Created: September 4, 2002
Updated: November 6, 2007
Author: Steve Hailey
You'll hear me say it in the free seminars and talks
I give in the Pacific Northwest. You'll hear me say
it in my classes. Information security and computer
forensics are the skills that will continue to be
in demand.
In the 80's as a Computer Specialist for the Department
of Defense, we used to joke at how locking up the
server hard drives in a safe at the end of our shift
was overkill. We used computers and printers that
were surrounded by wire mesh so that eavesdropping
on these devices was not possible. I remember thinking
that the only type of data folks would need to take
these extreme measures with would have to belong to
the Government. My, how things have changed.
Hiring in the Information Technology sector has slowed.
Many of you with experience and certifications to
boot are having a hard time finding employment. Hiring
for information security however has not slowed. If
you can wade through the myriad of security certifications
out there and select one to go after that's actually
worth its weight, you'll be ahead of the pack, and
everything else being equal - more employable.
How does one get started?
I'm taking for granted here that you are new to Information
Technology and starting from ground zero. If that's
not the case, simply disregard that which does not
apply to you. Keep in mind that although we mention
certifications throughout this article, college level
certificate and degree programs can be just as beneficial.
Look for certificate and degree programs however that
offer courses of instruction that will help you obtain
your certifications in addition to your certificate
or degree.
First, you need a strong foundation in the essentials.
If you are new to Information Technology, I recommend
the A+ and Network+ training at a minimum. The Cisco
CCNA class would be a big plus, as well as training
in Linux and at least one of the Microsoft server
products, such as Windows 2000. For these, I recommend
the Linux+ training, and a course such as Implementing
Microsoft Windows 2000 Professional and Server.
If you don't already have one, set up a network at
home. I recommend that you have at least three computers
at a minimum, and go with removable hard drives. While
this sounds costly, you'll find some pretty good deals
at used computer stores you have in your area. Be
inventive. Put an ad in your local paper offering
to dispose of old computers for free. You don't need
the latest and greatest. Here in the Pacific Northwest,
we can find used Pentiums at the Boeing surplus for
$100.00 per system. You don't need loads of RAM for
these home systems, but I suggest at least 1 GB per
system as an absolute minimum.
Why three computers? You'll use one as a client,
one as a server, and one as either an intrusion detection
system or firewall. The removable hard drives will
allow you to switch operating systems around with
ease, and will also allow you to familiarize yourself
with new operating system versions as they come out.
Not very many production systems (the systems people
use to do their day to day work) are dual boot systems,
although they are convenient in a classroom/learning
environment.
You'll want to practice everything you learn in class
over and over at home. When you encounter errors and
problems, make it a habit of searching for the error
message or problem specifics within news groups, search
engines, and sites such as www.technet.com and www.linux.com.
Good trouble-shooters (the kind that always appear
to know everything) have the ability to find the information
they need quickly.
When you become familiar with setting up systems
and getting Windows/Linux to run properly at home,
volunteer to set up and maintain networks somewhere.
Contact your local United Way chapter or other charitable
organization and volunteer as many hours a week as
you can spare. You'll be helping out a good cause,
and will be racking up hours of real work experience.
Volunteer to help your instructor set up and troubleshoot
the classroom network as well, if you are taking classes
near your home. Please don't tell me you can't find
a charity - in Washington state alone, this
site should serve as a great starting point. The
charities won't come to you - contact them and see
what technology related work you can do for them.
I've been telling my students about gaining experience
through volunteering now for around three years, and
several students have received rave letters of recommendation
from the charities they helped. This helped the students
to land jobs.
Pass your tests
Take your certification tests before you proceed
on with security training. I see too many students
"put this off" and they never get around
to it. With little or no experience, it will be impossible
to get your foot in the door with an entry-level position
if you do not have your certs. This is something you
must do - make it a priority.
Spread the word
At this point, get your resume out to contract and
temporary agencies. These organizations are typically
asked to fill the needs of companies that have periodic
requirements for increased IT staff due to relocating
parts of the company, and/or new operating system
rollouts. These types of jobs are worth their weight
in gold when it comes to gaining experience. If you've
got the right stuff you might even be offered a full-time
position.
