Created: September 4, 2002
Updated: November 6, 2008
Author: Steve Hailey
You'll hear me say it in the free seminars and talks
I give in the Pacific Northwest. You'll hear me say
it in my classes. Information security and computer
forensics are the skills that will continue to be
In the 80's as a Computer Specialist for the Department
of Defense, we used to joke at how locking up the
server hard drives in a safe at the end of our shift
was overkill. We used computers and printers that
were surrounded by wire mesh so that eavesdropping
on these devices was not possible. I remember thinking
that the only type of data folks would need to take
these extreme measures with would have to belong to
the Government. My how things have changed.
Hiring in the Information Technology sector has slowed.
Many of you with experience and certifications to
boot are having a hard time finding employment. Hiring
for information security however has not slowed. If
you can wade through the myriad of security certifications
out there and select one to go after that's actually
worth it's weight, you'll be ahead of the pack, and
everything else being equal - more employable.
How does one get started?
I'm taking for granted here that you are new to Information
Technology and starting from ground zero. If that's
not the case, simply disregard that which does not
apply to you. Keep in mind that although we mention
certifications throughout this article, college level
certificate and degree programs can be just as beneficial.
Look for certificate and degree programs however that
offer courses of instruction that will help you obtain
your certifications in addition to your certificate
First, you need a strong foundation in the essentials.
If you are new to Information Technology, I recommend
the A+ and Network+ training at a minimum. The Cisco
CCNA class would be a big plus, as well as training
in Linux and at least one of the Microsoft server
products, such as Windows 2000. For these, I recommend
the Linux+ training, and a course such as Implementing
Microsoft Windows 2000 Professional and Server.
If you don't already have one, setup a network at
home. I recommend that you have at least three computers,
at a minimum and go with removable hard drives. While
this sounds costly, you'll find some pretty good deals
at used computer stores you have in your area. Be
inventive. Put an ad in your local paper offering
to dispose of old computers for free. You don't need
the latest and greatest. Here in the Pacific Northwest,
we can find used Pentium's at the Boeing surplus for
$100.00 per system. You don't need loads of RAM for
these home systems, but I suggest at least 1 GB per
system as an absolute minimum.
Why three computers? You'll use one as a client,
one as a server, and one as either an intrusion detection
system or firewall. The removable hard drives will
allow you to switch operating systems around with
ease, and will also allow you to familiarize yourself
with new operating system versions as they come out.
Not very many production systems (the systems people
use to do their day to day work) are dual boot systems,
although they are convenient in a classroom/learning
You'll want to practice everything you learn in class
over and over at home. When you encounter errors and
problems, make it a habit of searching for the error
message or problem specifics within news groups, search
engines, sites such as www.technet.com and www.linux.com.
Good trouble-shooters (the kind that always appear
to know everything) have the ability to find the information
they need quickly.
When you become familiar with setting up systems
and getting Windows/Linux to run properly at home,
volunteer to setup and maintain networks somewhere.
Contact your local United Way chapter or other charitable
organization and volunteer as many hours a week as
you can spare. You'll be helping out a good cause,
and will be racking up hours of real work experience.
Volunteer to help your instructor setup and troubleshoot
the classroom network as well, if you are taking classes
near your home. Please don't tell me you can't find
a charity - in Washington state alone, this
site should serve as a great starting point. The
charities won't come to you - contact them and see
what technology related work you can do for them.
I've been telling my students about gaining experience
through volunteering now for around three years, and
several students have received rave letters of recommendations
from the charities they helped. This helped the students
to land jobs.
Pass your tests
Take your certification tests before you proceed
on with security training. I see too many students
"put this off" and they never get around
to it. With little or no experience, it will be impossible
to get your foot in the door with an entry-level position
if you do not have your certs. This is something you
must do - make it a priority.
Spread the word
At this point, get your resume out to contract and
temporary agencies. These organizations are typically
asked to fill the needs of companies that have periodic
requirements for increased IT staff due to relocating
parts of the company, and/or new operating system
rollouts. These types of jobs are worth their weight
in gold when it comes to gaining experience. If you've
got the right stuff you might even be offered a full-time
Now you are ready for some security training - but
which classes should you take? Currently, I recommend
the Security+ course to start with, then the Security
Certified Program. Shy away from vendor specific training
until you have the "big picture" when it
comes to information security. The SANS courses are
some of the best, but can be cost prohibitive, and
are not offered everywhere. Please - don't take online
or computer based training to earn your security credentials
unless you are already a seasoned IT professional.
