How can I get started in the security business?

am 30.09.2006 00:52:31 von r_stringer66

Hi there,

I am a software developer with around ten years of experience. Recently
I have become very interested in obtaining a career in the computer
security business as a security auditor or security analyst.

I know that there are a number of certifications available such as the CISA
and CISSP which give someone the qualifications to get a good job.
However most of these certifications require prior experience in the
security business.

So the question is how does one get started in this field quickly?
Because it seems to me that it's a catch-22 problem: with no
experience no one will give me a job, and without a job I will never get
the experience.

I would think that my computer experience, developing some security-
related software, and a degree in computer science don't make it too
impossible for me to get my foot through the door.

If anyone has any suggestions/tips, or personal experiences in regards
to that, I would greatly appreciate it if you could share them with me.

Thanks,
Rob

Re: How can I get started in the security business?

am 30.09.2006 01:42:35 von roberson

In article <1159570351.827554.315340@i42g2000cwa.googlegroups.com>,
bob wrote:
>I have become very interested in obtaining a career in the computer
>security business as a security auditor or security analyst.

>So the question is how does one get started in this field quickly?

> I would think that my computer experience, developing some security-
>related software, and a degree in computer science don't make it too
>impossible for me to get my foot through the door.

I don't mean anything personal by this, but I wouldn't hire you
as a security auditor or security analyst if those were your credentials.

In the security business, your degree in computer science mostly just
means that you've proven that you're able to pay attention to something
over a period of years. There isn't much security related in a typical
computer science degree. If you went in for a math or advanced logic
theory subspecialty then you might be able to do theoretical security
work (e.g., cryptography theory, security protocols, formal proofs).

Beyond that... I'd be asking myself "Okay, he has a CS degree... so
how many useless practices is he going to have to *unlearn* in order
to be effective at security?"

"Developing some security software"; if you weren't -already- in
the security business when you developed the software, I'd be wondering
where you've hidden the bottle of "snake oil". There is so much that
can go wrong in security, and there are so many people who think they've
developed something fool-proof because they've gotten a concept stuck
in their head and never even heard of particular kinds of practical
or theoretical attacks.


You're a programmer? Tell me, then, how do you feel about debugging?
How do you feel about taking someone -else's- badly commented
and buggy code and figuring out not only what it is -intended- to do,
but also rewriting it so that it does it, even if that means
weeks of mechanically adding checks on the return status of every
library call, including every printf()? If that kind of work
frustrates you, you don't have what it takes to implement good
security -- because good security requires the mindset that
getting the details right is -important-, that the Land Sharks
will claim to be a Pizza Delivery if that's what it takes to get
them through the door.

Re: How can I get started in the security business?

am 30.09.2006 23:06:13 von r_stringer66

Hey Walter,

I didn't say that my CS degree will make me qualified right now; all I
am asking is what path should I take so that I can get there. I am
looking for a road map.

I don't believe your analogy to debugging is relevant. I like
debugging and I am pretty darn good at it. The reason for me wanting to
switch is the fact that I find computer security very fascinating and
more challenging. It's not that I am looking for an alternate route to
get rid of the frustrations that programming has caused me; in fact it
has been very good to me, I've never found myself without a job.

So I appreciate your input, however I refuse to believe that it is
impossible for me to make a start in this business, which is sort of
the message you are sending.

So if you have any input as to how to steer towards that path, I would
appreciate it if you could share it.

