Information Security Analyst Profile and InfoSec Certification Paths

Authors: Ionut – Daniel BARBU & Cristian PASCARIU

Published: IJISC Volume 3, Issue 1, Year 2014

Sources: 

infosecinstitute.com; linkedin.com; wikipedia.org; franklin.edu; eccouncil.org; sourcefire.com; isaca.org; tomsitpro.com; isc2.org; concise-courses.com; certification.about.com; offensive-security.com; networkworld.com; csoonline.com; iso.org; greenwireit.com

Book references:

CISSP Boxed Set, Second Edition (All-in-One) – Shon Harris

CEH Certified Ethical Hacker Boxed Set – Matt Walker

SANS GIAC Certification: Security Essentials Toolkit (GSEC) – Eric Cole

CISA Certified Information Systems Auditor All-in-One Exam Guide, 2nd Edition – Peter Gregory

Security+ Guide to Network Security Fundamentals – Mark Ciampa

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Second Edition – Douglas Landoll

Abstract

The Internet of Things is a concept dating back to 1991 and refers, in fact, to a scenario in which everything is connected to the Internet. The idea of having everything interconnected and, moreover, connected to the Internet is becoming more and more common nowadays, and futurologists are being quite realistic when they admit that everything, from the car to household appliances, from body characteristics such as temperature to the automatic pet feeder, will be connected to the World Wide Web. In this world a critical aspect emerges: that of information security. We are becoming more and more reluctant to provide information that relates to us, but what if that information is taken without our knowledge, and what if we are a large enterprise with valuable intellectual property? This is one of the main reasons why the demand for jobs in the Information Security field is growing extremely rapidly. IT security specialists are almost always found in any major enterprise or establishment, due to the nature and value of the data within larger businesses. This article details the Information Security related jobs, thoroughly studying the InfoSec analyst role. Moreover, it highlights the critical importance of training and certification programs.


Some time has already passed since the Internet became part of our lives, and the trends seem to exceed all predictions. Very soon, every device we use will be interconnected. This concept is not as new as it may seem. The term Internet of Things was proposed by Kevin Ashton in 1999, though the concept has been discussed since at least 1991. The Internet of Things (IoT) refers to uniquely identifiable objects and their virtual representations in an Internet-like structure.

Taking this aspect into consideration, it is utterly important to address information security. Sometimes shortened to InfoSec, this is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.). One of its branches, IT security, refers to information security applied to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory. Such devices can range from non-networked standalone devices as simple as calculators, to networked mobile computing devices such as smartphones and tablet computers. IT security specialists are almost always found in any major enterprise or establishment, due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber-attacks, which often attempt to break into critical private information or gain control of the internal systems. On the other hand, information assurance is the act of ensuring that data is not lost when critical issues arise. These issues include, but are not limited to, natural disasters, computer or server malfunction, physical theft, or any other instance where data has the potential of being lost. Since most information is stored on computers in our modern era, information assurance is typically dealt with by IT security specialists.

There is, indeed, a need for security and, consequently, the demand for information security analyst jobs has increased. Franklin University reports that in 2010 there were 82,253 job openings related to Information Security. That same year, 5,400 students completed programs in Information Security. Although that seems overwhelming, the demand is still on a growing trend. According to usnews.com, the information security analyst job is ranked 4th among the best technology-related jobs in 2014 and 11th among all jobs. This is a consequence of the fact that this is a very challenging job in an ever-changing industry.

The most important role and responsibility of an information security analyst is to maintain the security and integrity of the client’s data. It is worth mentioning that the client can be internal or external. This is an important aspect and, for a better understanding, examples of both will be provided. In the case of an internal client, this can refer to the HR or financial department of a company, which relies on the information security analysts’ department to protect the confidentiality, integrity and availability of the data. On the other hand, as the trend of IT services outsourcing is rapidly growing, IT services providers saw the opportunity and began developing external security operations centers. Put in practice, this means that instead of dealing with the challenges of security itself, a law firm will delegate a security dedicated company to protect its assets.

The security dedicated employee must, at first, analyze the current security measures of the client and determine their effectiveness. Furthermore, the analyst should work with business administrators as well as IT professionals to communicate the flaws and recommend effective changes. As documentation is a key aspect in every field, the security enthusiast must assist with creating documentation for processes for preventing, detecting and mitigating incidents. Everyone is aware of the fact that without a target, an employee, a department and the entire business do not know what to expect, so being able to develop reporting methods to be shared with the teams and the client about the efficiency of security policies, and to recommend changes, is critical.

