Authors: Ionut – Daniel BARBU & Cristian PASCARIU
Published: IJISC Volume 3, Issue 1, Year 2014
The Internet of Things is a concept dating back to 1991 and refers, in fact, to a scenario where everything is connected to the Internet. The idea of having everything interconnected, and moreover connected to the Internet, is becoming more and more common nowadays, and futurologists are becoming quite realistic when they admit that everything, from the car to house appliances, from body characteristics such as temperature to the automatic pet feeder, will be connected to the World Wide Web. In this world a critical aspect emerges: that of information security. We are becoming more and more reluctant to provide information that relates to us, but what if that information is taken without our knowledge, and what if we are a large enterprise with valuable intellectual property? This is one of the main reasons why the demand for jobs in the Information Security field is growing extremely rapidly. IT security specialists are almost always found in any major enterprise or establishment due to the nature and value of the data within larger businesses. This article details the Information Security related jobs, thoroughly studying the InfoSec analyst role. Moreover, it highlights the critical importance of training and certification programs.
Some time has already passed since the Internet became part of our lives, and the trends seem to exceed all predictions. Very soon, every device we use will be interconnected. This concept is not as new as it may seem. The term Internet of Things was proposed by Kevin Ashton in 1999, though the concept has been discussed since at least 1991. The Internet of Things (IoT) refers to uniquely identifiable objects and their virtual representations in an Internet-like structure.
Taking this aspect into consideration, it is utterly important to address information security. Sometimes shortened to InfoSec, this is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc.). One of its branches, IT security, refers to information security applied to technology (most often some form of computer system). It is worthwhile to note that a computer does not necessarily mean a home desktop. A computer is any device with a processor and some memory. Such devices can range from non-networked standalone devices as simple as calculators to networked mobile computing devices such as smartphones and tablet computers. IT security specialists are almost always found in any major enterprise or establishment due to the nature and value of the data within larger businesses. They are responsible for keeping all of the technology within the company secure from malicious cyber-attacks, which often attempt to breach critical private information or gain control of internal systems. On the other hand, information assurance is the act of ensuring that data is not lost when critical issues arise. These issues include, but are not limited to, natural disasters, computer or server malfunction, physical theft, or any other instance where data has the potential of being lost. Since most information is stored on computers in our modern era, information assurance is typically dealt with by IT security specialists.
There is, indeed, a need for security and, consequently, the demand for information security analyst jobs has increased. Franklin University reports that in 2010 there were 82,253 job openings related to Information Security. That same year, 5,400 students completed programs in Information Security. Although that may seem overwhelming, the demand is still on a growing trend. According to usnews.com, the information security analyst job is ranked 4th among the best technology-related jobs in 2014 and 11th among all jobs. This is a consequence of the fact that this is a very challenging job in an ever-changing industry.
The most important role and responsibility of an information security analyst is to maintain the security and integrity of the client's data. It is worth mentioning that the client can be internal or external. This is an important distinction, and for a better understanding examples of both will be provided. In the case of an internal client, this can refer to the HR or financial department of a company, which relies on the information security analysts' department to protect the confidentiality, integrity and availability of its data. On the other hand, as the trend of IT services outsourcing is rapidly growing, IT service providers saw the opportunity and began providing external security operations centers. Put into practice, this means that instead of dealing with the challenges of security itself, a law firm will delegate the protection of its assets to a dedicated security company.
The dedicated security employee must first analyze the client's current security measures and determine their effectiveness. Furthermore, the analyst should work with business administrators as well as IT professionals to communicate the flaws and recommend effective changes. As documentation is a key aspect in every field, the security enthusiast must assist with creating documentation for the processes of preventing, detecting and mitigating incidents. Everyone is aware that without a target, an employee, a department and the entire business do not know what to expect, so being able to develop reporting methods to be shared with the teams and the client about the efficiency of security policies, and to recommend changes, is critical.
