Personally, I would really like to steer my training towards Security. I like the idea of being able to secure a network so that any would be "hacker" would think twice before attempting to compromise any network I support. But this leaves my head spinning because in my mind I think that you would need to know an operating system/network inside out in order to know it's weakness. If this is the case then I would think security to be a long, long, road. Especially with M$ products being released every few years.
So how exactly does someone become proficient in security? Is it being a "hacker"? Knowing how to "break stuff"? Is it really having to know every detail of an operating system? Many more questions could be asked, but this is what I have so far :shock:
When you get into security, you are getting into a whole array of activities.
You are trying to protect the resources of an organization using various techniques to prevent the disruption via situations or attacks from both outside and inside.
You are right, it is a long road and people proficient in security get paid very well. Most security professionals are not "hackers", even in the positive sense. You do need to have some knowledge of the OS's involved in your organizations. But that is just a small part of it. You have to deal with physical security, organizational security and and management procedures and policies.
One of the bests ways to get an idea on what is involved is to read any of the basic security books at the bookstore. This will give you a fair idea on what is involved.
It is a long road and constantly changing. I believe that you have to have a little hacker in you to catch a hacker. Security for networks falls into many areas from perimiter security to the security within progams. Physical security can run from how you enter a building, room, or a computer and also how you can access and enter a networking infrastructure. There are security classes you can take the CISSP bootcamp was very helpful for me and enjoyed the class.
Read my post "An introduction to security" in the Security and Firewalls forum.
Secondly, there are two types of security professionals you have.. the first one is employed with an organisation and tasked with making sure that their networks and information systems are secure. This will involve not just the technical side of things but will involve writing managerial policies that relate to security.
For example in the software company where I work, they haev very strict rules and procedures governing who can carry CD's / Floppies into the office.. and all computers have serial ports disabled.. etc etc. to prevent theft of source code.
The second type of security job you could have is where you work for a security company.. perhaps the company makes security products.. such as eeye (
) or maybe they perform security audits for other corporations.
While you don't need to be a cracker (please don't use hacker, thats a media term) to catch a cracker, you have to know how they work, and the tools they use. Thus you do have to know how a box gets cracked to secure a box.
Let me know what you'd be interested in and I can give you a few pointers on how to go about getting there.
Btw, yes you do need to understand Operating Systems and Networks thoroughly, anyone who tells you otherwise is wrong. Depending on what level you aim to achieve, you really should have a programming language -- C/C++ or at least Perl behind you.