Getting Started in Information Security and Information Technology

Usual disclaimer, I am not a lawyer, and the following information should not be taken as such.

I have worked with computers and information technology since 1979, security since 1989, resumes can be found here:http://www.hawkenterprising.com

"How do I get started working in information security, especially penetration testing (pentest)?"

Whatever you do, even if you already did so by accident, do NOT walk up to a client and state "you have [xyz] vulnerabilities I found [such as a wide-open wifi access point], I can fix these issues for you if you'll pay me."

You could be sued and/or possibly arrested and convicted for violation of a number of laws. There are many areas that will arrest, convict, and incarcerate you just for scanning for open ports! Do not scan without prior written consent from a client.

Those warning aside, here is an attempt to answer the question.  Of course developing the critical knowledge, skills, and experience are the most important aspect, and really you just need to start out in your own home setting up your own test labs,

and then joining local 2600 and other information security gatherings in your area or online to learn from others, and practice, practice, practice. Read voraciously, and apply what you read, question and verify everything that you  can.

Once you have some idea of what you are doing, the next steps can happen by accident, through a friend or family referral to a company or various individuals asking you to clean up the viruses, etc. You may start

out as just a basic tech, but you  will be building a resume and references, getting some real world experience, and making a little money to help cover the important steps of getting more professional.

Getting to the better paying more professional clients can definitely be a tricky "chicken and the egg" issue that many folks,

especially in the information security industry, run into. I could spend hours talking to you about this topic, but I'll do what can to sum it up here.

If you are looking to work as an employee rather than an independent contractor, you can follow  the usual education, certifications, degrees, resumes, applications, interviews process.

If you are wanting to work as an independent contractor, there are several things you need to do to protect yourself and increase your opportunities, these are not exactly in order, I am  just using the numbers to help keep track of these steps.

1. Form an LLC.

2. Create business cards (Vistaprint.com and others can do a small batch for free/cheap) and create a business-centric website.

3. If possible get liability insurance (see Onforce.com reference later as one approach.)

4. Create boiler plate mutual NDA (Non-Disclosure Agreement) and limited liability contract, and statement of work (scope) documents (many available online).

5. Get some sort of security certification(s) and/or clearance - CISSSP is problematic without an employer, but the SANS.org GIAC.org certs are excellent for information security.

6. If you can afford a lawyer it always helps, but I managed to get by without ever using one (thankfully), and some of my clients were large multinational mega-corporations.

7. Use some key sites to get the word out and connect with prospective clients.

8. Develop and provide report templates

9. Red Book.

1. LLC

You can work as a sole proprietorship, but you and your assets become personally liable in the event of a lawsuit. Also a lot of companies won't contract with you unless you have an official business.

An LLC is the second-least expensive and easiest option (sole-proprieter is the cheapest/easiest), while giving you some protections of a corporation.

Different states have different restrictions on forming LLC's. Some allow a single member, others do not. I went with a Delaware single-member LLC, and then when I settled down in Washington state, setup an "alien" business license that was far less expensive than creating another LLC in Washington state.I highly recommend this if you can afford it, but I did not do this right away myself, I did sole-proprieter as an I-9 (I-8?) contractor and then once I was paid from that contract, used the money to form the LLC. (typically $200-$400).

2. Professional business cards

These are very important, and any prospective clients will automatically expect you to have them, and if you do not they will not take you seriously. Of course every serious business these days needs a website. I highly recommend _against_ using a personal site. Have a separate dedicated domain/site specifically offering your professional services.

3. Liability Insurance

This is more of an issue now than in the past. Though I was lucky enough to never get sued, and (foolishly) got by without any liability insurance, things are different now, and you definitely want to get some as soon as you can, even before forming the LLC, especially since you are so vulnerable as a sole-proprietor.

Once you are starting to make some money, you will want to get some liability insurance as soon as you can, at least $1,000,000.00 when you can afford it (less is better than none, but make it a goal over time to work up to that).

4.Non-disclosure Agreement (NDA)

There are boiler plate contracts available online that you could grab and then edit to insert your (or your company) name. NDA's are very standard for companies. Mutual NDA's state that neither you nor client with divulge the details, trade secrets, vulnerabilities, etc. about the other. Some are more strict and won't allow you to even mention the client's name for a set period of time (typically 1-5 years). be careful about these, because you need to build up a resume, references, and client list. Agree to mutual NDA's, but be wary about those that do not let you at least mention the company name, and roughly the services provided (without detailing any flaws they had).

Liability documents attempt to limit your liability by making the client sign a document giving you permissions to perform pentests and the like, and informing them that though the risks are minimal, sometimes systems can crash during testing, or data even be lost, and most importantly that they are giving you permission to perform the work, which then points to the SOW/Scope document.

The State Of Work (SOW) aka Scope document is probably one of the most important, and yet so often overlooked documents you can have. Without it, you can be sued for not doing the work client expected of you, or at the very least (and most commonly) get into dreaded never-ending "Scope creep", where the client keeps insisting you have not finished the work, and "oh, one more thing you can do while you are here" will eat you alive, especially if you quoted a flat rate rather than hourly, and/or they will argue about how much to pay you, and you will likely eat some hours of work to try to keep the customer happy.

