Sheet1
1 Time in security Job type Do you have to be able to program to be a pen-tester? If so, which would you recommend? (No flame wars please) Are certifications useful? If so, which ones? How did you get your start in security? What do you know now that you wish you'd known when starting out? What one piece of advice would you give to someone wanting to start a career in security? What do you see as the next up and coming area? Is there anything you feel you did wrong that you would advise against? Is it OK to "practice" on sites/companies without permission if you don't do any damage? Are conferences worth attending? Which conferences would you recommend, and if possible, why? Country, or at least region/continent
2 7+ years Log analyst, IDS/Firewall admin No, but it helps Bash Scripting, Python, PHP Yes - but only to get through HR CISSP Realised I had a knack for it, started in the server team but made management aware I wanted in the internet team, 3 months in I was moved over after 3 guys up and left.  Work realised they could get me at a cut down price and I was happy to learn on the job. Politics will always play a part 
You will become the most hated dept in the building 
Change control knows nothing and will fuck up your working life
Read - constantly 
Be willing to peer over someone shoulder 
Ask lots of questions 
Break things but then learn how to fix them (even if it's during production hours)
 
(yes, that's 4)
Quicker, smaller and more blue blinking lights The grass may not always be greener at another company
 
and don't remove a firewall's default route during business hours
No, there are plenty of practice areas/labs; don't piss off a sec admin like yourself by triggering all his alarms. Yes Defcon, might as well go with the biggest. Aus/UK
3 <1 year Penetration tester Think you can get by without but to get to a decent level it's needed Bash Scripting, Anything you are comfortable with Yes - but only to get through HR Depends on the job Went to lots of info sec events (2600, owasp, cons, etc) talked to people, read lots, took part in UK Cybersecurity Challenge. Not been doing this long enough to really say, but I'm coming to the realisation that it's all too easy to become reliant on tools rather than techniques.       No. Yes Not been to lots so can't really say. Bsides seems to have the best user experience, and I got a lot from it. UK
4 4-7 years Vulnerability auditor, Penetration tester, Policy writer, Log analyst, IDS/Firewall admin Yes Bash Scripting, Windows Powershell, Perl Yes SANS/GIAC, CISSP Offered position in security due to good performance in work How to deal with management in implementation of security measures. read, learn ...   yes, educate users first and then implement security measures NO Yes black hat conference, DEFCON Serbia
5 1-3 years Software engineer No, but it helps   Yes CISSP I'm a Java developer; got moved into role writing crypto-binding features. Went for Security+ then CISSP. Probably taken less time in college curriculum focusing on "security" courses. Most is learned on the job. Get things on your resume that show you have some understanding of the field.
 
In my industry (defense), the pendulum is swinging from college degrees to certifications.
The world always needs good programmers :) Not sure - "fate" somewhat pushed me into where I am now. No! ...Hell no! Yes   Maryland, USA
6 <1 year Malware analyst, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Python, C, Java Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CompTIA (Security+ etc) Spent the past 4-5 years in a systems administrator role. Security is at most an add-on to the current job or a hobby for the spare time. uh, a lot. Read, I have so many damn bookmarks chock full of information. Mostly more of the same. lacking on the certifications. Which company? Yes Derbycon Wisconsin, USA
7 7+ years Penetration tester, Policy writer, Manager, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Ruby, Python, C, PHP, C++, Batch Scripting, C# Yes SANS/GIAC, CISSP, OSCP I've always been in security at a very low level just trying to keep the network safe with what limited knowledge that I had. But what pushed me head over heels into the industry was that we got physically breached. I honestly believe that the best way to get into the industry is to experience a breach. It's like cooking. You need to burn a few dishes to realize what doesn't work. After the breach, I knew I never wanted another physical or electronic breach to happen again and it was now personal to me. I started listening in on IRC channels and kept my mouth shut. I didn't know much, but everything that was posted I did research on. Now that I've been doing it a while I can pipe in here and there. It's all about reputation and really "knowing" what you know. Be silent more often. If you don't know what you are talking about, or only know a little bit, and purport to be an expert, you will be taken to task. Listen more, speak less. It's all about reputation. Certs are useful, but if you are unknown you won't be taken seriously. Get out there, meet people, and learn from them! I've been in HealthIT for many years. With all the legislation around electronic health records, this is going to be a huge issue for many orgs. I didn't get to know more people in the industry when I was at DerbyCon. Just go up to people and start talking to them. Don't be scared. No. It is not okay to practice. There are several other ways to practice including setting up your own lab. Facebook just sent a student to jail for practicing on their network. Yes DerbyCon, because it's a great place to rub elbows with the elite members of this group without feeling like you have to be a rockstar to meet them. I met Kevin Mitnick, Dave Kennedy, Adrian Crenshaw, and others even though it was my first con. US
8 4-7 years Penetration tester No, but it helps Windows Powershell, Ruby, Python Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP Working at large company. Was a software tester, Verification and validation stuff. Tracked down the Info sec group and started talking with them. Convinced them into letting me work part time for them to show I could learn stuff, got brought on after a few months full time. I still consider myself starting out and still have much I'd like to know. I guess the big one for me is that sec folks love twitter and it's a good place to float ideas. Make sure it's something you really want and can keep up with, not just something you enjoy on the side.   I compare myself against the "rock stars" and make myself feel I know nothing in comparison. Everyone has their niches and everyone can contribute from all levels. Not in my book. Yes Shmoocon, First talks of the season. Brings in new blood with new ideas
Any bsides available- Always going on, free, fresh ideas
Defcon- Culture experience. See lots of people you don't see otherwise.
Derbycon- Last year was a great start, good speakers and format.
USA
9 <1 year student Don't know Python Yes EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc) I recently went back to school Certifications are important; hands-on experience is helpful       Yes   USA
10 1-3 years Log analyst, IDS/Firewall admin, Sys-admin Yes Bash Scripting, Ruby, Python, Lua Yes SANS/GIAC Picking up books on the topic and constantly asking questions to anyone who knew more than me until they pushed me away. I'm still trying to get a job that has "security" title in it, but my everyday goal is to incorporate security in my decision making and constantly push for greater things within the work place on security matters. On my personal time, it involves following members of the industry on twitter, RSS feeds, and independent research and personal projects.
 
For clarification, my answer of 1-3 yrs in security involves my personal, committed interest in security, not time served in a "security" specific job role. So...I'm still working on it!
Research before asking questions, it's probably out there. I've always liked Offensive Security's mantra of "Try harder". It's usually after the point where you are about to give up that you find the answer you were looking for. Mobile forensics and exploit development. Not be as concerned with anonymity. Bob maybe, me no. Never been, but want to go   US
11 1-3 years Sys-admin No, but it helps Bash Scripting, Python, PHP, C++ Yes - but only to get through HR SANS/GIAC, CISSP, CompTIA (Security+ etc) In the days of dial-up internet my username and password got stolen, and since then I got interested in how people were doing that. I started stealing passwords myself and tried to inform people of the security flaw that they had. People skills! When I started out I was using some social engineering tricks, but didn't even know that I was doing that. Learn how to exploit people. Be creative and think out of the box. Social networks in corporate environments.   Yes. This is a morally gray area, but I feel like it's ok to "practice" if no damage is done. Yes   Serbia
12 7+ years Penetration tester, Policy writer, Manager, Reverse engineer, Exploit developer, Malware analyst, Log analyst No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, Batch Scripting, Perl Yes SANS/GIAC, Offensive Security Progression from system admin, lots of hard work on my own time When I started I thought I knew about security pretty well 
Now I feel less knowledgeable than when I started
Work on your "How to convince others" skills Total integration. 
 
Social engineering, system knowledge, Business knowledge, Social knowledge,
Not really, Mistakes are important No 
 
Create your own practice lab
Yes Blackhat, Great training 
/Defcon, it would take too long to explain why this is a classic and a must 
Brucon great workshops  
CanSecWest, Bsides, Derbycon, CCC
Denmark
13 4-7 years Penetration tester Yes Ruby, Python, C Yes - but only to get through HR   Easy, aced the interviews and had an open source portfolio. Most pen-testers are glorified script kids, don't take their input too seriously. Don't just learn security, go in deep and you have a definite technical edge.     Not at this time and day. Maybe pre-2k1 it was (barely). If you "practiced" on any serious places (serious = with decent security) and are still able to read this congrats - you have some expertise that your "rank and file ethical hacker" will not be able to match. No   Europe
14 4-7 years Vulnerability auditor, Policy writer, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Python Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), CISSP Started as junior sys/net-admin in a datacentre; turns out the rest of the team didn't 'like' security stuff, so got passed all the security related jobs no one else wanted to do. Rest of the world doesn't like security, so give it a go.
 
Yes, it looks cool and complicated, but stick at it and you will 'get' it.
Set a lab environment up to practice with, virtualisation makes these easy these days. Mobile devices are going to cause problems, but mostly the same problems already encountered in other form factors Don't assume you can't do something, even if you're right you'll learn and develop by trying. Only if you want a new 'room-mate' called Bubba...... Yes Only got to BSidesLDN so far. Reviewing material from other cons post event always leaves interesting material, by far most useful aspect of cons seems to be [lobby|corridor]-con. UK
15 1-3 years Vulnerability auditor, Policy writer, Log analyst Yes PHP Yes - but only to get through HR CISSP             Yes    
16  4-7 years Vulnerability auditor, Penetration tester Yes Bash Scripting, Ruby, Python, C, VB, Perl Yes - but only to get through HR OSCP Majored (B.S.) in Computer Science in college, took a concentration in Information Assurance. School sponsored my CISSP exam, which I passed first try right after graduation. Got a government job in IA right out of college. If you do 5 minutes of research before asking a question, you'll either ask a better question or figure out the answer yourself. 
 
Your heroes are real people, and are usually very approachable. If someone treats you like dirt, first ask, "Am I being inconsiderate or rude? Did I forget to do the 5 minutes of research first?" If the answer is no, then that person is probably not worth your time.
Do something nobody else has done before. There are a million and a half "penetration testers" and wannabes out there running Nessus and Nexpose and clicking "Exploit" in MSF Pro/Core Impact/Whatever. Find something that interests you, then analyze the security angle. Security is not a "thing" in itself, it always supports some business process. If you can't figure out what the business process is, or what the value is for society, then pick something else, because you're not helping. Probably something that sounds boring to most people. Nobody gives it attention until someone is passionate enough about it to improve it, then everyone will spin up in a hurricane of buzzwords and exploits, throwing money left and right. SCADA! Mobile! Embedded! Web! Don't go directly into pentesting without spending time on the defense side, or development, or administration. My knowledge is a mile wide, but an inch deep, so I waste a large part of each pentest engagement learning some particular technology, language, business practice, etc. Ideally, I would have a team of people who have that depth in different areas. NO. Only for the networking aspect, see below I have never attended a security conference, though I would really like to. My experience is from sending my team members to them. Most talks will end up on Youtube, so don't go just to attend the talks. There are plenty of low-cost conferences: don't waste your money on Black Hat, etc. Get involved in online community (Twitter, IRC, etc) and see where the interesting people are going. DerbyCon was an amazing start-up last year and looks to be a great pentest-focused con. Don't rely on a name and history alone: research the speakers and see who's attending. Go to make contacts and discuss issues. If all you do is attend the talks, you're missing out on 80% of the value of the conference. USA
17 7+ years Penetration tester Yes Bash Scripting, Windows Powershell, Ruby, Python, C++, Lua Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP I was a Windows admin who wanted to do something else.  I started reading a lot of books and experimenting in my free time.  The jump was natural. I wish that I knew that I would need a functional understanding of programming to be a penetration tester.  I was a terrible tester with my limited ability to script. Anyone who claims their class will make you an expert is a fraud.  The industry is also full of frauds and hubris.  Do your research and trust your nose to avoid those types of people.  People like the guy in this video (http://www.xtranormal.com/watch/12984422/dont-you-know-who-i-am) and their warez should be avoided at all costs. I see the next area for enterprise security being PowerShell and HTML5. I spent entirely too much money on crappy training and worthless certifications.  Buying (well-reviewed) books is almost always worth it, but good training is few and far between.  It's hard to turn down "free" training, but make sure it's worth the opportunity cost. I would avoid this.  You aren't doing damage until you are - and then it's too late.  There are plenty of free sites with challenges for practicing. Yes Defcon, Shmoocon and a different small con (like Bsides) a year is a good recipe. US
18 7+ years Penetration tester No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, Batch Scripting Yes Vendor specific, SANS/GIAC, CISSP I wrote a DES cracker for an undergraduate C course, having successfully retrieved the University library card catalog /etc/passwd file through a TFTP directory recursion vulnerability.  Got an A on the project, but also got hauled in front of campus security.  The next day, the university offered me a job. I wish I had started coding earlier, to help me advance faster. Pick a field you have a passion for, and learn that area in more depth than your peers. Mobile device exploitation Vulnerability disclosure is tricky, and should be handled carefully. No Yes A combination of hacker and defender conferences to get a balanced perspective on the problems and the solutions. USA
19 4-7 years Vulnerability auditor, Penetration tester, PCI auditor, student Yes Bash Scripting, Ruby, Python, C, PHP, C++, Batch Scripting Yes SANS/GIAC, Offensive Security Hobbyist to a degree in security at university. To be patient. The art of debugging. Be prepared to never stop learning, to never know everything and to never be able to call yourself an expert. The mass adoption of Static Code Analysis, including Hybrid Analysis. It is always wrong to assume, especially in computing. As long as no laws were broken, such as gaining unauthorized access and your intentions were non malicious. Yes BSidesLondon - Networking, cost, talks, openness
BruCON - Networking, cost, talks, location
England
20 1-3 years Penetration tester Yes Bash Scripting, Python, C, C++, C# Yes SANS/GIAC Was a web dev got a chance to ramp up in sec, took it. 
Been breaking shit since I was 10, so sec seemed like a good choice. I was convinced this was my chosen path after ph neutral and meeting the good people of this wonderful community :) \m/ \m/
Rock on! And good luck with the proj!
Cons are bad for your liver Get into the mindset or get the fuck out.
Srsly, think outside the box, be motivated to do so and you will succeed
    Define practice Yes Any con that has training relevant for your field, take it and meet the people. 
I think a big part of success in this field is being able to help others and get help from others when needed
Israel
21 4-7 years Policy writer, IDS/Firewall admin, Sys-admin, Vuln Management Yes Bash Scripting, Windows Powershell, Ruby, C, PHP, Batch Scripting Yes CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC Applied for a job in a new OpSec team within my current org. Sideways shift from wintel support. It is much easier to get in at an early point in your career where you can get experience as an intern/junior than try and transition from a "regular" IT position. Start early. Read as many books on infosec as you can and make sure you have a play with the tools you are learning about in your own lab. Wireless. It is getting lots of penetration and as a subject can be very difficult to pick up without some understanding of the physics involved. Try hunting down a rogue AP some time ;) I didn't get my head in the technical books after enough. I waited before I approached the infosec community for fear of being called a n00b. I didn't get into this business early enough in my career. No. Get that kind of black mark against your name and no reputable employer will touch you with a 10 foot pole. Also be prepared to lose those certs you spent all that time and money getting. And you will never work for any branch of government. Yes I have only been to a few "real" cons, but BruCON, BSIDESLondon and dc4420 were all very useful. Not only for content but for networking. Local 2600 groups could be good as well. The trade shows like InfoSec do not add any value. West Midlands
22 1-3 years Penetration tester, Reverse engineer, Exploit developer at least a scripting language Bash Scripting, Ruby, Python Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc) Breaking stuff in a lab at home, wasting lots of hours reading books, manuals, looking at packets passing on zee wires, and messing about with debuggers, malware samples and trying to defend a server from multiple attacks while also attacking it and learning how attacks work. That writing reports is a pain in the ass. Go create your own lab and start breaking shit and fixing it afterwards. Crypto lots n lots of crypto no no Some Bsides, defcon because they are cheap, accessible and Black Hat panel who picks the talks sucks. United Kingdom
23 4-7 years Vulnerability auditor, Penetration tester, PCI auditor, Log analyst No, but it helps Bash Scripting, Windows Powershell, Python, Batch Scripting Yes SANS/GIAC, CISSP, OSCP, OSWP, OSCE, OSEE, OSWE I started as an IT generalist.  Security always interested me however when I started my career, dedicated InfoSec positions were rare. I started by volunteering for any security specific activities/projects within the organization.  When it eventually became time to move on in my career I tailored my resume, highlighting my security experience and joined a firm as an IT Security & Assurance Consultant. I wish I had the opportunity to start out in InfoSec rather than being forced to put 6-7 years in traditional IT. I do think that working in IT Ops is invaluable and contributes to any success as an InfoSec consultant however 2-3 years would have been plenty. I also would have started attending Cons much sooner. Read everything, watch videos (Security Tube, Hak5, etc), listen to podcasts, get on Twitter, and go to as many cons as you can afford. It's difficult to say. I believe our industry is too dynamic to make any accurate predictions. General advice: Don't get an ego and don't exaggerate your claims.  There are a lot of highly intelligent people in our industry and you can expect any claim to be scrutinized. The last thing you want is to end up on the Errata page at Attrition.org No, there are enough places to hone your craft (labs, bug bounties, etc) that you don't need to flirt with the law. Yes Black Hat, Defcon, Any BSides, ShmooCon, DerbyCon, SOURCE, "Hallway Con".  These are all great learning opportunities and it's a great way to meet like-minded professionals. USA
24 4-7 years Vulnerability auditor, Penetration tester, Policy writer No, but it helps Python, C, PHP, Java Yes SANS/GIAC Anti-Piracy/Research No amount of certification can replace experience Study hard, do the labs and exercises, experiment with tools. html5, virtualization & Cloud, mobile-based technologies cissp - 10 miles wide, 1 inch thick, and proves nothing. no. No Blackhat, CCC - presentations provide insights into cutting edge technologies and techniques Israel
25 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Python, C, Java, Lua, VB Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP HIPAA regulations forced my company to create a security position.  I was interested in it and told my supervisor I wanted to take it. How valuable programming/scripting experience could be Learn programming/scripting if you want to excel web apps and mobile devices as attack vectors No, but I suggest building a lab and practicing in a lab environment NO Yes SANS (any) because of the amazing security pros that you can meet and network with. 
Derbycon because it's a smaller conference and even more opportunities to talk one on one with security pros
USA
26 4-7 years Penetration tester, Policy writer No, but it helps Bash Scripting, Windows Powershell, Batch Scripting Yes EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc) After being a developer and a network engineer/architect for over a decade, security was the best next step for career development without becoming a dedicated manager. IA work has a lot of paperwork and politics. Never stop learning. Mobile devices. Overestimating an auditor's intelligence and understanding of network security. No. Yes Conferences are great to get CPEs. US
27 4-7 years Penetration tester, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting, Lua, javascript Yes SANS/GIAC, CISSP I started out in general IT support roles, and gradually moved into a system administrator position with a company that put a lot of focus into info sec.  I had to learn a lot of auditing, and how to secure our systems. I earned the CISSP certification in 2007, which opened the door for me to get my current job as a security engineer.
 
I've had a passion for info sec for a long time, and I think that really came out during my interview.  Even though I'm not the best, I'm always trying to learn more.
Be passionate, and never give up.  There will be times when you'll hit a road block.  Put your head down, and keep pushing until you overcome it.  These are opportunities to grow you.  At the time you won't see it this way.  You will be frustrated, but it's the ones that can overcome these challenges that stand out.   I started out with a plan to go to college to earn a degree in Computer Engineering.  Along the way, I started working in the computer industry on the side.  I started making decent money, and that distracted me from finishing school.  Now, I'm working to finish my degree with a family and a full-time job.  I wish I had just gone ahead and finished my degree and been done with it. It's not ok.  There are lots of resources available to practice on. Yes I think most of the major ones are beneficial.  Not only for learning, but for networking with people. U.S.A.
28 7+ years Manager, Sys-admin No, but it helps Bash Scripting, Ruby, Python, PHP, Batch Scripting, VB No   As a Maths grad I took a grad job after uni (non-IT) then after 2 years sought a change. Curiosity in IT and simply mentioning on a form that I would be interested in IT security landed me in a dept in which I have now stayed, roles varying, for the past 10 years. There's a whole world of work out there, public naivety is all that stands in the way. Don't chance it and exploit your way in, too risky. Get involved online if you can, cyberchallenge etc. run good online comps with certificates that can look good to an employer. If in employment already is there scope in your current organisation? If so don't be afraid to go for it, it is surprising how little knowledge you may have can be incredibly valuable and if you understand the basic risks could well be head and shoulders above the staff that are currently tasked with Security duties.   Didn't study any useful modules at uni. The million dollar question. Even damage these days can be considered the cost and effort to perform analysis to prove you did no wrong.
 
If in doubt and if non invasive means give indication of an issue contact the site/company first. You never know, that may be your route in.
Yes   UK with some global responsibility
29 7+ years Vulnerability auditor, Penetration tester, Policy writer, Log analyst, IDS/Firewall admin, A security generalist. As part of a team of 2, I do all things security for a large non-profit. No, but it helps Bash Scripting, Windows Powershell, Ruby, Python Yes SANS/GIAC, CISSP While a programmer at a bank and one year out of undergrad, I got CompTIA's Security+ certification and started applying for every entry level security gig I came across. After about 3 months, I was hired at a utility that was spinning up a security operations center (SOC) as part of a 24x7 team of eight. Network. I'm an introvert, and this has never come naturally. However, information security is a relatively small industry. For the most part, the people in the industry are amazingly friendly. I work hard and I enjoy learning new things, but I've still gotten farther with the people that I know than I have with what I know. 
 
As a corollary to "network," I think it's important to note that information security is a role in a company that involves dealing with people. Brush up on your public speaking and negotiation skills. I'm much better at hacking silicon than I am hacking carbon, but each is important. Take time to learn and practice those soft skills.
Information security is not nearly as sexy as you think; not that it can't be at times. I spend way more time writing policies and staring at logs than I do popping boxes.  
 
Information security is quickly evolving; what makes it fun also makes it difficult. If you stop learning, you die. To be effective, you need to quickly learn and stay on top of new developments on the bleeding edge.
I hope application security gets more visibility. We are making more and more data available on the Internet, but not doing a good job as securing the portals to it. I try to take a class each year. "Security" is much larger field than people give it credit for, and you should know a little about as much as you can. I wish I started this early and could be more consistent. No Yes Networking, networking, networking!  
 
I get a lot of value out of DEFCON. The concentration of approachable industry superstars is fantastic. I do attend as many talks as I can, and learn a great deal in the process. Whether my employer is willing to pay or not, I haven't missed this one for the last few years. Watching as many geeks in Vegas alone is worth the time.  ;-)
 
Local conferences and gatherings are great. I don't learn as much, but it's helpful to network with those geographically close. 
 
Did I mention networking?
USA
30 7+ years Vulnerability auditor, Penetration tester, Policy writer, Reverse engineer, Exploit developer, Malware analyst, Log analyst, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting, Lua Yes - but only to get through HR Offensive Security PWB My connections I made on twitter got me 2 solid interviews when I hit rock bottom as a helpdesk guy. Without a doubt, twitter was crucial as a budding security person to connect and get my "name/handle" out there. It showed I was active and interested. I wish I had started on twitter sooner. Do not be shy to ask questions, talk to people you admire on twitter. Realize that you may say something ignorant, but you are supposed to be ignorant when you start out, you are learning. Mobile device security Do not let rejection make you feel hopeless. For me at least a smaller company was more willing to take a chance on me purely because I had passion and was willing to learn. No comment Yes DerbyCon and Bsides USA
31 7+ years Vulnerability auditor, Malware analyst Yes Bash Scripting, Ruby, Batch Scripting Yes SANS/GIAC, CISSP During graduate school (back in 2000), my advisor had a computer security research group.  Through that and his influence, I got a job with the government doing security related work.   Be prepared for the not-so-fun work.  I really enjoy what I do, when I am working inside my areas of specialization, but there are a lot of projects that I have to work on that aren't as much fun.     No!  "damage' is a relative term - if the company has to spend resources responding to alerts that you cause or tracking down what you did, it still takes time and money. Yes BlackHat and DefCon at least a few times to get a feel for the industry and build a network.  CanSecWest, BSides US
32 1-3 years Policy writer, incident response and forensics Yes Python, C++ Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, CISSP Prior military career started me in this direction as an administrator, but have more interest since moving to a more proactive defensive stance How hard it is to get into this field and how much it cost to learn both in time and money Hard work and time are required if you want to succeed, and you should never stop trying to learn Supply chain risk assessment, aka hardware and/or software analysis to prevent malicious or even poor QA from vendors injecting vulnerabilities into enterprise infrastructure Not focusing on one area at a time to grow or build on my knowledge base from networking to programming to OS security It is ethically or morally ok to "test" on someone else's property without their permission as you may never know the effect you have on their business as actions you perform may leave gaps that a malicious person could use against that company Yes I have never been to a con because the larger cons are very expensive, not easy to get a ticket to as they sell out quickly, not close to where I live, cannot get my employer to pay for me to go to a "hacker conference" let alone take time off work. There are a few events in NOVA but they are intimidating for someone who is new to this field and doesn't know anyone USA
33 4-7 years Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor No, but it helps Python, PHP, Perl Yes SANS/GIAC 20 years as network manager/engineer in HIPAA space, etc. where security was becoming more discussed and implemented. Risk management and threat modeling are key components to analyzing the specific risk a vuln is exposing a company to in any given situation. Develop skills in other areas of IT (system administration, network management, development, etc.) either before or in addition to InfoSec. Mobile and Web 2.0 technologies Learn an internet, interpretive programming language No. Yes DefCon 
Shmoocon 
DerbyCon 
BruCon
U.S.
34 4-7 years Vulnerability auditor, Penetration tester, Exploit developer No, but it helps Bash Scripting, Windows Powershell, Ruby, Python Yes - but only to get through HR SANS/GIAC, CISSP Security has always interested me. I rekindled my love for security after watching how companies ignored security issues and vulnerabilities. It's all about the report... you can be the best penetration tester in the world, but if your report sucks, so does your test! Make sure that you've got the basics down before you even start thinking about security. Spend time working as a sysadmin, programmer, technician etc... BEFORE you move into security. That knowledge will come in more handy than you know! This changes every week.... ignore what the next up and coming thing is, and make sure you get your basics down! The next big thing is good fundamentals! Hindsight is 20/20... If I could pick one thing I would do differently, it would be to get started coding and understanding code much much sooner. No excuses, just do it! Actively attacking sites is a big no no.... however looking at traffic, and how sites function isn't. Also, some issues can only be exposed and confirmed by using a small amount of playful and creative thinking. 
 
Let's just say, it's a grey area ;)
Yes BSides* (Any and all...) 
DefCon (if only to meet with interesting people) 
BruCON (good mix of people and info)
Austria
35 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, IDS/Firewall admin, Sys-admin Yes Bash Scripting, Windows Powershell, Ruby, Python, PHP, Perl Yes SANS/GIAC, CISSP, CompTIA (Security+ etc), See email In college, spent time poking at systems. Didn't get into trouble, as it was a different time then. 
 
First job out of college involved designing and building what would eventually be called a Linux appliance. Back then, it was just a server. Had to protect data flowing each device, so got involved from a system administration perspective.
That security is an issue of tradeoffs and not a binary of "secure" or "not secure" Plan to work more than 40 hours per week for at least five years. The more you work, the more you learn. You have to learn faster than your competition (peers for jobs *and* blackhat attackers) if you want to succeed. Soft skill communication with management and accounting. 
 
We have enough tech. We need to get better at convincing others to use it properly.
Don't focus on tech because it's easier than the people stuff. Unless you're protecting actual people, everything you do is useless twiddling of bits. Remember that people matter and grow to love the messiness and uncertainty of dealing with them. No.  
 
There are tons of free learning systems out there (Metasploitable, WebGoat, etc). Also, there is no way to guarantee that you won't do damage.
Yes, if you go to talk with people. No if you just attend sessions. Small cons like Shmoo or Derby. United States
36 <1 year Sys-admin No, but it helps Bash Scripting, Python, PHP, Java, Batch Scripting Yes - but only to get through HR EC-Council (CEH etc), CISSP, CompTIA (Security+ etc) Intern turned employee in a compliance-based managed hosting company. Entering security is a SLOW process. You need to know a lot of stuff about a lot of things to be proficient. Being able to recite everything from the Security+ exam is great, but it doesn't prove that you know how to implement any of those concepts. Take your time, start at the bottom, and don't rush things. Stay current. Make a Twitter account and start following other security/tech people. Mobile device security/development, "cloud" security, healthcare infosec, and web app pen testing. DO NOT RUSH THINGS. Don't jump right into a security engineer role. Start low and absorb as much knowledge as possible. Don't expect your employer to invest in you. A lot of the time, you'll be spending your own money attending training, cons, and other events. No. Never. Not only is it illegal, but since you are still "practicing," it means that you don't completely know what you are doing. You could seriously break something and cause a DoS or worse. Yes ShmooCon 
Defcon 
RSA 
BSide of any locale 
Derbycon 
Toorcon 
Blackhat 
 
Good networking opportunities, chances to learn about the current state of security, being surrounded with people of all walks to develop new ways of thinking, employee morale boosting. Most importantly, staying current on the events of the security world is critical for security professionals.
USA
37 7+ years Penetration tester, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Incident Response/Forensics No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc), OSCP Started in the military as a 2651 Secure Communicator/Intel SysAdmin, working on classified systems; so it was beat into me.  However, I got out and did regular sysadmin stuff, but took on other roles as I was able to display interest/capabilities (as little as they were).  I always just kept up with the security scene as it was, and didn't get an actual "security" job until about 5 years ago. Thought that I would never get the job, but things I talked about, my experience, and passion for security related things got me the job. 
 
I was lucky...I didn't have certs or a college degree; and I don't consider myself wicked smart but have a mentality of how to do "things"... 
 
I think that 1) passion 2) experience 3) networking are key.  Just showing up saying "I'd like a job in security cuz it sounds fun" really isn't the way to do it...
You can't control everything and let things go...ultimately you are there for the business. If the business decides that your concerns are not that important, so be it - fix what you can. Get your own "lab" at home, be it a virtual machine setup, wireless equipment, etc...and do your own testing. If you can splurge on Microsoft Technet Subscription and use those to configure and attack... Incident Response - it has always been there...but I think we will see a blend of those pentester/forensic skills really come together and redefine the Incident Responder position. Get all your skills, practicing, learning in when you are younger w/ no children. I currently have kids, trying to complete college, and develop professionally and it is hard, really hard. Really my professional development has gone way way down.... Depends. If you are doing just intelligence gathering...practicing pre-attack operations then it is ok.  Actually compromising is not OK. Yes Depends on focus... 
 
Blackhat 
BSides 
HTCIA - Forensics/IR focus 
ISSA - Good for networking (light on technical stuff)
US
38 7+ years Vulnerability auditor, Penetration tester, Exploit developer, IDS/Firewall admin, Sys-admin Yes Bash Scripting, Python, C, C++, Java Yes Vendor specific, SANS/GIAC, CISSP Started in 1994 when tasked with portscanning our clients at a security firm in New England. Start learning encryption types early too, Applied Cryptography by Bruce Schneier. Read more, talk less. Cloud security. Left college to work. Ethically sure, legally not so much. Yes SANS, Blackhat, Defcon. Boston, MA
39 7+ years Malware analyst, Sys-admin, Forensic Analyst No, but it helps Bash Scripting, Windows Powershell, Python, C, Batch Scripting Yes - but only to get through HR SANS/GIAC, CISSP, CompTIA (Security+ etc) Started as a Sys Admin with an interest in InfoSec.  Had an early manager/mentor who encouraged me in the InfoSec field. There's more to Information Security than purely technical correctness.  There are business and political issues that often trump the "best" technical solutions. Get a good broad background in computer science fundamentals and "learn how to learn".  Technology will completely reinvent itself multiple times during your career. What we're currently calling "mobile computing".  Smart phones, tablets, and other small devices (mostly running proprietary, "walled garden" OSes) will become "computing" for 98% of the population. I was less kind than I could have been in many circumstances. Absolutely not. Yes   United States
40 7+ years Vulnerability auditor, Log analyst, IDS/Firewall admin, Sys-admin, Social Engineer Scripting at a bare minimum Bash Scripting, Windows Powershell, Python, Batch Scripting Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP Learned IT systems in depth including Windows, Cisco, Novell and core network services (DNS, DHCP, etc.) Learned to use troubleshooting tools and understand what they revealed. Learned to use "hacking" tools to troubleshoot. More programming Learn one facet of IT in depth. Learn to be creative and push things from a different angle. Tenacity because the movies are not real. Foster personal happiness. Happy people are more energetic and able to weather tough periods of life. Social Engineering which also helps in everyday life and your career. Nothing really tangible that I can describe here. Only if you want to kill your infosec career. Yes Local BSide cons and Derbycon US, mainly, international
41 1-3 years IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Ruby, Python, Batch Scripting Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, CISSP, CompTIA (Security+ etc) A class for CEH was being offered at a school I was attending for my MCSE.  After taking the CEH course I found that their topics were vastly dated so I began doing my own research into a vast variety of infosec areas. A computer science degree from a reputable school would help greatly in understanding some of the higher level topics. Learn as much as you can as often as you can.  Practice to hone your skills. Mobile security is a huge issue that needs to be solved as well as refining the SSL trust model.   This is two fold I think.  It isn't ethical to "practice" on sites you do not have permission to do so.  However, if the techniques are known not to damage the sites availability then it shouldn't be an issue.  Besides, if the system admin is any good they would be able to block the offender giving them valuable practice. Yes I feel the conferences you attend should be the ones with talks on topics you are interested in.  Because of this there aren't any specific cons that I would recommend. USA
42 4-7 years Vulnerability auditor, Penetration tester, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Python, PHP Yes - but only to get through HR SANS/GIAC, CISSP I started as a Linux system administrator which did entail a little bit of security. I then moved to a role that required a little more security for various projects and eventually wanted to move to a full time security position. I then moved to Deloitte where I now work as a security consultant with a primary focus in vulnerability assessments and penetration testing. Nothing really. You kind of have to make mistakes and grow from them. The quicker you get used to that mindset and realize that it's the nature of security the better off you will be. Don't get into security for the money. Most, if not all, of the people who do this do it because it's fun and a challenge. It's just an added bonus that we get to work in a field that pays us to break/fix/research interesting stuff full time. Near Field Communication and SCADA (shudder). We haven't seen the last of web application security either. Probably more than I'm willing to admit in a public forum :) No. Never. Yes DefCon - 4 days of awesome content and craziness. Gives a very good but varied intro to the world of security. 
Brucon - Because it simply rocks. Small crowd but awesome content. 
Shmoocon  
CCC  
Derbycon 
Recon
South Africa
43 7+ years NINJA Yes Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua, VB, C# Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme)             Yes    
44 4-7 years Penetration tester, Reverse engineer, Sys-admin No, but it helps Bash Scripting, PHP, C++, VB Yes - but only to get through HR SANS/GIAC, CompTIA (Security+ etc) Joined the Royal Corps of Signals several years ago, which is easy to get into, but very challenging. About 18 months after I left, I was fortunate to get offered a place at university studying Information Security. The importance of being critical, as I feel that's one of the most important attributes. Also being aware that certifications aren't always a reliable indicator of someone's expertise. Commercial awareness is essential - read up on everything you can, be critical of everything you read, look for trends and characteristics in the industry. That will provide a strong advantage, especially during interviews. I believe the cloud computing industry is nearing saturation, contrary to popular belief. We're likely to see a substantial growth in mobile security and anti-malware solutions. Perhaps making the occasional statement in the past without fully researching the topic. Infosec professionals can and do get called out on that. Definitely not. Everyone has a right to privacy and security. Yes Infosecurity Europe. BCS events (which are held around the UK). Also keep an eye out for any tech-related events happening locally, and even Hackspaces. UK
45 7+ years Vulnerability auditor, Policy writer, Manager, Log analyst, IDS/Firewall admin, Architect Yes Bash Scripting, Windows Powershell, Python, C, PHP, Batch Scripting Yes - but only to get through HR CHECK Team Leader (CREST/Tiger Scheme), SANS/GIAC, CISSP Solid background in system management. Assisting the IT Sy Officer. Promoted to IT Sy Officer when vacancy opened. How much paperwork would be involved! First get very strong sysadmin and interpersonal skills. HTML 5 bedding in, network aware malware on mobile devices. 'Pot-holing' - concentrating on HMG infosec rather than expanding to the commercial sector. No. By 'practice' it is clear that the practicer is not fully accomplished therefore may affect the operation of the server. Yes InfoSec Europe. Huge exposure to trending technology (usually) with a broad representation from the industry. Good speaker sessions. 
 
I'm sure there are others but I've not had the opportunity to attend.
UK
46 4-7 years Penetration tester, Policy writer No, but it helps Bash Scripting, Windows Powershell, Python, PHP Yes SANS/GIAC, CISSP Began reading/studying security; my org found out and asked me to apply for a job transfer across the org. 
 
I was given on the job training because it was known that we needed a security person, but the department was immature in its understanding of the position.
Security is a balance between risk mitigation and corporate earnings.  Companies must continue making money to pay your salary.  Ergo, the best security may not be the right security. Read.  Incessantly.  If you are never surprised when people speak to you about things, but can comment with specific details, you will build credibility. BYOD Find the areas in your org that can be shored up without significant business disruption.  Educate people about risk and win them to your side. Of course not. Yes ShmooCon - in the weeds research. USA
47 4-7 years Penetration tester No, but it helps Bash Scripting Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP Working on open source projects and speaking at conferences How to use many of the commercial tools that I could never afford but that some clients require we use. 
Better writing skills including grammar, punctuation and technical writing skills
It's not all pentesting, many times clients only want scenarios or policies or vulnerability assessments. If any company says all they do is "real" pentesting, they are liars or they are broke. Testing of all the expensive vendor security controls. Many times pentesters ask to be whitelisted in order to speed up testing. This makes a pentest far less valuable to the client. I believe in the future we will see many more "ring the bell" and "Capture the Flag" type pentests which will not only find security holes but also security control misconfigurations. I never went to college or have any certifications. I got lucky and didn't need them but in the real world education matters. Hell No. There are enough practice web sites, linux distros and web apps out there to test on. There is no excuse for live pentesting without permission. Yes Def Con - The sheer number of people you meet is worthwhile 
Shmoocon - Great talks and lots of the "real" infosec people 
Derbycon - Because  I am a founder :-)
United States
48 1-3 years IT Security Officer Yes Bash Scripting, Windows Powershell, Ruby, Python No EC-Council (CEH etc), SANS/GIAC Learned everything there is to know about UNIX operating systems, especially their security features. I have not been here long enough to have such retrospection. Be passionate about it, learn the ins and outs of systems. Cloud security Don't specialize in just one OS/system, be a generalist. Depends on how you do it. Sometimes it's OK. Yes Shmoocon Malta
49 1-3 years Policy writer, Architect Yes Bash Scripting, Python, Batch Scripting, VBS Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC I was a developer with a side-line in sysadmin/infrastructure; I looked after the Linux application servers and designed the N-tier architecture I wanted for my enterprise apps. 
 
Looking to progress into a pure architecture role, I joined a company as a Technical Solutions Architect working with central government and defence clients, which dictated specific security requirements including CHECK testing.
Technical writing (still learning). Learn to program (scripting at least). "cloud" security, or more accurately better securing disparate private WANs Try and get in early in your career.  Pick a path and stick to it - if you can, hackers can be somewhat fickle :) no.  Set up your own lab. Yes 44Con, B-Sides London.  Primarily due to the limited availability of cons in the UK. UK
50 1-3 years Vulnerability auditor, Penetration tester, IDS/Firewall admin, Sys-admin No, but it helps Ruby, Python Yes EC-Council (CEH etc), CHECK Team Leader (CREST/Tiger Scheme), CISSP, CompTIA (Security+ etc) Hobby           Yes Def con, infosec UK
51 7+ years Penetration tester, Exploit developer, Trainer No, but it helps Bash Scripting, Python Yes Offensive Security OSCP OSCE OSWP OSEE My first "official" security job, I got after releasing from the Army. I moved directly into a Security Analyst position with the government. It's simply not possible for mere mortals to be good at everything in security. Focus is key. Dabble in everything security-related you can and try to figure out what you like doing best in the field. Once you've found it, dive in deep and work, live, and breathe it. The further rise of web application hacking and the decline of memory corruption exploits. Trying to learn everything. Having dozens of books on dozens on topics is nice but ultimately useless without focus. NEVER Yes DerbyCon - It's an intimate con where you can actually speak with the smart people in the industry. 
BlackHat - If you're looking to move into the corporate world, this is where you'll find all the suits 
Defcon - Because everybody goes 
Shmoo - The con that everyone wants to go to
Canada
52 1-3 years Penetration tester No, but it helps Bash Scripting, Ruby, Python, PHP, Batch Scripting Yes - but only to get through HR SANS/GIAC, CISSP UG was in Electronics. Got interested in crypto and network security, which led to working under a professor researching on effectiveness of web application firewalls. Got interested in security over all and went on to perform a Masters in InfoSec. Currently working as a penetration tester. An undergraduate degree in computer science or good workex in computer science helps a lot. Sometimes you need to struggle your way out! But that's the fun! Information Security is not just Security in applications and networks. It's a huge spectrum of areas which ultimately lead to security for data or controls. It's always good to remember, to be a holistic security professional (more specifically in infosec consulting), it always helps to be knowledgeable over a breadth of topics in security (SCADA, networking, appsec, mobile infrastructure, etc.) than trying to gain deep knowledge in one topic. That too, not having a CS background, I feel this is the way to go for someone wanting to start a career in security like me! And one other thing is security is all about logical thinking. Remember.. you just need to break something.. and you don't need to be an awesome programmer to switch the "ADMIN" cookie from 0 to 1. It's ALL logic! Malware and embedded systems security (more geared towards SCADA) Getting into consulting (penetration testing) right after Masters helped.. but only for a while. I would highly recommend software development/sys admin kind of experience before consulting. I felt that would have greatly helped me right now. Nope. It's not OK. 
P.S: err... hackers got to be effing Ninjas! think like one..act like one.! :P
Yes Each conference has its own good talks and useless talks. I would prefer either to attend a wide range of conferences (which is too expensive, so practically impossible for starters like me) or there are always videos of conferences on the internet. I do the latter and attend only one conference a year (whatever my company sponsors). Listed below are the few good ones I have come across based on talks I've seen online: 
 
- BH + Defcon 
- Shmoocon 
- Derbycon 
- OWASP Appsec
USA
53 4-7 years Student No, but it helps Python, C, PHP, Java, Batch Scripting Yes CHECK Team Leader (CREST/Tiger Scheme), CISSP, CompTIA (Security+ etc) In my second last year of high school a friend introduced me to the backtrack distribution of Linux. It was from this point on that I seemed to gain interest in the field. Playing with various tools and trying to express my newfound knowledge in my classes was how I got to know the field in a herbal sense. Learning the technical aspects was nice but I wanted to learn the principles and business decisions driving IT security. I am now a University graduate of a 3 year course with a major in IT Security, going back for a fourth year of honours. I'm still not as knowledgeable as I aimed to be but am definitely keeping an eye out for the best start in a field that will be expanding rapidly in the next 5-10 years. University is only a drop in the ocean of what is happening out there. It is well worth duelling a university security course while also gaining on the job experience or at least researching the role of security in business simultaneously. Make a friend in the industry who can give you a sneak peek and prepare yourself for the attitude, attention and processes which you will encounter. Mobile devices. Securing the BYOD (bring your own device) in the enterprise. Managing the risk and asserting ownership over company data in the wild. Don't throw away opportunities. If someone invites you to an event with industry personnel, make time and go. Be proactive in your learning, send emails, ask questions of the people who do it for a living. Passively - maybe. Analyse public code for education. Look but don't touch. Any attempt to 'test' security, in any form of the word, without permission can be taken as a threat by the victim and their reactions, if they find out, may not be as you expect. At best let them know of any exploits you may find. 
Yes Security specific conferences are helpful to an extent especially if your role requires you to be on the forefront. But conferences that relate to products in use or of future procurement may also be beneficial as you get to experience them before the rest of the world does giving you the edge in terms of finding the holes first. As I'm still a student, I can't say I've attended any specific conferences that may/may not have helped myself/clients security potential. Australia
54 4-7 years Vulnerability auditor, Penetration tester, Exploit developer, Log analyst, Sys-admin Yes Bash Scripting, Python, C Yes - but only to get through HR CISSP writing/playing hacks while attending university n/a hands on experience. learn system programming. smartphones, of course yes, wasting time with computers and less with girls :-) you must be kidding :-) Yes black hat 
ccc congress 
defcon
eu
55 7+ years Cybersecurity communications/employee awareness No, but it helps No opinion, not a programmer Yes SANS/GIAC, CISSP, CompTIA (Security+ etc) I had absolutely no technical experience at all. Went to graduate school for political science, only used a computer as a word processor.  In the mid 1990's, had a friend who hired me as an administrative assistant supporting a technical support team for a proxy-based firewall software company (when network firewalls were considered emerging technologies). After six months of doing admin work, one of the technical team members left and my boss replaced me with her - I had to learn TCP/IP, Unix administration, security concepts like defense in depth, etc, and firewall administration all on the job, while answering the phone when people called with problems like "all of our email is stuck in the queue, fix it", or "we have no access to the Internet".  Good times.  When I asked how do I get trained for this - the answer was... you're smart, just figure it out on the job, there are no other ways to learn, and there are no other people to hire who have this experience. :) I can't think of anything to be honest... Get as close to the customer experience as possible.  Having worked for vendors for most of my career, I know that it can color your perspective.  If you work for database security vendor, you'll be convinced that this is the MOST important domain in security, essentially you'll become a "one track mind" security professional.  If you work within a customer environment or you are "the customer", then you'll realize the full picture of all of the things that matter in cybersecurity.  Alternatively, if you work for a variety of vendors, this can also broaden your perspective. Document-centric security.  Not necessarily DRM, but a way to secure documents no matter where they're stored (the cloud, your laptop, your phone, etc) or distributed and no matter what form factor you're interfacing with them. 
Practice what you preach.  Even when you're not on the clock. NO. NEVER. Yes RSA - while this is usually a vendor-fest, I get to see a ton of people I've known forever, who live all over the place.  It's a fun reunion for all us security geeks. 
 
Infosecurity UK - this is a great place for customers - it's the anti-RSA, IMO.  People go here to really learn about the new technologies, instead of just trying to establish B-to-B partnerships or trying to find a job. 
 
BlackHat in Las Vegas - tons of cool stuff going on at this show, this is where the really knowledgeable and serious white hats, grey hats and black hats come together to share what they know.
US
56 7+ years Vulnerability auditor, Penetration tester, Reverse engineer, Malware analyst, IDS/Firewall admin, Sys-admin Yes Bash Scripting, Python, C, PHP Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc)             Yes defcon 
blackhat
Spain
57 7+ years Penetration tester, Policy writer, Manager Yes Bash Scripting, Python, C Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc)   You need to "look" professional, as much as you should "be" professional... (i.e. certifications / appearance does count as far as the customers are concerned) Learn as much as possible about a lot of subjects, and try to specialize in one or two.     No. Yes blackhat/defcon/bsides for the content and the networking 
local conferences or meetups mostly for the networking with people on your area
Portugal / Europe
58 7+ years Reverse engineer, Exploit developer, Malware analyst No, but it helps Bash Scripting, Python, C No SANS/GIAC, Offensive Security (PWB, AWE etc)             Yes   USA
59 7+ years Penetration tester, Reverse engineer, Malware analyst, Sys-admin Yes Bash Scripting, Python, C, PHP, C++ No   It was a natural extension of my education. That 90% of the tools are useless. Learn as much as you can, practice, code, and use as few frameworks as you can. Mobile security. Don't do evil. It depends on which companies are involved in the process. Yes   Croatia
60 1-3 years Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, Assembly Yes - but only to get through HR EC-Council (CEH etc), CISSP I started listening to podcasts at work, and then I picked up more and more podcasts, and eventually I ran out of pure linux casts that were not full of twits, so I went to security as well. From there everything kind of exploded. Assembly, and that merely getting a couple certs won't get your foot in the door like you think they will. It isn't some magical world of "Get an OSCP and get a job" Meet everyone, and don't play politics as much as possible. Drones. Yes, when meeting Robin Wood, don't stand there like a drooling idiot in a starstruck manner. (Sorry about that) Negative Ghostrider, the port scan is full. Yes Currently I have not been to too many conferences so I feel that my word here is not the gold standard, however I would suggest every BSides event you can manage to go to in your area, as well as DerbyCon. I would personally skip out on DefCon unless you are just there to party. USA
61 7+ years Vulnerability auditor, Penetration tester, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Python Yes SANS/GIAC It became a natural next step from my sysadmin position.  I moved into log analysis and incident response.  I found that it was hard and moved to the red side after that. :) How much work it was. Keep exploring no matter what. Mobile Don't be shy. No! Yes DerbyCon, Shmoo,SANS.  This provides an excellent way to network and become a known entity. US
62 4-7 years Policy writer, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Python, C++, Batch Scripting, C# Yes - but only to get through HR CISSP Started working for a payment card transaction company after I'd designed and created the entrance system used at a Scandinavian Masters event in Sweden, 2003. How to write proper policies and procedures. To be more patient and open-minded. Try to think outside the box. And start to enjoy writing reports because you're probably about to create a few of them. The mobile industry. We see security issues every day with botnets, malware and security problems. Awareness is the key, but lousy programming isn't a good excuse.   No. Only practice in controlled environments in case #%&!* happens. Yes NIST, RSA, BlackHat. 
To meet and greet with the professionals in the industry - exchange ideas and raise awareness. And for laughs too, of course.
Stockholm, Sweden
63 4-7 years Reverse engineer, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Ruby, Python Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc) I started in IT Consulting and gradually gained more security-related contracts like Firewall implementations/management, IDS monitoring/tuning, and eventually incident response.  Many of the organizations I would consult for had well-established IT departments, but very few had any security roles. Business skills are more important than technical skills. Do it for love of what you do, not to make money. The money is good, but if you really enjoy it, it's the best job in the world. Mobile security (forensics/malware/vulnerabilities). Spend a lot of time at a stale job where I wasn't progressing or learning anything new. I should have left sooner. No. Yes Any conferences that have technical talks and especially CTFs or challenges.  Sitting down with like-minded people to take on technical challenges is a huge boost to motivation and skills.   
 
Shmoocon and Defcon have exceptional challenges and CTFs
US
64 1-3 years Policy writer, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Python Yes SANS/GIAC Started reading Richard Bejtlich           Yes Bsides - Cheap and great networking potential USA
65 7+ years Log analyst, IDS/Firewall admin, Sys-admin, Developer No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, ASM Yes - but only to get through HR Vendor specific, SANS/GIAC, Offensive Security (PWB, AWE etc) Cracking copy protection systems on the Commodore Amiga. Writing an underground disk magazine and writing articles about US Hackers (MoD, Sundevil, etc). Spending too much time on BBSs. 
 
Later on: being in the right place at the right time (having Linux skills in 1997, basically), rapidly getting sysadmin jobs and taking the lead on security issues early on, then going full-time infosec from there.
That this cyberwar shit would get this big this quickly (so I could get out of infosec sooner and find a less stressful gig). 
 
That the great majority of people in Infosec aren't as smart as you think they are, and I should have had slightly less humility and more ambition, younger in life. 
 
That the 'good ideas' I had early on, really were ahead of their time, and I should have stuck working on them: now other people have the credit for inventing them
Pentesting might stroke your ego for a while, and will certainly teach you a lot of good shit, but the world doesn't really need more pentesters right now. If you want to make an impact, there are plenty of unexplored areas in Infosec right now, that need more smart minds working in them 
 
Don't be ashamed to pay your dues in sysadmin (to see how admins work) and tech support (to see how users work) first. These two groups are the source of all your problems in infosec. You should walk a mile in their shoes. 
 
Don't be too eager to start your career in infosec. We old-school infosec people don't trust people who 'went to college for infosec' very much; we find your skills narrow, and your thinking narrower.
I'm biased here, but the world of incident response and monitoring technologies and processes is due to explode, now that everyone starts to accept that unmonitored controls don't do a damn to defend anyone from anything. It's really easy to become very emotionally involved in doing what is right at all costs, in the infosec world. Remember that Security is not the most important thing in the world (it really isn't) and learn to be flexible with your choices career-wise.  
 
I spent a lot of time early on, fighting the wrong battles, and getting fired over Pyrrhic victories... 
 
At the same time, know where your line in the sand is.... bend like the reed in the wind to anything up to that point, but when you get to that line in the sand for your personal ethics, don't break down for anyone. There's no shame in being fired for refusing to violate your own ethics.
Sorry kids, you missed that window. In the age of ubiquitous, cheap computing and advanced VM technology, you have no excuse any more. We did it out of necessity, but that was 20 years ago. 
 
Once again, you have no need, or excuse any more. Anything you could possibly want to test your skills against now, you can just as easily build in your own bedroom now.
Yes Small stuff is usually better. I personally love SOURCE. Defcon is mandatory early on in your career: the sooner you get an exposure to large numbers of smart, noncorporate people, the better. USA
66 7+ years Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, Researcher I know some that don't but it's a big glass ceiling Bash Scripting, C, PHP, Java, C#, Those are the ones clients want, I think the key point is to have language agility Yes CHECK Team Leader (CREST/Tiger Scheme) Started off as a developer, then worked as an admin, then as an internal operational security on a financial UNIX estate, before current role at a security consultancy. Computer Science stuff is useful if you end up doing research.  Good research should always have academic vigor.  Peer reviews etc are all part of a good research project. 
 
From a pentest perspective, I don't own the risk, that's the client's responsibility.
Do something else in IT for a while, security will still be around when you're done and you'll enter the food chain with skills that make customer interaction easier.  It's much easier to go and talk to internal folk, if you've been in their shoes and worked on the same technologies. Nothing that I want to share. Lots of small things, but nothing reproducible.  I think I've been incredibly lucky with how things have worked out for me. Not if you want to remain "at large".  At least in the UK, the CMA will come into effect, even if your own personal ethics don't. Depends on the conference and your areas of interest.  The industry moves faster than the conference circuit but if you're smart you'll see stuff that's useful. European conferences tend to have a better spread of pure tech vs social and political implications IMO.  I'm not a big fan of soft skills / tool talks.  Give me the dirty research. UK
67 <1 year Vulnerability auditor, Penetration tester, Malware analyst, IDS/Firewall admin, Sys-admin Don't know Bash Scripting, Python, PHP, Java Yes - but only to get through HR Don't know N/A, not currently working in IT industry. Start early, I'm 29 and not so easy now to take on a new career from scratch, and the associated pay drop. Also sec industry has diversified so much in the last 10 years it is difficult to get an overview of what jobs are available for the inexperienced, and the technical advances have made for a steeper learning curve to get into the industry. Find out specifically what sector you want to be in before doing anything else, although any knowledge is good knowledge. Mobile security/apps. Also web apps will become interlinked with security and a lot of developers and web designers will have to learn about security to keep in the job sector they are in. Not continuing programming when I was in primary school! Recognize your talents and keep working at improving. Companies with a web presence should take more responsibility for their own security. A car driver has a responsibility to ensure their vehicle is roadworthy and an MOT proves that at the time of test, sites which collect user data and especially cc data should also have a mandatory pentest and cert to prove 'webworthiness.'  
 
I do not agree with practicing on sites you do not own, but there is so much info available about a site's webserver, db etc, it can become a trivial task to actually access a site after doing some homework, also for kids learning about the web, it may be too much temptation if they have an inquiring mind. In some cases there may be no intention of doing damage, but the hacker/skiddie may suddenly realise the implications of getting caught, and may just delete everything they can access.
Yes Any available! Also user groups (linux), OWASP etc United Kingdom
68 7+ years Vulnerability auditor, Penetration tester, Malware analyst Yes Bash Scripting, C, PHP, C++, Java, Batch Scripting, C#, RPG, COBOL, TAL, FinacleScript Yes Offensive Security (PWB, AWE etc) I started by programming web applications and reading books Salary... and the existence of feeds of security sites like CVE, security focus, full disclosure, open source security, etc. In this country: Do not start, I only work for art's sake. Malware analysis on mobile devices. Yes, I spent a year doing intrusion on web servers, there is a lot of experience there, but it is not legal. No, it is prohibited by Colombian legislation, you have to be certified. Yes   Colombia
69 1-3 years Vulnerability auditor, Penetration tester No, but it helps Bash Scripting, Python, C, Java, LISP Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) I was fortunate enough to be able to run an independent IT consulting / managed services business for almost a decade outside of my previous day job. This background, plus an eventual MS in InfoSec and strong soft-skills, allowed me to look good enough on paper to get the interview / job. 
 
Oh yeah, luck had a huge part to play as well.
Formal education is great, but it probably didn't prepare you for the realities of InfoSec. Certifications are mostly crap. Network with the pros and ask lots of questions. Mobile I didn't start applying for jobs early enough and not enough networking with people already in the field. Only for completely passive activities - still with great caution and a firm grasp of the law. Yes BlackHat 
DefCon 
Bsides
United States
70 7+ years Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, C#, Perl Yes EC-Council (CEH etc), CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc) migrated from Sys Admin into firewall management / InfoSEC (mainly worked in ISPs) Nobody knows everything about everything. Become a specialist in a limited field and that will be useful and have some longevity. 
 
Jack of all trades is hard to maintain.
Don't buy training certs for the sake of it, they mean nothing unless you have firm foundations in InfoSEC. InfoSec and anything internet connected is a constantly attacked and moving target. 
 
IPv6 will create a lot of headaches for lots of people
Paying for a CISSP bootcamp out of my own pocket. no, not ever. Yes BSidesLondon (it's free!) 
#dc4420 (free apart from cost of beer) 
InfoSec (free apart from registration and spammy after calls / emails)
UK
71 4-7 years Policy writer, Log analyst, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, PHP, Batch Scripting Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Necessity. 
I worked helpdesk for a non-profit, and after one time assisting our VP of Technology (an MBA with no IT experience) do incident response, everything security related flowed through him to me.
The relevance of physical proximity in security. 
 
(I can hack you in the cloud from across the world, but if I can walk in and carry out a box, I don't have to)
Network. 
Get to know people, and get them to know you. 
 
People answer n00b questions much more willingly when asked by someone they "know", however slightly.
Embedded devices. The more letters after your name the better, even if you don't think the courses/classes taught you a single thing. 
 
HR is a stumbling block best avoided from the get go.
No. 
 
Especially when you can often get that permission by agreeing to parameters, and to share your results with their IT department.
Yes All IRL contact with people in the industry is beneficial.   
 
That being said: 
 
80% education 20% networking Usenix ATC 
50% education 50% networking: BSides, Shmoo, C3 
60% entertainment 20% networking 20% FUD: defcon/blackhat
East Coast, USA
72 7+ years Vulnerability auditor, Penetration tester, Exploit developer It depends. App pentest, I would say yes. Network pentest, it helps. I think you can HELP pentest without all the rest, but eventually you need to script to data parse if nothing else. Bash Scripting, Windows Powershell, Ruby, Python Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I was moved from a systems administrator role to Incident Management against my will. From there, I became a compliance jockey. From there, access controls. Then one of the managers I knew there gave me a chance doing his old job as a Vulnerability Management Engineer. No one is going to teach you or sponsor you for training. Take charge of your own life and invest in yourself. SANS work study or self study is the only way to cert solo w/ giac. How to build a home lab, what to do to learn. The industry needs more guidance here. Be a sysadmin or network admin or DBA first. Or, if you want to do Audit, be a business analyst first. Don't skip the hard work, or you won't have the basics that make you useful in infosec. It's not about breaking stuff; it's about making sure it gets fixed. And that means knowing how it should work, not just how it shouldn't. App pentest is going to continue to grow, as well as "cloud assessment". I see Risk Management as being the largest area for corporate buy in. Tools automation and programming will eventually deprecate pentesters. :( I waited for it to come to me instead of going out to get it. I didn't know what I wanted to do and thought I'd figure it out "later." A lot of wasted time and crappy jobs from that. Talk to people doing what you think you want to do. Shadow them. Be sure. Noooooooo. 
 
Stage your own lab. People get pissy and will lock you up. The legal system doesn't know shit about computers. What you call harmless could get you sentenced to jail by a jury of Luddites. Easily.
Yes Bsides- cost and social networking ops. Derbycon, cost and content. Cansecwest, content. Local ISSA chapter meetings/conferences, networking. USA
73 4-7 years Vulnerability auditor, Log analyst, IDS/Firewall admin, Sys-admin Yes PHP, Batch Scripting, Perl Yes EC-Council (CEH etc), CISSP, CISA I was always addicted to computers and how "technology works". I started slowly to be interested in pure security in parallel to my daily job. Then, I was hired by a security consultancy company. Don't focus on "technical aspects" but also the "business". Passion & don't count your time. Mobile devices, social networks, IPv6, "machines" connectivity (SCADA, cars, etc) See #1. Some countries allow some don't. It could be helpful if vulnerabilities could be reported without being scared of prosecution. Yes Defcon - The "one" 
BruCON - I'm from Belgium 
BSides* - Free and good quality
Belgium
74 7+ years Vulnerability auditor, Reverse engineer, Malware analyst, Log analyst, IDS/Firewall admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua, VB, C#, Everything Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc), Anything to get your door open and you in the role you deserve Military, but with no promotion prospects or continued use of my skills I broke free and spread my wings. Now I am in control of my own development, learning and everything. To be strong enough and smart enough to know I was being used to make my superiors look good. You will be used and someone will take your credit, don't let them. Use the eyes on the back of your head. Stay on top of everything you can but don't hold on too tight or it will break away from you. I am biased toward intrusion analysis I see big things there. Trust and faith, people will do you over just to look good and make money. 
Watch out for yourself and make sure you come first; don't sacrifice your well-being for others, it will only hurt you.
No, never without explicit written permission from an authority that can give that permission and authorization. Yes Again, everything inc. BSides, Defcon, BlackHat USA and EU, RSA first, and super secret get-togethers; you have to get on the exclusive lists and attend all the after parties, a lot of work is done out of hours. UK
75 <1 year Sys-admin No, but it helps Ruby, Python Yes CHECK Team Member (CREST/Tiger Scheme), CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Started early in my IT career when I was given a copy of LANalyzer and worked out I could read all the telnet traffic for our main mainframe system (NHS system with patient details). I wrote a paper on how a "hacker" could make use of this information and based on that report the NHS trust upgraded to switching hubs. 
 
After that I dabbled over the years in different things, managed firewalls, VPNs, secure wireless networks, that sort of thing. 
 
Decided this year after 15 years in IT to focus more on InfoSec related areas and build on my knowledge. Currently learning various tools starting with MetaSploit.
A good reading list 
Concise information about which certifications are worth it and which aren't 
A good forum or website to meet people and share ideas (not one full of people asking how to hack their girlfriend's Hotmail account) 
A list of basic requirements for each area of InfoSec (pentester, malware analyst etc) and yes I know it would be a big list
Don't give up, try to focus on one or two areas and work to improve those before moving on. Reading "general" InfoSec books is good but you need to know how to use the tools of the trade. 
 
Try and work out what you want to achieve and research. Google is your friend, make the most of it. 
 
Join Twitter and track down some of the more reliable twitters and listen to what they say (don't be afraid to have your own opinions). 
 
Start a blog.. not for fame and glory but more for keeping a record of what you learn. Doesn't matter if no one reads it, do it for yourself.
At the moment there is a lot of internet chatter about DDoS, website defacement etc, I think areas such as pentesting will continue to be important. I also think there will be an increase in malware and attacks designed to steal information. Losing focus and not pushing myself to learn and develop. No, that's what VMware is for, there are some things that might be in a gray area such as port scans, but don't risk it. Practice it in a safe controlled environment, use wireshark or an IDS to get a good in-depth view of what is happening when you try something. Yes InfoSec Europe (gives you a good idea of the available vendor products) 
Local OWASP meetings (even if you don't write software) 
Local BSides (it's a good way to hear ideas and meet like minded people) 
DefCon (who wouldn't want to go to Vegas)
United Kingdom
76 4-7 years Vulnerability auditor, Reverse engineer, Exploit developer, Malware analyst Yes Python, C No   At first, by cracking stuff, I wanted to do something my brother (a C and assembly programmer) didn't want to do. I didn't know any language. 
 
Then I went on irc (best place to learn) and I learned assembly, C and python to dev my own tools. 
 
I continued to study protections and crackmes, each time a little bit harder than the previous one. 
Some years after I played some CTFs and tried to fuzz/exploit things to improve my knowledge in vulnerability auditing, exploitation and exotic platforms. Went to conferences, met some guys irl etc. 
 
Now I work as an IT security researcher. 
 
You can use all I said but please don't directly cite any of this stuff in your paper.
Nothing, really, you learn well when you discover things and try to do them on your own. Be a student, to learn security you don't need courses or certification, you need to spend a LOT of time in discovering things on your own and by practicing. Go on IRC, meet guys who do the same things as you or things you are interested in. DO NOT try to know everything, focus on one specialty. (English is not my specialty :p) hmmm, no, sorry Well, yes if you don't get caught. I started to learn reverse engineering by cracking stuff as 90% of reversers I know (the other part wanted to develop a rootkit). 
But don't pass all your time on it and don't be proud of it :)
yes but not for the conferences, only for the people. All technical ones :) because as I said, the most important is to encounter people who are interested in IT security. (no ISO/certified crap stuff, or at least for me) Europe
77 7+ years Reverse engineer, Malware analyst, Log analyst No, but it helps Bash Scripting, Ruby, Python, C, PHP, Java, Batch Scripting Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CompTIA (Security+ etc) Lived in very rural area, used BBSs to connect to others. Joined piracy/cracking groups, then went legitimate route at 18 to secure networks. When to shut up and watch others at work, learning from their actions before I tread forward. Only get into it if you have a passion for it. Otherwise you'll be beaten and burned out quickly. Mobile device and centralized account management attacks   No, too much risk of your actions being misconstrued as a crime. Yes Local BSides to find locals to build networking ability.  
DEFCON to network with others from wider regions. 
DerbyCon because it rocks.
USA
78 7+ years Vulnerability auditor, Penetration tester, Sys-admin, Incident response Good shell scripting can get you by, but to write good shell scripts you can usually program Bash Scripting, Ruby, Python, C, PHP, Java, Batch Scripting, C#, NO PERL? WTF! #FAIL Yes - but only to get through HR CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, Offensive Security (PWB, AWE etc), Certs are useful if you learn from the training, otherwise: MEH By curiosity as a kid. Learnt programming, learnt operating systems, read files from BBSs about hacking. Stopped blackhat stuff once some mates got in trouble with the law over hacking. Kept it grey/white hat since. Coding/reading while working as a defender. Decided the other side has more fun, changed careers and now a pen tester. Still reading and coding in my "spare time". Learn as much as you can all the time. Once you have kids there is no time left for learning until they grow up. Write a blog, post blog entries about things you think about, discuss with others and like to work with. It gives you visibility in the industry which is small enough that people can learn your name very quickly. 
 
Write or contribute to open source or open materials (owasp, exploit db, osvdb). 
 
All of the above shows your interest in the industry, your mindset/skillset can quickly be vetted by your open source contributions and project affiliations can again help your visibility in the industry. AND YOU'LL LEARN A LOT FROM IT! 
 
The old saying is still true: Hire for passion, you can always teach skills.
Mobile anything, web anything Don't let it get personal, the industry is full of pariahs that couldn't handle some trolling and are now shunned by the industry. Also, know your skillset and don't punch too far above your grade. In an industry where your skills largely determine your merit you can quickly go under by not meeting expectations. It's ok to say I don't know how to do that, but I'll find out, or can you teach me how to do that. As a general rule; No, it's not worth the risk. Yes Any conference that focuses on your preferred specialization area is likely to result in increased knowledge, network and job opportunities. AU
79 7+ years Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua Yes Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, Offensive Security (PWB, AWE etc), OSSTMM certs Security guy for my last job asked me to help identify where we were exposing too many services. Started with printers and a PingPro scan and it just escalated from there. I then took over the organization's default Windows build docs, started doing assessment work and moved over to the security team after a year or 2 of doing security in a non-security role. Key point, don't wait for a security job to show your org you care about security and have/develop the skills to create security value add. How much past indiscretions (background) would hinder me in future employment Don't wait for a security job to start doing security work. Mobile apps Staying in a job that is comfortable. If you are not learning every day and challenging yourself, you are only hurting yourself. Go for the hard stuff, don't be scared. It's OK if all you are doing is inspecting elements that are freely viewable by anyone on the internet (inspecting HTTP responses, view source, certificate details, zone transfers, etc), but the minute you take this information and do something with it without permission then you have crossed the line. Yes DerbyCon, DefCon, B-sides, ShmooCon, and other low cost conferences provide significant value. Avoid BlackHat and RSA like the plague. Waste of training dollars. Good content but 4 "hacker cons" vs 1 RSA is a no-brainer from a value perspective. US
80 7+ years   No, but it helps Bash Scripting, Windows Powershell, Python, C, PHP, C++, Java, Batch Scripting, VB Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Before I got a job working in security I just messed around with it, ex-software pirate etc.. but I got a job working for a security software company as a tech support person, and they encouraged me to expand and provided training. Getting out there and meeting people, now there is so much information on the internet.. back in my day, there was no internet, just BBS and text files that were 10 years out of date :) Learn about as much stuff as you can, don't limit yourself to one subject.. research every thing and any thing, and don't be afraid to ask questions.. as long as it's not.. teach me to hack :)   not networking sooner, not attending free events like DC4420, Bsides (ok they didn't exist back in the day). Personally, I say yes.. BUT!! I only 'practice' on sites without permission if I use that site, I don't agree with testing on sites I have no reason to be on.. for example, testing my local council site is ok, as they hold my information.. but testing on Wiltshire council is a no.. and if you do find a hole then report it with correct disclosure. Yes All of them depending on your budget and location.. the security conference is just half of the experience.. just meeting people who are like minded can also be very beneficial UK
81 7+ years Vulnerability auditor, Policy writer, Manager, Risk management No   Yes Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc) First started in IT on a help desk.  From there learned as much as I could about operating systems and networking (SNA and TCP/IP).  Slowly started supporting servers and security products.  Eventually went into security full time as a manager. More risk management and fundamental security concepts. It's difficult to start a career in information security without first having a background in IT.  All too often, people look to security for experience. Risk management Be more supportive of the business.  We are not necessarily there to say "no".  We are there to explain the risk and recommend options.  If the business makes an informed decision we've done our jobs.  Learning to get over power struggles is important.  Know when to stand strong but also when to acknowledge that the business will need to acknowledge and accept risks. No. Yes   Canada
82 <1 year   No, but it helps C++ Yes - but only to get through HR   I'm in the process of exploring new opportunities in the Security field, I'm not in it yet           Yes   Texas, USA
83 7+ years Vulnerability auditor, Penetration tester, Manager, PCI auditor Yes Bash Scripting, Python, C, PHP, language less important than programming ability Yes CISSP General interest while in college, was hired post master's degree. How much compliance drives the industry. 
You will live in hotels.
Be passionate and learn to be personable. 
Join a group such as ISSA and meet lots of security people.
Cloud, mobile, and hacking hospitals. Not spending enough time on project management. No. Not worth the risk. If you get caught you could damage your career. Yes DEFCON is a favorite. Conferences are useful because they give info about cutting edge topics and demonstrate to potential employers that you are committed to infosec. USA
84 7+ years Penetration tester, Policy writer, Log analyst, IDS/Firewall admin, Sys-admin, Security Architect I think you need to have a basic familiarity with multiple languages Bash Scripting, Ruby, Python, C, C++, Java, VB Yes SANS/GIAC I started reading about it during the dot com bust, and added some basic security services to my part time consulting business.  Several months later I answered an ad posted by a company looking for a part time systems administrator.  There was no detail about the company in the ad, and when I got the call for the interview I found out that I would be working for SANS.  I turned the part time position into a full time one and learned all that I could. I wish I'd had a better idea when I started of how to communicate to non-technical people.  I spent more time than I should have trying to push tech policies through without properly communicating the need to the non-tech groups. Be tolerant of the non-techs, teach them, but don't talk down to them.  Be aware that sometimes, the business needs trump security best practices. I think cloud security is the next major segment.  Users are pushing more and more information out of their control, securing and managing that data is only going to get more important. On a couple of occasions I have allowed myself and my department to be seen as impediments rather than helpers/protectors.  Don't let yourself be put into the position of traffic cop, or the department of "No".  If something can't be done the way the user wants, try to come up with alternatives that get the same result as securely and as easily as possible. No, never without explicit written permission from someone who has the authority to give you such permission. Yes Any technical conference where new and interesting information is being presented.  The big names cost a lot, but are usually worth it, but the smaller conferences like Bsides, can offer a huge amount of valuable information. USA
85 7+ years Vulnerability auditor, Penetration tester, Manager, Malware analyst, Log analyst, IDS/Firewall admin No, but it helps Windows Powershell, Python, PHP Yes EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I had always been interested in computers and "hacking", and when I was young I was very fascinated with the phreaking scene.  I tried to stay up to date with what was going on in the underground, using sources such as BBSs and zines such as 2600. 
 
A long time ago I worked for the helpdesk, and the company that I was working for had an "AntiVirus Team".  This team wanted someone from the helpdesk as a representative on the team. Because I had experience removing malware they asked me to join the team.  This was my introduction to the Corporate Security team, and when they had an opening on the incident response team I applied and was selected.
More programming skills.  Regardless of what people say, you should start there. Find a niche that you are particularly interested in and focus in on that.  "Security" is an extremely broad word, and you can go in circles if you try to learn it all.  Once you become good at that niche, you can decide to become an expert in it (and push the research forward) or move on to something else.  Now you will have two skills. :) Mobile It is ok to be curious.  It is a felony to commit crimes. It is ok to be curious.  It is a felony to commit crimes. Yes Shmoocon 
DerbyCon 
Defcon 
 
It is less about the talks, and more about meeting people.  These are the people who are shaping security as we know it, it is best to get in good with these folks.  Everyone has something to teach, as well as something to learn.  Try to do both at these cons.
United States
86 4-7 years Vulnerability auditor, Penetration tester, Policy writer, Reverse engineer, Sys-admin Yes C, C++, Batch Scripting Yes - but only to get through HR EC-Council (CEH etc), CISSP, Offensive Security (PWB, AWE etc) Network and Systems Administration You need to network! 
Networking is key
Don't get into it for the money Anything with Mobile Security no I would say no because if you get caught doing something it's game over for your entire career. Yes Defcon, Source, Shmoo United States
87 7+ years Log analyst, Consultant/Vendor Yes Bash Scripting, C, PHP, Java, Batch Scripting, VB, Perl Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP Floppy viruses in the early 90's and the Atlanta 2600 group.           Yes RSA is good to get a business landscape.  Shmoocon and DefCon to get the hacker mentality. US
88 7+ years Vulnerability auditor, Penetration tester No, but it helps Bash Scripting, Python, Batch Scripting, Perl Yes - but only to get through HR SANS/GIAC, Offensive Security (PWB, AWE etc) Independent vulnerability research and offensive technology research, freelance pen testing, and an internship with a pen test shop. There is great incentive for vulnerabilities to be ignored by those who created the products. Do not expect vulnerability reports to be handled well, or nicely, or in a timely fashion. Expect a fight.   Mobile security. The "cloud" is popular and will continue to be, but it's not really a big change. Mobile applications are becoming hugely popular   I think it would be OK to do so if it were easy not to damage your target, but even a vulnerability scan can do serious damage. Even temporarily overloading your target with traffic can cause real financial damage. Yes SOURCE, because it focuses on combining business and security folks. 
DefCon, because it's a long standing con, cheap, and if you're going to meet people in infosec, it'll likely be at DefCon.
US
89 4-7 years Vulnerability auditor, IDS/Firewall admin, Sys-admin, Generalist Yes Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting, The ability to understand them. Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) This is hasty.   
 
Long time interest, Did internships, worked at tech shop, worked in NOC, was promoted to security engineer.
#1 Scripting/programming 
 
#2 More Business knowledge 
 
#3 How amazing people are at doing security badly.
Work hard and passionately enough that you attract mentors. #[buzzword]# Binge drinking in college.   
 
Getting discouraged and not pursuing my passion.
That is a really really bad idea.  Even if you're young enough to be in high school.   
 
Personal experience!
Yes Defcon -Huge, famous 
 
Derbycon - Smaller awesome 
 
Thotcon -Small cheap (if somewhat local) 
 
Probably many more.  I have limited experience attending all of them. 
 
Phreaknic, skydogcon, notacon, outerzone, etc (worth it if you're somewhat local and you like the community)
United States
90 1-3 years Penetration tester Yes C, PHP, Java No   Used to play a lot of hacking challenge games, such as net-force.nl and other sites on www.wechall.net. 
When I was searching for a job I typed in "hacker" in a job search site and 1 job showed up close to me. After applying I got the job right away.
It's all about web, low level ASM is nice but not very useful. 
Also, 9/10 sites are crap and vulnerable.
Learn to program then to hack, not the other way around. Also play a lot of online hack games that require you to use XSS, SQLi, XSRF, etc. Phones. Also learn to report, not just hack. No, enough of legal sites out there where you have permission. Yes Very technology heavy ones like CCC. The Netherlands
91 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, Reverse engineer, Exploit developer, Malware analyst, Log analyst, IDS/Firewall admin To be effective, you need to learn bash, python, or Perl (a scripting language). Bash Scripting, Python, C, VB, Perl Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Military. Marines. Taught the basics then went to a 4 year university where my knowledge became more generalized. Learned Java, VB, COBOL (yuk), and C. Then graduated worked for the big 4 doing SOX, FISCAM, FISMA audits. Moved to a consulting firm where I took Offensive Security courses and taught myself python after work. Now I work in operational security writing custom SIEM rules, NAC rules, sourcefire rules, do RE on malware and COTS products and conduct pentesting on new builds, and incident response when needed. So my experience and lesson is, get exposed to everything and learn the basics. I have a total of 16 years exp in the industry. Bash- but you have to start somewhere. 
That every exploit released/discovered is due to experience, persistence, or luck; or all three. If you don't have experience then persistence is a requirement.
Don't quit, and don't get stovepiped into one expertise for too long. You'll get burned out and want to go into management. ;) The use of darkness technologies to mimic the open cloud technologies we see now that are vulnerable to SOPA type regulations. Tor/i2p etc will continue to mature and will grow into the 2nd Internet out of need. Start early. I waited until my 20s to get into security. Yes/no. I don't see scanning as bad; however with the free software that is out there you can build your lab and test against your own domain/sites etc.  It's better to be safe in this realm than serve time in jail because you wanted to learn. Yes DerbyCon-small,cheap, and great to meet the other serious professionals (nonmanagement types). USA
92 7+ years Vulnerability auditor, Reverse engineer, Exploit developer, Malware analyst No, but it helps Bash Scripting, Ruby, Python, PHP, Batch Scripting Yes - but only to get through HR EC-Council (CEH etc), CISSP I studied computer engineering in college in a state with a large military-industrial complex. I was campus-interviewed and hired by a defense contractor. The rest is history. I wish I had known how to negotiate my salary. Move to northern VA or central MD and get a security clearance. Mobile (ARM) application hacking. For real this time. X86 isn't going to be running on personal systems much longer at this rate. Don't limit yourself to something you're good at. Keep working on the things you are not yet good at. Not if you go past the front door. Finding a vulnerability doesn't require exploiting it. Yes BlackHat, because even though it is too big and diluted now, it has always had the best speakers and trainers. USA
93 7+ years Vulnerability auditor, Penetration tester, Policy writer, Log analyst, IDS/Firewall admin Yes Bash Scripting, Windows Powershell, Ruby, Python, PHP, Lua, VB, ECMA in general Yes EC-Council (CEH etc), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP Started doing tech support, actually, for a vendor. Became passionate about security and eventually got CISSP. Have worked mostly for vendors but have also worked in "inside" IA. How much women are unwelcome in this field as anything but window dressing. Seriously. Get a degree if you want but what's really important is practical experience...that and who you know. Also, if you're a woman, prepare to be hated. Meh. I see the same things recycled over and over again, honestly. Hm. If I could go back and do my life over, I'd keep going in Maths. It's the one area where I feel deficient. NO. That's a lawsuit asking to happen and it is NOT ethical. Yes If you can only make one, make it a hacker con. USA
94 1-3 years Vulnerability auditor, Penetration tester No, but it helps Bash Scripting, Ruby, Python, C, PHP, Batch Scripting Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I found I enjoyed, and I applied for security work. The programming Languages are valuable. That security has many sub groups, that are completely different. Find what you love, and follow it. don't go after what the new hot thing is. mobile be completely open about where you are working. No Yes Shmoocon 
Brucon 
 
Small cons so you have chance to talk to the speakers.
USA
95 1-3 years developer Yes Ruby, Python, PHP Yes - but only to get through HR EC-Council (CEH etc), CISSP Showing interest around the office, advocating often.         Ha ha ha...no. Yes   USA
96 4-7 years Policy writer, Log analyst, IDS/Firewall admin, Sys-admin I would say no, but having seen some of the reports that we get back I might change my mind.   Yes SANS/GIAC Developed an interest a number of years ago while working as a sys admin/network engineer. Outside of work attended SANS training as a volunteer and earned GIAC. Followed up with other SANS certs through the work study and volunteer route. About 5 years ago earned my CISSP. That organization was not big enough to have a dedicated security person so about 3 years ago applied for a job with a different organization and was able to use my certs and experience to get a job in security. I have to say having the helpdesk, sys admin, network engineer background was great for experience and helped give me "street cred" with the teams I interact with now. I have an idea of where they are coming from and am able to work with them on solutions that meet both needs.   I think particularly if you are going to work on defense having a broad background is almost necessary in order to effectively work in an organization. Security has broadened out so know about yourself and what environments you will be successful in, then pick an appropriate area. Also security is a field that is always changing and requires constant learning. If you are looking for a field where a few years of intense study and work gets you 30 years of career this is probably the wrong field. However if you like change and continual learning, jump in. The same as it has always been - people and businesses want things now and security is of little concern until the cat is out of the bag so to speak. Figuring out how to balance and mitigate those risks is always going to be a "next area" Waited too long :-)  Security is a blast. It's always changing and never the same. NO!!!!!! Though I guess I should temper that with what you mean by "practice". Yes Derbycon, Bsides United States
97 7+ years Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Python, Batch Scripting Yes SANS/GIAC, CISSP Started as a Computer Technician, specializing in Apple.  Was given an Apple server to take care of because the Admins didn't think it was a worthwhile endeavor.  I started hardening it because the students did what they wanted with it.  Moved into Windows Admin because the Unix Admins thought it was beneath them.  Again, the students had free reign of the systems, so I started hardening them.  At that time, I started becoming interested in Security. 
 
For my next two jobs, I was mainly a System Admin.  Since I was a one man show, security fell into my lap.  I hardened, scanned, and secured all the systems I was in charge of. 
 
I was finally able to get my big break as a Security Analyst after being in IT for about 10 years.  During my Sys Admin years, I was lucky enough to have bosses that would send me to Security related seminars.  I also took a few SANS courses and got the GSEC and GCFW certifications while I was a Sys Admin.
Concentrate more on some sort of programming skill and sticking with it.  Perl would have been great to know.  I remember when Python first came out...I wish I would have picked that up. Keep playing with the software that is out there and try to understand what it does, why it does it and how to defend against it. Maybe I am old school, but I still see a lot of room for improvement within the log analysis, SIEM arena. Not getting my degree when I first got out of high school. No. Yes SANS conferences, but it has been a while since I have attended any other types.  I always enjoyed the InfoSec conferences, but I am not sure if they are still around.  DEFCON and BlackHat are two that also stand out.  Whatever gets me thinking about new ideas is definitely worth it to me. USA
98 1-3 years Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer No, but it helps Bash Scripting, Python, C, Batch Scripting Yes - but only to get through HR SANS/GIAC, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) First I got a master's degree in InfoSec. After that I got my first job as PenTester.   To get involved in different projects and contribute, there are a lot of open source projects you can contribute to in different ways.     Absolutely not. There are enough practice labs out there that can help you to practice all the necessary skills, or you can build up your own. Yes   Mexico
99 1-3 years Vulnerability auditor, Penetration tester No, but it helps Bash Scripting, Ruby, Python Yes - but only to get through HR CISSP By solving web security challenges on www.hackthissite.org . Cool days..         No Yes DefCon and DerbyCon Tunisia
100 7+ years Vulnerability auditor, Penetration tester, Policy writer, Log analyst, IDS/Firewall admin, Sys-admin No   Yes EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) My start actually came as a systems administrator and network engineer, when I started trying to bring principles to our customers of deploying secure networks.  We weren't focusing on it as a company at the time, but I always tried to make sure good patching strategies were in place, proper password policy was developed, management of infrastructure equipment was using secure protocols, etc.  Later on I took a job as a network administrator for a large industrial mining firm, who had a really stable network, so I had a lot of time to play.  I began to conduct vulnerability scans, penetration tests, and password audits on the network in order to fill my days. I also started doing a lot of research and projects on my own, and participating in our local 2600 convention (PhreakNIC), and had the opportunity to do a presentation there. Eventually I took a security focused job with an international, publicly traded disease management firm. It is important to know how to work as a team, and how to deal with other people in your company on security issues in a constructive fashion, as they will not always take what you say as gospel. Don't start in information security.  Start with learning everything you can about networks, authentication technologies, Active Directory, web applications, Linux etc.  and then move into security.  Having a good foundational knowledge of how things work makes you a better explorer and assessor of how to make things not work, or work in a way different than expected, or where weaknesses may lie. It's all about the web apps now. It is important to accept the fact that mistakes will be made and to try to learn from them, and not blame other people or deny them. 
No, but when you get skilled enough, you will be able to see potential issues without doing anything malicious, and be able to communicate with the company/site about the issue and gain proper testing permission. Yes I would not recommend a particular conference, as all of them have valuable content, but one thing I would recommend is to attend both big cons (ie Defcon) and smaller, more social cons (PhreakNIC, ToorCon, DerbyCon, etc.)  The networking opportunities and the spontaneous discussions and debates that break out at the smaller cons are invaluable.  I wouldn't have the opportunities and contacts I have today without them. United States
101 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, Java, Batch Scripting, SQL, Assembler, etc... Yes - but only to get through HR SANS/GIAC, Offensive Security (PWB, AWE etc) Originally worked as generalist in IT, then as a Unix Sysadmin and Network Engineer.  Always had security as goal as I got kicked out of college course for "hacking".  That was 20+ years ago... There's no "right" way to get into security... There are just opportunities that you can jump at... Security is a mindset not a knowledge base.  You need to learn to think about how things break and you need to have that twisted mentality that sees the potential for exploitation in every situation.  This applies even if you never work as a pen tester.  You can never defend what you don't know how to exploit. Obviously mobile and consumerisation in general... The boundary model of security that most organizations still operate is no longer effective.  Security needs to be data-centric, secure your assets then work out... Yep! Don't get trapped into financial dependency... In other words, live within your means and you will always be in a position to walk away from bad situations. Emphatically NO!  It's not even ok to do it within your own company without permission. Yes Any SANS ones as they are focused on education... UK and Ireland
102 7+ years Vulnerability auditor, Penetration tester, Policy writer, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Python, C++, Java, Lua Yes SANS/GIAC I started as a system admin.  I wanted to better secure my systems so started to dive into proper configurations.  I also saw a need in managing the organization's firewalls and dove into that.         never Yes Any SANS conferences for the networking and practical information.  Blackhat and Defcon. USA
103 4-7 years Vulnerability auditor, Policy writer, Log analyst, IDS/Firewall admin Yes Bash Scripting, Ruby, C, Batch Scripting Yes SANS/GIAC, CISSP Web vulnerability scanning as an intern Save all the code that you write! Patience and discipline. Do your own work, self start. Find interesting thinkers in the field and absorb everything that they say/write. Break stuff and try to fix it. Also thinking about things in terms of security will always help. Hard to speculate. The industry is doing lots of things right, but some big players still rely on FUD to sell their products. Would like to see more nimble players with targeted toolsets make a difference. Do not move into management if you feel it is not for you. Stay close to things that you are interested in, so it does not seem like a slog. It is a risk. My advice: do not take that risk as a company, but you as an individual can choose to accept that risk. Yes BSides, local conferences in your area. Networking is interesting, seeing what others are doing. Black Hat and Defcon, too big and hyped, not as useful. US
104 7+ years Policy writer, Manager depends - I would encourage someone to at least know some scripting so that they would not bother others too much. Windows Powershell, Ruby, Python, C, C++, Java, C# Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, CISSP I got into security by originally breaking into things and well being generally disruptive in a Fortune 500 company while on the helpdesk in the early 90's.  From there started focusing on security, after seeing this huge hole that no department was addressing, and worked for consulting firms Andersen Consulting, etc.   
 
Also with your list of Job Types above, I have pretty much done all roles listed at one point or another during my career.  This is why I am now a manager/mentor.
How hard it would be to stay at the top of your game and have a family (with kids, not dogs as some security people prefer). Work your ass off!  Everyone else does so you better get used to it. Privacy.  Most privacy departments are bloated and really make zero impact on reducing risks.  I think that you will see that this will start to roll up into Information Security/Risk Management Departments. Don't trust anyone in Silly Valley (that place next to San Francisco).  Too many people have agendas and spend most of their time screwing others over.  In Silly Valley poor behavior is almost rewarded. Nope - Once you have something worth keeping - like family and kids, you realize that it is not worth losing.  Better off setting up your own systems for fun and learning. Yes ShmooCon, DefCon, maybe BlackHat.  Most vendor conferences are infomercials and truly waste time and money. United States
105 7+ years Manager, PCI auditor Yes Bash Scripting, Python, Lua, JavaScript/NodeJS Yes EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP, ISACA As a Network Engineer/IT Manager I was asked in 1994/1995 to curate the move of our company (D&B and D&B Software) online and onto the Internet. After getting Internet services from PSINet, I spent about a day or two looking at the traffic online and decided we needed a firewall. So I contracted a company to help build the first Token Ring based firewall - based on Novell's UNIX. As our use of Internet expanded, we moved to Check Point on SUN and started using VPN to connect remote offices at considerable savings and increasing network security in the bargain. How important it would be to use LINUX tools to generate metrics, presentations and data visualization. If you can't talk the language of business all the technical jargon you got won't do you any good. Learn two things: 1) the language of business and 2) how to gauge relevancy (i.e. some things aren't worth the fight because they aren't relevant to the business) non-network risk and threat assessment/business continuity. Yes - don't spend all your time trying to be uber-technical. Learn to HIRE people to do that part. no. no. no. no. no. no. Practice at home on your own network (or your wife's laptop). Yes SANS - because they're designed around hands-on activity 
BlackHat/DefCon/Schmoo - because they have very nifty presentations 
BSides-ANY - because they are where the action is now 
RSA - mostly for corporate-types 
DerbyCon - mostly just because of the organizers.
USA
106 4-7 years Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting, VB Yes SANS/GIAC, CISSP Went through the ranks tech to manager.  I was always anal about security, before it was cool. How one bad boss can ruin one's career. There is no loyalty in any company back to the employee.  They are usually being run by non-empaths.  Get every cert and other marketable education as insurance. Mobile security and cyberwar. Trusting the ones you work for, they could change and leave you out. No. Yes SANS, shmoocon, and any local con. usa
107 4-7 years Penetration tester, Policy writer, PCI auditor, IDS/Firewall admin, Sys-admin No, but it helps Python Yes EC-Council (CEH etc), SANS/GIAC, CISSP Government Regulation of Employers Industry   Get all the experience in Network Administration and possibly programming possible. Being able to communicate and present is key.     No Yes SANS, RSA US
108 4-7 years Vulnerability auditor, Penetration tester, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, Lua Yes EC-Council (CEH etc), CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) I wanted to know how to better defend the systems that I was administrating. 
That desire to learn quickly turned into an obsession and a passion for staying updated and informed. To know the latest exploits that were being used, and testing them against my systems to ensure that we were protected against them. 
That led to full-out penetration testing and Red Teaming efforts and before long, I switched roles from a Sys-admin into a Red Team analyst. 
I also had a desire to help other companies, so I created a private company to perform 3rd party penetration tests and vulnerability assessments to test the security stature of other companies.
Compliance standards and good reporting standards to show worth. 
How active the Twitter InfoSec community is.... it's priceless.
Start your interest and obsession in security far before attempting to break in. 
Experiment, test, secure, break, live it. It has to be a hobby for you to succeed, and I believe that a lot of employers are looking for that quality in their security individuals now.
same security landscape, but more need for trained security professionals When in doubt, don't. Ask a security veteran. No. There are many tools readily available to download to test against. Having to customize them to set them up as vulnerable testing platforms assists in the learning process as well. Yes BlackHat - to see the breadth of the industry. 
Defcon - to see where the true hacker's mentality is displayed. 
Derbycon - to interact with the superstars of the whitehat community face to face. 
Shmoocon - to see the public sector of the security industry represented in number.
USA
109 7+ years Penetration tester, Policy writer, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Ruby, Python, C++, Java, Lua No none A challenge from one of my customers, that I would not be able to penetrate their firewall systems Customers think they're safe until you show them otherwise, however when it fails, even when you warned them, it is your mistake. Get in bed with the operations and finance people (not literally, however this might also help) Cyber espionage/warfare, not on national level, however on corporate level. 
Data protection, internal and external
Always be honest, even if it can cost your job. NO, do not do anything on other people's systems, sites, locations without their explicit permission in writing. You can practise at home, your site, your laptop and create a virtual environment. All tools are available today. Yes - BruCON, near me, interesting and not too expensive 
- DefCON (never been), looks very interesting 
- BSides (never been, intention), looks interesting 
- OWASP (never been) interesting to exchange ideas 
- local activities
EU+India
110 4-7 years   No, but it helps Bash Scripting, Windows Powershell, Batch Scripting, VB Yes Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) How far back to go? 
 
When I took my university courses in Network Administration I found the security content to be fascinating. I acquired a security certificate out of that course (SCNP) as well as Windows and Linux admin (MCSA, Linux+). 
 
A couple of years as Network Admin, then some time in tech support for a different employer and a 'new' Security Analyst position was created to support the existing Security Specialist. 
 
I was working in IT, my security certification was current, I had a good reputation with my co-workers and I had been staying current on IT security issues and recommended processes. 
 
I won the position, and over years I have moved up to a senior position. 
 
It IS a situation where you need the chance, and it IS often who you know. But if you don't know Security, that won't help - it will be someone else who gets in.
I lucked out on this - but I didn't 'know' it. Study Security all the time. 
 
It will be very hard to find a Security position until businesses begin to realize how necessary it is right now.
If you are not in a Security position but want to be, prove yourself by demonstrating an interest. Study, train. Request courses that lead to certification. Don't fall for the whine that certs are just paper. The employers are using them to separate out the chaff and see who is working on their profession. But, you must have some kind of serious technical chops and experience to even show up on the radar!   
 
Learn Linux. The best security tools are based on it.  
Understand networks. Learn IP addressing, learn packet reading, understand security policy and disaster recovery issues. Learn how your business operates!
BYOD. 
Consumer based devices being used within the enterprise.
Not sure. No! Career limiting. 
 
Use the Safe to Hack sites. 
Build your own network and break that. (Great on your resume)
Yes SANS Conferences - Excellent presentations, outstanding courses, very useful networking. 
 
Black Hat - Bleeding edge information. 
 
Local or nearby Privacy and Security conferences - Learn your legislative issues. 
 
CanSecWest - Superb and near me.
Canada
111 7+ years Vulnerability auditor, Penetration tester, Log analyst, IDS/Firewall admin, Sys-admin, Incident response No, but it helps Bash Scripting, Python Yes SANS/GIAC After years of being responsible for Security as a Network and later Systems Architect, I got a break and was hired on as an Information Security Specialist. 
 
My observation is that getting a 'break' is the real in, for the Security Field.  Previous experience helps the sell, but really most positions are interested in knowing that you've had previous security titles.
* Programming in Python 
* Understanding that no one has anything figured out; So far it's very much a 'make it up as you go' industry still.  Don't let vendors convince you that anyone has turn key solutions.
Be prepared to work on communication skills 
Pick your battles 
Try to keep business justification in mind at all times, make sure you understand any available compensating control
... Sigh ... 
 
Cloud .* 
 
and  
 
More fundamental design flaw discoveries in embedded firmware based technologies
Not really. 
 
But I would recommend that people understand that emotional detachment is a very important virtue in our field.
It depends if you are doing it "anonymously" 
 
heh. 
 
Honestly, I think that it is fairly easy to setup VM's and VPS's to lab most everything you want to test.
Yes Blackhat - Good workshops 
Defcon - Social Networking is paramount. (Always learn from your peers) 
Shmoo Con - (Ground breaking announcements are always nice to see in person)
United States
112 4-7 years Log analyst, IDS/Firewall admin, Sys-admin Don't know   Yes SANS/GIAC, CISSP, CompTIA (Security+ etc) Worked as a low-level IT-tech and got an offer to "upgrade" to security administrator. After that, I got stuck doing access control stuff because no one else "got it". Got drafted into perimeter protection mostly because I knew some basic security concepts and some network stuff, and after that my interest really took off with trainings, etc. 
 
You could say I slipped in on a banana shell.
I wish I'd learned to code earlier. I'm doing some Perl and I'm looking to start learning Javascript, but man it's hard to find the time when you've got kids and a full time job. Be prepared to get disappointed. Not by the work in itself, but by those with power who don't understand, or want to understand, the need for security. Don't know if it qualifies, but IPv6 will be a blast. Some major integrity concerns there. 
 
Also, general web integrity issues will probably be big, as soon as the public starts to realize what being tracked across the web, on your tv, or on your phone actually means.
Once again with the coding. I should probably have educated myself more too. It's possible to break in only on being quick to learn and having an interest, but education is always a winner. Basically no, although I do appreciate reading or hearing about those who do. Yes Black Hat, RSA, probably Bsides too but I get the feeling you need to know people and be a certain kind of infosec person to be able to fully appreciate that. The major ones (like Black Hat and RSA) are good for learning new stuff, networking, but also because you get a motivational rush from it. Sweden
113 4-7 years Vulnerability auditor, Penetration tester, Policy writer No, but it helps Bash Scripting, Windows Powershell, Python, C, Java Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) I did a few certifications, and applied in many firms, got some offers from training institutes but wanted to be in main stream, then gave my first interview in an organisation with the contact I got from LinkedIn and cracked the interview, now I'm in. I wish I would know the organisation name either small or big players, and the roles I would expect to get as a fresher with the job profile and starter salary. Get your stuff, show your skill, and have patience mobile security   Yes, it's ok, because it is the only way you can get the sufficient hands on practice to clear the interview and recall what you know, but always be on the safer side ;) Yes there are many conferences around the world, but attending some of the conferences where hackers meet to present or to talk, a local hackers meet will also be helpful as you will know the latest tips and tricks, vocabulary, will get some hacker friends who may guide you in the right path and can help you get placed somewhere, or maybe you will know the right organisation to start with, and the organisation with the current opening India
114 1-3 years Vulnerability auditor, Policy writer, Manager, Log analyst, Incident response No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C Yes EC-Council (CEH etc), CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), CISSP, Offensive Security (PWB, AWE etc) DWP project that required business to abide by ISO27002 controls. I got volunteered. Security is a field which is split between Governance, Audit and Technical. Choose carefully which one you want to get into. You also need to be competent in all three. Show the key players that you are interested. Volunteer for anything that is security related as the experience will never be wasted and you'll get noticed.  Network - security is a small sector where you'll get to know the key folks IT awareness of security Recognise that security is a balance between usability and security.  Sell security as an enabler and not an obstacle to business. Possibly providing you tell the person afterwards about vulnerabilities/exploits Yes Infosec UK
115 4-7 years Penetration tester, PCI auditor, Exploit developer, Sys-admin, Helpdesk No, but it helps Bash Scripting, Python, C, PHP Yes - but only to get through HR SANS/GIAC The movie "Hackers" inspired me when I was young. That programming really is an essential key to understanding what is really going on under the hood. Scripting is golden when doing pentests and it is MUCH needed. Learn everything you can. More client-side security. In the beginning I was a script-kiddie with no real goals or ambitions. I notice that's a pretty big trend amongst most newcomers. Try to steer clear of that route as much as possible. Try to help the cause, not be a factor in destroying it. No. You actually wind up doing more damage than you ever expect. I'm talking financially here. If you break a server only just to poke around or "just cuz you can" and the server admin finds out, the company can pay a very large amount of money fixing what you broke. Yes DefCon, Blackhat. I've learned many new things there. United States
116 7+ years Manager No, but it helps Bash Scripting, Windows Powershell, Python, perl Yes - but only to get through HR CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), Offensive Security (PWB, AWE etc) Graduate recruitment program followed by keen interest in any security related work which came up how good the community is, always willing to help out invest in your learning.  Not necessarily in money or formal learning, but read, practice and try stuff out Mobile agent technology on mobile platforms - migrate to server whilst offline.  Mind you I've been hanging out for that for 15 years now..... Staying in formal education isn't as valuable as you may think once you get past the HR entry point. No, never. Yes 44Con - Top quality talks & great atmosphere (even if I felt like crap the whole time last year) 
BlackHat - Good selection of talks and far enough out from 44Con to avoid doubling up on all talks
UK
117 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, Log analyst, Sys-admin, IT Forensics No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, Java, Batch Scripting, Lua Yes SANS/GIAC, Offensive Security (PWB, AWE etc) Assisting system administrators when triaging systems that had been hacked.  Also at the same time, I was assisting customers with incident response on their systems. People say they want security.  They really don't.  At most, they don't want to be hacked and they usually need to meet a level of security as defined by a compliance body, such as PCI.  PCI does not equal good security. Prepare for people to ignore your recommendations.  When you show how something can be exploited, be prepared to hear something akin to "that would never happen to us".     No.  I'd be lying to say that I've never done it though.  Sometimes Bob just goes and does what he wants to. Yes Defcon is nice, but a zoo.  Derbycon looks very nice.  Anything that gets you to meet like minded people is good. United States
118 7+ years Reverse engineer, Log analyst, Sys-admin, Incident response Yes Bash Scripting, Ruby, Python, PHP, Perl Yes EC-Council (CEH etc), SANS/GIAC Job Pen testing is not so glamorous as it appears Put your own project on github Mobile devices   No Yes Blackhat 
Source 
Rootedcon
spain
119 7+ years Penetration tester Yes, but academically Bash Scripting, Windows Powershell, Ruby, Python, PHP, Java, Batch Scripting Yes SANS/GIAC, CISSP I worked in a large financial institution in the messaging and collaborative computing group (email, IM, etc).  I worked closely with our info sec team on offering services on the internet.  That team hired me as a security consultant.  So I was hired based on both my tech and soft skills, even though I didn't have a background in info sec, I had been exposed to it, and the hiring manager figured I could learn on the job with some training. I wish I had started out doing pen testing much earlier in my info sec career.  It has been the most enjoyable.  I also wish I had spent more time on web infrastructure and architecture. There are many paths one may travel in the field of info sec, but all will likely use the fundamentals of security.  I would recommend that someone starting a career in info sec learn about the fundamentals.  For me, it was getting my CISSP.  Not that the cert proved I have a fundamental understanding, but rather through the process of studying for the CISSP I gained a lot of foundational knowledge that has helped me in my career in understanding why certain controls exist, and why they work the way they do. This is always tough.  More than likely it will be in the area of Mobile Security.  I think smartphones and tablets are the new laptops from 10 years ago.  The number of threats, vulnerabilities, and security software will only increase and expand in this space (IMHO). I want to be in a technical position, and allowed my career to go down a path that became less and less technical, until a couple of years ago when I started making a change in my career and what I was studying in my free time.  I should've done that earlier as now I'm playing "catch up". Depends on what you are practicing.  
If it's recon, and even some level of mapping, I think it's ok, because it's very unlikely anyone can cause damages doing that.  However, there is a line that can be crossed where you suspect that if what you're doing goes wrong, it could have a negative impact on the site, either by exposing information or bringing the site down.  However, with that said, there are so many other options for practicing that are available for free or inexpensive, there's really no reason to practice on production systems that do not belong to you. Yes I think it really depends on what you do and where you're located.  As a pen tester located in the SouthEastern USA, I like the following: DerbyCon, ShmooCon, AppSecDC, and DefCon.  For me, these conferences provide the ability to network with other pen testers and info sec service providers, listen to talks on some really good research, get new ideas, and improve some skills along the way. USA
120 1-3 years Vulnerability auditor, Policy writer, Log analyst, Sys-admin, Incident response No, but it helps Bash Scripting, Ruby, Python, C, perl Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP Dreaming of being a pentester           Yes ALL  
121  <1 year Policy writer, IDS/Firewall admin, Sys-admin Don't know Bash Scripting, Windows Powershell Yes SANS/GIAC, Offensive Security (PWB, AWE etc) Personal Interest I'm new to security.  I wish I would have known how much of an uphill battle it can be to make changes because people tend to see security as a barrier to their jobs.   Network Security Monitoring   No. Not sure   United States
122 1-3 years Sys-admin, Helpdesk No, but it helps Bash Scripting, Windows Powershell, C++, Batch Scripting, C#, DOS Yes SANS/GIAC, CISSP, CompTIA (Security+ etc) As a soldier in the communications field, US Army. where to go to bid on contracts Understand it first, get at least a Security+ and CISSP cert if you don't work for a specific vendor. XCEL Mobility (stock ID XCLL) choosing a "money-hungry" partner that had minimal security experience NO - NO - NO it is NEVER OK to do that Yes Checkout allconferences.com, and choose which ones interest you.  Many of them give you free versions of software and utilities if you stay through the end of the conference.  Also, the networking you do is instrumental in building relationships. US, TX
123 <1 year Penetration tester, Reverse engineer, Malware analyst, Sys-admin, Incident response, IT Forensics No, but it helps Python, C, C++, Java Yes - but only to get through HR SANS/GIAC, CISSP Note: The job types chosen above are the jobs that I am interested in doing. 
 
I have not yet started working in InfoSec industry but I am currently undertaking study (post graduate) in Information Assurance and Security. 
 
Currently I work fulltime as a Systems Tester (mainly mainframe testing) for a government organisation.
As I am still attempting to gain a foothold in the InfoSec industry, I would have to state that everything I have learnt so far is important. Get involved - whether it be going to conferences, local meetings, or working on projects in the InfoSec community. 
Also self study - keep up with what is happening in the InfoSec industry as there is always something new to learn.
An increase in mobile malware and more organisations (particularly government and large state owned enterprises) moving to cloud infrastructures. 
The above are not new areas but more an increase in current trends.
As I have not yet started working in the InfoSec industry, I can't comment on things I have done wrong but I am in no doubt that there will be one or two things that I could do differently. NO - this is criminal behaviour NOT hacking. 
 
Always gain permission upfront before accessing any site that is not controlled / owned by yourself.
Yes As I reside in New Zealand, I can only recommend the few that I have attended. 
Kiwicon - annual hackers conference in Wellington, New Zealand 
OWASP NZ Day - conference held yearly in Auckland, New Zealand
New Zealand
124 7+ years Penetration tester, Manager No   No   By having a lot of the right friends and a few of the wrong ones.  ;-) 
 
Learning on my own through college and after college, working from the ground up at entry positions in tech repair and help desk, then doing sysadmin work with lockpicking on the side as a hobby. 
 
Having to fix my own things and break my own things, taught only from what i could read.  Then one day as a trainer at Black Hat, now SANS, then friends in the community and i started getting job offers, but instead have our own company. 
 
Interest leads to hacking.  Hacking leads to talks at cons.  Talks lead to reputation.  Reputation leads to trainings and job offers.  Trainings and sometimes jobs leads to more exposure, more contacts, and ultimately more work. 
 
Then, ultimately, this leads to tweets and emails from people asking you "how do i get into security" as if it's a checklist process that they can complete in a year or so and have "made it." 
 
It takes, i'd say, a minimum of 5 to 10 years... once you decide "this seems cool" to reaching the point of "security rock star."
i don't know how to answer this. it doesn't happen overnight.  do it because you love what you do, not because you think it will be cool. physical and/or blended pen testing.  there are already far too many scan shops out there. no. meh.  grey area.  i'd say it's not OK but it's a good idea. Yes absolutely as many as you can scam your way into, if only to network and meet people.  don't attend talks (unless you're really bored) 
 
all the talks wind up online within days.  watch them then.  go to ShmooCon, THOTCON, DerbyCon, and BlackHat/DEFCON. (scam your way into Black Hat)
USA.  Based in Philly, work nationwide and internationally
125 1-3 years Vulnerability auditor, Penetration tester, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, Batch Scripting Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I've been interested in security for years. Been studying on my own. Going to conferences, reading blogs, twitter, etc. I got on with a medium sized company that has really started to grow the last two years. Because I was a sysadmin that knew security I got to become the security guy. I still don't do it full-time as there are few who can pick up my other responsibilities, but I'm getting there. I still don't know as much as I'd like to know. But that's okay. Life is a journey. I'm trying to enjoy the ride rather than focus on the destination. Study, practice, and learn all you want to learn while you're young. It's much harder to devote time to it when you have a full-time job, wife, kids, and other responsibilities. Mobile and web app sec is still going to be at the top. Behind that as much as I hate the term, cloud security. Wasting time being afraid of failure. No. Yes CarolinaCon, Shmoocon 
 
It's great to see what other people are working on, what the community values, and network with other folks.
USA
126 7+ years Penetration tester, Policy writer, Manager, Incident response No, but it helps Bash Scripting, Python, C++, Java Yes - but only to get through HR Vendor specific, CISSP, ceh as a young teen took computer classes and figured out how to hack the mainframe's mud to allow me more time. teacher saw this and pointed me to security books. ended up getting referred to a guy at kpmg and they eventually hired me after university (i also got fired for hacking into one of their clients before i graduated and that sealed the deal lol) that this industry is eventually getting offshored for the most part don't fucking do it. 
get a more satisfying job like crack dealer
mobile security   no Yes defcon 
blackhat 
toorcon 
bsides 
 
 
they all have different types of communities but great for networking
usa/canada
127 <1 year Vulnerability auditor, Penetration tester, Sys-admin, hardware/whitebox No, but it helps Bash Scripting, Ruby, Python, PHP, C++ Yes SANS/GIAC, CISSP, CompTIA (Security+ etc), linux+,cisco/ms offshoot of repairing computers just do it! get more web based and diversified. get organized. read up and also run lots of vms - test test test big data, linked data, mobile, social, compliance with various protocols HIPAA/Sarbanes, mashups take more initiative, set firm dates, get more than one cert - 2 or 3 is good - and get out in the field. no comment No defcon, shmoocon, derbycon. 
linuxcons, notacon
usa
128 1-3 years Manager No, but it helps Any of the common ones like C/C++/Pascal/PHP Yes - but only to get through HR   Got lucky... I was in IT already as a tech support/programmer.  I looked for a job that would move me into the next step of network admin (or the like) and ended up finding a small start up type company that was willing to train if you had the basics.  (I had some certs like MCSE, and Security+ already so they took me on.)   Get involved; There are many options that are free like twitter, bsides, etc.   
 
Also, check with your college job board for part time or internship positions (assuming that you're still in college) for additional starting jobs
Integrated security appliances or MSSPs; Appliances that handle more than one function like Firewall/IPS all in one; or MSSPs which can monitor multiple systems at once.   No; It's never ok to practice on sites/companies without permission Yes BSides - it's local and free and offers great exposure to relevant topics and local community members. 
BlackHat/DefCon - only if you have the funding; again, offers exposure to a wide range of community members and has some decent talks
USA
129 4-7 years Log analyst, IDS/Firewall admin, Sys-admin, Incident response, IT Forensics No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, perl / what ever lang you know Yes - but only to get through HR Vendor specific, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) I got my start in the first NOC I worked in. Between the spam complaint line and the time we were hacked, it led to a lot of great ways to learn. 
 
From there my first hint that I'd be interested in security was the fact that that was the section I scored highest in on my CCNA in the late 90s. I spent more time bypassing company policy than caring about security, until the firewall admin said one day, ok smarty pants, you keep getting past me, you manage it. Since then, I've gotten into packet captures in a new way, lots of firewall experience, and am slightly anal about reading my logs. I've recovered data from erased hard drives, found people trying to break into systems, misconfigured proxies, and the like.  
 
My interests are definitely on the Blue side. Currently I maintain firewall rules, IPSec VPNs, do a security related podcast and am trying to get a degree in Information Assurance, in applied IA.
Really, I feel like I'm still learning as I go. I've been around security for 15 years and have picked things up along the way. One thing I would have liked to see 15 years ago, was Jason Street's book. It would have been great to have a more focused "this is everything that can be done" view. Learn. You need to be everything. You need to know the networking equipment, you need to know the OSes, you need to know the Apps. You need to know how they should go together so you know when they're not working. 
 
You also need to study both sides of the coin. I like the Blue side, but that doesn't mean I haven't spent time wearing  a red hat, or playing like a script kiddie. 
 
You should also have a lab to play with
Relearning the old ways of attacking. We've seen too many people focus on one part, and things like lock picking and social engineering (both older than dirt) making a comeback as the way to attack. Spent too much time not being focused and wasting it doing "other things". No matter what, try to keep your hand in the pie and get your name out there in some way. NO. Go build a lab. Set the stuff up. Learn both sides of Red and Blue. Yes I like BSides the most. The cost is good, they tend to be more local, and give you a chance to network with more people doing the type of work you want to do. 
 
I think overall the smaller cons, where you can meet people and build upon existing relationships, are the better part of the con scene.
United States
130 4-7 years Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer No, but it helps Ruby, Python, PHP Yes - but only to get through HR SANS/GIAC, Offensive Security (PWB, AWE etc) Watched "Hackers" when I was in middle school, decided it was bull shit and wanted to learn more. Spent most of my free time in High School reading and learning. When I got to college I was able to go to Shmoocon and meet some people who were very active in the community. I used these contacts as examples and continued learning and teaching. I started on the IT Help Desk at my College to get access to the InfoSec people. After my 2nd Shmoocon I took the opportunity to take my notes and some free swag down to the InfoSec guys. This made a good impression and I was transferred from HelpDesk to InfoSec as a student worker. From there I attached myself to every IS project I could, learning from everyone around me.  
 
The biggest thing was doing the work for smart people for next to no money. The college years were more about learning the job and the skills than the money. If you are just starting you need to be realistic about things. You are not going to make 6 figures your first year on the job!
Recruiters are useless. Don't talk to them, go to the source. Do this stuff for cheap/free for a couple of years if that will get your foot in the door. Start slow, surround yourself with smart people and NEVER stop learning. If you do this you will push yourself harder and accomplish more in a shorter time. Mobile   Negative, Slippery freaking slope. Yes Derbycon, Bsides*, Shmoocon. The smaller cons get you the great speakers but also time and access to talk to the speakers and others at the con. Defcon is great for the parties but a waste of time otherwise. USA
131 7+ years Helpdesk, Incident response No, but it helps As many as possible Yes - but only to get through HR Depends on HR.... Looking up best practices on setting up a wireless network.  Link directed me to netstumbler.com, met some really cool dudes, the rest is history. Programming will come in handy.  I still can't program myself out of a wet paper sack, though I can usually modify a bash script... School, classes, more school.  Just because you have a cert doesn't mean you know what the hell you're doing. Cell phones, mobile networks. not learning to program.... Nooooooo. Yes Shmoocon 
Defcon 
Derbycon 
^^  No particular order. 
Any you can really.  Why, well one, they're pretty cool.  You get to meet your peers, and most of them are pretty cool to hang out with.  The talks are awesome, and you might even learn a thing or two.
US
132 1-3 years Vulnerability auditor, Manager, IDS/Firewall admin, Sys-admin No, but it helps Python Yes - but only to get through HR   Experimenting with reverse engineering software to bypass license requirements. Professionally started as a System Admin and got my Masters in Information Security (with a focus in IDS research). Went on trying out web application penetration testing and auditing. The many offerings for a career in Infosec. Look at the options that security offers, analyze your skills and hone whatever new skills are required to get into that area. 
 
And keep networking.  
 
I have to quote muts of Offensive Security on this, "Try Harder"
Secure Software Development.  
 
Psychological studies show that if you tell someone a problem without clear steps on solving it, they tend to ignore your warnings. Security folk need to work closely with software developers and IT teams to provide clear solutions instead of vague geekspeak.
  Never Yes The ones where it's less about vendors and more about learning without having to pay a tonne. USA
133 4-7 years Penetration tester, Policy writer, Manager, PCI auditor, Incident response, IT Forensics No, but it helps Bash Scripting, Python, Understanding a script basics Yes - but only to get through HR CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme) Working hard / contacts / good CV / good customer skills Reporting is a killer. Get used to working long hours, customers who are hard work and report writing skills. Also learn how to explain things in plain English. Client side / cloud Nope. Hell. No. No   Uk
134 4-7 years Vulnerability auditor, Penetration tester, Policy writer, Manager, Exploit developer, Incident response, Application Security Consultant Sorry, I find the term pen-tester to be poorly defined. Do you have to be able to code to do a network pentest? No, but it helps. Do you have to be able to code to be an application security professional? Yes. Ruby, Python, C, PHP, C++, Java, C# No   I was very active in a Linux user group. I had a personal interest in both securing and auditing the security of servers and networks. I started giving presentations at my LUG on how to lock down Linux boxes and how to use common tools for penetration testing. After I graduated with a Computer Science degree I went to work as a web application developer. I enjoyed the technical work but was bored by the products I was working on so I applied for entry level positions in application security consulting firms. One of them hired me. It isn't as hard as you think it is. Find the local security people. Go to hackerspaces, happy hours, speaking events and vendor events. If you don't have local security people move somewhere that does. You can do it alone but it will be a lot harder than it has to be.   Drink less and hack more at your first con. Heck, drink less and hack more at every con. Only if they have policies that allow public security research (and you stay with the terms of those policies). Companies with Bug Bounties are a good start: 
 
http://www.facebook.com/whitehat/bounty/ 
http://googleonlinesecurity.blogspot.com/2010/11/rewarding-web-application-security.html
Yes Black Hat(s) and especially USA, Defcon, CanSecWest, Source and smaller local cons. They are useful mostly from the perspective of meeting others in the community. Earlier I said certifications are not useful. Why did I not say they are useful for getting through HR? Because every job I have ever gotten was because I knew someone or someone who knew someone. Breaking into security is most effectively performed, in my opinion, by meeting and getting to know people active in the security community. USA
135 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, Log analyst, IDS/Firewall admin, Sys-admin, Incident response Yes Bash Scripting, Python, C No   Shoulder-tapped from a Unix admin role in a government department. That I'd still be doing basically the same work 15 years later (reviewing logs, firewall configurations, writing and improving policy, educating users) It's all about your attitude, skills can be learnt but if you don't have an inherent suspicion of everyone then you'll never succeed. P2P payments Going into a management role too soon, it's difficult to do well if you get isolated from the coalface stuff. Yes, just don't get caught. Yes Vendor conferences for the networking opportunities 
OWASP, SyScan, Ruxcon, other highly technical conferences to really see what everyone else is doing
Australia
136 7+ years Vulnerability auditor, Penetration tester, PCI auditor, Malware analyst, IDS/Firewall admin, Sys-admin Yes Bash Scripting, Python, C, PHP Yes Offensive Security (PWB, AWE etc) It really started for me when a friend gave me access to his VMS account at a local college. I had no idea what I was doing on the system as I was only familiar with DOS and windows at the time. After spending a lot of time learning the system, I found myself chatting with other users of the system. This led me to accessing other systems within the college that I probably shouldn't have been allowed to. Not bad for a 12 year old :-) This exploration and intense curiosity drove me to learn as much as I could. I wish I knew how approachable people were. Doing a lot of things on your own is very difficult and having people to bounce ideas off is amazing. Try to find a mentor. There are so many layers to information security and figuring out where and what you want to do might be very challenging. I think the obvious answers here are "The Cloud" and "Mobile" but beyond that I feel that there is going to be more and more convergence with technology and our physical world. I don't mean just SCADA/smart grid networks, I'm talking about implants for humans and huge ecological projects to control our environment. Imagine a hacker group causing Ozone depletion. yikes!   I think it depends on what you are practicing. If you are working on information gathering techniques, that could possibly be ok. There is a lot of grey area in this subject however. Some people might say don't do anything you wouldn't want done to you. That leaves a lot open. I would say, leave your "practice" to learning about the site/companies as best you can without using your browser Yes Personally, I enjoy the smaller conventions. I really enjoy the social networking components. Meeting people in all kinds of different roles talking about ideas and solutions is really inspiring. usa
137 4-7 years Policy writer, Log analyst, IDS/Firewall admin, Incident response No, but you had better be able to learn Bash Scripting, Python, Perl Yes - but only to get through HR SANS/GIAC, CISSP, CBA I was always interested in how things break. Started with your basic pranks on the school networks, then in my professional life I spent a few years in the dredges of IT (help desk). I made known my interest in security and tried to be involved any way I could. I got to the point where I had to change companies to do security work full time. I made the jump and have not looked back. Where all the resources are and how to navigate them. (links, blogs, etc) 
How to find people in my area also interested in security (ISSA, local Defcon groups, etc)
Make sure it is what you want and that it fits you.  Try it out, the learning curve is steep and you have to stay on top of things but I have found it to be the most meaningful and enjoyable work. The distinctions of work and personal equipment / data will continue to diffuse into one another, causing more opportunity for the "bad guys". The outsourcing of IT will make it difficult for companies to know how their data is secured and could make change more problematic.  You could start to see attacks propagate across cloud providers the same way you see it go across hosting providers today.   Only if you want to go to jail and be bubba's girlfriend. Yes B-sides, not over populated like defcon. 
Really any conference, more for the one on one interaction with people who have great ideas than the talks, but they do set the tone...
USA, Texas
138 1-3 years Policy writer, Manager No, but it helps Bash Scripting, Ruby, Python, C, PHP, C++, Java, Batch Scripting, VB, C# Yes CISSP Internship in a dev shop responsible for maintaining a wireless security scanner product   If you're not willing to work on your own time to build a test lab and try out these things you read about, you probably won't be happy in the industry. mobile   This question is misleading. It's not ok, it's probably not legal, and it's not necessary. There are test sites like DVWA & WebGoat you can practice on, or you can build your own test lab. Yes BSidesSF - free, educational, with good exposure to what RSA is about w/o paying for a ticket  
SOURCE Boston - Great exposure to technical and business together    
BruCon - technical, lots of variety, great audience for networking    
DefCon - good variety of topics, good networking, good for beginners and young people
USA
139 1-3 years Student No, but it helps Bash Scripting, Windows Powershell, Python, PHP Yes - but only to get through HR               Yes   USA
140 1-3 years Student Yes Python, C, PHP, Perl Yes - but only to get through HR CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) A friend brought me to a hacking forum. At first it was just funny (skid) but after a few months, I really started to get interested in security and pentesting. So I started with websecurity and I'm going to start looking more into appsec soon. Start with learning a programming language first. (when I came into the security world, I didn't have any experience with programming) / / / I think you should 'practice' on sites without permission although I'm also doing it.  
I don't harm the site but I report the vulnerabilities when I'm done.
Yes Defcon, brucon? 
I think it's a nice place to meet new people, learn new things. 
Very interesting to see what the speakers have to say and what new topics will be talked about.
Belgium
141 1-3 years Manager Yes Lua Yes SANS/GIAC Hacking stuff online. Reading papers. Educating myself. Find a good practical way of disclosure. Don't hack others' stuff. Set up your own lab. Write papers. Get involved in communities Learn to program Xss framework development Not enough networking. Jobs are offered directly not just online on recruitment pages Not really. Gray zone deluxe. Make a lab! VMware 4tw I don't know   norway
142 1-3 years Vulnerability auditor, Log analyst, IDS/Firewall admin No, but it helps Bash Scripting, Ruby, Python Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Started at my current company as a NOC tech then after five long years I was promoted to Network Engineer.  I spent three years as a Network Engineer while getting to know our systems and our security team.  A job opening came up in the Information Security Department and I was hired.  Since then I've been promoted to Senior but pretty much have the same functionality. Nothing that sticks out at the moment. Don't focus your time and effort into just knowing this attack or that vulnerability.  You need a good solid understanding of computing in general (TCP/IP, Operating Systems, Protocols) to have a decent shot of getting into Security.  The market is full of people who have taken the CEH or even a GIAC cert or two.  However knowing the nitty gritty details of protocols and how things work will set you apart in my experience. Not really sure Nothing that sticks out at the moment. Absolutely not. Yes Any conference due to the networking aspect.  Getting to know someone from a conference can go a long way to getting into the security field. Colorado, USA
143 7+ years CIRT Team No, but it helps Bash Scripting, Python, Assembly Language is a strong option. Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) An existing job just morphed into a security position and I went along for the ride. Learned to like it and I have been there ever since.   I would recommend one of two paths, the first is internship, if you can demonstrate a strong understanding of the field and a willingness to learn you will find the specialist companies will try to retain you. Alternatively head into the general IT field and build a relationship with the security team and try to establish yourself as a strong potential candidate for when the security team are recruiting. Malware analysis is starting to pick up strength, I see a push to bringing that level of skill and interest in house.   Hell no. You only have to screw up once to find your prospective career path changing to a federal institution. Yes I like the SANS conferences, they tend to get slightly more professional attendees. Also like Defcon/Blackhat, always a lot of fun. USA
144 1-3 years Vulnerability auditor, Penetration tester, big 4 consultant No, but it helps Bash Scripting, Batch Scripting Yes - but only to get through HR SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) I started with an IT internship at a startup that had me fixing their network infrastructure, desktop support, vpn troubleshooting, ip telephony, server support, linux, etc, etc. I was the general go-to person for all tech related problems, but never the person to talk to before the problem was created. Slowly I began to convince people around me that I knew something, and was eventually proposing major changes to the infrastructure etc, until I was the go-to person for upper management (VPs, C-levels). 
 
I then decided to move on from the startup and join the big 4 to do security consulting.
high end security consulting companies and exactly what companies are providing security testing services get certifications, they are the only thing that people will recognize when you are starting your career. a lot of recognition is given to years of experience, but can still mean knowing nothing. certs are not the end all be all, but they help.   if you have a choice to join a security consulting company, do it and don't take the job at the big 4. you will forever be deemed to be an accountant or someone in tax. no 
very bad
Yes local conferences, just to network and meet people in the industry. probably the most important thing to have is good contacts who can recommend you and so you stand out from the jackass who doesn't know shit, but has lots of certifications because they're good at passing the crappy exams etc. if you don't know anyone, then you have to try to get known by other people through publishing research, blogs, speaking at conferences, etc. Singapore
145 7+ years Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer No, but it helps Python Yes - but only to get through HR SANS/GIAC, CISSP Someone broke into my computer.  After which I wanted to know how and why so I started coding and figuring things out.  Eventually met a friend who convinced me to go to a conference, after that conference met more people and it snowballed from there. Talk to people and don't be shy.  Paranoia is great except it won't get you very far, social is better.  Don't social engineer, actually grab a beer and exchange ideas. Fuck around.  Don't go "I want to be X" since you honestly don't really know what X is.  Play with many fields, VR, crypto, all of it; look and figure out how it works.  Don't pigeonhole. Mobile and fringe/cloud crypto Not everyone who shits on you is your enemy. 
Not everyone who gets you out of shit is your friend. 
People can be real weird accept it and move on.
Depends.  If you are playing with a web app it's a lot more okay than breaking into a subnetwork of computers. Yes My personal favorite is shmoocon.  Its size is small, talks aren't the greatest but the crowd is almost always welcoming, kind and very nice to newcomers.  It will help you get a job, get a friend or get a beer, and everything in between. 
 
Defcon is good to see old friends again and not much more.   
Summercon is great to have a great time and get to know new people.
US
146 1-3 years Reverse engineer, Malware analyst Yes Bash Scripting, Ruby, Python, C, Batch Scripting Yes - but only to get through HR SANS/GIAC I first really got exposure to the security world a few years ago in college. Aside from what is taught in a CS program, just about everything I have learned on my own, from websites, presentations, and challenges. But learning and intelligence doesn't get you places. That happened after I started writing tools, exploits, and doing and releasing my own research. I consider a strong C programming skill set essential to RE, exploit development, and malware analysis. I didn't really get the different subcultures of the security world. Get familiar with the differences between law enforcement, hacking, and government contractor worlds to name a few. Think about where you can/want to fit in. Take initiative. Like any other career field, don't expect anything to be handed to you. Nobody gets paid to be a novelist without first having written a novel. Nobody gets paid to be an exploit developer without having first written exploits.  
 
Second piece of advice (I know, you just asked for one, bill me later) is to communicate well. Write, speak, blog; nothing cool you figure out will go anywhere unless you communicate that effectively to people who can take action on that.
Figure that out, and you'll have it made! No, I don't know. But there will always be a need for incident response, malware analysis, offensive and defensive tool development, and penetration testing. I suppose there will be a bigger role for exploit development, or maybe it will just be more publicly known. :-) Before asking [stupid] questions or releasing any new exploits/research, be sure to do a search to try answering your own question or figure out if what you are doing has already been done before. People will give you a lot more respect if you show you've done at least a little bit of homework. No. Absolutely not. Though I know many do it and get away with it, I have seen promising, intelligent kids with a sure future in security hack something and get burned, possibly permanently. Yes Defcon 
Shmoocon 
Black Hat* 
Very useful, especially if presenting, to connect with prospective employers, learn something, and meet people. However, travel and conference fees can also be a big money burner (BH) if you don't already have a security job to send you. Go with a plan or at least a determination to meet new people and not be a jerk, don't just show up and wander around. Also, I haven't been to many more, so these are just what I have seen.
USA
147 7+ years Security Architect Don't know Bash Scripting Yes SANS/GIAC building linux systems to glue together clients and servers between security zones and character encodings, then system administration, moving into firewall/network security. That what I was doing was security :) 
For quite a while I didn't know what field I was in (which made it hard to progress the career)
Get a degree, preferably non-technical (Ethics/Philosophy, Law, Economics) or engineering. The use of icloud/live accounts for OS authentication is an interesting development. Wait too long to get a degree. any degree. useful both from the needing to be able to communicate, to get past HR steps in larger orgs, and for the confidence factor. Only reconnaissance activities and protocol inspection It depends on the conference, and what you expect to get out of it. If SANS Conferences count, for the training Australia
148 1-3 years Vulnerability auditor, Penetration tester, Policy writer, Manager, IDS/Firewall admin, Sys-admin, Incident response No, but it helps Ruby, Batch Scripting Yes Vendor specific, SANS/GIAC, CISSP Through Administration of security devices - firewalls, IDS, content filtering, AV, etc. However started with Helpdesk calls, backups, networking and server administration. You have to give enough time for each and everything....you cannot learn everything. There will be information overload when you start. Unless you set goals you will keep wavering and will find it hard to stay on course BYOD, mobile security Invest in your career by setting aside small amounts. No. Setup your own lab Yes CONS...attended Ruxcon. India
149 1-3 years Vulnerability auditor, Penetration tester, Policy writer, Manager No, but it helps Windows Powershell, Python, Java No   Reading a pen-test on an application I made         NO Yes All of them ;-) 
Always nice to meet people, exchange ideas if the talks themselves would be less relevant/interesting
Belgium
150 <1 year Sys-admin, Helpdesk, Incident response Yes Bash Scripting, Python, C++, Batch Scripting Yes   Protecting what needs to be protected.   Get involved.   Starting late. Yes. If you do not get caught and do it for good intentions in the long run. No   USA
151 <1 year Log analyst, Helpdesk Don't know   Yes - but only to get through HR   Started working as general support for an Anti-virus vendor.           Yes   South Africa
152 7+ years Vulnerability auditor, Penetration tester, Policy writer, Log analyst, IDS/Firewall admin, Sys-admin, Incident response, IT Forensices No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting Yes EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I wrote a thesis on Firewalls during my studies. In my first job after that the largest customer asked if we could come up with a managed firewall solution. I designed the solution and the management procedures for it. I also helped write the customer's Internet security policy. How easy breaking in is. Get good at systems management. 
Get a network in your local sec community.
Incident response teams/person, in even small companies I spend too many years doing only network security, should have examined other areas earlier. NO, NO and NO, never do that. set up a lab instead Yes Well all of them, go to what you can get at and network. Denmark
153 7+ years DoD CIO and 3rd party DIACAP validator No, but it helps Bash Scripting, Windows Powershell, PHP, Batch Scripting, ASP, ASPdotNET, HTML Yes EC-Council (CEH etc), Vendor specific, CISSP network admin, evolved into Information Assurance How badly America sux at doing network security 
COMMENT 1: note that in DoD, "security" means OPSEC, classified versus unclassified, people's clearances, background checks, stuff like that.  It generally does NOT mean network offense or defense.  In DoD, that is referred to as Information Assurance.  Information Security is something entirely different. "Security" is largely non-technical, mostly people oriented. 
COMMENT 2: "would you mind...." answering "yes" means that I *would* mind, whereas you have !pedantically set yes to mean that I would *not* mind being contacted.
Don't... it's a losing battle... there are a lot more of *them* than there are of us. IPv6 Need some rudimentary business courses. No.  The price of mistakes is VERY high. Yes $AN$ - Very good content, but ex$pen$ive 
DISA IA Conference 
Blackhat 
CES
USA
154 7+ years Vulnerability auditor, Penetration tester, Policy writer, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response No, but it helps Bash Scripting, Windows Powershell, Ruby, Python Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc) worked for a Security reseller doing low-level helpdesk, worked through organisation When I started out I was naive to "company politics", so always CYA, the company does not have your best interest in mind. But always treat your employer with respect, even when you leave. Especially in a small country, everyone knows everyone; things get around and us Security dudes like to gossip. Understand business, marketing and financials Social engineering and Forensics Not really, if you learn from it then it's OK. No. Practice somewhere else. Yes Attend any security conferences you can Ireland
155 4-7 years Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, Incident response, IT Forensices Yes Bash Scripting, Windows Powershell, Python, C Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc) Had a passion for the hacker culture since my first taste of the dark side of AOL.  And just never stopped. About the security clearance process Dive in, rtfm, give back Mobile   No Yes Any 
Shmoocon 
Industry specific (education infosec, healthcare infosec, etc.)
US
156 7+ years Vulnerability auditor, Penetration tester, Project reviewer No   Yes SANS/GIAC, CISSP Stumbled into some VXs when I was in high school and got interested in viruses. How political security was. Be very humble. Forensics. Breaches are only going to increase. Secure programming: app issues are the current area of attack focus and that's not going to change.   NEVER Yes SANS, they are some of the best people and best training out there. The people you meet are almost worth the price of admission. US
157 1-3 years Vulnerability auditor, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response No, but it helps Batch Scripting, VB, autoit; these are what I am currently able to do, not necessarily the best reco Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Someone gave me a chance ;) I came from a Network technician background and had brought that job level to a Server/Network Administration and was very interested in Security. I applied for the position and talked with my current boss. He was happy to see that I was a go getter and that I understood the work involved in learning and figuring things out. Where to start! There's just so much information... Stick to it. It's hard but fun. Get a group of colleagues that you can bounce ideas off of. Setup a testing/dev environment. Not sure Trying to wear too many hats (although helpful to have a broad range of skills). I also deal with BC/DR, Exchange, Server administration, Virtualization, Network admin, helpdesk, etc. NO! Never, ever, ever... it's against the law. Yes Source, Shmoocon, B-Sides, Blackhat USA
158 7+ years Penetration tester, Manager, IT Forensices, 24 years in physical security, 3 in IT No, but it helps   Yes EC-Council (CEH etc), SANS/GIAC, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) As a risk mitigation company working in the more austere environments, we recognized a growing need for IT security consulting and forensics to support investigations, as well as the ever-increasing merger of physical security and IT security needs.  So, a little different career track than many I suppose. Don't try to learn it all at once.  Pick something you are interested in and really learn that area. Education, certification, practice and networking are key. Critical Infrastructure and mobile device security.   Never.  You are risking the reputation of your company, or yourself (if an IC). Yes SANS and ASIS conferences are great for networking. USA, but work throughout ME & Africa
159 1-3 years Vulnerability auditor, Penetration tester, Incident response Yes Python, C, PHP, C++, Java Yes - but only to get through HR EC-Council (CEH etc)             Yes   Europe
160 7+ years Vulnerability auditor, Penetration tester, Policy writer Yes Bash Scripting, Python, C, PHP, C++, Java, Batch Scripting Yes - but only to get through HR   Reading phrack, coding, and breaking example vulns.         No. Only to meet people.   Germany
161 4-7 years Penetration tester, Sys-admin, IT Forensices No, but it helps Bash Scripting, Ruby, Python, C, PHP Yes - but only to get through HR CISSP, CompTIA (Security+ etc)             Yes   England
162 7+ years Reverse engineer, Malware analyst Yes Bash Scripting, Python, C Yes - but only to get through HR SANS/GIAC, CISSP     Mastering at least C and a scripting language like Python or Ruby.     No, it's never acceptable. Yes Hackito Ergo Sum 
Defcon
France
163 1-3 years Sys-admin, DLP Integrator No, but it helps Bash Scripting, Windows Powershell, Python Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP I've always been interested in security, attending conferences and playing around in my free time. I finally took the plunge and went looking for a job in the security field. So far, so good. I looked at security much more like something that was equated with pen testing but it's so much more. There are so many areas that involve security, it is hard to pick one. I think people put the glamor on pen testing because it's neat, but Blue team work is fun as well. Don't wait! I wasted several years trying to get in slowly, earn certs, etc. I finally just went and found a new, entry-level job and went with it. Better to do so early rather than later and get your foot in the door. If you eventually find out it's not for you, well, then change up later. But if you don't go in with the mindset to go all the way, you'll just end up half-assing it. Blue team. There are so many companies out there with the IP exposed. Foreign nations are using the Net more to gain access to networks and proprietary documents. Companies are going to need (currently need) experienced individuals actively working to stop them. I was advised to go back and get a Masters degree in CompSci. I don't believe that is necessary for the current job market unless you eventually want to get into a C-level role within a large organization. I think most companies (once past HR) look at what you can do and your willingness to learn. No. Virtualization is too cheap now to not have some sort of lab environment. Permission is always needed. Yes ShmooCon - small conference; able to talk with people 1-on-1 
DefCon - for exactly the opposite reason. Lots of different people, ideas, cultures 
BSides - the way a small con used to be 
Local - Anything local whether a hacker space, ISACA or ISSA meeting to meet others and learn about things going on in your area.
USA
164 4-7 years Vulnerability auditor, Policy writer, Malware analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, IT Forensices No, but it helps Bash Scripting, Ruby, Python Yes - but only to get through HR Vendor specific   Assembler, x86 and arm Never ever think something is impossible. Smart home. Don't forget about the security of your own equipment. No, you never know what could possibly go wrong. Always test on your own equipment or get written permission first. Yes DEEPSec, BSides, Berlinsides EU
165 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, FISMA Auditor No, but it helps Bash Scripting, Batch Scripting, I think the scripting is mandatory but anything else is a huge plus Yes Vendor specific, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Internal transfer from sys admin and support, I think internal transfer via showing interest may be the simplest way to break in to security. Internally companies will understand your skills and your local knowledge can make up for some of the skills you lack. That without a degree you will hit a top in pay / job - it has more long term value than people see if you're only looking at the short term. Learn a strong base in IT. If you can't admin it you can't secure it. Also no one wants a novice security guy so internal transfer will get you the foot in the door for the next job. Continuous assessment / whitelisting I did not value a degree early on and it held me back from a lot of jobs I could have enjoyed. Even with lots of years under my belt it was always an issue. It makes for a more robust person. Errrr no. Yes Blackhat USA, ShmooCon, Defcon, Bsides and any local cons. I think being part of the community, networking with others and learning as a group can be VERY important. If you can go to only one BH USA is the one IMO. Spend time with the people! USA
166 1-3 years Penetration tester, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk Yes Bash Scripting, C, Perl Yes SANS/GIAC, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Personal interest on the technical background behind large scale network attacks. Started with network security and continued with system security, Windows administration (still learning a lot of stuff). If you love it do not start it. Mobile devices security Didn't detail and organize my findings well enough. When I rolled back to see how I had done some things, it was a mess. Definitely *NOT*. There are plenty of login-to-root boxes and challenges to test your skills. Yes Famous & big conferences (such as DefCon, Blackhat, etc) are definitely worth attending, to hear from the first hand experts analyzing fresh kung-fu techniques. And of course the chance to have a talk with them and hear their pro way of thinking and acting. 
Although I prefer smaller-scale conferences like OWASP meetings, where you can see and hear young and passionate guys sharing their experiences and ideas. I really enjoy these meetups/conferences.
Greece
167 <1 year Vulnerability auditor, Manager, IDS/Firewall admin, Sys-admin, Incident response, IT Forensices Don't know   Yes CISSP Studying at university           No   Spain
168 1-3 years Policy writer, IDS/Firewall admin, Sys-admin, IT Forensices No, but it helps Bash Scripting, Python, C, PHP, C++, Java, Batch Scripting, C# Yes CompTIA (Security+ etc) Curiosity   Be willing to spend the time learning new tech       Yes   U.S.A
169 4-7 years Reverse engineer, Log analyst, Sys-admin, IT Forensices, telco related tracing Yes Bash Scripting, Ruby, Python, PHP, C++, Batch Scripting, rb great for writing utilities Yes - but only to get through HR CISSP Loved computers, started programming at 12, went to law school, found I still loved computers, mixed my understanding of the legal world with that of computers and there you have it.         NO Yes   USA
170 4-7 years Vulnerability auditor, Penetration tester, Log analyst, Incident response, IT Forensices No, but it helps Bash Scripting, Windows Powershell, Python Yes - but only to get through HR SANS/GIAC, CISSP, Depends what you're trying to accomplish   You don't have to know *everything* to get started in InfoSec.  It's important to have a good understanding of 'how things work', and also how to research any specific problem you face.       You may not 'intentionally' do damage, but systems sometimes crash unexpectedly, or some functions may cause excessive system load, etc...  Also, unless you take precautions the internet isn't very anonymous, which can have serious consequences in an industry where trust and reputation are *very* important. Yes Defcon - similar content to BH, but much cheaper.  Also recordings are posted online. 
Whatever regional conference is closest to you - it's good to get to know some people nearby.
Canada
171 1-3 years Vulnerability auditor, Penetration tester, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C++ Yes EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) IT was boring so I focused my IT work on security and it morphed into new types of assignments. Scripting Read and learn. Don't memorize what you read but actually learn it and how to apply it. ICS Expected too much from certs Nope Yes B-Sides because of the people 
 
Def-Con because of the technology 
 
Anything else related to interests or focus (Google I/O, SANS SCADA Security, etc.)
USA
172 1-3 years IDS/Firewall admin, Sys-admin, Incident response, IT Forensices Yes Bash Scripting, C, perl Yes - but only to get through HR               Yes    
173 <1 year Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer Yes Ruby, C, Perl and ASM Yes CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc)   Don't cheat things Code and hack non stop until you are very confident, and don't start as a white hat.     In my opinion yes, as long as you keep the "practicing" confidential and don't cause damage. Yes Defcon for the sheer variety of the talks and skill of people who attend.  
174 1-3 years security analyst Yes Bash Scripting, Windows Powershell, Python Yes - but only to get through HR CISSP I got into it because it's my major in school but I got my job by being on twitter and networking. Here is a blog post on how I did it and my advice to those that want to break into this exciting field. Feel free to link to it if you would like. 
http://fightinginsecurity.wordpress.com/2011/12/20/what-i-have-learned-so-far-on-my-journey-to-becoming-a-security-professional/
How to network more. Be on Twitter and engage in the conversations. Mobile. No. I would strongly suggest that you create your own lab. Yes Any of them that you could attend. Blackhat, defcon, thotcon, source United States
175 1-3 years Manager, PCI auditor, IDS/Firewall admin, Sys-admin, Helpdesk Yes Bash Scripting, Ruby, C++ Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc)       Mobile   Absolutely not.  There are plenty of other opportunities from 3rd parties and easy enough to build your own 'lab'. Yes Any and all US
176 7+ years Vulnerability auditor, Malware analyst, Incident response, IT Forensices No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, PHP Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP System Administration certifications only help get past HR test and practice everything - use a vm not a prognosticator don't "over" certify no no opinion   NE USA
177 7+ years Penetration tester, Policy writer, Manager, PCI auditor, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, IT Forensices, Forensics No, but it helps Windows Powershell, Ruby, Python, Batch Scripting, C# Yes SANS/GIAC, CISSP While working on a LAN support call at a university, I overheard upper management trying to figure out what to do with a subpoena. I put the caller on hold, asked three quick questions about how delivery was served, scope, and whether we in fact had the logs. I finished up the call, and discovered not only was my director standing there waiting for me to go further, but that I would get to handle incident response from that point forward. "Progress, not perfection." The business owns its own decisions. Your responsibility is to provide them accurate and timely information and recommendations to make a risk based decision. Bring Your Own Device is my upcoming nightmare. Remember the business owns the decisions on what its own best practice is! NO. Yes SANS (for the training and contacts) 
BlackHat/DefCon (for the knowledge, the contacts, and the Toxic BBQ) 
RSA (for contacts)
USA
178 1-3 years Penetration tester, Exploit developer, Sys-admin Yes Bash Scripting, Ruby, Python Yes SANS/GIAC, CISSP The same way a lot of pimply faced teenagers did back in the early '90's... I wish I'd known how fast the industry was going to evolve so that I could have stayed on top of it instead of moving outside the industry. Starting out with no tools and now seeing all the automation and tooling available, it's difficult to know where to get back in. Think like a hacker. If you can't get into the mindset of someone who wants to break into your systems, you will have a hard time attacking (pentesting) or defending (sys-admins). The rest will come naturally. Mobile security is going to be big, but the underlying infrastructure there is application security. Someone said that we started in the hardware, went through networking, and now we're at application development. I think that's accurate. I got out of the security industry and went to just systems administration and then tried to get back into it. The people I know who stayed with security are still in it and well known, and I find it difficult to get back in. That's how I learned! But these days, there are plenty of better ways to learn. When I was learning, there was no such thing as virtual machines and cheap hardware. I may "accidentally" throw a semi-colon or -- into a website every now and then though ;). Yes Blackhat, RSA, SANS USA
179 4-7 years Penetration tester, Policy writer, Manager, Log analyst, IDS/Firewall admin, Sys-admin, Incident response, IT Forensices Yes Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua, VB, C#, All you can learn! Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP Don't remember. Started to attend meetings, cons etc. Took university classes. Got hooked on security and someone gave me a job. How much work the reports are. It's all about knowledge. People and Tech! IPv6 :-p Use MS Word for Reports Grey Zone. Better rebuild their system in your lab. Yes All with High profile talks and speakers. No vendor road shows. Austria
180 7+ years Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, Incident response, IT Forensices No, but it helps Bash Scripting, Windows Powershell, Python, Batch Scripting Yes SANS/GIAC, CISSP, ISACA BS             kinda none  
181  1-3 years Reverse engineer, Exploit developer, Malware analyst No Ruby, Python, C Yes CISSP I started cracking applications   see porn       Yes Defcon, Blackhat, Ekoparty Colombia
182 7+ years Penetration tester Yes Bash Scripting, Windows Powershell, Ruby Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme) Moved into IT Security from General IT consultancy Understanding that all jobs have their drawbacks and it's worth thinking about what you particularly enjoy (and dislike) when picking roles.   
 
That said, to an extent, that's something people have to experience for themselves. 
 
Also after a certain level, getting ahead is as much who you know as what you know.
Be active in the community.  Write a blog, research things and publish them, keep learning things. Mobile security will get bigger as the platform does, same with cloud topics. 
 
I'd like to say that AppSec and helping development teams write secure code will be huge, if only as there's such a low percentage of companies doing it well, but I think that may only happen if there are changes in laws and regulations which mandate it.
I personally enjoy the technical side of things, and my mistake was almost moving out of the area and into less technical roles. No, absolutely not. 
 
It's a pragmatic reason though.  If you do something to the wrong company on the wrong day, you could end up in legal trouble and rightly or wrongly that will put off some prospective employers, so I'd say it's just not worth it. 
 
Look at the difficulties that researchers have even when everything's completely above board!
Yes Different sets of conferences for different reasons. 
 
B-Sides, 44Con, defcon, brucon etc.  Good technical contact and chance to meet people. 
 
Infosec - find out what's selling in the market. 
 
General IT conferences (e.g. dev conferences, TechEd etc) - Gain more knowledge about the underlying technologies.  The best security people can speak to IT people in their language and have a good understanding of the technologies they use.
Scotland
183 7+ years Vulnerability auditor, Penetration tester, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response No, but it helps Bash Scripting, Ruby, Python, C, PHP, C++, Java, Batch Scripting, VB, C#, Perl; be able to read code and pick up a new language as needed Yes - but only to get through HR CISSP I took software development in college and spent a lot of my time reading about infosec.  I never got hands on with it in college though, I guess course load & lack of hardware/software for a decent lab held me back a bit. 
 
After I graduated, I was working a job I hated, applying to infosec companies and getting nowhere.  I ended up harassing the CEO of a small infosec shop with phone calls, emails & mailed copies of my resume. In the end, I sent him an e-mail basically saying "Look, I know that good people are hard to find.  Let me work for free for 10 hrs a week and you decide if I'm a good fit".  He took me up on it.  I signed an NDA and he put me on a research project.  I busted my ass and delivered a sweet report, which in turn, got me a job at the company. I stayed 8 years and got a ton of experience.
I wish I had known about virtualization and interactive hacking challenges like hackthissite.org. 
 
If I'd explored virtualization more (although it was 1999 when I was trying to learn this stuff) I could have set up a nice lab environment to play around in. 
 
When I discovered hackthissite.org, it rapidly improved my skills. Fun and educational!
Make sure it is your passion.  This field requires a life-long commitment to keeping your knowledge current. Social engineering is popular (again) and is scary as hell.  Wireless, Web App Security and Mobile device security are the things that, while not really new, are areas I see as being with us for a long time. I busted my ass in college getting straight A's.  The rationale was that my grades would set me apart from the crowd.  I was really fighting against the "it's not what you know, it's WHO you know" mantra. 
 
That was a huge mistake.  Instead of fighting it, I should have embraced it and gotten to know as many infosec professionals as I could while I was in college.  There are tons of groups that meet regularly (and for free) in cities and towns all over the world. Become a regular in one of these groups and it will open a lot of doors.
I would say no. 
 
When I was learning this stuff, I had it in my head that every sysadmin was monitoring their logs 24/7 and would call the cops after the first nmap scan. That was good because it kept me out of trouble. 
 
As I gained real work experience, I found it was really easy to break into client sites without setting off any alarms - but that is what they were paying me to do.  
 
We've all heard of cases where well-meaning hackers have been sued or worse for pointing out a security hole and trying to work with the company to get it fixed. Don't put yourself in that position. Set up your own lab and learn on your own gear. It isn't as exhilarating, but that will make your real job that much more entertaining!
Yes I've only recently been attending conferences (DefCon & SecTor) and would recommend both.  Any conference you can attend would be to your benefit.  In terms of taking your skills to the next level, there is nothing better than spending time with like-minded people. 
 
Unfortunately, my current employer is not willing to foot the bill for a trip out to DefCon.  Last year I skipped it but because I know the value of attending conferences, I'm going out to Las Vegas on my vacation and paying out of pocket for the trip this year.  Most of my co-workers think I'm nuts (that's government for you).  I really believe that these conferences are a great learning tool.  Immerse yourself in the material, participate, meet interesting people - these experiences will stick in your brain a lot longer than what you read in Chapter 6 of the CISSP official study guide.
Canada
184 4-7 years Penetration tester No, but it helps Bash Scripting, Python, PHP, Batch Scripting Yes - but only to get through HR SANS/GIAC, CISSP During studies No need to waste 6.5 years studying computer science ... Stay legal! Smart Phone Bot Nets, Cloud Security, another decade of IPv6-hype without actual effect If you already know you want a career in infosec, choose a proper study path (maybe there are "infosec" courses of studies ... Definitely no! No   Germany
185 4-7 years Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst, Helpdesk No, but it helps Windows Powershell, Python, Batch Scripting Yes SANS/GIAC, CISSP Have always been interested, knew the person leaving the position I wanted (within the company I worked), and asked him to put a good word in for me. Had several other people put in good words, and I got the job. It's been going splendidly since then.   Keep learning. You can never ever know enough.     "No." Yes   USA
186 <1 year Penetration tester, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, PHP, Batch Scripting, VB, C# Yes SANS/GIAC An external audit highlighted the need for a Security Officer. The ability to dumb down the technical jargon to encourage my employer to take the security issues we have more seriously. Read, a lot. Build a lab. Do some SANS training. Try not to get too disheartened by the level of complexity you see on Security related blogs. 9 times out of 10 the author is just trying to make himself sound more intelligent than he actually is! For the infosec world? Mobile security. Nothing springs immediately to mind, try not to become too elitist. Absolutely not. 
 
Most companies are highly virtualised, it takes very little effort to move what are effectively live systems into lab. Don't be lazy!
Yes I've only attended SANS organised conferences thus far! UK
187 7+ years Penetration tester, Malware analyst, Log analyst, Incident response, IT Forensics No, but it helps Bash Scripting, Ruby, Python Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I thought "hacking" sounded cool so I started learning about Linux since that seemed to be the platform on which all the cool hacker tools were written. My first job was scanning slides and creating brochures for a small university dept. I continued to learn and develop skills on the side that they began to take advantage of. Within about 2-3 years, I was responsible for all sysadmin and helpdesk duties for that dept. Everything was Windows in the dept but I continued using Linux, learning about security tools, and responding to security-related emails on the university's mailing lists. My involvement in the community led to me being asked to become the security engineer for a large group within the university. Less than 2 years later, I was asked to join the security team for the entire university. 5 years after that, I was hired by a kickass security consulting firm. I wish I had focused on programming more when I was a student as I think that would help me a little more now. Have passion and don't be afraid to show it. It's something I specifically look for when hiring or looking for someone to collaborate with. Mobile is getting huge, Smart Grid and SCADA are getting necessary exposure finally. I didn't pay attention to an opportunity when it first came up because I didn't feel I was worthy. I came back and went for it 4 years later, but I was too naive to realize it the first time. Pay attention to opportunities and relationships! No. Have I done it? Maybe. But it's not a good idea. Yes DEFCON, ShmooCon, BSides Las Vegas. 
They are great places to learn about some of the cool things people are doing and get to meet many of the people you read about and speak to via IRC and Twitter. It's a great time to network.
US
188 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, Log analyst, IDS/Firewall admin, Sys-admin, Incident response No, but it helps Bash Scripting, Python, Batch Scripting Yes SANS/GIAC, CISSP, CompTIA (Security+ etc) Our company got an Internet connection, was sold a Sidewinder firewall, and I got assigned the task of managing it Intuition is important Don't be a prima donna. Ask for advice and input   Thinking I was an Expert!!! No! Yes   USA
189 1-3 years Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, Malware analyst, IDS/Firewall admin, IT Forensics Yes Bash Scripting, Python, C, PHP Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Someone hacked me when I was a child! And I needed revenge, not to hack back but to learn the defensive mechanism, and I can't excel in that if I don't know how to hack. Programming and system internals. Learn how to program in C, then write basic scripts in bash/python  
read about TCP/IP  
try to get basic certs: GSEC, Security+, CCNA
Cloud security and mobile security, which contains: hacking, forensics .. Never start using a hacking tool without knowing how it works 
 
Learn how tools are written and then you are good to go with using them.
Define practice? 
If it means only scanning and viewing I see no problem  
 
But if someone is really nasty and tries to bruteforce or to exploit or to SQL-inject the site, of course there's a big issue!
If you have nothing to do or are idle, it is definitely worth attending. Blackhat - advanced technical talks and basic-to-advanced training 
DerbyCon - geeky talks with awesome 2-day training sessions 
Defcon - a lot of experts will be there! And they have a great CTF
Saudi Arabia
190 1-3 years Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, Sys-admin Yes Bash Scripting, Python, C, PHP, Perl Yes - but only to get through HR               Yes   France
191 <1 year Log analyst Yes Bash Scripting, Python, Java Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP             Yes Source conference US
192 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, IDS/Firewall admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++ Yes EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) By chance, was working in networking and got seconded to Firewalling and IDS. Focus on a specific area. Get as many certifications as you can and then go after experience. Promote your abilities through social media and get involved in the community.     Nope. Yes BSides 
Shmoo 
44Con 
etc..
UK
193 1-3 years Malware analyst, IT Forensics No, but it helps Bash Scripting, Python, C Yes - but only to get through HR   Through wargames/challenges like PullThePlug, Caesum, hacker.org, dievo.org, ... n/a Be precise in what you do Security challenges around mobile & embedded devices n/a No. Yes Chaos Congress in Berlin is quite a good exchange, BlackHat (Europe) might be, never been there :) .de
194 7+ years Vulnerability auditor, Policy writer, Manager, IT Forensics No, but it helps Bash Scripting, Windows Powershell, Ruby, Python Yes - but only to get through HR CISSP I was always interested in computers during my time in the Navy.  I kept asking to be posted to a job involving computers.  I was finally appointed as the head of the Information Security organisation where I learned about security on the job. Everything. Learn about technology first; securing it will come later. Virtualisation and compliance issues. I thought concentrating on policies and procedures without specialising in a particular technology would be sufficient.  It isn't. Absolutely not.  If you compromise on ethics, you are in the wrong place. Yes Anything covering IT in general and security cons in particular India
195 4-7 years Vulnerability auditor, Log analyst, IDS/Firewall admin, Sys-admin Yes Bash Scripting, Windows Powershell, Ruby, Python Yes Hard question...  I'll clarify why I think certs are useful: they force/ensure the learner acquires general knowledge.  The certs themselves aren't useful except to get through HR, but the process of acquisition builds a person Being curious and wanting to learn   Be social.  Give back to the community.  Contribute on github to open source projects.  Write a blog.  Use twitter. Mobile As long as you are learning and growing, you are headed in a positive direction Heh, no Yes I highly recommend Defcon.  I haven't been to others, but the concept is the same.  Conferences are where you can meet people and network in real life USA
196 4-7 years Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, Incident response No, but it helps Ruby, Python, PHP Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, Offensive Security (PWB, AWE etc) Working at a large bank I was given an old HPUX box to administer; two years later one of the internal pen testers called me out of the blue and told me the password and that it didn't have a shadow file. I thought that was a cool job, to just break into stuff all day. I should have done pen testing sooner, as I'm a far better security manager now I can break and fix things cheaply rather than taking a checkbox approach. Read books and posts and listen to podcasts all the time. Smaller companies realising they need security people.   Obviously no, but I don't think the line is absolutely black and white. If a site looks old and crappy and says "secure" on it and it then baulks on a search with a ', is that "practice"? Yes Defcon, Shmoocon, DerbyCon etc etc, but as I'm in the UK these are all watching videos online mostly, thanks to Irongeek. UK
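The "site baulks on a search with a '" moment from the answer above, as an added example that is not the respondent's code: a search built by string concatenation raises a SQL error on a single quote (the baulk a tester notices) and returns a hidden row when the quote is followed by `OR 1=1`, while the parameterised version treats the same input as plain text. The table and its three rows are constructed sample data; the `products` table, `public` column and function names are assumptions for the demonstration.

```python
"""A stray ' in a search box: why the vulnerable query breaks and the fixed one does not."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table (not from any real site); row 3 is meant to stay hidden."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    con.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 1), (2, "gadget", 1), (3, "internal-only", 0)],
    )
    return con


def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    """String concatenation: the user's text becomes part of the SQL grammar."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in con.execute(sql)]


def search_parameterised(con: sqlite3.Connection, term: str) -> list:
    """Bound parameter: the same text is passed as data and can never close the quote."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in con.execute(sql, ("%" + term + "%",))]


def probe(con: sqlite3.Connection, term: str) -> tuple:
    """What the tester sees: ('ok', rows) or ('error', message) when the site baulks."""
    try:
        return ("ok", search_vulnerable(con, term))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "widget"))                    # ('ok', ['widget'])
    print(probe(db, "'"))                         # ('error', ...): unbalanced quote, the "baulk"
    print(probe(db, "' OR 1=1 OR name LIKE '"))   # ('ok', [...]) now including the hidden row
    print(search_parameterised(db, "'"))          # []: the quote is just a character
```

The error on a lone quote is the cheapest signal there is, which is exactly why the respondent's question is a fair one: the same request that reveals the bug is already executing attacker-controlled SQL on someone else's server.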
197 4-7 years Vulnerability auditor, Log analyst, IDS/Firewall admin, Sys-admin, Incident response No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Out of personal interest That infosecurity can be really frustrating... Learn as much as you can and keep a creative mind     No.. Yes Defcon, blackhat, Brucon, CCC,... Belgium
198 4-7 years Vulnerability auditor, Penetration tester, Log analyst, Incident response, IT Forensics, architect No, but it helps Bash Scripting, Python, C, PHP, C++, Batch Scripting Yes - but only to get through HR SANS/GIAC Part time sys admin work while an undergrad To pay much more attention in assembly and advanced programming classes Get a BS in computer science.  You need the fundamentals before you can understand the risks and how software and hardware are broken, otherwise you'll end up a script kiddie who just leverages other people's code and has no clue how it works or what to do if it doesn't work. Mobile and cloud Not taking sufficient time to dig into the more technical aspects of cpu/memory architecture Not without permission from those sites/companies Yes Shmoocon, Defcon - deeply technical and relevant.  I have not attended others that I would recommend (RSA, BlackHat) US
199 1-3 years Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, Log analyst, Incident response, IT Forensics, I am a director, I do not necessarily perform all the duties I have checked, I am trained in each of them (SANS certs) and I develop and manage the programs. No, but it helps Python, PHP, C++, Java Yes SANS/GIAC, Offensive Security (PWB, AWE etc) I was the Director of our application development team and I always had a strong interest in InfoSec as I was involved in answering the security questionnaires as we did not have an InfoSec team at that time. There was a major change to the HIPAA (healthcare) legislation that put our manufacturing facilities within scope of the act. That prompted the creation of a dedicated InfoSec and compliance team. We hired a CISO, I assumed the director role under him and we have now hired a staff of 6 people supporting our initiatives. I have taken 5 SANS courses since then and 1 HIPAA certification. This has all been since 2009.           Yes   Houston Tx
200 4-7 years Penetration tester, Policy writer, Manager, Incident response Yes Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting, Lua Yes EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc), Some are useful practically (offsec), others are to get past HR (CISSP has nothing to do with pen testing, but it helps you get noticed) Worked my way up from the ground up. Started taking on IT responsibilities in a small business and gradually got more well-rounded in administration and engineering. I started with cabling and soho networking and ended up being quite adept with large AD deployments, virtualization, exchange, etc. Security was an interest of mine from the beginning, so everything I did had a security focus. The transition to penetration testing was natural since I already knew how everything worked. People who go straight into security really sell themselves short. I worked primarily with MS professionally, but an early hobbyist interest in Linux and web apps helped round out the skill set. Linux and assembly. I feel like I've been working backwards for several years. My Linux skills are pretty good now, but this year I'm focusing on assembly and exploit development. There's no substitute for genuinely knowing what goes on behind the scenes and not having to rely on tools.  
 
The Coding for Penetration Testers book is a highly recommended starting point for any newbie (and it's great for more advanced users as well).
Don't focus on security. Focus on mastering various technologies thoroughly. Once you understand how something works, you will be able to both secure it and break it. Be patient and don't rush into security. Spend some time working with systems and/or networking professionally. This additional perspective will pay off immensely in the long run. 
 
Other pieces of advice? Improve your soft skills and understand business concepts. Don't isolate yourself. You'll limit your career if you're afraid to leave your bubble.
I think web apps are already popular, but I think that popularity is only going to increase over time. Wireless and VOIP will likely become bigger as well. I'll say virtualization instead of "cloud security" (focus on technologies, not buzzwords). Get involved with the community. Start a blog, interact on twitter, participate on ethicalhacker.net, etc. I've delayed this significantly because I never felt like I knew as much as everyone else, but that's always going to be the case. As long as you approach conversations with a polite curiosity (i.e. the opposite of "teach me how to hack!"), the community will welcome you. 
 
Since I put a decent amount of detail into this response, can I guilt you into following @infosiege? Having single-digit followers is crushing my ego ;) (Just kidding, it'd be nice to stay in touch, but no pressure)
If you want free room and board and desire a roommate that wants to "cuddle." 
 
Get written permission from someone who has the authority to grant it, or practice in a lab. The only exception is when a company openly states that it wants X service tested (be very careful to stay in scope though).
Yes DerbyCon and Shmoocon. I've been to neither but plan on attending both this year. The smaller, more intimate cons seem to be the most beneficial. DefCon is ok if you know people, but it's a zoo. A lot of people seem to be more interested in cosplaying in matrix outfits than learning and networking. There's undoubtedly a ton of talent there, but it can be difficult to find at times. World Toor looks insanely awesome, but it's pricey. For more professional conferences, RSA and USENIX seem to be a good choice. 
 
I think the best part of conferences is to network with industry professionals. If you're going to be an introvert and sit in the corner by yourself the whole time, don't bother going. The presentations are usually made available shortly afterwards, so unless you really can't wait a month or so for the info, you'd be better off saving the money and watching them online.
USA
201 <1 year Vulnerability auditor, IT Forensics No, but it helps Bash Scripting, Python, Batch Scripting Yes EC-Council (CEH etc), CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP Change of jobs, brought in to launch my expertise (data recovery / digital forensics) within the company, have ended up expanding my knowledge to start concentrating more on security, vulnerability scanning / ethical hacking. Previous systems I had set up weren't as secure as I thought! Do it, get following on twitter etc, you'll learn a lot, and you have a lot to learn, I know I still do!     Not really... If you do though, make sure it's not a previous employer and you don't get caught! Yes   UK
202 4-7 years Vulnerability auditor, Penetration tester, Policy writer, PCI auditor No, but it helps Bash Scripting, Python, PHP, Batch Scripting Yes SANS/GIAC, Offensive Security (PWB, AWE etc) Had always been interested in it, had many friends in various security roles... they pointed me towards some ways to focus my skills and I essentially talked my way onto a consulting team inside my company. Just how f'ed up internal IT security departments can be. Having always been an outside consultant it was easy to not realize how painful things are on the inside. Practice your writing and communication skills.   In many ways, they are far more important than pure technical skills, because ultimately the way to deliver value to people is to clearly explain the problems and how they can be resolved. 
 
Also, try to avoid getting caught up in the "conference scene".  It's an echo chamber that often creates more problems than it solves.
Mobile security, definitely. Don't limit yourself to what you think that you're 'good at' - always try new things. 
 
Also, don't be afraid to ask questions, even of the 'celebrities' in the security industry.  Everyone in this business is pretty approachable once you get past the egos..
Absolutely NOT.  They could be a potential client... Yes Defcon, local security conferences.  Useful to meet people, learn how much you don't know, and to immerse yourself in the culture... USA
203 7+ years Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, Malware analyst, Incident response, IT Forensics, Developer Yes Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua, VB, C#, impossible to say, depending on job Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc), anyone a manager may know Hard work,  
I spent 90% of my time to make myself good before I worried about getting a job in that area. I never asked for handouts, training, or anything outside my hard work to get here.  
 
Community, (power in numbers) 
One of the largest things about getting a job is not always what you know but who you know. There are multiple studies that show this to be true. Attend conferences, communicate on blogs, be in IRC, go to your local groups, do stuff to get around other people that are like minded and they will most likely look out for you to get a job when they have one come available.  
 
Open Source Projects, 
Develop your own or be part of a project. This can give you limitless chances to get hired by people looking at your work and also applies to the previous topic of being part of a community. Do well enough you might get swooped up by a larger company.  
 
Challenges,  
I suggest this one a lot and I just got a guy hired where I work because of this. Do challenges groups host. One of them might be hiring and they can give you that option but don't expect this to happen. Mostly just do challenges to get better. 
 
Stack a bunch of CERTs, 
I personally hate this method but it works. I have 1 cert and I don't even have it on my resume and I have made myself fairly successful with what I know and who I know but if that can't work get a bunch of certs and it will get you hired. I only have to say 1 thing, if you stack certs at least be able to do your job well.
Some of the best people in security are people you have never heard of.  
 
I did this myself but see others skip this, make sure you know the basics before you try the big boy toys. 
 
example: 
Learn what an exploit is before using Metasploit (at least an EIP overwrite) 
Learn TCP/IP stack before you use nmap 
Learn at least 1 language no matter how simple the language is.
If you are starting to learn security, make sure you know the basics first. All it is, is technology from a different perspective. See last example.  
 
If you want a career change to security practice some hacking techniques and do some challenges. This has to be specific to what type of security you want to get into.
mobile (Android, iOS) 
web I think is always a big issue just because of the number of hacks over last few years 
malware is always on rise 
 
Coming from an exploit developer I would say don't go down that road for a career. Not many jobs in that market and the doors are closing daily on access methods. I would suggest learning it though as a skillset for knowledge purposes.
Stay focused on one topic at a time. I like to tackle too much at once. I still do that a lot and sometimes have to step back and set a focus. 
 
Don't think just because you heard someone's name they are worth a damn. I have found out from experience sometimes the local guys blow away the skills of the known names.  
 
The local guys are too busy getting better to go out to parties at cons constantly.
Typically no because it would ruin your chance of ever getting in security if you get in trouble but places like facebook, google, and microsoft pay out for people finding bugs in their stuff. So hack away  
 
Also sometimes you might think you are hitting a small site and it is hosted by a major company. If you don't know how to be sneaky yet, which I assume you don't if you are starting, then don't do it.
Yes Really any conferences are good. It is more about meeting people than the conference itself. Security-specific ones help you meet people that can give you opportunities.  
 
security: 
Bsides 
shmoocon 
derbycon 
Local Security cons 
manager type conferences like RSA if you can get to them help for jobs 
 
Other: 
Linux user groups 
Programming conferences 
 
Also give talks, good ones, and you may get noticed. Don't think because you're not a big name you can't give a good talk.
USA
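The "learn the TCP/IP stack before you use nmap" point from the answer above, as an added example that is not the respondent's code: it hand-builds the 20-byte TCP SYN segment that a SYN scan sends, computes the RFC 1071 one's-complement checksum over the IPv4 pseudo-header, parses the segment back, and classifies a reply the way a SYN scan does (SYN/ACK open, RST closed, no answer filtered). The addresses, ports and sequence number are constructed; nothing is put on the wire, so it runs without privileges.

```python
"""Hand-built TCP SYN segment, the packet behind a SYN scan, with its checksum."""
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, offset/reserved, flags, window, checksum, urgent


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071: sum the 16-bit big-endian words, fold the carries, invert."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header the TCP checksum also covers: src, dst, zero, proto 6, length."""
    return struct.pack("!4s4sBBH", ip_bytes(src_ip), ip_bytes(dst_ip), 0, 6, tcp_len)


def build_tcp_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, window: int = 1024) -> bytes:
    """Minimal SYN: 20-byte header (data offset 5 words), SYN flag only, checksum filled in."""
    data_offset = 5 << 4
    hdr = struct.pack(TCP_HDR, sport, dport, seq, 0, data_offset, TCP_SYN, window, 0, 0)
    csum = ones_complement_checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]  # checksum lives at bytes 16-17


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """An intact segment sums to zero once its own checksum field is included."""
    return ones_complement_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed header; what a sniffer shows while the scan runs."""
    sport, dport, seq, ack, off, flags, window, csum, _urg = struct.unpack(TCP_HDR, segment[:20])
    names = [n for n, bit in (("FIN", TCP_FIN), ("SYN", TCP_SYN), ("RST", TCP_RST),
                              ("PSH", TCP_PSH), ("ACK", TCP_ACK)) if flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "header_len": (off >> 4) * 4, "flags": names, "window": window, "checksum": csum}


def classify_syn_scan_reply(flags):
    """How a SYN scan reads the answer: SYN/ACK open, RST closed, silence filtered."""
    if flags is None:
        return "filtered"
    if flags & TCP_RST:
        return "closed"
    if flags & TCP_SYN and flags & TCP_ACK:
        return "open"
    return "unexpected"


if __name__ == "__main__":
    seg = build_tcp_syn("10.0.0.5", "10.0.0.9", 40000, 80, 0x12345678)
    print(seg.hex())
    print(parse_tcp(seg), verify_tcp_checksum("10.0.0.5", "10.0.0.9", seg))
    print(classify_syn_scan_reply(TCP_SYN | TCP_ACK), classify_syn_scan_reply(TCP_RST | TCP_ACK))
```

The checksum covers the pseudo-header, so a segment that verifies against one destination address fails against another; that is also why NAT devices have to rewrite TCP checksums, a detail that explains more than one confusing scan result.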
204 7+ years Penetration tester, Reverse engineer, Malware analyst, Log analyst Yes Bash Scripting, Python, C, C++ Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Working on Unix machines in the '80s Don't know. Persevere, one single step at a time. Mobile No. No. Yes Brucon, Black Hat, Hack.lu Belgium
205 7+ years Vulnerability auditor, Policy writer, Manager, Incident response, risk management No, but it helps Bash Scripting, Windows Powershell Yes CISSP, CISM, CISA etc... Via tech support into architecture, ensuring compliance to security policies 
From within the architecture team, obtained qualifications and developed the security architecture function. Then into infosec management.
Nothing really matters except understanding the methodology and the fact that you can't know everything. Know 27001 and COBIT Bring your own device - the management of personal devices in the corporate arena If you want to specialise, do so early on, but be prepared to be pigeonholed Legally no. Stay within the law Yes Infosec Europe and any freebies from local groups. UK
206 7+ years Vulnerability auditor, Penetration tester, Policy writer, advisor, security architect, director, hacker No, but it helps Bash Scripting, Python, C, PHP, C++ Yes - but only to get through HR certified experience ;-) Developed an (un)healthy interest in network security at university. Set up a local 2600 group, learned to break stuff, fix stuff, worked building the Internet, then learned how to secure it. Worked for some companies, then decided to work for myself.   Lots of research, practice and experience. Get a good grounding in all areas. Understand the ethics of what you know and do. Always know where the line is. 
Learn to use tools and develop your own techniques/methodology.  
Understand that someone will always do or figure out something that you haven't thought of.
ipv6 makes things interesting.  
smartmeters, when they are rolled out really badly en masse. 
badly done NFC
Working for the man for too long. There are plenty of places in the world outside the jurisdiction of the UK/EU/US to practice on. They are most certainly "practising" on us. Yes Hxx (Ohm2013), CCC, Defcon. 
Back in the day, DNScon (http://www.dnscon.org/) used to be good, but has gone now. UK based conferences seem to be based around making money and selling training.
UK
207 7+ years Log analyst, IDS/Firewall admin, Sys-admin, Incident response Yes Windows Powershell, Python Yes - but only to get through HR SANS/GIAC, Offensive Security (PWB, AWE etc) Sysadmin in computer labs for 3 years, then sysadmin at an ISP for 14 years, then dedicated security eng at a bank for the last few years. When I started out in computers, the correct way to program and a better understanding of programming basics. Understand how to admin the network and systems first, understand the user's perspective and then start with security to better understand the balance.   You can lock something down so much it is unusable; without that background in the day-to-day tasks of running them you may not understand.  Also, the biggest thing I find doing internal vuln tests at my work is misconfigurations, which I know about because I admin'ed those types of devices.  (i.e. a NetApp with the default ifs share that contains the /etc dir, which you can mount r/w)   There is no Nessus check for that     The internet is the wild west; if you don't want to be tested on, don't put it out there. Depends If you are going to the sales floor at RSA or if you are going to a BSides and hearing what's going on.  I would have never known about the PTES without going to BSides, I am sure. USA
208 7+ years Penetration tester No, but it helps Bash Scripting, Ruby, C Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme) Started out as a teenage hacker, became a sys admin after uni but quickly became disillusioned so did a masters in InfoSec and moved to London. I started at a VAR as a security engineer but covered their pen testing as well, eventually running the team. It's not all about the 0 Day. Read ALL THE THINGS. But seriously, read what people are producing, be social and try things for yourself. Bring your own style to the table. Building Management and Maintenance Systems are going to become something big over the next year. Never give a new guy a licensed copy of Nessus Pro/Nexpose. Make them figure it out manually and see what happens; if you get good results you have a good tester. They can then have Nessus as a reward. I'm not a huge fan of this, I usually ask before I play. But then again there are sites like Microsoft, Facebook and Google that explicitly allow you to test, so go hog wild on those. If it's something you can install on your machine however, that is a different story. Go crazy. Yes BSides, 44Con, Defcon and any regular local meets. Big cons like Blackhat are not worth the money in my honest opinion; the talks are watered down versions of what you see at Defcon a few days later. UK
209 4-7 years Penetration tester, Manager, IDS/Firewall admin, Sys-admin, Helpdesk No, but it helps Bash Scripting, Python, Java Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, CISSP Through a University friend introducing me to a group of IT Security Professionals. My Degree wasn't really that worthwhile for this industry.  The Degrees now are better because you get some that focus on the security elements of IT.  Back when I did my degree it would have probably been better to not have bothered and instead started to learn the trade, and I would have been further along in my career by now. Get a good grounding in fundamental networking and WebApp technologies.  Start learning the various techniques on OWASP and the like.  Download some of the attack labs and practice. Mobile Would have started in Security earlier instead of waiting 11 years into my career. No, even with permission it's still technically a crime. Yes BSides - Good quality talks and a free event that's only 1 day so easier to justify time off work. Good to mingle 
Owasp - Some good talks, free and its after work so no contention getting time off for the conference.  Good to mingle
UK
210 7+ years Vulnerability auditor, Policy writer, Log analyst, Sys-admin, Incident response No, but it helps Bash Scripting, Windows Powershell, Python, Batch Scripting Yes EC-Council (CEH etc), SANS/GIAC, CISSP, CISA/CISM Transferred to communications in the Air Force in 1999. Worked System admin/engineer duties and started firewall and security duties in 2000 time frame. Hack more, and don't think things are out of reach. You can learn what you put your mind and heart into learning. Be on helpdesk someday, this is not just a job for the administrators. You learn more from helping users with their problems than you may think. Be curious, and persistent. Reach out to others, either via 2600 meet ups, or some other place where you can meet others. Learn to carry a conversation and how to listen. Home goods...ZIGBEE and other such devices are going to come out, and come under some real fire when they encounter issues/hacks. 
 
Hardware...either manufacturers get the idea that people don't want neutered shit, or they continue to get jailbroken. Microsoft finally got the hint with the Kinect, but what about their next project and who is next to figure it out? 
 
Also wireless has a great life ahead of it for failure...unless the standards bodies get their act together.
Start early when you can still afford to take some drawbacks with your career. Such as lower pay, and intern positions. Ideally this is a hardline NO, but then I say it depends on what is being "practiced". An xss popup on your own system is pretty hard for me to feel that's malicious and inappropriate in most cases. SQLi on the other hand, is not acceptable in any way, get a WebGoat instance for that stuff. Yes SANS, DEFCON, DERBYCON, CANSECWEST, B-Sides 
 
Sans being one of the few "vendor" conferences is no mistake. They teach good skills, it's then up to the individuals to prove they can put them to good use. The less formal Cons are very worthwhile because they get back to the roots of hacking being a curiosity and informal group activity of sharing information and learning.
US
211 7+ years Penetration tester, Policy writer, Manager, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, C# Yes - but only to get through HR CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Have been hacking stuff since I first saw a computer in 1996. Worked as a sysadmin/network admin for about 8 years before being in the right place at the right time to fill a vacant security manager position in 2007. Get on twitter!!!!!!!!!! Get on twitter!!!!!! Mobile.   Depends entirely on that site/company's approach.  Google, for example, encourage and reward you for hacking their site.  If the site doesn't explicitly allow it, you're breaking the law.  Whether you think it's ok or not is irrelevant, get caught and you're going to prison. 
 
OK, that's my official answer.  The line is not so clear.....I think you'd be hard pushed to find anyone in this industry who hasn't at some point hacked a website they weren't authorised to, cracked somebody else's wireless network or generally hacked without consent but, crucially, without malice.
Yes BSides London - great crowd, good for meeting like-minded people. 
BruCON - great talks, international pull, good beer. 
hashdays - enjoyed the talks and hanging out with some of the "big names" in the industry who you can learn so much from. 
 
Ultimately though, being good at infosec is about knowledge.  Learning and sharing and conferences are great for that.  A lot of the time it's the corridor track which is more valuable than the talks.
England
212 4-7 years Vulnerability auditor, Penetration tester, Manager, PCI auditor, Reverse engineer, IT Forensics Yes Bash Scripting, Ruby, Python, C, PHP, C++, C# Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP https://www.sfs.opm.gov/   Learn about everything better than anyone Mobile Assuming everyone is going to be happy and receptive when you detail how you broke into their systems and how they should fix it. Is it OK to break into someone's house and look around if you don't take anything? Select ones and not for the talks Defcon for its size. Lots of people to meet US
213 7+ years Vulnerability auditor, Penetration tester, Exploit developer, Incident response No, but it helps Bash Scripting, Batch Scripting Yes - but only to get through HR CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, Offensive Security (PWB, AWE etc) By interest during my uni times Connections, good people to learn and share knowledge. Be passionate, continue to learn, self educate. 
No training is enough apart from self-education and effort. 
 
Understand business.
Quality pen testing. Impressed by "known" white hats and disappointed when I finally met them or worked with. Several of them are arrogant and not that impressive. No, never. No   Europe
214 7+ years Penetration tester, Policy writer, IT Forensics Yes Bash Scripting, Windows Powershell, Python, C, Batch Scripting Yes - but only to get through HR SANS/GIAC, CISSP Military training to be a programmer, then sysadmin, then network admin. Management is for pussies, stay close to the technology. Start someplace else where you can make money and then get into it from there. ai Consulting fucking rocks it.  Get someone to pay for your training and then after a few years go it alone or with a team. Yes and no.  It's complicated.  I think it is morally ok, provided nothing is modified, lost, etc, but I also think there should be consequences of getting caught.  It's good that it's illegal, it keeps the noise down.  OTOH, it's very useful for practicing.  If someone doesn't pull the shades and I can see in, that's their fault, not mine.  But once I start lurking in their yard for a better view, that's crossed a line.  You also shouldn't blab about it or publicize any problems you find, but you should tell the owner, anonymously.  And don't get caught.  Challenge accepted. Yes shmoocon, derbycon, hope, summercon, defcon, hack3rcon, and any other con with hackers and booze. North America
215 7+ years Vulnerability auditor, Policy writer, Sys-admin, Helpdesk, Network Admin/Architect No, but it helps PHP, Java, Batch Scripting Yes SANS/GIAC, CISSP, CompTIA (Security+ etc), CISA, CISM My very first exposure to IT security was as a university student in working in operations for the Academic Computing Center back in the dark ages -- 1983.  Most people were generalists at that time.   Within 3 months I was promoted to the help desk and picking up programming, analysis, and sys admin contracts. 
 
Today, I would urge students to pursue internships or do volunteer work focused on the latest trends like SIEM, vulnerability testing, and telecommunications.
Marketing, and industry organizations like ISSA, SANS, and ISACA.   It's not what you know a lot of the time, but how you can market yourself, especially as a female in a very male dominated sector. Connections.  Join the ISSA and IEEE as a student, and immediately begin to build mentor and colleague relationships.   These organizations will also help with certification training and keeping pace with industry trends. 
 
For example, my chapter of ISSA received a visit from RSA last fall with a breakdown of their breach, and lessons learned and recruitment offers.
Mobile and wireless, especially as more consumer gadgets emerge.   Virtualization vulnerabilities, and breaches of cloud providers.   Too many providers are getting into the cloud arena too quickly without adequate precautions -- look at the big Amazon crash, and the use of Amazon by black hats and nation states in attacks. Specialized in Cisco in networking.   Juniper dominates the telecom marketplace and is beginning to make inroads into It depends.   If you're just running a vulnerability scan or poking around that doesn't substantially impact performance, sure.   Causing a denial of service?  No, that's unethical. Yes SANS -- they also offer volunteer posts where you can audit their training for free, then follow up with on-line courses to complete your certification 
 
WORLDCOMP -- latest academic research and connection.  I presented there last year 
 
IEEE -- especially in wireless communications and other technologies 
 
SecureExpo -- latest products, vendors, great networking opportunity 
 
RSA / Guardian if you're interested in CEH or PENTest 
 
ISACA if you're interested in audit and compliance
USA
216 1-3 years Penetration tester, IDS/Firewall admin, Sys-admin Yes Ruby, PHP, Java Yes CISSP, Offensive Security (PWB, AWE etc) Making my own website, and it got hacked. I don't know. Learn a lot. Mobile security. no. No. Yes Defcon, Hack In The Box, Shmoocon, Derbycon. 
Reason: Don't know, but heard a lot about them.
Netherlands
217 4-7 years Penetration tester, Sys-admin, Helpdesk No, but it helps Bash Scripting, Windows Powershell, Python, Batch Scripting Yes Vendor specific, SANS/GIAC A friend was doing his senior project on Snort and I was helping him out and I came across the PaulDotCom site and that opened my eyes and changed my world and got me interested in security.  This was in 2006. Networking. Learn all you can about networking and learn how to script proficiently, find a mentor and get involved in the community. I am really interested in quantum computing and 3D printers. Getting burned out. From a legal standpoint I say no.  Lawyers are expensive and jail sucks.  Also, once your name is tainted it can be hard to regain trust. Yes I have only been able to go to Shmoocon and I had a decent time. US
218 7+ years Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, IT Forensics Yes Bash Scripting, Ruby, C, Lua, VB Yes - but only to get through HR CISSP Released some papers which led to my first job as a pentester. A better understanding for weighting "theoretical risks" and "business impact". Enjoy what you're doing -- It's the most important aspect of success. Mobile security, cloud-based services, IPv6 (finally?) no Not really. Simple mapping and dedicated scan access might be okay. But full-blown scans or even exploitation is dangerous and wrong. Yes Everything that is not vendor/product driven Switzerland
219 1-3 years Vulnerability auditor, Penetration tester No, but it helps   Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) A lucky break.   Start with a solid foundation in networking, systems administration, Linux and a decent programming language like Ruby or Python. Cloud based computing and associated attacks.   Of course not. Yes   UK
220 7+ years Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, IT Forensics No, but it helps Bash Scripting, Windows Powershell, Python, C, PHP, C++, Batch Scripting, VB, Assembly Yes EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Program of study at University that offered elective options for Security. That programming has a significant place and should be encouraged if not required. Hope you have great reading, comprehension, and retention skills. Pen-testing for medium and smaller businesses as well as cost-effective Security consulting and services for medium and small businesses. Have a stronger commitment when starting out. No. Yes Derby Con - still small which gives a more personal feel and touch. United States
221 1-3 years Malware analyst, IT Forensics No, but it helps C++, Batch Scripting Yes - but only to get through HR SANS/GIAC, Offensive Security (PWB, AWE etc) In university with some virus samples and doing recovery HD in my house   Dedication is the key, and specialization too. Choose one area and focus then. In Latin America the market of security is rising very quickly, it's a good opportunity to start studying forensics and penetration tests now I try to do a lot of things at the same time, it's wrong... focus is the word, choose one or two areas and focus! No. Yes Defcon, BlackHat, I shoot the Sherif, H2HC, Ekoparty Brazil
222 7+ years Vulnerability auditor, Penetration tester, Policy writer, Sys-admin No, but it helps Ruby, Python, C Yes Offensive Security (PWB, AWE etc) College Just how worthless the "big" certs are.  CISSP/C|EH, etc.  I would have spent the time studying for those on self-learning given the right pointers Buy a copy of the Art of Exploitation (or similar), work through it, and see if you're in love with it. Mobile devices and networks I would advise listening to anyone else with an opinion on what you're doing.  This industry is full of "experts".  Be your own expert and just keep learning. No. Some DerbyCon, BlackHat Training (not the briefings) United States
223 1-3 years Penetration tester No, but it helps Bash Scripting, Python Yes - but only to get through HR SANS/GIAC, Offensive Security (PWB, AWE etc) a friend got me hooked. I blame them now. That this industry really does run on passionate people. Don't.  
 
Please do not join this field if you are not willing to learn or keep an open mind. A CISSP/IAM/IEM/CISA/CISM does not in any shape, way or manner make you a good security professional. 
 
I have seen too many security "consultants" that cannot find their way out of their home directory on a Linux machine. 
 
A keen eye for things, the ability to work independently and an open mind would.
  Yes, working for cheap. I wouldn't approve of it but ymmv. Yes   Singapore
224 4-7 years Vulnerability auditor, Penetration tester No, but it helps Bash Scripting, Python, Perl Yes Vendor specific, SANS/GIAC, CISSP Always been interested in it, so I knew the vocabulary, and had some cursory experience. Made some friends in the security group where I work, and found out from them when positions opened up. Interviewed, and - here's the key - clearly and honestly represented my experience (fairly low) and interest (innate) and what I do on my own to develop it. 
 
I got the job, and my team had reasonable expectations of me from the start.
There's always far more to learn than there is time to learn, so pick something that interests you and dig into it. Don't worry if it's directly relevant to a particular job. The value for you is developing your mindset, and a deeper understanding of some specific topic. Those lessons easily map to other areas. 
The value for your job search is that it shows you have initiative, and a developed skill in some area. A good employer will know that you can apply that again in other areas.
Same as above: 
There's always far more to learn than there is time to learn, so pick something that interests you and dig into it. Don't worry if it's directly relevant to a particular job. The value for you is developing your mindset, and a deeper understanding of some specific topic. Those lessons easily map to other areas. 
The value for your job search is that it shows you have initiative, and a developed skill in some area. A good employer will know that you can apply that again in other areas.
Mobile   Only if you don't mind always looking over your shoulder, and are willing to go quietly to jail when you're caught. The statutes of limitations are far longer than you think, and more data is collected than you can imagine. If you're still in the "practicing" stage, you won't be able to hide your activity anyhow. 
 
So, no. 
 
There are plenty of resources where you can practice safely on your own hardware. Vulnerable VMs from OWASP and Metasploit and others. You can always work on exploit development locally, based on info from exploit-db if you want a head start. There's no reason to "practice" on other people's systems without their permission. 
 
Look at the bug bounty programs - some companies don't mind if you practice on them, so long as you follow their terms.
Yes Not sure on this one - I'm leaning towards the smaller, community-driven ones like B-Sides (because they're cheaper, so you can pay your own way, and more personal, so you can make professional friends), but I haven't been to any of them yet, so can't really say. USA
225 7+ years Manager, IDS/Firewall admin, Incident response No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, Batch Scripting, VB Yes - but only to get through HR SANS/GIAC, CISSP Migrated in from Network Admin Security is about balancing risk with usability Run!!  Run Away Fast!! Mobile Device Security   Never.  Damages trust and introduces potential for mistakes. Yes Various Hacker Cons.  Good research presented in large quantities in short term USA
226 4-7 years Vulnerability auditor, Penetration tester, Policy writer, Manager, Malware analyst, Incident response, IT Forensics No, but it helps Ruby, Python, C, Java, ASM, PASCAL (I refuse to let this one go to waste!) Yes CISSP, CRISC Job: I was an auditor and noticed something that didn't look right.  Being a part of the incident I migrated to the security team.   
 
General: I was a kid who was babysat by a 1200 baud modem.
It isn't as difficult to start.  In 1 year I was able to learn enough to be considered "advanced." If you want a career in security why don't you have one?   
 
Security is and should be involved in every aspect of IT.  If you don't have a career in security then it is because you don't want one.
I see Linux becoming as easy to exploit as Windows. No. Never! Yes Derbycon! Everything about this con is amazing.   
 
I am getting older and more cranky!  Defcon had too many people and I hated waiting in line for food!
US
227 7+ years Manager, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, IT Forensics No, but it helps Bash Scripting, Python Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP   How important networking (people) would be, and how important a college degree is.       NO No   US
228 4-7 years Vulnerability auditor, Penetration tester, Sys-admin No, but it helps Bash Scripting, C Yes CISSP, Offensive Security (PWB, AWE etc) I started researching security, hacking, pen testing, etc. during college because I thought it was extremely interesting. To learn more programming/scripting. 
 
Start getting into hash cracking earlier.
Setup labs (with VMs) and try to get as much hands on experience as possible.   I wish I was more into exploit development, reverse engineering, and malware analysis. No Yes Carolinacon - Great first conference for people who haven't been to any/many.  Small where you can meet and interact with a lot of people. 
 
Shmoocon - A good solid conference with a great chance to meet new people and learn a lot from topics presented. 
 
Defcon & Blackhat - Same as Shmoocon
USA
229 1-3 years Sys-admin Yes Bash Scripting, Windows Powershell, Ruby, Python Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) i don't work in it yet.  but, as a hobby...i stumbled across a hacker message board a few years ago, someone there convinced me to give linux a try, which led to me getting back into programming, then starting to learn networking, then starting to learn security. i'm not sure yet, since i'm still trying to get my break. again, i'm not sure, since i'm still trying to get my break. even though it's not my field of expertise, i think mobile security is the next up and coming field, since smartphones are so ubiquitous, people are lax about them, and mobile malware is becoming so rampant. my career before computers :) absolutely.  if the vulnerability is out there, someone is going to find it...better by a curious researcher than someone malicious. Yes Shmoocon is my favourite, since it's big enough to draw top people, but small enough that everyone is accessible.  also, Security B-Sides events are worth so much due to their informal nature.  they have the best hallway tracks of any cons i attend -- there is so much networking that goes on despite feeling no pressure whatsoever to network. united states
230 4-7 years Vulnerability auditor, Penetration tester Yes Bash Scripting, Python, PHP Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I was always involved in IT, but a DoD Red Teaming assignment while on active duty in the US Army forced me into the security field. Besides what I've learned in terms of skills, nothing. I had great mentors that made sure I knew how it was, so there were no surprises. If you don't have passions for security, don't do it.  It takes large amounts of dedication to succeed.  Doing it for the money won't be motivation enough to get you to the top of the field. Ever changing web technologies. Resist the temptation to make things seem all about "me".  While notoriety and reputation are very important in this field, there is a fine line between arrogance and presenting cool research with self confidence. Hm.... depends on the vulnerability.  For example, reflected XSS against a live app affects no one but yourself (outside of SE).  However, Stored XSS actually leaves residual information on the server which may affect other users' experiences with the app.  That's crossing the line. Yes Shmoocon 
Black Hat 
Defcon 
DerbyCon 
... 
NETWORKING!!!!
United States
231 7+ years Penetration tester, Red Team member Yes Ruby, Python, C, C++ Yes CISSP, Offensive Security (PWB, AWE etc) I was given the chance to do incident response and got addicted to it. After that I moved on to having to administer the devices IR team used, then went into security planning, back to IR as a leader, and then on to pentesting and finally red teaming Patience Learn and spend time with the things you are meant to secure. If you are IR, be an admin, if you're a pentester, you need to know as much about the majority of stuff you'll be attacking as possible. But it comes down to knowing inside and out the things you are meant to secure. None, I think we need to fix what's broken before we move on to the new stuff. Trust but verify. If you learn something, do it yourself, or look it up yourself. See if it checks out before you start telling others about it. No. You will never know what those sites and companies will interpret as 'damage'. It's not worth the court or jail time. Yes All of them are good for networking, and there are always 1 or 2 good talks that happen. US
232 4-7 years Malware analyst, Sys-admin, Incident response, IT Forensics No, but it helps Bash Scripting, Python, C Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Police Cybercrime investigator Avoiding C at uni would make my life difficult later. 1. Don't be a fucking pretender, there's plenty of them around already. Do the hard yards. I won't say mobile because I'm sure everyone has said that. 
I'm not sure, depends how far off you mean by "Next up and coming". 
ARM exploitation is going to go gangbusters in the next couple of years, that's for sure, but I hope the big mobile OS makers can prevent the carnage. Unlikely though.
I didn't have a plan.  
At least get a rough compass bearing and recognise what sub-fields are not on that path, rather than wandering the great plains of security picking up every shiny rock that catches your eye.
Not if you value your career or freedom. 
Morally speaking the answer has to be no too as you never know when a site will behave unexpectedly and break something unintended.
Yes I won't name names as I haven't been to most of the ones I *really* want to (with the exception of a B-Sides) but just wanted to say that they are good for the contacts made. The presentations are generally nothing you haven't already read about and it is usually the stuff that happens outside that is of most long term value. My employer has certainly benefited from the contacts I've made there, but I don't know if it's the most efficient use of ever decreasing budgets - particularly for people like me who have to travel half way around the world to go to the good ones. 
 
I have a bit of a philosophical diatribe about that, but I'll spare you. The take-away is: there has to be a better paradigm where employers get better value for money but everyone still benefits. I have no suggestions as to what that may be though as all the alternatives I've thought of have pretty deep flaws too. 
 
That is all.
Australia
233 4-7 years Vulnerability auditor, PCI auditor, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, Java, Perl Yes Vendor specific, Offensive Security (PWB, AWE etc) I was persistent.  
 
I had 0 idea what I was doing but showed up at Summerc0n 2003 with the intent on learning.  
 
I would try to read things and keep up on industry goings on. Build a Lab and mess around with stuff.  
 
When the company I worked for created a dedicated security practice myself and 3 others were added to the team. I shifted focus into virtualization and storage for a bit, but, I'm trying to bring my focus back to security.
Pick 1 direction e.g. (wifi or vuln scanning or learning attack tools) get comfortable with it and then move on to the next direction.  
 
It's good to be thorough. It can suck trying to learn 10 things at once because though you are getting exposed to a lot you are also being spread quite thin.
Speak in fact.  
 
Learn that it is ok to say "I don't know". 
 
Build a lab/playground and play. Play all day, play for hours, seek help.
Protecting Privacy. 
 
Defense, Defense, Defense! (it's the new sexy). 
 
Sadly, the FUD of "the Cyber Warrior".
I tried to learn a bunch of stuff at once. No. Yes Summerc0n, the attitudes are great and the presentations are stellar. 
 
Shmoocon, there are some great talks and the ability to meet like minded folk. 
 
I've never been to but would like to go to Derby Con and/ or a BSides event.
United States
234 1-3 years Vulnerability auditor, Penetration tester You should understand how computers work, and programming is one way Ruby, Python, Java, Perl Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, CISSP, Offensive Security (PWB, AWE etc) Creating my own path, people in Costa Rica think, nothing bad will happen to them, and only financial institutions take security into account, in part because of international regulations like PCI and in part because they don't want to pay fines when their customers money has been gone from their accounts. 
 
It's been very hard because people don't want to invest in security, they don't think a vulnerability assessment or a penetration test give them any value to their business.
I really can't say, maybe because I'm not 100% into security as I would like, because of the market I have to do other things and occasionally do security, but I would have liked to have Backtrack 10 years ago, it would have helped me to get more in-depth knowledge. Read a lot, practice, have a pentest lab or at least access to one, destroy and try to fix things, also, understand how networks work, a lot of people don't understand simple/basic things like DNS, DHCP, SMTP, HTTP, switch/hub, etc. Mobile security, after that personal (as tech implants) security and space security (as in rockets and satellites) Sure try to do it yourself, the best way to learn is to get hired in security and do your own research. No, it's like saying it's OK for you to practice paintball with my car because it won't do any damage. 
 
It has a cost for the company to look at that "practice", and it's not OK to make people lose money.
I can't tell, never been to one Costa Rica is so small that people don't know about security conferences, it could help you for having new weapons/knowledge in that others don't. But won't help you to get a job here. 
 
Either way I believe Shmoocon, BlackHat and DefCon
Costa Rica
235 7+ years Vulnerability auditor, Penetration tester, Manager, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response No, but it helps Windows Powershell, Ruby, Python, PHP, C++, Java, Lua, Perl Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP Playing other games on the network in first grade than what I should have been got me in trouble and I have been hooked ever since. How much push back there is to spending budget dollars on security in general. Get used to failure and be able to overcome it.  Security always fails, it is more important that you know that it fails and how you react to it when it does. Information security at a large scale.  More companies are collecting more data than ever before and it is increasingly easy to access vast amounts of PII.  Forensics is also a very big field and will become even more complex with personal file encryption and VP(S/N)/Anonymizers becoming close to mainstream geekery. Not specializing.  I have a tendency to try to learn something about everything which progresses to trying to learn everything about everything, which is very difficult to do and even more difficult to keep up with.  Branch out and work in teams and become an expert in a few things.  The most successful teams will have individual strengths and should be comprised of several areas. Not even a little bit.  But........it does happen and "no harm, no foul" is tempting to some. Yes Security B-Sides (good info, great price) 
SANS Network Security (great location normally, pricey, great info)
USA
236 7+ years Vulnerability auditor, Penetration tester Yes Bash Scripting, Windows Powershell, Python, PHP, C++ Yes - but only to get through HR EC-Council (CEH etc), CISSP, Offensive Security (PWB, AWE etc) With a passion for computers and tech at a young age. This is a lifestyle not a job. Try harder. Mobile Devices Nothing I would admit, don't get caught. Of course not. Yes Defcon, Shmoocon, Torcon US California
237 7+ years Vulnerability auditor, Penetration tester, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk Yes Bash Scripting, Windows Powershell, Ruby, Python, PHP, Batch Scripting, Lua, Perl Yes Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Working as a firewall and network admin and started to focus on security controls.  Then I started a Master program with a focus in Info Sec from Capella university.  Then things just snowballed from there...Sec+, CISSP, CCSP, SANS, and etc. To program better, and more protocol level stuff start out as system admin...then a network admin or DBA, then get into security. 
 
If you start in security, you don't know the pains of being in IT.  you have to crawl and walk before you run...security is a MAD SPRINT.....but it lasts as long as a marathon
Cloud security and the security controls and auditing of the cloud... 
 
wait...we first must define the cloud...aahhhhh 
 
isn't that where rain comes from...LOL..
thinking security is a product or vendor.   A FW is not security, IPS is not security, and so on... 
 
all together is part of security
depends on if you like taking group showers... 
 
LOL 
 
it's too risky nowadays...while I think in the past it was okay...today you are asking to get caught and then take group showers...
Yes Any SANS, the interaction is great and network opportunities are huge 
Defcon, it's fun...but can be crowded 
Cisco Live, you get a chance to find out how many of the systems work and where the system might be weak. 
Other Cons are fun and are helpful, go if you can
US
238 7+ years Vulnerability auditor, Penetration tester No, but it helps Bash Scripting, Ruby, Python Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Managing firewalls. Was phreaker as kids (1990s) Dealing w people Diversity in learning Mobile devices...open scope testing   Not at all Yes Defcon, derbycon USA
239 7+ years Penetration tester No, but it helps Bash Scripting, Ruby, Python Yes - but only to get through HR SANS/GIAC             Yes    
240 4-7 years Vulnerability auditor, Policy writer, Manager, Log analyst No, but it helps Bash Scripting, Python, PHP, Java, Batch Scripting, Perl Yes SANS/GIAC, CISSP, CISA, CISM Learned it on my own, books and the web, then started taking certs, then started asking for security work, then was given chances once I demonstrated the effort and sincerity. People don't take you seriously if you have never managed firewalls. Learn, practice, get involved. That changes daily. Web security is always evolving, mobile, cloud, virtualization, etc. Anything is good experience. Especially if you regret it. Absolutely not. If someone is willing to pay   USA
241 7+ years Vulnerability auditor, Penetration tester, Exploit developer, Malware analyst, Log analyst, Sys-admin, Helpdesk, IT Forensics No, but it helps Bash Scripting, Python, Batch Scripting, Perl Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Through the Military Research and notes Research everything Reverse Engineering DO NOT BREAK THE LAWS! No Yes DerbyCon 
BlackHat 
DefCon
USA
242 7+ years Manager, Sys-admin, Incident response, Security "Architect" You have to be able to automate tasks - which usually means scripting at the very least Bash Scripting, Windows Powershell, Python, Java, Perl Yes - but only to get through HR CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Was a programmer, applied for a job at a University, joining their IT Security Team People don't do security for a reason - it spoils their work / fun / ease of use.  You need to temper all your suggestions for improvement with this in mind. Show a basic level of understanding across multiple disciplines; networking, programming, Windows, Linux, etc. - not all, or in great depth, but something other than "I know how to rebuild a Linux kernel, but I've never touched a switch". The law of unintended consequences will continue to apply - c.f. SCADA, Cloud data storage, etc., etc. Considered only the security angle.  The system still has to be functional at the end of it. No.  No, and No. Yes Anything with actual information from other ITSec professionals, not just vendors selling wares. UK
243 1-3 years Penetration tester, Sys-admin, Helpdesk No, but it helps Bash Scripting, Python, C, PHP, Batch Scripting, Perl Yes - but only to get through HR SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) I heard an interview when I was younger with Kevin Mitnick. I bought his book and really responded to pen testing. Linux. I was very light on it then but now it's my only OS. Breathe it. Don't just read about it but get involved. Live it. SQL is a massive portion but the next big thing is lack of vendor support for IPv6. Being cocky. You might know more than the typical sysadmin but don't try and make them sound stupid. NO. Build a test network or have a friend build it, then break it. It may be funny to you but you're costing jobs and reputations for your shits and giggles. Yes Blackhat because of networking possibilities. 
Defcon because of the people. 
Shmoocon, people again.
Canada
244 7+ years Penetration tester, Policy writer, Manager, Reverse engineer, Malware analyst, Incident response, IT Forensics It helps, but it really depends on your focus and requirements. Ruby, C, Java, Batch Scripting Yes - but only to get through HR SANS/GIAC, CISSP A standard tech support position that included defending against phreakers, then onto telecoms security defence and then networks/computers.  Essentially, I realized I had security abilities and enjoyed that portion of the job.  Recognition and hard work allowed me to focus my career out of technical support/design into a pure security environment. Nothing comes to mind. Non-technical skills are also a requirement (i.e., the ability to relate to others, to communicate, and to be humble). 
Also, I see some beginners lack focus and the ability to concentrate for long periods of time.  Are you skimming the document or actually digesting it?  First you get good, then you get fast.
Embedded/portable devices.   No, no and no. Yes Any of the bigger SANS ones, and CANSECWEST.  Depending upon your focus, non-technical speciality ones (ie Privacy) can help policy and non-technical portions of the job. Canada
245 7+ years Policy writer, Manager, Log analyst, IDS analyst Yes Python Yes SANS/GIAC Got hacked, thought this was interesting. There is no limit to evil Be curious and persistent Mobile security, including secure app development, secure configuration, mobile log management, mobile forensics Got a security clearance which limited my future options No Yes SANS, BSides, Chaos USA
246 4-7 years IDS/Firewall admin, Helpdesk, Network Signature Writer Don't know Bash Scripting, Python Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Technical Support for Network Firewalls   Genuinely want to do it for the rest of your career if not life. Cloud Taking a position just because it was in the industry. Always make sure the job is the right fit for you and the employer. No Yes I've only been to BlackHat US, Defcon, and TorCon. I suggest going to any con just for the exposure factor. United States
247 7+ years Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, Incident response No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, Perl Yes EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc), Network Certs, Linux/UNIX Certs, Etc. Initially through being a network administrator and systems administrator followed by VoIP R&D. Now I work 100% in security as my day job and about 25% for side work and as a tech hobbyist. How important programming can be. Also knowing that you can learn at least something from every single person you come in contact with through work. There is a lot more to it than popping boxes. The world. Organization, notes, and keeping track of those notes. Also before modifying anything... BACK IT UP! NO Yes Any conference can be useful as long as you are there to learn and put forth effort to learn. United States/KY/Louisville
248 7+ years Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Incident response, IT Forensics No, but it helps Python Yes SANS/GIAC Windows sysadmin, moved to incident response because they didn't have any Windows expertise at the time.   Attend a SANS conference! Right now, mobile device forensics.   No!!!! Don't do it.  Stand up your own system. Yes SANS and EDUCAUSE security professionals, you pick up a lot of helpful information from fellow attendees that you just don't get in the online environment.  They are also good to form working relationships with others.  You call/rely on each other for help on the job going forward. USA
249 7+ years Vulnerability auditor, Penetration tester, Log analyst, IDS/Firewall admin, Incident response No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, JavaScript Yes EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc), Some certs are better for knowledge, while some are better for HR Through tenacity and good mentors. That the effort and stress is worth it. Dedicate yourself to simultaneously being both student and teacher. HR cert - Comptia CASP 
Knowledge certs- Offensive Security 
Skill - mobile apps
Didn't realize the importance of an incredibly solid foundation. No, not at all.  Your reputation is everything in security; once tarnished many doors will be forever closed.  With so many open source technologies and the ease of virtualization, there is little need or justification to commit what might be considered a crime. No   US
250 4-7 years Penetration tester, Policy writer, Log analyst, Incident response No, but it helps Bash Scripting, Ruby, Python Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) A security position opened up at the company I was working at.  I was a Unix/Linux admin for 15 years but ready for a change.  I have always had an interest in security - it was always part of a sys admin's job responsibility, so the move into security made sense I would have taken time to be a Windows admin for a time to better understand that operating system.  I would have also picked up a few more programming languages. Build a base in another area first.  Could be administration, networking, application or database management.  Even time spent in non-IT positions could be helpful. Having skill sets in other areas helps after you're in the security role. Incident response and data correlation.  There are many tools that generate tons of information. The challenge is putting it all together and reacting to real issues, throw out the noise. I stayed in the system administration field too long with too much focus on Unix.  I should have branched out into Windows administration sooner in my career. No. Use a virtual infrastructure for practice.  If your company can support it, build a lab. Yes I prefer small cons, local events sometimes associated with area colleges. The large cons tend to have too many vendors trying to collect contact information. U.S.A
251 4-7 years Vulnerability auditor, Penetration tester, Manager, Reverse engineer, Malware analyst, Log analyst, IDS/Firewall admin, Incident response, IT Forensics No, but it helps Bash Scripting, Windows Powershell, Python, PHP, C++ Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I was originally a mainframe programmer who was later bumped into a network admin position. I then started taking SANS courses to defend the network, which led to another job change into security. Find a mentor Keep your mind open to the fact that security is a wide range of specific job talents. Some places you can focus in on one and others you'll need to be the "jack of all trades" Mobile anything. In my younger career days I was too quick to remove an issue instead of containing and understanding it. No Yes Any that are related in some form or another USA
252 7+ years Sys-admin, Incident response, IT Forensics Yes Bash Scripting, Batch Scripting, VB, Perl Yes SANS/GIAC, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) I started as a sys-admin then went from there! I wish the internet was there when I started Start as a programmer and then move to security Mobile security Less party, more study at university No Yes    
253 7+ years Sys-admin No, but it helps Windows Powershell, Ruby, Python, C, Batch Scripting, VB, Perl No   Stumbled across the Security Catalyst site Community Find your local community & online community Meh Not learning to talk business No Yes Defcon, Shmoo. Local cons, ISSA, ISACA Florida
254 4-7 years Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst, Incident response Yes Bash Scripting, Ruby, Python Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Worked as a Unix/Linux administrator for 15 years.  Always had an interest in security and it used to be part of an administrator's job function.  A security role opened up at my company at the time I was ready for a change. I wish I would have expanded my system administrator role to also support Windows operating systems.  Having a strong base in the operating system you are attacking / trying to protect is extremely helpful. Touch on other areas of business and IT first.  Database administration, system administration, web and application programming - even working in non-IT environments is helpful. Incident response and data mining.  The tools we use generate a lot of information, pulling the relevant information and correlating it with bits from other tools is still a new but growing area. I focused too much on one area - Unix and Linux administration.  It built a good foundation for penetration testing and hardening those operating systems - but I struggle with Windows and now wish I had more experience there. No.  Practice in a virtual environment.  Build your own or, if your company supports it, work to build a lab environment for testing. Yes I would recommend small conferences - BSides or smaller local ones done by area colleges. 
 
In my opinion, the larger conferences are more for sales people to build up contact lists.
U.S.A
255 7+ years Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst, Incident response No, but it helps Bash Scripting, Windows Powershell, Batch Scripting, Lua Yes SANS/GIAC, CISSP When networking and security had to be segregated. Security consists of multiple non-technical areas including business process, risk management, policy management, governance, compliance Know thy systems Mobile and cloud security, privacy Know the infrastructure No Yes SANS, Black Hat USA
256 7+ years Vulnerability auditor, Penetration tester, Reverse engineer, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, IT Forensics Yes Bash Scripting, Python, C, assembly Yes SANS/GIAC, CISSP, OSSTMM I had an interesting job offer when I was looking to move on. That the basics of networking, programming, and systems admin would be so helpful later on Begin at the basics and pay your dues, you will get there if you love what you do. Forensics and penetration testing, same as always, but in interesting new areas. No, keep experimenting and learning! No, never. Yes Recon, Defcon, Sector Canada
257 7+ years Vulnerability auditor, Penetration tester, Manager, Incident response No, but it helps Bash Scripting, Windows Powershell, Python, Batch Scripting, Perl Yes EC-Council (CEH etc), SANS/GIAC, Offensive Security (PWB, AWE etc) Military assignment Spend as much time polishing your professional presentation as you do technical skills. In particular when seeking employment, speaking skills (and to a certain extent writing skills) are as valuable as technical capability, regardless of the position. Focus first on understanding the technology you're assessing (especially for vuln assessing or auditing). Without a deep understanding of common implementations, it is impossible to convincingly describe the security risks you encounter otherwise. The assessor market will continue to move from a highly commoditized market (especially in the PCI space) to a greater focus on high quality risk assessment, regardless of compliance regime. Additionally, the individuals who know only how to run tool X will become less and less valuable moving forward. There will be more convergence of security engineering of all sorts with other IT engineering efforts.   Not without a large legal cost savings plan. There are several cases before courts in the US where this kind of activity is being decided. Yes Black Hat for networking and general familiarity with the professional industry. AppSecDC or Shmoocon for technical interests and networking in the Federal/regulatory market. US
258 7+ years Penetration tester, Policy writer, Log analyst, Incident response, IT Forensics No, but it helps Windows Powershell, Ruby, Python, Perl Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP Military           Yes SANS, Blackhat, Defcon, BSides USA
259 1-3 years Exploit developer, Sys-admin, IT Forensics No, but it helps Ruby, Python, PHP Yes - but only to get through HR   I'm still working on my master's thesis, but security has always been an interest to me Since I'm still a student I regret that I didn't start a blog a bit earlier for self promotion. I also just got a Twitter account         Yes   Austria
260 <1 year Penetration tester, Exploit developer, Sys-admin No, but it helps Ruby, Python, C Yes - but only to get through HR Offensive Security (PWB, AWE etc) Curiosity when I first purchased my N900 phone, I started with simple WEP cracking and then moved onto MiTM attacks, I consider myself mediocre at this stage but I'm willing to learn more in the future. How to actually prevent attacks as opposed to just trying them out. Learn what's going on behind the tools you are using 3/4G compromising Only test on your own network as opposed to other people's No Yes Shmoocon  
Defcon 
 
It's good to meet the people behind the latest exploits and also to learn from them.
Malta
261 4-7 years Vulnerability auditor, Penetration tester, Exploit developer No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua, VB, C#, Perl, It can't hurt to know a little about everything! Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc), * my CISSP. Only to get through HR. I think it's worthless otherwise. I was in network administration for 7 years when I began to get very interested in security. I took a course from John Strand at the University of Denver and that's when I really got obsessed. I did have a problem though, I was going to have to convince an interviewer that I knew what I was talking about to get into security. This interview didn't come for 5 years. I got a MS in Info Sec and began on the certification route. OSCP, OSCE and then CISSP. I did it this way because I knew with the Offensive Security stuff I would learn a ton but I also knew that no one would hire me, only because HR people don't know about them. So then I got one that everyone at the time wanted to see, CISSP. In addition I began writing exploits and started a blog. I figured these were things that could show the "passion" that so many security people want to see. I think breaking into security is a combination of education/passion and know-how. It helps even more if you can be presented in front of clients and speak the technical side as well as the business side. I'm now a pen tester and the operations experience I had is almost as valuable as the technical skills I've developed. Meaning, I understand how business networks work and where I want to go once I'm in. I also understand being an overworked network admin (like most are) and what you do to cut corners, that ultimately can lead to compromise. I must say, it's definitely much easier to break in than defend, I'm glad to be on this side now. Not to mention having so much fun at work! Operations experience is really helpful. 
It's a field of people who have incredible drive and passion. You've got to exhibit the same things or you won't make it. Critical infrastructure. It's been on the map for a while but it's really beginning to pick up steam. The state of affairs with critical infrastructure is sad. Most of these networks we go into are horrible, like 10-15 years behind the curve. Ask me again in 10 years. Nothing yet. NO! Yes Anything you can afford. Try to get to Defcon/Blackhat and the 100's of other great ones in the US. Not as sure about EU. US - Colorado
262 7+ years Architecture No, but it helps Windows Powershell, Python, C, Batch Scripting Yes Vendor specific, SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I was the only computer type on a classified program that needed to use computers (a long time ago). It takes a lot of research time to do the job. Take a CISSP course - it provides exposure to the wide range of topics that make up information security.  Don't worry about the certification. movement away from authentication (passwords) to recognition as a means of providing access to systems. failed to specialize in any one specific area Never. Yes ShmooCon, DefCon, BSides - networking, information exchange in hallway cons USA
263 4-7 years Policy writer, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response Don't know Bash Scripting, Windows Powershell, Python, Batch Scripting, VB Yes Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc) I sort of evolved into the position.  It just seemed the more time I spent around computers the more I became the "go to" person for technical assistance.  Eventually I started working at a Helpdesk which gave me greater exposure to all of the things that were happening on the network.  I eventually took the Information Assurance \ Information Security position because nobody else wanted it.  I thought I might be good at it.  I've been in that position for approx 3 years and it still remains to be seen if I am good at it.  The biggest thing I have learned is pushing patches is much harder than I thought. I wish I truly understood the level of "not caring" that management has towards information security when I started in this position. Make sure you are getting into security because it is something you enjoy doing and not because you think it will get you a fat paycheck or because it is "cool". I see the integration of mobile devices into the enterprise network as the next big thing.  Trying to secure these platforms without killing the functionality they offer is going to be a real challenge. I do things wrong all of the time.  The biggest thing is to practice what you preach. No Yes I think conferences are worth attending because it gives you a legitimate reason to be unavailable and to focus on what is being presented.  Watching recordings of presentations from your desk does not stop people from interrupting you.  I also think it is a good chance to meet like minded people and discuss items that are being presented.  It also allows for people in the same field to talk about things that they might be struggling with and to learn from the others without the distraction of work.  We have all been there.  
When you tell someone that you will help them then you get swamped with work and the next thing you know it's three weeks later and you haven't followed through on that promise of assistance. USA
264 7+ years Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Log analyst, IDS/Firewall admin, Sys-admin, IT Forensics No, but it helps Bash Scripting, Python, C, PHP, C++, Java, Perl Yes - but only to get through HR SANS/GIAC, CISSP I started as a Unix admin.  Security issues caught my attention (they always had since well, well before I was ever paid to put hands to keyboard).  I'd talk security and bring up issues as well as alert co-workers of things we might need to do.  Pretty soon, I was considered the subject matter expert for my contract and being sent to represent at security meetings.  Within the year, I was no longer an admin and I was 100% infosec. Learn to handle conflict.  Infosec is all about conflict. Have a passion for security - it's much too draining if it is "just a job."  There are easier IT pursuits to follow if you just want a paycheck to "work with computers."     OK as in moral - maybe.  OK as in risk - you could torpedo your career doing it.  Not to mention jail / fines.  In this day and age, setting up your own victim environment is easy enough to give a taste for "practice" without the personal risk. Yes I used to really like the SANS conferences as much for the after-hours birds-of-a-feather.  But they've lost their luster.  Really - it seems that conferences wax and wane.  It's good to keep an ear out to the community and hit conferences that have strong community support / interaction.  After all, SANS had decent courses and good instruction... but it was the community that was the real reason to go. US
265 7+ years Vulnerability auditor, Policy writer, Sys-admin, Helpdesk, Incident response No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, PHP, Java, Batch Scripting, VB, Perl Yes - but only to get through HR SANS/GIAC, CISSP, CompTIA (Security+ etc) I've been doing general Workstation / Windows Server / Unix Server support for 20 years, watching other people specialise in SQL/Web Programming/Project Management and moving up the salary tree. Seeing that no one values the skills of running a live environment, I decided to move into Security, which I have always had a passion for by keeping live production systems safe. 
 
While doing my general support roles I got involved with lots of projects putting in new systems but always got overruled when I brought up security as it would put a delay into the project; the project managers used to say that it was to be sorted out once live! 
Now I am in Security, I can set Security features as part of the project and the PM will get a bad mark against his name if he misses these steps.
Don't outsource IT as you get cheap people doing what they think is IT. 
Many times you have nice secure designs and procedures which are then let down because some outsourced junior IT support person thinks he knows better than someone with years of experience.
Learn how systems work together in depth. Securing BYOD (Bring Your Own Device) projects. Letting PMs push projects through without sticking to my guns on Security matters.  
I probably should have learned to bullshit more, so many people I have seen do this and get higher paid jobs, hoping they can pass the blame onto someone else once they are proved wrong.
No. Only for networking . UK
266 7+ years Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, Malware analyst, Incident response No, but it helps Bash Scripting, Ruby, Python, C, PHP Yes Offensive Security (PWB, AWE etc) Military assigned me to a vulnerability assessment job because I was an engineer and had some (limited) computer abilities How much I could have learned from the other professionals (a few in particular) if I could have dedicated more time Seek out others in the community, learn from them, but don't annoy them/hang on them.  Take any training you can get your hands on/afford, but if budget is tight, attend hands-on training such as Red Hat and OffSec Cloud pentesting and forensics Never go into management!  Ha! No, there are far too many ways to avoid this, especially with virtualization Yes Defcon, B-Sides, Shmoocon, and anything at which you can get a chance to present USA
267 4-7 years Penetration tester, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response You don't have to be able to write complete programs from scratch, but you need to know enough to be able to understand and edit code Bash Scripting, Ruby, Python, C, PHP, Batch Scripting Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) As a job I started out as a helpdesk /sys admin. 
Always having an interest in security I used to just sit at home, read websites, blogs, twitter, etc.  Then downloading and testing tools, and basically trying things at home. 
 
I became more of a networking guy, but kept on track with my wish to do some actual security work by doing the Cisco security track (CCSP).  
 
Since I wanted to be an ethical hacker I kept doing my personal research and eventually applied for a job as a penetration tester. I now do a couple of penetration tests a year and am doing the OSCP certification to keep improving my knowledge of the field.
I have never been a good programmer, nor have I ever wanted to be.  
 
Knowing now how important it is to be able to read and analyze exploit code, to be able to compile the code, change it to your needs and iron out any faults is proving more valuable than I could have ever imagined.  
 
Knowing what I know now I would have put in more effort earlier to be able to gain at least some basic programming skills. 
 
And I would say the same about databases...
Start out in 'the trenches'. I think even though the sys admin work seems unrelated it's invaluable to know how things 'work' in an administrative organisation.  
 
Furthermore: learn some programming, dammit! You'll get more value out of it than you can imagine.
In my opinion security follows the way of IT in general. Since IT is moving 'to the cloud' (*drink*) I think security will follow that as well.  
 
The way services and applications will be provided to users will change so the bad guys will also change their tactics on taking advantage on that situation. 
 
And as such security will follow in their footsteps.
I have always felt that you can be a security expert in your own field. And although this is true for specialisations you will need to be able to adapt to changes in the field. 
 
So basically you just need to learn it all. There are no shortcuts. It will take time and effort and it's not always fun. But I made the mistake of leaving complete parts of IT to other people (coming back to my database and programming remarks).
No. I feel you practice in a lab. In a controlled environment. 
 
Even though I have to admit I sometimes work at companies in a different role than pentester and things seem so bad it's hard to contain yourself to not just prove, even to yourself, that you could <quote>pwn that box</quote>. 
 
However, even this I would consider just attacking or testing the device /network. Not practice. And I would not consider this 'ethical' either.
Never have been able to attend a conference, so can't really comment.   Netherlands
268 7+ years Vulnerability auditor, Penetration tester, Policy writer, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, C&A No, but it helps Bash Scripting, Windows Powershell, Ruby, Python Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I was working 3-6 month contracts after the company went out of business and was hired at a CIRC startup as an IDS analyst. In the U.S. at least, clearances and background checks would be ubiquitous even in civilian work. Make sure this is an avocation as well as your vocation if you wish to be successful. And build a lab to learn how to and then have something to experiment with. Mobile devices as more and more people use them for business I took a chance on a small company that I was not a principal in and when they stopped pursuing security I became redundant. Remember at the end of the day it is all about business. And never let a clearance lapse once you've gotten it, those organizations will train you into jobs. Absolutely not. Yes Defcon, the largest 
Black Hat, has been recommended for content 
Shmoocon, as it is smaller and it is a fun atmosphere
United States
269 7+ years Policy writer, Manager, Sys-admin, Operational Security No, but it helps Bash Scripting, C++, VB Yes EC-Council (CEH etc), Vendor specific, SANS/GIAC, CISSP I applied for and was hired as a Junior Level Security Administrator. I believe that I got into the door based on my security and OS certifications.           Yes   United States
270 7+ years Penetration tester, Policy writer, Manager, Incident response, IT Forensics No, but it helps Bash Scripting, Windows Powershell, Python, Perl Yes SANS/GIAC, CISSP, CISA/ISACA I started in the IT field over 30 years ago as a programmer then systems analyst and worked as an administrator for networks, mainframes then UNIX systems.  It was while I was a UNIX administrator that I started testing firewalls when they first came out, even built one using the firewall toolkit.  I then started securing some of the vulnerable processes I saw and started writing policies and standards around those processes.  I later got into Security Consulting then moved on to build and manage a security department for a company, overseeing the writing of all of the security policies and standards and building out the infrastructure to implement those policies.  I guess you might say I just created my security position when the need arose, different than now as there were no formal security courses or certifications at the time. I wish there had been training available when I got started in the security field.  I'm now doing mostly management but still keep my technical skills up by taking at least one training course a year and attending one conference a year. Find someone already in the field (4 - 5 years or more experience) to mentor you.  Most of my peers, myself included, are very happy to pass on our experience and act as a sounding board for your ideas.  Your mentor would not be able to discuss proprietary specifics with you but generalities around an issue or idea you have. I think there is going to be a lot more focus on application security as this continues to be a common exploit point even after several years of this same activity.  Tied in with this, governments and companies are moving to real-time security so that you can get a constant "score" on how you are at that point in time instead of the old style audit report that is out of date when it gets delivered. 
I started out "seat of my pants" with no real security training available.  I networked a lot with others in the same position to get a sense if I was doing it right but didn't always feel confident that I was getting everything I needed to.   
 
Things got easier when SANS started and you could get real hands-on training.  Get as much training as you can and don't ever stop.  You can't always count on an employer paying for training so you need to budget to invest in your own training if you need to.
Absolutely NOT!  Use your own lab gear (old systems, anything you can find) and make extensive use of virtualization to create test environments. Yes SANS Training Conferences, RSA Conference, HTCIA Conference Canada
271 4-7 years Policy writer, Manager, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, Safety Inspector, Disaster Recovery/Business Continuity Planner No, but it helps Bash Scripting, Python, C, PHP, Perl, Understanding SQL helps Yes The ones that show your dedication. Certs don't show ability. I have always enjoyed breaking and fixing things. My start was the summer I got mono and stayed on the computer the whole time. Professionally my start was in the military. There is no substitute for work, doing it yourself. Whether for fun, learning, or professionally it doesn't matter. Build and break everything before you open your mouth to question anything. Pick another field in technology, then another, then another. Security shouldn't be the start to anyone unless you are a computer wizard, who speaks in C, dreams in shell and runs OSS on everything including your kitchen appliances. Security is a well rounded perspective of how to and how not to; to be able to do that you have to have had some practical experience that will back you up when you need it. I truly believe the next thing for the security industry is more regulation, and licensing. Security professionals will be licensed at some point to do their jobs. The security community now has so many trust issues it's only a matter of time before we are regulated like doctors, lawyers, private investigators and .. beauticians. Get as much education as you can handle; too much is bad, more hands on and practical experience is better, but weigh them out and have a healthy balance. No. Unless you want to go to jail and never be in the industry credibly. Yes Sharkfest, good community and good software.
Derbycon - great speakers, new and improved defcon-ish.  
Shmoocon - great speakers, if you can get tickets.
US
272 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, Log analyst, IDS/Firewall admin, Helpdesk, Incident response No, but it helps Bash Scripting, Python, C, Java, Batch Scripting, Perl Yes - but only to get through HR SANS/GIAC, CISSP It was an interest and I started by researching on my own, then attending local 2600 meetings, then DefCon. Jobs followed. Now been about 20 yrs in the industry. The value of just sucking up the need to get the CISSP. I resisted getting any certs initially and it hurt in interviews later in life. HR really likes them. Don't do it just for a job. It's a way of life. Once you're off the clock you still must enjoy doing the job if nothing else, for yourself. Cloud security. Also application security will continue to mature. Resist getting certified, especially when employers are willing to pay for them and their upkeep. No. Good way to close doors for future employment if you get caught. There are plenty of other ways to practice these days. It's just not worth the consequences. Yes Thotcon in Chicago. Great technical talks. DerbyCon in Louisville, it started great and looks like it promises to continue to deliver. USA
273 1-3 years Student No, but it helps Bash Scripting, Python, C, Perl Yes SANS/GIAC, Offensive Security (PWB, AWE etc) I was introduced to the 'Google Hack' and TJX hack by my professor.  Through further research, I was amazed with the abilities that a person/group can perform with a computer.  In the meantime, I was quite shocked to learn how vulnerable I was by accessing the Internet.  From there, I fell in love with the field and hope to obtain a career in InfoSec when I graduate. The importance of programming and low-level languages (assembly).  Also, to understand the interaction of the CPU, memory, and software. Learn to program and start understanding the computer's hardware and the relationship with software. Mobile computing. Don't try to rush to learn in order to keep up with the industry or try to know everything.  I felt I wasted a lot of time.  Pick a certain aspect of information security to specialize in.  Plan ahead on what to learn - even if it is a small task at a time.  Learn other aspects as long as there is a foundation. Leaning towards 'no' even if the intentions are good. Yes DefCon and BlackHat.  Great for viewing and hearing about the latest exploits and attacks.  Also, to interact with others for defensive ideas for network security. United States
274 <1 year Sys-admin, Helpdesk No, but it helps Bash Scripting, Windows Powershell, Ruby, Python Yes Vendor specific, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Reading and watching videos, working with contracted pentesters. What basic knowledge and skills should I have as a foundation?
What courses are recommended?
A strong foundation is key!     yes Yes   UK
275 4-7 years Penetration tester, Reverse engineer, Exploit developer No, but it helps Python, C, C++ Yes - but only to get through HR Offensive Security (PWB, AWE etc) an internship client relationship stuff start a project, stick with it until you're the best in the world at that particular thing. forensics, tool dev   for sure, it's how everyone gets started Yes kiwicon, it hasn't sold out Australia
276 1-3 years Penetration tester, Log analyst, IDS/Firewall admin, Incident response Yes Bash Scripting, Python Yes - but only to get through HR Vendor specific, CISSP, Offensive Security (PWB, AWE etc) Started as a network engineer and after some time I was assigned to migrate to the new firewall. Moved on to a security consultant where I continued as fw administrator, wireless security and then got involved in pentesting. Python programming Get some experience first, preferably server / network admin, and learning how to program to solve everyday problems helps. Secure application development and security systems that combine with each other like physical security with integration to logon system. Whitelisting of applications. Didn't learn programming early enough. No, always get their consent. I believe so, haven't been to any yet   Sweden
277 7+ years Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, IDS/Firewall admin, Sys-admin Yes Bash Scripting, Ruby, Python, C, Java No SANS/GIAC, CISSP be strong in networks and sysadmin tasks, while learning programming in college. Work hard in all areas to improve, and start on the network penetration testing side of things. Then gradually improve at application security, source auditing, reverse engineering, exploitation. It takes a lot of time to get good, spend it now, or spend it later. Get good at development, develop something and release it, then secure it.
Be vocal, do writeups. It forces you to publicize what you find, and how you think about it.
Mobile, obviously. Also hypervisor kernel attacks to get access to the cloud infrastructure and everything hosted on it. One win yields huge payoffs. Don't waste time aligning yourself to tools or programming languages. Use everything. This is tough, if you're a paying consumer of something I think it's okay to look. Don't be unusually stupid. Worth speaking at! Blackhat - most corporate appeal, and you will get job opps from talks directly.
Shmoocon - small and intimate, good group
USA
278 1-3 years Student No, but it helps Bash Scripting, Ruby Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Studying Ethical Hacking at university I am starting out! Learn learn learn! Cloud N/A Not really Yes OWASP meets, free and great people Newcastle, England
279 4-7 years Vulnerability auditor, Penetration tester, Policy writer, PCI auditor, Incident response No   Yes EC-Council (CEH etc), CISSP Graduated from an MEng in security and found a job I love, got a lot of support from my boss and colleagues. Certificates will help you to get in the field. Getting into the field is always difficult; you can start low and work your way up. But you have to keep developing yourself due to the fast growing industry. mobile security   NO, NO, NO, to protect yourself, you have to get permissions, sometimes written permissions. Because sometimes the damage is hidden and the impact will show some time after. don't know, never had one   North America
280 7+ years Vulnerability auditor, Penetration tester, Manager, Reverse engineer, Exploit developer No, but it helps Bash Scripting, C, Perl No CHECK Team Leader (CREST/Tiger Scheme) BBS badness followed by pen test companies (after breaking my university network and then telling them how I did it repeatedly) That pen testers are hated by everyone Learn another skill... Unless you are very high end you will be replaced by insurers and audit types Survival in a post apocalyptic landscape Never assume you are anything other than a hired geek Nope. Always be paid and get permission, thus avoiding jail Yes Anything small and not vendor love ins UK
281 4-7 years Vulnerability auditor, Penetration tester, Manager Yes C# Yes EC-Council (CEH etc), SANS/GIAC, CompTIA (Security+ etc) Actually when I started to plan to be certified from Microsoft in 2003 The top 10 vulnerabilities from OWASP. He or she has to be more specific on one field since security is like an ocean. Cloud security could be a new challenge Yes, code review process must be planned well. Depends, No SANS and OWASP Saudi Arabia
282 4-7 years sales engineer No, but it helps Bash Scripting, Ruby, Python, PHP, Java, Perl Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) totally by chance. I interviewed with a security company, kind of "fudged" my way in, then learned everything as quickly and thoroughly as possible. Once I had the basics of VA down, I started dabbling in pen testing here and there as any additional learning was encouraged by my company. You really have to make a choice early on what you would like your role to be. Meaning, if your goal is to be a hardcore pen tester, go down that path. Just don't expect to be management anytime soon, because if it takes that much skill to be hardcore, it takes all that x10 to manage a team. Make sure you have a foundation first that is based around 'defence-in-depth' methodology. Just because you know firewalls really well doesn't make you good at security. Take a look at all aspects, both proactive and reactive, before you even begin to consider yourself skilled. Doesn't mean you have to be a SME at everything, but it does help to have at least a general understanding. MOBILE Don't just scratch the surface and expect things to work. For example: If you're going to run an exploit, you have to know:
 
1. What the exploit does 
2. What is going to happen on your target 
3. What the end result should be 
4. What the end result actually is if it isn't what it should be. 
 
It is far easier and less frustrating to do the work on the front end as opposed to bashing your head against a wall on google looking for quick fixes.
no opinion really, just realise if you get caught the rest of the world doesn't share your sentiments on 'practising' in their environment. Yes DC4420, small, intimate setting with various talks in London.  
B-sides - anywhere will do. London and LV are my favourites. Wide variety of talks, not very commercial.  
RSA (in the states) - EVERYBODY is there and ready to talk to you. it's a little bit over-the-top commercially, but for elevator pitches on what's out there it's good.  
Infosec Europe - same reasoning as RSA 
Blackhat - completely over the top. great info tho, just make sure you turn off your mobile =]
London, UK
283 1-3 years Penetration tester, Policy writer, Log analyst, Helpdesk, Incident response No, but it helps Bash Scripting, Python, PHP Yes EC-Council (CEH etc), CISSP, Offensive Security (PWB, AWE etc) I was a QA engineer a decade ago, since then I've done programming and even sales.  I was hired as a programmer for my current company, and noticed they had no one on security.  I downloaded BackTrack and started scanning.  The sys admins had a fit because someone was scanning internally.  A week later they liked my initiative and asked if I'd be the security guy. Better telecommunications Setup some VMs, start figuring out how to attack and defend. IPv6 Tell everyone in the company you're going to start putting out malware drops.  No one trusts me now. Nope. Yes BlackHat, Defcon, BSides.  Networking, training, eye-opening, paradigm shifting USA
284 7+ years Policy writer, Manager Yes   Yes - but only to get through HR CISSP, ECIS Our "EDP Security Officer" quit, and my boss asked me if I wanted to take over physical security, EDP/info security, preparedness/continuity mgmt and risk financing/insurance. Quite a package, but logically sound - and unusual for those days (ca 1990). I accepted, of course.   Think globally, act locally     No Sometimes   Sweden
285 4-7 years Vulnerability auditor, Penetration tester No, but it helps C, Batch Scripting, Perl Yes CISSP, CompTIA (Security+ etc) Went from break/fix IT and SysAdmin-ing into IT Auditing.  Customers started asking for vulnerability assessments and pen-tests.  Bootstrapped myself into network security through these engagements. Being able to write a good report is paramount. Self-study and take advantage of the resources that are easily available on the Internet.  BackTrack, OWASP's WebGoat, Damn Vulnerable Web App, etc.  You should always be looking to self-improve, expand knowledge and skills, read/research current topics.  You will also develop "soft skills" that will be extremely valuable:  how you want your output formatted for reporting, how best to parse output data to make it useful, what to include when reporting, how to store output data for re-use, etc.   When doing testing with social engineering attacks, you have no idea how a target may react.  Brainstorm possible reactions from the target and try to account for them, and adjust testing, or come up with a different test that's more controlled. No. Yes   USA
286 1-3 years   No, but it helps Bash Scripting, C, PHP, Java, C# Yes - but only to get through HR CompTIA (Security+ etc), Offensive Security (PWB, AWE etc)             Yes    
287 <1 year military/ security as hobbyist Don't know Bash Scripting, Python, C++, Perl Yes - but only to get through HR   Always been fascinated by computers, and by computer security. So began researching as a hobby.           Yes   US
288 <1 year Vulnerability auditor, Penetration tester, Manager, IDS/Firewall admin, Sys-admin, IT Forensics No, but it helps Bash Scripting, Ruby, C, PHP, C++, Java, Batch Scripting Yes Vendor specific, SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Well, saw the movie Hackers back in '02 and thought I wanna do that. So I started carrying around a flash drive with a trojan on it going "I'm gonna hack you. LOLOLOLOL". I eventually realised I was just being a big douche and so I sat down, read through a few books, watched some of the Hak5 podcasts and visited some forums. That's where I figured out that I had a major love for Networking and anything Networking related. And since then I've spent my time learning so that I may one day hopefully get a job as a Net-Admin. Basic Network Topology and the breakdown of your Computer's hardware piece by piece. Practice, practice, practice. That's all you gotta do. Practice what you're good at till you're great at it. And then focus on some of the other areas.     Simply FUCK NO! Listen and listen well skiddies or people starting out. You may think it's fun or a good idea. But you know what's gonna happen: you're gonna go to prison for a couple years if you do that. Yes Generally either Derbycon or obviously Defcon. Defcon for the obvious reason that generally that's where the good conferences are going to happen. That's where the big-name security consultants are going to be. Derbycon on the other hand is somewhat smaller, but just as good as Defcon. America, NY
289 4-7 years Vulnerability auditor, Policy writer, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Incident response No, but it helps C#, Perl Yes Vendor specific, CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP Malware analysis, worm outbreaks, and incident response politics in the business arena get to one of those good conferences if possible, and see if you're interested mobile devices 'Testing' in the public arena No. Yes BlackHat and Defcon - most information USA
290 <1 year Vulnerability auditor, Penetration tester, Exploit developer, Malware analyst, Helpdesk Don't know Bash Scripting, Windows Powershell, Ruby, Python, C++, Java, Perl Yes EC-Council (CEH etc), Offensive Security (PWB, AWE etc) I am barely starting out and I am trying to learn the CEH but I am wondering if this is the route I should take footprinting more on Scanning and enumerating and also Metasploit and wifi Penetration explore security no no it is not you need to ask permission Yes ToorCon, Defcon USA
291 1-3 years full Don't know   Yes - but only to get through HR CISSP, CompTIA (Security+ etc) Hak5 -> 2600 -> HOPE NSA has a list of centers of academic excellence in information assurance education. 
http://www.nsa.gov/ia/academic_outreach/nat_cae/index.shtml
Learn everything. Learn as much as you can get your hands on. Then do it, set up a lab and practice it. Don't just read about it. Mobile device forensics and cloud security.   No. Always ethical all the time. Everything comes back out when you go to get a clearance. Yes Conferences seem to be more about the networking than the actual talks and presentations. So which ones depends entirely on who you want to meet. HOPE is one of my favorites though and got me an internship from networking. full-time student
292 7+ years Vulnerability auditor, Penetration tester, Exploit developer, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Windows Powershell, Python, C, PHP, Perl Yes Offensive Security (PWB, AWE etc) Curiosity, how the heck do I break into it? The rest is history... assembly you have to love it and live it 24 hrs a day     No Yes defcon 
hackers at large, what the hack, har... 
black hat 
CCC
Portugal
293 4-7 years Vulnerability auditor, Penetration tester, IDS/Firewall admin, IT Forensics No, but it helps Bash Scripting, Python, PHP, Batch Scripting, Perl Yes Vendor specific           no Yes   Germany
294 4-7 years Penetration tester, Sys-admin, Incident response, IT Forensics No, but it helps Bash Scripting, C, PHP, C++, Batch Scripting Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc)   pentesting is not just whacking boxes if you do not ADORE security, find yourself another job. moving pentesting to the next level, where it becomes actually useful in making our systems and practices more secure.
currently, pentesting is taking a wrong path...
  well, sorta', as long as I am doing it to others :) 
my point is there's no way you can separate yourself from the criminal intent, 
 
My final answer is No, it is not OK.
No   middle east
295 4-7 years Vulnerability auditor, Penetration tester, Policy writer, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Helpdesk, Incident response, IT Forensics No, but it helps Bash Scripting, Python Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I worked for a small company that didn't have anybody focused strictly on security. The team did the best they could but it wasn't considered a priority. Anyway, every time I would have a meeting with my IT Director, I would always mention the security projects I was working on at home, such as building a snort or UTM PFsense system for my home network. Basically, I tried to plant the birdie in his ear that security was a passion of mine and it was something we should consider here. He finally caved in when the internal network was a victim of a malware issue causing an ARP DoS. He turned to me and asked me to look into what we could be doing better as a company to prevent such issues in the future. When I first started out, I tried to be a jack of all trades and master of none. In security, it is in my opinion impossible to be a master in all that encompasses security. I would recommend to anybody starting out, gain a solid knowledge base and then find what you really enjoy in security and master that topic alone. For example, if you really enjoy wireless technology, learn all you can about that topic and make that the foundation of your security portfolio. If you try to master all topics, you will get overwhelmed. Don't get into security because you think it's the cool thing to do at the moment. Get into security only if you have a passion for it and it was originally one of your hobbies. If you get into this field just for a paycheck, then you can expect to get burned out. This field has to be your passion. I think with all the focus placed on the actual network with firewalls, IDS/IPS, and other such devices, we have only scratched the surface of web applications.
As more tasks are being "dumped" on the internet through cloud solutions, I think web applications are going to be emphasized by the attackers, if it hasn't taken place already. Don't wait to get into this field. I made a career change and turned my hobby of technology into a career. If I could go back and do it all over again, I wish I'd started out in this field from day one. No. With today's PII and breach issues, it would be difficult to justify your actions without the proper permissions. Yes I would recommend attending any conference available and all that your company would allow. I think conferences in general are a great learning tool. United States
296 7+ years Malware analyst, Log analyst, Researcher No, but it helps Bash Scripting, Windows Powershell, Python, C++, Batch Scripting, Perl Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP As a teenager playing MMO's, ironically enough. 
 
Formally in the US Navy as a CTN, and mostly self taught.  Attended a bunch of SANS conferences early on and also through my podcast, SecuraBit.
There are always ways around HR crud.  Stand out, do something with your spare time.  If you want to succeed in this industry you have to want to do it.  Get to know everyone and be nice to them, it's a small small community. Start slow.  Understand networking in all forms, it's the future.  Knowing how data flow works is paramount to understanding higher concepts. Big data and health care. Thought I knew it all.  I guess it's easy to sometimes when everyone tells you how amazing your job field is.  Just stay humble, you never know it all, and if you think you do, someone will knock on your door tomorrow and show you why you don't. No, never in my opinion.  You're affecting a lot of people when you take down a website, a lot of people may get woken up in the middle of the night, or even in the middle of some very private activities all so you could experiment.  
 
Experiment on your own box.  It's cheap, get a Raspberry Pi or some old box off craigslist and build yourself a test machine, or use a lab.
Yes Derbycon - It's like Shmoocon but without the DC rubbish. 
Shmoocon - The original "small" big conference. 
Defcon - Worth going once, but I dunno if I'd do it twice, it's overwhelmingly huge.
Day-Con - Awesome group of people in Ohio, and a nice international presence.
USA
297 4-7 years Vulnerability auditor, Penetration tester, Incident response, security architect No, but it helps Bash Scripting, Windows Powershell, Python, PHP, C++, Java, Perl Yes EC-Council (CEH etc), SANS/GIAC, CISSP I think I may have been inherently interested in security.  At my first IT job, a local computer shop, they needed somebody to set up a PIX firewall.  I had done some firewall setup with a freebsd box I had, so I volunteered.  After I set up that, I got asked to support another one, which led to a few more. 
 
I had several jobs that involved maintenance of some security devices, but had a diverse background of Mac support, Windows support, various flavors of Unix admin, ISP net admin, and some development.  When I got to my current security job, I got the job not because I had security experience, but because I had such a diverse background.
 
I think this might be one of the most important things - diversity.  Once you work with enough systems you realize they're really all the same thing.  This makes security much easier as you see how it all relates. 
 
The other important thing is curiosity.  You have to be curious, tinker, want to break it and put it back together.  If you don't have this, I don't think security is a good option.
  Be curious.  Set stuff up, try to break it, understand it, and figure out how to make it better.     No - with the laws as they currently are it's illegal, often a felony, and not worth it.  Especially considering how cheap it is to set up a virtual lab these days. Yes   US
298 7+ years Penetration tester, Manager No, but it helps Bash Scripting, Python, Perl Yes CHECK Team Leader (CREST/Tiger Scheme), Offensive Security (PWB, AWE etc) Managed to get a job in technical support for a company providing IT security products. Try not to upset anyone in the industry or customers; it's very small in the UK and chances are you will end up working with people many times during your career regardless of the company you work for. Don't have an ego. Learn good social and written skills; they are as important as technical skills. Security of mobile applications   Never, not unless you like wearing Orange and want to be Mr Bigs Bi*ch Yes CrestCon, Defcon UK
299 <1 year Web Developer Don't know Bash Scripting, PHP, Batch Scripting No   Reading books, websites, following blogs etc.         Only if you cover your tracks, report any found vulnerabilities and actually don't cause "damage". Yes   England
300 7+ years Vulnerability auditor, Penetration tester, Manager, IT Forensics No, but it helps Bash Scripting, Windows Powershell, Python, Perl Yes EC-Council (CEH etc), SANS/GIAC, CISSP As a sysadmin for an ISP Everything covered by the CISSP Do it for the love of the job / hate of attackers / batman-like need to protect the world. Don't do it for the money, fame or women... you'll be disappoint. Mobile mobile mobile. Cloud cloud cloud. Minimize your time working for government. Of course not. Yes SecTOR
CanSecWest 
ShmooCon
DefCon
Canada
301 1-3 years Penetration tester, Sys-admin, Helpdesk, Programmer No, but it helps Any scripting language Yes - but only to get through HR EC-Council (CEH etc) Moved from a sys-admin position into a security role. I wish the tool maturity had achieved this level when I was starting out. Backtrack, Metasploit, Nessus, etc. are all good, stable products which make learning about the different attacks and technologies much easier. Get some solid sys-admin experience. Too many times I see security professionals making wild recommendations about improving security without having a good solid understanding of how the technologies work, and why they might be deployed in the state they are currently in.
 
This also helps when attempting to find weaknesses in systems. Without a good understanding of the shortcuts sysadmins use, juniors have no idea where to start looking for holes.
I expect client-side attacks and smart phones to be the next big area of security to be focused on   No, of course not.  
 
Having said that though, I did when I first started out as there were no targets to practice on. Now spinning up a VM is easy, there really isn't much requirement to go testing on actual companies.
No None at a junior level. Although they help with people networking, they tend to be focused on specific technology security, which is generally over the head of someone attempting to get into the field. UK
302 1-3 years Vulnerability auditor, Sys-admin, IT Forensics No Bash Scripting, Python Yes CHECK Team Leader (CREST/Tiger Scheme), CISSP, CompTIA (Security+ etc) Did a Foundation Degree in Computer forensics           Yes   United Kingdom
303 4-7 years Vulnerability auditor, Penetration tester, Policy writer Yes Bash Scripting, Python Yes EC-Council (CEH etc), CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) I was doing competitive intelligence on digital sending features in MFPs and I believed that it was as important to understand the security aspect as it was to understand the digital sending aspect. Not to get married the first time Be a self starter making it easy for people to be safe.   NO Yes I think they are worth attending but you have to be very selective on how you use your time there.  If you spend the whole time waiting in lines for 45 minutes worth of content in the back of the room then your time is better spent with a book at home. United States
304 4-7 years Vulnerability auditor, Penetration tester, Policy writer, Manager No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, Batch Scripting, Perl, expect Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc), Cisco (but not much other vendor specific) My employer got hacked. Security isn't black and white. It's more like a linear function of many variables, each representing someone's agenda. And of course, each having different coefficients. And yours most probably is not the largest one. Drop it. No money here.     No. You should have explicit permission to touch other's stuff, no matter what the motivation is. Yes RSA - to know the market;
BlackHat/DefCon - to make the dream come true; 
Local DefCon chapter - to stay tuned to what others are up to.
Ukraine
305 4-7 years Manager Yes Bash Scripting, Ruby, Python Yes EC-Council (CEH etc), CISSP started in 2nd/3rd line support. Always had an interest in security at home. Spent a couple of years making security recommendations as part of my monthly 1 to 1 feedback. Eventually they created a (trainee) security post, it was the first dedicated security post in the company. 
 
The company developed me from there.
more asm/coding/reversing skills. I wish I knew more honest opinions about certs, ie I might not have spent my training budget on CEH as I don't feel it was good value for money.
 
I wish I knew how to convey risks to senior managers/directors without scaring them, and using terms they will understand.
 
I wish there were more mentor programs, or people/contacts that were willing to give me advice outside of the company, I'm talking about established security pros here.
Keep at it! Learn as much as you can. Focus if you want to become an expert in one area. I wouldn't say it was the next up and coming area, but an often missed area is people. Internal people are an excellent resource if you spend time making them aware and coach them. Don't start down the FUD route when talking to senior managers. Once you start, it's hard to go back and everyone relies on you making the FUD even more FUD than your last FUD! (too much FUD) no Yes I'd say it depends on your level. As a manager with projects in mind, info sec is useful. bsides might not be useful to a manager.
 
However, as I'm the only one doing security at my company, I attend bsides for the techie stuff, and info sec as I know I have upcoming projects that I need to talk to vendors about.
UK
306 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, Incident response, professional pain in the arse Yes Python Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP a summer job metrics matter be patient but unrelenting contract negotiations no absolutely not Yes local ones with lots of technical focus 
 
SECTOR
Canada
307 1-3 years Vulnerability auditor, Reverse engineer, Sys-admin, Incident response, IT Forensics Yes Bash Scripting, C, PHP, Perl Yes - but only to get through HR   Learning assembly made me dig deeper. Programming. Learn to code. Mobile device security. Don't get in trouble while learning. Use common sense, it's easy to get carried away. Yes. Don't get caught, see above. Yes I'm not allowed to leave the country, the conferences here are scarce. However many talks are available online, enough to get my daily dose. Keep it coming. Russia
308 7+ years Vulnerability auditor, Reverse engineer, Malware analyst, Log analyst, IDS/Firewall admin, Incident response, IT Forensics No, but it helps Bash Scripting, Python, C, PHP, Know your target language (think web attacks) Yes EC-Council (CEH etc), SANS/GIAC 1. Unknown to me, I was "hacking" at BBSs in the mid 90s. Then, worked for Hosting Providers for years where dealing with hacks happened all the time. 
 
Didn't really think of it as a full time job until I joined a bank as a SecureID admin, then moved into Investigations and IR - been doing it ever since.
I should have completed SOME sort of College/University. Even if it was a different subject than the one I started. Even move to something that I thought was below me. Get a personal lab, buy toys. Poke a stick at things. Do what you would do for a career at home to the best of your abilities. i.e.: Run VLANs and a Firewall - Guest Wireless access, servers, VMs.. IR and Forensics - Lots of opportunity here, and few skilled people. Never, Ever, Ever fully drop out - do some sort of base diploma or schooling. No. Besides, it's easy enough to build your own environment - http://sourceforge.net/projects/dvwa/ (Damn Vuln Linux seems to have gone) Yes Sector, Defcon, Any and all BSides Events. Canada
309 4-7 years Vulnerability auditor, Penetration tester Yes Bash Scripting, Python Yes - but only to get through HR CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, Offensive Security (PWB, AWE etc) Interested while in university in 2008, and set on security books, virtual labs and videos to learn; currently working for a computer security firm         yes Yes any security conference you can get access to Kenya
310 1-3 years Student No, but it helps Bash Scripting, Python, Batch Scripting Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), Offensive Security (PWB, AWE etc) Currently studying at university. Degree in this area is almost useless. Much more about certs and experience. Get as much experience as possible whenever and wherever you can. Unsure. Wasting time and money on a degree in this area. If you can 100% guarantee no damage will be done then yes. Otherwise no. Yes First major conference I will be attending so can't really comment. England
311 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, Incident response No, but it helps Bash Scripting, Windows Powershell, really all of the above, but start with shell scripting Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) I have had an interest in security since high school starting with the BBS scene. Even got chances to go to some early security conventions like Summercon and HoHoCon and met some interesting people (Emmanuel Goldstein, Captain Crunch, etc.) 
 
From a career standpoint started working in system administration in roles at smaller companies that included security. With the experience managing firewalls, IDS, etc and these smaller companies I was able to get a job as a security analyst, and moved up from there. I'd say starting with system and network administration not only helped me get into the security field, but that I gained experience that helps me be effective, as so much of the work crosses over to either IT infrastructure or development.
Learning to script and program is important, and will help you along the way. Learn everything you can about all areas of IT. Information Security impacts, and is impacted by, them all. Increased automation, integration and data processing - i.e. DevOpsSec / SecOps. Routine, tedious work should be automated so people can get on with more important work.   It is never okay to perform any kind of testing without permission. Breaking the law can end your career before it begins. Famous hackers that have gone on to be successful are the exception rather than the rule. Besides, home labs are cheap and easy to put together, so it's also not necessary. Yes I like the more community focused conferences like BSides, DerbyCon, and of the larger conferences DefCon. The price to info ratio is much better than larger corporate conferences, and they are a great opportunity to meet others in the community. United States
312 4-7 years Vulnerability auditor, Penetration tester, Log analyst, IDS/Firewall admin Yes Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting Yes SANS/GIAC, Offensive Security (PWB, AWE etc) Started in IT as an intern, moved up to be a SysAdmin for a while and then was lucky enough to be working for a company that was creating a security team and opened new positions.  Previously, because the company didn't have a security team, the Sys Admin team was also responsible for security so I had "some" experience from there.   You can never stop learning.  Ever.  This is not an easy career but if you have the energy for it, it can be very rewarding. Web App / Mobile App / Cloud security   Never. Yes   USA
313 7+ years Policy writer, Manager, IDS/Firewall admin, Incident response No   Yes EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, IISP Working in a department that provided secure solutions to Government departments, and moved into network security Not every question has a right answer, sometimes people just want your answer. Do not get into security if you want the business to love you, sometimes you will be saying stuff they do not want to hear. Stay strong, stay passionate. BYOD stay in the same role for too long No, build your own lab and do it there. Yes A variety to understand different perspectives, eg B-sides for techy, RSA for Security business, others for security management,....... UK
314 7+ years Manager Don't know   Yes Vendor specific, CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP From networks. No matter how much you know about security...you don't know it all. Security principles apply to all, including you, so live what you preach.     No, it is not OK. Besides, in my experience when you ask permission most people say yes. Yes   EMEA
315 1-3 years Student No, but it helps Bash Scripting, Python, C#, ASM No CISSP Enrolled on an Ethical Hacking Degree in Scotland         Not unless they advertise it. An example of this is Hackthissite.org; Google offers bounties as well as Facebook. Yes BSidesLondon - Very focused and less vendor driven than other cons. As a student I find it a very approachable environment and a great place to learn about Ethical Hacking from an industry perspective. Affordable too! United Kingdom
316 7+ years Vulnerability auditor, Penetration tester, Policy writer, Malware analyst, Log analyst, IDS/Firewall admin, Sys-admin, Incident response, IT Forensics No, but it helps Bash Scripting, Python, C, Perl Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Independent consulting; SOHO engagements and found vacuum.           No   US
317 7+ years Vulnerability auditor, Penetration tester, Policy writer, Manager, PCI auditor, Incident response Yes Bash Scripting, Windows Powershell, Ruby, Python, Batch Scripting, Perl Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) It grew over time. I started as a field tech and volunteered for any and all security related tasks.  I also spent (and still spend) 10-20 hrs per week tinkering on the side. Eventually I had enough experience that I felt confident enough to highlight it on my CV and apply for security centric jobs. I eventually landed a gig as security consultant. I wish I had spent more time coding. Learn as much as you can, attend cons & classes, visit sites with security tutorials (ex. SecurityTube.net, Corelan.be, etc). Get in IRC and on twitter to interact with the InfoSec community. Mobile security. Don't be arrogant.  There's nothing wrong with sharing war stories but don't brag.  There is always someone better than you and you don't want to become the subject on the Errata page of Attrition.org. No, never.  There are plenty of opportunities to practice elsewhere and building your own lab will help you better understand what is happening. Yes Black Hat, DEFCON, DerbyCon, ShmooCon, SOURCE (Any) - These conferences give you a healthy blend of all sides of the security world (pentesting, web, dev, business, etc).  Also, the contacts made at conferences are invaluable. USA
318 1-3 years Penetration tester, Malware analyst, Log analyst, IT Forensics, On-Site Server Rack Management No, but it helps Python, C++, Java, Perl Yes CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) I started in security by picking up a book in the library when I was 13 or so titled "Hacking". Ever since I read it cover to cover I became fascinated with the concept, so I began to pursue it more, branching off into creating labs, working for experience (still a full time student) at a local company. I am going into college next year but already have a job lined up as a sysadmin, pentester, firewall manager, and just about everything you can name as the business is just kicking off. I don't know where I'll go or if the business will pull through, but I am confident that as this arms race between malicious crackers and corporate defenders ensues, so will the demand for people manning the terminals and locking them down. That Hak5 was available around 6 years ago; it really would have helped as I lacked structure. Only get into it if you really love it and wish to pursue it, don't do it because some movie shows a person smashing away at keys to break into systems, although that is good for sparking interest you must maintain that interest if you truly hope to succeed. I personally study every night from 9 P.M. to 3 A.M. (or until I fall asleep at my desk). Not entirely sure what you mean by this, if you mean for career paths then I believe network security is on the greatest rise of them all. As I said earlier with the rise of people trying to break and enter, corporations will demand people to stand guard and push them back. I wouldn't advise against anything really other than unauthorized access of networks. USE LABS!!!! Virtual machines exist for a reason! If you're truly passionate and are caught breaking in to a system nobody will want to hire you! It just shows that you're untrustworthy. 
I personally don't believe it is, as there is the possibility to do damage and tarnish your reputation, as you can never conceal your location 100% Yes Defcon of course! What better way to be informed about the latest in hackery than to meet up with others who, in my case, know way more information than I do and to learn from them! United States
319 7+ years Penetration tester, Reverse engineer, Malware analyst, Log analyst Yes Bash Scripting, Python, C, Perl No   By passion.           Yes HES 
Hack.lu
EU
320 <1 year IT Forensics Yes Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Batch Scripting, Perl Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), CISSP, Offensive Security (PWB, AWE etc) University and Compsec Society           Yes B-Sides, DC4420 and OWASP UK
321 7+ years Manager No, but it helps Bash Scripting, C, C++, Perl Yes CISSP, CompTIA (Security+ etc) Writing anti-virus software as C/C++ software developer. that certifications bring value start learning for a certification ubiquitous computing no no Yes virus bulletin 
blackhat
germany
322 1-3 years Network Engineer Probably, I don't do pen testing myself though. Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua, VB, C#, Perl, The more programming languages you are at least familiar with the better. Yes Vendor specific, CISSP Coming from a network engineering/systems administrator background, took a position as a network security engineer. When working for a corporation you must take the business objectives into account when designing a secure system.  If the system hinders production then your security is useless. Get to know others in the security industry and learn from them.   Spend time on the design process when developing a secure system. No. Yes I've never been to a conference but I see their value. get to anything you are able to get to and network with other security professionals. US
323 7+ years Policy writer, Manager, Incident response Yes Bash Scripting, Windows Powershell, Perl Yes Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC Royal Holloway MSc. Politics is important. Get a proper grounding in the basic concepts and principles of security.  E.g. from an MSc. Course.  It's amazing how many 'experienced' security staff I meet that don't understand basic principles of risk management and assurance. Back to basics. Didn't start contracting while I had no personal ties. No. Yes Gartner Security Summit 
Industry specific conferences e.g. IA12
uk
324 1-3 years Sys-admin No, but it helps Bash Scripting, Python, C Yes EC-Council (CEH etc), SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Working in a one man IT shop means you wear every hat in the shop. Even if you are really good at your job, if management doesn't value security and IT in general, you are pissing up a rope. Specialize.  Working in smaller shops, I've done the IT jack-of-all-trades thing for the last 10 years, and really feel like it has limited my professional development. Mobile device security Got comfortable. No Yes SANS conferences are great....if your company is footing the bill anyway. US
325 1-3 years Vulnerability auditor, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, PHP, Perl Yes - but only to get through HR Vendor specific University I guess you could say anything, but you're always learning. Contact people who do it for a living, not documentaries or movies. Understand what you're actually going to be doing on a daily basis. It may suit you as a hobby but not a career. I think it will be interesting when more devices make use of IPv6. Always trying the quickest option. No. 
 
I'm in the UK and practice is not a term used in a court. If you attempt to gain access to a machine you violate section 1 of the Computer Misuse Act 1990. Practice footprinting, but not anything else.
Depends, read what they're expected to cover.   UK
326 4-7 years Vulnerability auditor, Penetration tester, Sys-admin, Helpdesk, Incident response No, but it helps Python, C, C++, Batch Scripting, VB, Perl Yes - but only to get through HR SANS/GIAC, CISSP, CompTIA (Security+ etc), CCNA Got started through my school's information assurance degree program. Experience, work ethic, and personal connections will get you farther in your career than only strong technical skills. Read books. Security Engineering by Ross Anderson will put you well ahead of the pack. Incident Response. Perimeter defense has run its course and you cannot prevent everything. At some point you have to admit you've been penetrated and solve the problem from the inside out. Your network and domains should have a strong perimeter and a strong center. Not really, no. No. No   USA
327 7+ years Vulnerability auditor, Policy writer, Manager, Log analyst, Incident response No, but it helps Perl Yes - but only to get through HR Vendor specific, SANS/GIAC, CISSP Migrated from network admin Focus on one skill area. Generalists are only wanted at small businesses. Be ready to be in a state of constant education because security changes more than any other area of IT. Also find an outlet for the stress that comes with the job.   Should have finished college and started in big 4 to get a good overview of the field and the fundamental processes. Recon is fine, but nothing intrusive without prior written consent. No None of them are great, but the ones focused on attack/defense usually have at least some good content. Most talks at rsa or bsides are high level abstracts that aren't very useful. USA
328 7+ years Penetration tester No, but it helps Python Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP I was born this way wow, so much start small, learn how computers work first then you can make them do what you like SCADA trust yourself LOL, depends as a social event yes defcon, LAS 
bsides
USA
329 1-3 years Vulnerability auditor, Policy writer, Manager, PCI auditor, Sys-admin No, but it helps Bash Scripting, Ruby, PHP, C++, VB Yes - but only to get through HR   Started out as a programmer for the company, then as the company grew, my responsibilities grew.  Before that, I've always been interested in net/sec, so I was happy when I was able to do it for my work. There is no easy way to get started. Practice and play around while practicing. No opinion If a college degree isn't for you, it's not the end of the world.  You mainly just need to get your foot in the door of the company then know your shit about all things security and impress them.  Not really answering this question, but still relevant I think. Personally I say yes, as long as you know the infrastructure is stable.  It is good to get real world experience, since if you set up a virtual lab for it, you know everything about it already. Yes Really depends on what you want to focus on, there are so many you can always find one that suits you well. USA
330 <1 year Penetration tester, Exploit developer, IDS/Firewall admin, Incident response, IT Forensices No, but it helps Bash Scripting, Python Yes CISSP Once I entered my college major, I saw that senior year there was a cyber-security track. I decided it was something I wanted to do and decided to specialize in security within my major That programming is valuable and I wish I had a better foundation. Jump into hands on learning. Social Engineering Not strong enough programming background According to my university- no. Yes DefCon and BlackHat. USA
331 1-3 years Vulnerability auditor, Penetration tester, Log analyst Yes PHP, C++, Java, Perl Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP Masters in IS           Yes   US
332 1-3 years Vulnerability auditor, Penetration tester, Policy writer, Incident response Yes Bash Scripting, Ruby, Python, C, Java Yes - but only to get through HR Vendor specific, CISSP par hazard           No   Tunisia
333 <1 year IT Forensices No, but it helps Ruby, C, C++, Java Yes EC-Council (CEH etc), CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Sys-Admin assistant Don't jump into everything. Master one approach at a time. Do not assume anything is secure. A rewrite of all networking protocols. Nothing I can think of right now. No. Yes DefCon USA
334 <1 year Manager No, but it helps Bash Scripting, Ruby, Python, Java Yes EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) I haven't started yet. I still don't know much. Drink a lot of water.     Yes it is. Yes Don't know Bulgaria
335 1-3 years Manager, IT Forensics Yes Bash Scripting, Windows Powershell, Python, PHP, C++, Batch Scripting Yes - but only to get through HR SANS/GIAC, Offensive Security (PWB, AWE etc)   A lot, there are too many things in the domain. Because every day you touch a lot of new things.         Yes    
336  7+ years Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, VB, Perl Yes - but only to get through HR     The importance of regular patching and updates.         Yes   USA
337 <1 year Computer repair No, but it helps   Yes               Yes   UK
338 1-3 years IDS/Firewall admin, Sys-admin Yes Bash Scripting, Python, C Yes - but only to get through HR Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme) Career Path is roughly: 
 
Helpdesk -> Desktop Monkey -> Network Monkey -> Network Admin -> Firewall Monkey -> Starting to know a bit about networks and therefore being the guy who knows a bit about stuff and therefore should look after xyz project
Don't try to run before you can crawl. Knowledge needs to be both wide & deep, so start with the basics. See above! You need time and patience, as nothing happens overnight. You need to understand what it is that you're protecting, before you're able to secure it. The integration of mobile technologies with security methodologies.   Nope. Unless you want notoriety. The days of the rockstar hackers are long gone and if you get caught it's not a free ride to your own security firm, it's a fast-track to jail. Don't really get to go to any!   UK
339 7+ years Penetration tester Yes Bash Scripting, Python, C, Batch Scripting Yes CHECK Team Leader (CREST/Tiger Scheme)             No   Greece
340 1-3 years Vulnerability auditor, Malware analyst Yes PHP, C++, Java No   exploring flaws           No   india
341 1-3 years Sys-admin Yes Python, C++ Yes - but only to get through HR EC-Council (CEH etc), Vendor specific, CISSP As IT administrator           No   Zambia
342 1-3 years Penetration tester, Policy writer, PCI auditor, Reverse engineer, Log analyst, IT Forensics Don't know   Yes - but only to get through HR SANS/GIAC, CISSP             Yes    
343  <1 year Policy writer, IDS/Firewall admin, Sys-admin, Incident response No   Yes - but only to get through HR               Yes   Netherlands
344 1-3 years Sys-admin No, but it helps Bash Scripting, Windows Powershell, Ruby, Python Yes - but only to get through HR Vendor specific hacking           Yes   australia
345 1-3 years Policy writer, Log analyst, Sys-admin, Incident response, Wintel Consultant No, but it helps Bash Scripting, Windows Powershell, Ruby, Python, Perl Yes EC-Council (CEH etc), Vendor specific, CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc), ePCCT Secondment into the security team from the second/third line sys admin position I was in How to rein in my curiosity when first starting out, so I didn't have to restart in IT after overstepping the boundaries Look, listen & learn SCADA See first answer Only if you're confident you will not be caught and are prepared to take the punishment if/when you are caught out Some are, others are just a talking shop   UK
346 1-3 years Student Yes Bash Scripting, Python, C++, Java, Autohotkey No   My natural curiosity and computer aptitude as a kid growing up led me to want to explore computers in their entirety. When I hit school, and suddenly computers were locked, and privileges disabled, I tried to learn run-arounds, I script-kiddied and learned about the vulnerabilities of WEP (who hasn't). Eventually I started to wonder how I could turn this into a profession, but also how do these attacks work on a fundamental computer science level, as well as how can I prevent such manipulations to the computational logic from happening. The field is highly over-saturated. Read a lot, try and envision the process in your head as you do the steps. Visualize the consequences for each line of code. Wireless security Don't Slack yes No experience   United States
347 4-7 years Penetration tester No, but it helps Bash Scripting, Python Yes - but only to get through HR SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc)             Yes    
348  <1 year Penetration tester No, but it helps C, ASM Yes - but only to get through HR EC-Council (CEH etc), CISSP             No   USA
349 4-7 years Vulnerability auditor, Penetration tester No Python Yes - but only to get through HR               No   India
350 <1 year IT Night Grunt No, but it helps Python, C, C++ Yes - but only to get through HR Vendor specific, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc), Any and All Haven't just yet. Mostly just as a hobby at the moment. Start early, and actually read and understand EVERYTHING inside and out. I've missed a few key concepts through my reading, and then have to backtrack through and try to understand something, and THEN the later item makes much more sense.... 
 
Don't quit. Just don't. I've done it enough in my short life to know better. I just wish someone had told me this much much earlier.
Explore as much as you can. Regardless of your security clearance, or your user rights at work, at home, out and about, if you can touch a system, there is the possibility you can own it. 
 
Better to ask forgiveness than permission; tried and true, and sorta cheesy, but a large part of the time, it works. If you break in somewhere, and someone catches you, just say you were looking around. It's what I'd do, and so far hasn't steered me wrong. The things broken generally get fixed, whether software or meatware (humans).
Cloud PenTesting. Whether via Amazon's EC or a private cloud. Quitting mid-way through a lot of things. Honestly, if there had been proper documentation (looking at you Slackware guy(s)), I might have switched to Linux a decade ago. I still haven't, being that Windows is still the major OS used everywhere, and there's always something wrong to get fixed with it in corporations. Yes. I think you should. Hell, I've cracked and owned a couple WiFi networks in my day. Still own one to my knowledge, and it's just neighbors I don't really know. 
 
Most of the time it's just to poke around, nothing malicious, but exploration is key. If you do change something, remember to set it back if it doesn't work, or causes wonky behavior. Preferably before anyone notices. I know a few sites that actually encourage a bit of it; scanme.org is one that comes right to mind!
I don't know as yet BlackHat, because it's awesome 
DEFCON, because it's also awesome 
 
Haven't attended either as yet, but one day.......
USA
351 7+ years Penetration tester, Policy writer, Exploit developer, Log analyst, IDS/Firewall admin, Sys-admin No, but it helps Bash Scripting, Python, C, Batch Scripting, VB Yes EC-Council (CEH etc), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc) Research C Be interested in all aspects of security Mobile No No Yes Defcon, blackhat, hex, CCC  
352 <1 year Vulnerability auditor, Penetration tester, IT Forensics No, but it helps Bash Scripting, Python, PHP Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc)             Yes   United States
353 7+ years Reverse engineer, Malware analyst, Log analyst, IDS/Firewall admin, Incident response No, but it helps Python, C, Knowing how to work with databases and/or XML can be very useful. Yes - but only to get through HR Vendor specific, SANS/GIAC, Offensive Security (PWB, AWE etc) Have been interested since a teenager and started working professionally while in the Navy. Having a balance between patience and decisiveness. Read and do as much as possible, especially things outside of your comfort zone. Hmm, tough question. I work in the incident response field and the major thing I see lacking right now is a really solid way to compile all the data from an incident in a coherent manner. It's very much a manual process. I'm hoping various efforts by MITRE will help alleviate this as tools get developed. Be patient, don't jump to conclusions, and realize you probably don't know the whole story despite how much data you might have. No. Yes Shmoocon and Derbycon were both fun and informative. I haven't been to Blackhat/Defcon because Vegas and the huge crowds aren't particularly appealing to me. I've been to shmoocon the past 3 years and it's always been a blast and I usually walk away with some new knowledge or with excitement about a new tool that was released. I want to check out Cansecwest and RECon. USA
354 1-3 years Helpdesk No   Yes CISSP, CompTIA (Security+ etc)             No   United states
355 4-7 years Policy writer, PCI auditor, Log analyst, IDS/Firewall admin, Incident response, IT Forensics It helps but times are changing Bash Scripting, Windows Powershell, Python, Java Yes - but only to get through HR EC-Council (CEH etc), CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), CISSP 25 years in IT and teaching, and I saw the need coming so did a second degree in it That university degrees in security tend to concentrate on informatics such as ISO 27001 rather than 27002. Absence of ab initio training, no opportunities in a legal environment or experiential learning provided, out of date exploits discussed, fear of breaching general ethical mandates adversely affects effective training.  
 
No real discussion of social engineering, brute force taught, nothing of rainbow tables.
Learn via commercial training online, i.e. E-Learning on CISSP or via a Backtrack course where opportunities to LEGALLY run exploits exist. Mobile exploits via Android, cloud pen testing abuse. No NO. It's a criminal act; you cannot keep some laws sacrosanct and ignore others. varies   uk
356 1-3 years Penetration tester, Reverse engineer, Exploit developer, Malware analyst, Incident response, IT Forensics Yes Bash Scripting, Python, C, Batch Scripting, C#, Perl Yes CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, Offensive Security (PWB, AWE etc) I was looking for hard things to do. I love building software and I have a desire to build BETTER software. That implies easier to use, faster and more secure. Security is a fascinating area full of hard problems. I don't ever find it boring. I wish I had not chosen to go down the path of working in the games industry and instead just focused my time on infosec. Just get in there. Read, code, learn, keep trying things. Post blogs, read Twitter, talk to people, attend conferences, network with people, create communities, attend usergroups. Just get out there and DO it. Mobile security, privacy issues online and security of things like medical devices. Given that I'm new, no. But I'm sure I will! No. Yes   Australia
357 1-3 years Penetration tester, IDS/Firewall admin, Helpdesk, Incident response No, but it helps Python Yes - but only to get through HR   Watching shows about it as a kid, always being good on a PC Most of this is a lot easier to learn through experience than to prelearn it through books and ignorant professors Don't take a course, don't take a class. Get real experience BioInformatics, Cyborgs, AI Getting a college degree - what a waste of money Yes. This is called robin hood hacking and Google pays you for finding vulns through their apps, etc. Don't do this on any prissy networks, though, because we do in fact live in a sue-happy country where damage estimates can be drastically exaggerated. Fucking corporate pigs. Yes ShmooCon, Toorcon, CanSecWest, Blackhat, HOPE USA
358 <1 year Vulnerability auditor, Penetration tester, Policy writer, Reverse engineer, Exploit developer, Log analyst, Sys-admin Yes Bash Scripting, Ruby, Python, PHP, Batch Scripting Yes - but only to get through HR EC-Council (CEH etc), CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) From reading papers           Yes   Croatia
359 4-7 years Helpdesk No, but it helps Bash Scripting, Python, C, C++, Perl Yes Vendor specific, CISSP             No   usa
360 <1 year developer Yes Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, C#, Perl Yes - but only to get through HR   I just wanted to make a backup copy of a game called "North and South" that I used to play on my 8086 PC back in 1988, I think. Every time I tried, the original disk was damaged. So I started asking around...  
I never got into things in depth but I thought I could at least keep track. 
I recently realized that I am way behind in security in general and decided to catch up.
nothing yet. Prefer to touch fewer subjects but in great depth.     No, it's not. Yes I haven't attended any other than AthCon 2012 Greece
361 1-3 years Sys-admin, Helpdesk Don't know C, C++, Perl Yes - but only to get through HR   Education / University - security class I don't know much yet about security topics, which was the main reason for me to search around the web for getting started guides see above see above see above I would think so, if you help to improve the security by practicing and sharing your knowledge never been to one, so can't say   Germany
362 4-7 years Vulnerability auditor, Penetration tester, Log analyst, Incident response Yes Bash Scripting, Ruby, Python, Batch Scripting No               No   america
363 4-7 years Information Security Officer Yes   Yes - but only to get through HR CISSP Business analysis around requirements for Identity management projects   Research, network, ask questions, work on communication and understanding how findings affect the business and how to present them in a meaningful way     No Yes Networking. Broaden skill set or gain interest in broader areas USA
364 <1 year Log analyst, IDS/Firewall admin, Helpdesk Don't know   Yes - but only to get through HR EC-Council (CEH etc), CISSP, CompTIA (Security+ etc)             Yes   Turkey
365 <1 year developer Yes Bash Scripting, Python, Batch Scripting No   tracking project           Yes   mexico
366 1-3 years Penetration tester, Log analyst, Sys-admin, Helpdesk Don't know Bash Scripting, Python, C Yes - but only to get through HR EC-Council (CEH etc), SANS/GIAC, CISSP, CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Reading and discovering the *nix world. Serious C programming / Assembly 
Thorough understanding of protocols, especially TCP/IP 
Competent *nix and sysadmin skills
can't really answer as I'm only an enthusiast myself. mobile sec, cloud, "V", not acquiring enough programming skills, I believe it will definitely get me further. If one must do or practice with specific sites he can mirror the site and possibly no harm will be done. In addition there are also a number of weak VMs to practice on. 
I am not sure about getting into networks where we do not belong, it could definitely get you into serious trouble. Especially government ones.
Yes   Brunei
367 <1 year   No, but it helps Bash Scripting, C++ Yes CISSP, Offensive Security (PWB, AWE etc)             Yes    
368 7+ years Manager No, but it helps Windows Powershell, C++, Java, VB No   I was assigned to test, evaluate, and recommend security products to the CIO.   Read security related publications Phone hacking   No. Yes   United States
369 <1 year Sys-admin, student Yes Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Batch Scripting, Lua, VB, C#, Perl Yes EC-Council (CEH etc), Vendor specific, CISSP, Offensive Security (PWB, AWE etc)   Linux as a host os from beginning 
programming knowledge in early teenage 
internet connectivity
Be Jack of all Hacks, this field is full of problems which may have different answers. 
Don't try to reinvent the wheel ------> use Google!
ipv6 
web app pentest 
web programming
Don't try to oversmart, because in the world there are a lot of people who are working much harder than you. depends ;-) Yes Defcon, because it gives us a lot of knowledge in the field. India
370 <1 year Vulnerability auditor, IDS/Firewall admin, Helpdesk Yes Bash Scripting, Windows Powershell, Python, C, PHP, C++, Perl, Assembly Yes Offensive Security (PWB, AWE etc)             Yes   USA
371 <1 year   Yes Bash Scripting, Ruby, Python, C, PHP, C++, Java, Perl Yes EC-Council (CEH etc) By learning web attacks from owasp.org           Yes   india
372 1-3 years Vulnerability auditor, Penetration tester, Reverse engineer, Exploit developer, Malware analyst, IDS/Firewall admin, Sys-admin, Incident response, IT Forensics Yes Bash Scripting, Windows Powershell, Ruby, Python, C, PHP, C++, Java, Perl Yes SANS/GIAC, CISSP, Offensive Security (PWB, AWE etc)             Yes    
373 7+ years Penetration tester No, but it helps Bash Scripting, Python, C++, Java, VB, Perl No   Arrested for CMA, got offered job. How to do what I do now. Be one with how your brain works differently to those around you and know you will have the last laugh. crypto underselling yourself salary wise yes Yes   UK
374 <1 year Helpdesk, IT Forensics Yes Windows Powershell, Python, C Yes - but only to get through HR     Now I know that I don't know a fraction of what is out there. When I started (not that long ago), I assumed I knew more than I actually did. I have some learning to do. Do not be afraid to ask questions.   Do not assume anything. Check the facts, then check them again. NO! Unless you own the given site / company. Yes Defcon, DerbyCon, even barcamps!  
Why ? To learn new things, reinforce or even disprove what you've learned before. Meet the community.
US
375 7+ years Penetration tester, Incident response Yes Ruby Yes - but only to get through HR CISSP Military You don't need a degree. Learn a real skill first then try to secure things related to it. Finally I think Cloud services are getting hot. Attacking sites that don't belong to you. yes Yes Pick one and don't go to all of them.  YouTube is my favorite conference. USA
376 7+ years Penetration tester, Reverse engineer, Exploit developer, Developer Yes Python, C, PHP, C#, Some form of assembly (x86/ARM) Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme) Bit of a long story, really. 
 
I've always been interested in computers and programming since I was a kid. Started out as a developer, and a bit of an electronics tinkerer. Got into security as a hobby around my early teens. Dragged myself through school whilst doing a mixture of development and security in my own time, often to the detriment of social endeavours. Went to uni, got my degree in Computing (think CompSci + DevMgmt) and got a job in development. 
 
During that time I started going to security conferences. InfoSec and DC4420 were my first cons, and I got into BSidesLondon sans-ticket on the advice of some people I'd met at DC4420. I got onto the Twitters and started chatting with various security folk, and quickly got interested in the security community. Later attended 44con and spoke at Securi-Tay. 
 
Quickly got bored of development, fired out a few tweets, and got a job as a pentester in London. Moved half-way across the country for it, and now I'm happy! w00t!
Two things: 
 
1. The security community is AWESOME and you should get involved right now. 
2. Working in security is AWESOME and you should go do it right now.
Get out there and do stuff. It's all well and good to sit around absorbing knowledge, but the only way to go forward is to get your hands dirty and delve into something. Most of my vuln discoveries have been from just looking at what a random piece of software on my box does at a low level, and playing with the stuff I find. Not only does it get you real experience, but it's a great thing to show off to prospective employers. Red teaming and more open-ended tests. I think a lot of companies are starting to realise that the whole "product driven testing" model, while useful, doesn't really simulate what a real hacker (or team of hackers) can and will do. Verify the ever-living shit out of your bugs / vulns before you release them. You'll feel like an ass if they turn out not to be what you thought they were. It depends what your intent is, and what the policy is. I'd say yes, it's fine, if you're looking at someone with a history of being open to whitehats (e.g. Facebook, Twitter, Google) and you're genuinely looking for bugs with the aim of reporting them. If you're just looking to screw around then I'd avoid it. Yes * DC4420 - local meetup, relaxed, lots of fun, good SNR 
* 44con - great talks, great atmosphere, focused on networking + social 
* BSidesLondon - another great networking con, not as technical as 44con though 
* Securi-Tay (Dundee) - student-run, lots of new talent, and some surprisingly big names 
 
(avoid InfoSuck... damn vendorcon!)
England
377 1-3 years Penetration tester Yes Bash Scripting, Ruby, Python, PHP, VB Yes CHECK Team Leader (CREST/Tiger Scheme), CHECK Team Member (CREST/Tiger Scheme), CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Apprentice Travel Study and research outside of work. Be prepared to travel. Malware Analysis   No. Yes Bsides England
378 1-3 years Penetration tester Yes Bash Scripting, Windows Powershell, Python Yes - but only to get through HR EC-Council (CEH etc), CompTIA (Security+ etc), Offensive Security (PWB, AWE etc) Got a job out of the military as a FISMA policy/metrics briefer. Essentially put together the information from audits into slides for management. Studied and took my CEH. Once I got my CEH I was able to move into a vulnerability assessment position. From there, by studying on my own, showing motivation and passion, and being a pain in the butt, I was able to get some guys from the penetration testing team to take me under their wing. When my contract ended I was able to move on to the penetration testing team as a junior pentester. I wish I had known how important understanding programming is to understanding everything else. Once you start to deep dive into any subject, it always seems to come down to understanding the code. If I had known that earlier I wouldn't be struggling to learn programming after the fact. You must have a passion for technology and security. This is for two main reasons. First, security requires you to know a huge amount of information and to keep learning. If security is just a job for you, you will quickly fall behind. Second, the majority of people don't understand technology, let alone security. This leads to frustration and a feeling of tilting at windmills. You must have enough passion to carry you through those times of frustration and crisis. Embedded technologies (i.e. Internet of Things), large data science, and the virtualization of networks and systems (cloud, VDI, SDN).   I would advise against it. To me the risk vs reward is not there. There are plenty of training sites available and, with VMs, having your own network is fairly easy. Yes Personally I have only been to two conferences, but I would suggest DerbyCon. As a smaller venue you can actually interact with the speakers and some of the leaders within the infosec community. 
I would also suggest the BSides venues. The talks may not be as great but you can get to know your local security community, a great networking opportunity. United States