Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
Businesses Books Media Security Book Reviews

Infosec Career Hacking 85

Posted by timothy from the jose-does-it dept.
nazarijo writes "Plenty of people are curious as to how to become an information security professional. It's a profession that has a bit of an establishment atmosphere to it where entry to various levels is granted in secret. And it's often hard to understand where to start. Infosec Career Hacking attempts to demystify this process and show you not only generic strategies for employment, but ones specific to the information security field." Read on for the rest of Nazario's review.
Infosec Career Hacking: Sell Your Skillz, Not Your Soul
author Aaron W. Bayles, Chris Hurley, Johnny Long, Ed Brindley, James C. Foster, Christopher W. Klaus
pages 448
publisher Syngress
rating 7/10
reviewer Jose Nazario
ISBN 1597490113
summary Career guide specifically tuned to the information security professional


The first part of the book is especially useful, and I think provides most of the value that's not available elsewhere. Things that are covered may seem like basics that people should have just picked up, but it's hard to know what you're supposed to know when you change environments, let alone see it all together in one place. I find this section to be especially useful and reasonably well written.

Chapter 1 opens up with a basic orientation of the infosec landscape, including the types of companies and organizations you may want to look at working with, the types of work and positions you see typically, and what kinds of skills you'll need to consider get the interview, let alone the job. Chapter 2 is much like a hacking book in that you're encouraged to perform some scout work on your potential places of employment. Good advice, and it's nice to see it demonstrated. Chapter 3 talks about getting experience and getting your feet wet in the infosec world. Things like conferences, local groups and meetings, and even security clearances are covered. A nice overview, but a it shallow in places, too. Chapter 4 focuses on the resume and the interview, the kinds of things that normally jump to mind when you think about career hacking. A decent overview, and good things to learn.

Part 2 focuses on technical parts. These chapters, I felt, were a bit thin on value and attempted to provide too much coverage but without the depth. What I felt this part of the book was trying to do was to be a quick overview of what you should know if you want a career in information security without any of the work it takes. Because this is such a broad amount of material, and the book only spends about 180 pages on it, the coverage isn't deep. Instead, the cursory coverage is a detriment to the book's value.

Chapter 5 is where I found the most material to complain about. This chapter is titled, 'The Laws of Security', and can be used for your benefit or your downfall. In the right hands, where the nuances that come from actually encountering these challenges in the wild and discovering the reasoning behind them, you can display wisdom. In the wrong hands, where you can't successfully defend a challenge to these axioms, at best you'll appear to be someone who parrots security luminaries, and at worst you'll look like an uninformed buffoon. If you decide to accept conclusions without understanding the reasoning behind them, you're asking for it.

Chapter 6 talks about building a home lab of machines for attack. I felt this chapter devoted too much time to drooling over gear and not enough time discussing more equipment and more valuable gear. Large classes of lab resources, including enterprise applications, networking gear, and even commercial security software was left out. The disclosure debate was reasonably well handled in chapter 7, discussing the various ways that people have established this process. What's missing here is how to actually find where to send the report to and how to ensure it's been acted upon. And finally, a nice, succinct and reasonably comprehensive (if a little too short at times) classification of vulnerabilities and attacks fills chapter 8.

Part 3, 'On the Job', is for when you finally have the position and now you want to keep your job, advance your career, and improve your skills. Unfortunately, this section feels a bit undeveloped in too many places. There's a lot to cover, but the chapters here lack any significant depth to them, and it doesn't feel like they really deliver as strongly as they could.

