Careers in Cyber

Does this sound familiar?  You keep seeing headlines about cyber security, about information security, usually when there’s been a loss of passwords or data, sometimes about large fines being levied on companies for poor practice. You’ve heard that there are lots of vacancies in the world of cyber and would like to look at a career in security. But you don’t know what choices there are, you don’t have good IT skills and you don’t know what skills you need.

This article will answer some (though probably not all) of your questions.

Before looking at what roles there are, let’s get the first big concern out of the way, shall we? Do you need to be an IT ninja to work in information security?  The answer is a resounding NO (though for some – not all – roles it helps). Read on to find out why…

Broadly speaking, cyber security is split into three main role groups:

  • governance, risk and compliance (GRC), which relates to policies, processes, and, in some cases, training. These roles include consultants, analysts, auditors and trainers
  • offensive security, also known as red teaming, with the aim of trying to get unauthorised access to systems. Roles in this group include ethical hackers (penetration testers), social engineers etc
  • defensive security, also known as blue teaming, with the aim of trying to stop those trying to get unauthorised access to systems. Roles in this group include digital forensics, incident response, Security Operations analysts etc

GRC roles

These roles typically require little to no technical skills, though an understanding of technology helps.

People in these roles will probably spend their time writing and reviewing policies and other documentation, carrying out audits to ensure the organisation is complying with policies and / or industry standards, working with other staff to help them understand and implement the policies. At a more senior level they also encompass consultancy, working with clients to help them understand and improve their security posture.

It’s likely that people in GRC roles will spend time looking at industry standards such as ISO 27001 and NIST, regulations such as GDPR and industry specific requirements such as PCI DSS.

In terms of training, people in this group will be more likely to develop and perhaps deliver general security training rather than specific courses for highly technical staff.

In terms of your own training, a good basis would be the BCS Certificate in Information Security Management Principles (CISMP), and if you’d like to add some technical knowledge, passing the CompTIA Net+ and Sec+ exams would be a really good grounding.  There are courses around data privacy which are becoming more common too. Ultimately you’d be aiming for something like the ISACA Certified Information Security Manager (CISM), (ISC)² Certified Information Systems Security Professional (CISSP) or EC-Council Certified Chief Information Security Officer (C|CISO) qualifications, but they require at least 5 years of practical experience as well as an exam pass.

Red Team (Offensive Security)

This is where many people think the really exciting part of security sits, being paid to test other companies’ defences and helping them improve their security. This is the realm of the ethical hacker, more properly called a penetration (pen) tester.

Pen testers are, by necessity, quite technical. Typically they’ll be able to write scripts and code in several different languages, including Bash and Python.  They’ll understand toolsets such as Metasploit, which is available for free on Kali Linux. (Incidentally, the bad guys will use pretty much the same toolsets for much of their work, and both groups will probably learn a lot about how to use them from YouTube!) They’ll also be able to write exploits, perhaps for use in Metasploit or elsewhere.  Oh, and they’d better understand network protocols and how firewalls work too.  Essentially, they need to know a lot about a lot of things in order to be very proficient, though it is possible to run a lot of these tools with very little knowledge.

There is a form of red teaming where people try to physically get access to premises and systems using social engineering techniques.  This typically involves carrying out research on the target company using OSINT techniques, before creating some kind of pretext (cover story) or getting in through open doors and windows.  The goal may be to try to access a data centre or other sensitive room in a building, or it may be to leave some kind of listening / communications device in a meeting room, or to see what documentation can be obtained. This is the sort of work that you may have seen in films like Sneakers, where teams of people are testing an organisation’s security capabilities. Skills needed for this type of role are more related to acting / improv, calmness under pressure and the ability to think quickly.  A good understanding of human psychology, empathy, body language and non-verbal communication is really helpful in this field.

Training for the red team can be very technical, or not technical at all. If technical, you probably need to look at something like CompTIA Net+ and Sec+ as a basic grounding, before then looking at something like the Offensive Security Certified Professional (OSCP) or CHECK Team Member (if in the UK). It’s worth saying that when it comes to the technical aspects, lots of practice with different packages, scripting languages and exploits is probably more beneficial than lots of certifications, though having at least one industry respected certification will be helpful.

It’s also worth noting that many red team members will have experience of operating as a blue team member (and vice versa), and the skills gained there will be useful for them in trying to defeat their opponents.

If you know the enemy and know yourself you need not fear the results of a hundred battles.
– Sun Tzu, The Art of War

If looking at the non-technical courses, then typically psychology and sociology are very useful. Experience of acting / talking to lots of different people is also helpful, and an understanding of verbal and non-verbal communications is also very useful.

Blue Team (Defensive Security)

The defensive teams are also likely to have some very technical people in them. They may not write exploits like some pen testers, but some do need to have a very deep and detailed understanding of how things work.

Digital forensics is a highly specialised field, and there are individual specialities within it. For example, someone may only deal with mobile devices, so will need to understand Android, iOS (for Apple devices) and Windows Mobile, amongst others. Some may look mainly at memory stores, or disk drives etc. They also need to know how to capture, store and examine data in a methodical way which can be replicated in court, using the ACPO Good Practice Guide for Digital Forensics (in the UK – other countries may have other standards).

SOC (Security Operations Centre) Analysts look at information coming from a range of sources such as log files, and are skilled at looking at the big picture to identify attacks or other threats.  They need to understand networks, protocols and firewalls, how systems are configured and how the whole network interoperates.  They also need to understand patching and malware, to evaluate likely effects and the best methods of combating those threats.

Training courses vary, though SANS are renowned for their very detailed courses, particularly in the forensics arena.  Again, CompTIA Net+ and Sec+ are good courses to start with before building up experience and looking at the more technical material available. Many courses will relate to the toolsets that the team member uses e.g. when using a Security Information and Event Management (SIEM) application, firewall apps etc. Blue team members may also take some of the same courses that the red team members do – remember Sun Tzu!

Summary

There is a lot of scope for people who are not technical – and have no desire to be technical – to work in Information Security.  In many cases, the key skills / attributes include patience, attention to detail, concentration, focus, diligence and curiosity, as well as people skills like empathy and communication.

As someone who has worked in the industry for over 30 years, since before it was even called security, I’d recommend it to anyone. There are so many opportunities, so many different roles, that there is bound to be something for everyone!

I should also mention that the company I work for, PGI, runs many of the courses mentioned above, or equivalents of them: I’m one of the instructors on the awareness courses…

H is for…

Hacking

I’m pretty sure that you’ve all heard the term “hacking”, and you probably know that it has negative connotations. But what exactly is it?

Put simply, it’s trying to get access to a computer or network using vulnerabilities in the security of the target. Note that I don’t necessarily say software: people can be hacked too, which is effectively what social engineering is. I won’t go onto social engineering here as it’ll be covered under “S is for…” later this year, so for the moment I’ll concentrate on hacking software.

Almost all software has errors in it which can be used to make the software do things the manufacturer didn’t intend. The bad guys know this, and spend a lot of time looking for those errors, then writing their own software to make use of these vulnerabilities (weaknesses): this process is called writing exploits.

The bad guys have a number of ways of getting their exploits to run on your systems: phishing emails are perhaps the most common and well known method, as are infected websites which download and install software in the background.

The best ways to protect your systems from hackers are:

  • Change your passwords regularly and enforce long, complex passwords for administrator level accounts
  • Keep patching and antivirus updated
  • Ensure your systems are vulnerability scanned, preferably penetration tested, on a regular basis
  • Ensure you / staff are trained to spot phishing emails

Hacktivism

Hackers who attack systems in support of a specific cause are engaging in hacktivism. Organisations like Anonymous rose to attention because they attracted hacktivists supporting different causes to attack companies which were involved in those causes.

Hybrid cloud model

As the name suggests, this kind of model is a mix of cloud and on-premise service provision. Some of the data / servers being used are in data centres run by your organisation, and some are in the cloud.

10 Steps to Cyber Security – Part 1 of 2

Through discussions with various clients and prospective clients, at conferences, events and forums, it is very apparent that a lot of companies know that they need to do “something about cyber” but many, particularly in the Small and Medium Enterprise (SME) arena, are unsure of what that something should be.

My response to them is generally along the same lines, and I thought I’d share it with you now. My apologies for those of you who are seasoned cyber professionals, as you will no doubt know this subject inside out, but for those of you who are wondering just how to get started and are looking for a jargon free, pragmatic explanation, read on…

As far back as 2012 the UK government produced the 10 Steps to Cyber Security which companies should follow to help make them more secure, as part of the drive to make the UK a safe place to do business. Those were followed in 2014 by the Cyber Essentials scheme. Both the 10 Steps and Cyber Essentials have had updates over the years, but those updates relate more to guidance and clarification than to changes to content.

This article sets out the first 5 requirements of the 10 Steps to Cyber Security: I’ll provide the remaining 5 in my next post which will be in a week or so. You will see that a number of these topics overlap, and that’s absolutely fine. There are some very blurred lines, but so long as the topics are covered then that has to be a good thing, right?

1. The first step is to set up a Risk Management regime. This sounds scary, but could be as simple as having an Excel spreadsheet or a Word document where you list all the risks to your business, determine how severe those risks are, and document how you will mitigate those risks. It doesn’t have to be onerous – it could just be your top 5 or 10 risks to start with.

  • For example, if your business relies exclusively on internet orders, e.g. as a retail outlet, then lack of access to the internet would be a serious risk, and mitigation measures could involve something like hosting your website with a specialist hosting provider which can provide protection against physical issues like flooding or power cuts and some technical threats such as denial of service attacks.
  • You should bear in mind that this is a regular, repeated process, where you review your risk register regularly and agree with the board appropriate measures based on a cost benefit analysis and your company’s risk tolerance.

2. The second step is to look at Secure Configuration of your systems. All this really means is that you need to make sure that your systems are patched appropriately, that anti-virus / anti-malware software is installed, updated and running, that you have an inventory of the equipment you have and what software is installed on it, and that where possible you’ve documented a standard build for all your devices. Let’s look at those in turn, as it all sounds very complicated:

  • Patches are software updates provided by vendors to address vulnerabilities which are found in all software. These are typically graded in terms of severity from low to critical, the idea being that you apply all critical patches as fast as possible, while low severity patches are less urgent. One of the reasons the WannaCry ransomware outbreak hit people so hard in May was because a Critical patch released by Microsoft in March hadn’t been applied to the systems affected: that’s a good example of what can go wrong if you don’t keep patches up to date. Many systems allow patches to be downloaded and installed automatically and, if you don’t have an IT department, it’s a good idea to use that option.
  • Antivirus software is similar to patches, in that vendors release regular updates to tackle new viruses. With the volume of viruses increasing massively on a daily basis, it’s a good idea to install these updates as they come out – at least daily. Many of the larger virus companies such as McAfee and Symantec have products which update automatically, and are well worth considering.
  • As an aside, there are rumours that Mac devices aren’t susceptible to or targeted by viruses: this is not the case anymore so make sure those devices are protected too.
  • Keeping an inventory is sensible: if you don’t know what you’ve got, how can you protect it? And if you don’t know what software is running, how do you know you have all the licenses you need, and how do you know how to rebuild the machine if it is damaged or unavailable for some reason? It just stops you starting from the very beginning, and allows you to be more proactive. Knowing what should be on each machine also helps you to develop a strategy for removing or disabling unnecessary functionality on it. Again, going back to WannaCry in May, one of the methods used by the ransomware to spread from machine to machine was through a network protocol which wasn’t really necessary on most machines. Maintaining an up-to-date inventory could help you identify vulnerabilities like that and close them down quickly.
  • The benefits of having a documented standard build have pretty much been covered above. It also means that when a new machine is bought, your IT team / support company knows exactly what to install and how to configure it to meet your business needs. This saves time and effort.
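
To show how the inventory, the standard build, patching and antivirus updates fit together in practice, here is a small added example (not part of the original article) that checks each device in an inventory against a documented standard build. The device names, software names, patch identifiers and dates are all constructed for illustration, and the one-day limit on antivirus definitions follows the "at least daily" advice above.

```python
from datetime import date

# Constructed standard build: what every device must have and may run.
STANDARD_BUILD = {
    "required_software": {"antivirus-agent", "office-suite"},
    "allowed_software": {"antivirus-agent", "office-suite", "pdf-reader", "web-browser"},
    "allowed_services": {"dns-client", "update-agent"},
}

# Constructed inventory: one record per device, as you might keep in a spreadsheet.
INVENTORY = [
    {"host": "reception-pc",
     "software": {"antivirus-agent", "office-suite", "web-browser"},
     "services": {"dns-client", "update-agent"},
     "av_definitions": date(2024, 3, 11), "pending_patches": []},
    {"host": "accounts-laptop",
     "software": {"office-suite", "pdf-reader", "remote-admin-tool"},
     "services": {"dns-client", "legacy-file-sharing"},
     "av_definitions": None,
     "pending_patches": [("PATCH-EXAMPLE-1", "critical"), ("PATCH-EXAMPLE-2", "low")]},
    {"host": "design-mac",
     "software": {"antivirus-agent", "office-suite", "web-browser"},
     "services": {"dns-client", "update-agent"},
     "av_definitions": date(2024, 3, 4),
     "pending_patches": [("PATCH-EXAMPLE-3", "low")]},
]


def audit_device(device, build, today, max_av_age_days=1):
    """Return a list of findings for one device; an empty list means it matches the build."""
    findings = []
    for name in sorted(build["required_software"] - device["software"]):
        findings.append(f"missing required software: {name}")
    for name in sorted(device["software"] - build["allowed_software"]):
        findings.append(f"software not in standard build: {name}")
    # Services outside the build are candidates for disabling (unnecessary functionality).
    for name in sorted(device["services"] - build["allowed_services"]):
        findings.append(f"unnecessary service enabled: {name}")
    # Only critical patches are flagged; lower severities can wait for the normal cycle.
    critical = sorted(pid for pid, severity in device["pending_patches"] if severity == "critical")
    if critical:
        findings.append("critical patches outstanding: " + ", ".join(critical))
    definitions = device["av_definitions"]
    if definitions is None:
        findings.append("antivirus definitions: none recorded")
    elif (today - definitions).days > max_av_age_days:
        findings.append(f"antivirus definitions {(today - definitions).days} days old")
    return findings


def audit_inventory(inventory, build, today):
    """Audit every device and return {host: findings}, worst device first."""
    report = {d["host"]: audit_device(d, build, today) for d in inventory}
    return dict(sorted(report.items(), key=lambda item: -len(item[1])))


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, STANDARD_BUILD, date(2024, 3, 12)).items():
        print(host, "- OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

The device at the top of the report is the one to fix first; a device with no findings matches the standard build.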

3. The third step concerns Network Security. Again there are some jargon words around what this means and what has to be done, but I’ve broken it down as follows:

  • One of the reasons for network security is to protect your networks from attack. A simple way of checking to see how well the network is protected is by engaging a company such as the one I work for to run a penetration test against all your public facing connections. All that this means is that a trusted person, with your permission, tries to see how far they can get into your network: they then report back to you with details of the vulnerabilities they found and how these can be fixed / remediated. They are actually using the same tools and techniques as hackers, but because they have your permission this is known as ethical hacking.
  • Another area to look at in network security is defending your network perimeter. This means that you should have firewalls installed and configured correctly: the penetration test mentioned just now is one way of ensuring that they are. Firewalls are typically installed at the place where your internal network meets the internet, often in a specially segregated area called a DMZ or “De-militarised zone”. It’s a way of stopping traffic from the internet getting directly on to your network.
  • As part of firewall configuration, you should ensure that unauthorised access and malicious content is filtered out. There are a range of companies which provide solutions for this sort of thing, but in simple terms your penetration test will help identify the biggest areas of concern. Network protocols are the ways in which computers talk to each other, and run across a range of different ports. You can think of the firewall as a giant colander, where you block up most of the holes (ports) other than those which are needed for passing a specific strand of spaghetti through a specific hole (port).
  • Last and not least in this section is the requirement to monitor and test security controls. We’ve already talked about testing – penetration testing – and monitoring is a way of measuring the effectiveness of your controls. There are a lot of monitoring toolsets available, ranging from reasonably cheap to quite expensive. It’s worth working out what you want to monitor / measure before starting to look for tools to help. This is one area where engaging a consultant may be beneficial.

4. We’ve already talked a little about Malware Prevention, the fourth step, when we talked about Secure Configuration above. What we didn’t mention is that it’s important to develop a policy around how you will use anti-malware software. For example, what happens when a virus is detected? Should it be deleted automatically or perhaps quarantined for analysis? Is there a process for testing removable media such as USB sticks for malware before connecting them to corporate systems (this is often called a sheepdip process)? It’s also important that anti-malware software is running on all devices connected to your business environment: monitoring and measurement will help confirm this.

5. Overlapping malware prevention is the fifth step, Removable Media Control. This again requires specific policy statements about the use of removable media: do you allow it or not, are only specific users in specific roles allowed to use it etc. It also sets out the requirements for scanning media for malware, perhaps using the sheepdip process outlined in step 4 above.

Hopefully this all makes sense. Please look out for the next installment when I’ll cover the remaining 5 steps, which are:

6. User education and awareness

7. Managing User Privileges

8. Incident Management

9. Monitoring

10. Home and Mobile Working

Certified Ethical Hacker

In spring 2013 I attended a Certified Ethical Hacker (CEH) training course with Firebrand in Wyboston, England. It was a week long bootcamp, with classes starting on the Sunday evening, 12 hour days in the classroom and a 3 hour exam on the Friday morning.

The classes were made up of a mixture of theory and practical work. All attendees had a number of virtual environments to work in, and we were able to use a number of the tools we’d talked about in a safe environment. After class we had two to three hours reading every night, to read the courseware, so we spent roughly 15 hours a day on the topic.

As you can imagine, this kind of intense training crams a lot in and leaves you pretty drained at the end, but it was worth it. The course “only” gives the background, and it is then down to the individual to keep their education up by reading more on the topic, by trying the tools out and by carrying out this kind of work.

While I don’t currently do any kind of hacking as part of my job, the course gave a very good understanding of the techniques and methods used, and the risks and potential impact that each kind of attack could bring to an organisation. From that perspective, it meant I was well prepared for writing policies and standards to help counteract the threats from this angle.

Recertification takes place every three years, and in that time you have to be able to demonstrate completion of at least 120 hours of Continuing Professional Education (CPE) in related topics. I have recently completed my first recertification and am therefore entitled to use the CEH designation, approved by the EC-Council, until 2019.