The field of computer security

[btill900]

Hello antionline,

I am a sophmore computer & information science major. I plan to go into a career somewhere computer security. I haven't decided which direction in computer security I want to go yet.

Although, I already know from reading other posts that a CIS degree is nice and all, but more will be needed to work in computer security...certifications and so on.

Many people say I should get certifications, I've noticed that a lot of networking experience is usually recommended but I don't have much experience with networking. Where can I go or what book can a buy, thats easy to understand, to learn about networking?

Lastly, I was wondering if anyone reading this could offer 3 to 6 things I could do on my own for the next 2 years outside of what im already learning in college to prepare for a career in security. For instance, books, websites, programming languages, operating systems, certifications, ect.

[nihil]

Hello my friend,

You need to do some accountancy and stuff..................an MBA would be nice?

You see the real people who make decisions, like your paycheck, don't know "alphabet soup"

[IKnowNot]

If no one else posts by the time I finish this, then I will input my two cents (FWIW; read my profile, if it still exists ... and WTF: you a member as long as me with no posts prior to this, and only a sophmore, but can’t even spell sophomore ?
And your reputation is “is on a distinguished road“ and I apparently, at this point, have no reputation at all! God Damn! Before this update [ and still] I had eleven dots at 100% positive and no negative anti-points, but I have NO reputation now!)

Anyway .....

Experience is what really counts. From what I have seen ( through my son ) for an entry level position into any area in the computer field ( and check with you councilors ) most companies are looking for an Associates with 3-5 years experience, or a Bachelors degree.

How one gets experience without being able to work to get experience is beyond me!

Some here have worked for the college/university they attend to gain experience. Others have gone outside and worked for small ISPs during their studies.

As for the reading, read through the archives ( past posts ) of this site and that will give you more then enough ( hint: start with the SANS' Information Security Reading Room .... if you understand everything in there you are really on your way! But there are a lot of great books which are still applicable referenced here and expand on these thoughts. )

As for your 3 to 6 things requested:
I can name only one: find all the computers you can that people want to put in the garbage, and find a use for them on a network you create. Integrate what you learn in school, what you learn here, and what you learn in your continued outside studies with maintaining your network ( such as network design, Active Directory, DNS servers, DHCP servers, firewalls, IDS, IPS, etc. )

And Read, Read, Read! This industry is in constant flux, and if you do not keep up, you are behind.

But above all else, as you will find for yourself if you follow my recommendations, Security does not start at the network level, but long before that. You may find yourself more interested in concentrating your efforts in writing proper ( secure ) code for programs, or for that of Operating Systems. All are equally important, as the
“Chain is only as strong as the weakest link.”

Looks like nihil posted first, so I will address this now as opposed to later, but it will make my post a bit longer!!!!!

Brief history: in its’ infancy the Internet exploded and anyone who knew what a computer was was considered an expert as far as management was concerned. People with absolutely no computer knowledge ( but usually a degree of some type ) were recruited into the IT field.
Many were total flops but survived because they knew more then those that placed them ( I am NOT directing this at nihil !! . )

What nihil is refering to is that now companies are looking for ( this is a slowly but steadily growing trend ) is people who understand IT but also understand the business ( monetary ) end of things.

Bottom line: it doesn’t hurt to have a second major in business ( or an MBA )

Good Luck in your studies, I hope this helped.

[btill900]

I don't even remember registering for Antionline. I happened upon the site the other day and realized I already had an account. Guess I registered some time ago, although im not here for reputation...just information.

I have the accounting area taken care of. The only thing im concentrating on now is finding out what I need to do to work in Computer Security after I get my Computer and Information Sciences degree.

I like the idea of setting up my own network. I own three computers and I have a few more garbage ones laying around that can probably be fixed easily. What kind of Network should I try to set up between them?

[HTRegz]

What kind of network should you setup??? Are you sure you're about to graduate a Comp Sci degree?? However since you asked... I suggest Token Ring.... It's common place in todays networks The obvious answer is you want an Ethernet network.. Cat5 cable with RJ45 connectors running into Switches, Hubs and Routers.... all the good stuff..

nihil made an interesting comment regarding an MBA... While it's an interesting idea... You have to ask yourself where you want to be in IT... I can see where nihil is coming from... I can remember hearing back as far as 6th grade that if you wanted to be any sort of Management you had to have a University Education and a business background... by high school it was You had to have a university education... Today... I disagree with both of those... (Then again I still think that a college education is much more useful in IT than a university education ever could be)... Anyways... If you're looking at being hands on for your entire life.... an MBA is useless but if you want to manage someday and be the boss... an MBA is a great option...

IKnowNot also posted an interesting point regarding experience and how companies require it. I'm torn on this one right now... Most people think of experience as starting when your education ends... This is wrong... By the time you graduate post-secondary you should have the education and experience required for any job that requires 5 years experience or less..

