From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Wed May 21 2003 - 23:07:52 MDT
Michael M. Butler wrote,
> Thanks for posting this resource, Harvey.
>
> This raises the question: how does one get started in network/computer
> security work? I consider it a short hop from some of the kinds of testing
> I've done, which includes looking for buffer vulnerabilities, etc. But I
> probably could use some mentoring, and who would be willing to do that?
I got my start in software development and network development, and moved
from there to quality control and beta-testing like it sounds you do.
Quality, debugging, testing, and evaluation are all parts of the big
security picture. It sounds like you are already on your way to becoming a
security person. The whole point of security is making technology do what
it is supposed to (and not what it isn't).
As for who would mentor you, there are a number of professional training
courses that lead to security certifications. SANS would be a good start
for beginners. CISSP for professionals. CISA for security auditing. CISM
for management. The NSA's Infosec Assessment Methodology for government
contractors doing security.
Working in the telecomm industry or network industry is a good place to
evolve into network security. Being a software developer, especially with
databases and corporate applications, is a good place to evolve into
application security. Any military or aerospace subcontractor work also
runs into a lot of security requirements, and can evolve into security. A
subspecialty in encryption would involve higher mathematical skills evolving
into encryption algorithms.
For someone wanting to move into the security field, I would say software
plus networks, and then learn security. Security certifications are good,
since they lay out and then test a specific set of security skills.
Consulting work or project management work is also very useful. Half of
security is evaluating requirements and making sure they are really met, or
looking at a design or plan and envisioning how it can go wrong and what can
be done to prevent problems. Many implementers simply apply straightforward
logic to doing something that they expect to work, and are totally
surprised when it goes haywire. If someone is good at debugging, testing,
or foreseeing consequences that others don't, they would be an excellent
candidate for security work.
These are the "regular" paths toward security. "Irregular" paths might
include a semi-criminal background in hacking or snooping. Gaining
expertise with underground tools. Learning tricks of the trade from other
hackers. Figuring out the ways things really work under the covers, and
figuring out ways around expected behaviors, all provide a lot of
experience. This is a dangerous method to enter the field, however. It
might be useful if someone had such a colorful background already, since
they could draw on those years of experience. But if someone did not have
that background, it is probably not a good path toward career development.
There is so much hype, and so many bogus wanna-be's on the Internet, that I
doubt a newcomer to the underground could figure out what was real and what wasn't.
-- Harvey Newstrom, CISSP, IAM, GSEC, IBMCP <www.HarveyNewstrom.com> <www.Newstaff.com>
This archive was generated by hypermail 2.1.5 : Wed May 21 2003 - 23:22:47 MDT