* "Thank You" letter for your Friday enjoyment

Thanks to my son who send me this "jewel" of a "Thank You" letter. I feel that I need to share it with you for a good Friday laugh. He interviwed the guy for a LAN Admin position. On the question what's the difference between the HUB and the SWITCH. He answered: "Hub is just a hub, and the switch it's like a car with a green and red light..." Well, below is a copy of his "Thank You" letter receved just next day over e-mail. I did not correct anything... Njoy! :-)


Dear Mr. YYYYY,

It was very enjoyable to speak with you and your team about the LAN Administrator position at Department of Labor. I think I was too nervous for some technical questions that you and you team asked me such as: how can you joint your server to the domain? The answer should be: go to command prompt then type: DCPROMO then server name. Another question you asked me what if user are not able to see your server? The correct answer should be at the logging window right click on the check box below your user ID change it to the correct server. Then what is the maximum speed of the switch? The correct answer should be 1000 Mbps. I know I get lost this morning from place to place. However, I know that I should have done a better job than what I did this morning. I also know that I am out of your consider about the job you want to hire that's fine with me. I just want to tell you that my brain was shut down this morning (I need a cup of café in the morning) those questions are within my knowledge, and I did do it well. If I have another change I would have done a lot better job.
I appreciate the time you took to interview me; I am very interested in working for you and looking for ward to hearing from you about the second Interview.

Sincerely Yours,
YYYYYY YYYY

Entering the IT Security field

I have answered some career-related question in another blog @teachrepublic.com, and I feel that it's a good info to mirror into this blog, as well.

Common mistake
Being in the IT field for more than 15 years and teaching folks since 1993, I know quite a bit about the IT, and particularly about IT security. I began my journey in that field by taking the responsibility for managing one firewall. It was a good start. It gave me a lot of exposure to the IT security, forced me to read about various protocols in depth, concepts, and it forced me to learn UNIX. The common mistake is to start the career by taking the certification classes or exams. The concept "certification" is about certifying the skills you already have. So, my suggestion (if you really want to be a high-level professional), start with hands-on experience. If you want to know more about certifications, read my article published in 2002 that (some people believe) still has some value:http://www.rtek2000.com/Good/Why_we_have_to_fight_with_hypes.pdf
Find the way to get some exposure to the security appliances (firewalls, proxy servers, content filters, IDS), software (basically the same but software-based), tools (scanners, packet capturing/analyzing, sniffers, etc), and as a “must” read the literature and security-related articles that will expand your horizon. Be a volunteer, find a mentor, or at least build a small network at home and play with the evaluation copies (or freeware) of various software utilities/programs/firewalls. Learn how to harden the OS or web server, etc. Build a Linux server and workstation. Talk to your management and express your interest to get more exposure/responsibilities to IT security. Show it as a potential benefit to your organization.

Another suggestion is not taking the short-term training classes but rather buying the multimedia-based self-training software with live instructors that present the topics you want to learn. There are many benefits (like repeating, stopping, portability, rewinding, pausing, etc). Some of the vendors also offer online mentoring in addition to the software. All this works fine if you have enough self-discipline. If you follow the path that I suggest, the certifications will be achieved easier and will add the value to your hands-on experience. Don’t forget that in the security field the employers are looking for real-world experience. So, the abbreviation letters after your last name will be more powerful if you have something in your resume that highlights your hands-on skills. I would not suggest the CISSP certification at all at this stage of your career. The CISSP certification is valuable when you have substantial experience (5-7 years) in the information security field. It is mostly designed for the management (or at least, senior-level) security professionals. That certification can give you more opportunities to get better paying job but at the right time. If some of the folks disagree with me I would forward them to the article above where I describe the dentist who just got certified.

If you still seriously consider CISSP as one of your choices, at least you can get more information and links about it here: http://www.800-security.com/corporate.html (this site also has a comprehensive Index of free IT security resources).
Best of luck in your career!