Regards,
Rob

Walter Roberson wrote:
> In article <1159570351.827554.315340@i42g2000cwa.googlegroups.com>,
> bob wrote:
> >I have become very interested in obtaining a career in the computer
> >security business as a security auditor or security analyst.
>
> >So the question is how does one get started in this field quickly?
>
> > I would think that my computer experience, developing some security-
> >related software, and a degree in computer science don't make it too
> >impossible for me to get my foot through the door.
>
> I don't mean anything personal by this, but I wouldn't hire you
> as a security auditor or security analyst if those were your credentials.
>
> In the security business, your degree in computer science mostly just
> means that you've proven that you're able to pay attention to something
> over a period of years. There isn't much security related in a typical
> computer science degree. If you went in for a math or advanced logic
> theory subspecialty then you might be able to do theoretical security
> work (e.g., cryptography theory, security protocols, formal proofs).
>
> Beyond that... I'd be asking myself "Okay, he has a CS degree... so
> how many useless practices is he going to have to *unlearn* in order
> to be effective at security?"
>
> "Developing some security software"; if you weren't -already- in
> the security business when you developed the software, I'd be wondering
> where you've hidden the bottle of "snake oil". There is so much that
> can go wrong in security, and there are so many people who think they've
> developed something fool-proof because they've gotten a concept stuck
> in their head and never even heard of particular kinds of practical
> or theoretical attacks.
>
>
> You're a programmer? Tell me, then, how do you feel about debugging?
> How do you feel about taking someone -else's- badly commented
> and buggy code and figuring out not only what it is -intended- to do,
> but also rewriting it so that it does it, even if that means
> weeks of mechanically adding checks on the return status of every
> library call, including every printf()? If that kind of work
> frustrates you, you don't have what it takes to implement good
> security -- because good security requires the mindset that
> getting the details right is -important-, that the Land Sharks
> will claim to be a Pizza Delivery if that's what it takes to get
> them through the door.

Re: How can I get started in the security business?

am 30.09.2006 23:50:35 von hans

On 30 Sep 2006 14:06:13 -0700, bob wrote:
> Hey Walter,
>
> I didn't say that my CS degree will make me qualified right now; all I
> am asking is what path should I take so that I can get there. I am
> looking for a road map.

A road map is always a good idea. Trying to set a goal for yourself is
indeed the best way, but I do not think the current education system can
provide it to anyone.

> I don't believe your analogy to debugging is relevant.

It is. Once you start looking into projects to see if you can provide
any additional security you will need to deal with how people set up their
code/flow. Debugging is part of it.

> I like
> debugging and I am pretty darn good at it. The reason for me wanting to
> switch is the fact that I find computer security very fascinating and
> more challenging. It's not that I am looking for an alternate route to
> get rid of the frustrations that programming has caused me; in fact it
> has been very good to me, I've never found myself without a job.

Having a job will not mean it is satisfying :-)

B.t.w., please fix your quoting. It is hard to set up a discussion with top
quoters....

Hans
--
IM: hans.wolters@jabber.xs4all.nl
http://lonki.xs4all.nl

Re: How can I get started in the security business?

am 01.10.2006 03:55:21 von Frank Oz

Hi Bob, there's a pen-tester certification available called "Certified
Ethical Hacker" by EC-Council. www.eccouncil.org

This course teaches you to hack Microsoft and Linux OSs, and webservers,
etc.... Great, great course.

I had to go to Washington to get trained. The instructor there also
teaches the FBI, CIA and Navy Seals. The school is called Vigilar.

But if you're from Montreal, there might be a SANS course as well.

Also, go to www.securityfocus.com and subscribe to the postings. There's
some great info there too.

Good luck !


Frank OZ
Master CNE , CDE, CLP, Certified Ethical Hacker
jedi31337@gmail.com

Re: How can I get started in the security business?

am 01.10.2006 04:07:39 von roberson

In article <1159650373.038559.249970@i3g2000cwc.googlegroups.com>,
bob wrote:

>I didn't say that my CS degree will make me qualified right now; all I
>am asking is what path should I take so that I can get there. I am
>looking for a road map.

>I don't believe your analogy to debugging is relevant.

There are a small number of major branches of security work:

- academic and theoretical work, such as cryptography (e.g.,
public key cryptography, or new encryption algorithms), key exchange
theory (e.g., zero knowledge proofs), finding new theoretical attacks
(e.g., the "birthday paradox" collision attacks on MD5), invention
of new security mechanisms (e.g., better face recognition algorithms),
formal studies of how organizations are actually implementing security
and whether it is working for them, formal studies of whether
security devices actually work (e.g., the Dutch study a couple of
years ago that showed trivial attacks on fingerprint readers),
and studies on security in public interests such as voting machines
(e.g., Avi Rubin, Rebecca Mercuri).

