This topic has 35 replies, 22 voices, and was last updated 11 years ago by pb2.

Any fellow Information Security'ers here?

    officialtob
    Free Member

    Hi all,

    I know this is the most random place to post an information security related question, but I thought I may get some good informal advice instead of all the formal type answers I get in infosec specific forums.

    Basically, I come from a non-IT background, and now work in Information Security. I now really need to make a push at learning about our company’s network infrastructure, firewalls, data routing, etc, so I can ensure that any risks are mitigated.

    Therefore……my question is: can anyone recommend me some ‘for dummies’ style books to help me grasp this? I’m relatively tech-savvy, but it really needs to be worded in a non-IT manner. Additionally, any intensive training courses that could be recommended?

    Thanks in advance 🙂

    piedidiformaggio
    Free Member

    YIKES!!!!

    It’s the Network Police

    Everyone look busy!

    footflaps
    Full Member

    Whoever makes your firewall / VPN box eg Cisco, will no doubt have a course for it. There are loads of books on Firewalls, VPNs, tunnels etc.

    purpleyeti
    Free Member

Depends what you want to achieve. If you want to understand the risks then look at audit/risk books. If you are on about understanding it from a technical perspective then good luck if you are not from an IT background, as even some seasoned IT pros seem to fail to understand security properly. As a useful insight, Syngress books are generally written by people who understand the subject. Again on the training course, if you mean teach you to test the setup, again you will struggle; although there are good ethical hacking courses, they are aimed at technical people.

    If you want more detailed information then email in profile.

    I’m a pentester, or to make it sound all professional, IT Security Consultant.

    br
    Free Member

    Basically, I come from a non-IT background, and now work in Information Security. I now really need to make a push at learning about our company’s network infrastructure, firewalls, data routing, etc, so I can ensure that any risks are mitigated.

    At least you can take comfort from the fact that they don’t see IS as a risk in your company 🙄

    Cougar
    Full Member

    I’m a pentester

    Ooh. At some point, you and I need to have a conversation.

    DaRC_L
    Full Member

You need a course – any simple book will be too simple for an organisation and any other book will assume basic IT skills and knowledge.

    purpleyeti
    Free Member

Cougar, email in profile, drop me a mail.

    willard
    Full Member

    For my sins, I do this. Mainly incident response and vulnerability management, but I get involved with pentesting at the weekends so to speak.

    From a starting point of view, have a look at the CISSP revision guides. The CISSP syllabus is very broad but relatively shallow so you’ll get a flavour of what the whole thing is about. You can then go and look for any books in your specific area of responsibility that will get you more relevant information.

    The risk assessment/risk management area is quite niche, so there are bound to be quite hefty, expensive books on it somewhere on Amazon. I’ll ask around and see if anyone on my team can recommend one.

    elzorillo
    Free Member

    Basically, I come from a non-IT background, and now work in Information Security. I now really need to make a push at learning about our company’s network infrastructure, firewalls, data routing, etc, so I can ensure that any risks are mitigated.

    So how exactly did you manage to get a job that you have absolutely no experience of?? I’m intrigued 🙂 (especially one as important as Net Security).

    Cougar
    Full Member

Cougar, email in profile, drop me a mail.

    Will do. It’ll probably be tomorrow now, mind.

    willard
    Full Member

    elzorillo – Member
    Basically, I come from a non-IT background, and now work in Information Security. I now really need to make a push at learning about our company’s network infrastructure, firewalls, data routing, etc, so I can ensure that any risks are mitigated.
    So how exactly did you manage to get a job that you have absolutely no experience of?? I’m intrigued (especially one as important as Net Security).

    Be careful now, there’s a world of picky difference between Network and Information Security! That’s the sort of thing that schisms are made of.

    MrGrim
    Full Member

    It’ll probably be tomorrow now, mind.

    You really do work in IT 😉

    br
    Free Member

    So how exactly did you manage to get a job that you have absolutely no experience of?? I’m intrigued (especially one as important as Net Security).

    Which was the gist of my post, as I’m now struggling to get work as I’m “too experienced”…

    mattrgee
    Free Member

    Commission a Pen Test and follow their recommendations. Reading a book or doing a course isn’t going to cut it.

    Who manages your network? Have you tried asking them the questions you’re asking here? You’ll end up looking pretty foolish if you come back from a course asking ‘Do we have a firewall’?

    toby1
    Full Member

I did an ‘Ethical hacking’ course with a security company once which was pretty helpful on a basic level; could be a place to start. They too were pen testers and offered courses based in Cambridge. Not sure of the name though, but sure Google will tell you if need be.

    scuttler
    Full Member

    Tech background helps but infosec is a blend of tech, people, policy and process, the latter three having little to do with bits and bytes. Infosec is also broader than IT but the nature of information management and exchange being heavily biased towards computers and networks means that’s where the focus is.

If I was you I’d start with the basics – switching, routing, firewalls, the OSI model and how infosec often lives up at layer 7 in the content itself. That way you’ll be able to have a conversation with some of the network people over how you might map policy and process at a higher level into something technically deliverable and manageable at a lower level, e.g. “the mandatory use of encryption on the management network”.

    Hope this helps but there’s no substitute for experience and there’s plenty of room in the world for infosec people who can’t drive a firewall.

    NZCol
    Full Member

Understand the basics really well. Then add a bit of audit understanding (for structure and risk relevance). IT security, risk, privacy are all slightly different but have the same principles. As background I am a cryptographer, started writing code (assembler etc) and over the last 20 years have worked all over the security space from engineering to CISO/CIO roles. Built and sold 2 security companies (managed services x 1 and consulting x 1). I used to write CISSP questions back in the old days when there were no study guides. Now I run a large IT security practice and consult a bit. Happy to answer any specific questions.

