This brings me to a thread on TechExams.net from a few years ago that discusses what it takes to be an industry-recognized security professional. Something to note here, this forum assumes that certifications are earned through rigorous study and hands-on experience, not through memorizing stolen test-questions or cramming a book just enough to pass the test. That being said, this particular conversation discusses the much-lauded CISSP certification, which requires professional experience and a degree, in addition to a test, in order to obtain.

Keatron, who teaches courses in network security, had the following advice for another forum-member asking how to get into security:

I’ve had many people sit my CEH class and realize they should have had Security+ level knowledge under their belts first. I by have it, I actually mean have it, not just pass the test.

I would say probably Sec+ (even if you do it self study).
Then MCSA:Sec
Then CEH
Then SSCP
At this point I’d suggest getting some Cisco in there. And you must start with CCNA, Then work the CCSP route (will not be easy, but worth it).

By this time you should be very ready to start preparing for the CISSP.

Again, keep in mind that the assumption here is that a professional would be working as he or she earns these certs, and actually learning the material in a practical way over the course of the two or three years it would take to study for all these tests.

So, the response we get from UnixGuy, another member of the forum who is interested in security-work:

Hmmm, isn’t this tooo long a way to earn a CISSP ??

And here is the big payoff, Keatron’s reasoning for all those other skills and experience:

For UnixGuy, think of it this way. Let’s say you have 6 different certifications that all deal with 6 different areas of Information Security. Think of these as your 6 cans of Coke. Now think of the CISSP as the little plastic stuff that holds a six pack of coke together. Take your 6 cans of coke (your experience and other certs) and the little plastic stuff (your CISSP), add those together and you have a solid six pack that’s held together well. For example, you might have a job as a firewall administrator. You might perform this job well for 6 or 7 years. However, you could be an expert firewall administrator, and not know squat about application security. In reality, the CISSP helps a security professional take all their years of experience, and certifications and FINALLY tie them all together and see clear relationships between it all. But there’s the old saying “garbage in, garbage out”. So in other words, if you are a person with only 1 can of coke (mimimal experience and minimal exposure to certifications), then the little plastic thing (CISSP) wont really do you much good, because you don’t have any cans (experience and certs) to tie together. The CISSP is often described as a mile wide and an inch deep. But it should be understood that you don’t go a mile deep because theoretically, you’ve already been 20 miles deep in several of the domains. I always stress experience first, then certs. However, sometimes you need the cert, to be awarded the opportunity to get the experience. But I often recommend people in the security field get vendor specific certs related to operating systems or network equipment they may be responsbile for securing. You can’t possibly secure a large building if you don’t know where all the doors and windows are. Additionally you need to know how to open and close these doors and windows. Same goes for systems and networks. Here’s a few examples;

How can one possibly understand group policy if they’ve never implemented or least labbed it out in preperation for MCSE? How could you know that group policies only apply to computers that are a member of the domain, OU, or site that group policy was applied to if you haven’t done it, or again labbed it out. Not to mention you have to remember to give groups read and apply group policy permissions to the group policy object if it is to have any effect at all. If one doesn’t understand these basics, then how could they possibly even start to secure a Windows based network? How does Kerberos work (in Windows world). What’s sent in clear text and what’s encrypted? How feasible is it for an attacker to forge a ticket and fool another device or computer in the realm to believing it’s legit? If you’ve never implemented a Pix or an ASA then how could you know what it’s default inspection rules for the FTP protocol is? We’re taught that FTP uses ports 20 and 21 only. But is that actually accurate? Is is true that FTP actually uses dynamically allocated ports to actually do the data transfer part of an FTP session? How does the ASA default inspection rules allow for this? And if you know the answer to that, then what security concerns does this behavior and allowance or disallowance by ASA introduce or expose your organization to? Have you observed it’s behavior via ethereal or some other analyzer or sniffer? What about the bazillion other protocols you’re forced to allow into your network? Are you sure DNS only uses port 53? TCP or UDP? Both? When you perform a query for a resource on the web, does the response to query come back in on UDP port 53? What about zone transfers? Is that via port 53 as well? TCP or UDP? Are these zone transfers in cleartext? If they are, what can you implement to encrypt these zone transfers? How does Checkpoint Firewall solutions deal with this behavior? (And saying it just works doesn’t count). Are the ways in which it deals with this behavior introducing unique security considerations? Isn’t it true that the biggest problems with firewall, IDS, and other mechanisms is that they act and behave in a very predictable manner? How does NTFS file systems store data and files? What about NFS? FAT? What about ZFS? So how do ZFS and EXT2 differ in how they store and catergorize data? From a confidentiality perspective, which is more feasible? If you haven’t worked with these file systems you might not know the answers. However, getting certifications can expose you to this very information and least give you some level of knowlegde in those areas.