I finished my last course in August 2005. By that time I had:
- Ran a 6 month after school program to provide internet access and training to people without computers at home.
- Worked with the Police on a criminal investigation that involved the use of a computer
- Ran my own computer sales and service business, selling a dozen or so computers, and supporting 20-25 people (enough to get spending money in high school)
- Done international website design for both Canadian and American companies, included a $30,000 contact for a website which the owner of is now involved in a patent application process for the back-end implementation
- Worked 1 year full time and 1 year part-time providing student support in the College's IT department
- Done DSL tech support for a Major American ISP
- Provided Tutoring in programming and networking
- Worked as the sys admin for a small web hosting company.
- Acted as a consultant to a start-up providing technical support on their ideas and designs.

Now this is beyond what many people do... Of the 26ish graduates of my program, I'd say that at least 20 of them graduated with at least 50% of this experience on top of their education...

My classmates graduated into (straight outta school and some before they graduated were already working): Penetration Testing, Systems Administration, and Network Administation... and then Helpdesk positions... at companies that included a college, Magna International, Siemens, IBM, etc... Many of the jobs came because of co-op placements...

That's one of the keys... a program with a good co-op setup... If it doesn't have one you're wasting your time. I graduated with enough experience that I spent 6 months as a Sys Admin before entering the Security world fully as a Vulnerability and Exposure Research Engineer...

So make sure you have Co-op... it's key.. and work on the experience before you graduate..

As for 6 things you can do on your own..

1) Get involved with an open source project
2) Pick up a programming language (I highly suggest Python)... Both Canvas and CORE Impact are based off python so it's not bad to have a slight understanding of the back-end language if you're interested in security.
3) Spend hours looking at packet captures...
4) Download Windbg, Ollydbg and invest in a copy of IDA Pro (or do a quick search for IDA Freeware 4.3... it's old.. but it'll give you an idea)
5) Learn multiple operating systems... Make sure you're running Windows, *nix, OS X and even something like Solaris, HP-UX or AIX if you can get access ot it.
6) Read everything....

On the subject of certs.... I'm of the opinion that they are useless.. There really isn't a useful certification industry.... and here's why..

1) Certifications are based on the idea that you require a specific level of knowledge that ensures you are adequately prepared in the subject area related to the certification.. This should require that the tests be difficult enough that you have to be a subject matter "expert" to obtain the cert.

2) Certification Committees and Organizations (CompTia, Cisco, SANS, etc) are businesses... They want to make money... In order to make money, plenty of people need to write the cert test, in order for people to pay to write the cert test in sufficient quantities to make money, a certain number of people need to pass.... If that number of people aren't passing the test needs to be made easier in order to make a profit...

So... if you need to continually lower the quality of the test in order for people to continue writing it.... then those that pass aren't subject matter experts... sometimes they know nothing (CISSP is a great example of this... look at how many CISSPs are complete idiots)...

Certs are there so organizations can make money... these organizations pressure the industry to place importance on the certs so that more people write the.... but I feel the industry is starting to come around and clue in that these certs are completely useless....

Well I babbled quite a bit... but hopefully you find the information I provided useful..

Peace,
HT

[nihil]

I strongly agree with the recommendation that you need to think of where you would like to be, possibly in 20 year's time

My thinking would be that at your age now is the time to think about your long term qualifications rather than certifications that are relatively short lived.

I feel that certifications are a bit like software specific training........ best obtained "as and when" as you go along?

As for experimenting with a network, I would suggest that you have at least one wireless device in there

[g3neration]

Just my .02 since I'm trying to find a job in the computer field at the moment.

Seems that a lot of where I look, they list experience as the most important criteria, then education. Certifications IMO are a sticky issue since a lot of the job postings seem to prefer some sort ( two of the more popular ones are Cisco and Microsoft certs ). I do agree with HTRegz about certifications and their usefulness. Since it is a business, certifications are a way of testing knowledge on one specific product ( how to use it, etc. ), and I find this pretty stupid.

But not all of them are. For instance the much hyped CCIE ( or equivalents ), require quite a bit of knowledge and work. As is the GIAC's.

[D0pp139an93r]

I've seemed to notice that certifications are simply a requirement for a position, rather than a justification for the position... if you can understand that.

[Highlander]

I personally think that having a degree in a computer related field is useless in 3-4 years because computers are always changing....
In my case I usually know more about computers and computer security than a number of teachers who teach computers at the local colleges do.

[ech0]

it just seems like certs just get you passed the HR departments. Once you talk to someone in IT (to prove you know a thing or too) that will play out if your good or not. I got one of my last computer jobs just because the person doing the interviews on a technical level wanted to see everyone saved me from getting the brush off from some random HR person.