Thoughts of a Security Consultant

For my first post here I wanted to discuss what I believe is missing in most of the student/consultants I encounter and what  I would recommend to someone preparing to be a consultant in IT security. So, the first and most important thing to learn in my opinion is TCP/IP. You need to know it as well as you do the alphabet. The majority of people I meet in the University world and out in industry do not have a detailed and thorough knowledge of TCP/IP. For a security consultant it is best that you can look at the packets and know exactly what is taking place at the lowest level the wire. Elite hackers know TCP/IP as well as they can write their name. To be able to secure the environment and the enterprise it is imperative you know it like they do.

Take wireless for example, many people will start playing with Wireshark to observe the traffic over the wireless card, as most of you can attest to when you first use Wireshark with a wireless card you start a capture, and you  see NOTHING, because you are at the application layer, and do not have a good understanding of the lower layers, and also do not understand that you need to be in monitor mode to capture traffic for the most part, and you are connected to the network, and cannot sniff the wireless traffic, so as you read the alert message that tells you to check the selection for promiscuous mode, and then you deselect it, and what do you see?  You see the 802.3 Ethernet traffic and not the 802.11 traffic you were expecting. Taking it one step further you need an understanding of the PHY layer before you start looking at a tools that analyze it for you.

The second most important thing is to learn Linux and Unix. Also, do not stop at Linux, download one of the Unix virtual machines and play with it until you get proficient at it.

A note on certifications, they are good for getting you an interview, but once you get that interview you have to convince the people there that you know what you are doing. There is no certification that can replace hands-on experience and knowledge, you can get that on your own by using virtual machines and building and running your own test labs. The concern over certifications is most are based on rote memorization, it is the same problem we have in academic circles (more on that in a moment).  The problem with this is when you study and cram for a certification exam you memorize something take a test, and then you get certified, but what does this really mean? In my view it means you studied and took a test, and   be honest, some of these classes cram all of the information into your brain in 4-5 days, and if the class does not provide a study guide, or something similar to practice the types of questions you  may encounter you would not see 90% and above exam success rates touted by so many sites. Now, we shall discuss academic thinking, most of the “academics” without industry experience do not understand what I have been talking about either. I was on a team that developed a Master of Science in Information Security, and I was the only non-academic on the team, the entire group was made up of all PhDs but me, and as we discussed the curriculum I focused on teaching the students protocol analysis …  that is packets! Well this shocked pretty much all of the team, but I argued my point in many of the meetings, and finally swayed enough support where we had packet and protocol analysis as part of the curriculum

The most important thing I look for when hiring someone when I was running the Network Operations Center (NOC) is desire and initiative to learn. I would interview people with a list of certification as long as their arm, and when I asked them practical questions, they could not answer them, so they did not get the job. This is because I had junior personnel who could answer the questions, so how could I give someone a position over one of them at about 5 times the amount of pay they were getting. I could not justify it, and never did waiver on that. If  a person has desire that is the most important thing.  I had a guy come in fresh out of bootcamp that did not even know what UNIX was, and in 6 months he became my UNIX expert.

Another thing that helps is understanding programming, you do not have to be proficient at it, but being able to look at code and at least understand the fundamental concepts of it is very important in this field.

Finally, it is all about research, I learned to do research in Graduate school, I had a Professor Frank Coyle that specializes in using JAVA for real time systems, and he was instrumental in teaching me how to do research. Today with the amount of online information you can  research  in a few hours with the Internet. When I was in graduate school, I spent weeks doing research at libraries, take advantage of this opportunity we have today. Recommend you dedicate one hour a night to reading something, a whitepaper etc. There is a saying in the consultant field that as long as you can read the manual and understand it faster than the client you will always get the contract. That is why research is so important.

As I like to tell my clients, up until 2006 my certification count was 0, and now it is at more than 20, so it is not about getting a certification, it is what you do before and after you get that cert.


4 thoughts on “Thoughts of a Security Consultant

  1. very interesting article, love it!
    TCP/IP, Linux/Unix, attitud to learn, some programming, Research.
    4 of 5, missing Linux/Unix knowledge. would like to research on virtual machines, any ideas?

    1. Hi,

      There is a very good resource from Microsoft on TCP/IP. I also like the books from the late Richard Stevens, TCP/IP Illustrated. It is hard to identiy which Certification is better, because it depends on the perspective. I did write an advanced penetration course for EC council and it is 100% hands-on, you can find more out here

      I also wrote a book and published it in June on penetration testing, you can find out more here

      Finally, I do have what I call a Core Security Skills course that teaches what I discuss is missing here.

      The best way to learn is to build a lab and practice, the book can help with that.

      Good luck to you. Let me know if you have any more questions.

      Kevin Cardwell

Leave a Reply

Your email address will not be published. Required fields are marked *