Infosec Career Hacking
nazarijo writes "Plenty of people are curious as to how to become an information security professional. It's a profession that has a bit of an establishment atmosphere to it where entry to various levels is granted in secret. And it's often hard to understand where to start. Infosec Career Hacking attempts to demystify this process and show you not only generic strategies for employment, but ones specific to the information security field." Read on for the rest of Nazario's review.
Infosec Career Hacking: Sell Your Skillz, Not Your Soul
author | Aaron W. Bayles, Chris Hurley, Johnny Long, Ed Brindley, James C. Foster, Christopher W. Klaus
pages | 448
publisher | Syngress
rating | 7/10
reviewer | Jose Nazario
ISBN | 1597490113
summary | Career guide specifically tuned to the information security professional
The first part of the book is especially useful, and I think provides most of the value that's not available elsewhere. Things that are covered may seem like basics that people should have just picked up, but it's hard to know what you're supposed to know when you change environments, let alone see it all together in one place. I find this section to be especially useful and reasonably well written.
Chapter 1 opens up with a basic orientation of the infosec landscape, including the types of companies and organizations you may want to look at working with, the types of work and positions you typically see, and what kinds of skills you'll need to consider to get the interview, let alone the job. Chapter 2 is much like a hacking book in that you're encouraged to perform some scout work on your potential places of employment. Good advice, and it's nice to see it demonstrated. Chapter 3 talks about getting experience and getting your feet wet in the infosec world. Things like conferences, local groups and meetings, and even security clearances are covered. A nice overview, but a bit shallow in places, too. Chapter 4 focuses on the resume and the interview, the kinds of things that normally jump to mind when you think about career hacking. A decent overview, and good things to learn.
Part 2 focuses on technical parts. These chapters, I felt, were a bit thin on value and attempted to provide too much coverage but without the depth. What I felt this part of the book was trying to do was to be a quick overview of what you should know if you want a career in information security without any of the work it takes. Because this is such a broad amount of material, and the book only spends about 180 pages on it, the coverage isn't deep. Instead, the cursory coverage is a detriment to the book's value.
Chapter 5 is where I found the most material to complain about. This chapter is titled 'The Laws of Security', and it can be used for your benefit or your downfall. In the right hands, backed by the nuance that comes from actually encountering these challenges in the wild and discovering the reasoning behind them, these laws let you display wisdom. In the wrong hands, where you can't successfully defend a challenge to these axioms, at best you'll appear to be someone who parrots security luminaries, and at worst you'll look like an uninformed buffoon. If you decide to accept conclusions without understanding the reasoning behind them, you're asking for it.
Chapter 6 talks about building a home lab of machines for attack. I felt this chapter devoted too much time to drooling over gear and not enough time discussing a wider range of more valuable equipment. Large classes of lab resources, including enterprise applications, networking gear, and even commercial security software, were left out. The disclosure debate was reasonably well handled in chapter 7, discussing the various ways that people have established this process. What's missing here is how to actually find where to send the report to and how to ensure it's been acted upon. And finally, a nice, succinct and reasonably comprehensive (if a little too short at times) classification of vulnerabilities and attacks fills chapter 8.
Part 3, 'On the Job', is for when you finally have the position and now you want to keep your job, advance your career, and improve your skills. Unfortunately, this section feels a bit undeveloped in too many places. There's a lot to cover, but the chapters here lack any significant depth to them, and it doesn't feel like they really deliver as strongly as they could.
This section opens with an approach to your career much like an intruder would take to advancing their compromise. Chapter 9 covers how to perform scouting of your new environment, how to get through meetings without messing up, landing your own projects and succeeding with basic project management. Thinking about striking out on your own? That's natural, and the next few chapters will help with that. Chapter 10 is a short list of ideas on how you can use your new knowledge and skills to benefit others, which can help you build a name for yourself and maybe even clients. Chapter 11 looks like it's trying to encourage you to become a local leader of information security knowledge, using that information specifically for incident response. In a crisis, everyone loves a hero, so why can't that be you? And finally, the book closes with a chapter on how to start looking at being an independent consultant. It's been said that you'll never succeed working for someone else, so why not work for yourself? This chapter introduces you to some of the possibilities here, along with some of the considerations. Overall, these chapters have some clear value to them, but because they try to cover so much, they feel underdeveloped and fail to really deliver a strong benefit to the reader.
One of my big concerns when I began reading this book was that it would encourage you to simply become another script-kiddy type of consultant, capable only of downloading a few tools and using old-hat techniques to deliver sub-par results. That's a crowded marketplace already, so I didn't want to see anyone encourage that. Instead, it tries to impart valuable career skills. My big complaint is that it tries to do so much that it can't possibly succeed at all of it. It does a decent job, but in some places it definitely lacks the solid landing to make it stick. Overall, though, this uncommon book is a nice twist on the old career guides, tuned for the information security market.
