January 27, 2011

Land the Perfect Linux Job with Security Smarts


Looking for a Linux system administration job? Many employers are looking for admins with Linux skills, but plenty of people are vying for those jobs. If you want to stand out from the crowd, you'll need to make sure you have the security skills that employers are looking for above and beyond Linux administration experience.

According to Dice, information security is "the job of every technology professional." Dice has seen more than 1,600 job postings (up 109% this year) specifically mentioning information security. What does that mean to you, as a job seeker?

Certified Information Systems Security Professional

One of the key qualifiers that employers are looking for is the Certified Information Systems Security Professional (CISSP) certification. Some certifications carry very little weight, but the CISSP has a strong pedigree and requires some significant knowledge and experience to obtain. The cert comes from the International Information Systems Security Certification Consortium (ISC)2, a not-for-profit organization that provides a vendor-neutral program to define standards adopted worldwide for information security.

Qualifying for the CISSP isn't trivial. The (ISC)2 is looking for candidates with five years of experience, at a minimum. If you're just getting your foot in the door to the admin business, you're going to need to have some real-world experience before you can qualify for the CISSP, no matter what else you might know. If you're still junior, the (ISC)2 does have a Associate program to get started. The group will also accept an "advanced degree" in information security, so if you've specialized in information security you may be able to bypass the five year requirement.

In addition to that, you have a few other steps to qualify for the CISSP. It requires passing the CISSP exam with a score of 700 or better, commit to the (ISC)2 Code of Ethics, and have an endorsement from another (ISC)2 certified professional. Some candidates will also be audited on their professional experience, so while it's a bad idea to pad your resume — it's a really bad idea to pad experience for the (ISC)2.

What kind of security knowledge is the organization looking for? The (ISC)2 defines 10 domains, ranging from access control to telecommunications and network security. If the list of 10 sounds scary, breathe easier — they're only looking for candidates to have experience and knowledge in two of the 10. If you're familiar with access control and operations security, you don't need to have experience in cryptography or legal compliance (or vice-versa).

To sum up — you're probably not going to sail through the CISSP by next week for that crucial job interview. But if you're serious about a career in Linux administration, this is something to put on your long-term plan.

Linux Specific Knowledge

CISSP is vendor-neutral, and therefore platform agnostic. But that doesn't mean that Linux admins don't need to have some domain-specific experience at hand to qualify for the good jobs.

Every Linux admin, if not every Linux user, should have a basic handle on Linux's permission system, access control, extended file permissions, how to set up a firewall, etc.

Luckily, there are two Linux-specific certifications that admins can study for (and take) to show their Linux security credentials. The Linux Professional Institute has a vendor neutral set of Linux certifications under the LPIC exam series, including the LPIC-3 303 Security cert. This cert looks for experience with Cryptography (OpenSSL, GPG, encrypted filesystems), access control, SELinux, other Mandatory Access Control (MAC) including AppArmor, and application specific security knowledge. For example, candidates should know how to lock down Apache, FTP, and have experience setting up secure installs of Postfix or Sendmail.

The exam also looks at network security scanning, network monitoring, intrusion detection, and OpenVPN.

Red Hat also offers a security specific certification, the Red Hat Certified Security Specialist (RHCSS). To qualify for the RHCSS, candidates have to pass three exams: Red Hat Enterprise Security, network services (EX333); Enterprise directory services and authentication (EX423); and SELinux Policy Administration (EX429). This will be much more in-depth (and costly) than the LPIC cert, but also more likely to pique the attention of employers. Again, if you're serious about a career in Linux administration, this should be on your radar.

Even if you don't opt to go the certification route, skimming the (ISC)2, RHCSS and LPIC exam objectives will give you an idea of what you should know if you're applying for admin jobs with a security bent. With the right security skills, you'll be well ahead of the pack.

Click Here!