Getting a Job in Information Security

If you want to work in any information technology field, security included, you are lucky to desire both a field and a time when the means of production are very much available to an individual.  This is a huge advantage we have over, for example, a chemist.  Someone wanting to go into chemistry could get some equipment and chemicals on their own, but a large portion of what you need to do serious chemistry is unavailable to an individual.  In IT, a thousand dollars can buy a passable research network.  You can even start out virtualizing everything on your existing computer.

Tools we would recommend playing with:

• Metasploitable : An intentionally vulnerable linux distribution designed as a practice target for practicing security.
• Kali Linux : A linux distribution designed for offensive security.  Includes lots of tools including Metasploit, Burp Suite, OWASP ZAP, and many many others.
• Mininet : creates a virtual network, including switches, firewalls, routers, routing protocols, and SDN controllers.

We would recommend starting out on your own systems and networks, but if you want to go beyond that there are a bunch of things you can discover passively by looking at headers and not engaging in any unauthorized access to sites. 

If you find something at Georgia Tech, please use the vulnerability reporting process to report it to us.

Train yourself to always think how you could exploit a system.  A frequent interview question is what sorts of ethical issues you could find in information security and how you would approach them.  A good information security person shouldn’t be at a loss for a way to exploit privileged access.  That’s not to say they should actually exploit it, but they should always be thinking about it.

As an example I recently had someone telling me that they got locked out of a cloud service and how happy they were that customer service let them back in with the last four digits of their payment card and the billing address.  I’m sure most people would be happy with that, but my first thought is that account takeover should be pretty easy since both of those are fairly public things.

Let’s say someone is hiring a Lead Information Security Engineer and they have two top candidates:

• Alice has been working in a Security Operations Center for five years and knows all about vulnerability and patch management, firewall configuration, and has an excellent security mindset.
• Barbara has been running a massive load balanced LAMP stack and understands at a fundamental level how layer-2 and layer-3 load balancing work, the routing necessary to do them, Linux, Apache, MySQL, Python and Perl, a couple web frameworks, HTTP, HTTPS, WAFs.  She has a passable security mindset and has learned security related to her system, but she has never formally worked in information security.

The selection would be Barbara every time. If she also worked in a SOC starting out or represented the web services group to enterprise security, then that’s another plus that distinguishes her from other web subject matter experts. However, many would much rather have someone securing web services who understands the intricacies of web services and can learn security, rather than someone who understands security and has to take the service owner’s word for it on how web services work.

Even at the very entry level, one would generally rather have somebody who has worked in IT before than someone who hasn’t.  Georgia Tech Cyber Security hires student employees and turns more than half of our applicants away, but the Network Operations Center has trouble filling their student positions.  If you have worked as a student in network operations that certainly distinguishes you from a graduate with no actual work experience.