- formal security process modeling, requirements analysis, documentation,
and compliance checking (security analysts and auditors)

- virus/trojan/malware related work (development of, protection against)

- "front line" security related work (the people who have to
protect real networks)


Your CS degree could hypothetically provide a lead-in to the academic
side, but is -unlikely- to in practice. Professors in charge of graduate
studies programs have told me that *in practice*, very few people
successfully come back from working careers into advanced degrees:
one has to be -highly- motivated to put up with all the aggravation
that a typical PhD student is put through. And darn, the kids need
orthodontics, so "I'll just take this semester off to earn money for
that"... and few make it back from that (or the new house that has
to be saved for, etc., etc.).


Your CS degree -might- have given you a taste of formal design
specifications and requirements analysis. Your years of work might well
have thrown all that out the window because The Product Must Ship.
You might have been one of the lucky ones that worked in a place
that really cared about changing -processes- to reduce errors: if so,
that experience would be *much* more valuable to security work than
your CS degree.

Keep in mind, though, that a security auditor is an *auditor* --
which can be mostly paperwork and process checking. To be the
kind of auditor that notices the "crooked books" (companies hiding
their true security practices, or intruders who have surreptitiously taken
control), it is usually best to already have been on the front lines
and to have experienced security life "behind the scenes".


Very few CS degrees that I've heard of offer courses on malware;
I think I've heard of one in Scotland and two in the USA. Maybe
there are more by now.


That brings us to front line security, in which I mostly refer to
the (generally) unloved and underfunded people who actually have to
make the security *work* in an organization; but I also include those who
provide direct support for that kind of effort by working on
intrusion detection and real log file analysis. Programming
skills can certainly help in this kind of work, in providing the
ability to write or adapt or repair probe programs and analysis tools;
and good knowledge of how networking really works helps a lot.
But those are more a function of experience than of anything gained
through a CS degree. A CS degree might give you the confidence that
your programs will work reasonably well (instead of a perpetual
feeling of "I hacked as best I could"), but the actual programming
is typically an adjunct, not the bulk of the work.

To my mind, there is no academic substitute for front line security
experience, for having been there and done that and having lived
with the panic of security crises. And of having dealt with
the people who think it is their "right" to watch multimedia at work,
or their right to have a backdoor to their system at home or from
home to their system at work. And to have figured out what to do about
the people who write their passwords on a post-it note on their screen,
or who demand administrator access. If you haven't had to talk a boss
*out* of a planned security measure then you probably don't know
law and rights and court cases and company policy as well as you should.

I know this harkens back to the old "Certification or Experience"
debates; you can probably tell that I generally favour Experience.
Not that I disdain academic works: they can be very valuable in
providing new ways to think about matters. But books get shut, and
professors and instructors go home at night, and security crises don't...


>I like
>debugging and I am pretty darn good at it.

I wasn't being facetious or irrelevant: in my experience, there
are quite close ties between the skills used in serious debugging
and remediation and QA, and the skills used in practical security.
Both benefit greatly from strong skills in analysis and pattern
recognition (very quickly seeing something the slightest bit odd
as being "wrong"); benefit from the perversity of mind to not see the
shiny image of what the program or process -should- do, but instead
see myriad ways that the program or process could go wrong; and
benefit from the QA-type fire to get it *right*. At the same time,
though, a person doing practical security work has to recognize
budgets, and time limits, and politics, and personalities, and overwork,
and to do the important things first... even if it sometimes means
doing what *has* to be done instead of what you've been told to do.


But as for a road map for getting from where you are to where you
want to go: sorry, I don't really have one. I think I'd suggest
starting with getting a business firewall and tossing it on your
network at home and learning how to extract all the information you
can from it. But I'd also suggest that for learning purposes, it
might be very instructive to get one of the open source honeypots
and study it and implement it; see for example the article at
http://www.securityfocus.com/infocus/1659
And if you were to look at Nessus and were to learn what it scanned
for and why, you'd have learned a lot.

Re: How can I get started in the security business?

am 01.10.2006 14:14:13 von lahippel

bob wrote:

> Hey Walter,
>
> I didn't say that my CS degree will make me qualified right now; all I
> am asking is what path should I take so that I can get there. I am
> looking for a road map.

The problem is here:
>> >So the question is how does one get started in this field quickly?

There is no royal road. You have to start slowly, first building up a good
reputation. Work in a team that focuses on security, maybe get some of the
courses, etc. After a few years your CV may look credible enough to start
on your own.

-- Lassi