedures and cases?
In this economy? The closest you'll ever get to hardening a security system is when the assistant manager at McDonald's lets you lock up for the night.
I would aim for small to medium businesses. Many of them have data that isn't so sensitive that you would need a security clearance - yet if they lost it, their business would be ruined. Any business with web accessible data storage is a good candidate. And perhaps they'll need a little convincing. I vaguely remember some statistic of the the percentage of small businesses that never reopen after a data loss (fire, computer failure, etc.) This is a data backup issue, but also a security issue.
Of course, you'll already need to know most of what you'll be doing, as these sorts of businesses will not have a security employee to learn from. But if nothing else works out, at least its real-world experience.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
I live in the states and have several e-mail addresses from several different country TLD's.
Having a
Trolling is a art,
To get some real-world experience, try getting a job in a department with those kinds of needs - but not explicit in your job description. That is, try being a sysadmin or network support guy somewhere. A larger company, a University, etc. The company I'm leaving is a small business with three dedicated web and database servers. This has allowed me to play the role of web and network security administrator, even though my job was originally completely unrelated to that. With a small business, you get to wear a lot of hats - giving you a chance to learn alot and get some real world experience.
After you get some of that experience, you'll have a better feel of where you want to go with it (and an easier time getting there).
I was a gaming agent for the Tulalip Casino up in Marysville, WA. I was responsible for inspecting the slot machines, which in Washington state are basically networked computers. (They have no internet connection if you were wondering.)
These places are always looking for good, qualified people and seem to have trouble getting them. I was one of two people in the whole agency with a CS degree, making me uniquely qualified. Generally, they have to take people with a criminal justice degree and teach them the ins and outs of the computer system. They would love someone already trained in computer security.
Besides looking at your local casinos, you can also check out the slot machine manufacturers. Sierra Design Group, located in Reno, is a group I highly recommend. They have an awesome, stable product, that the industry loves and runs on Unix. They're a subsidiary of Bally Games, so you can find their job page here.
Another computer, located in Austin, is Multimedia Games. They pretty much have the lock on the class 2 games. Here is their jobs page.
But keep writing to any company you think may fit. A lot of the bigger firms do placements. I'm sure IBM or MS could accomodate you. BTW if you do get to an interview they're not like they used to be, every company is obsessed with you being a team player to the degree that they turn down perfectly able interviewees, in your CV interview cover sheet everything stress you love teams and are a team player. I have who worked for IBM on a placement for a year did a fantastic job running grids AIX servers and all sorts of stuff, must have saved them a fortune - he single handedly ported one of their products to Linux from windows and was then told in the interview for a graduate place that he wasn't enough of a team player, i'm not talking about being socially inept - which he totally isn't, he just didn't shout team team team for 30 minutes.
"all through my house i set up traps, it seems like the rats have a map, so now i feed the rats crack" - Donald D
Hack in and place your resume....you'll get hired or goto jail. But the good news if you goto jail someone will hire you.
Danger Will Robinson! You are now entering a condescending Unix user zone!
Almost all of the computer security professionals I know, with the exception of some lucky ones who happened to get trained in the military, have had to do grunt IT work of one sort or another before moving into the field of IT security.
Don't expect to get involved in computer forensics straight off the blocks. As a previous poster mentioned in a roundabout way, look for a security position that's more closely affiliated with a traditional IT role (patch management is a good example).
Though I don't want to take the wind out of your sails entirely, I think that you shouldn't expect to get into the glamorous side of IT security without demonstrating that you have a thorough grounding in IT by doing some sort of sysadm/networkadmin work, or even (gasp) phone support work first.
Of course, if you're willing to work for free, there are quite literally dozens of sites and groups out there who would probably benefit from some sort of IT security assistance, even in your field. Things that come to mind immediately are the EFF, blackboxvoting.org, or any of hundreds of different nonprofits that have a web presence and probably don't have 3rd party audits of their site. If you or any of your friends volunteer for a nonprofit already, why not check and see if they'd like you to set up a computer security program for them?
