Greeting!!!
I'm an Advanced Oracle Programmer and I want to change my job into an IT Security Expert, where will I start considering I have a basic knowledge on some Network essentials.
:confused:
There are many paths in which you could start, but I recommend only two things: Read, and ask questions.
There are many tutorials and security related topics here, spread across the forums and also directly in the tutorial section, that I recommend you look at. I recommend spending time on http://www.google.com searching about various subjects that interest you or you have questions with. There is no clear cut first step into security as the field itself is broad and wide. Once you have read the tutorials, read the guides, then begin to ask questions to test and further your knowledge. We will be here to answer anything you have and welcome you into the field of Network Security Consulting!
Ok thanks, I'll be sure to try it and tell you how it goes. Thanks.
Have you thought about looking into the CISSP certification?
Hello cartools
Let me say one thing. You can have all the certifications you can pin on your wall, all it shows is that you can pass a security test. If you want to get into the security field learn to hack networks and OS's.
I am a security consultant in Las Vegas and the only time I spend time in a class is to TALK to students and field questions on computer security. I say field questions because I don't give direct answers to any security question from students. People REMEMBER Hackers have a VERY creative thinking mind. When a black hat hacker is trying to break into a network there is no teacher there to answer questions or help. He is on his own and MUST solve the problem HIMSELF.
After all of that, I am going to give you a home work assignment..LOL
Go build yourself a small computer (486, Pentium II) box and install a default version of any Linux, UNIX, or Solaris OS and get yourself nmap (if you can't find it I have one for you) and a vulnerability assessment tool. After you have this all set-up, use these tools to COMPLETELY secure that box. If you want to learn computer security stay away from Windows to begin with. After you learn your way around how an Operating System works, figuring out Windows will come very easy.
Hope this gets you started.
CyberSorcerer
I have to disagree somewhat with CyberSorcerer. First, while certifications are not the silver bullet in getting a security job many employers look for them so they help to get your foot in the door. Just get a couple at most, don't spend all your time doing tests.
Next forget about learning to 'hack networks' instead start off by understanding networks, read about the joys (?) of TCP/IP, network architecture etc.. and build from that. Then learn about operating systems, the in's and out's, learn some programming skills, then you will finally be able to think about hacking. If you don't do that I fear you become one of those people who can tell you all about the latest exploit but can't actually explain how it affects you and why you should spend some money on dealing with it. So my homework assignment would be to read TCP/IP Illustrated volume 1 and go from there.
Of course the best way to do this is going to be to set up a network you can play around with, learn how it works, don't just build it and then lock it down and then spend the next day trying to figure out why you can no longer access shared drives.
Also, try and start with what you know, if you are an Oracle programmer then why not have a look at Oracle security, see how that works, how you can implement it, what its strengths and weaknesses are etc...then take the knowledge you gain from that and start to apply it to other operating systems. There are several core themes (i.e Confidentiality, integrity, and availability) that are the same across all the security areas so once you get a grasp of those you will find the whole subject a lot easier to handle, and if Windows is what you know then take your new found knowledge and apply it to that, then look at Solaris etc..
And finally if you want to be good then learn how to explain security issues in clear language, and also how to justify to someone why they need to spend $XXXXXXX on a new IDS, or new firewall. Far too many people in the field bombard those making the financial decisions with jargon and then wonder why none of their ideas get implemented.
Good luck
I do agree with you R0n1n But!
If cartools or anyone for that matter wants to get into the IT security field and did not start out in school as a computer science major, then it just comes down to how fast they want to get into the field. They can start school now and go that route. If you plan to pass any one of the top security certifications you are not going to do it just by reading a few books over the year and take the test. You will need a pretty wide scope of knowledge.
If you take my path it will be much harder on your part because you will basically need to REALLY know how to breach a company's network if you want to work for them. BELIEVE me, If you break into their system and make a super-user account that will allow you full access, Certification or Not, THEY WILL INTERVIEW YOU.
CyberSorcerer
Cartools, trying to hack a system in order to get an interview will result in an interview, probably with your arresting officer, that's about it. Stories that end up other than this are few and far between. Learn how and why this stuff works the way it does, taking the newest exploit and running it against company XYZ is not going to get you any kind of job offer. I work for a large security consultancy and am in fact the only ex "hacker" there is, the rest of the staff are people who have learnt this over time (and I do not have a computer science major). Seriously, if you do this, you will most likely be caught (as you have not learnt the how and why) and will not be able to get any kind of security job whatsoever.
The best thing to do is in the company you work for now try and get some security exposure and then take it from there, and realise that it's going to take some time to get a good grasp on the subject.
www.sans.org
www.giac.org
or more likely they will have you arrested. any skript kiddie can hack a network. it just takes time finding one that is vulnerable to the scripts they have. So when they exploit an unsecure system with an old script that they downloaded from packetstorm, does that mean they know anything about security?
