Slashdot Mirror
Infosec Career Hacking
nazarijo writes "Plenty of people are curious as to how to become an information security
professional. It's a profession that has a bit of an establishment atmosphere
to it where entry to various levels is granted in secret. And it's often
hard to understand where to start. Infosec Career Hacking
attempts to demystify this process and show you not only generic strategies
for employment, but ones specific to the information security field." Read on for the rest of Nazario's review.
Infosec Career Hacking: Sell Your Skillz, Not Your Soul
author
Aaron W. Bayles, Chris Hurley, Johnny Long, Ed Brindley, James C. Foster, Christopher W. Klaus
pages
448
publisher
Syngress
rating
7/10
reviewer
Jose Nazario
ISBN
1597490113
summary
Career guide specifically tuned to the information security professional
The first part of the book is especially useful, and I think provides most of the value that's not available elsewhere. Things that are covered may seem like basics that people should have just picked up, but it's hard to know what you're supposed to know when you change environments, let alone see it all together in one place. I find this section to be especially useful and reasonably well written.
Chapter 1 opens up with a basic orientation of the infosec landscape, including the types of companies and organizations you may want to look at working with, the types of work and positions you see typically, and what kinds of skills you'll need to consider get the interview, let alone the job. Chapter 2 is much like a hacking book in that you're encouraged to perform some scout work on your potential places of employment. Good advice, and it's nice to see it demonstrated. Chapter 3 talks about getting experience and getting your feet wet in the infosec world. Things like conferences, local groups and meetings, and even security clearances are covered. A nice overview, but a it shallow in places, too. Chapter 4 focuses on the resume and the interview, the kinds of things that normally jump to mind when you think about career hacking. A decent overview, and good things to learn.
Part 2 focuses on technical parts. These chapters, I felt, were a bit thin on value and attempted to provide too much coverage but without the depth. What I felt this part of the book was trying to do was to be a quick overview of what you should know if you want a career in information security without any of the work it takes. Because this is such a broad amount of material, and the book only spends about 180 pages on it, the coverage isn't deep. Instead, the cursory coverage is a detriment to the book's value.
Chapter 5 is where I found the most material to complain about. This chapter is titled, 'The Laws of Security', and can be used for your benefit or your downfall. In the right hands, where the nuances that come from actually encountering these challenges in the wild and discovering the reasoning behind them, you can display wisdom. In the wrong hands, where you can't successfully defend a challenge to these axioms, at best you'll appear to be someone who parrots security luminaries, and at worst you'll look like an uninformed buffoon. If you decide to accept conclusions without understanding the reasoning behind them, you're asking for it.
Chapter 6 talks about building a home lab of machines for attack. I felt this chapter devoted too much time to drooling over gear and not enough time discussing more equipment and more valuable gear. Large classes of lab resources, including enterprise applications, networking gear, and even commercial security software was left out. The disclosure debate was reasonably well handled in chapter 7, discussing the various ways that people have established this process. What's missing here is how to actually find where to send the report to and how to ensure it's been acted upon. And finally, a nice, succinct and reasonably comprehensive (if a little too short at times) classification of vulnerabilities and attacks fills chapter 8.
Part 3, 'On the Job', is for when you finally have the position and now you want to keep your job, advance your career, and improve your skills. Unfortunately, this section feels a bit undeveloped in too many places. There's a lot to cover, but the chapters here lack any significant depth to them, and it doesn't feel like they really deliver as strongly as they could.
This section opens with an approach to your career much like an intruder would take to advancing their compromise. Chapter 9 covers how to perform scouting of your new environment, how to get through meetings without messing up, landing your own projects and succeeding with basic project management. Thinking about striking out on your own? That's natural, and the next few chapters will help with that. Chapter 10 is a short list of ideas on how you can use your new knowledge and skills to benefit others, which can help you build a name for yourself and maybe even clients. Chapter 11 looks like it's trying to encourage you to become a local leader of information security knowledge, using that information specifically for incident response. In a crisis, everyone loves a hero, so why can't that be you? And finally, the book closes with a chapter on how to start looking at being an independent consultant. It's been said that you'll never succeed working for someone else, so why not work for yourself? This chapter introduces you to some of the possibilities here, along with some of the considerations. Overall, these chapters have some clear value to them, but because they try and cover so much, they feel underdeveloped and fail to really deliver a strong benefit to the reader.
