Would like to go into Computer Security

M

markt435

Supreme [H]ardness
Joined
Aug 9, 2004
Messages
7,590
I've been weighing my options lately and this is something I'd really like to get into. Guess a little background would help...

- I'm 22 (23 in Sept)
- Transferred to a 4 yr university this year and will be most likely going for a general CS degree. Have 2-3 years left total (as long as things go to plan).
- Applied for a campus computer lab job and recently interviewed for it. Hoping I get it as....
- I have 8 months of general IT work experience working at my former school district. If I count the time I was a TA and just helped on my campus while still a senior in HS, it would definitely be just over a year. Adding to that work experience...
- Joined Civil Air Patrol this month and will be training for their IT Officer position for my squadron. Basically serve as Web Security Admin, provide help desk service, training for seniors and cadets, etc. Luckily for me, they have OLD computer equipment and would like to spend the money to overhaul the entire thing so I'll be able to oversee and setup the new equipment. Basically almost works like an internship for me, no?

Is the "plain ol" BSCS the best option? They have CIS and a few other options such as BA in CS Theory which isn't as heavy on math and programming. I don't know if I'd like to minor in anything at this point...I've been in college for too long as I've been going off and on since I got out of HS and I want to be done already. Certs I already know I can supplement the degree with (may do that during the summer as I like to stay somewhat busy). Any suggestions? Do I have a lot of things covered in terms of work experience and adding to it?
 
Well, if you would like to go into Computer Security as far from what I can tell, anything with a BS or BA infront of it will land you a job (within reason!). There's a whole lot to Computer Security and you have to carefully think out what exactly you want to do in the "Security" field.

Do you want to handle encryption? Do you want to be a human anomily detector? Do you want to specialize in HIDS/NIDS, firewalls, encryption, etc... I could go on and on.

Do you know how encryption works? The different protocols used, I could go on and on. Security+ would be a nice Certification to have as well as the CISSP if you really want to get into Security. Do you have a Security Clearance?

Hope this helps clear things up for you, but I just confused myself! :p
 
There are many different areas of Information Assurance. If you plan to do something technical related to security such as writing secure code or penetration testing / consulting then I recommend getting a Computer Engineering degree and picking up some books such as Writing Secure Code. Learn the different methods attackers use and how to test for them and prevent them. If you don't want to do so much programming and would like to focus on IT administration or management then a CIS degree with some Information Assurance / Security electives would serve you well, but a CS or CE degree would get you started just as well. I have worked wth security on the networking / IT administration side and now I deal with security in developing software products.
 
ben chi(f4) said:
Well, if you would like to go into Computer Security as far from what I can tell, anything with a BS or BA infront of it will land you a job (within reason!). There's a whole lot to Computer Security and you have to carefully think out what exactly you want to do in the "Security" field.

Do you want to handle encryption? Do you want to be a human anomily detector? Do you want to specialize in HIDS/NIDS, firewalls, encryption, etc... I could go on and on.

Do you know how encryption works? The different protocols used, I could go on and on. Security+ would be a nice Certification to have as well as the CISSP if you really want to get into Security. Do you have a Security Clearance?

Hope this helps clear things up for you, but I just confused myself! :p
Click to expand...
lol thanks. No security clearance yet. Kinda young for that right now not to mention no reason to get it until I need to. I'd probably want to go into HIDS/NIDS, firewalls, etc. Is there a name for that specialization? I have a spare EeePC that I'd like to start using for testing networks...namely my squadron's network when its finished being set up. Making it secure as possible is something I want to learn how to do and do well. Dunno if that helps you help me out but yeah. I tried. :p
Icemastr said:
There are many different areas of Information Assurance. If you plan to do something technical related to security such as writing secure code or penetration testing / consulting then I recommend getting a Computer Engineering degree and picking up some books such as Writing Secure Code. Learn the different methods attackers use and how to test for them and prevent them. If you don't want to do so much programming and would like to focus on IT administration or management then a CIS degree with some Information Assurance / Security electives would serve you well, but a CS or CE degree would get you started just as well. I have worked wth security on the networking / IT administration side and now I deal with security in developing software products.
Click to expand...
Yeah programming isn't really a focus for me. At least its something I don't want to be a main focus. The CIS degree is supposed to replace most of the math classes with accounting and econ (suppose that comes with the territory) in addition to having the core programming and other CS classes.