This list could go on and on. And obviously a CISSP that thinks they only utilize port 21 when they go to an FTP site and download files probably could have benefited from getting little more experience (or getting more cans) before getting the plastic peice (CISSP) to pull it all together. Because pulling it all together with too few cans causes us to have huge “knowledge gaps” and therefore renders us less effective in our roles as information security professionals.

So UnixGuy, the above is some of the major reasons I suggest a path to the CISSP that’s probably a little longer than what you normally hear. Thanks for reading. And I hope it helps. 

Keatron.

I agree with every word of it. You cannot secure a network, a server, a website, or even a stand-alone PC, if you don’t know how those things work in the first place. Security is a second-tier skillset, you have to learn how it works before you can learn how to protect it. ”Security” isn’t some additional field that was invented for us to work in, it’s a term for the in-depth knowledge we gain as we work and learn about these systems that helps prevent exploits and hacks from being executed. UnixGuy’s question is a common one, and he’s not stupid or self-entitled for thinking that the road is too long. Unfortunately, I think that security isn’t taken seriously enough as a whole by this industry, (and many others,) and the result is that most of us don’t know how much work and effort goes into becoming an expert on that level.

Given, even experts make mistakes and sometimes the black-hats (bad guys) are sometimes smarter than the white hats (good guys), but that’s all the more reason to study, train, and prepare yourself if you want to be a CISSP, for example. Some people think the road is too long. . . I think that the road isn’t often long enough. It’s a big, bad world out there full of threats and people who want to steal our information. The more you know, the fewer times you’ll get caught with your pants down.

I’ve taken programming classes before: a VB6 course back in 2000, an intro to programming with C++ course in 2002, and then I picked up some C# back in 2006, but none of it ever really sunk in because I didn’t spend enough time with any given language to get any good at it. The only “programming languages” I’d been proficient in were XHTML and CSS2. . . well, up until January of this year that is.

In the Spring semester of 2011, I enrolled in CIS 26 at Laney College in Oakland, which was an introductory programming class that used C as the language of choice. It was both a “for beginners” class as well as a course on how to write code in the C language. I really enjoyed it, and now in the Fall semester I’m enrolled in CIS 25: Object-Oriented Programming with C++. So far, it’s been enjoyable. We’ve covered the usual if-else and switch statements; for, while, and do-while loops; functions; pointers and reference variables; classes and polymorphism. . . the usual fare for an OOP class. The teacher assigns no particular book, he simply lectures and sends out notes he wants us to use, then strongly recommends we pick out a book to use ourselves; one we can read and learn from outside of class.

For my money, I chose to go with Stephen Prata’s C++ Primer Plus:

After all, I went to College of Marin, and he used to teach there. . . oh, and the book comes highly recommended, too. It’s a great read, both for beginners and experienced coders. I’m slowly but surely working my way through the last few chapters now, getting my head around classes, among quite a few other things. This’ll be the longest span of time I’ve ever spent doing any kind of coding, for class or otherwise, and I intend to keep it up.

I’m going to take a data structures & algorithms class at Laney at some point in the future, probably next summer. (Yeah, that’s the only time they offer it.) Before then, however, I intend to already have a leg-up and spend some time working my way through a book or two, then maybe find some coding projects to tackle. Which book(s) I intend to read, I haven’t the foggiest idea yet, but I’m hoping to get some suggestions from my classmates and former co-workers on the subject. I don’t intend to let what I’ve learned drop away this time, and I’ll be damned if I go into that next class without some kind of preparation so I can get the most out of it.