Quote:
BELIEVE me, If you break into their system and make a super-user account that will allow you full access, Certification or Not, THEY WILL INTERVIEW YOU.
according to your website you are a...you would think that you would include something about the security aspects on your website... not to mention completing your website....
Quote:
freelance web designer, applications programmer, multimedia designer, and game designer.
Ok, it doesn't need to get off topic from what cartool posted. Cartool if you want to get into the field bad enough, you will.
I do agree script-kiddies don't know much about security or networking for that matter. But in my post I did say create a super-user account so that you could get back in no matter if you were outside the network, or in the company's main office with the network admin beside you. Show me a script kiddie that can accomplish that???
CyberSorcerer
Sorry but I did finish reading your post..
Yes my sig is old and being in computers for close to 20 years I have an extensive knowledge of them. I make my living from freelancing and consulting work. I have worked on everything from CP/M all the way up to Solaris.
If you want a whole list of what I do, I am a seller of ebay, a freelance coder of rentacoder.com, graphic/logo design, custom application development etc! I pay my bills with my 20 years of computer experience don't have a guaranteed weekly check like some people but I do make a very nice living and have free time for family and friends.... That is being rich in my opinion......
CyberSorcerer
All of you guys just gave me an idea or scope of what to do. Certifications, experimentals, and other reading materials is what I should expect to do in the first month. I'm applying for an IT Security Personnel, to be based on some part of the middle east, and hopefully, I can do it with just a little time and more effort. I hope I can attain my desire to be one of you, guys. In which expertise? Hopefully, to be the best of what I can reach.
Thanks CyberSorcerer, Ron1n, souleman, CT2600, pooh sun tzu for such contribution and support...
I was going to say I hope you are joking, but I think we can already accept that you are the joke, you've proven that yourself. Hack a Network and they'll hire you???? Sounds like something out of the movies. Hell the fact that I demonstrated a flaw in my Network Services department's security scheme got me labelled a hacker. You also said forget about Windows???? Are you a retard, or just trying to look like one? If you get a job working security for the majority of companies you will be dealing with Windows boxes. If you know linux inside and out, that isn't going to help you one f***ing bit on a Windows box. If anyone accepts a word that you've said as the truth, I will be praying for their soul, they're going to need it. As far as script kiddies get super-user access. Piece of cake. Use a Unicode or Double Decode attack against an IIS server, then use one of the many privilege escalation tools that are out there. How about the Samba Autorooter for exploiting vulnerable Samba installs. Then it's just a matter of planting your backdoor or rootkit and making sure you hide your tracks. If you truly believe that a script kiddie can't create a super-user account or get access to one, you are sadly mistaken.. and trust me... no one on this site is going to take anything you say at face-value... Hell right now you could tell me your AntiOnline handle was CyberSorcerer and I'd have a hard time believing you.
Quote:
Originally posted here by CyberSorcerer
Ok, it doesn't need to get off topic from what cartool posted. Cartool if you want to get into the field bad enough, you will.
I do agree script-kiddies don't know much about security or networking for that matter. But in my post I did say create a super-user account so that you could get back in no matter if you were outside the network, or in the company's main office with the network admin beside you. Show me a script kiddie that can accomplish that???
CyberSorcerer
cartools: listen to everyone else. Get a few certs, but make sure they are ones that count, set-up your test network and then read everything you can. I've suggested it to people before, read the Hacking Exposed line... I think they are amazing and I know several people that agree, here and at work. Your resume plays a big role. Most employers go through and pick out keywords. They just scan the resumes and if you have the words they are looking for you may make it to the interview and then you can impress them. Make sure you use the buzz words in your resume and can back up that experience in an interview.
while network security is fun and all, it isn't all there is. I'd recommend taking a peek at the various fields related to security and checking out what might interest you and what the demand is for that position. As a software developer I'm more inclined to go the route of security engineer in development.
Do we have an online certification program on the web? or I'll just take up some money and spend on it?
Ok I give up
truly, with all the secured networks out there from certified knowledgeable network experts, I don't really know what the government is so worried about that some third world country or terrorist org will cause any harm.
Let me take an example right out of a security manual. This is what it calls the ROOT of the network security problems today.
1. Network and Host misconfiguration
2. Operating system and application flaws
3. Deficiencies in vendor QA/QC efforts and response
4. Lack of QUALIFIED people in the field
Now there is a quandary. How can there be a lack of QUALIFIED people in the field if organizations and companies only hire QUALIFIED or certified people?