Finding an appropriate learning environment seems to be harder than I expected.
Now, I want you to really stop and consider this for a moment...
You can't find work as slave labor in your chosen field, and you think you'll do a whole lot better once you graduate?
Switch to a business or marketing major now. If you can handle IT, a quick lobotomy aught to get you through such a degree in no time at all.
You could consider a law enforcement career.
There's bound to be opportunities there as long as you pass the entrance requirements ie: physical condition, psychological state and criminal history.
Lots of students from my University ended up working for the US government at the National Laboratories. I don't know if that's a viable path where you're located, but they have a number of IT Security related positions, of course. The best I know about is Sandia National Labs, which has a specific group of student interns in ITS training. (Called, unfortunately, "Junior Cybercorps" or something).
The government always needs security, and they're often willing to accept and train student interns.
I yearn for you tragically. A. T. Tappman, Chaplain, U.S. Army.
As you approach companies, don't ask for a job. Unfortunately, you describe the situation many of us have fallen into with jobs that we don't have the past 10 years experience in...
The best way to approach it is to go to companies that HAVE what you are looking for, ask them about an Apprentis or Intern program, apply with them for that program and work from that POV.
OR, if they don't have these programs, then you could ask to start one.
If you get your security clearance, you may find that companies are not unwilling to NOT pay you to come in and work...sure, you work for free, but you CAN put the experience on your resume!
--E--
Hi - I teach programming here in CANADA at the post-secondary and continuing education level (so I am aware of your situation as a Canadian student) - my practice was based on all things practical, and a little bit of opportune timing. You could for example, go back to your high school (if you had good relations with them) and demonstrate vulnerabilities in their network security, fix it, and demonstrate this as a case study of your work. It would be nice to get some money for it, but you may have do things like this for little or pro bono until your resume clearly demonstrates your experience. Stress how it can relate to corporate and enterprise level security (if that is what you are aiming for)...Technology has come down to a level such that a large amount of the general population is aware of security measures for computers and networks - demonstrate that you can do more. On the other hand, you can always hack a website LOL.
just a web application developer and instructor in Toronto, ON Canada
Perhaps you could volunteer your time on a large FOSS project doing security audits, patches, testing, coordination, analysis, etc.
For example, the BSD projects have dedicated security officers. Other projects could probably use help. Pick large ones that have some substance (legal corporate/non-profit structure, etc) to them: Mozilla, the Apache Software Foundation, etc.
http://admsol02.mcs.muohio.edu:11180/apps/miamijob s/jobsOnLine/positonDetail.cfm?positionNumber=1965
We're offering two of such positions - perhaps you'd find something like this on an intern basis - we have a rather robust security department as it is, so I'd venture to say other Universities would as well.
I haven't posted in so long, my sig is out of date.
You might be forced to start your career by running laps in Quantico, VA.
Check out the Extreme Blue Co-Op program with IBM. I am sure they would have Project positions somewhere in the company for this skill set.
http://www-913.ibm.com/employment/us/extremeblue/
My brother-out-law (read S/O's brother, we aren't married...) is in a co-op program as an engineer, which at least gives him the benefit of a well established field with lots of choices. So much for the plusses.
What precisely are you going to learn in three months? For my BOL, physics is physics, and electrons are electrons, doesn't matter where you work. Not so in IT. Even where "experts" agree on a result, they rarely will agree on the method of achieving it. You'll spend that three months learning really nothing more than how to be an employee, and almost nothing relevant to your program.
Where I work tried getting interns to work in my dept. I finally asked them to stop, I was doing nothing more than training a new intern every three months. Of course the majority of those interns make no significant contribution to the department, they spend most of their time learning how to be an employee in the department. Those few who actually tried to make meaningful contributions, well, that work went to /dev/null as soon as the intern went back to school. Great, we had a guy at a real cheap wage for three months, and he/she accomplished nothing of consequence, and this is a cost savings how? Three months just isn't enough time to make a decent IT employee in more places than I suspect the Curriculum Design moron at your institution realizes.
