Required Knowledge for a Career in Network Security
mtgarden asks: "I am trying to decide if I want to make a career shift into network security. I enjoy learning about cutting edge technologies and find security interesting. I am not especially good at programming but would potentially enjoy the analysis side of security. Where would I start studying to learn whether this field is a good fit for me?"
Can you install NIS with a straight face, and charge them? ;-)
Common sense is not so common
SANS has a wealth of in-depth courses, taught by experts in the field. They aren't inexpensive, but these aren't courses you will find at your local community college either. Some are taught on-line, in their "SANS@home" programs, where you have books, a CD of test data (in my case), and the Java client gives you an interactive environment with slides and audio.
Securit® - Information Management and Destruction seems like the obvious place to start, and they're hiring.
I enjoy learning about cutting edge technologies and find security interesting.
You can forget dealing with the cutting edge. Security work is all about currently deployed applications. For example, doing an audit at the moment is much more likely to require a good knowledge of Windows 2000 than XP or Vista.
http://twitter.com/onion2k
Those are a few things I can think of. HTH.
ConsultingFair.com
You must be able to quote at least 75% of the movie "Hackers," 85% of "War Games," and for extra credit about 10-20% of either "Swordfish" or "The Lawnmower Man."
Slashdot Burying Stories About Slashdot Media Owned
You clearly are a security professional, as you skipped all the actual initial steps, probably because you're so used to them :)
The FIRST thing to do is learn the mechanics of the system(s) you are protecting. There are a lot of "generic" classes of threats out there, some relevant to certain systems, some to all. Before you can begin trying to protect against them, however, you need to completely understand:
1. If/how they affect the systems you're protecting.
2. What about your system makes the threat especially dangerous or nominal.
3. What mechanisms your system has to wall off such threats, if any.
You can't truly secure a system you don't know inside and out, no matter how much security "theory" you know, so the FIRST step is making sure you understand the technology at your disposal, even before you try to understand what threatens to compromise it.
From now on, I buy only Intel.
As a system and network admin, security is something I think about quite a bit. As far as I can determine, truly good security people are the best of the best in the computer world. There is _nothing_ in computers as difficult.
As an admin/architect, you need a prodigious memory; you have to know all the software you're deploying, with all its various warts. You have to know your operating systems, and their interactions with your chosen hardware, both system and network. And you have to understand your network layout and be able to troubleshoot.
As a programmer, you need less knowledge and more raw brainpower. You still need to know how other people do things, but a great deal of the job is raw invention on the spot. Knowledge in the programming field tends to be narrow, specialized, and very deep.
As a security person, at least to be a GOOD one, you need all the skills of both fields, plus more besides. You have to be able to audit source code and find weaknesses; you have to be able to probe a network remotely and understand its layout and where its holes are likely to be. Defensively, you have to understand all the possible ramifications and interactions with combinations of software. Offensively, you have to be able to find the holes that nobody else has seen before.
Both programming and sysadminning can lead into security, but if you want to be GOOD, I'd strongly suggest trying to be both. You might want to program first; that's usually harder to break into, and it can be easier to get a job out of college. Admins tend to like experience as much or more than education, so once you have a good degree of programming skill, you can probably branch out and pick up what you need in terms of system administration. You don't necessarily need the day-to-day details, but you do need a very, very deep understanding of _exactly_ what the operating system and programs are _actually_ doing... not just the cruder models most of us tend to use.
It is a very interesting field, but it'll take everything you have and then some just to keep up.
As with most things involving deep technical expertise, you don't choose the career so much as the career chooses you. Here's how it goes for network security:
You work as a junior network administrator.
You get interested in the security aspects.
You find you have a knack for it and tend to spend any unassigned manhours scanning logs for connection attempts and looking up the ports to see what the originator was attempting.
Your boss notices that you have a knack for it and lets you spend more time working on it.
You start reading the available literature to gain more insight.
A job comes along where they're looking for a network security specialist instead of a general network admin. You apply and get the job.
With all of your work-hours spent on network security your rate of learning increases.
You run in to a few unusual situations and start to consult with experts on the 'net.
etc.
At some point you cross a line. Now you are one of the experts and folks consult with you.
You'll notice there is no coursework listed anywhere in there. It wasn't an oversight. Coursework provides a decent overview for folks who don't have the knack. It lets them get by without being completely ignorant. Someone with the knack, someone who should consider network security as a career path, will get the same results by spending an evening with a book.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
You must be able to write very long reports that management and the board of directors will be reading. You will use terms like "Due Care and Diligence", "Disaster Recovery" and "Business Continuity Planning". Security professionals don't provide anything tangible to a business, so to prove your value you must consider every potential problem and document it in advance even if management doesn't even read your reports. This is the only way to cover your ass.
So many people consider Network Security to be about running sploits and such, but really it's about risk management. Have a good look at certifications such as CISSP, read some of the self training books and if you don't get bored to tears reading them then think about what it would take to write them because that's what you'll be doing 90% of your time.
Information security is a pretty large field, with different professionals who may have very different backgrounds and expertise. The OP talks about network security, which is a subset of information security, but it is far from the only "kind" of security job out there.
Traditionally, the easiest way to get into network security is by first being a network engineer/sysadmin. As you learn the ins and outs of network administration, you'll have to tackle the related security issues at one point or another. Nowadays, all good sysadmins must have at least some general knowledge in security; the difference between the amateur and the professional is thus only in terms of scope and depth.
Now, maybe that's not really what you were looking for when you said "network security". The part about wishing to do analysis rings a bell. There are a lot of other jobs out there in information security that have absolutely nothing to do with networks; you can do systems assessment, audits, business recovery, and other similar projects. While these kinds of activities also require some technical background, they must be backed by strong analytical abilities and a good grasp of how to do proper documentation and follow methodologies. Depending on your inclination, this may sound fun and rewarding, or boring as hell. The typical career path of these "security professionals" is very different from that of the network dudes. A BS in computer science is almost a must, and the best way to get some experience is probably to have some kind of internship with a security consulting firm.
There are a few certifications out there that can also raise your value and awareness in the field, although personally I believe that experience is much more important. The CISSP is the most common, but it is targeted more to the security professionals than to the network dudes. Unfortunately, you can't pass it without prior experience in the field (3 or 4 years - I don't remember). Other certifications, such as the ones offered by the SANS, are generally more technical in nature (which isn't bad, just different). Look for their GIAC certification paths.
Not trying to dissuade you. It's good to want to learn about security. Just don't romanticize the field. I'm a network security consultant. What does my day consist of? Meetings mostly. I have to go to pre-sales meetings with our sales people, I have to go to project meetings with our customers, I have to go to wrap-up meetings after the projects are done.
What's my second biggest time slice? Writing reports and policy papers. My girlfriend gets asked what I do, and she answers "He mostly writes reports." That's all she ever sees of my work. Usually it's done after hours because of the meetings. For each hour of interesting techie work I do, I probably spend 12 to 24 hours either in meetings or writing papers supporting it. That's the real life of most IT security people.
IMHO, the most basic requirements of being a good network security guy are an ability to write and speak coherently, and the ability to understand and explain complex ideas at the level your audience understands. It doesn't matter how good you are at the techie stuff if you can't put on paper for others to understand. It's also good to keep your head when others are losing theirs. It's pretty much required to have an analytical mind. Some will argue this last one, but I think it's good to have the mind of a criminal. I constantly find myself looking at things from this angle. "How could I get around this impediment..." That's where the knack for this work comes from. Act on those insights however and you can say goodbye to any sort of meaningful career in this field.
Now if you'll excuse me, I've got a meeting to attend. And I've got a report that's due tomorrow.
Where would I start studying to learn whether this field is a good fit for me?
I'd recommend the Northcutt/Novak book "Network Intrusion Detection" as a good one to start with. If you come out with a knowledge of IP packets, how to read them in hex format and TCPdump (yes, TCPdump, not Ethereal) then continue on in the field. If it's not of interest or is too hard, don't.
(Good) Network security isn't often all that interesting or that sexy. You have to do a good deal of ongoing research to stay on top of what the bad guys are developing. Chances are that you'll deal with a lot of bots, spam, script kiddies, and worms rather than some 'leet hacker who will challenge you to an international manhunt. You have to read lots of packets and system logs. You don't have to be an expert programmer, but being able to write $SCRIPT_LANGUAGE well enough to write quick custom log parsers and analyzers is a big plus.
Of course, there's plenty of hacks (in the old, pre-computer meaning of the term) who'll run Nessus against a client and bill them a couple thousand dollars. But I'm assuming you don't want to be one of those.
You can look at the CISSP prep books, but (IMO) their program is less technically oriented than the SANS type ones, and will show you more about how to interact with management as a security analyst than the technical aspects that you would have to know.
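The skills this comment and the earlier "scanning logs for connection attempts and looking up the ports" comment describe can be tried out in a few dozen lines. The following is an added example, not code from any poster: it reads a constructed `tcpdump -x` style hex dump (the five packets and their IP checksums were built by hand for this illustration, not captured from any real network), decodes the IPv4 and TCP headers by hand from the hex bytes, verifies each IP header checksum, and tallies SYN-only segments, i.e. connection attempts, per destination port. The small port-name table is a constructed stand-in for an `/etc/services` lookup.

```python
"""Decode a tcpdump -x style hex dump and tally TCP connection attempts.

Added illustration (not from the thread): reading IPv4/TCP headers from
raw hex, the skill the Northcutt/Novak book teaches, plus the kind of
"quick custom log analyzer" a script language makes easy.
"""
import struct

# Constructed sample in the shape of `tcpdump -x` output: a summary line,
# then hex lines prefixed with an offset. Built by hand for this example.
SAMPLE_DUMP = """\
12:00:01.000001 IP 192.168.1.5.1234 > 192.168.1.10.22: Flags [S]
\t0x0000:  4500 0028 0001 0000 4006 f76f c0a8 0105
\t0x0010:  c0a8 010a 04d2 0016 0000 0001 0000 0000
\t0x0020:  5002 2000 0000 0000
12:00:01.000452 IP 192.168.1.5.1234 > 192.168.1.10.80: Flags [S]
\t0x0000:  4500 0028 0002 0000 4006 f76e c0a8 0105
\t0x0010:  c0a8 010a 04d2 0050 0000 0001 0000 0000
\t0x0020:  5002 2000 0000 0000
12:00:02.100007 IP 10.0.0.7.49153 > 192.168.1.10.22: Flags [S]
\t0x0000:  4500 0028 0003 0000 4006 af14 0a00 0007
\t0x0010:  c0a8 010a c001 0016 0000 0001 0000 0000
\t0x0020:  5002 2000 0000 0000
12:00:02.100300 IP 192.168.1.10.22 > 192.168.1.5.1234: Flags [.]
\t0x0000:  4500 0028 0004 0000 4006 f76c c0a8 010a
\t0x0010:  c0a8 0105 0016 04d2 0000 0001 0000 0002
\t0x0020:  5010 2000 0000 0000
12:00:03.000009 IP 10.0.0.7.53 > 192.168.1.10.53: UDP, length 0
\t0x0000:  4500 001c 0005 0000 4011 af13 0a00 0007
\t0x0010:  c0a8 010a 0035 0035 0008 0000
"""

# Constructed port-name table standing in for an /etc/services lookup.
WELL_KNOWN = {22: "ssh", 53: "domain", 80: "http", 443: "https"}

# TCP flag bits in the low byte of the data-offset/flags word.
TCP_FLAGS = [(0x20, "U"), (0x10, "A"), (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F")]
SYN, ACK = 0x02, 0x10


def parse_hexdump(text):
    """Split a tcpdump -x style dump into packets (as bytes). A line whose
    first token starts with '0x' continues the current packet; any other
    non-empty line (the summary line) starts a new packet."""
    packets, current = [], []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("0x"):
            _offset, _, hexpart = stripped.partition(":")
            current.append(bytes.fromhex(hexpart.replace(" ", "")))
        else:
            if current:
                packets.append(b"".join(current))
            current = []
    if current:
        packets.append(b"".join(current))
    return packets


def ip_checksum(header):
    """RFC 791 one's-complement checksum; returns 0 for a valid header."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_ipv4_tcp(packet):
    """Decode the IPv4 header and, for protocol 6, the TCP header that follows."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    info = {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "proto": proto, "ttl": ttl, "total_len": total_len,
        "ip_checksum_ok": ip_checksum(packet[:ihl]) == 0,
    }
    if proto != 6:
        return info
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _tcsum, _urg = struct.unpack(
        "!HHIIHHHH", packet[ihl:ihl + 20])
    flags = off_flags & 0x1FF  # low 9 bits: NS plus the 8 classic flags
    info.update(sport=sport, dport=dport, seq=seq, ack=ack, window=window,
                flags=flags,
                flags_str="".join(n for bit, n in TCP_FLAGS if flags & bit) or ".")
    return info


def connection_attempts(packets):
    """Count TCP segments with SYN set and ACK clear, keyed by destination port."""
    tally = {}
    for pkt in packets:
        info = decode_ipv4_tcp(pkt)
        if info["proto"] == 6 and info["flags"] & SYN and not info["flags"] & ACK:
            tally[info["dport"]] = tally.get(info["dport"], 0) + 1
    return tally


def report(packets):
    """Human-readable summary lines, one per destination port seen."""
    return [f"port {port}/tcp ({WELL_KNOWN.get(port, 'unknown')}): {n} connection attempt(s)"
            for port, n in sorted(connection_attempts(packets).items())]


if __name__ == "__main__":
    pkts = parse_hexdump(SAMPLE_DUMP)
    for p in pkts:
        d = decode_ipv4_tcp(p)
        print(d["src"], "->", d["dst"], "proto", d["proto"],
              "flags", d.get("flags_str", "-"), "csum ok" if d["ip_checksum_ok"] else "CSUM BAD")
    print(*report(pkts), sep="\n")
```

The ACK-only segment and the UDP datagram are deliberately present so the tally shows only genuine SYNs; swapping `SAMPLE_DUMP` for real `tcpdump -x` output (without the link-layer header, as above) is the whole change needed to run it on a live capture.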
IA can be divided into 7 categories:
There are also several dimensions of each category:
I would recommend that you investigate each one to see where your personal strengths might make the best fit. If you enjoy math, then you might want to specialize in cryptography, passwords, and secure communication. If you enjoy the business side of things, you can look at developing corporate policies on security matters. If, like you said originally, you've decided on network security, you can focus on network packets, matching attack patterns, creating router and firewall rulesets to block known (and unknown) attacks. Network security can also include network hardening: knowing what services are running, why, and who has the right to use them; and then restricting everything that is outside of that approved use.
Obviously there is a lot to it, but the point to be made here is that you should look at all of the different facets of Information Assurance and find the direction that is right for your skills and interests. Many of the fields will overlap and a well rounded security professional will be talented in many of these directions.
Another important quality of a security professional is a strong set of ethics. You will probably at some point have access to very sensitive information, and you must have the ethics and tact to handle those situations correctly.
An important bit of advice on the side: Before you use any security tools on a network, get permission in writing from the appropriate authority (the higher up the better).