I really do give up. I can not answer that myself. Sorry if this is out of line but it is a problem to this day I have not seen any answer correctly.
CyberSorcerer
Not sure of online certification.... But yes u can have online training for GIAC certified courses....
Now these courses are extensive and cover all concepts that u would need to know when u involve in inf. security profession....
All said.... Agree with HTRegz that breaking a system is a much simpler job.. But what makes the profession unique is the challenge to prevent ur inf. assets from getting hacked from so many threats that it is exposed....
Remember a famous quote on Information Security.. "YOU ARE AS SECURED AS YOUR WEAKEST LINK" ... Simple example would be that you may have the best lock available attached to your door... But if the walls are weak or if windows are not properly secured an intruder can still get an access to your territory.....
Hence : Certifications help.. but you should equip yourself with extensive knowledge on inf. security.... have to dirty ur hands by actually working with tools..... and yes a decent knowledge of network is a must.....
BTW... being a oracle expert.. as mentioned by someone u can also take up database security as ur line of interest....
Thanks for the advice, anjali...actually, I have a basic knowledge in Database security in Oracle. And since that is a startup for me... I'd rather go on studying Security Essentials.
I guess following certification from SANS can be of some help to you...
GIAC Security Essentials Certification (GSEC)
Level: Foundational
Renewal: Every two years
Target: Security Professionals that want to fill the gaps in their understanding of technical information security; System, Security, and Network Administrators that want to understand the pragmatic applications of the CBK; managers that want to understand information security beyond simple terminology and concepts; anyone new to information security with some background in information systems and networking.
GIAC Security Essentials Certification graduates have the knowledge, skills and abilities to incorporate good information security practice in any organization. The GSEC tests the essential knowledge and skills required of any individual with security responsibilities within an organization
Click on the link to know more about this course... http://www.sans.org/onlinetraining/track1.php
Alternatively u could appear for CISSP .. http://www.cccure.org
I am sure above courses will help u equip with confidence and knowledge to move into information security domain....
GSEC covers the essentials and actual technical work. It also now covers the cissp cbk. The training and certification test can all be done online. I finished mine a while ago that way...
The cissp however is more of a management certification. If all else fails go GSEC before CISSP and then you have a good foundation in place for your CISSP work.
Do they have the ability to run gcc and compile a program?
Quote:
But in my post I did say create a super-user account so that you could get back in no matter if you were outside the network, or in the company's main office with the network admin beside you. Show me a script kiddie that can accomplish that???
http://www.securiteam.com/exploits/6N00L1F95S.html
oh look, now any computer running Cyrus IMSP 1.4, 1.5a6, 1.6a3, and 1.7 are 0wnd.
http://packetstormsecurity.nl/0401-e...phpgedview.txt
oops, there goes any system with phpgedview.. and only need a web browser...
There are plenty more with a simple search engine. Not many companies keep all their software up to date. Not to mention how easy it would be to send a copy of sub7 or Back Orifice to one of the employees and get them to install it at which point you could start learning passwords. If the endusers knew enough to NOT open attachments, we wouldn't see the problems with viruses that we see now.
I clearly understand that it's not easy to become a security specialist. It'll take time and effort, regardless of what to become, in mastering all the concepts. I'm pretty sure that all those who contributed in this thread, did their best in the field of what they have become. The only thing that comes into my mind right now is to enjoy the technology we've achieved. It's what we do best.
the question is not how, but why..
If you want to become a security specialist because it makes more than an oracle expert..
then don't.. you'll never be a good security specialist..
If you want to become a security specialist because you have a desire to know all there is about the subject.. then you'll become one no matter which road you take..
I'll take your advice jinx, thanks
Jinx does make an excellent point Cartools and that is that the path followed is not as important as deciding to do it. If you decide to be a security expert then you will have to have a broad knowledge base, not limiting yourself to one Operating system. I started with the GIAC certification (GSEC), however I had already been Microsoft certified for several years. I am intrigued by the idea of security, not the platform it sits on, so the GSEC cert helped open that door from me to look outside the Microsoft box.
I also wanted to be in a management position, so I pursued the CISSP and I learned a great deal after I self studied for that for three months. The certification does not guarantee the job or that you are "qualified" however, given the diversity of the networks and platforms, I really doubt anyone is an "expert" until they get into the job, identify the issues, and get their hands dirty. Pursue the knowledge and the certifications come easily.
ISC2 offers other certifications for practicing security personnel, that I have heard good things about, however, I have not personally pursued. GIAC has the best on-line programs I have seen and there are times that you can pick up used manuals from E-bay to save on the overall cost.
Look at it this way you are off to a good start, you have found a great resource to point you in the right direction. Good Luck!!!