Matthew Hackling over at Infamous Agenda has posted a list of things to know for working in infosec. I really like this list, kinda like previous lists* I’ve pointed to or referenced. I can see a few items on here I certainly could work on!
I’m totally yoinking this list because his site doesn’t look built around getting hits (no ads, good man!), and I’d love to keep this list even if the site someday dies. To every entry he says to configure or install an app, I would also suggest living with it for more than a few days or weeks. Consider that extra credit!
1. TCP/IP basics like OSI model, routing, protocols, ports, NAT
2. Construct a checkpoint firewall rule base
3. Construct a PIX firewall rule set
4. Configure a cisco router to CIS benchmark
5. Configure VLANs and port mirroring on a cisco switch
6. Deploy Microsoft security templates to a group policy object
7. Configure a WSUS server and run MBSA to check it is working
8. Use Solaris Security Toolkit
9. Administer a linux box, enable/disable services, use package managers etc.
10. Install oracle and mysql
11. Be able to construct an SQL query or two
12. Configure a web server or two (say apache and IIS)
13. Configure an application server or three (say tomcat, websphere application server, maybe BEA weblogic)
14. Be able to use a web proxy (burp, webscarab) and a fuzzer
15. Know how the following security controls of authentication, session management, input validation and authorisation are implemented securely for a number of application development frameworks
16. Configure an IDS or three (Snort, IBM solution set)
17. Know the ten domains in ISO27002 and their content
18. Be able to identify control gaps from ISO27002 in your operations
19. Be able to build a security plan to address control gaps (planned end state, costs and benefits, dates, actions and responsibilities)
* sadly, while I can visualize the page I have in mind, I have no idea where my link to it is.