Careers in Cyber

Does this sound familiar?  You keep seeing headlines about cyber security, about information security, usually when there’s been a loss of passwords or data, sometimes about large fines being levied on companies for poor practice. You’ve heard that there are lots of vacancies in the world of cyber and would like to look at a career in security. But you don’t know what choices there are, you don’t have good IT skills and you don’t know what skills you need.

This article will answer some (though probably not all) of your questions.

Before looking at what roles there are, let’s get the first big concern out of the way shall we? Do you need to be an IT ninja to work in information security?  The answer is a resounding NO (though for some – not all – roles it helps). Read on to find out why…

Broadly speaking, cyber security is split into three main role groups:

  • governance, risk and compliance (GRC), which relates to policies, processes, and, in some cases, training. These roles include consultants, analysts, auditors and trainers
  • offensive security, also known as red teaming, with the aim of trying to get unauthorised access to systems. Roles in this group include ethical hackers (penetration testers), social engineers etc
  • defensive security, also known as blue teaming, with the aim of trying to stop those trying to get unauthorised access to systems. Roles in this group include digital forensics, incident response, Security Operations analysts etc

GRC roles

These roles typically require little to no technical skills, though an understanding of technology helps.

People in these roles will probably spend their time writing and reviewing policies and other documentation, carrying out audits to ensure the organisation is complying with policies and / or industry standards, working with other staff to help them understand and implement the policies. At a more senior level they also encompass consultancy, working with clients to help them understand and improve their security posture.

It’s likely that people in GRC roles will spend time looking at industry standards such as ISO 27001 and NIST, regulations such as GDPR and industry specific requirements such as PCI DSS.

In terms of training, people in this group will be more likely to develop and perhaps deliver general security training rather than specific courses for highly technical staff.

In terms of training, a good basis would be the BCS Certificate in Information Security Management Principles (CISMP), and if you’d like to add some technical knowledge passing the CompTIA Net+ and Sec+ exams would be really good grounding.  There are courses around data privacy which are becoming more common too. Ultimately you’d be aiming for something like the ISACA Certified Information Security Manager (CISM), (ISC)2 Certified Information Systems Security Professional (CISSP) or EC-Council Certified Chief Information Security Officer (C|CISO) qualifications, but they require at least 5 years of practical experience as well as an exam pass.

Red Team (Offensive Security)

This is where many people think the really exciting part of security sits, being paid to test other companies’ defences and helping them improve their security. This is the realm of the ethical hacker, more properly called a penetration (pen) tester.

Pen testers are, by necessity, quite technical. Typically they’ll be able to write scripts and code in several different languages, including Bash and Python.  They’ll understand toolsets such as Metasploit, which is available for free on Kali Linux. (Incidentally, the bad guys will use pretty much the same toolsets for much of their work, and both groups will probably learn a lot about how to use them from YouTube!) They’ll also be able to write exploits, perhaps for use in Metasploit or elsewhere.  Oh, and they better understand network protocols and how firewalls work too.  Essentially, they need to know a lot about a lot of things in order to be very proficient, though it is possible to run a lot of these tools with very little knowledge.

There is a form of red teaming where people try to physically get access to premises and systems using social engineering techniques.  This typically involves carrying out research on the target company using OSINT techniques, before creating some kind of pretext (cover story) or getting in through open doors and windows.  The goal may be to try to access a data centre or other sensitive room in a building, or it may be to leave some kind of listening / communications device in a meeting room, or to see what documentation can be obtained. This is the sort of work that you may have seen in films like Sneakers, where teams of people are testing an organisation’s security capabilities. Skills needed for this type of role are more related to acting / improv, calmness under pressure and the ability to think quickly.  A good understanding of human psychology, empathy, body language and non-verbal communication is really helpful in this field.

Training for the red team can be very technical, or not technical at all. If technical, you probably need to look at something like CompTIA Net+ and Sec+ as a basic grounding, before then looking at something like the Offensive Security Certified Professional (OSCP) or CHECK Team Member (if in the UK). It’s worth saying that when it comes to the technical aspects, lots of practice with different packages, scripting languages and exploits is probably more beneficial than lots of certifications, though having at least one industry respected certification will be helpful.

