Monday, June 3, 2013

Why and how to teach yourself security

Reader James emails to ask:
I'd love to get a recording of your son's conversation with the consultant.  I almost went Cisco myself, got distracted, and now I just teach, but still a gear head, as clearly you are too.
He was referring, of course, to last Friday's meeting with one of my security consultant buddies.  It was not only fun to catch up with Chad, but seems pretty helpful to motivate #1 Son.

Let me start with why you might consider studying towards a certification in this field: Chad said that right now in Atlanta, the unemployment rate for Internet Security types is about 1% (and as he put it, rightly so - these are the people everyone knows are jerks).  So having this skill set more or less lets you pick where you want to live, and even starting salaries will be comfortable.  This had #1 Son's attention from the get-go.

Chad's recommendation was the same as mine as a starting point for certification: Cisco's CCNA (Cisco Certified Network Associate) is widely valued and gives you a recognized entry.  You can pick up a study book at Barnes & Noble, but Chad recommended that you do hands on configuration of routers and switches.  You can pick up old Cisco 2500 routers for small money on eBay, but the code will be old.  Chad recommended using the Bosun NetSim router simulator which mimics all the Cisco gear and lets you work through the labs.  It's not very expensive, especially compared with College tuition.

They it's a couple hundred bucks to take the CCNA exam which is given all over the place.  Cisco has a bunch of self-study materials for free download.

Chad recommended thinking about looking at Microsoft certification, to see which is more interesting to you.  I'm an old packet pusher (meaning I can just about spell Operating System).  I'd recommend the MCSA certification for servers because it will be more valuable to most organizations than desktop.

But back to security.  These certifications are just the starting point, and while they won't cost too much ($400 or $500) and will open some doors, they will still be entry level.  The next step is playing with some of the security tools.  Chad likes Backtrack which is a complete Linux distribution that includes a huge number of security tools.  You can boot it from a thumbdrive, which makes it pretty handy.  They have online training at their web site.

Chad also recommended getting together with other guys who do security.  There are a bunch of DEFCON local groups which are associated with the DEFCON security conference.  Atlanta has a DEFCON 404 group, for example.

Ultimately you'll want to get Cisco ASA certified, but this is the sort of thing you can study for over a couple years, learning the prerequisites while you have an IT networking day job.  You get to this point and you'll be in the rarefied atmosphere of security pros, and paid commensurately.

I (and Chad) are pushing Cisco because betting against this over the next 20 years or so is basically betting against the Internet.  The security situation is getting worse, there's more of a need for people with this skill set, and it looks like you can use free or low cost tools and materials to put yourself in the driver's seat.


drjim said...

Good advice.

I hope your son takes it to heart.

Dave H said...

I hope your son takes it to heart.

Me too. Even if he doesn't follow in Dad's footsteps, at least he's giving some thought to his future.

I just had a review today and the boss wants me to start studying up on networking, utility comms including DNP and Modbus, and security. I don't know why - we've done fine for decades without any in-house knowledge.

(That was a joke.)

Anyway, BP, thank you for the recommendations.

Old NFO said...

Two others are CISSP and BICSI certification. Just sayin...

Borepatch said...

Old NFO, those are advanced study certifications, which was a little beyond what I was aiming for here.

But you're right - CISSP in particular is probably needed if you want to work in security.

MSgt B said...

Why do I want to change careers all of a sudden?

You make it sound so easy.

Old NFO said...

Sorry BP, not my intention to 'jump' it...