Much of IT revolves around information security. There are a ton of opportunities for Exchange administrators to learn more and gain skills for their current roles or to move into a dedicated security role. But how do you take things to the next level?
Should Exchange admins wait to get the necessary hands-on experience through trial and error? Or is it better to get certified or go back to school to get a degree in information security? Those are all worthy endeavors, especially the hands-on experience. However, you don't have to invest that much time or go to that much effort to become more knowledgeable in information security.
1. Read books, articles and blog posts. The following are great information security resources:
- DarkReading -- This cybersecurity news site for security professionals consists of 10 communities, including risk management and compliance and cloud security.
- Infosec Island -- An online community, information security portal and social network for IT security professionals.
- Krebs on Security -- This blog, run by former Washington Post reporter Brian Krebs, focuses on cybercrime and Internet security.
- SearchSecurity.com -- TechTarget's portal for security news, expert tips, podcasts and certification training resources.
You don't necessarily need to go out and get your Certified Information Systems Security Professional (CISSP) certification; however, there are some study guides and test prep resources that cover the essentials of information security, such as CISSP For Dummies and the well-liked books and videos from the late Shon Harris. Another great way to grow your information security knowledge is to listen to podcasts and audiobooks while in your car, on the train or at the gym. That's hundreds, if not thousands, of hours a year you can dedicate to learning about security.
2. Watch YouTube videos. Simply search for terms such as "information security" and "IT compliance" for a bevy of video options.
3. Attend seminars and conferences. The following are some well-known shows that might be of interest:
- ISSA chapter meetings -- ISSA has chapters in Asia, Europe, Latin America, North America, the South Pacific and the Middle East.
- RSA Conference -- RSA conferences are held around the globe to help security professionals stay ahead of cyberthreats.
- SecureWorld Expo -- SecureWorld cybersecurity conferences are held throughout the U.S.
- Security BSides -- BSides are community-driven frameworks created for and by information security community members.
- TechTarget events -- TechTarget security events in the U.S., Canada and Europe bring together information security experts, colleagues and vendors.
4. Set up a test environment. Using the free VMware Player or VirtualBox virtual machine (VM) environments, you can set up your own network environment to poke and prod and see what flaws you can uncover and exploit. There are plenty of free and trial products such as the following to get you started:
- Acunetix Web Vulnerability Scanner -- Software for securing and maintaining websites and Web applications against hackers.
- Essential NetTools -- A set of network scanning, security and administrator tools to diagnose networks and monitor a computer's network connection.
- GFI LanGuard -- A network vulnerability scanner and patch management software.
- Kali Linux -- Live Linux DVD and VM for penetration testing and vulnerability scanning.
- Metasploit Community or Framework -- Metasploit's community edition is a free, Web-based user interface for network discovery, module browsing and manual exploitation; the framework edition is a free, command-line interface for third-party import and manual exploitation and brute forcing.
- NetScanTools -- Available in free and paid editions, NetScanTools is for professionals working in network engineering, security, administration or training.
- Nexpose Community Edition -- A free, single-user vulnerability scanner.
- OWASP Zed Attack Proxy -- An open source Web application security scanner.
- Windows Sysinternals -- A set of utilities for managing, diagnosing, troubleshooting and monitoring Windows environments.
There are also numerous tools such as McAfee/Foundstone SASS Hacme Bank and OWASP WebGoat that you can set up in your environment and learn from. Additional security tools can be found on the SecTools.org Top 125 Network Security Tools list.
A large part of what defines your success in IT comes from what you know -- specifically, knowing a lot about a lot. The more you know about information security, the better off you and your employer and clients will be.