You can purchase Infosec Career Hacking: Sell Your Skillz, Not Your Soul from bn.com.
Hacking? (Score:4, Funny)
Re:Hacking? (Score:2)
Re:Hacking? (Score:5, Funny)
If you need help, my mom has some 1337 f00d 5k1llZ.
Re:Hacking? (Score:1)
Re:Hacking? (Score:2)
http://cookingforengineers.com/ [cookingforengineers.com]
and
http://www.livejournal.com/community/2600_cuisine
Re:Hacking? (Score:2)
security as a field is dying (Score:2, Funny)
Re:security as a field is dying (Score:3, Funny)
-paul
greater complexity demands better security (Score:1)
What good is a secure Windows network when your server room and backup tapes are destroyed in a fire?
Back before the Fourth of July, a major bank in Wisconsin had a major fsck up that resulted in direct deposit f
Re:hacked my sense of humour (Score:1)
Straight up career advice for this field (Score:3, Interesting)
2. Ask your well-connected buddy from said university if you can join him working at the NSA.
3. Get a job in security because you're just "the right kinda guy".
Re:Straight up career advice for this field (Score:3, Interesting)
1. Join the military.
2. Be an ISSO for like 2 years
3. Leave military after 4 years
4. Write on your resume that you are an InfoSec expert.
5. Get hired on by defense contractor company X.
It's that simple.
Not bad advice... (Score:2)
Re:Straight up career advice for this field (Score:1, Flamebait)
What about the part where this does not happen because the 'stop loss' order prevents you from leaving the service until after the Vietnam^d^d^d^d^d^d^dIraq war is over?
Re:Straight up career advice for this field (Score:2)
There appears to be something of a disconnect between your expectations of what a modern war is and the type of wars that NATO has been involved in of late.
Wars are not over when someone decides to hold a victory parade. Wars are only over when the losing side accepts they have lost. That means boots on the ground.
If you join up expect to be doing your share of the dirty work regardless of what role you are
Re:Straight up career advice for this field (Score:2)
Re:Straight up career advice for this field (Score:2)
"Career Hacking?!? (Score:5, Insightful)
Not that they're having me interview the information security personnel anyway*, but not in a million years would I ever hire someone who talked that way...
* To their detriment -- at least I'd find someone who knows there's more to security than making users change longer and longer passwords more and more often.
That's called marketing (Score:2, Informative)
I would imagine the book doesn't speak that language, nor encourage readers to do so.
Don't forget blocking portZ !!! (Score:1, Offtopic)
Don't forget blocking portZ! The truely 3l33t InFoSeC H3ck3r blocks all the portZ he can with his F13ew311! Cool!!
simple.. (Score:1)
And once you're in you'll be able to afford your very own sidekick!
awesome!
Why not just summarize it with... (Score:2)
Career hacking (Score:3, Insightful)
My biggest problem with this type of title is that it assumes your career is something that can be ordered online, like a book. The best security folks I've found have a passion for the topic. They're obsessed with finding vulnerabilities and closing them. I think your money might be better spent on some of the exciting books in the area like Applied Cryptography .
Re:Career hacking (Score:1)
I know a few that work for big brother.. finding them yes, but some of the really nifty ones.. they aren't so "obsessed" with closing. At least not for everyone else.. personally I love the "so you have a NAT that don't mean crap custom TCP stack"
after seeing that in action i double nat
Re:Career hacking (Score:5, Informative)
Andrew Williams
Books (Score:2)
Re:Career hacking (Score:1)
BS and more BS (Score:4, Insightful)
Often, with less-than-enlightened organizations (most of them), a good bit of your activity is justifying your own existence, as InfoSec is a cost-center and doesn't bring anything to the bottom line, unless you get hacked of course. In which case, you're there to take the blame (for management not following your advice).
Am I bitter? Of course! But I still love my job...
Re:BS and more BS (Score:1)
While I nodded my head in agreement to your post, I figure that you forgot to add some key bits:
Writing policies that are rejected, making integration recommendations that are rejected, attending spec meetings and having your suggestions ignored, reviewing logs that no one else cares about, etc...
Not only are most InfoSec careers unglamorous, they can also have the tendency to grind your pride, passion, determination, and enthusiasm for life in general into dust.
Bitter? Definitely. On the other ha
Re:BS and more BS (Score:2)
People who spell skills with a "Z"... (Score:1, Funny)
Where have all the old school hackers gone? (Score:5, Insightful)
Re:Where have all the old school hackers gone? (Score:1)
Re:Where have all the old school hackers gone? (Score:1)
I don't want to toot any sort of horn, but there are plenty of jobs out there (IT and otherwise) that don't go to the most qualified, but oftentimes to the person who 'knows someone' or can otherwise BS themselves into a position. I myself have plenty of education, certifications,
Re:Where have all the old school hackers gone? (Score:1)
Honestly, the best book I read that has helped me do very well in interviews is This. [amazon.com]
I've found that asking good questions is a very good way to really leave an impressive impression with an interviewer.
