How Did I Figure Out I Wanted to Work in IT Security?

Randomly, I’ve been asked by people how I got started in the security world, specifically within IT.  To be honest, it’s a little amusing to me seeing as I know there is so much more out there I still have to learn.  But looking back, I can see that I have come quite a ways, and I have loved every step along the way.  I figured it might be worthwhile for me to post my thoughts, and the path that I took about how I really started working in this great industry, and give my thoughts on what a successful security person might be (by no means can I provide the all-encompassing list, but it’s just my thoughts).  This will be broken up into numerous blog posts on here.

My first exposure into security probably came at college, I know significantly later than probably many others out there.  I took my first security class at a school which barely offered any, and I could not wait for it to begin.  Throughout the course, I realized it wasn’t going to be all that intensive, I found the material easy and very logical to understand, which resulted in great grades for the class.  However, the real learning came to me when I began talking to the teacher, and meeting up with him after class.  Through this one on one time, I was exposed to the first hacking tool I’ve ever seen, Metasploit.  I still remember him saying, “Hey, see that server over there?  Watch this.”.  He then fired up Metasploit on his computer, typed in all of his commands, and boom, a shell popped up.  When I saw him make a folder via the shell, and then it pop up on the desktop of the server, it was like this black magic to me.  At the time, I felt like people always heard about hacking attacks, network infiltrations, but it’s just some news story far away, and it doesn’t really happen.  When I saw it happen right in front of my eyes, it’s like my whole world opened up.

I went home that very same day, installed Auditor (pre-backtrack days) and fired up metasploit.  This was my very first interaction with not only metasploit, but linux also.  I had never used linux, knew of it, but just never tried it before.  I can’t tell you the number of times I lost my documents (until I finally started saving them on a usb drive) when trying to learn how to setup dual partitions on a single hard drive to run linux and windows.  I finally settled on Kubuntu at the time, and started trying to learn the OS.

At the same time, I was lucky enough to have a roommate who told me, “Yeah, you can try hacking into my computer”.  So I did.  It took quite some time, as I never really knew what I was doing.  But, like the security class, I still remember the first time I was able to break into his system.  It was some basic remote code execution that he hadn’t patched on his XP computer, and I setup to do a VNC injection as the payload.  I just couldn’t believe my eyes when I saw it successfully worked, and then when his actual desktop showed up on my computer, and that I could actually move his mouse on his computer with my computer.

It was right then and there, that I knew exactly what I wanted to do as my job.

My future plans…

I’ve had some time now since I’ve been Security+ certified, and I’ve been trying to think about the next steps that I am going to take.  Largely, I’ve been doing a lot of thinking on what it is that I want to do specifically with IT in the future.  I know that I want to do something relating to security within IT.  A dream job would be part of a company or owning my own that was involved in penetration testing and IT/Network/Business security auditing.

Knowing this, I’ve been trying to plan what certifications might help provide a good demonstration of my background knowledge that would be applicable to the job.  First things first, I am going to get my Network+ before the end of the year.  After taking the Security+, the Network+ does seem to be very similar.  I’ve taken a practice test and it seems the only area that I am specifically need to work on is knowing the protocols for routing.  Once I get this information down, I don’t think there should be a reason that I can’t pass it fairly quickly.

Once I have this, I am going to start studying for the CEH certification (Certified Ethical Hacker).  I’ve come from a background in security, as it has always been something that I have been interested in.  I’ve briefly looked over the certification and it seems that it is a lot of things that I already have had some exposure to.  I do not think that this would be a significant challenge to learn.

Finally, once I have received all the previous certifications, my big certification that I want to go after is the CISSP.  This is the big security certification that you can get.  Having this would provide major credibility to myself, and it is something that I really want to get.  I think I will look into taking a class, along with some book studying as well.  This is very in depth about all formats of security, and would definitely require a good amount of knowledge.  However, since it is something I am very interested in, I have no doubt that I will be able to become CISSP certified.

Security+ Certified!

So, as you all know I have been studying for the Security+ for the past month roughly. This past week, with two weeks left in my class, I just felt that I really knew all the information we had previously gone over, and all the upcoming information. So instead of just sitting there, I figured, why not just try taking the test, and see where I’m at?

Went on a rainy Thursday morning, walked right in, sat down, and 25 minutes later came out a Security+ certified professional!

It was interesting, I felt that for almost every question, I was able to eliminate 2 of the 4 possible answers, so if I didn’t know it, I nearly always had a 50/50 shot at getting it right.

Anyways, I walked away with a score of 845 out of 900, and a big weight off of my shoulders.

Security+ Update

Well, I’ve been “going” to the virtual class for about three weeks now.  We meet twice a week for 3 hours.  This class in all honesty is pretty easy.  Well, I guess that would be attributed to the certification itself.

In the end, I know I could have definitely taken the test and received the Security+ certification without having to go through the class.  Really, all that is being done is the instructor is just reading through the book, which I can do myself.  But, I guess it doesn’t hurt to have an instructor.

The only thing I really need to focus and remember are the encryption algorithms.  How many bits each one is, and if it is asymmetric or symmetric.  Besides that, all the concepts that the book presents seem very straight forward and logical.

I believe the class is going to be sending out our vouchers very soon.  Hopefully I get it this week.  If I can, I’ll take a few more practice tests (already getting 85%) and as long as I stay around the same score, I’ll just go take the exam early, and be done with it.  Not much of a point of sitting for a few more weeks to learn things I already know.

Well, we’ll see, and hopefully I’ll be certified shortly!


For the past week and a couple days I have been studying for the Security+ exam.  I’ve been going through a couple books, websites, and practice tests to get ready, and my work actually has sent me to a class to get ready for the exam.

After going through the books, and the start of the class, I feel I probably could have got this done without going to the class.  The first chapter, and the first day of our class, was learning what updates are, hot patches, service packs, etc.  It was a little funny to learn that, should probably be common sense if you are going for the Security+ cert, but still a good review.

Tonight we are about to have our second class, and I am looking forward to it.  My only weak area (from what I can tell after taking practice tests) seems to be the memorization of things, such as how many bits are in a specific encryption algorithm.  Short of that, all the concepts I feel are straight forward and make sense.

Tonight will be the end of week 1, with 5 weeks to go.  Looking forward to getting through the class, and getting the cert.