Training
Now you are ready for some security training - but
which classes should you take? Currently, I recommend
the Security+ course to start with, then the Security
Certified Program. Shy away from vendor specific training
until you have the "big picture" when it
comes to information security. The SANS courses are
some of the best, but can be cost prohibitive, and
are not offered everywhere. Please - don't take online
or computer based training to earn your security credentials
unless you are already a seasoned IT professional.
As a prospective employer, I want to see proof of
your training and experience. I can't take the chance
with my data and security - sorry. The Security Certified
Program is a well-rounded course of instruction that
will give you enough information for a solid foothold
in the world of Information Security. As well, many
colleges are now offering certificate programs or
degrees that use some of the certification course
materials - this is a plus.
I also recommend the CIW Security course which is
shorter than the Security Certified Program courses.
If you cannot afford the SCP courses right away, take
the CIW Foundations and the CIW Security Professional.
You might be able to self-study for the CIW Foundations
test as well, but you'll need this before you will
be awarded the CIW Security Professional designation.
In all cases, start out with the CompTIA Security+
course first, or some type of "Introduction to
Information Security" course.
If you are taking information security courses at
a college, working towards a certificate or degree,
make sure your training covers the ten security domains:
Access Control Systems & Methodology
Applications & Systems Development
Business Continuity Planning
Cryptography
Law, Investigation & Ethics
Operations Security
Physical Security
Security Architecture & Models
Security Management Practices
Telecommunications, Network & Internet Security
Yes folks - being an information security professional
requires knowing a bit more than how to set up a firewall
or virtual private network.
Keep in mind that eventually you'll want to shoot
for the CISSP certification. Some folks will disagree
with me on this one. Regardless, the CISSP certification
is the Daddy of all information security certifications,
and many information security jobs require it. My
advice is to start preparing for it now instead of
bucking it.
For your beginning computer
forensics training, you'll obviously want to take
that from us. Seriously, our program is good and
so is the training offered by many other institutions.
We strongly suggest that whatever training
you take includes instruction on using manual forensic
methods as well as automated. We want to stress that
being able to recover and extract data from a computer
system using sound forensic methods is but one part
of computer forensics. Properly interpreting the data
you recover or extract is the most important - we
cannot overemphasize this point. We can show you how
to recover and extract data in a matter of hours.
If you cannot properly interpret what you have, you
have no business representing your findings, and you
certainly have no business advising a lawyer or member
of law enforcement.
Shopping for your instructor
A good instructor is important for your success.
With so many folks hanging out a shingle and offering
security and computer forensics training, whom do
you pick? My advice is to interview prospective instructors.
Hey, you're paying good money for the instruction.
Treat this as any other major purchase you would make
such as a car or home.
If you are interested in computer forensics, you
should look for an instructor that actually does work
as a computer forensic examiner and/or expert technical
witness. Sorry folks, merely picking up a book on
the topic and running through a few exercises does
not show mastery. At the very least, find an instructor
that has been trained by someone that does do this
type of work for real - not just in the classroom.
My computer forensics students have the opportunity
to work with me on real cases. This does a world of
good for their resumes and confidence level.
Ask questions such as:
How many years of information technology experience
do you have?
How many years of security and/or computer forensics
experience do you have? Can you give me specific examples
of when you worked in an information security or computer
forensics capacity?
How many times have you instructed the classes I'm
interested in?
Do you currently do any security and/or computer
forensics work outside of teaching?
Are you a member of any security/computer forensics
related organizations?
Which security specific certifications do you possess?
Can you provide me with any student references?
Will you be willing to answer questions from me after
class is completed?
You get the point. Be your own judge. If an instructor
does not want to answer these questions, or will not
give you a straight answer, move on.
Don't be a sucker
Understand that we instructors are also salesmen/saleswomen.
We make money when you take our classes. There are
an unscrupulous few that will try to sell you classes
that have little or no value in helping you to get
your foot in the door or perhaps advance your existing
career. Understand that you don't need every single
certification available. A new certification and all
of the hoopla that goes along with it might make you
think you need it now to maintain the edge. Give it
time, see what other people have to say about it,
and ask people that have taken the training if it
really helped them. Also, see how many employers start
to ask for or require the certification.
Do your own research. Conduct searches on job listing
type of Web sites (Monster.com) as well as the help
wanted sections of newspapers that are online. Use
keywords related to the training you are thinking
about taking, such as:
computer security
computer forensics
networking
incident response
Take advice from those that have actually done, not
just taught. If this doesn't make sense, see the section
on interviewing your instructor. If someone tells
you to take this or that type of training because
it can lead to employment, ask them to show you their
information sources, or what they are basing their
statements on.