This section opens with an approach to your career much like an intruder would take to advancing their compromise. Chapter 9 covers how to perform scouting of your new environment, how to get through meetings without messing up, landing your own projects and succeeding with basic project management. Thinking about striking out on your own? That's natural, and the next few chapters will help with that. Chapter 10 is a short list of ideas on how you can use your new knowledge and skills to benefit others, which can help you build a name for yourself and maybe even clients. Chapter 11 looks like it's trying to encourage you to become a local leader of information security knowledge, using that information specifically for incident response. In a crisis, everyone loves a hero, so why can't that be you? And finally, the book closes with a chapter on how to start looking at being an independent consultant. It's been said that you'll never succeed working for someone else, so why not work for yourself? This chapter introduces you to some of the possibilities here, along with some of the considerations. Overall, these chapters have some clear value to them, but because they try and cover so much, they feel underdeveloped and fail to really deliver a strong benefit to the reader.

One of my big concerns when I began reading this book was that it would encourage you to simply become another script kiddy type consultant, capable of downloading a few tools and use old hat techniques to deliver sub-par results. That's a crowded marketplace already, so I didn't want to see anyone encourage that. Instead, it tries to impart valuable career skills. My big complaint is that it tries to do so much that it can't possibly succeed in all of them. It does a decent job, but in some places it definitely lacks the solid landing to make it stick. Overall, though, this uncommon book is a nice twist on the old career guides, tuned for the information security market.

You can purchase Infosec Career Hacking: Sell Your Skillz, Not Your Soul from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

Infosec Career Hacking More

Infosec Career Hacking

Comments Filter:

  • Hacking? (Score:4, Funny)

    by pete6677 ( 681676 ) on Monday August 08, 2005 @03:33PM (#13272434)
    Why must every advice book for geeks have the work "Hacking" in the title? Instead of calling it a career advice book like they would for any other profession, it's "career hacking". Wasn't there some topic on Slashdot about "car hacking"? Maybe somebody can publish a cookbook with foods that appeal to geeks and call it "Food hacking". Maybe I should go register that trademark right now...

  • security as a field is dying (Score:2, Funny)

    by Anonymous Coward
    Microsoft is making more secure software so security profesionals will no longer be in such great demand

  • Straight up career advice for this field (Score:3, Interesting)

    by BillsPetMonkey ( 654200 ) on Monday August 08, 2005 @03:34PM (#13272443)
    1. Learn about computers at an ivy-league but technically questionable university.
    2. Ask your well-connected buddy from said university if you can join him working at the NSA.
    3. Get a job in security because you're just "the right kinda guy".
    • Four year Information Security Career Plan outlined (for free!)

      1. Join the military.
      2. Be an ISSO for like 2 years
      3. Leave military after 4 years
      4. Write on your resume that you are an InfoSec expert.
      5. Get hired on by defense contractor company X.

      Its that simple.
      • Interestingly, the parent is correct in that this is a path that a lot of people are taking, and an added bonus is that you end up with a current (and valuble) security clearence. KJust keep in mind that it's safest to join the Air Force, us "pretty boys" tend to stay out of the line of fire. You do have to be willing to "whore" yourself a bit and keep your mouth shut about politics. Oh, and drink like a sailor but stay away from smoke...
      • 3. Leave military after 4 years

        What about the part where this does not happen because the 'stop loss' order prevents you from leaving the service until after the Vietnam^d^d^d^d^d^d^dIraq war is over?

        • Currently, there is not stop-loss in effect for those career fields, but the re-enlistment bonus is HUGE.

  • "Career Hacking?!? (Score:5, Insightful)

    by Otter ( 3800 ) on Monday August 08, 2005 @03:36PM (#13272468) Journal
    "Sell Your Skillz, Not Your Soul"?!?

    Not that they're having me interview the information security personnel anyway*, but not in a million years would I ever hire someone who talked that way...

    * To their detriment -- at least I'd find someone who knows there's more to security than making users change longer and longer passwords more and more often.

    • That's not the theme, that's marketing. They're trying to sell the book to that demographic.

      I would imagine the book doesn't speak that language, nor encourage readers to do so.
    • >>> at least I'd find someone who knows there's more to security than making users change longer and longer passwords more and more often.

