Required Knowledge for a Career in Network Security
mtgarden asks: "I am trying to decide if I want to make a career shift into network security. I enjoy learning about cutting edge technologies and find security interesting. I am not especially good at programing but would potentially enjoy the analysis side of security. Where would I start studying to learn whether this field is a good fit for me?"
Know how to spell security.
Apparently, spelling is not required knowledge for a career in network securit :)
For every problem, there is at least one solution that is simple, neat, and wrong.
Can you install NIS with a straight face, and charge them? ;-)
Common sense is not so common
Required Knowledge for a Career in Network Securit
I'd say maybe some typing, spelling, and proofreading skills to start.
Another is equipment. Know what equipment (routers, firewalls, etc) is used for what and how it works.
Finally, software. Figure out how firewalls, spam filters, etc do their job and how to open and close ports.
I'm sure there's many more ideas but here's a few to start out with.
SANS has a wealth of in-depth courses, taught by experts in the field. They aren't inexpensive, but these aren't courses you will find at your local community college either. Some are taught on-line, in their "SANS@home" programs, where you have books, a CD of test data (in my case), and the Java client gives you an interactive environment with slides and audio.
Securit® - Information Management and Destruction seems like the obvious place to start, and they're hiring.
I enjoy learning about cutting edge technologies and find security interesting.
You can forget dealing with the cutting edge. Security work is all about currently deployed applications. For example, doing an audit at the moment is much more likely to require a good knowledge of Windows 2000 than XP or Vista.
Those are a few things I can think of. HTH.
...and an extremely good way of getting your head around the latest threats, particularly in terms of the latest spy/mal/adware out there. The info is reliable and free, and you might learn something too. A lot of these sites are used by industry professionals, and you can gain a great network of contacts with a little hard work. A list of around 50+ forums to get you started, on everything from Malware analysis to building testboxes: http://asap.maddoktor2.com/
You must be able to quote at least 75% of the movie "Hackers," 85% of "War Games," and for extra credit about 10-20% of either "Swordfish" or "The Lawnmower Man."
You basically have to know someone or already work in the field. At most places, if you express an interest in or concern about security, and you aren't part of the empire-building, power-tripping group, expect to be accused of being a risk yourself.
As a system and network admin, security is something I think about quite a bit. As far as I can determine, truly good security people are the best of the best in the computer world. There is _nothing_ in computers as difficult.
As an admin/architect, you need a prodigious memory; you have to know all the software you're deploying, with all its various warts. You have to know your operating systems, and their interactions with your chosen hardware, both system and network. And you have to understand your network layout and be able to troubleshoot.
As a programmer, you need less knowledge and more raw brainpower. You still need to know how other people do things, but a great deal of the job is raw invention on the spot. Knowledge in the programming field tends to be narrow, specialized, and very deep.
As a security person, at least to be a GOOD one, you need all the skills of both fields, plus more besides. You have to be able to audit source code and find weaknesses; you have to be able to probe a network remotely and understand its layout and where its holes are likely to be. Defensively, you have to understand all the possible ramifications and interactions with combinations of software. Offensively, you have to be able to find the holes that nobody else has seen before.
Both programming and sysadminning can lead into security, but if you want to be GOOD, I'd strongly suggest trying to be both. You might want to program first; that's usually harder to break into, and it can be easier to get a job out of college. Admins tend to like experience as much or more than education, so once you have a good degree of programming skill, you can probably branch out and pick up what you need in terms of system administration. You don't necessarily need the day-to-day details, but you do need a very, very deep understanding of _exactly_ what the operating system and programs are _actually_ doing... not just the cruder models most of us tend to use.
It is a very interesting field, but it'll take everything you have and then some just to keep up.
As with most things involving deep technical expertise, you don't choose the career so much as the career chooses you. Here's how it goes for network security:
You work as a junior network administrator.
You get interested in the security aspects.
You find you have a knack for it and tend to spend any unassigned manhours scanning logs for connection attempts and looking up the ports to see what the originator was attempting.
Your boss notices that you have a knack for it and lets you spend more time working on it.
You start reading the available literature to gain more insight.
A job comes along where they're looking for a network security specialist instead of a general network admin. You apply and get the job.
With all of your work-hours spent on network security your rate of learning increases.
You run into a few unusual situations and start to consult with experts on the 'net.
etc.
At some point you cross a line. Now you are one of the experts and folks consult with you.
You'll notice there is no coursework listed anywhere in there. It wasn't an oversight. Coursework provides a decent overview for folks who don't have the knack. It lets them get by without being completely ignorant. Someone with the knack, someone who should consider network security as a career path, will get the same results by spending an evening with a book.
You must be able to write very long reports that management and the board of directors will be reading. You will use terms like "Due Care and Diligence", "Disaster Recovery" and "Business Continuity Planning". Security professionals don't provide anything tangible to a business so to prove your value you must consider every potential problem and document it in advance even if management doesn't even read your reports. This is the only way to cover your ass.
So many people consider Network Security to be about running sploits and such, but really it's about risk management. Have a good look at certifications such as CISSP, read some of the self training books and if you don't get bored to tears reading them then think about what it would take to write them because that's what you'll be doing 90% of your time.
FUD is your friend!
(Fear, Uncertainty and Doubt)
In order to be a really effective Security professional, you must instill fear among your audience. C-Level folks are the best to scare. Take notes on the way Der Departmant of Homeland Security does it. They are magnificent at this. (Code RED!, no Orange, no back to Yellow...no wait RED again!!!)
There are a few important distinctions
a. C-Levels (Ceo, CFO, CIO, etc) are primarily scared by 'breaking laws' cuz they are responsible. read SOX (Sarbanes Oxley), HIPAA (Health info act) et al to know how to instill FUD in the suits.
b. Geeks (Network Admins, etc) are primarily scared by 'fear of data loss', especially the C-Level's Email. Use stories like this:
"Joe schmo was an admin at Microsoft when a Cracka came in thru the backdoor and ate Bill Gates' Mail, no one has seen him since!"
Information security is a pretty large field, with different professionals who may have very different backgrounds and expertise. The OP talks about network security, which is a subset of information security, but it is far from the only "kind" of security job out there.
Traditionally, the easiest way to get into network security is by first being a network engineer/sysadmin. As you learn the ins and outs of network administration, you'll have to tackle the related security issues at one point or another. Nowadays, all good sysadmins must have at least some general knowledge in security; the difference between the amateur and the professional is thus only in terms of scope and depth.
Now, maybe that's not really what you were looking for when you said "network security". The part about wishing to do analysis rings a bell. There's a lot of other jobs out there in information security that have absolutely nothing to do with networks; you can do systems assessment, audits, business recovery, and other similar projects. While these kinds of activities also require some technical background, they must be backed by strong analytical abilities and a good grasp of how to do proper documentation and follow methodologies. Depending on your inclination, this may sound fun and rewarding, or boring as hell. The typical career path of these "security professionals" is very different from the network dudes. A BS in computer science is almost a must, and the best way to get some experience is probably to have some kind of internship with a security consultant firm.
There's a few certifications out there that can also raise your value and awareness in the field, although personally I believe that experience is much more important. The CISSP is the most common, but it is targeted more to the security professionals than to the network dudes. Unfortunately, you can't pass it without prior experience in the field (3 or 4 years - I don't remember). Other certifications, such as the ones offered by the SANS, are generally more technical in nature (which isn't bad, just different). Look for their GIAC certification paths.
Am I the only person here who gets a bit..., no actually, really... irritated by these questions ?
"I enjoy learning about cutting edge technologies and find security interesting."
Well obviously not interesting enough to find out what the field is about. Spend some time on the net looking at forums, security related sites, etc. I can't believe that if you take a couple of hours to do this you wouldn't have a rough idea of what the field of computer/network security is about and whether the field is potentially interesting to you.
"I am not especially good at programing"
Ok, so you're not very good at research AND you're not very good at programming... Way to go so far...
"but would potentially enjoy the analysis side of security"
Ahh ! I love your type. You don't know jack but are happy to spend the boss' hours reading sites, ya know, scannin' da net, keepin' da finga on da s3c4r1ty sc3n3 (sarcasm intended).
I hate to break it to you but in order to analyse stuff you need to know stuff. And the best way to know stuff is to have done stuff (posting questions to ask /. does not count).
Sorry about the rant, but at times like these I wonder what the /. editors were thinking when they posted this article... I know, the 'try google' answer kills a lot of questions but if this person had checked google for 1 second he would have found plenty of information.
These kinds of questions waste our time and I consider them disrespectful of all those people who have spent thousands of hours finding out about security for themselves instead of looking for a quick answer by posting to ask /.
Now I'm going to do some breathing exercises to get my blood pressure levels back to semi-normal ;)
If you run Windows, your shit will get pwned. The only question is when it will happen.
The security of your network will be in inverse proportion to the sum of the following:
1. The number of users in your organization who are just straight up stupid and will run anything that arrives in their inbox. Stupid users with laptops that they use on their cable/DSL at home and then bring into the office chock full of malware count as two people.
2. The number of users in your organization who are too [self-]important to learn how to use their computer properly.
3. The number of users in your organization who are exempt from your security policies because they are too important to be penalized for ignoring them (e.g. the upper-level manager who has full admin privileges on his PC, has LimeWire installed and surfs shady porn sites all day). All of those count as three people.
Look at the things you need to cover to get CISSP certified - that'll give a good idea..
When working in network security, your biggest battle won't be securing servers, or even establishing security and education to the employees.
Nope, it's going to be cleaning up the mistakes of idiots who won't listen to you, and are often your boss. Be prepared to take the blame when security is "broken" because the CFO clicked an attachment because he wanted to see boobies.
It's not their fault. It never is. It's going to be your fault every time someone else decides to tear a window out of your carefully constructed wall of security. It'll happen, and you better be prepared for it. You'll get yelled at, lectured, or in some way admonished because other people are fucking idiots that didn't listen to you in the first place.
It doesn't matter how many meetings you give, warnings, emails, memos. Someone, somewhere is going to mess everything up and it's going to be YOUR job to take the blame, even more so than fixing the inevitable problems.
Yeah, I am slightly bitter because I told a CFO "you shouldn't click porn attachments, you really messed things up here" and he became enraged at me for "accusing" him of this... when I had the window open right there, and he admitted to it 20 seconds prior.
I suppose patience is the best thing.
You also need to think about and decide what sort of longevity and upward mobility you want in that (or any) field. You certainly need to understand the mechanics - how to install security software, etc. But, if you want to rise up, you need to understand the foundation. If it's network security, you need to understand network protocols and statistics. Get Stevens Vol I and Ethereal and start capturing packets and looking at real network traffic. Also, get a book on statistics that includes distributions. Then filter and dump the Ethereal traffic and analyze it. Create distributions of what "normal" traffic looks like under various conditions (time of day, location) and by protocol. Then you will really understand those things you memorized, like what's the problem with a xmas tree packet anyway? Also, if you're sure you want to apply the knowledge and not develop software, skip the compiled programming languages and learn perl or python (or both).
There are IT engineers and there are IT technicians. One is not necessarily better or worse than the other. Both have their roles. The difference is that the IT engineer has a deeper understanding of the fundamentals. When the technology changes, the IT engineers are in a better position to retrain themselves. The IT technicians often have to shell out for another course or three on the "next big thing".
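An added example (not from the post above) of the analysis it describes: decode captured IP/TCP headers, build a per-protocol share of "normal" traffic, compare a later sample against it, and spot a xmas tree packet (FIN, PSH and URG all set). The packets are constructed inline with struct rather than captured, and the baseline threshold is an assumption.

```python
import socket
import struct
from collections import Counter

# TCP flag bits (low 9 bits of the data-offset/flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG


def build_ipv4(proto, src, dst, payload):
    """Constructed minimal IPv4 header (no options, checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_tcp(sport, dport, flags):
    """Constructed 20-byte TCP header: data offset 5 words, given flags, window 8192."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)


def build_udp(sport, dport):
    """Constructed 8-byte UDP header with no payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)


def parse_packet(raw):
    """Decode the IP header plus the TCP/UDP ports (and TCP flags) of one raw packet."""
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    rec = {"proto": {6: "tcp", 17: "udp"}.get(proto, str(proto)),
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}
    body = raw[(ver_ihl & 0x0F) * 4:]          # skip the IP header (IHL is in 32-bit words)
    if proto == 6:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", body[:14])
        rec.update(sport=sport, dport=dport, flags=off_flags & 0x1FF)
    elif proto == 17:
        sport, dport = struct.unpack("!HH", body[:4])
        rec.update(sport=sport, dport=dport)
    return rec


def is_xmas(rec):
    """FIN, PSH and URG lit at once: no real TCP state machine sends this, scanners do."""
    return rec["proto"] == "tcp" and rec["flags"] & XMAS == XMAS


def protocol_distribution(records):
    """Share of packets per protocol: one dimension of a 'normal traffic' baseline."""
    counts = Counter(r["proto"] for r in records)
    total = sum(counts.values())
    return {p: c / total for p, c in counts.items()}


def drift(baseline, observed, threshold=0.2):
    """Protocols whose share moved more than `threshold` away from the baseline."""
    protos = set(baseline) | set(observed)
    return sorted(p for p in protos
                  if abs(baseline.get(p, 0.0) - observed.get(p, 0.0)) > threshold)


# Constructed sample "capture": an HTTP handshake, one DNS query, one xmas scan probe.
A, B = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5")
SAMPLE = [
    build_ipv4(6, A, B, build_tcp(40001, 80, SYN)),
    build_ipv4(6, B, A, build_tcp(80, 40001, SYN | ACK)),
    build_ipv4(6, A, B, build_tcp(40001, 80, ACK)),
    build_ipv4(6, A, B, build_tcp(40001, 80, PSH | ACK)),
    build_ipv4(17, A, B, build_udp(5353, 53)),
    build_ipv4(6, B, A, build_tcp(61000, 22, XMAS)),
]


def analyze(packets):
    """Summarise a list of raw packets: protocol shares and any xmas probes seen."""
    records = [parse_packet(p) for p in packets]
    return {"distribution": protocol_distribution(records),
            "xmas": [(r["src"], r["dport"]) for r in records if is_xmas(r)]}


if __name__ == "__main__":
    print(analyze(SAMPLE))
```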
Not trying to dissuade you. It's good to want to learn about security. Just don't romanticize the field. I'm a network security consultant. What does my day consist of? Meetings mostly. I have to go to pre-sales meetings with our sales people, I have to go to project meetings with our customers, I have to go to wrap-up meetings after the projects are done.
What's my second biggest time slice? Writing reports and policy papers. My girlfriend gets asked what I do, and she answers "He mostly writes reports." That's all she ever sees of my work. Usually it's done after hours because of the meetings. For each hour of interesting techie work I do, I probably spend 12 to 24 hours either in meetings or writing papers supporting it. That's the real life of most IT security people.
IMHO, the most basic requirements of being a good network security guy are an ability to write and speak coherently, and the ability to understand and explain complex ideas at the level your audience understands. It doesn't matter how good you are at the techie stuff if you can't put on paper for others to understand. It's also good to keep your head when others are losing theirs. It's pretty much required to have an analytical mind. Some will argue this last one, but I think it's good to have the mind of a criminal. I constantly find myself looking at things from this angle. "How could I get around this impediment..." That's where the knack for this work comes from. Act on those insights however and you can say goodbye to any sort of meaningful career in this field.
Now if you'll excuse me, I've got a meeting to attend. And I've got a report that's due tomorrow.
Where would I start studying to learn whether this field is a good fit for me?
I'd recommend the Northcutt/Novak book "Network Intrusion Detection" as a good one to start with. If you come out with a knowledge of IP packets, how to read them in hex format and TCPdump (yes, TCPdump, not Ethereal) then continue on in the field. If it's not of interest or is too hard, don't.
(Good) Network security isn't often all that interesting or that sexy. You have to do a good deal of ongoing research to stay on top of what the bad guys are developing. Chances are that you'll deal with a lot of bots, spam, script kiddies, and worms rather than some 'leet hacker who will challenge you to an international manhunt. You have to read lots of packets and system logs. You don't have to be an expert programmer, but being able to write $SCRIPT_LANGUAGE well enough to write quick custom log parsers and analyzers is a big plus.
Of course, there's plenty of hacks (in the old, pre-computer meaning of the term) who'll run Nessus against a client and bill them a couple thousand dollars. But I'm assuming you don't want to be one of those.
You can look at the CISSP prep books, but (IMO) their program is less technically oriented than the SANS type ones, and will show you more about how to interact with management as a security analyst than the technical aspects that you would have to know.
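The "quick custom log parser" this post has in mind, as an added example that is not part of the post: it reads iptables LOG-style syslog lines, tallies which ports each source tried, names the services, and flags sources that swept several ports. The log lines, the port-name table and the sweep threshold are constructed for the example.

```python
import re
from collections import defaultdict

# iptables LOG-style syslog lines, constructed for this example (not a real log).
SAMPLE_LOG = """\
Mar  3 14:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Mar  3 14:02:11 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23 SYN
Mar  3 14:02:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=80 SYN
Mar  3 14:02:12 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=443 SYN
Mar  3 14:02:13 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51238 DPT=3389 SYN
Mar  3 14:05:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=TCP SPT=40022 DPT=80 SYN
Mar  3 14:05:41 fw kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 PROTO=UDP SPT=40023 DPT=53
Mar  3 14:06:02 fw sshd[911]: Accepted publickey for ops from 192.0.2.44 port 55010
"""

# Pull the fields we care about; `.*?` tolerates extra LEN=/TTL= fields between DST and PROTO.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) "
                     r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

# Small constructed port table standing in for an /etc/services lookup.
PORT_NAMES = {22: "ssh", 23: "telnet", 53: "domain", 80: "http",
              443: "https", 3389: "ms-wbt-server"}


def parse_line(line):
    """Return a dict for a firewall log line, or None for lines that are not firewall hits."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    rec["service"] = PORT_NAMES.get(rec["dpt"], "unknown")
    return rec


def connection_attempts(text):
    """Per source address, the set of (proto, dport) pairs it attempted."""
    attempts = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            attempts[rec["src"]].add((rec["proto"], rec["dpt"]))
    return attempts


def port_sweep_suspects(attempts, min_ports=4):
    """Sources that touched at least min_ports distinct ports, with the services named."""
    out = []
    for src, ports in attempts.items():
        if len(ports) >= min_ports:
            out.append((src, sorted(PORT_NAMES.get(p, str(p)) for _, p in ports)))
    return sorted(out)


if __name__ == "__main__":
    for src, services in port_sweep_suspects(connection_attempts(SAMPLE_LOG)):
        print(f"{src} swept {len(services)} ports: {', '.join(services)}")
```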
IA can be divided into 7 categories:
There are also several dimensions of each category:
I would recommend that you investigate each one to see where your personal strengths might make the best fit. If you enjoy math, then you might want to specialize in cryptography, passwords, and secure communication. If you enjoy the business side of things, you can look at developing corporate policies on security matters. If, like you said originally, you've decided on network security, you can focus on network packets, matching attack patterns, creating router and firewall rulesets to block known (and unknown) attacks. Network security can also include network hardening: knowing what services are running, why, and who has the right to use them; and then restrict everything that is outside of that approved use.
Obviously there is a lot to it, but the point to be made here is that you should look at all of the different facets of Information Assurance and find the direction that is right for your skills and interests. Many of the fields will overlap and a well rounded security professional will be talented in many of these directions.
Another important quality of a security professional is a strong set of ethics. You will probably at some point have access to very sensitive information, and you must have the ethics and tact to handle those situations correctly.
An important bit of advice on the side: Before you use any security tools on a network, get permission in writing from the appropriate authority (the higher up the better).
At that point, you can start looking at the types of network security work that are available. Possible areas include:
There are many others, but those seem the most "network" of the fields in the security arena.
Hackers
Sneakers
3 Days of the Condor
War Games
Firewall (just kidding!)
The Net (also just kidding!)
Did I miss anything?
There are a lot of fields in the security area, some deal with networks, but many do not. You need to spend some time researching what "specialties" there are in the broader field.
For example, computer forensics is a specialty within the security field, and it can mean a lot of things. It could mean examining network logs to trace the source of a DDoS attack, or to determine the full scope of an attack. Ex. We know we were hacked, but did they get access to accounting or our development systems? Determining what was compromised is important and may require days of detailed analysis and little to no programming. Forensics may also mean using tools such as EnCase or Forensic ToolKit (FTK) to examine a captured hard drive for evidence. You may be looking for illegal pornography, stolen data or hidden records. Some of them may be deleted, obfuscated (such as changing a .xls to a .jpg) or hidden in slack space on a drive. Sometimes this can be fairly straightforward, and sometimes it isn't.
A lot of areas in the security field require entirely different skillsets, so having an idea of what you want to do is vital. Using the forensics example, if you want to examine network logs, you need to have a very strong understanding of networking and protocols. If you want to examine hard drives for evidence, you need a strong understanding of file formats and how OSes and hard drives handle data. In general you need a good understanding of the law, especially evidence collection. This knowledge might be helpful if you want to conduct Sarbanes-Oxley (SOX) audits, but not nearly as much as a solid understanding of business principles, and the ability to understand how the internal information is handled and stored. All of these may be handled by the same forensics team, (or one very overworked individual), requiring a lot of knowledge and skills.
With that in mind, I would recommend taking some classes in the security field. The college I'm at (Iowa State University) has a great program in Information Assurance, and has some great core classes for learning about the field. They are available through our Engineering Distance Education group, and the profs take into account that there are off-campus/non-traditional students taking the courses.
Otherwise, my advice is to talk to people in the field and ask them what they do, what their time is spent on and what skills they need to do their job. Take some time to find out what is available before trying to gather the knowledge or the skills - they might not be that helpful in what you ultimately decide to do.
At least learn C and C++, be able to use the same tools the hackers use... nmap, TCPDump, and a host of other tools. A scripting language like Python, Perl or PHP is also important. Learn to track network activity, use of Whois to track down network connections... Socket programming (At least POSIX stuff).
Join and read the relevant mailing lists, blogs, and also join the hacker blogs, botnet blogs, and keep abreast of current trends and situations.
This is a really, really complex topic. I'm going to focus on computer security in general rather than the network security specialisation, as IMO it's better to get the basics in shape so you choose the specific security area you go into, rather than specialise first then work into other areas. I got into security whilst doing OS work as part of my degree, went into a postgraduate degree focussing on Intrusion Detection research, then went into security consulting, now security auditing, and soon into a security management role.
I appreciate the comment above about getting your feet wet in administration first, however it is becoming the case that less and less people have the opportunity to 'fall' into computer security, and you need a better base of knowledge than administrators normally get time to get. It's been mentioned a few times, but one of the fundamental things about modern computer security is knowing the basics of how 'everything' works. Engineering degrees in the computer systems field work well for this. However, if you don't have that sort of background, you need to be aware of any coding language you may be auditing (you may still need to do a level of this depending on your exact roles) and the vulnerabilities available. Keeping up with every new 0-day vulnerability, and in-depth analysis of code is left to a small core of specialists, and if you aren't already good at coding, it isn't worth the effort IMO. You'll need knowledge of crypto for virtually any area, but the basics of how it works, and ability to use it in a black-box fashion is good enough, as 99.9% of your vulnerabilities are in implementation.
The CISSP CBK is very worthwhile investigating. If you know enough to pass the CISSP, you're on your way, but the CISSP is very broad knowledge, and shallow - so be prepared to get a shock when you start working in the field.
In the end, you'll either decide, or filter through to a few different general topic areas:
1. Application security - code reviews, OS vulnerabilities, actual coding, computer architecture.
2. Network security - networking (this is very intensive, and you need good knowledge in this area), wireless networking, OS vulnerabilities, computer architecture, specific network-centric attacks, firewalls, IDS/IPS, proxies, web applications.
3. Security Management - policy, soft skills, people management, alignment with business, compromise (particularly useful here), legislation, risk management, project management.
You do need to be aware of general vulnerabilities, ways of working around controls, the controls themselves, and the regulatory environment.
Different specialisations are also available, such as penetration testing, wireless network security, security auditing (more of a specialisation for a generalist), security policy, security risk management, vulnerability analyst (can be called almost anything) etc.
The field is huge - doing a postgrad course is good, and if you know your specialisation, then many of the industry courses are good at getting your foot in the door, but as mentioned before, very expensive.
Look at all the areas available before deciding on anything special. In addition, if you don't have work experience you will find it virtually impossible to become a security professional. Most positions require a few years experience, though not necessarily in the role of the position itself - the field is unforgiving to people without practical experience, and this is one reason why a postgraduate degree in research (as much security research is still fairly practical as long as you stay away from crypto) can be a big boon.
I also have to mention, as with others, a vast amount of my time (~80%) is meetings and reports. Management must be aware of security to enable buy-in to get the work done - it's not as easy as other IT areas to do this, as while we add value by decreasing risk, we aren't generally adding functionality.
The security field is tough - even in high-level positions of policy and legislation, the field changes ra
Isn't there a certification - CISSP - whose list of topic requirements would help you answer this question?
I'm told there are a few such books making the rounds via bit torrent, as I write... but, if not, a nearby technical library is your friend.
Since you're talking about career choices, you might want to approach the topic from the broader sense - not just Network Security but Information Security.
InfoSec is a broad, fascinating field. And as with the field of medicine in the early 1800's, everyone is an expert, but no-one really knows enough.
There seem to be six main "practitioner" fields, right now:
1) Documentation (certification and compliance)
2) Network / Systems Administration
3) Legal and Physical Protection
4) Management of all the above
5) Countermeasure Device Development and
6) Training.
By "Countermeasure Device Development" here I mean such things as writing / building programs (or appliances) to simply "improve the situation". This currently includes developing such things as Firewalls, Intrusion Detection Systems, Vulnerability Analysis systems, Systems Hardening software, etc. That field is open-ended.
At first glance, this sounds like what you're thinking about. As to programming skills - don't worry. If you love a thing enough you'll do it a lot. If you love a thing a lot and do it a lot you'll get quite good at it (One suggestion, though - the best way to debug code? Don't put bugs in when you write the code in the first place - makes debugging infinitely easier).
If writing such software is what you're thinking about - talk with folks who have already done it. Find a way to talk with Marty Roesch (who wrote Snort), Renaud Derraison (who wrote Nessus), Ron Gula (who wrote the Dragon firewall) - you get the picture. People capable of writing such devices are in a very small, select group - and they're very good people.
As other people here have said, take a look at the ten areas of knowledge that the CISSP certification considers (Certified Information Systems Security Professional - go to http://www.isc2.org). That will give you a broad overview of the technical side of the field.
Do also look at the GIAC (Global Information Assurance Certification) program that SANS encourages (http://www.sans.org). As I understand it, both the CISSP and the GIAC certs each have both breadth and depth, but the CISSP is primarily interested in breadth with a reduced depth, whereas the GIAC selects a narrower subset and drills more deeply into that.
To thrive in the field - to even enjoy the field - you'll need both breadth and depth.
And speaking of breadth, do also read Kevin Mitnick's book "The Art of Deception." This is about the part of InfoSec that's the toughest to solve computationally - the human element. In my opinion his solutions listed in that book to the problems of social engineering don't go deep enough, but _nobody_ understands social engineering as well as he does.
In fact, speaking of the human element, do also take a look at the CPP (Certified Protection Professional) certification from ASIS International (http://www.asisonline.org). This certification deals not only with how to use computers to find the bad guys, but what to do once you've found them. Interesting.
InfoSec - it can be frustrating; it can be fun. Enjoy!
That's a very insightfully real-world and down-to-earth focused post, IMHO. Not the kind of post that would give Slashdot techies a hard-on, mind you (that's probably why the post scores only 1).
I'd recommend 'Secrets and Lies' and 'Beyond Fear' from Bruce Schneier for a no bullshit look at security and reality. Be aware that to do it right you're looking at quite a lonely career, and your main effort in any company is to make yourself redundant.
Which is why it's better to be a consultant in this field - you get to do the interesting stuff. What I enjoy best is resolving calamities and helping companies with invoking DR strategies - I'm personally not very good at handle turning but very much at home with the chaos that follows a breach or a problem (but you need to be prepared to take decisions based on sometimes less than ideal information).
Depends on your aims.
Good luck!
Learn TCP/IP backwards, pick up a scripting language, analyse and understand the threats to an organisation from within.
Don't waste any time "learning how to think like a hacker". Everyone says it and it's utterly pointless. For a start most of your time will be spent satisfying audit points and closing loop holes for internal fraud. Which "hackers" do that?
Also, unless you work for a clueless outfit in the first place you will not be dealing with effective malicious attacks on even a 6 monthly basis.
Pick the rest up by RnD work.
Most of all. Never believe anything you read unless you can prove it yourself.
Security is largely about keeping information secret from those who shouldn't have it. Yea, it's great if you can set up a firewall, you and 100 million other people. Frankly, I wouldn't hire a so called security expert if they couldn't explain to me what a Feistel round is or why RSA is hard to break. These are just a couple of examples of questions you might ask a security "professional," but they tend to distinguish people who claim to know about security from those who actually have a little bit of background in information security.
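An added example (not from the post) of the first interview question above: a toy Feistel network in Python showing what a Feistel round is and why decryption is the very same network run with the round keys in reverse order, even though the round function F is one-way. The round function and key schedule here are constructed for illustration and are not those of DES or any real cipher.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_function(half, subkey):
    """Toy F: SHA-256 of (half, subkey) truncated to 32 bits. Deliberately one-way;
    a Feistel network never has to invert F, which is the whole point of the design."""
    data = half.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def feistel_round(left, right, subkey):
    """One Feistel round: new_left = right, new_right = left XOR F(right, subkey).
    Whatever F does, XORing the same F(right, subkey) again undoes it."""
    return right, left ^ round_function(right, subkey)


def feistel(block, subkeys):
    """Split a 64-bit block into two 32-bit halves, run every round, undo the final swap."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = feistel_round(left, right, k)
    return (right << 32) | left


def encrypt(block, subkeys):
    return feistel(block, subkeys)


def decrypt(block, subkeys):
    # Same network, subkeys reversed: round n of decryption sees the same `right`
    # half that round n of encryption produced, so it recomputes the same F and XORs it out.
    return feistel(block, list(reversed(subkeys)))


def key_schedule(key64, rounds=16):
    """Constructed toy schedule (an assumption for this example): hash key || round index."""
    return [int.from_bytes(hashlib.sha256(key64.to_bytes(8, "big") + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]


KEY = key_schedule(0x0F1571C947D9E859)

if __name__ == "__main__":
    pt = 0x0123456789ABCDEF
    ct = encrypt(pt, KEY)
    print(f"plaintext  {pt:016x}\nciphertext {ct:016x}\nrecovered  {decrypt(ct, KEY):016x}")
```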
Yep, that's what you need. Telling a COO/CIO/CEO that what they want would open the corporation to nearly unlimited liability takes big ones.
Or you can just "play" security consultant in your house. That's fun too, but the paycheck isn't worth it usually.