One of the questions I get asked routinely is how I got started in this business of technology. Quite frankly…I was simply venturing into uncharted territory as a brazen young man not at all afraid of what life or the world would throw at me. I wanted to do what people said couldn't be done. Prove that a college dropout could be a game changer. Of course it didn't matter that other college dropouts such as Bill Gates (Microsoft), Steve Jobs (Apple), Larry Ellison (Oracle) and many others had already proven it. I, Dave Nelson, also needed to prove it. I did eventually return to college and finish my degree, but I had already been very successful to that point. Finishing the degree was more about pride than anything else.
Though my method worked for me, it's not how someone just starting out wants to approach their career. I certainly wouldn't recommend it to anyone but the craziest risk junkies. Instead I like to point people in the direction of career management. It looks a little different for the college student than for a practicing professional, so I'll lay out some guidance for the student first. In my next post I'll address the steps existing IT pros should take to break into security.
Step one for students is to pick your career field wisely. Information technology for the most part isn't glamorous or sexy. (Think datacenter in a basement with no natural light…). InfoSec is even worse. You're known as the "NO" people. Even within the IT ranks we're not appreciated or even liked at times. You've got to have thick skin and broad shoulders in this field. You know how TV cops always hate Internal Affairs? Yep…same deal here.
So if you're still reading you must have some interest in this field. That's a good start. Traditionally people moved into a security role from some other technical field such as server and network administration or application development. They knew a specific area really well and were able to find the holes or weaknesses. Up until a few years ago you really couldn't find any mainstream colleges or universities which offered InfoSec or IA programs. That has changed. If you are planning for, are now in or will be returning to college, you have many options to choose from. There are bachelor's and master's level degrees available which will help you get your foot in the door. The Information Assurance Center at Iowa State University, which is an NSA Center of Academic Excellence, offers a master's certificate and Master of Science degree in Information Assurance.
The federal government is also offering scholarships and fellowships for students in this arena. You go to school on their dime, get a stipend while in school, then agree to work for a federal agency for a certain number of years. If that deal had been available to me I'd have jumped at it. It's crazy to go into debt to the tune of $40,000 or more just for an education when there are plenty of people who are willing to pick up the tab. While working for the US government might not be your first choice, you might actually like it. You get to see technology which lots of smaller companies don't use or can't afford. There are lots of promotional opportunities and the pay is very competitive due to some recent changes in the compensation structure for hard-to-fill career fields. You might also get a security clearance, which is VERY valuable to government contractors should you ever decide to move into the private sector.
Don't expect to come out of college as an InfoSec Ninja Master though. It will still take you years of on-the-job experience to develop a fully rounded skill set. What it will do for you is better prepare you to view technology and business integration from a risk perspective. This typically isn't taught in Computer Science or MIS course work. In order to be successful you'll need a broad understanding of different technology components. Take course work in various disciplines such as application development, network infrastructure, communication protocols, cryptography and computer architecture. It won't all make sense to you at first. As you mature in the profession things will begin to click. You need to be able to see the larger portrait that's being painted, not just the individual brush strokes immediately in front of you.
InfoSec is still a maturing field. As we move forward we're finding better ways to recruit and retain talented individuals. We're also learning that just because someone understands security, they might not be really good at understanding and working with the business to reduce risk. You have to be technical but also have some business acumen to truly succeed in this field today.
One last bit of advice as I close. Never, ever get involved with any activity which could be considered illegal, unethical or immoral either online or in the physical world. Remember, the standard you're judged against may not be your own. This career is based on trust. Without trust you have no future. Pick your friends and acquaintances wisely. (Sorry…the father in me just jumps out sometimes…can't help it.)
Next time I'll speak to those already in the IT field who want to break into InfoSec. Stay tuned…
Join the Des Moines chapter of the ISSA for a FREE lunch and learn session sponsored by Purewire. The meeting begins at 11:30. Please RSVP to ensure we have enough food.
Topic: Security Review & Outlook
The Web has shifted, is your network ready?
How hackers are exploiting your employees' Web surfing to gain entry into your network
Location: Buccaneer Computer Systems
1401 50th Street, Suite 200
West Des Moines, Iowa
Speaker: Guy Weaver
Senior Systems Engineer - Central Region
RSVP to Dave Nelson to reserve your spot.
I'm really on this data privacy and forensics kick, so I've got another post to help make you even more paranoid. Let's talk a little bit about how information regarding you or your family including preferences, habits, interests and other tidbits of information can be siphoned from everyday technology in use around you. Here are 10 everyday items we use which can destroy our privacy one bit at a time.
Vehicle GPS – You can save favorite routes, your last route, restaurants, hotels, etc. on these devices.
Vehicle diagnostics – Can track statistics and averages for trip time, trip length, speeds, acceleration, etc.
Portable media players – music, photos, videos, digital audio notes, podcasts. (These are great for profiling an individual for social engineering attacks)
Identification – Military IDs, new US Passports and some state driver licenses now include RFID chips which can be read very easily. A US service member's medical history is now embedded on their chip. WOW! RFID uses weak security and wireless transmission…bad combination.
Cell/Smart phones – Important contact information, calendars, attachments. They're mini computers, but we treat them worse than our car keys.
Voicemail – Here are the four default codes used by nearly all answering machines and VM services: 0000, 1234, 9999 and last 4 of the number dialed…try calling random numbers until you get VM and login using these…bet you get "lucky" more than once.
Cable and satellite boxes – can record viewing habits, pay per view and other oddities.
Video game systems – Online services such as Xbox Live track every statistic under the sun regarding what you play, when, with whom, what media content you download and tons of other stuff.
Frequent shopper cards – Go to the grocery store, check out and swipe your store loyalty card for the discounts. Your entire purchase history is now stored in a database and tied to your demographics.
eBook readers – Ok…maybe this one isn't mainstream yet but it's popular with the college crowd. How about your entire personal library being open to inspection?
Now I know what you're going to say. "Dave, please step into this padded room, it's for your protection." And that may be true. I'm certainly not out to say we shouldn't use any or all of these devices. But, to do so without understanding the potential downfalls as related to privacy is naïve at best. It also goes to show why more criminals are looking at online networks to discover information about their victims.
The flip side of this is from the law enforcement and government perspective. If accused of a crime, these are all the areas of your life which might be inspected in order to find motive, opportunity or other elements of a case against you.
Sorry folks…whether you like it or not you have a digital persona, and it's not even on Facebook, MySpace or some other social networking site. It's woven into the very fabric of our everyday life. Get used to it.
Gotta go…my refrigerator just alerted me we're low on milk, eggs and hot fudge sundae topping.