It’s also worth noting that many red team members will have experience of operating as a blue team member (and vice versa), and the skills gained there will be useful for them in trying to defeat their opponents.

If you know the enemy and know yourself you need not fear the results of a hundred battles.
– Sun Tzu, The Art of War

If looking at the non-technical courses, then typically psychology and sociology are very useful. Experience of acting / talking to lots of different people is also helpful, and an understanding of verbal and non-verbal communications is also very useful.

Blue Team (Defensive Security)

The defensive teams are also likely to have some very technical people in them. They may not write exploits like some pen testers, but some do need to have a very deep and detailed understanding of how things work.

Digital forensics is a highly specialised field, and there are individual specialities within it. For example, someone may only deal with mobile devices, so will need to understand Android, iOS (for Apple devices) and Windows Mobile, amongst others. Some may look mainly at memory stores, or disk drives etc. They also need to know how to capture, store and examine data in a methodical way which can be replicated in court, using the ACPO Good Practice Guide for Digital Forensics (in the UK – other countries may have other standards).

SOC (Security Operations Centre) Analysts look at information coming from a range of sources such as log files, and are skilled at looking at the big picture to identify attacks or other threats.  They need to understand networks, protocols and firewalls, how systems are configured and how the whole network interoperates.  They also need to understand patching and malware, to evaluate likely effects and the best methods of combating those threats.

Training courses vary, though SANS are renowned for their very detailed courses, particularly in the forensics arena.  Again, CompTIA Net+ and Sec+ are good courses to start with before building up experience and looking at the more technical material available. Many courses will relate to the toolsets that the team member uses e.g. when using a Security Information and Event Management (SIEM) application, firewall apps etc. Blue team members may also take some of the same courses that the red team members do – remember Sun Tzu!

Summary

There is a lot of scope for people who are not technical – and have no desire to be technical – to work in Information Security.  In many cases, the key skills / attributes include patience, attention to detail, concentration, focus, diligence and curiosity, as well as people skills like empathy and communication.

As someone who has worked in the industry for over 30 years, since before it was even called security, I’d recommend it to anyone. There are so many opportunities, so many different roles, that there is bound to be something for everyone!

I should also mention that the company I work for, PGI, runs many of the courses mentioned above, or equivalents of them: I’m one of the instructors on the awareness courses…

V is for …

VPN

A virtual private network (VPN) is a form of network connection between two points which is encrypted. This helps protect the network traffic from being intercepted by others, and helps to keep the message secure.

It’s a really good idea to use a VPN if you’re away from home eg in cafes or using other public WiFi connections. There are quite a few available, for mobile phones as well as for laptops etc, they’re quite easy to find, and there are free as well as paid for versions on the market.

Virus

A computer virus is a form of malware which can carry different payloads. Just like a virus which infects people, a computer virus is designed to infect devices by a number of different methods. Using antivirus software, and keeping the software updated, as well as regularly applying patches, is a good way of reducing the risk of infection.

Vishing

Vishing is a form of phishing which is done over the phone (voice phishing) rather than by email. It’s often used in conjunction with phishing to add credibility to the email which was sent, and to try to improve the chances of the target being successfully socially engineered.

Vulnerabilities

Almost all software has faults in it, which may take some time to discover. These faults are called vulnerabilities, and they are fixed when patches are issued.

Vulnerability scan

A vulnerability scan is similar to a penetration test, but doesn’t go into as much detail. It’s the equivalent of a burglar trying the doors and windows on a house to see if they’re open – and then not going into the house (which would be a penetration test).

All it does is identify how an application, website or other system is vulnerable, but it doesn’t tell you what you could do if you exploited the vulnerability.

Social Engineering and Human Nature

I’m often asked, particularly by new entrants into cyber, what books they should read, and what podcasts they should listen to. The list of both is endless, but I thought I’d share some titles with you. Before we start though, a word about my relationship with books…

I’m a passionate reader, and a compulsive purchaser of books. So I have a lot on my shelves that I’ve not yet read, but loads that I have.  I had cause to sit and ponder today and reckon I’ve over 25m of bookshelves at home, which are mostly full – and a pile of books by my bed, and another on my desk.