It sounds a whole lot better than this:
Interviewer: Do you have any questions for me?
Me: No. You've answered just about everything I could think of.
It makes you sound uninterested in the job/company/people/etc... that you don't really stand a good chance of getting a job. That's why it took me 7
Wish I had mod points for you right now! (Score:2)
I'm definitely seeing where in corporate I.T., it's almost *entirely* about who you know, plus "to the biggest B.S.er go the spoils".
Where does "formal education" come into play? It's pretty much a "key" that turns the "lock" of the H.R. department. They typically don't understand a thing about what the company is really looking for in a technical position like an I.T. opening. So they serve as "gatekeeper", screening for what basics they know how to screen for. If the hirin
Re:Where have all the old school hackers gone? (Score:2)
Anyone who can write code is doing so and making a lot more than they could configuring networks.
Longer answer:
I have been considering changing my career to infosec. I've been a software engineer for 9 years at a defense contractor (I have been a deputy security officer before in one of our labs), and I have a Master's in CS. My concern going to infosec is that it will be considered a step down that I may have a hard time getting out of if the respect that the company has for its infose
Re:Where have all the old school hackers gone? (Score:1)
Re:Where have all the old school hackers gone? (Score:1)
I learned on PUNCH CARDS.
I dream in JCL.
VI soothes, while notepad frustrates.
Where was
Where was
I was again busy working in the 1990's when
Re:Where have all the old school hackers gone? (Score:1)
Public Service Announcement (Score:4, Funny)
Remember kids -- if there's a brand-new black SUV out in front of your home within 15 minutes of replying to a post on Slashdot, you may not have hacked your way into a career in the infosec industry, but at the very least, you've earned yourself a very exciting job interview!
Re:Public Service Announcement (Score:2)
Tune up your math skills (Score:2)
Perhaps they mean something different by "Infosec" (the fact that the book has the word "skillz" in the title is perhaps a hint), but from my experience a solid background in a
Re:Tune up your math skills (Score:2)
Finite fields, elliptic curves, algebraic number theory, linear algebra I'm used to, but not axiomatic set theory.
Re:Tune up your math skills (Score:2)
Tips For Obtaining a DOD Security Clearance (Score:1)
1. Don't get in trouble with the law (other than traffic/minor juvenile offenses)
2. Don't screw up your credit (i.e. bankruptcy)
3. Don't use drugs (rather, don't admit to or get caught using drugs)
4. Keep your alternative lifestyle choices in the closet
Or, barring any or all of the above:
Enlist in the U.S. Air Force, lie to your recruiter, pass the Defense Language Aptitude Battery [about.com], and become an RC-135 Rivet Joint [wikipedia.org] crewmember - Arabic speakers preferred
Re:Tips For Obtaining a DOD Security Clearance (Score:1)
2. Don't screw up your credit (i.e. bankruptcy)
3. Don't use drugs (rather, don't admit to or get caught using drugs)
4. Keep your alternative lifestyle choices in the closet
Contrary to popular belief, the US government doesn't care what you have done with your life as long as you are honest and put all of your cards out on the table first. Obtaining a security clearance is more a test of character than anything else. The
Johnny Long again? (Score:1)
Re:Johnny Long again? (Score:1)
Skillz and other things (Score:2, Insightful)
First off, if you can't get beyond the title of a book, then perhaps you fall directly into the elitist category. I know for a fact that the skillz portion of the title was in fact the publisher's (Syngress) decision and not the authors'.
Secondly I wish slashdot commenters would actually
Re:Skillz and other things (Score:1)
I worked security for years. It was mostly politicians giving out contracts to other politicians (give yourself a 'we're world-class kludgers' button here. It's typical of the breed. --- they ignored advice, (24 hours notice some damn fool had ticked the wrong kid off and they were gonna get burnt for it. And they did, badly.) stole credit, passe
Re:Skillz and other things (Score:1)
Judging a book by its title (Score:2)
Infosec is not as romantic... (Score:1, Informative)
I work for a company that does nothing but security, and I can tell you that while infosec is cool in theory, it's just another job.
Getting a clearance in this gig allows one to have even more choices within the infosec arena, but then you are almost always dealing with federal stuff (even more borin
interesting.... (Score:1)
www.securitydocs.com
www.sans.com/rr
www.oreilly.com (resource centers)
Re:interesting.... (Score:1)
Don't buy this book, the answer is simple... (Score:1)
UMFK is also a good choice for Information Assurance and Security if you can't afford Purdue's tuition rates