As a prospective employer, I want to see proof of
your training and experience. I can't take the chance
with my data and security - sorry. The Security Certified
Program is a well-rounded course of instruction that
will give you enough information for a solid foothold
in the world of Information Security. As well, many
colleges are now offering certificate programs or
degrees that use some of the certification course
materials - this is a plus.
I also recommend the CIW Security course which is
shorter than the Security Certified Program courses.
If you cannot afford the SCP courses right away, take
the CIW Foundations and the CIW Security Professional.
You might be able to self-study for the CIW Foundations
test as well, but you'll need this before you will
be awarded the CIW Security Professional designation.
In all cases, start out with the Comptia Security+
course first, or some type of "Introduction to
Information Security" course.
If you are taking information security courses at
a college, working towards a certificate or degree,
make sure your training covers the ten security domains:
Access Control Systems & Methodology
Applications & Systems Development
Business Continuity Planning
Law, Investigation & Ethics
Security Architecture & Models
Security Management Practices
Telecommunications, Network & Internet Security
Yes folks - being an information security professional
requires knowing a bit more than how to setup a firewall
or virtual private network.
Keep in mind that eventually you'll want to shoot
for the CISSP certification. Some folks will disagree
with me on this one. Regardless, the CISSP certification
is the Daddy of all information security certifications,
and many information security jobs require it. My
advice is to start preparing for it now instead of
For your beginning computer
forensics training, you'll obviously want to take
that from us. Seriously, our program is good and
so is the training offered by many other institutions
as well. We strongly suggest that whatever training
you take includes instruction on using manual forensic
methods as well as automated. We want to stress that
being able to recover and extract data from a computer
system using sound forensic methods is but one part
of computer forensics. Properly interpreting the data
you recover or extract is the most important - we
cannot overemphasize this point. We can show you how
to recover and extract data in a matter of hours.
If you cannot properly interpret what you have, you
have no business representing your findings, and you
certainly have no business advising a lawyer or member
of law enforcement.
Shopping for your instructor
A good instructor is important for your success.
With so many folks hanging out a shingle and offering
security and computer forensics training, whom do
you pick? My advice is to interview prospective instructors.
Hey, you're paying good money for the instruction.
Treat this as any other major purchase you would make
such as a car or home.
If you are interested in computer forensics, you
should look for an instructor that actually does work
as a computer forensic examiner and/or expert technical
witness. Sorry folks, merely picking up a book on
the topic and running through a few exercises does
not show mastery. At the very least, find an instructor
that has been trained by someone that does do this
type of work for real - not just in the classroom.
My computer forensics students have the opportunity
to work with me on real cases. This does a world of
good for their resumes and confidence level.
Ask questions such as:
How many years of information technology experience
do you have?
How many years of security and/or computer forensics
experience do you have? Can you give me specific examples
of when you worked in an information security or computer
How many times have you instructed the classes I'm
Do you currently do any security and/or computer
forensics work outside of teaching?
Are you a member of any security/computer forensics
Which security specific certifications do you possess?
Can you provide me with any student references?
Will you be willing to answer questions from me after
class is completed?
You get the point. Be your own judge. If an instructor
does not want to answer these questions, or will not
give you a straight answer, move on.
Don't be a sucker
Understand that we instructors are also salesmen/saleswomen.
We make money when you take our classes. There are
an unscrupulous few that will try to sell you classes
that have little or no value in helping you to get
your foot in the door or perhaps advance your existing
career. Understand that you don't need every single
certification available. A new certification and all
of the hoopla that goes along with it might make you
think you need it now to maintain the edge. Give it
time, see what other people have to say about it,
and ask people that have taken the training if it
really helped them. Also, see how many employers start
to ask for or require the certification..
Do your own research. Conduct searches on job listing
type of Web sites (Monster.com) as well as the help
wanted sections of newspapers that are online. Use
keywords related to the training you are thinking
about taking, such as:
Take advice from those that have actually done, not
just taught. If this doesn't make sense, see the section
on interviewing your instructor. If someone tells
you to take this this or that type of training because
it can lead to employment, ask them to show you their