Security Basics mailing list archives
RE: Security+
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 13 Jan 2003 07:34:07 -0800
> However; don't do anything illegal in that process! Nobody takes kindly to having hacker tools running on their network.
I've generally been glad to permit read-only tools (scanners, sniffers) on two conditions: that the person running them is part of the admin team already(*), and that they ASK FIRST. Non-admins running them, or without permission, are indistinguishable from the "internal threats" category that tends to dominate security incident statistics....

* - Another person on the admin team who understands the network and its security issues is someone I can start dumping small tasks to when there's too much going on at once, and today's "admin interested in this stuff" is tomorrow's "junior security engineer" and who knows what down the road.

Dave Gillett
-----Original Message-----
From: Shaw, Kevin [mailto:kevin.shaw () mail va gov]
Sent: January 8, 2003 21:00
To: security-basics () securityfocus com
Subject: RE: Security+

{long post warning}

Mr. McCarthy, as well as the other responders, are very much right on the money here. If you have little to no experience you have to *get* that experience.

However; don't do anything illegal in that process! Nobody takes kindly to having hacker tools running on their network. Anything you experiment with or test should not be connected to the outside world in any way - it's just safer to keep from accidentally releasing a trojan or doing something that will have your cable or DSL company kill your account than to use one of the machines you are working this stuff on have 'net access.

Keep in mind that you have a fine line to look at; and it's easy to ruin your chances at a good legitimate job or a government clearance by even 'hinting' at any wrongdoing. I'm not saying you plan on it but I just felt I should put my feelings on this here.

I have a couple years' experience "brushing" upon security topics as I have done a lot of installations and troubleshooting in my brief eight years in IT. That means *nothing* - the folks that hired me where I am now could care less what four-letter designations I already had; they wanted to know what I could learn and do and if I'd sit still for 12 hours watching a monitor. You know about this business - it's not as easy as it looks on paper.

I just recently landed an entry-level network security position and am taking as much advantage as I can of the certified and highly experienced security professionals on this team to learn what I can from them; and to apply things to my personal lab at home - which was 'retooled' from a web applications QA testing environment to a security environment.
I'm working a while and waiting to see how the security certification market matures over the next year or two before even dreaming of taking any exams; and I'll probably take them in a low-to-high-level progression with the Security+ or SSCP designation first; then make sure I have the real world time in to attempt anything else. You can take my story as an example or leave it; but the old maxim: "Each one teach one" has proven oh-so-true in this field.

I get the impression Security+ is geared towards system or network admins that need to add some security experience to their broad base of skills; while the SSCP/CISSP tracks are an administrative/management focus. A lot of the managers and experienced network engineers here swear by the GIAC tracks but immediately warn you they are *tough* - with essays and practicals and grueling exams. I've read a couple of the books from SANS since I started this job and they are very very good but make you *think*. Your mileage may vary.

Take the time to decide what you really want and please do yourself and the rest of us a favor by getting good at what you want to do so we all have respected certifications and a future in this business. There are bound to be plenty of opportunities in the near future for all levels of competence in the security area.

{The preceding message is my impression and opinion, and mine alone. I am not a manager [here though I have managed a help desk in the past] and make no policy or other 'quotable' statements direct or implied.}

-----Original Message-----
From: Jack McCarthy
Sent: Monday, January 06, 2003 1:32 PM
To: security-basics () securityfocus com
Subject: RE: Security+

I'm in a similar situation. I'm not a pro by a long shot, but here are some things that have helped me...at least get a better handle on 'some' of the concepts. I'm still a long way off from being a security professional...
Build a home network (or some sort of test network) and include the following:

-A broadband connection. DSL or Cable. If you can afford it, have two separate connections - two modems. Keep one network connected as a regular connection so you can check email and online documents (technical docs and PDFs) and the other modem connected to your test network. This way when you are trying to get (in my case) your UNIX-like firewall/router working and tying up one network, you still have the other network to access the Internet and look up online documentation and check email. Instead of switching back and forth every time you need to check email.

Have the following equipment:

-UNIX or a UNIX-like box. e.g. OpenBSD.
-Linux box. Your pick.
-NT/2000 boxes.
-Hubs/switches.
-Build your own firewall/router. UNIX or Linux. If you can get your hands on a Firewall-1, even better.
-Build your own IDS. Snort is free.
-Learn how to use Nmap.
-http://project.honeynet.org/ and read all submissions of 'Scan of the Month'.
-You have to learn programming! Being able to read code (a.k.a. exploits) is an absolute MUST! I'm studying C programming now.
-Read all the security news, articles, mailing lists that you possibly can.
-Go to securityfocus.com and get on all of their mailing lists. (Obviously you've already been there).
-Read, read, read...

Anyone feel free to expand on this? Improve or rebut my ideas/strategies? I'd be interested to hear what other people are doing to gain more knowledge/experience.

-Jack

--- Mike Heitz <mikeheitz () upshotmail com> wrote:

I'm new to Security (just had it heaped on me after my last performance review) and am interested in some Certs. I've heard mention of the CISSP before, and have seen articles on the Security+. I have really no programming background and have limited access to funds for training, etc... most of my training is through ordering a book from Amazon or something and trying the stuff out.
So my question is, am I going to be way over my head looking into these certs? I have been an admin for Novell for 5 years, and have spent the last 3 years in an NT/2000 environment. I want to learn as much as possible, but really don't like using things like Transcender just to pass a test. I want to "KNOW" what I am doing. :)

Any advice????

mike heitz ** sr it manager ** UPSHOT
312-943-0900 x5190

-----Original Message-----
From: Kriss Warner [mailto:kriss () cyberdinecorp com]
Sent: Sunday, January 05, 2003 1:45 PM
To: simont () lantic net; 'Security-Basics'
Subject: RE: Security+

Hey Simon:

I have been doing security work for the last couple of years (Intrusion Detect, Policy compliance etc.) I did some investigation into the various Cert's and basically found that most people are looking for CISSP. I wanted to get one Cert this year and it is going to be CISSP. I understand that the other cert's are well respected. The final decision should be based upon how the Cert will help in your career path.

Hope that helps.

Regards,
Christopher (Kriss) Warner
CYBERDINE
Kriss () cyberdinecorp com
Phone: 905.576.5931
Fax: 905.571.6562
Cell: 416.402.9838
www.cyberdinecorp.com

-----Original Message-----
From: Simon Taplin [mailto:simont () lantic net]
Sent: Saturday, January 04, 2003 3:29 PM
To: Security-Basics
Subject: Security+

Has anybody done/looked at CompTIA's Security+ cert. Is it a good cert to get because I eventually want to get into security but at the moment I don't have the experience/cash to do the SANS or CISSP courses (plus the fact that SANS is offered in South Africa)

Simon

Quote of the day:
Systems Administration is the kind of job that nobody notices if you're doing it well. People only take notice of their systems when they're not working.

---
This email has been scanned by AVG Anti-Virus
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.435 / Virus Database: 244 - Release Date: 2002/12/30