ten steps to getting into security


I read the “Scott’s 10 Steps for Becoming a CCIE” article (Sept. 14,
2004), but what about getting into security? I want to get into security,
but I don’t know where to start. Do you have a list of 10 ways to
accomplish the five more marketable security certifications in IT?

— Alex


Getting into security is a rewarding experience, but like other IT fields,
it requires a lot of work!

First, I’m not sure which you consider the “five more marketable” of the
various security certifications out there. I suppose that would all depend
on which specific area of security you want to do work in. Here are a
couple certifications to consider:

– CISSP/SSCP — From ISC2, http://www.isc2.org
– SCNA/SCNP — From Security Certified Program,
– CISA/CISM — From ISACA, http://www.isaca.org
– GIAC/GSEC Series — From SANS, http://www.sans.org
– Security+ — From CompTIA, http://www.comptia.org
– CCSA/CCSA — From CheckPoint, http://www.checkpoint.com
– CCSP/CCIE Security — From Cisco Systems,
– JNCIA-FWV/JNCIS-FWV — From Juniper networks (formerly NetScreen’s
NCSA/NCSP certifications),

There are others, but the certs above are the primary ones that I can
think of. The marketability of any of them certainly depends on your
location and surrounding market environment.

Similar to what we, at my company, tell our clients regarding Internet
security, it really isn’t a matter of “if” you will be attacked but rather
a matter of “when.” As a security professional, you need to be thinking
in this way, but you also need to balance it with a healthy dose of
business sense. Being completely paranoid does make for good security, but
it also leads to some decisions that make no sense, business-wise, or do
not offer sufficient economic incentive. Therefore, consulting in security
is concerned with costs as much as performance.

The things I recommend to keep in mind when approaching security
certifications are similar to steps in previous guides I’ve provided in my
regular column. Here’s how to become a security consultant in 10 simple

1. Give up your social life — really. If you had one before, you will
soon not have one, unless all of your friends like to talk about really
esoteric topics and argue on the best way to protect against Internet
attacks. But if you have friends like these, ask yourself serious
questions about the quality of your social life.

2. Read, read, read, read and read some more! There are plenty of
security books and magazines out there, but if you’re relying on these
for your sole sources of security information, then you’re already
behind the times. Don’t get me wrong — not that magazines are bad, but
you need to stay more up-to-date than that!

Read things other than security magazines. Become familiar with your
market and the businesses in your market. Get a sense of how they think
and why. The better you can relate network security to any particular
business and demonstrate your business sense (rather than technical
paranoia), the more accepted you will be.

3. Learn about the bad people that keep security professionals busy.
Don’t idolize them, but try to think like they do. Attacks that can be
anticipated are easier to defend against. You need to know the latest
attacks as well as the latest strategies against them.

4. Set up your own network at home, preferably over a broadband
connection from a popular provider. Do not a place a firewall at the
outer edge of your network. Try to defend against various attacks with
your computer alone. Don’t keep anything critical on this machine, as it
may frequently need to be trashed and recreated. Despite the agony, you
will learn a lot from these exercises.

5. Invest in equipment. Since money may be an issue, however, what to
get and where to get it is a different story. Check out eBay and used
equipment resellers. Depending on which of the certifications you go
after, equipment may or may not be necessary, but at some point, you’ll
need hands-on experience playing with actual equipment to see how things
work. No matter how meticulous you are and know your books inside-out,
implementing any security product for the first time in real life when a
client is watching you, or in response to a security breach, is a really
bad idea.

6. Realize that any of the certifications listed above are merely
starting points. Each of them is different in focus and detail. Some are
technical and some are managerial. Some are vendor-specific and others
are broad in scope. Each of them may highlight different areas of your
experience or specialties, so one is not necessarily better than the

I know people with only the Security+ certification, which keeps them
plenty busy at work. On the other hand, I know others with a CISSP as
well as some of the more technical certifications who are doing a
less-than-stellar job, in my opinion. It largely comes down to your
market and how well you can convey your understanding of security to
your customer base.

7. Learn to be anal-retentive. Perhaps dating a librarian would help
here. Whatever method you use (and believe me, being meticulous in
security design and concepts does not have to translate into how you
live or organize your personal life), the more structured your approach
to security is, the better. The best security design is one of “no more,
no less,” which gives users the abilities they need to do their jobs
without granting them too much access. The more separated things are in
your network, the easier it will be to quarantine any bad elements that
may invade your system. But don’t forget that the best security
arrangement is transparent to your users.

8. Depending on which certifications you are working on, purchase as much
varied equipment as you can. Performing firewall designs and integration
exercises requires a completely different mindset from deploying VPN
integrations. Both of these are completely different thinking processes
from intrusion detection or prevention implementations.

Remember that home network I told you about? Install an IDS/IPS device or
software facing your broadband connection. Watch all the entertaining
things people will try to do to you, and to think you aren’t even a
“popular” target! But research the attacks that come in and be familiar
with them. Just when you think you know enough, go back and look again!
Things change! Conceptually, there aren’t a lot of truly new attacks out
there, but every once in a while, something will strike you as being
original or creative, at which point, you should take notes. But be
careful that you don’t emulate these attackers!

9. Keep a journal. You may need three or four of these. Note your
progress: your good points and your bad points. Keep separate notes
organized on different technologies. Add to them as you learn something
new. There are many evolving technologies, and many different areas of
theory and technical configuration. The more repetition in writing,
analyzing, rewriting, compiling and configuring you do, the better the
information will stick in your long-term memory.

10. Attend a class, if possible. After you have been doing this all on
your own for a while and are cruising through things, try to attend a
class. There are many offered throughout the world with some better than
others. Make sure to take the time to evaluate the class and its
instructor. There is a huge variance in the quality of instructors out
there, and the knowledge learned or not learned is often due to factors
like this.

The more technical the certification you pursue, the more important
taking a class is. There are different classes for the myriad of
different certifications out there. A training course, however, should
not be the first time you are subjected to a particular set of
technologies or concepts. The first time you learn something, you won’t
know enough to ask questions or assimilate the information yet. After
you’ve been working with a concept for a while, you’ll have developed a
basic grasp to be able to handle more advanced information. Of course,
the quality of instructor you learn under will determine the quality of
additional information you will add to your knowledge.

Becoming a security professional is a stimulating experience, and like
with many things, the more you know, the more you realize you don’t know.
Security is a never-ending learning experience. As long as you realize
that no matter how bright you are, there is always someone out there who
is smarter than you, you’ll do just fine.

Enjoy the educational journey and try not to lose yourself too much in
the fray. Decide what aspect of security you want to accomplish first,
and then narrow your choices from there!

— Scott

Scott Morris, quadruple CCIE and Uber-Geek can often be seen
traveling around the world consulting and delivering CCIE
training. For more information on him check out
http://www.uber-geek.net or for CCIE training
check out http://www.ipexpert.com.