CIS degree track:
http://www.ewu.edu/x47072.xml

CS degree track:
http://www.ewu.edu/x47068.xml
 
I think you made a great choice by entering into the security field. Data Analyst and security are the hottest fields right now. The low level programming is shrinking in the States, because the Eastern side of the world does better programming at the cheaper labor. Also, the major key players in the market place determined AJAX into the cloud is the future. Of course, people will still need administrators in the States, but demand for Microsoft and Cisco administrators will shrink as we have more than we need in the market. By the time, you graduate, you will have a harder time. Still security analysts with auditing and programming backgrounds are really in need in the market place. I personally wish I made a choice going to the security field when I had a chance.
 
I am looking at getting to the same thing!

Could you PM me any tips you have

I was looking at going to Westwood online

also, what is the best way to get A++

also, once I graduate where do I look at getting a job?
 
requiemnoise said:
I think you made a great choice by entering into the security field. Data Analyst and security are the hottest fields right now. The low level programming is shrinking in the States, because the Eastern side of the world does better programming at the cheaper labor. Also, the major key players in the market place determined AJAX into the cloud is the future. Of course, people will still need administrators in the States, but demand for Microsoft and Cisco administrators will shrink as we have more than we need in the market. By the time, you graduate, you will have a harder time. Still security analysts with auditing and programming backgrounds are really in need in the market place. I personally wish I made a choice going to the security field when I had a chance.
Click to expand...
Yeah. I was originally going to go the administrator route but seeing as the field is gonna go thru a down period, I figured I'd specialize in something else. Once I have my degree I can go in pretty much any direction it seems, just depending on what kind of certs I add and what classes I'm able to add on as electives. Not to mention, doing help desk stuff is sorta boring honestly. Even just doing it for a year showed me that lol. I wanna be hands on and see the results of my work (seeing a robust and secure network) and know I can handle most things that are thrown at it.
 
markt435 said:
Yeah. I was originally going to go the administrator route but seeing as the field is gonna go thru a down period, I figured I'd specialize in something else. Once I have my degree I can go in pretty much any direction it seems, just depending on what kind of certs I add and what classes I'm able to add on as electives. Not to mention, doing help desk stuff is sorta boring honestly. Even just doing it for a year showed me that lol. I wanna be hands on and see the results of my work (seeing a robust and secure network) and know I can handle most things that are thrown at it.
Click to expand...

Yea man. You are being very smart about this. Make sure you stick to the auditing side. You get to do some research. Firewall and IDS are B.S. side of the security field. Most of these so called, security gurus use out of box machines without any security knowledge. They will be kicked out of the field once the market get oversaturated. There are many people who jumped in without knowing too much about the IP programming. Now, that side is being oversaturated and salary will go down soon. Good auditors know a lot about programming and might even had published few articles. If you work for a good security consulting firm, they want you to waste your time and do research. It is less busy stressful work.
 
The best way I learned about security is p[racticing penetration testing and setting up networking environments with VMs. You can setup a virtual machine environment with VM Ware or Hyper V and setup all sorts of different setups. Set up an environment with Windows Server as a domain controller, configure different firewalls, SQL database, web servers, etc. and try and break in. Setup different types of environments to be secure and then attack them, or find someone that knows alot about penetration testing and have them attack your setups. There are lots of tools out there that you can download to try different attacks such as metasploit.

You can also try competing in an event such as the Collegiate Cyber Defense Competition. I organized a team for my college and we took 3rd place and it was excellent practice and also a great networking. 3 of the members of my team were hired after graduation by companies they met at a cyber defense competition.
 
Have you spend some time with Metasploit Framework? If you haven't, I recommend reading few things about it. A lot of things to learn, but it seems like your heart is set and you got some time. I think your future looks bright. Good luck dude.
 
HIDS/NIDS and firewalls are great, but it's basic security. The future is in biometrics, physical security, event correlation and intelligent expert system development to analyze those events and act on them (autonomous security systems), and digital forensics to name a few. Vulnerability/risk assessment, especially where compliance is concerned, will always have a place and pen-testing fits into that nicely. There are a lot of folks out there who think pen-testing means firing up a couple of applications and going at it. True pen-testing is an art and requires a lot of programming, networking, general security, psychology, and social engineering knowledge. BS CS, CE, or EE are good choices to get into security. Minors in math, psych, or business would probably give you the most bang for your buck from what I have been exposed to if you need to minor.