The concept of continuous service improvement might be more important in information security than in other IT branches. As InfoSec has various verticals, training is a key point. Depending on the field in which the security enthusiast wants to improve, there are several training and certification paths. In such a domain the information changes on a daily basis, so apart from staying up to date and continuing to train, the analyst should be dedicated to knowledge sharing and always be able to organize and conduct training for colleagues. The various sub-categories of security always interconnect. Although an information security analyst is not necessarily the same as a vulnerability assessment analyst, the two are strongly interconnected. Recommendations for software or hardware changes should be made as a consequence of vulnerability discovery. Apart from the fact that the employee should be up to date with news in the field, it is very important that after problem discovery and damage mitigation they also thoroughly investigate the situation.
Security, in its various fields, is important for both small and huge businesses. As large enterprises have offices around the world, and malicious actors also come from all corners of the world, the information security analyst should be always on and ready to provide 24 x 7 support. Additionally, the security systems in place are always on, so the engineer should be able to interpret the information extracted from them and also communicate the obtained data intelligently. This is a consequence of the fact that apart from being an analyst, the employee should also target the role of security consultant.
Consultancy comes, of course, with experience and knowledge, so first they should keep informed and aware of the client's culture, security strategies and goals, and build the capabilities. The most important result of being a consultant comes with applying defense in depth strategies to the client's business. The unspoken rule of security is knowing what to protect, so asset classification and categorization is very important. Moreover, the analyst's ability to prioritize threats, alerts, assets and tasks is critical. Part of prioritization is the ability to determine the escalation path: the more promptly a security issue is properly escalated, the faster the threat is resolved and its effects mitigated.
Especially in the case of a dedicated security company providing the service, communication is a key factor. The reason is that analysts are dedicated to various clients, so knowledge sharing is more important than it looks. It will be no surprise when an attacker who failed to penetrate one company uses the same methods against another, so observing trends and patterns might prove to be the step ahead that makes the difference. For building relationships and trust, recurrent meetings between analysts, and between analyst and client, must be put in place. False alerts are also part of a security analyst's day-to-day work and, as harmless as they might seem, the large amount of noise they generate makes the engineer fail to see the real threats. This aspect is introduced here because it is highly related to communication. For example, during a maintenance window or a transition, security systems might trigger numerous denial of service alerts; if this had been communicated beforehand, the analyst would not waste time digging for the root cause. Last but not least, in this case, is feedback.
As a summary, in my opinion, this is the most challenging job that one might have. Although it may seem hard and demanding at first, it is very important to understand that information security analysts are not alone. Apart from knowledge sharing among themselves, security engineers are backed up by security systems, monitoring tools, etc. These are mapped to all levels of the defense in depth strategies. Moreover, the information security analyst is backed up by specialists in the various security verticals: vulnerability assessment, forensics, data loss prevention, penetration testing, network security and so on. Lastly, I would like to underline that the information security analyst should be a self-starter security enthusiast, always up to date with security news, concepts, threats and trends.
As previously discussed, the Information Security field has various sub-domains and, consequently, there are numerous jobs separated into verticals. InfoSec Institute divides them as follows: Network Analyst, Database Administrator, Software Developer, Systems Engineer, Network Engineer, Web App Developer, Security Analyst, Business Analyst, Technical Manager, CISO or Director of Security, CTO, Information Systems Manager, Penetration Tester, Computer Forensics Investigator or Forensic Analyst, Vulnerability Security Research Engineer, Security Auditor, Security Architect, Incident Responder, Disaster Recovery Manager, Computer Crime Investigator, Malware Analyst and Project Manager. It is clear that all the jobs listed are related to information security, which just makes things even more interesting. However, only some of them are 100% dedicated to this field on a day-to-day basis. To be more precise, we would say that everyone should be security conscious. Furthermore, this emphasizes the fact that security awareness programs should be a critical program in any company.
The InfoSec domain divides its certifications into vendor-free and vendor-directed ones. When referring to vendor-free training programs, we are taking into consideration companies that provide certifications which do not directly target a product from a dedicated vendor. The most relevant example would be the CISSP title, which stands for Certified Information Systems Security Professional. This is said to be the best certification program in the field and it is awarded by (ISC)². The International Information Systems Security Certification Consortium ((ISC)²) is a non-profit organization which specializes in information security education and certifications, and it has been described as the "world's largest IT security organization".