One of my big concerns when I began reading this book was that it would encourage you to simply become another script kiddy type consultant, capable of downloading a few tools and use old hat techniques to deliver sub-par results. That's a crowded marketplace already, so I didn't want to see anyone encourage that. Instead, it tries to impart valuable career skills. My big complaint is that it tries to do so much that it can't possibly succeed in all of them. It does a decent job, but in some places it definitely lacks the solid landing to make it stick. Overall, though, this uncommon book is a nice twist on the old career guides, tuned for the information security market.
You can purchase Infosec Career Hacking: Sell Your Skillz, Not Your Soul from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
The first part of the book is especially useful, and I think provides most of the value that's not available elsewhere. Things that are covered may seem like basics that people should have just picked up, but it's hard to know what you're supposed to know when you change environments, let alone see it all together in one place. I find this section to be especially useful and reasonably well written.
Chapter 1 opens up with a basic orientation of the infosec landscape, including the types of companies and organizations you may want to look at working with, the types of work and positions you see typically, and what kinds of skills you'll need to consider get the interview, let alone the job. Chapter 2 is much like a hacking book in that you're encouraged to perform some scout work on your potential places of employment. Good advice, and it's nice to see it demonstrated. Chapter 3 talks about getting experience and getting your feet wet in the infosec world. Things like conferences, local groups and meetings, and even security clearances are covered. A nice overview, but a it shallow in places, too. Chapter 4 focuses on the resume and the interview, the kinds of things that normally jump to mind when you think about career hacking. A decent overview, and good things to learn.
Part 2 focuses on technical parts. These chapters, I felt, were a bit thin on value and attempted to provide too much coverage but without the depth. What I felt this part of the book was trying to do was to be a quick overview of what you should know if you want a career in information security without any of the work it takes. Because this is such a broad amount of material, and the book only spends about 180 pages on it, the coverage isn't deep. Instead, the cursory coverage is a detriment to the book's value.
Chapter 5 is where I found the most material to complain about. This chapter is titled, 'The Laws of Security', and can be used for your benefit or your downfall. In the right hands, where the nuances that come from actually encountering these challenges in the wild and discovering the reasoning behind them, you can display wisdom. In the wrong hands, where you can't successfully defend a challenge to these axioms, at best you'll appear to be someone who parrots security luminaries, and at worst you'll look like an uninformed buffoon. If you decide to accept conclusions without understanding the reasoning behind them, you're asking for it.
Chapter 6 talks about building a home lab of machines for attack. I felt this chapter devoted too much time to drooling over gear and not enough time discussing more equipment and more valuable gear. Large classes of lab resources, including enterprise applications, networking gear, and even commercial security software was left out. The disclosure debate was reasonably well handled in chapter 7, discussing the various ways that people have established this process. What's missing here is how to actually find where to send the report to and how to ensure it's been acted upon. And finally, a nice, succinct and reasonably comprehensive (if a little too short at times) classification of vulnerabilities and attacks fills chapter 8.
Part 3, 'On the Job', is for when you finally have the position and now you want to keep your job, advance your career, and improve your skills. Unfortunately, this section feels a bit undeveloped in too many places. There's a lot to cover, but the chapters here lack any significant depth to them, and it doesn't feel like they really deliver as strongly as they could.
This section opens with an approach to your career much like an intruder would take to advancing their compromise. Chapter 9 covers how to perform scouting of your new environment, how to get through meetings without messing up, landing your own projects and succeeding with basic project management. Thinking about striking out on your own? That's natural, and the next few chapters will help with that. Chapter 10 is a short list of ideas on how you can use your new knowledge and skills to benefit others, which can help you build a name for yourself and maybe even clients. Chapter 11 looks like it's trying to encourage you to become a local leader of information security knowledge, using that information specifically for incident response. In a crisis, everyone loves a hero, so why can't that be you? And finally, the book closes with a chapter on how to start looking at being an independent consultant. It's been said that you'll never succeed working for someone else, so why not work for yourself? This chapter introduces you to some of the possibilities here, along with some of the considerations. Overall, these chapters have some clear value to them, but because they try and cover so much, they feel underdeveloped and fail to really deliver a strong benefit to the reader.
