Information Security: A Look
DESCRIPTION: Information technology era, jobs and certifications. Source: Beyond the sec
TRANSCRIPT
Breaking in to Security
INFORMATION SECURITY: A SHORT VIEW
“I’d like to get a job in security, how do I get started?”

“What programming language do I need to learn to be a penetration tester?”

“What certification should I get?”

Answering these one at a time is inefficient, biased and time consuming.

Let's ask the community and get a definitive answer.
But before we get started...

Is this what you want to be?

Or maybe this?

The reality:

A lot of time in here

Meetings

Still interested?

For those still here, let's look at some stats.
Time in industry (responses, % of respondents)
  <1 year       22    7%
  1-3 years     64   22%
  4-7 years     81   27%
  7+ years     128   43%
Job types (responses, % of respondents; multiple answers allowed, so percentages do not sum to 100)
  Penetration tester       173   59%
  Vulnerability auditor    143   49%
  Sys-admin                130   45%
  IDS/firewall admin       102   35%
  Policy writer             97   33%
  Log analyst               97   33%
  Incident response         74   25%
  Other                     66   23%
  Manager                   64   22%
  Malware analyst           49   17%
  IT forensics              48   16%
  Reverse engineer          38   13%
  Exploit developer         36   12%
  Helpdesk                  35   12%
  PCI auditor               33   11%
Do you need to be able to program to be a pen-tester?
  No, but it helps    182   62%
  Yes                  78   26%
  Other                17    6%
  Don't know           12    4%
  No                    6    2%
What language? (multiple answers allowed)
  Python                227   81%
  Bash scripting        221   79%
  Ruby                  122   43%
  C                     116   41%
  Windows PowerShell    104   37%
  Batch scripting       102   36%
  PHP                   101   36%
  Java                   63   22%
  C++                    62   22%
  Other                  51   18%
  Perl                   46   16%
  VB                     29   10%
  C#                     25    9%
  Lua                    23    8%
Are certifications useful?
  Yes                                144   49%
  Yes, but only to get through HR    137   46%
  No                                  14    5%
Which certs? (multiple answers allowed)
  SANS/GIAC                                  189   69%
  CISSP                                      187   68%
  Offensive Security (PWB, AWE etc)          111   40%
  EC-Council (CEH etc)                        64   23%
  CompTIA (Security+ etc)                     63   23%
  Vendor specific                             60   22%
  Other                                       55   20%
  CHECK Team Leader (CREST/Tiger Scheme)      31   11%
  CHECK Team Member (CREST/Tiger Scheme)      30   11%
Other certificates mentioned include:
  • OSSTMM
  • ISACA
  • Cisco
  • Microsoft
  • Linux/Unix
  • Networking
  • “Whatever gets you the job”
  • “Anything management has heard of”
Are conferences worth attending?
  Yes      259   88%
  Other     24    8%
  No        12    4%

Which ones? All of them got a mention.

That’s the end of the stats.
What do you know now that you wish you'd known when starting out?

People skills, managing management and clients
“I think it's important to note that information security is a role in a company that involves dealing with people. Brush up on your public speaking and negotiation skills. I'm much better at hacking silicon than I am hacking carbon, but each is important. Take time to learn and practice those soft skills.”

Business skills
“Business skills are more important than technical skills.”

Report writing skills
“It's all about the report... you can be the best penetration tester in the world, but if your report sucks, so does your test!”

Networking is important
“Get out there and network, don't be shy, we are a friendly lot.”

You can't secure everything and can't be 100% secure, so live with it
“Security is a balance between risk mitigation and corporate earnings. Companies must continue making money to pay your salary. Ergo, the best security may not be the right security.”

“You will live in hotels”
“Pen testing is not so glamorous as it appears”

“Cons are bad for your liver”
What one piece of advice would you give to someone wanting to start a career in security?

Learn, learn and learn some more
“Study hard, do the labs and exercises, experiment with tools.”

You need your own lab
“Set a lab environment up to practice with, virtualisation makes these easy these days.”

Get an all-round education
“Develop skills in other areas of IT (system administration, network management, development, etc.) either before or in addition to InfoSec.”

Make sure you enjoy what you do
“Do it for love of what you do, not to make money. The money is good, but if you really enjoy it, it's the best job in the world.”
“Make sure it's something you really want and can keep up with, not just something you enjoy on the side.”

More about soft skills and business knowledge
“Be tolerant of the non-techs, teach them, but don't talk down to them. Be aware that sometimes, the business needs trump security best practices.”

Repeated from earlier, programming is a useful skill
“Learn to program (scripting at least).”
Get yourself known
“To get involved in different projects and contribute, there are a lot of open source projects you can contribute to in different ways.”

“It's all about reputation. Certs are useful, but if you are unknown you won't be taken seriously. Get out there, meet people, and learn from them!”

“Start a blog.. not for fame and glory but more for keeping a record of what you learn. Doesn't matter if no one reads it, do it for yourself.”

Find your local community - 2600, hackerspace, DC group
“Find your local community & online community”

Don’t just trust tools
“Learn what's going on behind the tools you are using”

“Get in bed with the operations and finance people (not literally, however this might also help)”

“Work your ass off! Everyone else does so you better get used to it.”
Is it OK to “practice” on sites/companies without permission if you don't do any damage?

Overwhelming opinion - No, there are enough resources out there, you don’t need to.

“Only if you want a new ‘room-mate’ called Bubba......”

What I’ve not covered
What do you see as the next up and coming area?
Is there anything you feel you did wrong that you would advise against?

Conclusions
If you aren’t passionate it is just another job
Get stuck in, learn and show your interest
Don’t be afraid to ask questions - but show you’ve tried to find the answer yourself first
It isn’t all about the tech

Big thanks to all who responded