And thus googling for that led me here. And I’m using IE10 on Win7 x86 now. By the way this is the first time I am encountering wpad.localdomain and I think Windows Media Center is the culprit – it’s the only Microsoft program I’m running at the moment (of course, the background processes are another story).

I am currently in an Information Security bachelor’s program and I have no idea what direction to take. Honestly, I just want to get into the industry once I graduate to get the ball rolling.

I saw in your comments you said certs are not necessarily tantamount to job acquisition since this article was written. This was my interpretation of it, at least, not trying to put words into your mouth.

What type of job do you recommend looking for upon graduation in about another year? I know that’s a broad question, but could you steer me in a particular direction with a B.S. in IS with no certs?

Thank you!

Just to follow up on my last comment. The drift I get from you is that one is better off diversifying than specializing.
The options I have are getting certification for my skills in Hardware and networking viz A+ and N+and some Oracle Certification courses ie.
Linux, Java, MySQL,Database or alternatively acquire Microsoft Certified courses i.e.

Microsoft Certified Professional (MCP)
Microsoft Certified Technology Specialist (MCTS)
Microsoft Certified IT Professional (MCITP)
Enterprise Administrator
Server Administrator
Database Administrator

Please advice .

My background is a Diploma in IT, currently studying for my undergraduate degree in IT. Most of the jobs that I have so far done involve hardware maintenance, software installation and elementary network administration. I need a challenge , unfortunately I have been unable to come by any please advice, as I feel underutilized.

I know of very few people in infosec with advanced degrees at all; many don’t even have a bachelor’s. Experience is regarded as far more important than education, since the security landscape changes so quickly that education and certifications become rapidly obsolete. If you really want to get into penetration testing and security consulting, you can probably get into that now with one of the major firms (since they’re accustomed to hiring recent college grads and training them), and then leverage that work experience into a more interesting boutique consultancy in a few years. An MSCS could be very useful if you want to go into reverse engineering, malware analysis, or exploit development, though.

As a a manager hiring technical security experts, I admit I don’t even consider an advanced degree as relevant — it’s pretty much ignored in the hiring process. An MSIA may be useful to you 10 years down the line when going for a security management job, but it’s not going to do a lot right now.

Yea, At first I was shocked that a member of an ops team would fall for the ole phishing trick but my infosec eng told me a story today where the city of Seattle was granting admin privileges to people whomhad no business having such access. Sad how common it is.

As for getting the passwords being impossible, while you’re right that they’re stored hashed, a good dictionary attack can often get 30+ of a password file, and that’s feasible even against salted, syskeyed hashes. With today’s GPU-based hash-cracking, 24 hours work can get you another 50%, though a salted hash like AD uses dramatically increases this time. And usually you don’t need the password at all in a Windows environment, due to pass-the-hash attacks and such. Passwords themselves are low-entropy, and it’s hard to get around this problem.

The skeptic in me says this is a cover up for something even more embarrassing.

Thanks!

Joel

However, due to the near-total lack of security programs in colleges, it’s hard to move directly into security from college. Learn the security field you want to go into, and take a job in development or operations as a appropriate to get some experience before moving into security. Being able to demonstrate competence and knowledge is more important than having some specific degree.

Sarang, I’d agree that some of the advanced SANS GIAC certifications are pretty good. As a security professional, one of them would certainly be helpful for moving into a new field — e.g. if you were a forensic analyst who wanted to move into application security or penetration testing. I’m less convinced of the utility of the others you mention; around where I work, at least, CEH is totally disregarded (it’s a nonentity on a resume), and a CISM is very seldom going to be a deciding factor for a security management role — by the time one’s at a technical manager career stage, certifications have less importance than experience. I can’t speak to ECSA as I’m not very familiar with it and don’t know anyone who has one.

CISSP isn’t vendor-oriented, but it’s quite easy and can be acquired with no experience studying from one textbook. It would probably take a very broad experience base to pass it without studying, true (I mean, whose work experience includes application & network security, cryptography, GSM radio, bollard placement, and fire suppression systems?), but no one passes it that way and the ISC2 CBK is small enough to learn from a textbook. This does make it largely a “paper cert” which has devalued it in the industry, but it’s still required to get past the HR gatekeepers in many organizations.

Breadth is certainly valued in the security world; I agree that starting in application security and picking up networking and operations can be lucrative.