How to - Info-Sec jobs, internships and such.
AV15 Away
Edulix PenTester
Edulix Distinguished Contributor
Post: #1
Let me throw my two cents about Info-Sec here. I did not know where else to put this but I definitely think this would be valuable information. Here is a general list of things that I did and I would expect a passionate and sincere guy to do if he wants to secure good internships/jobs in info-sec industry:

1. Do justice to your coursework. What I mean by this is that I have seen a lot of guys who score good grades and have a good GPA but they just do what they are required to do, they don't travel that extra mile. Doing justice according to me is not only getting grades but also knowing the stuff, following the security news, following blogs of famous researchers and industry stalwarts. For instance, if you aspire to be a Web-Application pen-tester and you don't know who Jeremiah Grossman is or RSnake is then I would say you are not doing justice.

2. Linked-in and professional networking. The way I see it, it is very important to network in the US. One way to do it is through Linked-in. There are various groups which one can join according to his/her interests. For example, if you are interested in botnet research, then you should join the botnet research related groups on Linked-in. Follow the discussions in that group and try participating. Participation definitely gets you noticed and increases chances of networking.
Try to get in touch with alums in the industry. Search jobs on Linked-in and connect with technical recruiters.

3. Follow Security news and mailing lists. SecurityFocus.com has various very good mailing lists where people from security industry share knowledge and discuss real-time problems related to various aspects of security. Try to participate in these lists by solving the problems - trust me, this is a very good practice for scenario based questions asked in the interviews. If you are interested in forensics, reading SANS forensics blogs is a very good practice. Forensics experts like Rob T Lee, Eoghan Casey, Lenny Zeltser blog at SANS and talk about awesome things.

4. Info Sec conferences: As a student it's very difficult to attend major conferences as the conferences might not be happening in your town and some conferences are expensive. But you could try to get it sponsored, for instance from your department or school. I tried to force JHUISI to sponsor a few students to attend Blackhat or Defcon (which happens every year in Las Vegas) but they did not do it. This could be changed, I feel that since these schools give a masters in info-sec then why not send some students to conferences. Conferences are also a great way to network.
Some of the famous conferences are:
Blackhat- it's the best out there, you would get to meet real time hackers and awesomest people of Info-Sec world.
Defcon- Again, awesome conference.
OWASP Appsec - Premier place for application security.
DFRWS- Digital Forensics Research workshop.
NullCon- It's a group that holds security conferences in India.
Can-Sec- Most of the Apple products and almost all browsers are hacked/rooted in this conference.

Similarly follow OWASP and WASC for application security related stuff. Join the OWASP local chapter in your city.
Follow news from cnet, SANS, ISACA, Computer World security, CSO Online, Astalavista, Hack in the box, Darkreading, ZDnet. I have been asked in various interviews the question: "What's the latest security news you have heard?" or "What do you think about the recent XYZ hacking?". So reading news helps.

Don't stop at this, create a twitter account or start writing a blog about great things that you are learning.

Here is an awesome post by reef_d. He has poured down all that needs to be done to be a good info-sec professional:

Ok so I'll add in my few bits here:

First up it's all about your mindset. Are you an Engineer? By that I don't mean a degree holding robot churned out by the rote-based Indian system or any book-knowledge system. Ever observed that annoying relative of yours who likes taking things apart without knowing how to put it back together? Or if you've followed shows on the Travel Channel on the Bike Building Contests where they build a bike out of scrap metal?

So similarly in this field you have the hackers and crackers. You might know the definition and hackers are usually modders while crackers are the whole exploit creating, reverse engineering, DDoSing/Brute Forcing bad guys.

This is one field where you have to upgrade yourself constantly and have a fairly concrete idea of the technology concepts used in the area you plan to build your career around.

If you're a developer and you like security, you don't have to specifically jump ship onto pen-testing or network security. Learn the fine aspects of writing brilliant code. Writing code is an art and coming from a developer background, you learn the nuances of coding styles such as you can make out coders dependent on an IDE vs old school Vim guys (screw you Emacs). Or the guys who have learned from the procedural language days and then jumped to OO frameworks.

If writing code is an art, writing secure code is something virtuosos are made of. Most of us through our learning process never bother to learn secure coding and if your school offers any secure coding class, enroll in it if you plan on becoming a developer even if you don't care about a career in Infosec. You'll just get that much more respect from annoying IT guys and pen-testers who will always get their lulz in life picking on you (Check out TheDailyWTF for horribly written code). If you don't have any class offered, keep looking for good resources. OWASP offers a lot of secure coding guides for free and maybe you can invest in some books (I'll list some of my favorite books in another post).

Use Security centric APIs. The OWASP ESAPI, Microsoft Enterprise Library, Anti-XSS library, CSRF-Guard etc.

From a job point of view, this secure coding built into your mindset and part of your routine in writing code will not only help you get a good development job as a secure developer, you can also work with static analysis tools knowing exactly how to solve coding blunders and even would help you in your growth to a security architect position.

