Security Basics mailing list archives

Re: I've passed the CISSP exam, few months back...Now what???


From: kevinlh () hotmail com
Date: 9 Sep 2005 20:56:50 -0000

Where to begin...

A lot of people ask this question once they pass a test. From a security standpoint, I suggest you start off small with 
easy targets. Set up a system with Windows 2000 SP1. Set up another system with your favorite open source distro 
(FreeBSD). Grab a couple of programs such as Nessus, Nmap, SARA, and Metasploit, and break the Windows system. Run Ethereal 
and log the packets to a tcpdump binary file. Install Snort on the scanning host and replay the binary file in Snort. 
Use snortsnarf to create HTML reports of the scan you ran. When you think you have the skills to kill a Windows 2000 
SP1 box, install SP4 and re-run your analysis. Notice any differences? Next move on to Windows XP, then 2003. Then 
broaden your horizon and point that same scan at your routers, neighbors, everyone you can scan without getting sued. 
That's how I started... and while I don't have a CISSP, I feel the knowledge is worthwhile, and it has helped me secure 
a good job.

Join ISSA or any local IT organization. Network with people in your industry, talk to them about security, disaster 
recovery, business continuity, golf, football... this is a truly important step to gauging your level of experience. It 
also helps your social skills in dealing with clients and potential clients. Having peer review of your security 
practices is nice as well. 

Read anything and everything that has to do with security. It's great if you know encryption in and out, but if Joe the 
disgruntled employee can walk into the data center with a 15 lb sledgehammer, you're missing the point.

Security consultants do a lot of security audits. Put together a plan to audit your network. Perform the audit 
yourself, and compare it with ISO 17799 best practices. Do you have any holes in your plan?



DISCLAIMER:

I am not an expert. I blacked out for a few minutes, and when I came to, this was written on the screen. My head hit 
the SUBMIT button by accident.
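An added example for the "replay the capture in Snort, then build a report" step above. This is not code from the post, from Snort, or from snortsnarf; it is a small snortsnarf-style summariser that reads Snort's alert_fast output (the one-line-per-alert format Snort 2.x writes when run with -A fast) and counts alerts per signature, source host, destination port, and priority. The alert lines in SAMPLE_ALERTS are constructed for this example, and their SIDs and messages are illustrative rather than a reference to any particular rule file.

```python
"""Added example: a snortsnarf-style summariser for Snort 'fast' alert lines.

Not code from the mailing-list post or from the Snort/snortsnarf projects.
Assumes the Snort 2.x alert_fast line layout; SAMPLE_ALERTS is constructed
and the SIDs/messages are illustrative.
"""
import re
from collections import Counter

# One alert_fast line (assumed Snort 2.x layout):
#   MM/DD[/YY]-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
# Preprocessor alerts (e.g. the portscan detector, gid 122) omit the
# Classification block and ICMP alerts carry no ports, so those parts are optional.
FAST_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alert file: a scanning host (192.168.1.10) working over a
# target (192.168.1.20), a second host touching SMB, and one junk line.
SAMPLE_ALERTS = """\
09/09-20:56:50.123456  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.168.1.10 -> 192.168.1.20
09/09-20:56:51.000101  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.10:41234 -> 192.168.1.20:705
09/09-20:56:51.000377  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.10:41235 -> 192.168.1.20:705
09/09-20:56:52.500000  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 192.168.1.10 -> 192.168.1.20
09/09-20:57:03.250000  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.10:44100 -> 192.168.1.20:445
09/09-21:02:10.010000  [**] [1:2466:7] NETBIOS SMB-DS IPC$ unicode share access [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.11:3021 -> 192.168.1.20:445
this line is not an alert and must be skipped, not crash the report
"""


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line does not parse."""
    m = FAST_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def parse_alerts(text):
    """Parse every non-blank line; return (alerts, number_of_unparseable_lines)."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
        else:
            alerts.append(alert)
    return alerts, skipped


def summarize(alerts):
    """Count alerts by signature, source host, destination host/port and priority."""
    return {
        "total": len(alerts),
        "by_signature": Counter(f"{a['gid']}:{a['sid']} {a['msg']}" for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_dest": Counter(a["dst"] for a in alerts),
        "by_dport": Counter(a["dport"] for a in alerts if a["dport"] is not None),
        "by_priority": Counter(a["prio"] for a in alerts),
    }


def render_report(summary, skipped=0):
    """Plain-text version of the per-signature / per-host tables snortsnarf renders as HTML."""
    out = [f"Alerts parsed: {summary['total']} (unparseable lines skipped: {skipped})", ""]
    sections = (("By signature", "by_signature"), ("By source host", "by_source"),
                ("By destination host", "by_dest"), ("By destination port", "by_dport"),
                ("By priority", "by_priority"))
    for title, key in sections:
        out.append(title)
        for item, n in summary[key].most_common():
            out.append(f"  {n:4d}  {item}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    parsed, junk = parse_alerts(SAMPLE_ALERTS)
    print(render_report(summarize(parsed), junk))
```

To feed it a real file from the workflow in the post: save the Ethereal capture in libpcap format (or capture with tcpdump -w capture.pcap), replay it with snort -r capture.pcap -c snort.conf -A fast -l logdir, and point parse_alerts at the resulting logdir/alert file. Re-running the same capture against the SP4 box and diffing the two "By signature" tables is the comparison the post asks for.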

