Career shift to security - learning tracks? [closed]

I've had to learn enough to be dangerous (if only to myself), managing the firewalls, switches, etc for small networks over the past ten years. However, I know there's a pretty massive gap between what I've been doing (security as a hobby, really) to actually pursuing mastery of the subject.

Research gives me certifications from Security+ to CISSP and a slew in-between. Are there any certifications out there that you feel would provide a good learning roadmap?

I'll throw out a short list of what seems needful, in case I'm anywhere near the mark.

  • Wireshark virtuosity
  • *nix familiarity
  • Cisco IOS (CCNA would be a 'quick' way to pick this up?)

I realize this is a massive undertaking, but as a comparison from a Win admin perspective, if I could reach back and give my younger self a few pointers, I could have saved myself a TON of time and head-vs-wall encounters by pursuing certain learning shortcuts. It's my hope that some of you security-focused SFers have similar advice.


Solution 1:

What part of security do you wish to work in? Security is a very broad field, even more so if you count all the ways you can work being partially in other fields. Typically there are a few general areas of security:

  • Corporate security:

Start learning frameworks, ISO/IEC 27001, governance, auditing, risk/benefit, legal frameworks and more similar things. You will end up as CISO and perhaps as CSO in a company towards the end of your career. Until you get there expect to spend a lot of time writing policy documents.

  • IT security

Start learning the general tools of the trade; Wireshark, IOS and the like are a good start. Pick up the more specialized skills such as forensics when you have the chance. There are several different sets of courses. SANS have a pretty good reputation, for example. Cisco a reasonable one. Sadly it's hard to get far if you take this path. You might move up into middle management after a while, but there the skills are mostly useless. In some companies you might also deal with physical security, which leaves more openings upwards. If you go to the police you will spend a lot of time looking at nasty pictures if you choose this path.

  • Technical security

Start learning advanced math and other technical skills. Choose an area and specialize. And specialize. And specialize. If you are lucky you are in an area where there is high demand, or you find a company where you like working. You will become more or less impossible to replace. If you play your cards right you get to travel around the world and meet lots of very bright people.

From my perspective the first thing to do is to learn to think security. Start reading people like Schneier (Beyond Fear) and Ross (Security Engineering). Once you have a grasp of the basic thinking in the security field you can choose your path, if you want to dig down in this field at all. It's not nearly as glamorous as some people want to make it. Security is the first budget to cut when things get tight, and expect to get the blame for everything that goes wrong.

Solution 2:

I've been an admin for 20 years (15 years professionally), mostly Unix with a dash of Windows as required. From the beginning, I've tended to play the paranoid admin, mostly because it's practical and instructive, not because I believe hackers from the other side of the globe are targeting my servers. ;-) Security really is a de facto sysadmin requirement, one which can be practiced daily.

You don't specify whether you want to wear the official badge of "Security Specialist" and do things such as pen testing, PCI compliance auditing, incident response (forensics, etc.) or you just want to be an admin with some heavy security creds to help widen your career options and defend high profile systems under your charge.

Of the few peers I know in the "official" category, the CISSP cert was the first they tackled and they went on to land decent jobs because of it (of course, they had 10+ years of hands-on experience, like yourself, to back it up). There are tons of materials online, in addition to official training materials and courses, to assess your grasp of the material.

While the concepts can be learned and applied on any platform, I personally recommend Unix, since you get such low-level access to everything, with the added benefit of being able to access that information easily via remote shell: watching live tcpdump sessions, syslog entries, web server logs, snort dumps, dumping live system memory, to a million other open source tools for peeking and poking at the innards of a running system.

Due to Unix being an ideal platform for learning this kind of stuff, it easily follows that a great way to learn is by throwing yourself to the proverbial wolves. Get yourself an entry-level Linux or FreeBSD VPS, a true virtualized VPS (such as Xen) with all the "hardware" and admin access you'll need to simulate the real deal in a live, exposed internet environment.

Set yourself up with a live, working system. Get a live SMTP server running, and watch the spam bots and scan for malware. Set up a web server and watch the script kiddies try SQL injection attacks in your web and DB logs. Watch your ssh logs for brute force attacks. Set up a common blog engine and have fun fighting off spam bots and attacks. Learn how to deploy various virtualization technologies to partition services from each other. Learn first-hand if ACLs, MAC, and system-level auditing are worth the extra work and hassle over standard system permissions.

Subscribe to the security lists of the OS and software platform you choose. When you get an advisory in your inbox, read up on the attack until you understand how it works. Patch the affected systems, of course. Check your logs for any signs that such an attack was attempted and if one succeeded. Find a security blog or list that is to your liking and keep up with it daily or weekly (whichever applies), picking up the jargon and reading up on what you don't understand.

Use tools to attack and audit your own systems, trying to break your own stuff. This gives you perspective from both sides of the attack. Keep up with the cutting edge of the "black hat" mindset by reading papers and presentations from well-established conferences like DEFCON. The archives from the past ten years alone are a treasure trove of information, much of it still valid.

Granted, I have no certifications, nor do I bill for "security specialist" services. I just make it part of my daily routine to keep up with this stuff to make myself a better admin. Whether or not the certs are desired or required for your goals is better left to someone who has them. However, I believe that a heavy hands-on approach is the best way to learn this stuff, and I hope some of my suggestions provide some food for thought.
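As an added illustration of the "watch your ssh logs for brute force attacks" and "watch the script kiddies try SQL injection attacks in your web logs" exercise from the answer above (this is example code written for this page, not something the answerer posted), here is a small standard-library Python triage script. It parses constructed sshd auth-log lines and Apache-style access-log lines (the sample lines and RFC 5737 addresses are made up for the example), flags any source address with five or more failed logins inside a 60-second window, notes whether that address later got an `Accepted` login (the "did one succeed?" check), and flags URL-decoded request paths that match a few classic SQL injection shapes. Thresholds and pattern names are assumptions you would tune for your own host.

```python
"""Triage sshd and web-server log lines for SSH brute force and SQL injection attempts.

All sample lines below are constructed for this example (RFC 5737 documentation IPs);
they were not captured from a real host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

SSH_LOG = """\
Mar  3 10:15:20 vps sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:21 vps sshd[4122]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:23 vps sshd[4124]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:15:24 vps sshd[4126]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Mar  3 10:15:26 vps sshd[4128]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:15:40 vps sshd[4130]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Mar  3 10:20:01 vps sshd[4140]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Mar  3 10:20:30 vps sshd[4142]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

WEB_LOG = """\
203.0.113.7 - - [03/Mar/2024:10:30:01 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [03/Mar/2024:10:30:05 +0000] "GET /index.php?id=1+UNION+SELECT+username,password+FROM+users-- HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.9 - - [03/Mar/2024:10:31:00 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Syslog-style sshd line: timestamp (no year), host, process, outcome, user, source IP.
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Apache/nginx combined format: we only need client IP, request path and status.
WEB_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed heuristic signatures, checked against the URL-decoded path; order matters
# because the first match wins.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*(or|and)\s*'", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete)\b", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I),
    "comment_terminator": re.compile(r"(--\s*$|/\*)"),
}


def parse_ssh(lines):
    """Yield (timestamp, outcome, user, ip) for each sshd login line."""
    for line in lines:
        m = SSH_RE.match(line)
        if not m:
            continue
        # syslog omits the year; strptime defaults to 1900, which is fine for measuring
        # intervals within one log (assumption: no Feb 29 lines, 1900 is not a leap year).
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield ts, m["outcome"], m["user"], m["ip"]


def find_ssh_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "success_after": bool}} for IPs that hit the threshold."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, outcome, _user, ip in parse_ssh(lines):
        (failures if outcome == "Failed" else successes)[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "failures": peak,
                # A login accepted from the same address after the failures began is the
                # "did one succeed?" signal worth investigating first.
                "success_after": any(s > times[0] for s in successes.get(ip, [])),
            }
    return flagged


def find_sqli(lines):
    """Return one dict per request whose decoded path matches a SQLi signature."""
    hits = []
    for line in lines:
        m = WEB_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m["path"])  # decode %27 and '+' before matching
        for name, pat in SQLI_PATTERNS.items():
            if pat.search(decoded):
                hits.append({"ip": m["ip"], "path": decoded,
                             "status": int(m["status"]), "pattern": name})
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_ssh_brute_force(SSH_LOG.splitlines()).items():
        print(f"ssh brute force from {ip}: {info}")
    for hit in find_sqli(WEB_LOG.splitlines()):
        print(f"sqli attempt from {hit['ip']} ({hit['pattern']}, HTTP {hit['status']}): {hit['path']}")
```

On the constructed input this flags 203.0.113.7 for five failures in six seconds followed by an accepted root login, and two injection attempts from the same address; the single failed attempt from 198.51.100.9 stays below the threshold. On a real host you would feed it `/var/log/auth.log` and the access log, and treat a `success_after` of `True` or a 200 status on a `union_select` hit as the lines to read first.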