Security Basics mailing list archives
Re: Security books, portals, blogs and videos
From: offset <offset () ubersecurity org>
Date: Tue, 12 Sep 2006 16:42:12 -0500
On Tue, Sep 12, 2006 at 12:24:24PM -0500, Bob Radvanovsky wrote:
> So...you think that simply doing good, hard work will get you recognized and noticed within your company? Interesting.

Some companies are better at this than others. If at some point you get bored or feel your career is stalling because of the company and the company is unwilling to resolve it, then move on. Those with marketable skills don't worry about finding work (it might involve moving, but there isn't a shortage of infosec work for people that know what they are doing).

> In my humble opinion, most (not all, but most) companies today have a slightly different attitude: "get what you can, as fast as you can". It says nothing about hard work or "paying your dues" (which is essentially what you are stipulating). I agree in that getting more actively involved within one's business organization, participating in the local communities is a "good thing"; however, there are a few more things (of which, you hit just a few) that many companies want in security folks today (of which, the TOP 3 factors are "INTERPERSONAL SKILLS"):

Ultimately it is a business relationship: you have skills the business needs, the market has a price, employee/company work out payment agreements (salary, bonus, benefits). Interpersonal skills are a given requirement; not everyone is cut out to be strong technically. Perhaps this varies on the type of infosec job; pen-testing requires both very strong technical skills and the ability to convey the results and solutions to a higher level audience (mostly involving excruciating use of PowerPoint). I've met way too many well dressed "consultants" that work for expensive consulting firms that run programs and dump out hundreds of pages of useless crap that I then waste my time telling them why their service is useless to me, because the work is in the analysis and application to the business rather than in the tools. Buyer beware applies here.

> 3. Dress nice and present yourself in a professional manner. If you are technically competent, can walk the walk, talk the talk, but dress like a slob, people won't ever believe you. Look the part, too.

You have to consider the audience/client. Some of the best pen-testers I know dress very differently than the typical corporate environment ;)

> 9. Research, research, research. Don't be a "book worm". Practice, practice, practice. If you have the time and/or money, build your own research laboratory. I know that I'm not the only one who has a private research lab. There are others out there, like me, who are inquisitive about things, ask a lot of questions, and do a lot of reading and researching. Remember: Google is your friend. Here are pictures of my lab: http://srvr1003.unixworks.net/www/unixworks.net/lab.cgi/uw-040722.

Agreed, applied research is the best part of InfoSec in my opinion. Not something I recommend, but it is interesting how many people got their start in infosec using other people's computers/networks.

-off
----- Original Message -----
From: offset [mailto:offset () ubersecurity org]
To: security-basics () securityfocus com
Subject: Re: Security books, portals, blogs and videos

I know way too many certified people that don't know sh*t in the trenches. Businesses that put too much emphasis on certs and not experience I would stay away from. Personally, I am more suspicious of someone with a lot of certs with no experience to back it up. If something is broken at 2am, you better figure it out or know how to get help. The business generally still pays the bills and they hired you to keep the business secure (even if the business in many cases is their own worst enemy (lack of funding, training, priorities)).

A UNIX admin wanting to jump to security? How good is your network of people? Do people know that you like security? Most jobs are through word of mouth/recommendations. Attend local security SIG user groups, volunteer to be the security advocate for your area of responsibility, do something in the field you want to pursue. Maintain the UNIX hardening scripts at your company, research security in the area that you already have strengths in, expand later.

At the end of the day, you have to know what you are doing, be very strong technically, and have good people skills. Having worked in the InfoSec field for a while, it was always great to have those with a security mindset that are closest to the systems, as no matter the level of separation of duties, you will have more success having a positive working relationship with the technical groups than an adversarial relationship. If a job opening presents itself in the InfoSec group, the security-minded technical person that I worked with previously would be high on my list of candidates.

-off

On Sat, Sep 09, 2006 at 10:32:43PM -0400, Miguel Valentin wrote:

I don't work in the security field nor am I certified in any security profession. I guarantee you that being a bookworm is not going to get you anywhere as far as a job is concerned. If you want further proof of this go to www.scmagazine.com and check out their story on certifications and the process required to get certified as a security professional. I work in Unix and have been since '95 and I've learned more from others in my field, hands-on / classroom training than from books alone. No one is going to hire someone, especially in the security field, just because you studied the books and passed the tests. A lot of what a security professional knows is derived from years spent working in I/T and he/she most likely progressed from System Administration positions to the security field. You must know your enemy in order to defeat your enemy!! Most security professionals have worked in I/T for approximately 10 or more years before jumping into the security field. You can't get that same knowledge and expertise from just reading books, blogs, or magazines. You're probably thinking that if I'm not certified in security then how would I know this? Because I keep up with what's going on not only in my own field, Unix, but everything that happens in I/T in general. I receive emails daily from SecurityFocus on different security-related topics and from other websites, magazines, and just plain ol' detective work on my part throughout the internet. Plus I also pick the brains of my fellow co-workers on what's going on that they may know that I missed. Does that give me the knowledge necessary to just read a few books and then take the exams to become certified as a security professional?? No!! Why?? Because I lack the daily hands-on knowledge necessary to know what to do, what to look for, how to use the various tools security professionals use when doing forensic work, and most of all the skills to do all this and present it to management in a manner in which they understand.

Plus everything else a security professional needs to know in order to be able to effectively market themselves. In other words, you have to know how to walk the talk. Paper certifications will get you nowhere if you can't show that you know how to do what is expected of you. In the early 90's when Novell was the King of Networks there were lots of guys out there selling themselves off as CNEs, CNAs, and whatever other title Novell gave out. But when they tackled their first assignment they fell flat on their face because they were what was then called "Paper CNEs" or "Paper CNAs". They took the same approach you're trying and it didn't do anything good except cause themselves much embarrassment and ultimately getting fired. Go around the internet a few times and find out exactly what is required in order to get into the security field CORRECTLY before going about it the way you intend to. Later on you'll be glad you did. ISC(2) is a good place to start and the SANS website is another, as is www.securityfocus.com. They have tons of information online to give you an idea of what is required and how to go about it. Good luck in whatever you choose to do!!

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of sun sadm
Sent: Saturday, September 09, 2006 11:50 AM
To: security-basics () securityfocus com
Subject: Security books, portals, blogs and videos

Hi colleague,

I have worked for a few years in Sun Solaris system administration. I wish to get a job as a security professional, rather than a UNIX guy. By autodidactic training I will get the necessary knowledge for information security.

- What books would you recommend to me? What's essential reading for every security guy?
- What blogs do you recommend?
- What print magazines and online portals?

Generally speaking: What did you do to get a job in the security field?

thanks
Nico