If you want to truly get deep into security, I would look at getting involved with a good security consulting company, or an organization that has a robust security component. Typically financial, insurance, anyone dealing with classified material, and critical infrastructure will invest heavily in security, just to give you an idea on where to begin your search. Security guys will make a comfortable living for the foreseeable future in my opinion, but the real money lies in being a phenomenal security consultant (beyond network security) and in development of security systems.

Getting involved in professional organizations that meet locally such as ISSA is a good idea, and going to conferences and competitions as mentioned is a great way to network.
 
Thanks. And thanks for the tips guys. It helps a lot.

Thankfully we have MSDNAA here so I can pick up Windows Server and mess around with it. Would really like to get another box or two to practice on though. If I can get that lab job, the money will definitely help pay for that stuff. Though there is only so much that can fit in a dorm lol. I have my own room so it shouldn't be too bad.
 
markt435 said:
Thanks. And thanks for the tips guys. It helps a lot.

Thankfully we have MSDNAA here so I can pick up Windows Server and mess around with it. Would really like to get another box or two to practice on though. If I can get that lab job, the money will definitely help pay for that stuff. Though there is only so much that can fit in a dorm lol. I have my own room so it shouldn't be too bad.
Click to expand...

Don't worry about the machines. Download some GNU compilers and howto programming pdfs. You will not get hired as an auditor for keeping up with security mailing lists and wait for othres source code. Anybody can download others source, compile, and execute. Also, don't forget to download some books on cryptographic technology. That will take least 2 to 4 years to have a basic understanding. I'm sure you will have some money for new machines by that time.
 
Would the Express versions of the Visual Studio programs be a good start as well? I've downloaded the DVD iso they were offering and have all 4 installed right now. I messed around with Web Developer a bit but nothing else yet. I'll look up some GNU compilers though.
 
markt435 said:
Would the Express versions of the Visual Studio programs be a good start as well? I've downloaded the DVD iso they were offering and have all 4 installed right now. I messed around with Web Developer a bit but nothing else yet. I'll look up some GNU compilers though.
Click to expand...

I am a consultant who wears many hats. I'm not a security expert. I can only give you clues, but you need to start networking outside here. This forum isn't a place for a real security. But, you need to learn some hardcore stuff before you get accepted by a different community. Couple things you should focus on. You have to understand how Operating Systems operate. Windows is the worst way to figure out how OS works, because it s a closed source OS. Only way to find out is start programming applications. Focus on network service applications such as DNS, http servers, ftp, understand different poising attacks, DoS, OS structures, libraries, crypto, and finally something everyone hates which is MATH. Understanding statistic in the technology environment from coding to the users estimated online norm behaviors are all part of the job. Social behaviors and understand how to engineer people online are all part of how auditors operate. Once you get good, start networking on various IRC chat channels with Black hats to White hats. Don't try to impress these folks by downloading the latest "script kiddie tricks." They probably kick you off the net for few days. Some people have enough talents to knock down an entire company for hours. Learn their behaviors, how codes get traded, and learn how they behave. Also, networking with other security developers are must. Once you covered these things, it is time to learn real networking which is nothing to do with Microsoft. Security guys on Microsoft is kind of known and classified as a "script kiddie" or corporate security person. Most high level development tools will not appear to Windows environment unless you ported the codes yourself.

So what to do now? If you have least 1 gig of ram, download VMWARE server or Virtualbox. They are both free VM hosts. Install every OSes and master them. Learn how codes can be ported. Learn how codes are made for the most popular platforms. Trash your guest machines and learn how OSes work.
 
lol i'm gonna be one busy guy for the next few years i can tell you that right now. :)
 
My college offers CS degrees but for security I would think you would get a better background in telecommunications. Our security program takes us from learning how to program a virus so we know how they work to seeing how they affect a network and how to prevent them. CS majors are just the programming side and with my telecommunications degree they covered that so we knew how it worked. Just my 2 cents.

Plus i'd imagine you'd get a better prevention background on viruses and the like through telecommunications. Especially if you took a policy class for networks.
 
You must log in or register to reply here.
Back
Top