Slashdot Mirror


Required Knowledge for a Career in Network Security

mtgarden asks: "I am trying to decide if I want to make a career shift into network security. I enjoy learning about cutting-edge technologies and find security interesting. I am not especially good at programming but would potentially enjoy the analysis side of security. Where would I start studying to learn whether this field is a good fit for me?"

2 of 73 comments

  1. Just another day at the office by Anonymous Coward · Score: 2, Interesting

    Not trying to dissuade you. It's good to want to learn about security. Just don't romanticize the field. I'm a network security consultant. What does my day consist of? Meetings mostly. I have to go to pre-sales meetings with our sales people, I have to go to project meetings with our customers, I have to go to wrap-up meetings after the projects are done.

    What's my second biggest time slice? Writing reports and policy papers. My girlfriend gets asked what I do, and she answers "He mostly writes reports." That's all she ever sees of my work. Usually it's done after hours because of the meetings. For each hour of interesting techie work I do, I probably spend 12 to 24 hours either in meetings or writing papers supporting it. That's the real life of most IT security people.

    IMHO, the most basic requirements of being a good network security guy are an ability to write and speak coherently, and the ability to understand and explain complex ideas at the level your audience understands. It doesn't matter how good you are at the techie stuff if you can't put it on paper for others to understand. It's also good to keep your head when others are losing theirs. It's pretty much required to have an analytical mind. Some will argue this last one, but I think it's good to have the mind of a criminal. I constantly find myself looking at things from this angle. "How could I get around this impediment..." That's where the knack for this work comes from. Act on those insights, however, and you can say goodbye to any sort of meaningful career in this field.

    Now if you'll excuse me, I've got a meeting to attend. And I've got a report that's due tomorrow.

  2. Get a good book and see if you can follow it by jschottm · Score: 2, Interesting

    "Where would I start studying to learn whether this field is a good fit for me?"

    I'd recommend the Northcutt/Novak book "Network Intrusion Detection" as a good one to start with. If you come out with a knowledge of IP packets, how to read them in hex format and TCPdump (yes, TCPdump, not Ethereal) then continue on in the field. If it's not of interest or is too hard, don't.

    (Good) Network security isn't often all that interesting or that sexy. You have to do a good deal of ongoing research to stay on top of what the bad guys are developing. Chances are that you'll deal with a lot of bots, spam, script kiddies, and worms rather than some 'leet hacker who will challenge you to an international manhunt. You have to read lots of packets and system logs. You don't have to be an expert programmer, but being able to write $SCRIPT_LANGUAGE well enough to write quick custom log parsers and analyzers is a big plus.

    Of course, there are plenty of hacks (in the old, pre-computer meaning of the term) who'll run Nessus against a client and bill them a couple thousand dollars. But I'm assuming you don't want to be one of those.

    You can look at the CISSP prep books, but (IMO) their program is less technically oriented than the SANS type ones, and will show you more about how to interact with management as a security analyst than the technical aspects that you would have to know.