If you missed part one, you can get caught up here: www.blackhillsinfosec.com/a-career-in-information-security-faq-part-1/
Let’s jump straight back into the Q & A!
4) What are some of the college courses that you took that had a lasting impact on your career?
Courses in Human Capital Management had the most lasting impact on my career. But, I might be the minority on that. Human Capital Management is about human knowledge, human resources, and matching a pay service to a human capable of doing the work. Being a security analyst with that background helps you find vulnerabilities that result from a knowledge/skill gap that has become their weakest link. Businesses that have invested in Human Capital Management typically cover their IT assets in such a way that the right eyes are looking in the right places at the right time and have a continuity plan for when those eyes get tired. – Kent Ickler
Ethical Hacking was really the primary course I took in college that had a “lasting impact” on my career. Any programming classes I took also had an impact but on a daily basis I use more that I’ve learned from real-world experience than what college classes taught me. In terms of quality educational courses I highly recommend SANS courses though. Each SANS course I’ve taken has been packed with information that I’ve been able to utilize daily. –Beau Bullock
Philosophy 105: Logic and Reasoning. This covered formal and informal logic: syllogisms and fallacies and those sorts of things. I took it as an elective for fun, but it gave me a solid understanding of how to build an argument and how to recognize cognitive biases and flawed reasoning. When I shifted my focus to computers, I found boolean logic and truth tables were nice and familiar. –Brian BB King
Programming was by far one of my most beneficial classes. No, I’m not saying take nothing but programming classes (unless that is your desired field). The reason I say this is that it teaches fundamentals of how applications work as well as design flow, which helps correlate to possible findings of vulns as well as a basis for troubleshooting in a systematic way/thinking outside the box. – Derrick Rauch
We had a course called “Legal and Ethical Issues in Computing”. I find myself using concepts and ideas from that class on an almost daily basis. – Craig Vincent
Really none. I didn’t even take a security class in college. –Kelsey Bellew
The basics of computer science are pretty universal and good to have a grasp on: Discrete Math, Data Structures, Algorithms. Knowing how to program in a couple of languages is useful. Networking knowledge is crucial but can be self-taught, and Operating Systems fundamentals are sometimes handy too. – Ethan Robish
Project Management. Microsoft Office bootcamp. Java basics. Finance, I still carry a calculator that can do TimeValueOfMoney. Marketing – understanding demographics. MacroEcon – I now take a macro perspective in every situation. HTML. Spanish!!! I can’t emphasize this enough and haven’t mentioned that the only reason I got a break at HP was because I could answer a telephone in semi-functional Español. Seriously, this coursework and the construction day to day with Mexicans paved my way into IT. No joke. Looking back, I would have invested in more Computer Science. –Jordan Drysdale
5) What are some aspects about your career that you didn’t know about or consider when you were starting?
My career has been a winding path of industry fields all having focused on IT in some fashion. Five years ago I didn’t know I would be doing this now, but I enjoy the work I do and being able to (and motivated to) give back to the community is amazing. – Kent Ickler
When starting out I didn’t really consider how much time would be spent doing reporting. I spend a lot of my week with Microsoft Word open writing reports for customers. This is the most important piece as it is the deliverable to the person who is paying your company for you to do your job. So, if you are interested in getting into penetration testing or red teaming just be aware it’s not all hacking. You will be spending a lot of time typing up reports. –Beau Bullock
I thought it was a purely technical field. It’s not. Learn to write well. You can learn a lot of the technical skills as-you-go, but you’ll never have as good a chance to learn how to use language as you do in school. Practice writing every chance you get. –Brian BB King
I did not consider the fact that I would have to dedicate so much time to continuing education; however, this is a double-edged sword for me as I love to learn! – Derrick Rauch
Starting out, I didn’t realize how tightly coupled my technical work was with the business/operational aspects of the companies and organizations I worked for. I found that considering my role from the “business perspective” made me more valuable. It ultimately made my job much easier and more enjoyable too. – Craig Vincent
I have to deal with people a LOT. Any time I thought of a technical job I thought it would mean being in a dark remote cave somewhere, and if you interacted with anyone it would be the other people in the cave. This isn’t true at all in security, and I don’t think it matters what branch you go into. By nature, it’s a very social job. You have to get very good at clearly explaining events and your own point of view if you want to get very far. –Kelsey Bellew
Before that pivotal phone call with John, I didn’t know that hacking into things was a legitimate job. Afterwards, I think what maybe surprised me the most was how much different corporate cultures influenced overall security. In general the places with the worst security were the ones who A) didn’t want us to be there B) were forced to consider security by compliance, a customer, or some other department and C) were territorial and either defensive or aggressive towards us and other IT-related departments in their company. – Ethan Robish
I never imagined that my life would be where it is now. There couldn’t possibly be a closer connection from what I do on a daily basis to what is going on in the real world. SANS SEC504 – Hacker Techniques and Incident Handling – this class is what we do on a daily basis and what defenders these days are up against. There are breaches every single day. We are trying desperately to educate, help people, businesses and anyone that will listen. But, trying to step back and answer the question more directly… We all just expect to get out, get an awesome job and love our lives. The struggle is real. Working at HP in a large corporate environment was super tough and got to be more and more stressful. I quit after five years, a twitchy right eye, and a stressed-out life. Sure, money was good, but it was hard. –Jordan Drysdale
6) What are some things I should be spending my time doing now (outside of school) to help prepare me for a career in this field?
