Ten steps to getting into security
Scott,

I read the "Scott's 10 Steps for Becoming a CCIE" article (Sept. 14, 2004), but what about getting into security? I want to get into security, but I don't know where to start. Do you have a list of 10 ways to accomplish the five more marketable security certifications in IT?

-- Alex

Alex,

Getting into security is a rewarding experience, but like other IT fields, it requires a lot of work!

First, I'm not sure which you consider the "five more marketable" of the various security certifications out there. I suppose that would all depend on which specific area of security you want to do work in. Here are a couple certifications to consider:

- CISSP/SSCP -- From ISC2, http://www.isc2.org
- SCNA/SCNP -- From Security Certified Program, http://www.securitycertified.net
- CISA/CISM -- From ISACA, http://www.isaca.org
- GIAC/GSEC Series -- From SANS, http://www.sans.org
- Security+ -- From CompTIA, http://www.comptia.org
- CCSA/CCSE -- From CheckPoint, http://www.checkpoint.com
- CCSP/CCIE Security -- From Cisco Systems, http://www.cisco.com/go/certification
- JNCIA-FWV/JNCIS-FWV -- From Juniper Networks (formerly NetScreen's NCSA/NCSP certifications), http://www.juniper.net/training/certification/netscreen

There are others, but the certs above are the primary ones that I can think of. The marketability of any of them certainly depends on your location and surrounding market environment.

Similar to what we, at my company, tell our clients regarding Internet security, it really isn't a matter of "if" you will be attacked but rather a matter of "when." As a security professional, you need to be thinking in this way, but you also need to balance it with a healthy dose of business sense. Being completely paranoid does make for good security, but it also leads to some decisions that make no sense, business-wise, or do not offer sufficient economic incentive. Therefore, consulting in security is concerned with costs as much as performance.

The things I recommend to keep in mind when approaching security certifications are similar to steps in previous guides I've provided in my regular column. Here's how to become a security consultant in 10 simple steps:

1. Give up your social life -- really. If you had one before, you will soon not have one, unless all of your friends like to talk about really esoteric topics and argue about the best way to protect against Internet attacks. But if you have friends like these, ask yourself serious questions about the quality of your social life.

2. Read, read, read, read and read some more! There are plenty of security books and magazines out there, but if you're relying on these as your sole sources of security information, then you're already behind the times. Don't get me wrong -- it's not that magazines are bad, but you need to stay more up-to-date than that!

Read things other than security magazines. Become familiar with your market and the businesses in your market. Get a sense of how they think and why. The better you can relate network security to any particular business and demonstrate your business sense (rather than technical paranoia), the more accepted you will be.

3. Learn about the bad people that keep security professionals busy. Don't idolize them, but try to think like they do. Attacks that can be anticipated are easier to defend against. You need to know the latest attacks as well as the latest strategies against them.

4. Set up your own network at home, preferably over a broadband connection from a popular provider. Do not place a firewall at the outer edge of your network. Try to defend against various attacks with your computer alone. Don't keep anything critical on this machine, as it may frequently need to be trashed and recreated. Despite the agony, you will learn a lot from these exercises.

5. Invest in equipment. Since money may be an issue, however, what to get and where to get it is a different story. Check out eBay and used equipment resellers. Depending on which of the certifications you go after, equipment may or may not be necessary, but at some point, you'll need hands-on experience playing with actual equipment to see how things work. No matter how meticulous you are or how well you know your books inside-out, implementing any security product for the first time in real life when a client is watching you, or in response to a security breach, is a really bad idea.

6. Realize that any of the certifications listed above are merely starting points. Each of them is different in focus and detail. Some are technical and some are managerial. Some are vendor-specific and others are broad in scope. Each of them may highlight different areas of your experience or specialties, so one is not necessarily better than the other.

I know people with only the Security+ certification, which keeps them plenty busy at work. On the other hand, I know others with a CISSP as well as some of the more technical certifications who are doing a less-than-stellar job, in my opinion. It largely comes down to your market and how well you can convey your understanding of security to your customer base.

7. Learn to be anal-retentive. Perhaps dating a librarian would help here. Whatever method you use (and believe me, being meticulous in security design and concepts does not have to translate into how you live or organize your personal life), the more structured your approach to security is, the better. The best security design is one of "no more, no less," which gives users the abilities they need to do their jobs without granting them too much access. The more separated things are in your network, the easier it will be to quarantine any bad elements that may invade your system. But don't forget that the best security arrangement is transparent to your users.

8. Depending on which certifications you are working on, purchase as much varied equipment as you can. Performing firewall designs and integration exercises requires a completely different mindset from deploying VPN integrations. Both of these are completely different thinking processes from intrusion detection or prevention implementations.

Remember that home network I told you about? Install an IDS/IPS device or software facing your broadband connection. Watch all the entertaining things people will try to do to you, and to think you aren't even a "popular" target! But research the attacks that come in and be familiar with them. Just when you think you know enough, go back and look again! Things change! Conceptually, there aren't a lot of truly new attacks out there, but every once in a while, something will strike you as being original or creative, at which point, you should take notes. But be careful that you don't emulate these attackers!

9. Keep a journal. You may need three or four of these. Note your progress: your good points and your bad points. Keep separate notes organized on different technologies. Add to them as you learn something new. There are many evolving technologies, and many different areas of theory and technical configuration. The more repetition in writing, analyzing, rewriting, compiling and configuring you do, the better the information will stick in your long-term memory.

10. Attend a class, if possible. After you have been doing this all on your own for a while and are cruising through things, try to attend a class. There are many offered throughout the world with some better than others. Make sure to take the time to evaluate the class and its instructor. There is a huge variance in the quality of instructors out there, and the knowledge learned or not learned is often due to factors like this.

The more technical the certification you pursue, the more important taking a class is. There are different classes for the myriad of different certifications out there. A training course, however, should not be the first time you are subjected to a particular set of technologies or concepts. The first time you learn something, you won't know enough to ask questions or assimilate the information yet. After you've been working with a concept for a while, you'll have developed a basic grasp to be able to handle more advanced information. Of course, the quality of instructor you learn under will determine the quality of additional information you will add to your knowledge.

Becoming a security professional is a stimulating experience, and like with many things, the more you know, the more you realize you don't know. Security is a never-ending learning experience. As long as you realize that no matter how bright you are, there is always someone out there who is smarter than you, you'll do just fine.

Enjoy the educational journey and try not to lose yourself too much in the fray. Decide what aspect of security you want to accomplish first, and then narrow your choices from there!

-- Scott

Scott Morris, quadruple CCIE and Uber-Geek, can often be seen traveling around the world consulting and delivering CCIE training. For more information on him, check out http://www.uber-geek.net, or for CCIE training check out http://www.ipexpert.com.