On the other hand, various companies provide, apart from services and products, training programs dedicated to their tools. The most relevant example in this case would be Cisco. This, in fact, also applies to the information security field. Security systems vendors such as Qualys, BlueCoat, Sourcefire and CheckPoint provide training programs and certification paths dedicated to their in-house developed tools.
In the next part of this article we will elaborate on the certification paths aspect of information security. This will describe an approach to getting into the Application Security area of expertise. It has a wide target audience, described as follows:
Individuals who work in the QA field can focus on the security aspect of application testing. This will be an extension of their current knowledge and can prove to be an advance along the penetration testing path, keeping in mind that their work involves testing applications from the black box perspective.
People who have started in enterprise organizations offering support on different tools and services can advance their career by entering the security domain of expertise. In corporate environments, people who work in the service desk are the missing link in managing enterprise security tools, closing tickets and responding to alerts.
Throughout the years, application development has evolved into a mature and complex area of expertise. Today developers have clear roles and specific parts of a product to which they are dedicated. It was just a matter of time before developers started to take into consideration the security aspect of application development. It is recommended for developers to get a security certification that will enable them to deliver more secure applications.
Since application security and infrastructure security have become key pillars in the IT domain, professionals are gathered into teams to deliver complex security services, such as security consulting, threat management, auditing, etc. These professionals require strong leadership that can listen and adapt to business needs, support the team in achieving its goals and offer tailored security services.
The field remains open to anyone who wants to get into security, and a certification is a great way to start learning new things and to be recognized for your skills.
It is worth mentioning that these are only a few of the certifications in the field, but they might prove to be the most relevant. A wider spectrum of certifications strictly related to security, grouped by certification provider, is the following:
| Provider | Certification | Full name |
|---|---|---|
| (ISC)² | CISSP | Certified Information Systems Security Professional |
| (ISC)² | CISSP-ISSAP | Information Systems Security Architecture Professional |
| (ISC)² | CISSP-ISSEP | Information Systems Security Engineering Professional |
| (ISC)² | CISSP-ISSMP | Information Systems Security Management Professional |
| (ISC)² | SSCP | Systems Security Certified Practitioner |
| (ISC)² | CAP | Certified Authorization Professional |
| (ISC)² | CSSLP | Certified Secure Software Lifecycle Professional |
| ISACA | CISA | Certified Information Systems Auditor |
| ISACA | CISM | Certified Information Security Manager |
| ISACA | CGEIT | Certified in the Governance of Enterprise IT |
| ISACA | CRISC | Certified in Risk and Information Systems Control |
| GIAC | GCIH | Certified Incident Handler |
| GIAC | GCIA | Certified Intrusion Analyst |
| GIAC | GCFW | Certified Firewall Analyst |
| GIAC | GWAPT | Web Application Penetration Tester |
| GIAC | GCWN | Certified Windows Security Administrator |
| GIAC | GAWN | Assessing and Auditing Wireless Networks |
| GIAC | GCUX | Certified UNIX Security Administrator |
| GIAC | GISF | Information Security Fundamentals |
| GIAC | GCED | Certified Enterprise Defender |
| GIAC | GXPN | Exploit Researcher and Advanced Penetration Tester |
| GIAC | GCFA | Certified Forensic Analyst |
| GIAC | GREM | Reverse Engineering Malware |
| GIAC | GCFE | Certified Forensic Examiner |
| GIAC | GISP | Information Security Professional |
| GIAC | G2700 | Certified ISO-27000 Specialist |
| GIAC | GCPM | Certified Project Manager |
| GIAC | GSSP-JAVA | Secure Software Programmer - Java |
| GIAC | GWEB | Certified Web Application Defender |
| GIAC | GSSP-.NET | Secure Software Programmer - .NET |
| GIAC | GSNA | Systems and Network Auditor |
| GIAC | GLEG | Legal Issues in Information Technology & Security |
| EC-Council | C\|EH | Certified Ethical Hacker |
| EC-Council | C\|HFI | Computer Hacking Forensic Investigator |