Watch all of BHIS’s webcasts and follow our crew on Twitter! There are lots of IT Security resources around. Work on capture-the-flag challenges! Start a local meet-up to discuss IT security, IT issues, or just to have an hour away from school. Networking is very important in IT Security because the field is so wide it is not possible to be an expert in all aspects. – Kent Ickler
Learn as much about networking fundamentals as possible. Having an understanding of networking before diving into the security aspect of it is very important in my opinion. This is a seven-hour course from Microsoft with eight modules and eight really short assessments that might be a good starting place.
Learn the Linux command line. It is one of the primary operating systems we use in penetration testing so it will be very good to get a basic understanding of it and how to use the command line. Almost everything we do in security is driven from the command line. Here are two free courses on Linux and the command line. The second one will walk you through setting up Virtual Box and a Linux virtual machine then show you some command line basics.
In penetration testing we are often attacking other computer systems. One very popular tool for doing this is called Metasploit. There is a free course that introduces it from Offensive Security called Metasploit Unleashed that is worth checking out – https://www.offensive-security.com/metasploit-unleashed/. Download the vulnerable virtual machine Metasploitable 2 from here: http://downloads.metasploit.com/data/metasploitable/metasploitable-linux-2.0.0.zip and work on attacking it with Metasploit.
For learning about webapp security the go-to standard is DVWA (Damn Vulnerable Web App). Set that up and go through some of the exercises. A good list of some more vulnerable VMs can be found on this SANS poster: http://counterhack.net/Poster_PenTest_2015.pdf
Lastly, I highly recommend finding some Capture the Flag contests to participate in as well. Those will challenge what you know and force you to learn new things. Google has one that is over now but the challenges are still up: https://capturetheflag.withgoogle.com. Most “Security BSides” events have them, and I really like NYU Poly’s CSAW CTF but there are many others. Also, SANS keeps up their Holiday Hack Challenges every year so you can go do the previous year’s challenges now. They are epic and a lot of fun. –Beau Bullock
Learn how things work, and how to fix them. By “things,” I mean physical items. Replace the kitchen faucet. Swap out an old light fixture. Take the lawnmower apart and put it back together.
Develop a hobby or interest that doesn’t involve computers. Play music. On an instrument that involves no digital circuitry. Join a recreational sport. Take a cooking class. Build a bookshelf. Find *something* you enjoy *doing* that uses a different part of your brain than computering. Look for something you can’t do sitting in a chair at a desk! Develop a skill you can feel good about for your own reasons. –Brian BB King
Get hands-on experience. Pick up a job at a help desk or computer sales place, or do some moonlighting as a per-job gig as you have time, to get a broad overview of people’s needs as well as what this industry can cover. This also helps build social interaction skills as well as hands-on experience. Even if your job desires lie more in programming or security, a good base of fundamentals like this is always helpful. – Derrick Rauch
Go to cons and talk to people. Go to your local meetups and talk to people. Listen to podcasts. Read blogs. Get on Twitter and follow the people who are doing what you want to do. Play with the stuff you’re interested in at home. – Craig Vincent
Contribute to open source projects, come up with and solve challenges with code, build and administer tons of different systems. Hackers break and make things, pentesters do too. Before you can do either you need to understand how the system/application works. Make a WordPress blog, use Drupal, find an old Cisco switch and play around with it. To quote Jurassic Park “It’s a Unix System. I know this!”. The more things you can say that about the better prepared you will be. If you can demonstrate this to an employer you will never have trouble finding a job. – Matt Toussain
Go learn a coding language if you haven’t already (I recommend Python). Install and run Wireshark on your personal computer and just look at the different connections being made. Install something like Wappalyzer in your browser to see what services are being run on different websites, if only to familiarize yourself with the terminology. –Kelsey Bellew
Try as many things as you can to find out what you enjoy. But the main thing is to contribute to something in a meaningful way. Don’t just read nonstop and never participate. Here are some examples: coding hackathons, coding competitions, capture the flag competitions, open source development, Google Summer of Code, bug bounties, CCDC, internships. Ranking in competitions or making meaningful coding contributions are great things to have on a resume as they show hands-on experience and that you are good at what you do. – Ethan Robish
Learn to code, even simple stuff – check out Codecademy. They are awesome. Your family probably needs your help. Learn about better passwords, password managers, 2-factor. CAUTION – opinions ahead: Learn about online privacy, read about the Electronic Frontier Foundation. Your privacy matters and protecting it also matters. Buy a book about a technical subject and instead of playing video games or scrolling — read it for 30 minutes a day. Find an old computer and learn how to install Linux on it (Linux Mint or Ubuntu are awesome). Review your personal digital life, and make your passwords longer; your wifi key could probably use an update. Turn on two-factor everywhere you can. Help your family do the same. –Jordan Drysdale