Real world experience is a valuable part of the educational process. In the case of your school, I would suggest starting with the Curriculum Design Moron. Get that individual out of their ivory tower, and out there talking to the people who do the work. Not only should they be helping you to find such a placement, maybe if they were they'd get some feedback from guys like me, and make some changes that would make interns an attractive option in IT.
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
"Talk minus action equals
I know that many of my fellow classmates were actively recruited by the CIA, FBI, and other agencies that were looking for students with an interest in computer security. After their stint as a fed intern, most of my friends also landed jobs in government or were at least offered.
Many companies consider contractors and temps a security risk are unlikely to have anything available. I know my company (a small one in financial services) would be highly unlikely to hire anyone to the security team that was not full-time and permanent.
If your program has that as a requirement, perhaps ask them how previous students satisfied it and network that way.
The NSA's stated requirements...
Must be a U.S. citizen
Must be a college student majoring in Construction Management, Supply Line Management, or related Facilities/Logistics field
Have a minimum cumulative grade point average of 3.0 on a 4.0 scale
Must possess strong written and oral communication skills
Eligible to obtain a high-level security clearance
Must have reliable transportation to and from work
As noted, this year is out-- they take applications from August 1 through November 15 for the following summer. However, the first requirement is likely to be the deal-breaker. The student states they are in a "computer security and investigations" program-- this strongly suggests the querent is in the Fleming College program, in Ontario, Canada.
If so, inquiring whether the Communications Security Establishment has a comparable program; however, their student/coop page doesn't seem overly promising.
//Information does not want to be free; it wants to breed.
Assistance has been limited because the program was originally developed for an applied project. Placements were last minute options. This is a Canadian program. http://www.flemingc.on.ca/Full-time/ProgramDisplay .cfm?ProgramCode=CSI
More than likely no money in it for you since they are all under funded, but I am guessing that they have a wealth of work that could be handled with people of your skill set. Even if you are only doing and indepth security audit and then making recommendations. Run a few interviews, bill your self as a consultant if you need more hours do in in more than one school or school district!
I've been encouraged by my family to get a job in tech because "it pays well and everybody's going to need it." I've decided to go with Education instead. Doesn't pay well at all, but I know it is in demand, unlike tech skills. It seems everybody's family in the 90s was telling their kids to get into tech. Not all of them have foresight of prophetic measure, so they paid for college for that crap. Now everybody, even Indians, has these skills. Supply is up, demand is down. The tech job market is saturated. I apologize for your plight.
Moreover, how many are at Canadian colleges with a "computer security and investigations" program?
//Information does not want to be free; it wants to breed.
...but I really think anyone involved in IT security should have at least 3-5 years in the trenches first. If you *really* want to know your stuff this is simply a requirement. Finance or Medical is a good proving ground, but infrastructure (power companies, etc) is starting to be a good one too.
My advice would be to get a sysadmin or operational job first, and spend every second of free time addressing the security aspects in that environment. Then when you move into a security specific job you have some meat to talk about: "well at company X we implemented Plan Y to address this issue", and "I found that we consistently had problem Y". I personally would be very skeptical of a security pro right out of school.
I am sorry that you are having such a hugh problem getting a job. The other that I have read are correct, the schools Job Placement should be able to help. If not, it depends on where you live. I live in Central Florida and here there are many jobs from Lockheed Martin Corp which is a Gov job but will help you get Security Clearance for you and they have plenty of job openings. Go to Career Builder and look for yourself. Hope this info is helpful.
The clearance aspect will always be a huge barrier to entry. By all means, try to find placement that will grant you a clearance because you will be much better posititioned to find employment after college if you have it.
Then there's plan 'B'. What do you do when there's a piece of commercial hardware or software that you can't get your hands on? You probably find an OSS variant or you figure out how to make your own with the materials on hand! Such can be the case when seeking real-world experience in the IT/ITSEC universe. Seek out non-profit organizations or even local area elementary/high schools that might benefit from someone with your book learning. Create a proposal in which you offer to use what you've learned to evalulate and repair any security holes you can find in their infrastructure and practices...for free of course! Non-profits rarely have any operating budget for these type of things, so they might be willing to take you up on the offer. There is the downside in that you will probably not be receiving any mentorship going this route. On upside, you will be receiving more hands on experience then you might have otherwise AND you will not be asked to get coffee for anyone! If you are truly feeling the DIY spirit, you may be able to find ITSEC professionals/corporations who are willing to provide mentorship for your non-profit endeavors as a way to give back to the community (and possible tax write offs).
