Security Basics mailing list archives

RE: Security+


From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 13 Jan 2003 07:34:07 -0800

However; don't do anything illegal in that process!  Nobody
takes kindly to having hacker tools running on their network.  

  I've generally been glad to permit read-only tools (scanners, sniffers) on two conditions: that the person running them is part of the admin team already(*), and that they ASK FIRST.  Non-admins running them, or without permission, are indistinguishable from the "internal threats" category that tends to dominate security incident statistics....

* - Another person on the admin team who understands the network and its security issues is someone I can start dumping small tasks to when there's too much going on at once, and today's "admin interested in this stuff" is tomorrow's "junior security engineer" and who knows what down the road.

Dave Gillett


-----Original Message-----
From: Shaw, Kevin [mailto:kevin.shaw () mail va gov]
Sent: January 8, 2003 21:00
To: security-basics () securityfocus com
Subject: RE: Security+


{long post warning}

Mr. McCarthy, as well as the other responders, are very much right on the money here.  If you have little to no experience you have to *get* that experience.  However; don't do anything illegal in that process!  Nobody takes kindly to having hacker tools running on their network.  Anything you experiment with or test should not be connected to the outside world in any way - it's just safer to keep from accidentally releasing a trojan or doing something that will have your cable or DSL company kill your account than to let one of the machines you are working this stuff on have 'net access.  Keep in mind that you have a fine line to look at; and it's easy to ruin your chances at a good legitimate job or a government clearance by even 'hinting' at any wrongdoing.  I'm not saying you plan on it but I just felt I should put my feelings on this here.

I have a couple years' experience "brushing up" on security topics as I have done a lot of installations and troubleshooting in my brief eight years in IT.  That means *nothing* - the folks that hired me where I am now could care less what four-letter designations I already had; they wanted to know what I could learn and do and if I'd sit still for 12 hours watching a monitor.  You know about this business - it's not as easy as it looks on paper.  I just recently landed an entry-level network security position and am taking as much advantage as I can of the certified and highly experienced security professionals on this team to learn what I can from them; and to apply things to my personal lab at home - which was 'retooled' from a web applications QA testing environment to a security environment.  I'm working a while and waiting to see how the security certification market matures over the next year or two before even dreaming of taking any exams; and I'll probably take them in a low-to-high-level progression with the Security+ or SSCP designation first; then make sure I have the real world time in to attempt anything else.  You can take my story as an example or leave it; but the old maxim: "Each one teach one" has proven oh-so-true in this field.

I get the impression Security+ is geared towards system or network admins that need to add some security experience to their broad base of skills; while the SSCP/CISSP tracks are an administrative/management focus.  A lot of the managers and experienced network engineers here swear by the GIAC tracks but immediately warn you they are *tough* - with essays and practicals and grueling exams.  I've read a couple of the books from SANS since I started this job and they are very very good but make you *think*.  Your mileage may vary.  Take the time to decide what you really want and please do yourself and the rest of us a favor by getting good at what you want to do so we all have respected certifications and a future in this business.  There are bound to be plenty of opportunities in the near future for all levels of competence in the security area.

{The preceding message is my impression and opinion, and mine alone.  I am not a manager [here though I have managed a help desk in the past] and make no policy or other 'quotable' statements direct or implied.}

-----Original Message-----
From: Jack McCarthy
Sent: Monday, January 06, 2003 1:32 PM
To: security-basics () securityfocus com
Subject: RE: Security+


I'm in a similar situation.  I'm not a pro by a long shot, but here are some things that have helped me...at least get a better handle on 'some' of the concepts.  I'm still a long way off from being a security professional...

Build a home network (or some sort of test network) and include the following:
-A broadband connection. DSL or Cable. If you can afford it, have two separate connections - two modems.  Keep one network connected as a regular connection so you can check email and online documents (technical docs and PDFs) and the other modem connected to your test network.  This way when you are trying to get (in my case) your UNIX-like firewall/router working and tying up one network, you still have the other network to access the Internet and look up online documentation and check email.  Instead of switching back and forth every time you need to check email.

Have the following equipment:
-UNIX or a UNIX-like box.   e.g. OpenBSD.
-Linux box. Your pick.
-NT/2000 boxes.
-Hubs/switches.


-Build your own firewall/router. UNIX or Linux. If you can get your hands on a Firewall-1, even better.
-Build your own IDS.  Snort is free.
-Learn how to use Nmap.
-http://project.honeynet.org/ and read all submissions of 'Scan of the Month'.
-You have to learn programming!  Being able to read code (a.k.a. exploits) is an absolute MUST!  I'm studying C programming now.

-Read all the security news, articles, mailing lists that you possibly can.
-Go to securityfocus.com and get on all of their mailing lists.  (Obviously you've already been there).
-Read, read, read...

Anyone feel free to expand on this?  Improve or rebut my ideas/strategies?

I'd be interested to hear what other people are doing to gain more knowledge/experience.



-Jack
--- Mike Heitz <mikeheitz () upshotmail com> wrote:
I'm new to Security (just had it heaped on me after my last performance review) and am interested in some Certs. I've heard mention of the CISSP before, and have seen articles on the Security+. I have really no programming background and have limited access to funds for training, etc... most of my training is through ordering a book from Amazon or something and trying the stuff out.

So my question is, am I going to be way over my head looking into these certs? I have been an admin for Novell for 5 years, and have spent the last 3 years in an NT/2000 environment. I want to learn as much as possible, but really don't like using things like Transcender just to pass a test. I want to "KNOW" what I am doing.  :)

Any advice????

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: Kriss Warner [mailto:kriss () cyberdinecorp com] 
Sent: Sunday, January 05, 2003 1:45 PM
To: simont () lantic net; 'Security-Basics'
Subject: RE: Security+

Hey Simon: I have been doing security work for the last couple of years (Intrusion Detect, Policy compliance etc.) I did some investigation into the various Cert's and basically found that most people are looking for CISSP.  I wanted to get one Cert this year and it's going to be CISSP.  I understand that the other cert's are well respected. The final decision should be based upon how the Cert will help in your career path.

Hope that helps.

Regards,
Christopher (Kriss) Warner
CYBERDINE
Kriss () cyberdinecorp com
Phone: 905.576.5931
Fax: 905.571.6562
Cell: 416.402.9838
www.cyberdinecorp.com
 

-----Original Message-----
From: Simon Taplin [mailto:simont () lantic net] 
Sent: Saturday, January 04, 2003 3:29 PM
To: Security-Basics
Subject: Security+

Has anybody done/looked at CompTIA's Security+ cert?

Is it a good cert to get because I eventually want to get into security but at the moment I don't have the experience/cash to do the SANS or CISSP courses (plus the fact that SANS is offered in South Africa)

Simon


Quote of the day:
Systems Administration is the kind of job that nobody notices if you're doing it well. People only take notice of their systems when they're not working.
---