The concept of continuous service improvement in information security might be more important than in other IT branches. As InfoSec has various verticals, training is a key point. Depending on the field in which the security enthusiast wants to improve, there are several training and certification paths. In such a domain the information changes on a daily basis, so, apart from being up to date and keeping on training, the analyst should be dedicated to knowledge sharing and always be able to organize and conduct training for colleagues. The various sub-categories of security always interconnect. Although an information security analyst is not necessarily the same as a vulnerability assessment analyst, the two are strongly interconnected. Recommendations for software or hardware changes should be made as a consequence of vulnerability discovery. Apart from the fact that the employee should be up to date with news in the field, it is very important that, after problem discovery and damage mitigation, they also thoroughly investigate the situation.

Security, in its various fields, is important for both small and huge businesses. As large enterprises have offices around the world, and malicious actors also come from all corners of the world, the information security analyst should be always on and ready to provide 24 x 7 support. Additionally, the security systems in place are always on, so the engineer should be able to interpret the information extracted from them and also communicate the obtained data intelligently. This comes as a consequence of the fact that, apart from being an analyst, the employee should also target the role of security consultant.

Consultancy comes, of course, with experience and knowledge, so firstly the analyst should keep informed and aware of the client’s culture, security strategies and goals, and build the capabilities. The most important result of being a consultant comes with applying defense in depth strategies to the client’s business. The unspoken rule of security is knowing what to protect, so asset classification and categorization is very important. Moreover, the analyst’s ability to prioritize threats, alerts, assets and tasks is critical. Part of prioritization is the ability to determine the escalation path: the sooner the security issue is properly escalated, the faster the threat is resolved and its effects mitigated.

Especially in the case of a security dedicated company providing the service, communication is a key factor. The reason is that analysts are dedicated to various clients, so knowledge sharing is more important than it looks. It will be no surprise when an attacker who failed to penetrate one company uses the same methods against another, so observing trends and patterns might prove to be the step ahead that makes the difference. For building relationships and trust, recurrent meetings between analysts, and between analyst and client, must be put in place. False alerts are also part of a security analyst’s day-to-day work and, as harmless as they might seem, the large amount of noise they generate makes the engineer fail to see the real threats. This aspect was introduced here because it is highly related to communication. For example, during a maintenance window or a transition, security systems might trigger numerous denial of service alerts; if this had been communicated beforehand, the analyst would not waste time digging for the root cause. Last but not least in this respect is feedback.

As a summary, in my opinion, this is the most challenging job that one might have. Although it may seem hard and demanding at first, it is very important to understand that information security analysts are not alone. Apart from knowledge sharing between them, security engineers are backed up by security systems, monitoring tools, etc. These are mapped to all levels of defense in depth strategies. Moreover, the information security analyst is backed up by specialists in the various security verticals: vulnerability assessment, forensics, data loss prevention, penetration testing, network security and so on. Lastly, I would like to underline that the information security analyst should be a self-starter security enthusiast, always up to date with security news, concepts, threats and trends.

As previously discussed, the Information Security field has various sub-domains and consequently there are numerous jobs separated by vertical. InfoSec Institute divides them as follows: Network Analyst, Database Administrator, Software Developer, Systems Engineer, Network Engineer, Web App Developer, Security Analyst, Business Analyst, Technical Manager, CISO or Director of Security, CTO, Information Systems Manager, Penetration Tester, Computer Forensics Investigator or Forensic Analyst, Vulnerability Security Research Engineer, Security Auditor, Security Architect, Incident Responder, Disaster Recovery Manager, Computer Crime Investigator, Malware Analyst and Project Manager. It is clear that all the previously presented jobs are related to information security, which just makes things even more interesting. However, only some of them are 100% dedicated to this field on a day-to-day basis. To be more precise, we would say that everyone should be security conscious. Furthermore, this emphasizes the fact that security awareness programs should be a critical program in any company.

The InfoSec domain divides its certifications into vendor-neutral and vendor-specific ones. When referring to vendor-neutral training programs, we are taking into consideration companies that provide certifications which do not directly target a product from a dedicated vendor. The most relevant example would be the CISSP title, which stands for Certified Information Systems Security Professional. This is said to be the best certification program in the field and it is given by (ISC)². The International Information Systems Security Certification Consortium ((ISC)²) is a non-profit organization which specializes in information security education and certifications, and it has been described as the “world’s largest IT security organization”.