For some reason, I group my books by subject matter and height order, and have recently moved away from keeping all by the same author together to having them grouped by colour. (My LPs are stored in alphabetical order, by artist then by album title: this is something I’ve done since I was a teenager!)

The picture with this post shows my “social engineering” shelf, which includes titles on microexpressions (Paul Ekman) and the psychology of persuasion (Robert Cialdini). Interestingly, the author of the Cyber Effect, Mary Aiken, was a producer and consultant for the show CSI: Cyber, and was in fact the inspiration for Patricia Arquette’s character in the programme.  (Beware though, once you start watching, you’ll watch the entire series in one sitting!)

It’s not possible to be a good social engineer, to gain people’s trust and ask them to do things to help you, without understanding human psychology. Ditto if you’re carrying out phishing attacks, you need to know what will make people click on links etc.

Microexpressions give away how someone is really feeling, so it’s really important that social engineers understand and recognise these. If you want to know how they can be used, you might want to watch the show Lie To Me. Paul Ekman was a consultant on the show, and his work is explained particularly well in season 1.   (Another binge watch alert here!)

It’s impossible to talk about social engineering without mentioning Kevin Mitnick. Once one of the FBI’s top 10 Most Wanted fugitives, Mitnick is one of the foremost authorities in the world on social engineering. I have already written a post about his book, Ghost in the Wires.

I’ll share information on some of the other books on my shelf another time. These should be a good starter for you if you’re interested in the meantime!

S is for …

Smishing

This is very similar in concept to phishing, but instead of email being used to deliver malicious code or links to malicious website, SMS text messages are used. The messages often look as though they’ve come from someone you know and / or trust, but they have typically been spoofed to make you think they are legitimate.

As with phishing, if you are in any doubt at all that the message has come from the person you think it has, contact them by another means eg phone them, access their website etc.

Social engineering

This is a broad term, but generally speaking it is the art of persuading someone to provide you with information, or access to something, which they shouldn’t really. It takes many forms, and just as with hacking there are people who do social engineering for good (eg red team members) and those who do it for nefarious purposes (eg con men).

Again in general terms, the good guys will only use techniques that only leave you feeling good about the experience, will not try to manipulate or coerce you into doing somehting you don’t want to. The bad guys will have no qualms about trying everything to bend you to their will.

Spam

This is the catch-all phrase used for unwanted email, much of which may contain viruses or malicious links. In many ways its the electronic version of junk mail (aka direct marketing) which most of us experience.  Over 45% of all email sent globally currently is spam, though in 2014 that figure was over 70%.

When you consider there are over 235 billion emails sent every day, it is clear this is a huge volume of spam, and it is therefore unsurprising that some of it makes it into your mailbox, irrespective of what anti-spam tools you are using.

Spear phishing

Spear phishing is a form of phishing (and whaling), and is different because the emails are directed at specific targets. Information about the target is normally found through Open Source Intelligence gathering, and an email is then crafted to take advantage of that information.

For example, if someone did some research on me and found that I was a fan of London Irish rugby and the band Coldplay, they could create an email designed specifically for me which could perhaps give me the opportunity to get 50% discount on tickets to see Coldplay or 75% off a hospitality package at the rugby. If I was a genuine fan of either I might be tempted by those offers, and might click on any link in the message or open an attachment.

Spoofing

There are software packages available which allow a person to mimic another person’s phone number, and there are also techniques which allow them to send email which looks as though it has come from someone else. This practice is called spoofing.

Imagine you have been receiving text messages from your bank, and one day you get another message (in the same message stream) which asks you to click on a link to update your details. This could be a spoofing attack. One way to check is to contact your bank by phone, in person or on their website.

Next, imagine you get an email from your boss, and it looks genuine. It may be formatted the same as your company email address, and may follow the same naming convention eg mary.brown@acme.corp, but the mail has come from outside your organisation and again it has malicious links or attachments in it. Many organisations protect against this by adding some text to the subject line of an email eg the phrase [EXT] or [external] if it has come from outside the organisation. This is a simple and obvious visual clue.

Stuxnet

Stuxnet was shrouded in secrecy but is now very well known. It was a sophisticated piece of code which targeted a specific make of industrial control system, and was used in an effort to cripple the Iranian nuclear programme. It featured a number of zero day exploits which targeted vulnerabilities in the centrifuges used in a specific power plant, causing them to spin out of control while in the control room everything looked normal. The intent was to prevent the Iranians from developing a nuclear weapons capability.

