I am thinking about getting into Security
-
@IRJ said in I am thinking about getting into Security:
I heard on the grapevine that there might be a new position soon where I am working for an IT security person. I am unsure of the exact job title, but the job function will basically be trying to hack our own network then send a report to the IT team.
The position will entail penetration scanning, testing, and looking for any possible vulnerabilities on the network. I am told the position will not be in the IT department since it is trying to break into what IT is actually doing.
I have recently been tasked with doing scanning and testing. I am still a rookie, but I am learning fast. So far I have been able to fix a few holes in our network. My boss has given me the Go Ahead to attend 5 days of training with ECC Council. This is the training that I will be taking. https://iclass.eccouncil.org/?p=719
How would you feel about stepping into a new role like this when your whole career has been based on Windows Server Administration?
A lot, almost all, of the pen testing tools are *nix based and are setup through the command line. So one of the big things you'll need to learn is working in and around a Linux environment and the tools that go along with it. Downloading Kali Linux and getting a testing environment up and running could go a long way.
The other thing, and I think it is vastly understated, is how important social engineering is to a successful attack. Learning some of the common social engineering methods and understanding how people think is huge when pen testing.
-
@coliver said in I am thinking about getting into Security:
@IRJ said in I am thinking about getting into Security:
I heard on the grapevine that there might be a new position soon where I am working for an IT security person. I am unsure of the exact job title, but the job function will basically be trying to hack our own network then send a report to the IT team.
The position will entail penetration scanning, testing, and looking for any possible vulnerabilities on the network. I am told the position will not be in the IT department since it is trying to break into what IT is actually doing.
I have recently been tasked with doing scanning and testing. I am still a rookie, but I am learning fast. So far I have been able to fix a few holes in our network. My boss has given me the Go Ahead to attend 5 days of training with ECC Council. This is the training that I will be taking. https://iclass.eccouncil.org/?p=719
How would you feel about stepping into a new role like this when your whole career has been based on Windows Server Administration?
A lot, almost all, of the pen testing tools are *nix based and are setup through the command line. So one of the big things you'll need to learn is working in and around a Linux environment and the tools that go along with it. Downloading Kali Linux and getting a testing environment up and running could go a long way.
The other thing, and I think it is vastly understated, is how important social engineering is to a successful attack. Learning some of the common social engineering methods and understanding how people think is huge when pen testing.
I believe social engineering is an entire day of my 5 day class.
-
-
Go for it! I'd enjoy hearing about your experience.
-
But back to your original question. I, personally, wouldn't be comfortable since pen testing and social engineering isn't something I find particularly enjoyable.
-
@coliver said in I am thinking about getting into Security:
But back to your original question. I, personally, wouldn't be comfortable since pen testing and social engineering isn't something I find particularly enjoyable.
I am not sure if I would like it or not, but so far I am enjoying the small things I have been doing.
The thing with IT is that you can't really stick your toes in the pool and feel the water. You need to jump in and sink or swim.
-
-
@aaron said in I am thinking about getting into Security:
I think this is neat and would pursue it. I've dabbled a bit but would it really be a full time job at one company?
I do think it's a lot more exciting than Win sysadmin for the future.
Yes, there is a group of admins in our system that do nothing but pen testing. Not many, I think 3 or 4. They assist with audits and requests. They also help, on request, with some post-mortems.
-
You couldn't get a career with better job security at this point. IT folks with security chops are charging top dollar.
-
I would love a job in that field. I've got the desire to learn everything I can about it. It'd be exciting if I had a chance to move into a role like that!
Edit: With the training you are getting, they may be getting ready to offer it to you.
-
@dafyre I was told that we would like to hire internally for that position. We would look to hire someone with training to do it. Then I got told to find out about the ethical hacker course. Now I'm approved for the training.
-
@IRJ said in I am thinking about getting into Security:
@dafyre I was told that we would like to hire internally for that position. We would look to hire someone with training to do it. Then I got told to find out about the ethical hacker course. Now I'm approved for the training.
I rest my case.
-
As said before, falling in love with *sh (bash, ksh, ash, ...) is crucial even in a pure Windows environment. Learn it, understand it, marry it, whatever helps. SAM has got quite a few starter guides here at ML. Personally, I like to throw my trainees into ice cold water by telling them to do a stage 3 install from source of Gentoo Linux. Depending on their skills, they will go even further by installing some WM with GPU acceleration. They tend to be scared or even cry for mom, but they will understand the basics at the end of the day. Sure, it's cruel, but it works.
Aside from learning Linux, I would think about how permanent this job is. They won't need a dedicated security guy for 40 years, except if you are working at a hoster or with 1000+ users maybe.
-
@thwr said in I am thinking about getting into Security:
Aside from learning Linux, I would think about how permanent this job is. They won't need a dedicated security guy for 40 years, except if you are working at a hoster or with 1000+ users maybe.
Well, I do work in banking. We end up paying for 2 or 3 pen tests a year as it is now.
-
-
@aaron said in I am thinking about getting into Security:
@thwr oh man that's just cruel comparing SAM's starter guides to making someone install Gentoo. I have a hard time getting folks in the door for interviews, and we use Debian.
I do wonder about the longevity of the position. This is something I'd outsource (and have) but credit unions do weird things and it may be viable. Would be cool to have the experience too.
I have to ask what area of the country you're in? While I prefer CentOS, I'll happily work with Debian!
-
@aaron said in I am thinking about getting into Security:
@thwr oh man that's just cruel comparing SAM's starter guides to making someone install Gentoo. I have a hard time getting folks in the door for interviews, and we use Debian.
I do wonder about the longevity of the position. This is something I'd outsource (and have) but credit unions do weird things and it may be viable. Would be cool to have the experience too.
We're using Debian / Ubuntu here mostly, but also some BSD. Gentoo is just used here as a great learning experience or for systems where I need very deep control, like special ARM boards etc.
-
@Nic said in I am thinking about getting into Security:
You couldn't get a career with better job security at this point. IT folks with security chops are charging top dollar.
Have you actually seen this? I know a few that have been able to do that, but by and large most security people that I talk to are out of work. There don't seem to be many jobs.
Certainly some people do it and love it and do great with it, but my take on it is that the careers are few and far between and you'll struggle to find work if you want to stay in security.
Security as an experiential add on to systems administration is great, you can leverage it into better admin work and standing. But I have yet to meet a single security person making as much as systems admins, for example. Even in big time security companies.
It's become a mantra that these jobs are plentiful, but no one knows where they are or how to get one or knows anyone working in the space.
-
@IRJ said in I am thinking about getting into Security:
@thwr said in I am thinking about getting into Security:
Aside from learning Linux, I would think about how permanent this job is. They won't need a dedicated security guy for 40 years, except if you are working at a hoster or with 1000+ users maybe.
Well, I do work in banking. We end up paying for 2 or 3 pen tests a year as it is now.
That's not much to have an internal person doing it. Someone is going to run the math on that at some point.
-
I think that this decision has to come down to... is this a career change that you want? If this is what you WANT to do, then it is a huge opportunity to build your resume and experience. If this is not something that you want, this could suck big time. It's more about you and your goals than about career options.