| EC-Council | E\|CSA | Certified Security Analyst |
| EC-Council | L\|PT | Licensed Penetration Tester |
| EC-Council | E\|CSP | Certified Secure Programmer |
| EC-Council | E\|DRP | Certified Disaster Recovery Professional |
| EC-Council | C\|CISO | Certified Chief Information Security Officer |
| EC-Council | C\|SCU | Certified Secure Computer User |
| EC-Council | E\|CIH | Certified Incident Handler |
| EC-Council | E\|NSA | Network Security Administrator |
| Cisco | CCNA Security | Cisco Certified Network Associate Security |
| Cisco | CCNP Security | Cisco Certified Network Professional Security |
| Cisco | CCIE Security | Cisco Certified Internetwork Expert Security |
| Offensive Security | OSCP | Offensive Security Certified Professional |
| Offensive Security | OSWP | Offensive Security Wireless Professional |
| Offensive Security | OSCE | Offensive Security Certified Expert |
| Offensive Security | OSEE | Offensive Security Exploitation Expert |
| Offensive Security | OSWE | Offensive Security Web Expert |
| CompTIA | SMSP | Social Media Security Professional |
| CompTIA | CASP | CompTIA Advanced Security Practitioner |
| Microsoft | MTA Security Fundamentals | Microsoft Technology Associate: Security Fundamentals |
| Microsoft | MCSE: Security | Microsoft Certified Server Expert: Security |
| CheckPoint | CCSA | Check Point Security Administration |
| CheckPoint | CCSE | Check Point Certified Security Expert |
As additional relevant information, the cost of the certification exams ranges from $150 to $10,000!
Entry Level Security Certifications
These certifications are targeted at a wide audience, from students in their final year of education to professionals working in other domains who want to get into the security area of expertise. A good path to knowledge starts with the basics, and therefore an individual has to have an understanding of software applications and networking (Microsoft Technology Associate: Networking Fundamentals). The next step is to get a security certification such as:
- Microsoft Technology Associate: Security Fundamentals
- CompTIA Security+
- Cisco Certified Network Associate Security
- GIAC Security Essentials
Most of these certifications require a single exam and the certification is granted for life, apart from GSEC, which requires recertification after 4 years.
Intermediate Level Security Certifications
Certifications at this level are targeted at individuals who already work in InfoSec; moreover, there are certifications for each area of expertise. Certifications such as the Systems Security Certified Practitioner are aimed at individuals who want to get a better understanding of managing and supporting the overall security posture and policies of an organization.
Those who work actively in the application penetration testing field should target technical certifications such as the Certified Ethical Hacker or the Offensive Security Certified Professional. These certifications require high technical skills and are recognized worldwide as a standard for penetration testers.
For programmers there is the EC-Council Certified Secure Programmer. Individuals who obtain this certification take a more secure approach to application development and are able to enhance the security level, lower the overall risks and mitigate any vulnerabilities that might arise during the application lifecycle.
Expert Level Security Certifications
Certifications at this level are targeted at IT professionals serious about their careers in information security. Certified individuals at this level are decision makers and possess the expert knowledge and technical skills necessary to develop, guide and then manage security standards, policies and procedures within their organizations.
Recertification is required after two to five years, depending on the certification. Here we want to highlight some of the most sought-after certifications among IT security professionals, well recognized by IT organizations:
- Certified Information Systems Security Professional
- EC Council Certified Security Analyst
- ISO 27001
We are living in a world of continuous development, and that is no secret now. Consequently, everyone should be improving their skill set and always be up to date. It is clear that we should be the best at what we do in order to be proud of what we do. Personally, we are driven by the motto: learn and work until you no longer need to introduce yourself. This applies to all jobs in the entire world, but we mostly see its applicability in the IT industry.