Welcome to securityCRUSH

Welcome to the securityCRUSH blog, a place where you can find random musings as well as postings relevant to information security, penetration testing, and my latest projects - Daniel Wood.

Friday, February 17, 2012

Separating yourself from the herd

Perhaps this could also be entitled: How to specialize and carve a niche for yourself while becoming a subject matter expert (SME).  

If you’re just getting started, or thinking about jumping into Information Security as a career, you may not know where to begin.  From my experience, a lot of professionals get started by conducting security assessments, whether it’s FISMA SA&A’s (formerly C&A’s) within the government realm, or Security Impact Assessments as Jr. Analysts.

SANS has put together a great list of the Top 20 Coolest Jobs in Information Security that provides a ‘How to be Successful’ blurb for each role.  Below is the list, however, I’ve stricken out the roles in the list that I don’t agree with:

  1. Information Security Crime Investigator/Forensics Expert
  2. System, Network, and/or Web Penetration Tester
  3. Forensic Analyst (this can be lumped into #1)
  4. Incident Responder
  5. Security Architect
  6. Malware Analyst
  7. Network Security Engineer
  8. Security Analyst
  9. Computer Crime Investigator (again this can be lumped into #1)
  10. CISO/ISO or Director of Security (this doesn’t happen until you’ve already shown your expertise…usually)
  11. Application Penetration Tester
  12. Security Operations Center Analyst (this is more of a hybrid of #7/#8 and only applies if you’re in a SOC)
  13. Prosecutor Specializing in Information Security Crime
  14. Technical Director and Deputy CISO
  15. Intrusion Analyst (see #4)
  16. Vulnerability Researcher/ Exploit Developer
  17. Security Auditor (being an auditor does not require specialization, generally speaking)
  18. Security-savvy Software Developer
  19. Security Maven in an Application Developer Organization
  20. Disaster Recovery/Business Continuity Analyst/Manager (related to #4)

Don’t get me wrong, SANS’s list is great and extremely helpful, however, I view it as a bit too high level.  If you really want to get into the weeds and deeper in security, I suggest following these few principles:

  1. Choose a technical area that interests you and start learning more about it, whether through online articles, technical reference books, or free tutorials.  For example, if you want to get into penetration testing, I highly suggest picking up several introductory books (see my reading list post), and if you don’t know a programming language, start learning basic HTML, Perl, ASP, JavaScript, databases (SQL), PHP, and XML.  These are just primers to get you started.  It helps to use multiple references for learning and pick what works best for you.  Don’t forget to practice, practice, practice!
  2. Learn a new technology, whether it’s firewalls, intrusion detection, or log analysis.  If you’re stuck in an analyst position and are looking for a way to carve that niche, knowing Cisco routing and firewall configuration principles will definitely help with transitioning over to a position as a Network Security Engineer (#7 on the list).
  3. Don’t be afraid to ask your project manager for added responsibility, or volunteer for it.  Showing that you are eager to contribute will increase your added value to the team or company, thus making you more indispensable than, say, poor Billy, who only does what he’s done a million times before and is essentially a paper pusher with no drive.
  4. Contribute to the security community.  Showing that you know your stuff and are willing to share it with others will help make a good name for yourself.  Perhaps start off by tutoring your coworkers, or when there’s a company training event, volunteer to conduct a training workshop for the company.
  5. Lastly, being a lifelong student is key.  Learning something new on a regular basis is what keeps our minds sharp.  If you are constantly learning and practicing, you will only get better and your knowledge base will only continue to grow.  This can only help your career.  When hiring someone, I take a look at what they’ve done and what they’re currently doing.  I’m not satisfied with a snapshot in time.  I want a dynamic candidate, not someone who is stagnant and happy just doing their job.

With all this being said, remember to choose what interests you and what excites you.  Don’t be satisfied with the status quo - get out there and challenge yourself!

-sC

Friday, February 3, 2012

What it takes to be an "ethical hacker"

Forget all the glitz and glamour that Hollywood would lead you to believe.  Being an “ethical hacker” (sic penetration tester) as a profession is an extremely difficult job with its fair share of ups and downs.

As a pen tester you are required to be the foremost technical subject matter expert on many different topics.  Businesses, organizations and large corporations rely on you not only to find every vulnerability within their architecture (hardware AND software), but also to give them accurate and precise information on how to protect themselves and mitigate these vulnerabilities.  This requires you to understand the underlying technology behind networking, specific server OSes and how they integrate with the application layer, services and middleware, etc.

Without knowing these things you cannot be a successful pen tester; the onus is on us to learn as much as we can, all the time, as the environment we are working within is ever evolving.  We have to wear the hat of a programmer occasionally, which requires us to know scripting languages, and we have to be experts in COTS tools as well as open source tools.  We also have to be technical writers, as what good is finding vulnerabilities if we don’t report them?

If you want to be a truly successful “ethical hacker”, penetration tester, cyber security engineer, etc., it is up to YOU to learn as much as you can, all the time.  The satisfaction you can feel once you reach a certain level of knowledge and practical skill can be awe-inspiring; however, when you snap out of it you start to feel as if you truly know nothing again, as everything around you is constantly changing while new research in different fields progresses and new technologies emerge.

Becoming a student for life is key.  Through dedication and persistence you can accomplish anything.

P.S. I hate the term "ethical hacker" - let's ditch the buzz word...

- sC