      Don't forget blocking portZ! The truely 3l33t InFoSeC H3ck3r blocks all the portZ he can with his F13ew311! Cool!!
  • just show 'em how you set up a 'leet ftp site with 0-day warez on Paris Hiltons sidekick. That'll get you the job no problem.

    And once you're in you'll be able to afford your very own sidekick!

    awesome!
  • ..."don't bother." A lot shorter and more concise than the 6kB mini-review Timothy gave it. I suppose it makes him look like he reads bad books too, and isn't just writing advertisement copy.

  • Career hacking (Score:3, Insightful)

    by dogpuppy5 ( 906007 ) on Monday August 08, 2005 @03:41PM (#13272521)
    Hacking your career? Some managers might get upset with this. :-)

    My biggest problem with this type of title is that it assumes your career is something that can be ordered online, like a book. The best security folks I've found have a passion for the topic. They're obsessed with finding vulnerabilities and closing them. I think your money might be better spent on some of the exciting books in the area like Applied Cryptography .
    • "They're obsessed with finding vulnerabilities and closing them"

      I know a few that work for big brother.. finding them yes, but some of the realy nifty ones.. they arn't so "obsessed" with closing. atleat not for everyone else.. personaly i love the "so you have a NAT that don't mean crap custom TCP stack"

      after seeing that in action i double nat

    • Re:Career hacking (Score:5, Informative)

      by WilliamsA ( 865700 ) on Monday August 08, 2005 @03:53PM (#13272644)
      The goal of the book is not to tell people that they can order their careers online. The book teaches readers how to apply their "hacking" skills (like finding vulnerabilities, creative problem solving, etc.) to finding the best job for themselves and turning that job into a rewarding career. Agreed that Applied Cryptograhy is a great book. However, there are many people who really know their stuff technically, but aren't entirely sure of the career options available to them. Full disclosure, I'm the Publisher of the book.

      Andrew Williams

    • If you have the right mindset for security work, you'll be delighted by Ross Anderson's "Security Engineering". Once you realize that security isn't a technical issue, slog through Levenson's "Safeware" and draw your own generalizations from the book's case studies.
    • True but how does one develope passion for such things unless he was done wrong somehow by a hacker what other kind of passion can one have just curious if maybe you have one?

  • BS and more BS (Score:4, Insightful)

    by pegr ( 46683 ) on Monday August 08, 2005 @03:43PM (#13272550) Homepage Journal
    InfoSec careers are often unglamorous. Writing, policies, making integration recommendations, attending spec meetings, reviewing logs, etc... No, your typical InfoSec career isn't being a White-hat security reseacher.
     
    Often, with less-than-enlightened organizations (most of them), a good bit of your activity is justifying your own existence, as InfoSec is a cost-center and doesn't bring anything to the bottom line, unless you get hacked of course. In which case, you're there to take the blame (for management not following your advice).
     
    Am I bitter? Of course! But I still love my job...

    • While I nodded my head in agreement to your post, I figure that you forgot to add some key bits:

      Writing, policies that are rejected, making integration recommendations that are rejected, attending spec meetings and having your suggestions ignored, reviewing logs that no one else cares about, etc...

      Not only are most InfoSec careers unglamorous, they can also have the tendency to grind your pride, passion, determination, and enthusiasm for life in general into dust.

      Bitter? Definately. On the other ha

    • Don't forget "defending your network against arbitrary changes due to 'needed' applications"; not to mention constantly dealing with every possible network problem, or rather striving to prove that it's not your problem, since everyone believes the firewall must be to blame. For some reason, people see storage and backups in a much more reasonable light. For some reason, having those tangible drives (that the managers never see anyway) is more justifiable on a budget than these "security practices", even

  • People who spell skills with a "Z"... (Score:1, Funny)

    by Anonymous Coward
    ...have already lost their souls. Repent, sinnerz!

