  1. Junior Member
    Join Date
    Feb 2007
    Location
    NYC
    Posts
    16

    Certifications
    MCP NT4/Win2k - A+, Network+
    #1

    Getting into Information Security?

    I'm 99.9% sure this is the route I want to take now in my IT career. But not so clear on how to start my course. See, I'm confused about getting my foot in the door as a Security Professional. I have about 9 years in IT experience doing various things such as NT/2000 Admin, QA, Web Design -- Intranets, Jr DBA, and now Application Integration. As you can see I have experience with a few things but not security.

    I look at the certs available and see that Security+ is the first one I should obtain, but after that, what's next? The others I found so far require (infosec) experience. So what would be the next path to take after the Security+ cert? I guess I'm tossed up since I don't have the experience wonder how do I get my foot in the door working as an InfoSec pro, while maintaining my current salary (range). I feel I can offer the above items along with the security if that is possible.

    I ask here since I've been out of the loop for a while and just not sure where I'm heading in IT but I've always been intrigued by security, hacking, hardware, troubleshooting, and tinkering with computers, I guess this is why I started in the first place. I've reached the top, as far as I can go in my current employment, and become unsure about IT, and now need to revive the passion I once had for this industry and get my ass in gear.

    Your thoughts, suggestions, cert/reading recommendations would all be greatly appreciated.

  3. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #2
    It sounds like the CEH is the next logical step after the Security+ for what you want to do.

    Sun, RedHat, and the 2003 MCSE have security specializations.

    You may want to start getting some experience with Cisco and/or other firewall/network appliance vendors.

    You should set your sights on the CISSP as your end goal, but that has some fairly rigid requirements. You can pick up the SSCP after one year of experience (or become an associate with either without meeting the requirements).

    Check out these posts as well:
    http://www.techexams.net/forums/view...=213741#213741
    http://techexams.net/forums/viewtopi...=172435#172435
    http://techexams.net/forums/viewtopic.php?t=19563

  4. Junior Member
    Join Date
    Feb 2007
    Location
    NYC
    Posts
    16

    Certifications
    MCP NT4/Win2k - A+, Network+
    #3
    EDIT: I'm still looking through the threads, and may have missed... So if I posted too soon
    Thanks dynamik and I do understand about going CEH possibly next, but other than it still does not really help. I guess I was hoping some Security experts (or guys/gals with the cert.'s in this arena) may chime and show how they achieved their positions. For instance if you go for MCSE you basically are going for an Admin / Infrastructure / Windows Server support gig in IT. It's a broad cert. and security however, is a little narrower and can be a little more difficult to get your foot in the door. What would help make this easier?

    I've researched a little last night and figure I just put a plan together and get my Sec+, and possibly the CEH (since I cannot get anymore without experience, and quite a bit of money from what I've read online) to start with and just look at the different available positions in NYC and see what the employers are looking for these days. Maybe even finish my MCSA (which I'm just not into anymore). I have a diverse background and maybe trying to focus on one thing (security in this case) is not the correct way to go about it. If nothing else with any luck I can get into an organization that allows me the opportunity one day.

  5. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #4
    I disagree that MCSE is a "broad cert" and security is more "narrow". Security could be argued to be actually broader than MCSE. With MCSE, you need to know how to do patch management for Windows based machines vs. Security as a whole you would need to know how to do it for all operating systems and major applications.

    Carry this to the logical conclusion, and you realize security is a big, broad subject.

    In my experience, you don't get higher level security positions until you prove yourself on platforms. If you don't have advanced skills in any operating system, how are you going to convince potential employers you can secure them?

    I would encourage you to develop skills in at least one platform. That would mean go for MCSE, or a linux cert, whatever.

    I would also recommend you begin developing skills in enterprise class firewalls, too.

    You're in the position you need to get experience with security work before you can get the higher level security certifications. That is more product centric knowledge. Do you know how to configure a PIX/SonicWall/NetScreen firewall for example? Do you know how to harden servers of at least one OS platform? Do you know how to assess the security levels of those servers?