Being part of the critical infrastructure, utility companies are taking security much more seriously.
Hot Damn! It's the Soggy Bottom Boys!
I'm an IT Manager and the last thing I'm going to do is let an Intern anywhere near equipment relating to security at my site. I use Interns to setup PC's and help with the IT grunt-work around the office but giving access to the routers, firewalls and IDS systems to a newbie...sorry. It's like handing over the keys to your Ferrari to someone with a learners permit. I can appreciate the situation, you gotta start somewhere. My suggestion would be to Intern in a plain vanilla IT role and after graduation become a Systems Admin somewhere for a while. Then work up to the Security side of the house. The school that set up this program should re-evaluate this requirement.
Public libraries have the interesting conundrum of letting people just walk in and use our computers while keeping them out of our major systems. "Yes, you may use our computer. No, you may not change anything." We're certainly short of people with security experience and I'm sure many would appreciate the help.
The Air Force offers a cyber security boot camp. It looks like a great learning experience and work experiance. It consists both of classes and hands on projects. I looks like you get assigned one main project you are to complete on a current real world secruity problem. I don't know if this would count towards the three months placement but it looks like it could really open the doors.
The application is due January 1 and they are planning on 50 students total.
Here is the webpage: http://ace.syr.edu/
I had an interview with CSE (http://www.cse-cst.gc.ca/) 2 years ago (didn't make the cut). I was at the University of Guelph, and their co-op program had ties with CSE, allowing for co-op/internship programs.
There's lots of cyber security going on with CSE, and I've heard they prefer the public doesn't know they exist. I'm sure they appreciate this post.
Maybe your school's co-op program has similar ties?
Just to note, your application usually has to be in 4 months before you plan on doing your placement.
Collective Type Project
IOW: If you're the chicken, don't hand the farmer the axe.
Spam your resume out on job sites. You'll probably have a response rate of 1 in 300 resumes sent out. If you have friends, see if they can pull strings for you. This is the easiest way to get a job. Keep studying in stuff you're interested. You may not find a job out of college anymore, but you can become an intellectual who's still productive to society. Press the boundries of what's known and advance upon them. Theres so much in computers that hasn't been touched. Of course you don't often make money doing this, so its not for everyone.
God spoke to me.
1. Go war driving, stop by the companies, and SHOW them how insecure they are.
2. Have them hire you to fix it.
3. PROFIT! I mean GRADUATE! no wait...
Seriously, at the very least you could earn some extra cash until you find a position.
hack a day
Sandia National Labs hosts a program for students that are interested in ITS. The program is sponsoreed by the National Lab in both New Mexico and California. I am curently involved with the program and I love working here. http://education.ca.sandia.gov/internships/institu tes/ccd/index.lhtml
I was one of two people in the whole agency with a CS degree, making me uniquely qualified.
Since you were one of TWO people, you were not uniquely qualified. If you had been the only one, then yes that would have been a true statement. Unique means "the only one of its kind", not 'special' or its synonyms.
Moose and Rocco will be by shortly to discuss your severance...uh, pay that is.
slashdot: A failed experiment.
As an individual in the field. You may want to start in other areas of IT, but make an emphasis on Security. I started out as a System Admin on NT4 boxes, then moved to Networking, which led me down the path to Firewalls, VPNS, and IDS. Because I have such a wide area of knowledge, I am usually the go to person in the department I currently work for, and thus in front of management quite often as well...
-- NeonRonin
Talk to companies who make money by providing Security Services. The best example of this would be the many Certification Labs that specialize in things like Common Criteria, FIPS, Visa PED & EMV. These companies charge product vendors for verifying security functionality. Hiring Interns/Co-Ops allows them to increase their profit margins by utilizing lower cost testing resources.