  • Where have all the old school hackers gone? (Score:5, Insightful)

    by selil ( 774924 ) on Monday August 08, 2005 @03:49PM (#13272601)
    As a former hiring manager at a major corporation I look at this from a different point of view. Are people telling the talent how to get my attention? From the review, the title, and the way information is being imparted (apparent from the review) I would say not. If you want the big job with the big pay check get a real education along with the skillz. If you want to be a trusted partner in the security of a company you had better be able to communicate and do TCP/IP math. Maturity, professionalism, and education are more important the being some leet hacker wannabe. The corporate network is not the place to learn nor is it the playground for the disgruntled. Where have all the old school hackers gone? Where are the people who could actually write code, and configure networks too?
    • Many of the requirements you mention (traditional education, management/people skills, professionalism, TCP/IP, etc) are discussed in the book. In fact, all of these things were HUGE factors for us in publishing the book, becuase many people these days trying to build InfoSec careers have not yet developed these skills. So, the whole point of the book is to educate the reader about areas where they have the least amount of experience/expertise. Yes, the title, packaging, etc. of the book scream "l33t" to ge
    • You know, I wish most hiring managers were like you say you are. First off, You have to ask yourself why books like this make so much money... it's because frankly, at least in my experience, education and experience means diddly.

      I don't want to toot anysort of horn, but there are plenty of jobs out there (IT and otherwise) that don't go to the most qualified, but oftentimes to the person who 'knows someone' or can otherwise BS theirselves into a position. I myself have plenty of education, certifications,

      • Honestly, the best book I read that has helped me do very well in interviews is This. [amazon.com]

        I've found that asking good questions is a very good way to really leave an impressive impression with an interviewer.

        It sounds a whole lot better than this:
        Interviewer: Do you have any questions for me?
        Me: No. You've answered just about everything I could think of.

        It makes you sound uninterested in the job/company/people/etc... that you don't really stand a good chance of getting a job. That's why it took me 7

      • But anyway, yes, yes and yes!

        I'm definitely seeing where in corporate I.T., it's almost *entirely* about who you know, plus "to the biggest B.S.er go the spoils".

        Where does "formal education" come into play? It's pretty much a "key" that turns the "lock" of the H.R. department. They typically don't understand a thing about what the company is really looking for in a technical position like an I.T. opening. So they serve as "gatekeeper", screening for what basics they know how to screen for. If the hirin
    • Short answer:
      Anyone who can write code is doing so and making a lot more than they could configuring networks.

      Longer answer:
      I have been concidering changing my career to infosec. I've been a software engineer for 9 years at a defense constractor (I have been a deputy security officer before in one of our labs), and I have a Master's in CS. My concern going to infosec is that it will be concidered a step down that I may have a hard time getting out of if the respect that the company has for its infose
    • Whoops, read the title wrong. Thought you meant hackers of schools, which is me. (Yes; I'm working on hacking my school.)

  • Public Service Announcement (Score:4, Funny)

    by Tackhead ( 54550 ) on Monday August 08, 2005 @03:55PM (#13272656)
    From an old USENET .sig quote:

    "NSA is now funding research not only in cryptography, but in all areas of advanced mathematics. If you'd like a circular describing these new research opportunities, just pick up your phone, call your mother, and ask for one."

    Remember kids -- if there's a brand-new black SUV out in front of your home within 15 minutes of replying to a post on Slashdot, you may not have hacked your way into a career in the infosec industry, but at the very least, you've earned yourself a very exciting job interview!

  • My advice for people wanting to get into information security is to tune up your mathematics skills. In everything from cryptology (design to implementation) through to secure system programming and even information theory, having a solid grasp of modern mathematics (axiomatic set theory and modern algebra) can make a huge difference.

    Perhaps they mean something different by "Infosec" (the fact that the book has the word "skillz" in the title is perhaps a hint), but from my experience a solid background in a
    • I don't know of a cryptographic application of axiomatic set theory, can you point one out?

