Slashdot Mirror
Finding Student IT Security Placements in the Industry?
CABAN writes "I am a third year computer security and investigations student. My program requires a three month placement in the IT security and forensics industry. Finding an appropriate learning environment seems to be harder than I expected. Lack of security clearance, no real world experience and many companies, who just don't see a need for ITS, are the critical shortfalls right now. What tips does Slashdot have for finding organizations who are willing to let students get involved with sensitive security procedures and cases?"
if you want to come manage security patches for a few thousand windows, aix, solaris, and linux machines for me, let me know.
MORTAR COMBAT!
My program requires a three month placement in the IT security and forensics industry.
Your program should then have some mechanism to facilitate such placement. Most programs that require intenships provide assistance in placement. If yours doesn't, then you are being shorted. This isn't a DJB class is it?
How about working for your school's IT department helping to clean and/or investigate compromised machines. They could probably use the help. Is .edu not real-world enough?
a program that requires an internship that it is unable to provide support for? you might want to talk to the career center of your school....
BP http://www.card-central.com
It appears they are in need of a good security consultant.
These companies are both expanding their security apparatus and also are both industries known to be in love with the college intern concept. I interviewed for several security positions at insurance firms (specifically car insurance) who were hiring something like 5 or 6 security architects in one shot. Try to apply to intern programs there or at big Financial.
Do what everyone else did.
Hack into a bank and get caught.
You'll get a few years in the state pen, but then you'll be a hot commodity.
(P.S. This is one fucked-up world.)
1.You need a job but the companies only want people with security clearances.
:)
2.You can only get a security clearance if you work for a company that will pay for it (and justify it).
Rinse and repeat.
My suggestion would be to get a position which doesn't require a security clearance with a company that has security positions available. The company is more likely to hire you into one of those positions and pay for your security clearance, if you already work for them. That's what I'm doing (sorta).
Course, I don't have a clearance yet so maybe it's not the best idea
-Teiresias
I hate to say it, but this is a difficult thing to get into. The problem is getting your foot in the door, just as you are trying to do. Offer your services to some companies for free if you have to. That may be all you can do to get any experience in the field. It's good that you are in a program that specializes in security though, because it's harder to make the leap from a degree like Computer Science straight into IT security. Once you meet the requirements though, you absolutely must go get your CISSP (certification, you probably know of it) if you want to advance very far. It can be a lucrative field, but experience and certifications, rather than traditional education, are the biggest factors in being successful at it.
I would be looking at smaller companies and offering what you have to them. Most cannot afford security consultants and would probably welcome your expertise perhaps on a intern or consultant basis. The other obvious option is to talk to those companies that build security software for a living.
.02
My
Yeah? Well I think you're overrated too.
Focus on infrastructure, especially hospitals. Hospitals are used to the idea of intern types, and they usually have contract deals set it up with recruiters. Standard Job location procedures apply here... your average job sites apply, and they are chock full of openings. Don't expect to get into forensics right away... It's not an easy job, and if a particular shop is doing it, its going to be for a legal case. There is hope for you however: alot of places do train, because forensics procedures vary shop to shop. Everyone has their own way to doing it... and that is fine as long as the documentation is rock solid and you can provide a good chain of custody process. In this arena, its not just good technical skill that is the issue, but also how well you can document things. We, as technocrats, seem to have a disdain for writing things down, and documentation is paramount to forensics. Bottom line: you are new, and there is nothing wrong with that. Put together a resume, and get it out there. Draw on your personal experience, because thats all you have to work with at this stage in the game. Good luck.
Its a 12-week program following the student's third year.
As a participant in the Summer Network Evaluation Intern Program (SNEIP) you will acquire an appreciation of the challenges our Nation faces in network security as it relates to real-world work experiences. You will experience first-hand some of the critical work done at NSA as well as have the opportunity to apply your skills on hardware and software systems to enhance network security and contribute to the security of U.S. information systems.
Sadly, this wont benefit you since the application deadline has passed.
I guess you need some value proposition. Remember that most companies are in the business of making money, and it needs to be the case that you can give more than it takes to employ you in terms of usage of staff time, resources, training, office space. Here are a few ways you can do this:
- Offer to help with more general systems development/support as well as the security element. You might have to spend a signficant percentage of your time acting as a cheap coding monkey in order to get exposure to the stuff of relevance to you.