    And as a kicker if there are any good security professionals inc testers esp. CREST then I am looking to hire a few more people based in either Wellington or Auckland.

    samuri
    Free Member

Do you pay moving expenses from the UK? 🙂

    NZCol
    Full Member

    Yes.

    scuttler
    Full Member

    Stampede…

    Russell96
    Full Member

Back to basics: why has the security infrastructure been deployed? For example, has it been built to some regulatory or client contractual requirements? You need to know these.

    purpleyeti
    Free Member

@toby1, it wasn’t 7safe, was it?

    purpleyeti
    Free Member

@NZCol, is CREST recognised there yet? I know they were trying to branch out. Also, what’s the company?

    sbob
    Free Member

    elzorillo – Member

    So how exactly did you manage to get a job that you have absolutely no experience of?

    My money’s on public sector. 😉

    footflaps
    Full Member

    So how exactly did you manage to get a job that you have absolutely no experience of?

    That could pretty much describe most consulting / management roles……

    samuri
    Free Member

    To be fair, a lot of Information Security people are not techies, they’re risk management people. And process and people are always a way bigger risk than any technology.

    For the OP, if you’re not already that way inclined I would avoid any in depth discussions around firewalls, routers and the like. Aim for some of the higher level architectural guidance around network security to just gain a high level understanding.

    Understanding how stuff works will only hold you back further on in your career anyway.

    samuri
    Free Member

    And if you want guidance on a course that will teach you high level aspects of IS management, then I would look at CISM rather than CISSP.

    FuzzyWuzzy
    Full Member

    CISM and CISSP are good starting points (CISSP itself being a requirement in a lot of roles). After that it’s whether you need/want to stay high-level (in which case do more on the risk and auditing side of things) or get more technical (in which case focus on the technical areas that are relevant to you).

    PaulGillespie
    Free Member

    Have a look at the Security+ certification. It’s at a fairly high level and pretty easy/quick to get. Not all of it will be relevant but some will and it will get you in the right mindset.

    elzorillo
    Free Member

I worked as a CCSA (Check Point) a LONG long time ago.. Thoroughly outdated I’d guess now. Enjoyed it though.

    Rio
    Full Member

    On the original topic (books on the subject) a good one to start with would be “Secrets and Lies” by Bruce Schneier – a bit old now but still IMHO one of the best books for people who want to understand a bit of “why” as well as “how”. If you want to get a bit heavier then “Security Engineering” by Ross Anderson is a bit of a classic. And if you want to understand why and how a lot of people got it wrong try “The New School of Information Security” by Shostack and Stewart.

    I’d steer well away from all of the “qualifications” until you understand a bit more about what you’re doing – they won’t teach you anything useful, they’re primarily for your CV.

    mogrim
    Full Member

    Coursera has a few (free) courses that would probably be of interest, not done any of them but the courses I have done have all been excellent:

    https://www.coursera.org/course/comnetworks

    https://www.coursera.org/course/inforisk

    https://www.coursera.org/course/inforiskman

    Warning: they’re usually hard work if you actually do the weekly exercises.

    officialtob
    Free Member

    Thanks so much for all the responses – sorry I haven’t replied, I went away last night, and only just had a chance to login for my daily STW fix! 🙂

Basically, I won’t lie – I ‘fell’ into the role about 18 months ago. I’ve been at the company I work for for 7 years, and our IT Director was heavily involved in implementing our ISO27001 certification, and the maintaining of it was too much for him to do as well as his actual IT Director role. So I had just finished a major project I was working on in another department, and then I began to help with the ‘maintenance’ of our ISO27001 certificate and keeping all the other security related policies and controls up to date. So I’m very much on the ‘governance’ side of information security – e.g. I’ve got a good knowledge of the ISO27001 standard (passed a Lead Auditor exam with BSI in July 🙂 ); however, my knowledge is VERY much lacking in the technical nitty gritty.

As my role has developed, I now manage our ISO 27001 certification, and deal with all the audits etc – so I really need to get some general network infrastructure knowledge embedded into my brain if I’m going to be able to progress my career.

    My money’s on public sector.

    ^ I wish haha, give me 30-odd holidays anytime!!

    At least you can take comfort from the fact that they don’t see IS as a risk in your company

    ^ We have an in-house Certified Ethical Hacker, conduct external pen tests on all our systems every 6 months, and hold over a Billion records in total…believe me, IS is one of our most-considered risks!

I’m going to look into the CISM course I think, because like someone mentioned above, it’s slightly higher level which will suit me more. Also, great suggestion about the CISSP revision notes, looks like I’m going to have some reading over Xmas!

    purpleyeti
    Free Member

If you are going to big up your in-house tester you should make sure they have a better skill set than the ability to gain CEH; it’s a multiple-choice exam aimed at school leavers.

    pb2
    Full Member

    For my sins I run a security software company and in the course of a year I get to meet all sorts, from uber geeks, bluffers (the IT game has its fair share and then some) through to all different levels of management and I can only concur with some of the other posters.

Don’t try and get too techy; sure, you will need to learn the techy basics and become buzzword compliant, but focus on the challenges and risks to your business. I find a simple way to get up to speed on unknown subjects is to ask lots of “what if” questions; in your case they should allow you to identify and prioritise the biggest areas of risk to your business. Keep it simple and business focussed and you won’t go far wrong.
