Rule of thumb: go out to the stationery store, get a bound log book with
page numbers, and jot down the different things you learn, or tips, tricks
and other hints. This journal book will not only serve as a guide on what
you have done day to day, but also as you learn more about how things
work. It then can serve as a guide for you; eventually the notes will be
cohesive enough to someday put together a nice hands-on tutorial that can
be presented at some of the local or national conferences, as we have spoken
about in this thread.
As you will learn, keeping detailed notes and journal books will not only help
you recall different items as your learning progresses, but also can serve
as evidence to verify that what you had changed the night before did not break
the system and something else did :)
I will never claim I am an expert or a 'bona fide' security auditor; every
environment is different, rules can be the same, but it also depends on
how they are applied with the technology and with the people.
I remember once at a Big N-1 firm, one of the first things I looked for when
I walked in: did they ask me to sign in, verification of who I am,
anything? Nope. Saw a phone that is easily accessible, empty network jacks
in the lobby.. Plunked down, took out a laptop of sorts, trusty phone
cord, and ethernet cable, plugged in and set out to see what I could find.
No one even blinked, no one even asked if I worked there or anything. Right
next to the phone was a handy dandy phone list of all the partners and
employees of the firm. It was an interesting place; just some of those
simple doing-your-job type of things can definitely be amusing. The
amusing part is that this same Big N-1 firm prides itself on its excellent
I wonder if they got the phone bill for my call to Hawaii... :)
Back to your question, having someone teach you the ropes: it may be hard to
find some of those people, since according to Paul it really is a closed
trade job, but it really isn't anymore.. It is about how newbies learn and
experienced people learn something and keep up to date not only in
technology, but in tools and business practices of different organizations.
Hearing stories like the above can add to your observation and journal
At 10:14 AM 2/25/98 -0500, Paul D. Robertson wrote:
>On Tue, 24 Feb 1998, J. Kris Baca wrote:
>> As less than a newbie (newbie wannabie) I couldn't agree more. Bennett has
>> personally given me some great tips on how to get into this sector of the
>> industry (thanks Bennett!), but getting in just out of interest seemed
>One of the biggest problems I see in people who want to be involved in
>security is that it is *very* difficult to get a sufficient level of
>assurance that the person will do the right thing. That's one reason I
>suspect that it tends to seem like a closed-door club. We even spend a good
>bit of time slowly extending our trust to folks who have been in the
>company doing related or other things for years. I find it fairly
>difficult to imagine hiring an unknown quantity to specifically work in the
>parts of our business which are security focused.
>No amount of certification will change that part of the equation.
>> impossible. It seemed as if there were those who knew a lot and those
>> heard of snoop from a friend. My remaining question is how does one with a
>> fair amount of systems and network knowledge and experience begin to tackle
>> the security fray? Classes, books, web sites?? Who's willing to give
>It really depends on what part of the industry you're aiming at. If you've
>got a lot of knowledge, then start playing with packet filters and
>application layer gateways. Learn how to set them up, whichever way you
>learn the best. Some of us learn best from doing, others from crawling
>the Web, books, and classes, one-on-one tutorials or mentoring, and some
>from a combination of things. How you learn is really more of a
>trait of your thought process than a generic way to gain insight.
>If you've got a good deal of networking experience, learn how to secure
>access to your routers, then learn to put packet filters on them, and how to
>filter multiple protocols, protect routing protocols, etc. With Ethernet
>cards at $17 now, it's also fairly trivial to play with most routing
>protocols on an old 486 or two.
>If you've got a good deal of system administrative experience, then learn
>how to secure your systems. Depending on the OS, there are quite a few
>books, sites, newsgroups, and tools available.
>In other words, use what you know, and expand into securing that first.
>The base principles are going to go with you and you'll already be able
>to tell what breaks or at least feel comfortable with your environment.
>> pointers and benefit of THEIR experience? This clique seems to be plagued
>> with the same disease the industry as a whole has --
>I haven't seen anyone competent's pay go down yet in the computer
>industry, and I've been doing it for longer than I care to admit.
>We all benefit from having more secure sites and more security professionals,
>so anyone with that limited mindset won't go very far. Watch for what
>you're looking at though, there are times when people will not share a
>particular implementation because of a perceived need for obscurity (or
>policies which require it) rather than because they don't want to share.
>In that case, if they can't think well "outside the box", you'll want to
>look for ways to genericize and rephrase your question. I tend to not
>get enough time in front of whiteboards to explain why and how, but it's
>never been something I'm unwilling to do.
>Understanding the base technologies, and probably more importantly their
>vulnerabilities is one of the biggest keys you can get. After you
>understand the technologies, protocols, OS functions or what have you,
>look at the common exploits and try to figure out how to fix the systems
>so that they aren't exploitable. Look into figuring out how to monitor
>for the particular attack, then that whole class of attack. Go up the
>tree from the physical layer to the social layer with the same level of
>If you're in a company, and you're trying different things, ensure that
>you've got permission. Otherwise you could find yourself very
>unemployed. If you're stuck with an administrator who is too scared to
>share their knowledge, then don't try to directly challenge them, either
>work towards getting their help, or set up an off-network test area or
>network at home. Make sure that even if you set up an off-net area at
>work, you have permission. Creative research is against most usage
>policies if it isn't part of your job title, and you'll be looked on as
>more responsible if you always take responsibility for your actions.
>Learning to justify what you want to do is a vital skill you'll need anyway.
>Remember too that folks who are insecure will often take suggestions for
>improvements as criticism of their current performance. If you can't
>deal with this well, you may want to consider either limiting the scope
>of your quest to a narrowly defined set of things, or choosing something
>else to get into. Getting the cooperation of a single administrator is
>*nothing* compared to getting the cooperation of division presidents,
>thousands of employees, or "that guy in sales who is looking to make
>$200,000 in commissions".
>Hope at least some of this helps,
>Paul D. Robertson "My statements in this message are personal opinions
net which may have no basis whatsoever in fact."