Sunday, October 12, 2008

IT Security Consultant Jr.

Question: How can I train myself in IT Security?
I've been a technical consultant, a developer, and have held various other SDLC-related roles for quite a while now. My goal is to move into IT Security, so how do I jump-start? What should I read, or do?
I would very much appreciate it if anyone could clarify what skillsets an IT Security Consultant should/must have.

Answer:
As discussed above, you have the right foundation to kick-start an IT security career.
An IT Security career is a broad term; it can be defined by the combination of several practice areas, and you need the fundamental skills to take the first step. Specializations like Network Security, Application Security, Penetration Testing, Database Security, Cryptology and Audit will come later, with specific skill-set requirements.
First fundamental skills:
1- Have a solid understanding of TCP/IP for today's interconnected world of digital assets (if any other network technologies are used, you need to understand them as well). You may either read one of the good books in the market (e.g. TCP/IP Illustrated) or write a small socket application from scratch. You should be able to pass the Cisco CCNA cert with your development background without any detailed help/courses, just a few books... When you read a network capture file you must be confident.
2- Have a solid understanding of the basic pillars of information security: authentication, authorization, integrity, encryption and non-repudiation. You should be able to relate all the applications you use to a security perspective. Try evaluating the applications that you use daily in terms of the pillars I mentioned above. Understand approaches, methodologies and solution sets.
3- Have a solid understanding of risk. Make sure that you understand the full risk life-cycle: Assets, Threats, Vulnerabilities, Safeguards, Gaps etc. Once you understand the threats and the safeguards, your vision gets clearer. You can study risk management frameworks that are available publicly.
4- Have a solid understanding of IT security specific initiatives like COBIT, ISO27001, NIST, PCI, NSA, CERT, CVE etc...
If you want to be a consultant then you need some more basics:
1- Understand market requirements, trends, and solution sets. Start reading. Start following the top 10 blogs and other interesting blogs for information security, set up your Google alerts, subscribe to the mailing lists, and start checking security research sites daily.
2- Build up your jargon; study CISSP, GIAC, CISM, CISA etc... These certifications help you to speak the same jargon as the rest (the CIA triad, role-based management etc...). When you say "web access blocking" instead of "URL filtering", your interviews will be short.
3- Get familiar with common solution sets, vendors and methodologies. Name 3 alternative solutions for each security requirement.
Another shortcut is to focus on one area only. If you like any of the areas above (Network Security, Application Security, Penetration Testing, Database Security, Cryptology, Audit), I can provide different paths. You may also try getting a vendor certification first and then start practicing security (Check Point, Cisco etc.) as a shortcut.
Again, these are basics; these things will open the door for you, and they will make you book smart... Being a consultant requires active projects and hands-on expertise. On-the-job training is priceless if you can get an opportunity. If you do not have a project, then you may join one of the community projects like OWASP, Snort, OSSTMM et al.
I have seen many self-starters choosing the security management path. Without genuine information security experience, a security management claim will be fun material for the veterans. Baby steps recommended.
I think this is a good start, but let me know if you have any specific questions.
Cheers,
- yinal ozkan
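The first fundamental the answer lists is being confident when reading a network capture. The following is an added worked example, not part of the original post or the author's material: a hand-rolled parser for a raw IPv4/TCP packet (no link-layer frame) that checks the header lengths, the IPv4 header checksum and the TCP checksum over its pseudo-header, then pulls out the 5-tuple, flags and payload. The sample packet, addresses, ports and HTTP payload are constructed for the example; the builder exists only to produce test input with valid checksums.

```python
import struct

# Added example (not from the original post). Constructed IPv4+TCP packet and a
# parser for it, so the offsets seen in a capture file can be checked by hand.

TCP_FLAG_BITS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Over data that already carries a
    valid checksum field the result is 0, which is how verification works."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4_tcp(src, dst, sport, dport, flags, payload, seq=1, ack=0, ttl=64):
    """Build a minimal IPv4+TCP packet (20-byte headers, no options) with both
    checksums filled in. `flags` is a sequence of names from TCP_FLAG_BITS."""
    flag_bits = sum(bit for name, bit in TCP_FLAG_BITS if name in flags)
    s, d = ipv4_to_bytes(src), ipv4_to_bytes(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_bits,
                      65535, 0, 0) + payload
    # TCP checksum covers a pseudo-header (src, dst, zero, proto, tcp length).
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     ttl, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Parse an IPv4 packet carrying TCP. Raises ValueError on anything a
    capture reader should refuse rather than silently misinterpret."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _cksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("bad IPv4 length fields")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 6:
        raise ValueError("not TCP (protocol %d)" % proto)
    if flags_frag & 0x3FFF:  # MF flag or non-zero fragment offset
        raise ValueError("fragmented; reassemble before parsing TCP")
    seg = packet[ihl:total_len]  # drop any link-layer padding past total_len
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, tcp_flags, window, _tcksum,
     _urg) = struct.unpack("!HHIIBBHHH", seg[:20])
    doff = (off_res >> 4) * 4
    if doff < 20 or len(seg) < doff:
        raise ValueError("bad TCP data offset")
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    if inet_checksum(pseudo + seg) != 0:
        raise ValueError("bad TCP checksum")
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "id": ident, "sport": sport, "dport": dport,
        "seq": seq, "ack": ack, "window": window,
        "flags": [name for name, bit in TCP_FLAG_BITS if tcp_flags & bit],
        "options": seg[20:doff], "payload": seg[doff:],
    }


# Constructed sample: a cleartext HTTP request segment (addresses are made up).
SAMPLE = build_ipv4_tcp("192.168.1.10", "93.184.216.34", 40000, 80,
                        ("PSH", "ACK"),
                        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
                        seq=0x01020304, ack=0x0A0B0C0D)


def describe(packet: bytes) -> str:
    p = parse_ipv4_tcp(packet)
    return "%s:%d -> %s:%d [%s] len=%d" % (p["src"], p["sport"], p["dst"],
                                          p["dport"], ",".join(p["flags"]),
                                          len(p["payload"]))


def tampered_is_rejected(packet: bytes) -> bool:
    """Flip one bit of the source address: the IPv4 checksum must now fail."""
    bad = bytearray(packet)
    bad[15] ^= 0x01
    try:
        parse_ipv4_tcp(bytes(bad))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(describe(SAMPLE))
    print(SAMPLE.hex())
```

Dump `SAMPLE.hex()` and compare the bytes against the offsets in the parser: the IPv4 header checksum sits at bytes 10-11, the source address at 12-15, the TCP flags byte at offset 33 (20 + 13), and the checksum you see in a real capture is often wrong on the sending host because the NIC fills it in after the capture point, which is why a parser should report a checksum failure rather than crash on it.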