So far, I’ve done a bare-bones install of Exchange 2010 three times, (once almost without any screw-ups,) in a lab environment consisting of a domain controller and a member server both running Windows Server 2008 R2. Baby steps, baby steps.

Why would-be engineers end up as English majors.

** Update: finally found this video on YouTube. **

Reading through it, I began to realize that some of the assumptions I’d made about education in my part of the world is pretty much true. For the most part, people find science and mathematics harder to understand and study than they do subjects like history, English, and others that fall under the umbrella of liberal arts. The question I had to ask myself is why. Why do so many people have such a hard time with one area of focus, but not others? Is it because the college coursework for English majors is less complicated and demanding than what engineering and science majors have to deal with? After spending long hours in study-sessions with Hanif Houston, a recent graduate of UC Berkeley’s English undergradute department, I’d say this isn’t true. His workload consisted of sometimes reading an entire novel per week, analyzing it, and writing several lengthy papers at once. My workload consisted of dozens of math problems, physics questions, and code-writing projects each week; all of these together often times didn’t amount to the amount of time and effort Hanif spent dissecting Shakespeare or building arguments for why Philip Roth’s sarcasm should be bottled and sold as a remedy-cure for common stupidity.

Given, I’m still a lower-division computer science and electrical engineering major, while the comparison is to upper-division English studies. Nonetheless, the CNN article describes people dropping out of their first or second years as science majors to pursue liberal arts degrees instead, taking a path of less resistance. So why is it really, then, that people decide that liberal arts are a path of less resistance to a degree? The obvious answer I can give here is that math and science classes in the public K-12 school system aren’t nearly adequate enough to prepare students for college-level work, but that’s not really the only problem. After all, courses in history, English, art, music, and the like are just as lacking in high school and below. So, perhaps there’s a bigger issue to look at. . . maybe it goes back further and deeper than our educational system.

Growing up, I never quite realized how often I heard the same set of mantras: “I don’t care about the science, as long as it works,” “I’m no good at math,” “when am I ever going to use this stuff?”, and of course, “if you spend all your time studying [math, sciences, or other 'nerdy' subjects], you’ll have no life and never get laid.”

The issue here is that all these things are so damned passive, we don’t realize we think this way. When I used to think of professional writers, for example, I used to imagine the people I saw in movies, like Jack Nicholson in As Good as It Gets, playing Melvin Udall, living in an expensive New York apartment and writing books at his leisure. Or I’d picture Michael Douglas in Wonder Boys fighting writer’s block, Sean Connery in Finding Forrester as a reclusive shut-in, coming out of seclusion to help a young writer earn his professor’s respect. All of these guys had two things in common: they didn’t seem to actually work all that hard for their money, and there’s never a time we see them struggling to earn that money. Easy living, right? Just write books, cash your checks, and have all the time in the world to deal with life’s other little problems. How hard could that be?

Scientists, on the other hand, get a different image in pop-culture. Up until recently, physicists, chemists, mathematicians, biologists, and all flavors of engineers have been portrayed either as quirky side-characters, or as eccentric, awkward head-cases that are either used as foils for more charismatic characters, or as “ugly ducklings” that need to be brought out of their shells by friends or a love interest. (See Q from the James Bond movies, the protagonist of the Nutty Professor movies, Doctor Emmet Brown from the Back to the Future series, etc.) The cases where a scientist is considered a sex symbol, a true main character, are the cases where they are more occupied with flashy action sequences than they are with their area of expertise, (see Doctor Jones from Indiana Jones, Doctor Gordon Freeman in the Half-Life video game series, and Doctor Ian Malcom in Jurassic Park.) This is also true for those “lonely nuclear/astro physicists” played by attractive blondes in James Bond movies. The issue here is, simply put, real science isn’t sexy. Most of those nerdy engineers and scientists used as side-kicks and comic relief in movies aren’t what the majority of people want to be.