One of my big concerns when I began reading this book was that it would encourage you to simply become another script kiddy type consultant, capable of downloading a few tools and use old hat techniques to deliver sub-par results. That's a crowded marketplace already, so I didn't want to see anyone encourage that. Instead, it tries to impart valuable career skills. My big complaint is that it tries to do so much that it can't possibly succeed in all of them. It does a decent job, but in some places it definitely lacks the solid landing to make it stick. Overall, though, this uncommon book is a nice twist on the old career guides, tuned for the information security market.
You can purchase Infosec Career Hacking: Sell Your Skillz, Not Your Soul from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Why must every advice book for geeks have the work "Hacking" in the title? Instead of calling it a career advice book like they would for any other profession, it's "career hacking". Wasn't there some topic on Slashdot about "car hacking"? Maybe somebody can publish a cookbook with foods that appeal to geeks and call it "Food hacking". Maybe I should go register that trademark right now...
Microsoft is making more secure software so security profesionals will no longer be in such great demand
1. Learn about computers at an ivy-league but technically questionable university.
2. Ask your well-connected buddy from said university if you can join him working at the NSA.
3. Get a job in security because you're just "the right kinda guy".
"It's not your information. It's information about you" - John Ford, Vice President, Equifax
Not that they're having me interview the information security personnel anyway*, but not in a million years would I ever hire someone who talked that way...
* To their detriment -- at least I'd find someone who knows there's more to security than making users change longer and longer passwords more and more often.
What I'm listening to now on Pandora...
just show 'em how you set up a 'leet ftp site with 0-day warez on Paris Hiltons sidekick. That'll get you the job no problem.
And once you're in you'll be able to afford your very own sidekick!
awesome!
Starsucks
..."don't bother." A lot shorter and more concise than the 6kB mini-review Timothy gave it. I suppose it makes him look like he reads bad books too, and isn't just writing advertisement copy.
Is it just my observation, or are there way too many stupid people in the world?
Hacking your career? Some managers might get upset with this. :-)
My biggest problem with this type of title is that it assumes your career is something that can be ordered online, like a book. The best security folks I've found have a passion for the topic. They're obsessed with finding vulnerabilities and closing them. I think your money might be better spent on some of the exciting books in the area like Applied Cryptography .
InfoSec careers are often unglamorous. Writing, policies, making integration recommendations, attending spec meetings, reviewing logs, etc... No, your typical InfoSec career isn't being a White-hat security reseacher.
Often, with less-than-enlightened organizations (most of them), a good bit of your activity is justifying your own existence, as InfoSec is a cost-center and doesn't bring anything to the bottom line, unless you get hacked of course. In which case, you're there to take the blame (for management not following your advice).
Am I bitter? Of course! But I still love my job...
...have already lost their souls. Repent, sinnerz!
As a former hiring manager at a major corporation I look at this from a different point of view. Are people telling the talent how to get my attention? From the review, the title, and the way information is being imparted (apparent from the review) I would say not. If you want the big job with the big pay check get a real education along with the skillz. If you want to be a trusted partner in the security of a company you had better be able to communicate and do TCP/IP math. Maturity, professionalism, and education are more important the being some leet hacker wannabe. The corporate network is not the place to learn nor is it the playground for the disgruntled. Where have all the old school hackers gone? Where are the people who could actually write code, and configure networks too?
--- Location Unknown
Remember kids -- if there's a brand-new black SUV out in front of your home within 15 minutes of replying to a post on Slashdot, you may not have hacked your way into a career in the infosec industry, but at the very least, you've earned yourself a very exciting job interview!
My advice for people wanting to get into information security is to tune up your mathematics skills. In everything from cryptology (design to implementation) through to secure system programming and even information theory, having a solid grasp of modern mathematics (axiomatic set theory and modern algebra) can make a huge difference.
Perhaps they mean something different by "Infosec" (the fact that the book has the word "skillz" in the title is perhaps a hint), but from my experience a solid background in advanced mathematics is invaluable.
Jedidiah.
Craft Beer Programming T-shirts
Guys, this book is an answer to the endless "How to I break into the industry?" type messages. It's written toward a younger crowd that is aspiring to be professional, not necessarily the 10 year vets who know this stuff already.
Of course, it's a lot easier to troll on slashdot and whine than it is to actually write a book.
