Anxst

Hallo friends.

I graduated from technical college on the 14th of this month. I worked hard for two years, taking 70 credits and finishing with a 3.98 GPA and an Associate of Sciences: Information Technology - Network Security Specialist degree.

I'm 33, and had been wanting to go to school for computers since I was 18. Life didn't let that happen, and when I got laid off in 2009, the government gave me the option to go to school. I jumped at the chance.

Now, I'm attempting to find a job in IT Security. I'm finding it incredibly tough to find positions even tangentially related to security, but IT Security is really my passion. In ten years time, I'd like to have my GIAC gold certification and my CISSP (along with a few other certs, CEH, CPT, etc.) and be working as a Penetration Tester. I know I can't start there, but I feel like all my research and my schooling has taught me only enough to know I know almost nothing.

I've talked my family into being willing to relocate. My wife is working, and we have enough saved up for a few months as long as we're frugal...but relocation costs could eat into that quickly.

Where shall I look for work? How do I look for work out of state? What tips do you have for making myself a candidate when every security position (hell, every IT position) wants years of experience?

In the past, every position I've ever had was through personal networking. I'm pushing hard, and have a few minor leads, but I know very few people in this field myself. Also, my circle of friends has shrunk over the years, and all the contacts I made in school are now competition for similar jobs.

Basically, any tips on making this work? Was I fool for going to a 2 year college for Computer Security?

__________________
Don't mind me. I'm just releasing the insanity pressure from my headvalves.

Martian

You've basically given yourself an answer here.

Hard Truth Time: Nobody in the IT industry wants to hire a fresh-out-of-college grad, and that goes double for netsec positions. That piece of paper your just spent two years busting ass for? I wouldn't go so far as to say it's worthless, but without in-the-field experience to back it up it won't get you very far. There's a perception, fair or not, that college grads lack the practical experience necessary to succeed in any sort of position of authority. You may have a good understanding of the theory behind the latest injection attacks, but do you know what to do when you discover that it's been used on one of your webservers? Do you know how to prevent it's use in the first place? And are you going to be able to implement proper security in an environment running a mix of Debian and CentOS on Xen slices hosted on a mix of Dell and Sun hardware? These are the sorts of questions the folks looking at your resume are asking themselves.

You want into the field, you're going to have to be prepared to start at or near the bottom. The best you're likely to do is a junior admin position, but most admins in the field have done their time on the helpdesk and you may very well have to as well. Don't be afraid to shoot for those support positions. Look for smaller shops with a less formal corporate environment. I think that every city has a certain group of movers and shakers in the field, and your goal is to get into proximity to one of them. However, since the field in general involves a fair amount of networking it's not too difficult to play six degrees to get there. Meanwhile, make sure you know BASH inside out, and can also do some scripting in Perl, Python or ideally both. C/++ familiarity is at minimum nice perk too, and probably more geared towards essential if you want to understand how things like buffer exploits work. I wouldn't worry about the Windows stuff as much; depending on who you talk to, Linux holds anywhere from 60-80% of the server market, which as a netsec specialist is what you should be concerned with. If you have an opportunity to learn your way around IIS and/or Exchange go for it, but don't expect to use it much professionally.

As an aside, penetration testers are the rock stars of the IT world. Their jobs are highly romanticized, and it's a very small market. Start there? Hell, you need to make sure you're okay with the fact that you may never get there at all. If it's what you really want, make sure you're constantly busting ass. I wouldn't get so caught up on certificate alphabet soup (though it certainly doesn't hurt you), but what you really want is to make sure you have a deep and fundamental understanding of how attackers are breaking systems, and how to prevent it. As a start, I'd say make sure you're planning to be in Vegas for the first week of August.

Disclaimer: this post is based primarily on my personal experience. Results May Vary.

__________________
I wake up in the morning more tired than before I slept
I get through cryin' and I'm sadder than before I wept
I get through thinkin' now, and the thoughts have left my head
I get through speakin' and I can't remember, not a word that I said

- Ben Harper, Show Me A Little Shame

Anxst

Thanks, Martian.

I know I need to start at the bottom. I do not have anywhere near the experience with incident response or real situations needed to move straight into the world of Security.

I know networking is the key to finding positions. I would have loved to go to DefCon to make some contacts (or DerbyCon, actually), but there's no way I can afford that. Heck, if I don't find a job before DerbyCon starts, I'm not sure how we'll be paying rent.

While I fully realize that PenTesting is romanticized, and I may never get there, I need a goal to shoot for. I figured I would aim for the top, and see where I can go. Now I just need to find the first rung on the ladder.

I know bash pretty well. I'm okay scripting in Perl and Python. The code is never pretty, but it gets things done. This, for example. I've never looked into C++, other than attempting to figure out what other people's code does, but I know enough x86 Assembly to actually write really simple programs, so walking through a buffer overflow isn't an issue. I've been a linux user at home for years, and have done things like set up an FTP and Apache server on home networks. I was the Linux admin for this year's CCDC team at my tech school, and we took third in the state. I'm proud to say I kept the red team out of our CentOS FTP box for 6 hours, and they never got into our Ubuntu Splunk server at all.

It's nice to hear the degree wasn't a total waste of time. I learned all my Perl scripting in school, and taught myself Python over the last few months. I had a great teacher who pushed me into learning TCP/IP to the point that I feel like I can make a Snort rule to find nearly anything, while on the other side using Scapy to fling packets right past most Snort rules. I'm good with Cisco ASAs, and can do basic switch and router configs. I couldn't do any of that before school, so it was time well spent.

I'll keep looking. Having never made more than 14 dollars an hour, I'm not afraid of help desk positions. I just need to find one, and there seem to be precious few IT shops, outside education and insurance, in the Madison WI area. The education based IT shops all hire their own students for the most part (UW-Madison has a fair number of Comp Sci students) and the Insurance companies all outsource their basic IT staff. Only security and management are in-house.

Now I'm just rambling. Back to the job search! Any further thoughts from anyone would be lovely.

__________________
Don't mind me. I'm just releasing the insanity pressure from my headvalves.

LordEden

Obligatory Statement: What Martian Said. He speaks the truth.

That aside, have you thought about internships? It's a good way to get your foot in the door and some real work experience. I know having a family, you need to make money, but it might be worth it to be someone's bitch for 6 months - 1 year to get yourself setup to take a better job.

*****

The IT industry sucks right now, the only jobs out there are for half of what they are worth and they want twice as much experience as is needed for the job. They can do this because everyone and their brother needs a job. I saw guys with 10+ years network admin experience applying to help desk jobs.

Carpet bomb the everliving shit out of your resume. I was getting to the point I was looking at advertisements for companies and emailing the resume to them (if they got money for ads, they might have money for me). I got my job now (as shitty as it is) by dropping my resume off at a mom-and-pop computer repair shop. One of the part-time techs worked at a company that was hiring, two phone calls later and I had a interview.

__________________
Vice-President of the CinnamonGirl Fan Club - The Meat of the Zombiesquirrel and CinnamonGirl Sandwich