- Offer to train other staff free or charge, or provide audit or documentation for systems.
- Highlight the risks of security problems in terms of real monetary costs to an organisation who don't invest in security.
- Sell yourself as an independant and pro-active potential employee who won't be a drain on resources.
- Be flexible in the work and projects that you can offer. Remember that you will only be hired for the work experience if you can fill a valid required business objective.
- Cast your net wide, and speak to people on the ground in an organisation. Contacting a small group of companies via HR departments is a guaranteed way for your e-mails to end up in a black hole.
- Get on the phone or right physical letters. They're emotionally harder to discard or ignore than an e-mail.
- Remember to contact non-obvious choices such as schools, charities, NGO's, open source projects?
- Above all, be enthusiasitc and state your willingness to learn!
Vacancy for signature. Apply within.
This is a highly-competitive program but they will hire college student who go through the standard battery of background checks (including polygraph). Details can be found here
Although you might not like the prospect of it, ont of the easiest ways to get a security clearance and on the job ITS experience is to work for the Department of Defense, particularlly the Air Force.
We are always looking for talent. Or interns. Hope you like snow, HQ is in Pittsburgh.
trustedworlds.net - gaming, security, and the gunk that lives in between
My university also has a full-blown co-op program. It operates by contacting businesses across Canada and asking if they would like to have some of their students apply for jobs. Then us students go through a process much like applying for a job in the "real" world. I think this is much better than having some scruffy third year student (like me) call them up and ask if they want to hire him (or her) for a security position.
Also, there is a precedent for security companies hiring Co-op students. If I am not mistaken, The Canadian Security Company (I can't remember their proper name, CSE or something like that) hires some students from my university every study term. The students have to go through a security clearance process that has several requirements such as: you must be a canadian citizen and, criminal record checks and such.
if you want to see our website, go to www.cs.unb.ca
So yeah, the point of all that is to tell you to definitely get in touch with your advisor. I'm sure you have a course advisor (if you don't, get one!). He or she should be able to point you in the right direction.
rydawg --
The only way to get that security clearance is to start the process, and start it early. I notice that you are from Canada, so I can't give any advice specific to your situation, but I am sure that the Canadian government has cybersecurity internship slots.
/. commenters, find it odd that your program has a service component involved and no contact network or career advising attached to it. Frankly, if you're early in your studies, I would consider going elsewhere. Most programs that have service components have professors or advisors with vast social networks that can place you in a good position. I would certainly check with your professors and make sure that there isn't an unofficial social network there that they can get you hooked into.
Apply to one of those and the government will usually pay for the security clearance. A lot of times, government positions rotate their interns into many security positions and place them with a mentor, so you get the benefit of varied experience. Even better, these are most often available during the summer (three month vacation to a security position works) and since most places start processing in December/January, you're right on that edge for applying.
I suggest you check out your own various government agencies and send your resume out. Processing time for young people usually borders about four or five months (although it can take over a year), which would put you, if all goes well, at the perfect timing to get one of these positions. And, better, agencies often hire their interns for full time positions when the students graduate, and you will already have your clearance.
I, however, like many
But if you are planning on going into the security profession, that security clearance is something you will want/need anyways, so if you can get it now, all the better!
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
I will definitely not allow any students who think they know so much in my IT-department. They might know a bit about their childish Linux, but they are just not up-to-date with modern Microsoft-technology.
Editing configuration files with a text-editor is really brain-dead -- that's what a graphical user interface is there for, to prevent erroneous data from endangering the system.
Some of them even have no clue how to maintain w decend web site. They insist on installing an ancient editor instead of using the standard-compliant web-editor of Word.
What do they teach you?
Sometimes I am really glad that we were able to outsource our security to an Indian company with competent people. The United States are really going down the drain with the students we see nowadays.
Quite honestly this is probably the easiest way to get security clearance. I started off working for Arctic Polar, which does FAA contract work. The program requires that you're a college student only, working towards a related degree. The placement was simple and they paid for my security clearance right away. Any of the Boeing/Lockheed Martin type places have programs for college students that both pay well and get a leg up on future security requirements. And in my case, turned into a permanent position for me after graduation.