But if you actually got off your butt and wrote one, you can rest assured the trolls here would rip it to shreds.
Even if some magic wand made MS 100% secure (and really it's not that far off) by default, there would be tons of work for security professionals. For example the recent brewhaha over the Cisco OS, the insecurity of DNS, and just the stupid way so many corporate networks are set up and maintained.
What good is a secure Windows network when your server room and backup tapes are destroyed in a fire?
Back before the Fourth of July, a major bank in Wisconsin had a major fsck up that resulted in direct deposit for its client companies not being deposited. In our company alone, over 1000 people had to get their check overnight expressed to them. Multiply this by hundreds of major employers across the state who used this bank, including government payrolls and this was a major incident that wasn't mentioned once in the media.
This disaster most probably had nothing to do with Microsoft, but was the result of poor administration of a complex system with little thought to business continuity. Was it a security breach, or just bad software -- I don't know. But if they had decent Security principles in place the fiasco would have been contained immediately saving the bank millions in overnight courriers, overdraft refunds and lost customers.
This is what Computer Security is all about, not just protecting computers from bad guys, but protecting data and its processing from the uncertainty that the world creates. As systems become more and more complex, this uncertainty is increased as is the need for better security.
Interestingly, the parent is correct in that this is a path that a lot of people are taking, and an added bonus is that you end up with a current (and valuble) security clearence. KJust keep in mind that it's safest to join the Air Force, us "pretty boys" tend to stay out of the line of fire. You do have to be willing to "whore" yourself a bit and keep your mouth shut about politics. Oh, and drink like a sailor but stay away from smoke...
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
That's not the theme, that's marketing. They're trying to sell the book to that demographic.
I would imagine the book doesn't speak that language, nor encourage readers to do so.
"Ask not what your country can do for you." --John F. Kennedy
>>> at least I'd find someone who knows there's more to security than making users change longer and longer passwords more and more often.
Don't forget blocking portZ! The truely 3l33t InFoSeC H3ck3r blocks all the portZ he can with his F13ew311! Cool!!
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
1. Don't get in trouble with the law (other than traffic/minor juvenile offenses)
2. Don't screw up your credit (i.e. bankruptcy)
3. Don't use drugs (rather, don't admit to or get caught using drugs)
4. Keep your alternative lifestyle choices in the closet
Or, barrring any or all of the above:
Enlist in the U.S. Air Force, lie to your recruiter, pass the Defense Language Apptitude Battery, and become a RC-135 Rivet Joint crewmember - arabic speakers preferred
What?
Another book from Johny Long. Does he ever rest?
...and one flew over the cuckoo's nest.
If you have the right mindset for security work, you'll be delighted by Ross Anderson's "Security Engineering". Once you realize that security isn't a technical issue, slog through Levenson's "Safeware" and draw your own generalizations from the book's case studies.
My perspective in writing this comment is a bit biased since I know the authors of the book. That being said, I have a career where my primary responsibilities fall under the umbrella of infosec so it shouldn't be discounted.
First off, if you can't get beyond the title of a book, then perhaps you fall directly into the elistest category. I know for a fact that the skillz portion of the title was infact the publishers (syngress) decision and not the authors.
Secondly I wish slashdot commenters would actually take the time to see what is inside the book before making statements such as "XYZ would be much more benefitial to know then ABC". The lack of research is shown to those of us who have read the book and are well aware that both XYZ and ABC are included in the text.
Third, I think it is a horrible notion when anyone makes the statement "just goto college right our of High School". Some of the top people in the field that I know, actually didn't go straight to college, they started out in the military. It's a great way to get experience, have money for college and aquire a clearence.
Fourth, while I do agree that some parts of the book could have gone more indepth, I think to do so would have lost the focus of the intended audience (which was not the "experience infosec professional").
Fifth: The notion that the authors are in someone attempting to create script kiddies is simply ridiculous. As I stated before, the title word choice was done by the publisher and if you read the text or any information about the authors you will quickly realize that they know what they're talking about.
Sixth: As was stated in the review, the book does have some draw backs. But view as an entire body of work, for the audience of a geek trying to break into the specialized field of Information Security, I believe it's top notch.