On the other hand, various companies, apart from services and products, provide training programs dedicated to their tools. The most relevant example in this case would be Cisco. This, in fact, also applies to the information security field. Security systems vendors such as Qualys, BlueCoat, Sourcefire and CheckPoint provide training programs and certification paths dedicated to their in-house developed tools.

Figure: Sourcefire Security Certification Program

In the next part of this article we will develop further the certification paths aspect of information security. This will describe an approach to getting into the Application Security area of expertise. It has a wide target audience, described as follows:

Target Audience

Quality Assurance

Individuals who work in the QA field can focus on the security aspect of application testing. This will be an extension of their current knowledge and can prove to be a step forward on the penetration testing path, keeping in mind that their work involves testing applications from the black box perspective.

Service Desk

People who have started in enterprise organizations by offering support on different tools and services can advance their career by entering the security domain of expertise. In corporate environments, people who work in the service desk are the missing links in managing enterprise security tools, closing tickets and responding to alerts.

Development

Throughout the years, application development has evolved into a mature and complex area of expertise. Today developers have clear roles and specific parts of a product to which they are dedicated. It was just a matter of time before developers started to take into consideration the security aspect of application development. It is recommended for developers to get a security certification that will enable them to deliver more secure applications.

Managers

Since application security and infrastructure security have become key pillars in the IT domain, professionals are gathered into teams to deliver complex security services, such as security consulting, threat management, auditing, etc. These professionals require strong leadership that can listen and adapt to business needs, support the team in achieving its goals and offer tailored security services.

Others

The table remains open to anyone who wants to get into security, and a certification is a great way to start learning new things and to be recognized for your skills.

Table: Security Personnel and the corresponding Certifications (not reproduced here)

It is worth mentioning that these are only a few of the certifications in the field, but they might prove to be the most relevant. A wider spectrum of certifications strictly related to security, divided by certification provider, is the following:

(ISC)²
  • CISSP: Certified Information Systems Security Professional
  • CISSP-ISSAP: Information Systems Security Architecture Professional
  • CISSP-ISSEP: Information Systems Security Engineering Professional
  • CISSP-ISSMP: Information Systems Security Management Professional
  • SSCP: Systems Security Certified Practitioner
  • CAP: Certified Authorization Professional
  • CSSLP: Certified Secure Software Lifecycle Professional

ISACA
  • CISA: Certified Information Systems Auditor
  • CISM: Certified Information Security Manager
  • CGEIT: Certified in the Governance of Enterprise IT
  • CRISC: Certified in Risk and Information Systems Control

GIAC
  • GSEC: Security Essentials
  • GCIH: Certified Incident Handler
  • GCIA: Certified Intrusion Analyst
  • GPEN: Penetration Tester
  • GCFW: Certified Firewall Analyst
  • GWAPT: Web Application Penetration Tester
  • GCWN: Certified Windows Security Administrator
  • GAWN: Assessing and Auditing Wireless Networks
  • GCUX: Certified UNIX Security Administrator
  • GISF: Information Security Fundamentals
  • GCED: Certified Enterprise Defender
  • GXPN: Exploit Researcher and Advanced Penetration Tester
  • GCFA: Certified Forensic Analyst
  • GREM: Reverse Engineering Malware
  • GCFE: Certified Forensic Examiner
  • GSLC: Security Leadership
  • GISP: Information Security Professional
  • G2700: Certified ISO-27000 Specialist
  • GCPM: Certified Project Manager
  • GSSP-JAVA: Secure Software Programmer - Java
  • GWEB: Certified Web Application Defender
  • GSSP-.NET: Secure Software Programmer - .NET
  • GSNA: Systems and Network Auditor
  • GLEG: Legal Issues in Information Technology & Security

EC-Council
  • C|EH: Certified Ethical Hacker
  • C|HFI: Computer Hacking Forensic Investigator
  • E|CSA: Certified Security Analyst
  • L|PT: Licensed Penetration Tester
  • E|CSP: Certified Secure Programmer
  • E|DRP: Certified Disaster Recovery Professional
  • C|CISO: Certified Chief Information Security Officer
  • C|SCU: Certified Secure Computer User
  • E|CIH: Certified Incident Handler
  • E|NSA: Network Security Administrator