The scope/SOW document details exactly what you will be doing (from a high level down), and what really is the finish line. This can be as simple as a one page document with a bullet list (be careful about these), or a few pages. Some can go into great detail for the more nit picky or larger clients. Lots of people and companies work without details scope documents, but they almost always end up in scope creep and other contention. I have saved myself a LOT of grief with moderately detailed scope documents. This document is also signed by both you and the project manager, it is not a one-sided document. It can be changed, but then it needs to be re-signed at the new scope. This also helps you better estimate the hours you will take, and thus your quote.

I cannot emphasize enough how important a scope/sow document is to CYA and do the work more effectively, while making clients happier in the long run.

5. Certifications & Clearances

You can get away with not having a security certification and/or clearance with very small companies and individuals, and often you have no choice but to start there. Most of the worthwhile certs require some working background, and often a current employer to sponsor you for various certs and clearances, thus putting you once again into a chicken and the egg dilemma. Though CISSSP-based certs are more broadly known by those less knowledgeable about security, there are other options available through the SANS.org Institute's GIAC.org security certifications. I highly recommend you check them out. As an independent contractor you are going to have a problem getting higher security clearances both because of the prohibitive costs, and the way the rules and bureaucracy are setup. The higher your clearance, the potentially more opportunities you will be able to accept, and potentially more lucrative pay (though I managed to get by without a clearance and still average $120/hr USD and as much as $250/hr after expenses).  If you ever want higher security clearances, you are going to have to either work as employee, or a long term contractor for a large company or government agency that is willing to sponsor you. Just so you are aware, when you see listings requiring clearances, this is becoming increasingly common as a requirement. Starting out however, don't worry about the clearances that can optionally come over time.

6. Lawyer

Having a lawyer help create the boiler plate documents, and to be kept on retainer in case of issues, is always a nice safety net, but as long as you are following the steps I've outlined, should be like a bullet proof vest, you have it hoping you never actually use it. You can generally get by without one initially, if you have your documents in order, and better yet if you have some some liability coverage (don't forget that often renters/home-owners insurance can sometimes have some liability insurance included that _might_ included professional liability protections in a pinch). If you can afford a lawyer, do so, but in the early stages this is generally not an option, and you just have to do the best you can to communicate with the clients clearly, and work very ethically (of course) to reduce your risks - though sometimes you will just get situations or clients that are unreasonable, and those can be scary moments. I'm glad to say I never had to resort to such protections, but in the early years before I improved my scope document requirements, I had to sometimes eat some of my hours because of difficult clients, but it was better than a lawsuit.

7. Marketing

Besides the most valuable word-of-mouth referrals, you want to get a decent cyber-presence on the web, especially in areas you hope to be working if you are not (yet) going to be a jet-set travelling contractor (or even if you are). So certainly setup a site with documents mentioning your local areas, etc.

There are many sites that can help you find contract (or permanent) work, but I'll list just 3 very useful ones that I've used over the years.

* Dice.com is the best tech-related job-posting board I've used. Definitely get your profile and resume up there, and setup regular searches for the type of work you want.

* Linkedin.com is basically a Facebook-style social network site for professionals. Setup a profile there and get other professional to link to you, and get any kind of references from them that you can (try to get at least 3).

* Onforce.com is a technology work hub. It links prospective clients with available contractors. Definitely get signed up with them. Also, they have options for certifications (free or cheap), and offer affordable liability insurance. They also do a fair job of walking you through all the hoops you need to work more effectively. Even if you don't have an LLC, they can provide some help and protections, so I highly recommend you check them out. They make money by taking a percentage and charging some fees when you get work, but you don't pay a dime to get listed. I am not a huge fan of Onforce for various reasons (as I've written about in earlier articles), but it can be a good starting point for many.

8. Reports

Report templates are documents you keep for yourself, and provide a version to give to the clients detailing the work you did, and what was discovered. The more professional and organized the layout the better. Most clients won't actually read all the details, but they will feel more comfortable physically having such a report. It is also critical in case you provide services for them years later, or someone else wishes to, then you or they can read through the reports as a good baseline, potentially saving hours, days, weeks, or even months of repeated work. You want three copies of these reports. 1. for you (the most detailed, with notes and comments you don't want the client to see - for example troublesome employees, etc.), 2. for the client and future contracts that has a lot of detail (minus the little comments in 1.) but in more verbose language to help explain things to the client (especially they WHY it is important), and 3 for the Red Book, with information that can be quickly gleaned without wading through 50 pages of report, and meant to be read by fellow-techies.

9.The Red Book

Finally, the infamous "Red Book". This is a folder that the client (and your keep a copy as well) has on site, with all the configuration information, reports, etc. Anytime someone does some work or changes, it should be logged into the red book. Most smaller clients do not have one in place, so you will want to provide it for them. Literally provide something like a large (3"+ thick), red, three-ring binder at the end of the contract to include your reports in. This should be kept under lock and key. It would have sysadmin passwords, IP configurations, etc.

Again, this is not all-inclusive, but hopefully provides some ideas to help people get a handle on the areas to start.

Good luck!