So that's the builder point of view.

As a breaker, build that mindset of "How?". That's the key question of any scientific methodology. We've advanced to where we are by asking how things work, reverse engineering them, testing hypotheses to falsify them and then progress. Decide what area you want to question the most? Network vulnerabilities, Web applications, operating systems, mobile devices, hardware, human beings? Choose one and just go wild. Keep reading a tonne on the latest hacks and if you have a safe environment at home to experiment on, give it a shot. For example, I used to be a php developer writing modules for Drupal. So I used to read on every new Drupal vulnerability and try it out. Read the whole idea of how that vulnerability is exploited and what you can do to avoid it apart from just installing a patch. My first ever exploit was questioning how keygens work (Yes we pirates in India are all familiar with keygens). So with a slight background in Assembly language, I tried reverse engineering one particular software license check and it took me about 2 sleepless nights but the reward, I tell you is great. You guys all know that Eureka moment.

Anyway to summarize this post, just keep questioning "How". You're a computer scientist and an engineer. Start acting like one. Don't just be another trained monkey.
------------------------END-------------------------------------

Some common roles that I have seen in Security Industry are:

Security Consultant:
Working in a consulting firm doing Web-App Pen-Testing, Network Pen-Testing, Wireless, Intranet and Security Audits like PCI, HIPAA etc.
Security Engineer:
Working in a security team for a company like say Qualcomm or Motorola and implementing security in their products.
Security Analyst:
Working in a company like Yahoo, Google etc. and doing job like securing networks, dealing with IDS, IPS and firewalls.
Security Dev:
Development of Security based products like AVs or Appliances like Cisco firewall etc.
Security Researcher:
Working for some firm doing Vulnerability Assessment of different softwares like Adobe Flash or Microsoft IIS and researching to find new flaws.
Malware Analyst:
Reverse engineers malwares, botnet binaries to understand their behaviors.
Forensic Examiner:
Does all kinds of Forensics tasks like Network Forensics, File System and mobile forensics.

How does the job scene work?


There are 3 categories of companies:

1. Govt. Organizations: The simple plain fact is that no immigrant can work in the government departments. (CIA, NSA, FBI etc etc.) To work for the government you need to be a US Citizen.
2. Private Govt Contractors: Now there are some private companies that are contractors to the US government for instance Lockheed Martin, Raytheon etc. These companies have tonnes of security openings but they won't entertain international students as they work on federal government projects.
3. Private firms: The last category is companies which are private. They might also do some federal work but not all their work is federal. This includes companies that just won't sponsor H1 because of various reasons. Then there are companies which sponsor H1. So these are the companies one should target. How would someone know whether the company sponsors H1 or not? The answer is networking. Networking with seniors, recruiters etc. helps here too.


**Update**
Me and a couple of my friends came up with a list of companies that specifically deal with Info-Sec. This was in spring 2010 when I was applying for internships. I am uploading that list here for the benefit of future Info-Sec grads. Please understand that I have not updated this list after summer 2010. If you are new to Info-Sec and do not know about companies then this might be a good place to start. If anyone happens to update this list then please send me the updated copy so that I can upload it here.

Hopefully other seniors might notice this thread and add some valuable advice that they have.


Attached File(s)
.pdf  List.pdf (Size: 108.89 KB / Downloads: 405)

Only PM me if something is Urgent, I check my PMs only once a week.
Info-Sec profile evals only.

Who r u they asked Buddha. I am he said. Not who I am. Just I am. In that singularity he saw infinity.
(This post was last modified: 07-06-2011 06:23 AM by AV15.)
02-27-2011 08:01 AM
0wn3d Offline
Edulix Senior Member
Post: #2
aayvee15: Useful information there. How does relevant experience help in this job search?

I am currently working with KPMG Advisory for security consulting. So I have varied experience in short span. Could you suggest different types of security roles one can expect? You might cover different possibilities (so that I can gauge the range of security work in US).
03-01-2011 09:20 AM
AV15 Away
Edulix PenTester
Edulix Distinguished Contributor
Post: #3
(03-01-2011 09:20 AM) 0wn3d Wrote: aayvee15: Useful information there. How does relevant experience help in this job search?
Relevant work-ex definitely helps in getting resume noticed and getting interview calls.
Quote: I am currently working with KPMG Advisory for security consulting. So I have varied experience in short span. Could you suggest different types of security roles one can expect? You might cover different possibilities (so that I can gauge the range of security work in US).
Updated in the post above.

03-01-2011 10:20 AM
Coolsunshine Offline
Edulix Active Member
Post: #4
I am a newbie in Security Field... Thanks for the info

(This post was last modified: 03-06-2011 02:48 PM by Coolsunshine.)
03-06-2011 02:32 PM
blackpixel0x17 Offline
New Edulixian
Post: #5
Very good info indeed!

But please do tell about the pre-requisites for obtaining such jobs.