      Finite fields, elliptic curves, algebraic number theory, linear algebra I'm used to, but not axiomatic set theory.
      • There is more to InfoSec than cryptography. Crytography may not involve axiomatic set theory. Secure systems programming does. Formal verification of security protocols is often conducted using either theorem-provers rooted in higher-order logic, or using model-checkers that make use of process algebras or temporal logics. A good understanding of things like modern abstract algebra and modern set theory, while not crucial to using these tools, can help immeasurably. I've only dabbled in the area of formal p

  • 1. Don't get in trouble with the law (other than traffic/minor juvenile offenses)
    2. Don't screw up your credit (i.e. bankruptcy)
    3. Don't use drugs (rather, don't admit to or get caught using drugs)
    4. Keep your alternative lifestyle choices in the closet

    Or, barrring any or all of the above:

    Enlist in the U.S. Air Force, lie to your recruiter, pass the Defense Language Apptitude Battery [about.com], and become a RC-135 Rivet Joint [wikipedia.org] crewmember - arabic speakers preferred

    • 1. Don't get in trouble with the law (other than traffic/minor juvenile offenses)
      2. Don't screw up your credit (i.e. bankruptcy)
      3. Don't use drugs (rather, don't admit to or get caught using drugs)
      4. Keep your alternative lifestyle choices in the closet


      Contrary to popular belief, the US government doesn't care what you have done with your life as long as you are honest and put all of your cards out on the table first. Obtaining a security clearance is more a test of character than anything else. The
  • Another book from Johny Long. Does he ever rest?
  • My perspective in writing this comment is a bit biased since I know the authors of the book. That being said, I have a career where my primary responsibilities fall under the umbrella of infosec so it shouldn't be discounted.

    First off, if you can't get beyond the title of a book, then perhaps you fall directly into the elistest category. I know for a fact that the skillz portion of the title was infact the publishers (syngress) decision and not the authors.

    Secondly I wish slashdot commenters would actually
    • join the military. Tht gives me horror chills. Ever see the number of people killed by bad admin during any given war? --- squid is gonna kill me for that comment, too.
      I worked security for years. It was mostly politions giving out contracts to other politions (give yourself a 'we're world-class kluders' button here. It's typical of the breed. --- they ignored advice, (24 hours notice some damn fool had ticked the wrong kid off and they were gonna get burnt for it. And they did, badly.) stole credit, passe
      • If you had any sense of grammar then I would be able to respond to your comments; but the fact that it's so atrocious to the point that I don't even understand your entire meaning, I simply can not.
  • If you need a book with "Skillz" in the title to get a career in security, then--for the love of all things sacred--I hope you fail miserably.

  • Infosec is not as romantic... (Score:1, Informative)

    by Anonymous Coward
    as it seems. I've been in infosec practitioner for a few years now (coming from unix administration), and it's work like anything else. Granted, infosec is considered the "sexy" IT job, but in reality, it's not.
    I work for a company that does nothing but security, and I can tell you that while infosec is cool in theory, it's just another job.
    Getting a clearance in this gig allows one to have even more choices within the infosec arena, but then you are almost always dealing with federal stuff (even more borin
  • does one really need a book? check out the following three places...

    www.securitydocs.com
    www.sans.com/rr
    www.oreilly.com (resource centers)
    • Security Operation Centers in MSSP's often hire young new grads as junior roles. 2-3 yrs in there and you come out knowing more than 10yrs in the customer sector. Its a very good short cut to being the all knowing Sec Geek you've always dreamed of. Helps if you have an unquenchable thrist for knowledge and arent scared of some hard work.
  • The new term for Infosec is "Information Assurance and Security". You want to find a university that offers an IAS program and attend it. The NSA has an IAS certification program if you look arround their website you can find NSA accredited IAS programs. Most notablly are programs offered by Perdue University at thier Center for Education and Research in Information Assurance and Security (CERIAS).

    UMFK is also a good choice for Information Assurance and Security if you can't afford Perdue's tuition rates

Slashdot Top Deals

The optimum committee has no members. -- Norman Augustine

Close