I say most, however, because there is an exception to the nerdy scientist image. When the movie, video game, book, or television show in question is attempting to make the science, itself, sexy is when we see the geeky scientists become the charismatic protagonist. One good example of this is Dana Scully from The X-Files, as well as Peter Venkman from Ghostbusters and Hawkeye Pierce from M*A*S*H. Often times, with the notable exception of the latter, the main characters are made to look a lot more sexy by virtue of the fact that the science is either questionably feasable, or dumbed-down in order to make for more exciting action or drama. These are people we want to be, for sure, but for the same reason we want to be those writers from a few paragraphs back: their lives consist of other concerns, outside their jobs, that make their existence a lot more fun than our own. Scully performs autopsies on camera, Dr. Venkman actually does perform experiments in psychology, and Hawkeye spends a lot of time in surgery. These scenes, however, aren’t the main focus of the story, they’re merely vehicles for the characters to further conflict between other characters, set mood, or used as a backdrop for later sequences to play out. (Hawkeye also spends a lot of time drinking in his tent and arguing with higher-ranking army officers about the patients he’s worked on in the OR.)

So what’s the payoff for having read this far? My point is that we either paint math and sciences as too dull, too boring, or too difficult. It’s okay to rationalize your C grade in algebra because no one will fault you for saying it’s not your strong point or that you’ll never get any use out of the quadratic formula in your adult life. On the other side of the coin, we sometimes make technical fields seem easy and fun like they are for Indy and Doc Brown, and people are blown away by how much work they have to do in college to achieve a fraction of the progress these characters make and are disillusioned. This isn’t all too different from martial arts movies, signing up for karate classes, then dropping out after a few weeks because you got your ass kicked in a fight after school. The real world isn’t the movies, and usually the jobs we have to do aren’t exciting or sexy at all, so we pick the perceived easier path in order to avoid that work. Between that slap or reality and the stigma of working in “nerdy” fields of study, in my opinon, it’s no wonder people either switch from, or outright avoid, sciences and engineering in school.

How do we rectify this kind of attitude? I suppose we can try to instill in our kids that hard work is a part of life, and if you pursue your intersts you’ll probably end up having a lot of fun as well as studying your butt off. Regardless of the field, reality needs to be observed and people need to start getting genuinely excited and interested in their pursuits. Being an English major isn’t easy, and physics isn’t as hard as you’ve been lead to believe. And honestly, at the end of the day, both writers and scientists are equally geeky in their own right; so are FBI agents, firefighters, and medical doctors.

[Only slight spoilers ahead, nothing you can't figure out from the theatrical trailer.]

In Tron Legacy, Kevin Flynn disappears in 1989, leaving his entire life to fall apart without him. This includes his company, the raising of his son, and his arcade, Flynn’s, which is shown in the film having been closed down and all the game machines covered in plastic. When Kevin’s son, Sam Flynn discovers the arcade and turns the power back on, all the machines come back to life. . . including an original Mortal Kombat arcade machine, which didn’t come out until 1992.

Given Kevin Flynn’s hidden office isn’t discovered until 20 years later, it’s fair to assume that the arcade was shut down as soon as he disappeared. If the arcade had stayed open without Flynn around, his employees would surely have found the office behind the Tron arcade machine just as easily as Sam did.

Continuity mistakes for the win! And that concludes my obligatory uber-nerdery for the year. . . everything from this point on will be completely voluntary.

In the words of the great Ben Croshaw: “Allow me to hold your head under the putrescent waters of knowledge.”

Is the IT industry elitist? In a word: yes. It’s one of the few industries where the words “entry level” actually mean you should have several years of experience before applying. It’s an industry where there is always someone younger, someone smarter, someone willing to work longer hours out to take your job and steal your promotion. It’s an industry notorious for its demand that we update our skills faster and faster with each passing year, and that’s simply to stay current with the job(s) we already work in.

However, there are some pretty good reasons.