You sly dog: you got me monologuing! - Syndrome
The Security Jobs mailing list is a good place to start. When my company was looking for an intern for our incident response and audit team, we turned to that list. There was a standout resume and post from one student in particular... we hired him on. If we have a fulltime professional slot that opens, we'll likely reach out to him first.
What tips does Slashdot have for finding organizations who are willing to let students get involved with sensitive security procedures and cases?
:(
In this market you might try the nearest mall - everyone underestimates the danger and security issues involved in being a mall cop. Plus, who wouldn't want to drive around a parking lot in a geo with yellow lights...
Yeah, neither would I
As an alternative, if this is required as part of course work, maybe you can get the school to pay you through work study, and setup something with a local company that you can work for for no money out of their pocket. The key is that real world experience is great experience, beg borrow and steal the opportunity. To work, even if they give you the drudge work, you should be able to learn the nifty thing watching others work, and then volunteer to help with the fun stuff.
We don't let most of our security team be involved in investigations. In factr, its only the one or two people needed to deal with the issue that know anything about it.
If you're an intern here, you 'might' get to monitor spam, logs or the IDS. Involvment in investigations is not something we hand out as an entry level option.
Get a life, not a lifestyle. - Hikem Bey
Contrary to popular belief where you live, the world doesn't end at some United States controlled border.
:-) Some countries, like Spain, are pretty cheap in terms of living expenses (despite the current exchange rate).
Check out Canada, or, if you really want to have fun, Europe. They even speak English there
I guess I can sing the security clearance blues myself. American research labs (MERL, AT&T, I assume even the IBM ones) expect candidates to obtain a clearance -- which I, as a foreign national, can't get. My clean record, my good karma at Slashdot, and my heavy American accent won't do anything for me.
So, I'm sticking around Europe. And hey... IT'S GREAT HERE!
Look for work/internships as a systems auditor with a consulting firm.
Every publicly traded company in the US (and many have operations in Canada) is looking for Sarbox help. Look for a consulting firm that is willing to take you on for a few months. Dealing with Sarbox, you'll get a good real-world understanding of security. Though not glamorous, the experience identifying security opportunities and proposing changes will be invaluable later.
Though 2004 is the first year many companies will have to certify for Sarbox, the work for international compliance is still going strong. Look outside North America, you'll get international exposure and security experience.
You should contact security/IT departments in Universities surrounding your university. Depending on the number of students your organization servers, getting a student assistant position created that rotates out a new project to whatever student's term wouldn't take a lot of effort.
Hospitals may also provide that same amount of communication if your faculty/staff can help explain the program to someone in the office of IT/CSO @ the hospital. Many of those organizations are bogged down with HIPAA implementation right now and are looking to address these security issues.
The trick to getting an early post on an ask-slashdot question is to give no useful advice.
.\.\att Clare
How about your university? Back in the day the IT for our computer science department was totaly student run. Drake University probably still has one of the best Linux labs/ beowulf clusters for students at a small liberal arts institution. Check with the guys in your campus IT department and see if they want a free security intern.
Just make sure you stick to security and don't try to automate their jobs away. From my expirence most professional univerity IT departments go out of their way to "create" jobs.
bash-2.04$
bash-2.04$yes "Don't you hate dialup connections?"| write USERNAME
I agree, I worked as a contractor for the AF and it was a great environment. The other route you can take is temp agencies. There are a few around here that will get prospects their interm clearnace so they are available for the jobs. you can even consider going into the reserves...
I lucked out, my clearance has treated me better than a degree anyday. These days, you have a clearance, know Unix, you are good to go...
I am only going to say this once. If you are in school with an CS/IS&T major you MUST have real world experience to make it. Graduates with degrees but now real world experience are worthless. So, for all you rich geeks out there that have mommy and daddy paying your tuition, get a job in the computer field! Here is how it works: Real World/No Degree = Good/Okay Real World/Degree = Very Good No Real World/Degree = Worthless No Real World/No Degree = Suicidal
A few things...