  6. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #5
    You may want to try reposting in the security forum http://techexams.net/forums/viewforum.php?f=52 (or maybe someone can move this there).

    From what I've discerned, getting into security is somewhat of a gradual transition. It seems like very few people get security positions right off the bat, and most have to start as systems or network admins and take on more responsibilities over time. Definitely keep reading through the security forums though; there's a wealth of information in there.

  7. sporadic member shednik's Avatar
    Join Date
    Feb 2007
    Location
    Pittsburgh, PA
    Posts
    2,011

    Certifications
    CCNP R&S, JNCIP-ENT, JNCIS-SP, JNCDS-DC, JNCIA, JNCDA, CCNA, CCNA:Security, MCP, A+, N+, L+, MST:InfoSec, CNSS 4011-4015
    #6
    I'm also looking to get into security; here is my plan to migrate into security... I'm early in my career with only about 2 years of experience in Windows admin, Cisco networking, and desktop support. I'm looking to start my Masters of InfoSec this fall which will help me learn a lot of the theory and make up for what my undergrad didn't teach me. While doing that I'm currently a network analyst for an extremely large corporation and since I'm in a rotation program for college grads to get exposure to different areas of IT, I will be moved to a second team, either the Unix team or the network security team who handle the edge router, firewalls, proxies, and anything to do with remote access. I also have picked up several books, set up a VMware server, and plan to begin my Security+ as well. I feel with all of these combined efforts I will move into security nicely within the next few years. I feel the road to security is not defined and you have to make sure you're always on top of your game which can be built from spending time in the trenches, and continuing to educate yourself with technology.

  8. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,737
    Blog Entries
    50

    Certifications
    PenTest+, CISSP, SSCP, GSEC, CASP, CEH (revoked), CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, MSIT InfoSec
    #7
    My story: I decided to finally move into InfoSec at the same time I decided to go back to school and get a Masters degree. I had a work load that would enable me to go to school part time, and because of the ease of off-shoring of software engineering jobs, I was motivated to specialize in a profession that would not likely be farmed-out overseas. Well, one Masters degree later, I got a cool InfoSec job (InfoSec Research Engineer) and now I'm getting the IT certifications expected of an InfoSec professional. The continual self-education and personal improvement of an InfoSec professional never ends.
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  9. Senior Member
    Join Date
    Aug 2003
    Location
    Pittsburgh
    Posts
    1,948

    Certifications
    MCSE (old), SSCP, CCA, Sec+, P+, L+, and N+
    #8
    I'm a consultant and my work focuses around Windows, Exchange, and Citrix implementations. I get to do a lot of things that fall into the InfoSec category, e.g. Citrix Secure Gateway, Citrix Access Gateway, Disaster Recovery plans, etc. I'm getting some experience in InfoSec, but would like to move into a role that is more focused on it.

    I completed the Security+. Later this year, I'm going to work on the MCSA: Sec and the CCA: Access Gateway.

    Not sure when I'm looking to move into InfoSec full-time, but I'm laying the groundwork.

  10. Junior Member
    Join Date
    Feb 2007
    Location
    NYC
    Posts
    16

    Certifications
    MCP NT4/Win2k - A+, Network+
    #9
    Quote Originally Posted by HeroPsycho
    I disagree that MCSE is a "broad cert" and security is more "narrow". Security could be argued to be actually broader than MCSE. With MCSE, you need to know how to do patch management for Windows based machines vs. Security as a whole you would need to know how to do it for all operating systems and major applications.

    Carry this to the logical conclusion, and you realize security is a big, broad subject.

    In my experience, you don't get higher level security positions until you prove yourself on platforms. If you don't have advanced skills in any operating system, how are you going to convince potential employers you can secure them?

    I would encourage you to develop skills in at least one platform. That would mean go for MCSE, or a linux cert, whatever.

    I would also recommend you begin developing skills in enterprise class firewalls, too.