If you're half as beautiful naked, you'd be 4 times as beautiful with twice as many clothes on.
I was a gaming agent for the Tulalip Casino up in Marysville, WA. I was responsible for inspecting the slot machines, which in Washington state are basically networked computers. (They have no internet connection if you were wondering.)
These places are always looking for good, qualified people and seem to have trouble getting them. I was one of two people in the whole agency with a CS degree, making me uniquely qualified. Generally, they have to take people with a criminal justice degree and teach them the ins and outs of the computer system. They would love someone already trained in computer security.
Besides looking at your local casinos, you can also check out the slot machine manufacturers. Sierra Design Group, located in Reno, is a group I highly recommend. They have an awesome, stable product, that the industry loves and runs on Unix. They're a subsidiary of Bally Games, so you can find their job page here.
Another computer, located in Austin, is Multimedia Games. They pretty much have the lock on the class 2 games. Here is their jobs page.
Almost all of the computer security professionals I know, with the exception of some lucky ones who happened to get trained in the military, have had to do grunt IT work of one sort or another before moving into the field of IT security.
Don't expect to get involved in computer forensics straight off the blocks. As a previous poster mentioned in a roundabout way, look for a security position that's more closely affiliated with a traditional IT role (patch management is a good example).
Though I don't want to take the wind out of your sails entirely, I think that you shouldn't expect to get into the glamorous side of IT security without demonstrating that you have a thorough grounding in IT by doing some sort of sysadm/networkadmin work, or even (gasp) phone support work first.
Of course, if you're willing to work for free, there are quite literally dozens of sites and groups out there who would probably benefit from some sort of IT security assistance, even in your field. Things that come to mind immediately are the EFF, blackboxvoting.org, or any of hundreds of different nonprofits that have a web presence and probably don't have 3rd party audits of their site. If you or any of your friends volunteer for a nonprofit already, why not check and see if they'd like you to set up a computer security program for them?
Finding an appropriate learning environment seems to be harder than I expected.
Now, I want you to really stop and consider this for a moment...
You can't find work as slave labor in your chosen field, and you think you'll do a whole lot better once you graduate?
Switch to a business or marketing major now. If you can handle IT, a quick lobotomy aught to get you through such a degree in no time at all.
Hi - I teach programming here in CANADA at the post-secondary and continuing education level (so I am aware of your situation as a Canadian student) - my practice was based on all things practical, and a little bit of opportune timing. You could for example, go back to your high school (if you had good relations with them) and demonstrate vulnerabilities in their network security, fix it, and demonstrate this as a case study of your work. It would be nice to get some money for it, but you may have do things like this for little or pro bono until your resume clearly demonstrates your experience. Stress how it can relate to corporate and enterprise level security (if that is what you are aiming for)...Technology has come down to a level such that a large amount of the general population is aware of security measures for computers and networks - demonstrate that you can do more. On the other hand, you can always hack a website LOL.
just a web application developer and instructor in Toronto, ON Canada
Perhaps you could volunteer your time on a large FOSS project doing security audits, patches, testing, coordination, analysis, etc.
For example, the BSD projects have dedicated security officers. Other projects could probably use help. Pick large ones that have some substance (legal corporate/non-profit structure, etc) to them: Mozilla, the Apache Software Foundation, etc.
The NSA's stated requirements...
Must be a U.S. citizen
Must be a college student majoring in Construction Management, Supply Line Management, or related Facilities/Logistics field
Have a minimum cumulative grade point average of 3.0 on a 4.0 scale
Must possess strong written and oral communication skills
Eligible to obtain a high-level security clearance
Must have reliable transportation to and from work
As noted, this year is out-- they take applications from August 1 through November 15 for the following summer. However, the first requirement is likely to be the deal-breaker. The student states they are in a "computer security and investigations" program-- this strongly suggests the querent is in the Fleming College program, in Ontario, Canada.
If so, inquiring whether the Communications Security Establishment has a comparable program; however, their student/coop page doesn't seem overly promising.
//Information does not want to be free; it wants to breed.