The first reason is that, in IT, the spectrum of responsibility you are expected to carry can range from simply making sure a few office-workers can connect to the internet and download their email, to keeping system-critical servers and equipment working for hospitals and banks. We need to stay sharp, we need to keep ourselves up to date, and we need to grow with technology or we can’t do our jobs and maintain that technology. That, of course, brings me to another reason.

Technology changes, the needs of businesses and users change, and we have to change with them. There is no way to do business today the way we did in the 80′s, the 90′s, or even the way we did in 2005. If you want to complain because you’re just now learning what a server is, and most companies want someone who understands virtualization, that’s nobody’s problem but yours. One of the points that Ayn Rand once made is one I whole-heartedly agree with: a person is not hired for a job to his or her best, they’re hired to do what is necessary to complete that job. This industry requires a VAST amount of knowledge on our part, a great deal of flexibility, and a practical understanding of how to use that knowledge to keep the world running. On to the next point.

As Sabalo mentioned, there are lots of people who get into IT thinking it’s easy money, then complain when they find out it’s harder than they thought. Oddly, no one expects to be a doctor, physicist, astronaut, firefighter, or engineer without a lot of work beforehand, and this industry is no different. And, honestly, it’s not for everyone. Not everyone “has the right stuff”, and some people even spend anywhere from two to eight years in school before they figure out that IT isn’t for them. (This is also true for those other professions I mentioned, as well as many others, like computer science.) You keep working, you keep learning, and then you figure out if this is the path for you or if your best simply isn’t good enough and another path is a better choice.

It sounds like you’re fresh out of college, so you’ve got plenty of time to decide what to do with your life. You were told you weren’t a good fit for the job(s) you applied for, so right now you’ve got a choice:

A.) Blame the hiring manager(s) that turned you down for being unfair not realizing your genius.

B.) Figure out why they didn’t want to hire you, and work on those things.

Maybe you need more experience? Volunteer your time. Maybe you need more certs? Study and earn them. Maybe you need to work on your interviewing skills? Talk to professionals, (like the ones on this board,) and ask them for help. Maybe your communication skills are rusty? Take some writing and speech courses. There are lots of things we all need to improve on, don’t expect to be the exception to the rule.

If all this sounds a little harsh, it’s because it is. IT is a competitive industry, and it doesn’t suffer fools. It’s better to know what you’re getting into and try to live up to that, than it is to get thumped on the head a few times and grow bitter because of it. We’ve all been new to IT, and most of us are here to offer help. . . but only if you can accept that you just might need it.

The political landscape of this country can be summed up in one word: vicious. In my lifetime, I’ve never seen the kind of outright partisanship that’s dividing this country into distinct blue and red factions. President Obama’s being called a nazi, a communist, a Kenyan, and the word liberal is still considered a derogatory term by many. So, who is to blame for this onslaught of venom from the right? Why, we are. . . the very same liberals who are under the gun.

During the George W. Bush years, the outrage over his administration’s policies boiled over to such a degree that nothing was taboo. We called him a nazi, we called him a fascist, we burned effigies of him in the streets, and there was nothing sacred about the posters carried during anti-war rallies. Does this mean that we were wrong in feeling outrage? Of course not, there was plenty to be angry about during the Bush years. However, regardless of how we may have felt about the issues, that doesn’t excuse the tone and approach we took. We, who are supposed to be the “intellectual elite”, let ourselves get goaded into a screaming-match that is the basis for what the right is flinging back at us now.

Regardless of if we were right or wrong, no matter how strongly we may believe we were right, we set a horrible precedent. We sank right down to the level of the conservative mud-slingers and gave the conservaties, particularly the Tea Party, all the ammunition they ever needed to rally support. They can now call us freedom-haters with the same poison language we used against them. After all, why wouldn’t they? They’re simply one-upping us, stepping only a few steps over the line that we drew and then ran over. We gave them the weapon they needed to fight us: self-righteous outrage fueled by memories of our attacks on them. And when you give a chimp a gun, you don’t blame the chimp when it shoots somebody.