    You're in the position you need to get experience with security work before you can get the higher level security certifications. That is more product centric knowledge. Do you know how to configure a PIX/SonicWall/NetScreen firewall for example? Do you know how to harden servers of at least one OS platform? Do you know how to assess the security levels of those servers?
    Maybe "broad" was the wrong term to use but you have to agree that "security" is more of a niche in IT than Windows (as are security certifications and experience). It's a specialty and not something an MCSE can walk into. It's a niche market within IT and requires a broad knowledge of things. This is why I posted, just wanted to get various POVs.

    I know I need experience, and knowledge, just wondered how others got there. It's a mid-career mental block right now and I'm wondering if "specializing" is the key. Thanks again to those posting, I got some good info here.

  11. Junior Member
    Join Date
    Feb 2007
    Location
    NYC
    Posts
    16

    Certifications
    MCP NT4/Win2k - A+, Network+
    #10
    Quote Originally Posted by JDMurray
    My story: I decided to finally move into InfoSec at the same time I decided to go back to school and get a Masters degree. I had a work load that would enable me to go to school part time, and because of the ease of off-shoring of software engineering jobs, I was motivated to specialize in a profession that would not likely be farmed-out overseas. Well, one Masters degree later, I got a cool InfoSec job (InfoSec Research Engineer) and now I'm getting the IT certifications expected of an InfoSec professional. The continual self-education and personal improvement of an InfoSec professional never ends.
    I like your story… Do you think it's possible to obtain a gig working on more security related items in IT, while pursuing a degree and/or the next levels of MS/Cisco certifications? For instance I have: Security+ certification and I'm an experienced IT guy. No master, but worked on a few things through the years. What role in IT security can I play -- where do I pay my dues? Or is it too soon to even think about it. Like ajs1976 I'm trying to lay down the groundwork and who better to ask than my peers.

  12. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #11
    Quote Originally Posted by Geekboy
    Maybe "broad" was the wrong term to use but you have to agree that "security" is more of a niche in IT than Windows (as are security certifications and experience). It's a specialty and not something an MCSE can walk into. It's a niche market within IT and requires a broad knowledge of things. This is why I posted, just wanted to get various POVs.

    I know I need experience, and knowledge, just wondered how others got there. It's a mid-career mental block right now and I'm wondering if "specializing" is the key. Thanks again to those posting, I got some good info here.
    I think you're looking at this a bit wrong. I would argue the average MCSE does security work. Patch management involves security. Locking down IIS properly involves security. Setting up security groups and ACL's is security work.

    What you're not defining is what security work do you want to do? You obviously want to become a higher level security specialist, but what exactly do you want to do? Implement firewalls? Penetration testing? Auditing? Secure network architecture?

    This isn't to start an argument, but it's to point out that what kind of work you want to do years from now should be steering you today. For example, if you want to get into secure network architecture (like recommending what firewall products to institute, where they should be installed, what the policies should be, etc.), you should be gearing up for that by getting experience with firewall products, and learning sound principles of firewall configurations applicable to all firewalls. If you're looking more at auditing, you should be learning OS's, how to evaluate their relative security, the various criteria systems are judged by (CIS, etc.).

  13. Senior Member
    Join Date
    Mar 2007
    Posts
    12,308
    #12
    I think you guys are just looking at it in different ways. If you look at it from a career perspective, it probably is more of a niche area. I'd wager that there are far fewer guys (and gals!) like Keatron than Windows admins. However, if you look at it from a general IT perspective, security is perhaps the widest reaching aspect of the field, and it is integral to nearly every OS, application, and network service.

  14. Senior Member
    Join Date
    Jun 2007
    Posts
    921

    Certifications
    A+, SEC +, CCNA, 642-533, CCNP, C|EH
    #13
    Quote Originally Posted by dynamik
    I think you guys are just looking at it in different ways. If you look at it from a career perspective, it probably is more of a niche area. I'd wager that there are far fewer guys (and gals!) like Keatron than Windows admins. However, if you look at it from a general IT perspective, security is perhaps the widest reaching aspect of the field, and it is integral to nearly every OS, application, and network service.