If you need a book with "Skillz" in the title to get a career in security, then--for the love of all things sacred--I hope you fail miserably.
as it seems. I've been in infosec practitioner for a few years now (coming from unix administration), and it's work like anything else. Granted, infosec is considered the "sexy" IT job, but in reality, it's not.
I work for a company that does nothing but security, and I can tell you that while infosec is cool in theory, it's just another job.
Getting a clearance in this gig allows one to have even more choices within the infosec arena, but then you are almost always dealing with federal stuff (even more boring and restrictive).
Forget what you see in the movies, kids. It's just that. Forget EVERYTHING you see in the movies.
I've done everything from firewalls to risk assessments, and I can tell you that I wish I were doing almost anything else IT-wise sometimes. Security is a process, and a tedious and drawn out process. People don't listen when you tell them things, even when proof is provided.
I can envision myself making the transtion to usability specialist or interface design. Security is getting old and boring after almost 5 years.
Harvard
Cornell
Princeton
Dartmouth
U Penn
at least one: Cornell had a '93 grad KIA
does one really need a book? check out the following three places...
www.securitydocs.com
www.sans.com/rr
www.oreilly.com (resource centers)
Get busy livin' or get busy dyin'
--Andy, "Shawshank Redemption"
Where have all the old school hackers gone? Where are the people who could actually write code, and configure networks too?
With the way the economy swings up and down like a freakin' yo-yo, this old-school genuine computer-scientist sysadmin/coder/network professional has gotten a government gig. (I do not use the term "hacker" anymore, that word has been hijacked and distorted to mean an evil-doer now) True, I did have to pay my dues of a few years of significantly lower pay, but now that I've got some seniority, my pay is almost on par with the private sector, the benefits and retirement package are absolutely smokin', and I do not have to worry about being outsourced every other day or that some CEO is bankrupting the company in order to inflate his golden parachute right before he bails out.
Talk to me about increasing my salary to 125% of what I'm making right now plus match all my benefits, plus guarantee me 10 years continuous employment contract with all 10 years salary increasing at minimum 3% per year or the cost of living increase for the D/FW TX region, whichever is greater annually, and put my entire future salary into escrow so I'll be guaranteed to be paid even if the private company goes bankrupt (and in the case of bankruptcy the entire future salary becomes payable in full and immediately withdrawable from escrow by me 3 business days before the company can file their bankruptcy papers in court) then I'll be willing to go to work for your private sector company.
But anyway, yes, yes and yes!
I'm definitely seeing where in corporate I.T., it's almost *entirely* about who you know, plus "to the biggest B.S.er go the spoils".
Where does "formal education" come into play? It's pretty much a "key" that turns the "lock" of the H.R. department. They typically don't understand a thing about what the company is really looking for in a technical position like an I.T. opening. So they serve as "gatekeeper", screening for what basics they know how to screen for. If the hiring manager told them he specifically wanted a certain certification, then they toss aside all resumes not listing that one. Otherwise, they ignore that stuff entirely and they look for a "4 year college degree".
If you want to bypass that, you have to know somebody on the inside who can push your name to the top of the hiring manager's stack of resumes. (In larger companies, you can't really "sidestep" H.R. yourself, but the hiring manager can always inform them to "stop looking" because he "found what he's looking for".)
But short of knowing somebody who can try to get that door open for you someplace, I think the most important factors for getting hired become all the wrong things. EG. Maybe a place is all gung-ho on the whole "team player" concept, so they're judging how well you generally seem to "fit in" with whatever their department's "corporate culture" is. You might be perfect for what they need, but you didn't happen to talk about going golfing on the weekends or seem enthused enough to go introduce yourself and shake hands with random employees you walked by during the little "tour" of the place someone gave you. Who knows?
The new term for Infosec is "Information Assurance and Security". You want to find a university that offers an IAS program and attend it. The NSA has an IAS certification program if you look arround their website you can find NSA accredited IAS programs. Most notablly are programs offered by Perdue University at thier Center for Education and Research in Information Assurance and Security (CERIAS).
UMFK is also a good choice for Information Assurance and Security if you can't afford Perdue's tuition rates.
Once you have a degree with an IAS specialization it's not hard at all to find internships and eventually job opertunities in the field as its growing like wildfire. Most IAS programs have their students grabbed up by employers before they even finsih their senior year.
1. Get a DoD civilian job. 2. etc....
If our behaviour is strict, we do not need fun!