Assistance has been limited because the program was originally developed for an applied project. Placements were last minute options. This is a Canadian program. http://www.flemingc.on.ca/Full-time/ProgramDisplay .cfm?ProgramCode=CSI
...but I really think anyone involved in IT security should have at least 3-5 years in the trenches first. If you *really* want to know your stuff this is simply a requirement. Finance or Medical is a good proving ground, but infrastructure (power companies, etc) is starting to be a good one too.
My advice would be to get a sysadmin or operational job first, and spend every second of free time addressing the security aspects in that environment. Then when you move into a security specific job you have some meat to talk about: "well at company X we implemented Plan Y to address this issue", and "I found that we consistently had problem Y". I personally would be very skeptical of a security pro right out of school.
I'm an IT Manager and the last thing I'm going to do is let an Intern anywhere near equipment relating to security at my site. I use Interns to setup PC's and help with the IT grunt-work around the office but giving access to the routers, firewalls and IDS systems to a newbie...sorry. It's like handing over the keys to your Ferrari to someone with a learners permit. I can appreciate the situation, you gotta start somewhere. My suggestion would be to Intern in a plain vanilla IT role and after graduation become a Systems Admin somewhere for a while. Then work up to the Security side of the house. The school that set up this program should re-evaluate this requirement.
A few things...
1) The security consulting industry is larger then a lot of people realize. This would be one of the first places to look for beginner level positions.
2) Not all security jobs require security clearance, only government jobs (or jobs that are in some way related to government work) do. There are several industries that require the services of a security consulting company. For example, Financial intuitions are *required* to have independent security audits performed of their IT environment. There are various regulations out that motivate companies to hire security people (GLBA for financial institutions, HIPAA for healthcare, etc.)
3) Security professionals are in more places then you might realize. Any one of the top 15 accounting firms in the nation will most likely have a security consulting practice. There are countless managed security solution providers. There are companies (many of them!) that do nothing but provide real time 24x7 monitoring to their clients. Any one of these companies can usually find use for an intern, especially one that has the information security mindset, and most of these will not require a security clearance.
4) Contrary to what some may have you believe, certifications aren't everything. You can not get your CISSP until you have 3 years of experience (assuming you graduate) or 2 years of experience (assuming you graduate with a Masters). No company that is looking to hire an intern will be looking for that intern to have their CISSP or CISA.
5) Good news, the security industry is booming and everyone is hiring. The company I work for has consistently hired more people every year since I started. Three years ago there were 30 professionals dedicated to information security consulting, now there are about 85, a large portion of which were hired straight from college.
So, in summary, I would focus your efforts on companies that perform security services such as consulting companies (read: accounting firms, and specialty firms like the foundstones of the world), managed service providers, datacenters and various niche services such as real time intrusion detection shops. Start making phone calls, asking if they have a security practice, and who you could talk to about a job. These places are hiring, if you aren't on their radar already, it's up to you to put yourself on their radar.
I would recommend you look at simple facets of cyber-security. While being well versed about http://nist.gov/ NIST and http://www.netip.com/links/nsa_guides.htm NSA and related guidance is helpful when speaking about cyber-security... you may want to consider more common security problems for your internship.
...As for industries - well, I would strongly suggest banking, insurance, securities, and healthcare...
For example, many companies have identity management problems - particularly in industries with largescale mergers. Just documenting the variety of identities each employee has on different systems and blueprinting recommendations for consolidation can be a considerable task. Even on a small scale - lashing an identity scheme together for operators in a data center - this can be worthwhile and involved work that may get into topics like logging, auditing, provisioning, policy, identity consolidation, integration...
Likewise, most companies have security policy problems - either they implemented overly restrictive policies and have rapidly bypassed them (using local admin accounts or promoting people to domain admin levels of access), or they implemented piecemeal policies project by project resulting in no consistency and no centralized manner to audit and manage the policies in place.
You may also want to consider application integration security. E.g. web applications that authenticate locally but then redirect the internal user to an external site. The token handling and identity exposure of both the company and the user to the third party site (an outsourced customer service application for instance) is handled differently with each implementation - and consolidation would provide many benefits for businesses varying from retail to financial.
While doing core philosophical cyber-security work may be out of your reach due to the limit of your current credentials - documenting and/or implementing simpler aspects of cyber-security may be an avenue leading to greater opportunities.