Prices
Usually when it comes to training, you get what you
pay for. You'll run into situations where the same
class is offered for half the price somewhere else.
I'll refer you back to interviewing your instructor.
In most cases, you'll find the higher priced classes
have more stringent experience requirements for the
instructors, and that the instructors can therefore
command a higher wage - thus the higher price. Also,
physically check out the training location. Are the
classrooms well equipped? Will you be learning on
modern equipment, or old equipment that was donated?
You get the picture.
Also, look for schools that have "open lab"
time where you could come in and get additional hands-on
practice. A school that offers a free retake of the entire
course or a portion thereof is a big plus as well.
Regardless of the instructor and your eagerness to
learn, certification courses can be like trying to
drink water out of a fire hose. You might need some
additional exposure to feel comfortable with the subject
matter.
Getting the most from your training
During your training, you'll want to repeat as many
labs as you can at home with your network. If you
need advice on setting this up, ask your instructor.
You'll need to be dedicated to the task at hand. Review
any additional materials your instructor recommends.
Conduct searches yourself on the Web related to the
material being covered in class. Become an expert
at finding information this way. No one knows every
piece of information related to security, but professionals
know where the good sources of information are. You'll
need to keep yourself updated on current security
issues and exploits. It's going to take work. Ask
your instructor about recommended Web sites to visit
and newsletters to subscribe to.
Now what?
Pass your security certification tests and update
your resume. Get your updated resume out to your local
contract and temporary agencies. Ask your instructor
if you can be a "free" assistant for the
security and computer forensics classes you've already
taken. If you've done well in class and have good
people skills, this opportunity might be available
to you.
Perform free vulnerability assessments for companies
in your area. If you are unsure of particular points
such as the forms to get your clients to sign, ask
your instructor for help. Team up with other students
and perform these vulnerability assessments as a group.
Also, talk to your instructor for pointers on obtaining
liability insurance before a vulnerability assessment
is conducted.
Get to know people that actively work in the security
industry. Volunteer your time to help them. Join local
security related organizations and attend meetings.
If your instructor does computer forensics work,
you might be able to assist them on actual cases.
With permission from the retaining attorney or client,
and your signature on a few forms, this should not
be a problem.
Additional study material
Man, there are a lot of security books out there
now. Some are really good, some are copycats of
the last guy's/gal's book. Many deal with hacker exploits,
and are "cool" but have little information
pertaining to what is needed in order to protect your
network. Ask your instructor for additional resources.
He or she should have many additional resources for
you. I depend on information that is largely free
from various Web sites. Just a few of my favorites:
CERT
NIST
NSA
Information Security Magazine
SANS Reading Room
SecurityFocus
You can drive yourself crazy trying to keep up to
date with all of the information on all of the security
related sites out there. There is much redundancy
between sites. Select a few that seem to cover most
security issues and are updated frequently. Once again,
ask your instructor about the sites he/she depends
on to stay updated.
A prediction
Our government's work on Homeland Security - specifically
Cyber Security - is in its infancy. Many people are
speculating on what the future will hold for both
government assistance and expenditures in this area.
Unfortunately, some companies will need to be hit
hard by hackers or illicit activity taking place on
their networks before they put any serious money towards
security.
I foresee an ever-increasing need for qualified security
and computer forensics professionals. I see no end
in sight. Computer and networking skills no longer
suffice by themselves. Even if your job is not security
specific, companies want to know that you can protect
their data. They want to know that you are thinking
about security when you configure that server, workstation,
or router.
Get your security training now and be ahead of the
pack. We haven't seen the real "rush" for
security professionals yet - that's a few years down
the road. In today's economy and job market, I believe
the key to getting noticed and landing that job is
setting yourself apart from everyone else. Get training
in information security and computer forensics - you
won't be sorry.
In closing
What I've outlined here is a good start. Becoming
a security professional or computer forensics practitioner
takes hard work and dedication. I wish all of you
the best as you gain the skills needed to launch your
careers. Once again, set yourself apart from the pack.
Security and computer forensics training will give
you the skills that will get you noticed.
Feel free to contact me if I can be of assistance,
or if you have specific questions.
Steve Hailey