    This is correct.

    And he is also correct in stating that it is something you gradually get into.

    I am a security professional. But before this I did: system administration, network administration, and development/coding. Could I do my current job without all of that experience? Sure, but I wouldn't be nearly as capable as I am now.

  15. Senior Member
    Join Date
    Jun 2007
    Posts
    921

    Certifications
    A+, SEC +, CCNA, 642-533, CCNP, C|EH
    #14
    Quote Originally Posted by HeroPsycho
    I disagree that MCSE is a "broad cert" and security is more "narrow". Security could be argued to be actually broader than MCSE. With MCSE, you need to know how to do patch management for Windows based machines vs. Security as a whole you would need to know how to do it for all operating systems and major applications.

    Carry this to the logical conclusion, and you realize security is a big, broad subject.

    In my experience, you don't get higher level security positions until you prove yourself on platforms. If you don't have advanced skills in any operating system, how are you going to convince potential employers you can secure them?

    I would encourage you to develop skills in at least one platform. That would mean go for MCSE, or a linux cert, whatever.

    I would also recommend you begin developing skills in enterprise class firewalls, too.

    You're in the position you need to get experience with security work before you can get the higher level security certifications. That is more product centric knowledge. Do you know how to configure a PIX/SonicWall/NetScreen firewall for example? Do you know how to harden servers of at least one OS platform? Do you know how to assess the security levels of those servers?

    As a security professional I totally agree with these statements also.

    You have to have a really solid grasp on the normal functionality of the systems you're going to secure. If you don't have this how on earth can you pretend that you can lock them down?

    And just like Hero states, patch management, account administration, permissions etc. is all security administration. Security covers such a massive amount of things; because of this there are many sub categories of security admin. There are guys who evaluate and secure applications, networks, servers, desktops, physical security, the list goes on and on. And unless you work for a small company you will most likely be doing all of the security stuff. It is good practice to separate these disciplines inside of major corporations. This is done for many reasons. One reason is because the forensic guy has so many logs to go through there is no way he is going to have time to check/change firewall rules. Another reason for this separation is it adds another layer of security. If one person has the power to change firewall rules, review logs, and admin the servers that person effectively holds the keys to the castle.

    My whole point with all of this is find out what part of comp technology is your favorite or you excel at the most. Then learn the security side of that area.

  16. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,737
    Blog Entries
    50

    Certifications
    PenTest+, CISSP, SSCP, GSEC, CASP, CEH (revoked), CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, MSIT InfoSec
    #15
    Quote Originally Posted by Geekboy
    Do you think it's possible to obtain a gig working on more security related items in IT, while pursuing a degree and/or the next levels of MS/Cisco certifications?
    The answer is, of course, "yes," but you are more interested in the "how," "where," and "when" of getting such a job.

    Assuming you don't have a friend that can easily get you such a job, experience is the most important quality to have. Lacking the experience to get an InfoSec job, you will need to use your other skills to get into an organization where, one day, you can move to an InfoSec position. As an IT person in a very large organization, you will have much greater InfoSec-related opportunities than working for small to mid-sized organizations. Also, having the ability to move to a new job rather than staying only where you are increases your opportunities too.

  17. Junior Member
    Join Date
    Feb 2007
    Location
    NYC
    Posts
    16

    Certifications
    MCP NT4/Win2k - A+, Network+
    #16
    As dynamik says we are looking at it in different ways. I have been browsing the boards and around the net and decided to just get myself in the learning frame of mind and tackle the Security+, and then maybe the CCENT or just go for the CCNA next. I'm not just going to focus on getting an InfoSec job, but rather getting into a place that may give me the opportunity or learning experience. If time permits I may even try to get back to school in a year or so. Thank you all, your responses were insightful and appreciated.