Cisco
  • CCNA Security: Cisco Certified Network Associate Security
  • CCNP Security: Cisco Certified Network Professional Security
  • CCIE Security: Cisco Certified Internetwork Expert Security

Offensive Security
  • OSCP: Offensive Security Certified Professional
  • OSWP: Offensive Security Wireless Professional
  • OSCE: Offensive Security Certified Expert
  • OSEE: Offensive Security Exploitation Expert
  • OSWE: Offensive Security Web Expert

CompTIA
  • SMSP: Social Media Security Professional
  • Security+
  • CASP: CompTIA Advanced Security Practitioner

Microsoft
  • MTA Security Fundamentals: Microsoft Technology Associate: Security Fundamentals
  • MCSE: Security: Microsoft Certified Server Expert: Security

CheckPoint
  • CCSA: Check Point Security Administration
  • CCSE: Check Point Certified Security Expert

As additional relevant information, the cost of the certification exams ranges from $150 to $10000!

Entry Level Security Certifications

These certifications are targeted at a wide audience, from students in their final year of education to professionals working in other domains who want to get into the security area of expertise. A good path to knowledge starts with the basics; therefore an individual has to have an understanding of software applications and networking (Microsoft Technology Associate: Networking Fundamentals). The next step is to get a security certification such as:

  • Microsoft Technology Associate: Security Fundamentals
  • CompTIA Security+
  • Cisco Certified Network Associate Security
  • GIAC Security Essentials

Most of these certifications require a single exam and the certification is granted for life, apart from the GSEC, which requires recertification after 4 years.

Intermediate Level Security Certifications

Certifications at this level are targeted at individuals who already work in InfoSec; more than that, there are certifications for each area of expertise. Certifications such as Systems Security Certified Practitioner are aimed at individuals who want to get a better understanding of managing and supporting the overall security posture and policies of an organization.

Those who work actively in the application penetration testing field should target technical certifications such as the Certified Ethical Hacker or the Offensive Security Certified Professional. These certifications require high technical skills and are recognized worldwide as a standard for penetration testers.

For programmers there is the EC-Council Certified Secure Programmer. Individuals who get this certification have a more secure approach to application development and are able to enhance the security level, lower the overall risks and mitigate any vulnerabilities that might arise during the application lifecycle.

Expert Level Security Certifications

Certifications at this level are targeted at IT professionals serious about their careers in information security. Certified individuals at this level are decision makers and possess expert knowledge and technical skills necessary to develop, guide and then manage security standards, policies and procedures within their organizations.

Recertification is required after two to five years, depending on the certification. Here we want to highlight some of the certifications most highly sought after by IT security professionals and well recognized by IT organizations:

  • Certified Information Systems Security Professional
  • EC Council Certified Security Analyst
  • ISO 27001

We are living in a world of continuous development, and that is no secret now. Consequently, everyone should be improving their skill set and always be up to date. It is clear that we should be the best in what we do in order to be proud of what we do. Personally, we are driven by the motto: learn and work until you no longer need to introduce yourself. This applies to all jobs in this entire world, but mostly we see its applicability in the IT industry.

Information gathered from:

http://www.infosecinstitute.com/jobs/security-analyst.html

https://www.linkedin.com/job/q-information-security-analyst-jobs

http://en.wikipedia.org/wiki/Information_security

http://en.wikipedia.org/wiki/Internet_of_Things

http://www.franklin.edu/information-security-bachelors-degree-program

http://www.eccouncil.org/Training/conference-and-events

http://www.infosecinstitute.com/jobs.html

http://en.wikipedia.org/wiki/(ISC)%C2%B2

http://www.sourcefire.com/services/certification

http://www.isaca.org/CERTIFICATION/Pages/default.aspx

http://www.tomsitpro.com/articles/information-security-certifications,2-205.html

https://www.isc2.org/credentials/Default.aspx

http://www.concise-courses.com/security/certifications-list/

http://certification.about.com/od/securitycerts/a/seccertessentls.htm

http://www.offensive-security.com/information-security-certifications/

http://www.networkworld.com/article/2170044/security/7-it-security-skills-certifications-on-the-rise.html

http://www.csoonline.com/article/2123834/business-continuity/the-security-certification-directory.html?page=3

http://www.eccouncil.org/Certification

http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

http://greenwireit.com/blog/2013/03/20/complete-list-it-security-certifications/