It is an infamous and ingenious piece of code. For more information, you may want to see the documentary made about it, called Zero Days.

Switch

This is a network device which helps segment a local area network into separate networks. It differs from a router in that it only knows one path from one network to another, whereas a router can search among multiple possible routes and determine the best path for network traffic to take.

 

R is for …

Red Team

Just as penetration testers try to get access to an organisation electronically, red teams try to get physical access to the organisation. They use a combination of Open Source Intelligence gathering and social engineering to get access.

These teams are typically engaged by senior management to test processes such as visitor registration, tailgating, signing in, staff challenging non-wearers of passes etc.

Remote access

As the name suggests, this is the process of providing access to systems from a remote location. For example, many people are given access to their work systems when not in the office. This uses remote access tools including VPNs and Two Factor Authentication, or a combination of multiple tools. It means you don’t physically have to be in the office to access your work systems.

RAT

A Remote Access Trojan (RAT) is a piece of malware which enables attackers to gain control of a target machine from a remote location. When attackers use phishing techniques, the first step after a link is created is often to implement a RAT. This enables an attacker to get access to the device and carry on their attack using other tools.

Router

A router is a network device which examines network traffic and forwards it to the most appropriate part of the network.

 

O is for …

On-premise

This term is used to describe equipment which is physically located in your offices. The alternative would be a third party hosted service such as those offered by cloud hosting providers.

Open Source Intelligence

The internet is full of many sources of information, many of which are free. This is known as Open Source Intelligence (commonly called OSINT).

The most well known sources of information are social media sites like Facebook, LinkedIn and Twitter. If users do not lock down their accounts, potential attackers can learn a lot about them just by trawling their details. For example, Facebook allows you to list family members, friends, schools, colleges and work places, all of which are invaluable to attackers.

Operating System

All computers need code to tell them how to interact with their components eg keyboards, mice, monitors etc. They also need code which tells them what to do when switched on, how to store files and how the file store is structured. All of these services are provided by the Operating System, or OS for short. The most common operating systems for desktop and laptop computers are Microsoft Windows, Mac OS and Linux. Smartphones and tablet devices also have operating systems, the most common being Apple iOS, Android, Blackberry and Windows Mobile.

Ghost in the Wires

Ghost in the Wires by Kevin Mitnick and William L Simon is perhaps the seminal work on social engineering by one of the industry’s most famous exponents. Mitnick attained a certain amount of notoriety by going on the run for two years before finally being apprehended by the FBI, but I think that his biggest claim to fame is his ability [as alleged by prosecutors] to be able to phone NORAD, whistle down the line and launch a nuclear strike. This is obviously preposterous, and is not something that will be discussed in the rest of this article.
When reading the book the first time, I was struck by how early Mitnick embarked on his career as a social engineer. Persuading an LA bus driver to divulge where he could get a machine like the one used to punch tickets at the age of 12 shows how a bit of knowledge and the knack of talking to people can reap dividends.

I also particularly enjoyed the episode Mitnick describes in a South Dakota registrar’s office. Having explained that he was a private investigator, he was given a desk and ultimately given access to the Crown Jewels – blank birth certificates and the official embossing tool for them. In a short space of time he had all the documentation he needed to continue to reinvent his identity as and when needed. Patience and an open personality, with an eye on the prize in the long game again produced rewards.

Having called in to the NSA itself (and in the wake of Snowden’s revelations how ironic is that) and accidentally overheard a conversation about himself must have been incredible. It’s unsurprising that Mitnick didn’t dare to push his luck by calling in again.

It felt that throughout the book Mitnick was at pains to explain how he never hacked anything, just persuaded people to give him access through what he said and how he said it. He also made it clear that he wasn’t doing any of it for financial gain, but more as a test of his abilities, which were honed and improved over the years. Having a remarkable memory for numbers obviously helped tremendously.

I’m not convinced that downloading / obtaining source code and trawling through it for bugs which could be exploited is as innocent as he claims: at the very least, whoever he told about the vulnerabilities may have committed serious crimes.

This was an interesting book, and one which should be on every security professional’s reading list.