Careers in Cyber

Does this sound familiar?  You keep seeing headlines about cyber security, about information security, usually when there’s been a loss of passwords or data, sometimes about large fines being levied on companies for poor practice. You’ve heard that there are lots of vacancies in the world of cyber and would like to look at a career in security. But you don’t know what choices there are, you don’t have good IT skills and you don’t know what skills you need.

This article will answer some (though probably not all) of your questions.

Before looking at what roles there are, let’s get the first big concern out of the way, shall we? Do you need to be an IT ninja to work in information security? The answer is a resounding NO (though for some – not all – roles it helps). Read on to find out why…

Broadly speaking, cyber security is split into three main role groups:

  • governance, risk and compliance (GRC), which relates to policies, processes, and, in some cases, training. These roles include consultants, analysts, auditors and trainers
  • offensive security, also known as red teaming, with the aim of trying to get unauthorised access to systems. Roles in this group include ethical hackers (penetration testers), social engineers etc
  • defensive security, also known as blue teaming, with the aim of trying to stop those trying to get unauthorised access to systems. Roles in this group include digital forensics, incident response, Security Operations analysts etc

GRC roles

These roles typically require little to no technical skills, though an understanding of technology helps.

People in these roles will probably spend their time writing and reviewing policies and other documentation, carrying out audits to ensure the organisation is complying with policies and / or industry standards, and working with other staff to help them understand and implement the policies. At a more senior level they also encompass consultancy, working with clients to help them understand and improve their security posture.

It’s likely that people in GRC roles will spend time looking at industry standards such as ISO 27001 and NIST, regulations such as GDPR and industry specific requirements such as PCI DSS.

In terms of training, people in this group will be more likely to develop and perhaps deliver general security training rather than specific courses for highly technical staff.

In terms of training, a good basis would be the BCS Certificate in Information Security Management Principles (CISMP), and if you’d like to add some technical knowledge, passing the CompTIA Net+ and Sec+ exams would be really good grounding. There are courses around data privacy which are becoming more common too. Ultimately you’d be aiming for something like the ISACA Certified Information Security Manager (CISM), (ISC)² Certified Information Systems Security Professional (CISSP) or EC-Council Certified Chief Information Security Officer (C|CISO) qualifications, but they require at least 5 years of practical experience as well as an exam pass.

Red Team (Offensive Security)

This is where many people think the really exciting part of security sits, being paid to test other companies’ defences and helping them improve their security. This is the realm of the ethical hacker, more properly called a penetration (pen) tester.

Pen testers are, by necessity, quite technical. Typically they’ll be able to write scripts and code in several different languages, including Bash and Python. They’ll understand toolsets such as Metasploit, which is available for free on Kali Linux. (Incidentally, the bad guys will use pretty much the same toolsets for much of their work, and both groups will probably learn a lot about how to use them from YouTube!) They’ll also be able to write exploits, perhaps for use in Metasploit or elsewhere. Oh, and they’d better understand network protocols and how firewalls work too. Essentially, they need to know a lot about a lot of things in order to be very proficient, though it is possible to run a lot of these tools with very little knowledge.

There is a form of red teaming where people try to physically get access to premises and systems using social engineering techniques.  This typically involves carrying out research on the target company using OSINT techniques, before creating some kind of pretext (cover story) or getting in through open doors and windows.  The goal may be to try to access a data centre or other sensitive room in a building, or it may be to leave some kind of listening / communications device in a meeting room, or to see what documentation can be obtained. This is the sort of work that you may have seen in films like Sneakers, where teams of people are testing an organisation’s security capabilities. Skills needed for this type of role are more related to acting / improv, calmness under pressure and the ability to think quickly.  A good understanding of human psychology, empathy, body language and non-verbal communication is really helpful in this field.

Training for the red team can be very technical, or not technical at all. If technical, you probably need to look at something like CompTIA Net+ and Sec+ as a basic grounding, before then looking at something like the Offensive Security Certified Professional (OSCP) or CHECK Team Member (if in the UK). It’s worth saying that when it comes to the technical aspects, lots of practice with different packages, scripting languages and exploits is probably more beneficial than lots of certifications, though having at least one industry respected certification will be helpful.

It’s also worth noting that many red team members will have experience of operating as a blue team member (and vice versa), and the skills gained there will be useful for them in trying to defeat their opponents.

If you know the enemy and know yourself you need not fear the results of a hundred battles.
– Sun Tzu, The Art of War

If looking at the non-technical courses, then typically psychology and sociology are very useful. Experience of acting / talking to lots of different people is also helpful, and an understanding of verbal and non-verbal communications is also very useful.

Blue Team (Defensive Security)

The defensive teams are also likely to have some very technical people in them. They may not write exploits like some pen testers, but some do need to have a very deep and detailed understanding of how things work.

Digital forensics is a highly specialised field, and there are individual specialities within it. For example, someone may only deal with mobile devices, so will need to understand Android, iOS (for Apple devices) and Windows Mobile, amongst others. Some may look mainly at memory stores, or disk drives etc. They also need to know how to capture, store and examine data in a methodical way which can be replicated in court, using the ACPO Good Practice Guide for Digital Forensics (in the UK – other countries may have other standards).

SOC (Security Operations Centre) Analysts look at information coming from a range of sources such as log files, and are skilled at looking at the big picture to identify attacks or other threats.  They need to understand networks, protocols and firewalls, how systems are configured and how the whole network interoperates.  They also need to understand patching and malware, to evaluate likely effects and the best methods of combating those threats.

Training courses vary, though SANS are renowned for their very detailed courses, particularly in the forensics arena.  Again, CompTIA Net+ and Sec+ are good courses to start with before building up experience and looking at the more technical material available. Many courses will relate to the toolsets that the team member uses e.g. when using a Security Information and Event Management (SIEM) application, firewall apps etc. Blue team members may also take some of the same courses that the red team members do – remember Sun Tzu!

Summary

There is a lot of scope for people who are not technical – and have no desire to be technical – to work in Information Security.  In many cases, the key skills / attributes include patience, attention to detail, concentration, focus, diligence and curiosity, as well as people skills like empathy and communication.

As someone who has worked in the industry for over 30 years, since before it was even called security, I’d recommend it to anyone. There are so many opportunities, so many different roles, that there is bound to be something for everyone!

I should also mention that the company I work for, PGI, runs many of the courses mentioned above, or equivalents of them: I’m one of the instructors on the awareness courses…

Unhelpful media headlines

Earlier this week an article appeared on the BBC website called “How can we stop being cyber idiots?” I took umbrage at this for a number of reasons.

First, why alienate readers by calling them idiots? Most people who use computers (I won’t call them users because, as a friend of mine pointed out, users has negative connotations around drug and alcohol abuse) generally try to do the right thing. This doesn’t make them idiots.

Second, if people haven’t been educated about the risks of their actions, they may not understand the consequences of not following any guidance they’ve been given. This is a failure on the part of information security professionals, not providing meaningful education which reaches everyone, and which informs on and encourages good behaviour. It doesn’t make the people using computers idiots.

Third, why assume that everyone knows what is right and wrong? As Rik Ferguson pointed out on a podcast I listened to last year, every day is someone’s first day online. So every day someone needs to be told the basics of information security. This doesn’t make those people idiots.

There seems to be a general assumption that everyone knows everything they need to about good cyber security practice, but that’s just not true. It’s an everyday and ongoing challenge to help people understand the consequences of their actions. The risks are constantly changing and evolving, so security professionals like me need to make sure we’re spreading the right messages in the right way.

 

10 Steps to Cyber Security – Part 2 of 2

This is the second half of the article which I published last week. I have been overwhelmed with the positive responses to the first article, so I’ll take this opportunity to say thank you very much for your kind words. I’m glad that the article was useful for so many of you, and I hope you get just as much out of this edition. 

This article covers the remaining aspects of the UK Government’s 10 Steps to Cyber Security, and is again aimed at those of you with limited or no cyber / information security awareness. Again my aim is to explain the requirements in a simple manner with no jargon or buzzwords. As last week covered steps 1 to 5, this week we start at 6…

6. The first step we’ll look at in this article is all about User Education and Awareness. Yes, training is a very important part of our controls, which help protect our businesses. It forms a part of many regulatory frameworks, but we shouldn’t just do it because the regulations or contracts we work to require it.

Within the 10 Steps, the guidance suggests that once you’ve produced all your policies and processes you ensure that those are described within the training you provide. It helps to maintain awareness of cyber risks, and at the very least should mean that all staff are aware of what is expected of them. 

Many companies have for years run this as a kind of “tick box” exercise, where people simply rush to the end as fast as possible just so they can say they’ve completed it for another year. That adds no value. The employee gains nothing and the business is not better protected – but it may be sufficient to meet our regulatory, legal or contractual obligations. 

Good awareness training should help to inform and change behaviour, to make it easier for people to do the right thing than the wrong thing. It should help explain the risks of certain actions in a way that matters and affects the individual: it should explain the “what’s in it for me” question. Humans are the weakest link in any security solution, so we should help them get it right by helping them understand what’s at stake. Many good training solutions now include gamification, or “what would you do” type scenarios. Get the attendees actively involved in the training, rather than passively clicking “Next” to get to the next screen. 

7. Managing User Privileges is the next step. This simply means restricting access to the highest privilege type of account to as few people as possible. You should also monitor user activity if possible, looking out in particular for unusual activity such as logging in at strange times of the day, or for large file transfers out of your business. This also involves looking at audit logs, which you may need help with. 

User accounts on most computers fall into two areas: administrator (also known as admin, superuser, root, or something like that) and standard user. 

The standard user cannot run new programs, cannot install software on their machine etc, because their access rights (another way of saying user privileges) don’t give them carte blanche access to the device.

The administrator account has full access to be able to run any software, to remove components, and to run administrative tools such as reformatting drives. This is very powerful and, as a result, users with this level of access should be restricted as much as possible. 

It is good practice to give most users standard user accounts, because for the most part they should not need to install software or make significant changes to their machines. It’s also good practice to review who has what level of access on a regular basis, and make sure that people only have access to systems and data that they need for their job. For example, someone working in a technical team doesn’t need access to payroll data, and someone working in HR doesn’t generally need to be able to install new software on a server. 

8. The next step is Incident Management. This is not only about how you deal with an incident when it occurs, but about being prepared for one when it happens. (Notice that I’ve said “when” rather than “if”. Statistically, if you’ve not had an incident then you will soon, so it helps to be prepared.) The key areas to bear in mind are:

  • Ensure that you have a documented incident response process, that you know what to do and who to contact. For example, where would you relocate your business / staff to if your offices were unavailable due to fire, flood or a chemical spill? How would you contact staff to tell them where to go and when? Are all staff required or just one or two? What equipment will they need and how would they access your systems? If you’re using a shared recovery office, how are you guaranteed space? What would you do if your office systems were infected by ransomware? This is the sort of thing that should be considered and the processes documented. This is all part of something called Business Continuity or Disaster Recovery Planning. 
  • Once you’ve got your plans in place, test them. You should aim to test them at least once a year. Some companies do a full test where they actively notify people and try running their business from the recovery offices for a day, and some run a table top exercise. Both work, and both have their risks and benefits. 
  • Just as your business will likely have fire marshals, first aiders and health and safety experts, make sure staff are trained in what to do in the event of an incident. The training doesn’t have to be onerous and many businesses will include it as part of their User Education and Awareness activities described in 6 above.

Where you find a criminal incident, it should be reported to law enforcement via Action Fraud – http://www.actionfraud.police.uk. You may also choose to inform your local police force. 

9. The penultimate step is Monitoring. As we’ve seen, there is some overlap with step 7, but monitoring covers more than just user account management. There are a couple of things to look at when dealing with this step: 

  • You should establish a strategy for monitoring, and document this – ideally include it in your overall Information Security Policy. Monitoring may also include email and internet use as well as systems and networks: if it does, then you need to make your staff aware that this is the case. 
  • Monitoring of systems and networks should be continuous, so you’ll need a way of identifying anomalies / unusual behaviour. This may be through log analysis or you may look for software which helps to visualise the data, making the anomalies stand out.
  • Though the guidance doesn’t specifically mention it, I’d suggest that your monitoring should also include details around key indicators, change management etc. For example, if you have a policy that requires all laptops to be encrypted, then you should check regularly to ensure that they are and report on those that aren’t. Or if you have a policy of removing user access when they leave the organisation, you should check to ensure that is happening on a regular basis. 
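
The checks described in steps 7 and 9, sketched as an added example (not part of the original article or of the 10 Steps guidance): a short Python script that reviews a handful of constructed log lines and account records. The working hours, transfer threshold, account names, departments and record layout are all assumptions made for illustration.

```python
from datetime import datetime, time

# Everything below is constructed sample data; thresholds are assumptions.
WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed normal working hours
MAX_OUTBOUND_MB = 500                           # assumed "large transfer" threshold
ADMIN_DEPTS = {"IT"}                            # teams expected to hold admin rights

ACCOUNTS = {
    "asmith": {"role": "standard", "enabled": True, "dept": "HR"},
    "bjones": {"role": "admin", "enabled": True, "dept": "IT"},
    "cpatel": {"role": "admin", "enabled": True, "dept": "HR"},
    "dlee": {"role": "standard", "enabled": True, "dept": "Finance"},
}
LEAVERS = {"dlee"}  # hypothetical list of leavers supplied by HR

EVENTS = [  # layout: timestamp action user [megabytes sent out]
    "2024-03-04T09:12:00 login asmith",
    "2024-03-04T02:47:00 login bjones",
    "2024-03-04T10:05:00 transfer_out asmith 12",
    "2024-03-04T16:30:00 transfer_out cpatel 2048",
    "2024-03-05T08:01:00 login dlee",
]


def parse_event(line):
    """Turn one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
        size = int(parts[3]) if len(parts) > 3 else 0
    except ValueError:
        return None
    return {"when": when, "action": parts[1], "user": parts[2], "mb": size}


def review_events(lines, leavers=LEAVERS):
    """Flag odd-hour logins, large outbound transfers and leaver activity."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            # A line we cannot read is itself worth a look, so report it.
            findings.append(("?", "unparseable log line"))
            continue
        if ev["user"] in leavers:
            findings.append((ev["user"], "activity on a leaver account"))
        if ev["action"] == "login" and not WORK_START <= ev["when"].time() <= WORK_END:
            findings.append((ev["user"], "login outside working hours"))
        if ev["action"] == "transfer_out" and ev["mb"] > MAX_OUTBOUND_MB:
            findings.append((ev["user"], "large outbound transfer"))
    return findings


def review_accounts(accounts=ACCOUNTS, leavers=LEAVERS):
    """Periodic access review: leavers still enabled, unexpected admin rights."""
    findings = []
    for user, info in sorted(accounts.items()):
        if user in leavers and info["enabled"]:
            findings.append((user, "leaver account still enabled"))
        if info["role"] == "admin" and info["dept"] not in ADMIN_DEPTS:
            findings.append((user, "admin rights outside expected teams"))
    return findings


if __name__ == "__main__":
    for user, reason in review_events(EVENTS) + review_accounts():
        print(f"{user}: {reason}")
```

Each finding is a prompt for a person to ask a question, not proof of wrongdoing: an administrator logging in at 02:47 may simply be on call.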

10. Finally, Home and Mobile Working is an area that you need to look at. 

  • Make sure that your Information Security Policy includes a section on mobile working. Do you allow it or not? If you do allow it, what are the rules, how is data protected? Do you allow users to use their own devices, or do you provide laptops, tablets, smartphones etc? What security is in place to protect the data, both at rest and in transit (ie when being sent across networks – do you use Virtual Private Networks, encryption, two factor authentication etc)? Make sure you’ve documented what your security baseline is and ensure that is being complied with through regular monitoring as discussed in step 9.
  • Make sure that users know what is and isn’t allowed, what is acceptable behaviour and what is expected of them if they are working from home or on the road. This is a great topic to include in step 6, your User Education and Awareness.

As you can see, these steps are relatively straightforward, and there is a degree of overlap between them. For the most part it all boils down to how you protect your data, how you ensure the data cannot be tampered with, and how you get access to it in the event of an incident. In Information Security terms, this is known as the CIA triad, Confidentiality, Integrity and Availability. Make sure you’ve documented your requirements and communicated them with staff on a regular basis, and review your requirements regularly too. 

Are there any areas I’ve not explained well? I’m happy to answer any questions you may have so please just ask! 

Getting started in Cyber 

One of the most common questions I’m asked by non-cyber professionals is “How do I start a career in cyber?” and fortunately I think there’s a relatively easy answer. 

The British Computer Society (BCS) have an entry level qualification called the Certificate in Information Security Management Principles (CISMP). It’s typically a five day course and covers most aspects of information security at a high level, digging in to some in a bit more detail. It was the first security course I attended, many years ago, and I can thoroughly recommend it for beginners, even for those with limited IT knowledge. 

If you’re looking for a company that provides this course in fantastic surroundings with outstanding instructors, look no further than these guys below (it’s who I work for). This is one of the courses that I teach, but I don’t think I’m scheduled to teach this particular one. If you do book on it, let me know and I’ll make sure I come along and see you. 

Shiny kit isn’t always what you need

This article appeared on LinkedIn on 5th April 2017, and you can read it in full here. 

Earlier this week I saw an item on LinkedIn where someone was asking advice about building a SOC (Security Operations Centre). It set me thinking that often we see a great clamour for solutions, for the latest shiny bit of kit with flashing lights and a cool name, but do we ever stop to wonder why we need it?

Before we even look at equipment or software, the very first step should be to look at our business objectives. Why are we doing what we do, and do our objectives help achieve that? What is our end goal? Without knowing this, how can we possibly determine the best solution for our needs? 

We should then look at our risk registers, to identify the key areas of risk, and to determine whether by mitigating any of those we will reach our end goal – or at least be closer to it than we currently are. How many of those risks require human interaction, and how many are dependent on hardware and software?

Looking at our policies and procedures next, we should try to establish whether they are helping us achieve our stated aims, or are they hindering that task? Are we able to amend the working processes in a way that makes them cost effective and help us meet our business goals? 

Do your staff understand the business objectives, and are they appropriately skilled / experienced to help reach those objectives? If not, what do they need to help them understand, and what training / guidance do they need? 

Once you’ve gone through all these steps, you’ll have a good idea of what’s missing, what is preventing you from achieving your business goals. Write these down, as they will form the basis of a specification document which will identify the requirements of any solutions you need. It might not be that big shiny box from vendor A: it might be additional training for your staff, it might be a paper based process or it might be a bit of software instead. You’ll also have some idea of the level of risk, and how much money you’re able to devote to addressing the gap, through a cost benefits analysis. This will help determine your budget for any additional actions / solutions you find that you need. In some cases it boils down to scale, and the type of business. For example, why would an SME with 5 people working in an office need their own SOC? They may need one, but could probably outsource it much more cheaply than build and maintain their own.

I’ve worked on a number of consulting engagements where the client has told me they need the latest and greatest bit of kit, but when pressed for the reason behind this decision they could only come up with “because all my competitors are using it so I should have it too” or “the salesman told me it would solve all my problems”. Those are hardly sound business reasons, wouldn’t you agree? 

I was speaking at an event recently, one of a long series, and the moderator told me before it began that they’d had quite a few people in, from the intelligence community as well as vendors, telling the attendees that this gadget or this software would solve all their problems, would address their biggest issues, would remove most of their risk. Fabulous claims, but how could they be sure? They didn’t know the attendees’ businesses, they didn’t know the policies, processes, controls and systems the attendees already had in place, they didn’t know what the attendees’ risks were – so how could they possibly offer a solution? It doesn’t make logical sense, does it?

I’m reading a really good book at the moment, called Start With Why by Simon Sinek. It very sensibly suggests that before setting out to build a new business, or to grow an existing venture, you should ask yourself why you are doing it. The same applies to technical solutions I think – work out why you are doing what you are doing, and why you need to change, then take things from there. The answer may not be that super cool shiny box with lots of flashing lights.