1) The security consulting industry is larger then a lot of people realize. This would be one of the first places to look for beginner level positions.
2) Not all security jobs require security clearance, only government jobs (or jobs that are in some way related to government work) do. There are several industries that require the services of a security consulting company. For example, Financial intuitions are *required* to have independent security audits performed of their IT environment. There are various regulations out that motivate companies to hire security people (GLBA for financial institutions, HIPAA for healthcare, etc.)
3) Security professionals are in more places then you might realize. Any one of the top 15 accounting firms in the nation will most likely have a security consulting practice. There are countless managed security solution providers. There are companies (many of them!) that do nothing but provide real time 24x7 monitoring to their clients. Any one of these companies can usually find use for an intern, especially one that has the information security mindset, and most of these will not require a security clearance.
4) Contrary to what some may have you believe, certifications aren't everything. You can not get your CISSP until you have 3 years of experience (assuming you graduate) or 2 years of experience (assuming you graduate with a Masters). No company that is looking to hire an intern will be looking for that intern to have their CISSP or CISA.
5) Good news, the security industry is booming and everyone is hiring. The company I work for has consistently hired more people every year since I started. Three years ago there were 30 professionals dedicated to information security consulting, now there are about 85, a large portion of which were hired straight from college.
So, in summary, I would focus your efforts on companies that perform security services such as consulting companies (read: accounting firms, and specialty firms like the foundstones of the world), managed service providers, datacenters and various niche services such as real time intrusion detection shops. Start making phone calls, asking if they have a security practice, and who you could talk to about a job. These places are hiring, if you aren't on their radar already, it's up to you to put yourself on their radar.
"My program requires a three month placement in the IT security and forensics industry."
Personally I would think it would be a bigger security risk to have an intern for 3 months then it would be without one.
When it comes to business and security, if they take security serious, I would be very suprised if they would ever let someone outside of the company will little expierence, for only 3 months come near their sensitive data.
TruePunk | Games
Do you have to have a placement in the IT Security Industry or just a placement in a IT Security position? The former will be much more difficult than the latter.
Go back to the Curriculum Design Moron, and insist that since they're internship policy is crippled at best, and thereby crippling your ability to satisfy it, that they should accept you volunteering on say snort for three months.
But, the battle ain't over by a long shot. First you have to convince them, then you have to reach terms. Obviously they aren't going to send you home for three months and accept on faith you've been doing whatever for the snort project. So once you have acceptable terms with your school, you'll then have to find a project maintainer who will work within those terms.
It should be doable. But you'll probably spend three months fighting the battles alone. Ironically, you'll learn as much (and very much the same things...) fighting those battles as you would in a three month internship in lots of places...
To the parent: Galley slave? Lucky SOB, mine allways ended up being paperweights for HR...
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
"Talk minus action equals
check their network vulnerability from the outside then give them a list of some (but not all) of the security exploits you found that you could have used against them had you have been a hacker.
Tell them you will help secure their network and also that you will tell them the other places that their network is wide-open if they hire you.
Alot of new business concepts are forming up out of
need...I pay for lawyers on a prepay plan. Doctors
are forming up 'Boutique Clinics" where you pay up
front a chunk of money and they will take care of
all your outpatient needs by agreement, kind of like
a buffet. I'll bet a huge amount of small business's would be tickled to death to get access
to Computer Security Consultant skills on a prepay
concept...Damn did i think of this....hehehe..
Go For It...
I would recommend you look at simple facets of cyber-security. While being well versed about http://nist.gov/ NIST and http://www.netip.com/links/nsa_guides.htm NSA and related guidance is helpful when speaking about cyber-security... you may want to consider more common security problems for your internship.
...As for industries - well, I would strongly suggest banking, insurance, securities, and healthcare...
For example, many companies have identity management problems - particularly in industries with largescale mergers. Just documenting the variety of identities each employee has on different systems and blueprinting recommendations for consolidation can be a considerable task. Even on a small scale - lashing an identity scheme together for operators in a data center - this can be worthwhile and involved work that may get into topics like logging, auditing, provisioning, policy, identity consolidation, integration...