Moreover, how important is it to do PG, or is an under-grad degree say B. Tech enough?
04-09-2011 06:41 PM
AV15 Away
Edulix PenTester
Edulix Distinguished Contributor
Post: #6
Depends on what kind of job within info-sec you are looking at. To be good at Info-Sec you need to be exceptional at CS basics. I won't say a PG is mandatory, I work with a few guys who don't have a UG degree yet but they are awesome hackers.

04-18-2011 06:38 AM
ameykk Offline
Moderator Emeritus
Post: #7
@AV15,
Excellent compilation of companies, mate! A BIG thanks!
I always have seen people saying that US citizenship requirements for most of the
info security jobs restrict them from applying to a variety of internships,
what do you think? How was your experience? Being in JHU helpful?
I would appreciate if you could share your experience with us!

Very Busy. Might take time to respond.
(This post was last modified: 05-07-2011 03:11 AM by ameykk.)
05-07-2011 03:10 AM
AV15 Away
Edulix PenTester
Edulix Distinguished Contributor
Post: #8
(05-07-2011 03:10 AM) ameykk Wrote: @AV15,
Excellent compilation of companies, mate! A BIG thanks!
I always have seen people saying that US citizenship requirements for most of the
info security jobs restrict them from applying to a variety of internships,
what do you think? How was your experience? Being in JHU helpful?
I would appreciate if you could share your experience with us!

Thanks Ameykk. I have updated the main post with some of the Citizenship stuff. I have answered the JHU specific questions on the University specific thread.

(This post was last modified: 05-07-2011 03:45 AM by AV15.)
05-07-2011 03:45 AM
LM10 Offline
Super Moderator
Post: #9
AV15 - Would passing the Associate of (ISC)2 exam (since CISSP requires 5 years of work ex and SSCP requires 1 year) before coming there help offset the lack of work experience in the field?

I don't see any real way I can get relevant security work experience with the placement scene in my college (100% placements, but only IT companies).

SOP eval guidelines have changed. Please read this. Do NOT send me PMs requesting personal SOP reviews, they will be ignored.

Destination CMU

My VI
05-30-2011 10:43 AM
AV15 Away
Edulix PenTester
Edulix Distinguished Contributor
Post: #10
(05-30-2011 10:43 AM) lm10 Wrote: AV15 - Would passing the Associate of (ISC)2 exam (since CISSP requires 5 years of work ex and SSCP requires 1 year) before coming there help offset the lack of work experience in the field?

I don't see any real way I can get relevant security work experience with the placement scene in my college (100% placements, but only IT companies).

lm10, certifications do help your resume get noticed. Relevant security experience is a must for some kinds of jobs but a lot of companies hire freshers too. The employers usually look for mindset rather than skill-set. For instance, obviously you cannot have experience and know-how of all Cisco products or firewalls unless you have had 2-3 years experience working on them but bottom line is you should know how a Firewall works.

FYI, you can get a CISSP without 5 years of work-ex too. The exam is the same, everything is the same, just that you get an Associate of CISSP certification initially and when you have the required work-ex, you can get an upgrade to CISSP without re-appearing for the exam.
There are a bunch of other certifications like CEH which require less work-ex but then it totally depends which side of security you would want to get into.

Hope this helps.

--AV

PS: A lot of people I know got certifications after they got a job, the reason being, most of the certifications are expensive and usually the employers would sponsor them if you do them while you are working.

05-31-2011 08:29 PM
LM10 Offline
Super Moderator
Post: #11
Aye, that's very helpful AV15, thanks

Is SSCP valued at the same level as CISSP or is it just considered a timepass certification?

06-01-2011 09:37 PM
AV15 Away
Edulix PenTester
Edulix Distinguished Contributor
Post: #12
(06-01-2011 09:37 PM) lm10 Wrote: Aye, that's very helpful AV15, thanks

Is SSCP valued at the same level as CISSP or is it just considered a timepass certification?

Definitely CISSP is very much valued but haven't seen too many guys with SSCP. As I said, you would be better off doing a CEH, CCNA etc at this stage. You might wanna look at certification programs by SANS Institute, they are rigorous, expensive and respected all across Info-Sec world.

06-02-2011 03:18 AM
Backtrack Offline
New Edulixian
Post: #13
This is the perfect information needed for people who are starters in the Network Security field. Thanks AV15 for this wonderful information
06-15-2011 07:40 AM
LM10 Offline
Super Moderator
Post: #14
AV15 - Do you have any idea about the MSISPM course at CMU's Heinz school? I understand it is less technical than most InfoSec courses, focusing more on the documentation and policy aspects of InfoSec. My question is - what sort of job role can one expect as a fresher after taking it? Also, if someone wants to enter the legal field a few years after MS, would MSISPM be a better choice than a core technical course?

06-15-2011 07:50 AM
reef_d Offline
Edulix MVP
Post: #15
Ah a security thread. Too bad there weren't any around back in 2008. I'll add my information here as well. It really pisses me off when uninformed people in India say that you need to be a citizen to be in the security field!

06-17-2011 07:51 PM