(I am not sure if this is most appropriate place to post this silly(?) question, please bear with me.)

If someone wants to pursue a career in Internet/Network Security (tiger team), what fields should he/she concentrate on?

Is it absolutely essential for him/her to have detailed knowledge of Cisco stuff (like the Cisco IOS)?

Thanks.

There was a show called "Tiger Team" that only had two episodes. They had people who specialize in various areas. Someone who was good social engineering people, someone who was an expert in physical security devices, and someone who was an expert at technical hacking.

A lot of businesses don't have as secure of a network infrastructure as they probably should. Also, security researchers are targeting Cisco equipment such as routers more now by developing exploits to run arbitrary code, and creating proof of concept rootkits for IOS. So I would think it's going to become more important over time, and being familiar with Cisco would help if you want to become a technical hacker.

I wouldn't narrow it down to just Cisco gear though, you should have general knowledge of Networking fundamentals, along with OS knowledge. There are certification tracks like Security+, Network+ and so on you can take.

Also you should keep up with security vulnerabilities and exploits. Good security practices and learn the other many ways people gain access to environments outside of computers as well. Security isn't limited to just computers.

Maybe he should buy a gun... .

Nah, that just gives the other people a reason to shoot back!

?

I'm just kidding,gripmaster.

First off, security is not nearly as glamorous as it appears in hacker movies and security vulnerability mailing lists. A whole lot of it is about boring audits, controls, and processes. You have to be extremely detail-oriented and process-driven to work in the security field, just a warning...

From a practical standpoint, research the Common Body of Knowledge. It's used for the CISSP certification. There are tons of books and websites that have study material. Note that I'm not necessarily recommending you try to achieve the certification, but the study material for it is very useful. It covers things like business continuity planning, incident response, physical security, cryptography, etc... Note that the most important things you'll learn about security are the processes and methodologies. Being able to configure a firewall is great, but being able to quantify in dollar value what a particular firewall is worth to your company is even better.

Take some time to study programming/software development security practices. It's important to know what sort of things to keep in mind when developing software and how to be security-conscious. If you don't understand how applications become vulnerable, you won't be able to understand how attackers are exploiting them. One of the biggest things you'll learn in that process is to write human-readable code with plenty of documentation. Most security vulnerabilities occur when technology is poorly understood, or misinterpreted. The more/better you document things, the less chance for error.

There are so many different security applications, and the market is changing so quickly, that there isn't really any point in learning any one product or area right now. Just concentrate on the principles and you'll be able to pickup the specifics as you go along.

Oh yeah, and the #1 thing to understand: The "most secure" thing is almost never the "right thing" to do from an employer's standpoint. Why? Because it prevents work from getting done, which prevents them from making money. You'll need to accept the fact that you often have to compromise on "ideal" security to get something that is acceptable to the business. There's no point in complaining about it, that will just get you labeled as a trouble-maker. Instead, try to understand what your company does to make money and think of ways that security can cooperate with that and make it easier as well as safer. Then you'll be a hero instead of an outcast.

Right but you need to actually be employed in the company to begin with in order to do any of that.

I know this all to well...There are a lot of things that I wish I could implement...but it just won't allow work to happen...

-C

If you want a career in Internet/Network security, you must be an expert in these fields.
Here's an useful site for you:
http://www.penetration-testing.com/
The Open Source methodology knowledge is required in order to get a job at most companies.

This might be useful for you, it lists & describes a lot of different job specialisation areas in security:

http://www.networkintrusion.co.uk/Recjobs.htm

Really? A lot of the major corporations in the US could care less about Open Source Methodology. (Not saying you shouldn't, just saying that required isn't really true... )

Gonna have to agree with this one.

Not all all. The last 4 companies I've worked at have made extensive use of Open Source software, but none of them made source code available to the public and some of them spent quite a bit of time with lawyers making sure they could keep all their stuff secret.

Most companies don't give a damn about "Open Source methodology", they only care about "software that we don't have to pay huge license fees for", so they can in turn make higher profit margins when they turn around and sell it to someone else.

Even companies like IBM that seemingly "contribute" a lot to Open Source projects are only doing it out of greed: Investing a little bit in community projects is much cheaper than employing an army of employees to build the same thing. They can devote only a few employees to making just the changes they want, while the rest of the community maintains all the necessary, but very mundane features that IBM doesn't care that much about.

Don't buy into the gibberish that RMS spews. GNU isn't making any headway in the corporate world--free software is.