Likewise, most companies have security policy problems - either they implemented overly restrictive policies and have rapidly bypassed them (using local admin accounts or promoting people to domain admin levels of access), or they implemented piecemeal policies project by project resulting in no consistency and no centralized manner to audit and manage the policies in place.
You may also want to consider application integration security. E.g. web applications that authenticate locally but then redirect the internal user to an external site. The token handling and identity exposure of both the company and the user to the third party site (an outsourced customer service application for instance) is handled differently with each implementation - and consolidation would provide many benefits for businesses varying from retail to financial.
While doing core philosophical cyber-security work may be out of your reach due to the limit of your current credentials - documenting and/or implementing simpler aspects of cyber-security may be an avenue leading to greater opportunities.
1) Hack into a corporate server
2) Fax sensitive stolen data to the same company
3) Offer to become their security guru to prevent other people from stealing their data
4) Proffit!!
//Information does not want to be free; it wants to breed.
and many companies, who just don't see a need for ITS,
:-)
Become a virus writer and a hacker for a while. Not only do you learn more about security, but also CREATE a need
Table-ized A.I.
Are you thinking of Computing Devices Canada out of Calgary? They've hired a few Co-op students over the years. They are a defence contractor that specializes in computers for the Canadian and US Militaries.
Are you on crack? You have to be a complete moron to be using MS Word to edit webpages. If someone doesn't have a decent editor such as Homesite or heaven forbid Dreamweaver then MS Notepad would be a good choice. Microsoft Word is a NOT what you want to use for making webpages. That is like having someone create a page with Frontpage ( a POC imo). Frontpage adds a ton of garbage code that is horrendous. If you've read any decent books on webpage coding you might know this as pretty much all of them advise starting with Notepad if you use Windows.
I can't even believed you mentioned Indian outsourcing. The offshore tech support for companies now are nigh shy of seeming intelligent. All they provide is cheaper labor, due to US citizens demanding cheaper products.
You must be the manager of the IT department and not an actual IT pro. Perhaps I am just taking your post too seriously; I realize some people make posts in jest. If that is not the case I weap for those IT people that lost their jobs due to people like you!
"When the people fear the government, there is tyranny. When the government fears the people, there is liberty."
They're headquartered in Chicago (Riverwoods).
Many companies now outsource their security
to what is perceived to be lower cost places
around the world: eg: India and Argentina
Now that's what you call trust.
--
cheers
me
Blessed are the geeks for they shall inherit
the old re-cycled 'puters.
I don't know if it would qualify, but I would look into Voulnteer work at charitable organization of some kind. Also, you might get lucky with public schools that have no IT budget.
In a perfect world I would say your correct. But the past speaks for itself. Who better to catch the bad hackers, then someone with experience. Take the case of Frank W. Abagnale jr. I'm not saying that doing the wrong thing is ok, I'm saying knowing how to do the wrong thing is of great benefit.And the government will and does hire those with that expertise.
Danger Will Robinson! You are now entering a condescending Unix user zone!
While I don't agree with blind corporate loyalty (I'm self-employed), I thought I'd point out that the Rich Dad, Poor Dad book by Richard Kiyosaki has been subject to criticism. (That's just one of the many sites, but it's the most thorough, IMHO.)
-- SYS 64738 --
I'm saying knowing how to do the wrong thing is of great benefit.And the government will and does hire those with that expertise.
I can't disagree with you about that.
That is why a lot of these forensics/computer security programs are actually taught by reformed blackhats. One is taught to "think like a crimminal," but generally under the protection of proper permission, and signed papers.
They actually "unleash" these students on systems as part of red or blue teams, but always with prior permission.
That is how they get a lot of the expertise of how to go about doing the wrong thing, while still not technically maliciously hacking, making them AOK in the government's eyes.
It seems that a lot of the strictness in hiring (being concerned with hacking pasts and such) is fairly new. I suppose that I should check out your case study, but I was under the impression that the three-letter agencies had tightened up on things like that.
