Quote:
Originally Posted by Anxst
... I feel like all my research and my schooling has taught me only enough to know I know almost nothing...
...What tips do you have for making myself a candidate when every security position (hell, every IT position) wants years of experience?...
...In the past, every position I've ever had was through personal networking...
|
You've basically given yourself an answer here.
Hard Truth Time: Nobody in the IT industry wants to hire a fresh-out-of-college grad, and that goes double for netsec positions. That piece of paper your just spent two years busting ass for? I wouldn't go so far as to say it's worthless, but without in-the-field experience to back it up it won't get you very far. There's a perception, fair or not, that college grads lack the practical experience necessary to succeed in any sort of position of authority. You may have a good understanding of the theory behind the latest injection attacks, but do you know what to do when you discover that it's been used on one of your webservers? Do you know how to prevent it's use in the first place? And are you going to be able to implement proper security in an environment running a mix of Debian and CentOS on Xen slices hosted on a mix of Dell and Sun hardware? These are the sorts of questions the folks looking at your resume are asking themselves.
You want into the field, you're going to have to be prepared to start at or near the bottom. The best you're likely to do is a junior admin position, but most admins in the field have done their time on the helpdesk and you may very well have to as well. Don't be afraid to shoot for those support positions. Look for smaller shops with a less formal corporate environment. I think that every city has a certain group of movers and shakers in the field, and your goal is to get into proximity to one of them. However, since the field in general involves a fair amount of networking it's not too difficult to play six degrees to get there. Meanwhile, make sure you know BASH inside out, and can also do some scripting in Perl, Python or ideally both. C/++ familiarity is at minimum nice perk too, and probably more geared towards essential if you want to understand how things like buffer exploits work. I wouldn't worry about the Windows stuff as much; depending on who you talk to, Linux holds anywhere from 60-80% of the server market, which as a netsec specialist is what you should be concerned with. If you have an opportunity to learn your way around IIS and/or Exchange go for it, but don't expect to use it much professionally.
As an aside, penetration testers are the rock stars of the IT world. Their jobs are highly romanticized, and it's a very small market. Start there? Hell, you need to make sure you're okay with the fact that you may never get there at all. If it's what you really want, make sure you're constantly busting ass. I wouldn't get so caught up on certificate alphabet soup (though it certainly doesn't hurt you), but what you really want is to make sure you have a deep and fundamental understanding of how attackers are breaking systems, and how to prevent it. As a start, I'd say make sure you're planning to be in Vegas for the first week of August.
Disclaimer: this post is based primarily on my personal experience. Results May Vary.