We made some pretty horrendous mistakes that the right has taken and run with. So, what can we do? It’s simple, we simply have to rise above it and continue moving forward. The issues at hand are important, but this time we have to address them like the adults in the room, instead of sinking down to the shouting contest of the past. Let the Republicans and other conservatives shout, rally, scream, and yell. They are more than capable of sinking their own ships, especially now that a new crack in the armor is appearing.

During the health care debates, the presence of a group known as the Tea Party was undeniable. Their rallies, promoting mainly fear of the coming changes, were showcases of the kind of rabid ideology conservatives are ready to embrace in this day and age. The Tea Party is a far-right answer to the Republican party’s standard right-of-center  politicians, and there have been several cases where an incumbent Republican politician has been voted out in favor of a Tea Party candidate.

The Tea Party is dividing the Republican party down the middle. And, as one prominent Republican once said, “a house divided against itself cannot stand.” The first targets of the hyper-idealogical Tea Party  are the centrist Republicans, not the Democrats. This creates an interesting set of circumstances: Republican politicians will either have to shift their policies to appease the Tea Party, potentially alienating independent and right-of-center voters, or they’ll be under threat of being replaced by a Tea Party candidate.

What happens next is the tricky part. The Democrats will lose seats in both the senate and in congress, but it’s very unlikely they’ll lose their majorities. Sure, the filibuster-proof majorities will be gone, but that doesn’t matter since the Dems never had the guts to use them anyway. The tension will continue to grow as the Tea Party picks up more and more steam, generating more empty outrage over the Obama administration, putting more pressure on centrist Republicans to fall in line or be ousted in the next election. My advice to them is to run, run across the aisle and stand with the majority in order go get things done. Results will always win over ideals and outrage.

As time passes, the current Tea Party candidates will fail to live up to the impossible ideals of the Tea Party and the rhetoric of the likes of Glenn Beck. Their own candidates will begin to take heat for not bringing change fast enough, much like they did to Obama starting the week after his election. There will be blood in the water, that’s for sure, and Republicans will be scrambling to ensure their seats in congress and the senate come 2012. As I said, results will matter more than promises, and the only way they’ll get any results under their belts, not to mention the support of anyone outside the Tea Party, will be to vote with Democrats on upcoming bills.

So where does that leave the Democrats? They have to rise above the bickering, the name-calling, and stop acknowledging the blubbering outrage of people like Glenn Beck and Rush Limbaugh. Realizing that Beck and Limbaugh are far more concerned with their ratings than the ideals of their party is going to be the first step, and we’re not going to win any elections or approval ratings trying to shout down or even get into debates with radio personalities. President Obama, in particular, needs to worry less about the resistance his policies see in the here and now, and focus on moving his policies forward. The only way for Barack Obama to ensure a victory in the 2012 presidential race is to bring results of his first four years in office, in order to give credibility to the promises for the remaining four.  In the end, history will remember what was accomplished, not what was attempted.

The same can be said for all of us. It’s time to stop engaging the Tea Party and the outrageous claims made by their leaders. Of course Obama is American, of course he’s neither a nazi or a socialist. We know that, Glenn Beck knows that, but the average Tea Party supporter doesn’t know any better and is whipped up into a frenzy based solely on the emotional response produced by hearing those things. We need to rise above them, be the adults, and stop giving in to tempter-tantrums. Debating issues with a Tea Party follower is useless, they have faith that their own views are right and earnestly believe that liberals are evil people out to destroy their way of life. We cannot get caught up in emotional warfare with them any longer. We have to rise above all that and ignore them, let them torpedo themselves, if we are ever going to see reason win out over zealotry.

The truth of the matter is that the deciding factor in the upcoming elections is going to be the independent vote, as it was in the last election. As long as we stick to our principles and avoid jumping down in the mud with the conservatives, we will win. An undecided voter isn’t going to look favorably on the Tea Party’s extreme viewpoints and unfounded claims, but they’re not going to look favorably at us either if we show them exactly the same thing. I say let the conservatives eat each other, we have a lot of serious work to do and it’s far too important to let fear-mongering and self-righteous nationalism distract us from that fact.