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
The best way to get an internship is to start about a year earlier. With my students I start posting and discussing internship opportunities with my sophomore classes. This gives them time to apply. Since regional Universities don't have the clout for big name contracts it can be harder to find placements. I average 7 to 10 direct requests a semester for my best brightest students. Our security program is in its infancy so I expect that to grow. I also for a limited amount of students accept undergraduates into research billets where they get to hack on grid computers and forensically analyze all those trivial traces we do (grunt work). This is also a growing area and usually is going to the student who has already identified they are going to graduate school. During Christmas break three students and I are setting up a 100 node Beowulf cluster to build signatures and traffic analysis models for a research project. For a real select few starting this year I've started taking star students and we are beginning to publish their independent projects at conferences. The first one should be in April. I expect that will draw demand both for our program and the students. Getting the students work out in the open I'm hoping will make internships easier. Since our program is just getting off the ground we are pushing the students work to show what they can do. I think next semester we are going to build some portfolios of students work and that may help the process too. For the student doing it on their own I would likely start by preparing a portfolio of projects, papers, and laboratory assignments. That is your school work or thinking work to prove you're smart. I would then take my best projects and build upon them to show that you have skills. Build a resume or vita around those items and be prepared to show case what you can do and what you think you can do.
--- Location Unknown
if the companies don't see a need for ITS now who do you think is going to hire you after you graduate?
my karma will be here long after I'm gone
If the work doesn't have to be paid-for, or paid-work at a high rate, could you work for / volunteer for a variety of computer-security publications and conferences that you may be able to support. Go to their web sites and inquire.
:
c urityAssociates.com
You could be exposed to a variety of topics and subjects relating to information security, and deal with balancing issues related to what subjects are pivital in different infosec themes:
There are some academic venues
National Information Systems Security Conference (NISSC) - don't know that this is still running. Perhaps it is, or there is something similar.
http://www.ncisse.org/
Colloquium for Information Security Education
"Hacker Magazines":
2600: The Hacker Quarterly
http://www.2600.com
Blacklisted 411:
http://www.blacklisted411.net
Binary Revolution
http://www.binrev.com
Anyway, I'm not saying that anything would come from it, but these are a few organizations that you might want to contact.
- Sam
http://www.iamsam.com
http://www.NitzbergSe
Try a Big 4 accounting firm, or one of their (formerly related) consulting wings. These organizations often have a large IT Security practice, and are experienced in hiring co-op students (accounting students for financial audits). I'm working for one of the big 4, in a security-related job, and I came in with very little relevant experience. I've found it to be challenging, but ultimately rewarding.
I teach CS at a community college, and I have to say that I am horrified at the response of academia to the need for security professionals. Jump on Monster sometime and search on "Computer Security". 90% of the jobs out there require at least 2-5 years beyond a BS, and a quarter require closer to 10. Security, done right, is very difficult work, and not something that can be simply taught to people in an academic setting. At least in the poster's case it's a four year program, and not one of the plethora of "here's how you set up this router" 2-year degrees popping up all over the place.
You're not going to find that security related job (without an extreme amount of luck), because you don't know security. In my opinion, any claims by your school that they are teaching you security in such a way that you will be qualified to work in it are fraud. The problem is, if you're being short-changed the rest of a general CS curriculum, they're not going to send you out qualified for anything else either.
As a recent graduate in CS I'd say interning or a COOP placement is necessary for the average college student. Getting your foot in the door with some experience is often the hardest step. Second hardest step is finding a good door to step in.
My advice is go to any career fairs and try to make contacts. Don't be afraid of going to local businesses and seeing if they would consider an internship position. This is your chance to find a real job before you are the only one paying the bills.
This college is trying to do you a favor.
Not bad, you actually had me going til the bit about Word :)
For the love of God, please learn to spell "ridiculous"!!!
Hook.
:)
line.
and sinker.
Check who's posting when you reply, you may realize you're wasting your time next time
cyn, free software and *nix operating systems enthusiast.