

From newbie to expert in encryption and network security, where to start?
August 29, 2011 7:02 AM

If I wanted banks or companies like LastPass to hire me to be on their security team to make systems safer and to block out hackers, what websites/books/resources should I dive into to go from n00b to pr0??

I'm interested in how banks and these password managing software keep things safe, whether it's through encryption or dual passwords or offline security devices or other things I don't know about.

I have some programming experience but know very little about stuff like encryption, network security, etc. So what should I be looking into?
 
posted by querty to Computers & Internet (7 answers total) 10 users marked this as a favorite
 
There's a lot to learn, but a good start would be to regularly read Bruce Schneier and Light Blue Touchpaper
posted by BinaryApe at 7:12 AM on August 29, 2011


First off, don't use terms like N00b and pr0, I wouldn't hire someone who talked or typed like that...

Look into your CISSP certification... it's the de facto certification for computer security folks. If you want to get into encryption, it's a math heavy field. Take a Cryptography class at a college, you'll learn the theory and math behind it, then you can apply it easily in programming.
posted by fozzie33 at 7:19 AM on August 29, 2011


CISSP or progressively more responsible work experience that demonstrates expertise.
posted by rhizome at 8:44 AM on August 29, 2011 [1 favorite]


There are three distinct paths here.

Path 1: The Information Systems guy, with the CISSP certification, who is hired by the bank. Probably doesn't spend much time writing code, but applies best practices using off-the-shelf products to build complex network systems. Cryptography is one tool in the toolbox, but there are many more aspects to security.

Path 2: A programmer who knows how to use cryptography as a tool. You don't need to understand the algorithms, but you need to know their properties, and you need to know the basics of security.

Path 3: Cryptographer. First step: Get a degree in Computer Science or Mathematics.

For the first two, try MIT's open courseware Network and Computer Security course syllabus as a roadmap. Applied Cryptography is the standard book for learning cryptography, but cryptography is only one aspect of security.
posted by qxntpqbbbqxl at 8:48 AM on August 29, 2011 [1 favorite]


For CISSP, you can take the test, then get the certification if you get the work experience in X number of years...
posted by fozzie33 at 9:15 AM on August 29, 2011


It's not a field you start out in. It's more like a field you grow into. You are going to be required to get your CISSP for sure, but I'd start by getting a CCNA, then a CCNP, and after 5-10 years as a solid network engineer, go into security.
posted by roboton666 at 3:22 PM on August 29, 2011


The important thing about security is that, unlike most of IT, you never really know if you're doing a good job. If you're not getting hacked, it might mean you have perfect security...or it might mean you aren't an interesting target, or that you've already been hacked and you don't know about it.

Unfortunately, that means the field is full of a lot of self-proclaimed "experts" selling snake oil. I've seen speakers get up in front of audiences and give presentations with major factual errors, and "certified" encryption software with glaring security bugs.

There are a lot of people in security (both competent and incompetent) who built their careers by first having a position of trust -- lots of ex-military people, or distinguished executives, etc. The theory is that people with that kind of background wouldn't lie to a client about how secure their system is.

So you need to get a CISSP, and (if you're going the more professional route) a BS or MS in computer science specializing in security. But you ALSO need something that tells employers, "Hey, you can trust me." It's inherently a reputation-based field, and probably always will be.

Re Schneier: I like Applied Cryptography but you should be aware that it has some serious factual errors. I typically turn to Handbook of Applied Cryptography first, which is also nice because it's free online. I learned 99% of everything I know about security from a handful of grad school classes though, none of which had textbooks -- I'm not sure there's any way to avoid formal education.
posted by miyabo at 10:25 AM on August 30, 2011 [3 favorites]

