Careers, Concepts, Human Aspects, Security Education

Choosing your Cybersecurity Career Path

  • Landing and keeping a job in cybersecurity
  • What’s best for your Cybersecurity career: certification or a degree?
  • Strategic (GRC) vs. Tactical (Technical) career paths

I’m often asked by folks entering the cybersecurity career field, “How do I land (or keep) a job in cybersecurity?” and “Should I get a degree in cybersecurity or focus on certifications?” The bottom line is that there is no one answer that fits everyone. As with most things in life, it depends. Where you are at in your career, life’s journey (i.e., age), financial resources and your own ambitions are all things to consider. In this post, I’ll cover options in hopes of helping you understand the benefits of each and how you can grow your career as a cybersecurity professional. This is part 2 of my series on Breaking into Cybersecurity.

From a career or professional perspective, information security (aka cybersecurity or information assurance) is now a stable and growing profession. Information security jobs are expected to increase by 28 percent through 2026, according to the Bureau of Labor Statistics (BLS). Even with all that opportunity, landing a cybersecurity job can still be tricky: job postings often carry a laundry list of requirements written for an optimal candidate who walks on water.

Below are some steps to help you decide between certifications and a degree and to build your cyber career:

  1. Pick a path. There are two main categories of cybersecurity careers: Strategic and Tactical.
    1. Strategic includes Governance, Risk, and Compliance (GRC), Policy, IT Audit, security frameworks and management.
    2. Tactical includes everything technical: security systems administration, networking, application security, security operations, incident response, vulnerability management, and penetration testing.

Pick the one where you have the most strengths. If you love playing with technology, go tactical. If you’re more prone to management and process, consider strategic. A word of caution: don’t try to do both and be a jack of all cybersecurity trades. Folks in this position (like me) are often seen as a master of none and are disqualified from many jobs. I’ve been told dozens of times that I’m too technical for strategic jobs and not technical enough for tactical. By the way, picking one over the other does not mean you won’t need to know how the other side works. Strategic needs to understand technology and tactical needs to get business risk. The Cyber Seek website (https://www.cyberseek.org/pathway.html) contains a list of careers for each path.

  2. Determine your education path. This is how you will reach the goal of getting the cybersecurity job of your choice. Cybersecurity degrees and certifications each have benefits and costs. Both can be used to open doors on cybersecurity careers.
    1. Degree – Expand or gain knowledge over time. With a degree you learn how to learn. This is crucial in the ever-changing cyber world. You’ll also gain additional professional skills like communications, leadership and management. Another positive for education is that a degree is forever and does not require any upkeep. It will get you in the HR screening process door if an IT degree is a particular job requirement. It indicates that you have the work ethic to complete something. Of course, it comes at a cost: both time and money. An inexpensive education option in the United States is 2-year schools (aka community colleges). The National Security Agency (NSA) designates 2 and 4-year schools as Centers of Academic Excellence in Cyber Defense. See https://www.nsa.gov/resources/students-educators/centers-academic-excellence/.
    2. Certification – Establish your credibility. Certifications show you have knowledge in a specific area or indicate that you have the subject matter expertise. If you’re just starting in cybersecurity, the CompTIA Security+ (http://bit.ly/2Ei6Xtw) is the perfect place to start. It covers the basics without requiring you to have extensive knowledge or experience. Certifications are based on a point in time and require ongoing upkeep to stay current. The benefit is that you can often take a 1-week boot camp or watch a video series like Cybrary and complete the certification exam shortly after. This can be a low-cost option for many.
  3. Practical Experience / Practice. Getting certifications or a degree does not guarantee a job. You must continually practice what you’ve learned and build on that knowledge. This should come from both practical experience and personal practice.
    1. Experience. For many cybersecurity jobs, this matters more than degrees or certifications. For those who are new to the cybersecurity career field, start in a help/service desk or security operations center (SOC). These are great ways to gain positive professional experience learning how cybersecurity operates within an organization. You can also gain experience by volunteering to fix or secure computers for a community group (e.g., senior center, religious organization, etc.). In return, ask for a reference. By the way, you don’t have to start in cybersecurity. All careers can teach about professionalism and how organizations operate. These can provide much-needed perspective outside of technology.
    2. Practice & Do Your Homework. Cybersecurity is a career where you must keep learning and relearning to stay relevant and keep your skills sharp. I often tell my students, “Homework begins after you graduate” and “The real test is in the real world (not in the classroom).” If you flunk a test in school, you can still graduate. If you flunk a test irl (in real life), you won’t get the job or get to keep your job. This means you need to keep learning. Take advantage of sites like Cybrary that provide free videos on many aspects of security.
      1. For the strategic / GRC track, you need to read a lot about cybersecurity. Study the latest frameworks (NIST, CSC), laws and regulations (PCI, HIPAA, GDPR, State Laws, etc.). Read security news like krebsonsecurity.com.
      2. For the tactical / technical track, practice your skills. You should have a home lab environment with physical equipment, virtual machines or both. You can do much of this for very little cost. Learn Linux by getting a Raspberry Pi or loading VMware or VirtualBox. Learn how to hack and protect yourself.

No matter the path, you need to:

  1. Be aware of the other side. If you’re tactical / technical, you still need to understand strategic / business, and vice versa.
  2. Network (the human kind). Join security groups in your community like ISSA, ISACA, ISC2, OWASP, Infragard, etc. This is a great way to meet other passionate cybersecurity professionals. These groups may also provide mentors to help you choose your path and keep your skills sharp through continual learning.

This is just a short tutorial on building your cybersecurity career. Like in the Matrix, you need to pick a path (the red pill or the blue pill / strategic or tactical / education or certification) and move towards your goals.

If you chose not to decide, you still have made a choice. Don’t let the choice be made for you.

Careers, Concepts, Security Education

Breaking into Security Careers – 2018

Cyber Careers

Cybersecurity continues to be a hot career field with many job opportunities. This means more and more folks want to break into it. A common question I’m asked is, “How do I get a job in information security / cybersecurity?” We continue seeing people who are interested, but don’t know the steps it takes to start or extend a cyber career. This blog post answers the question, “How do I break into (the) security (career field)?” It’s updated from my 2014 and 2015 blogs.

Career Triad

To get hired as a security professional, you need a mix of experience, education, and certifications. It takes all three to not only land the job, but also be successful in it.

1. Education: With education, you learn how to learn. Cybersecurity is a vast field and it’s nearly impossible to know everything. You need to be able to learn and adapt quickly to new technologies, situations, and processes. Education also builds the soft skills of critical thinking and communications. It’s readily available both online and in-person through local universities and training partners like CyberVista or Cybrary.it. It’s hard to study on your own. These resources provide you with expert instruction and guidance to not only pass the certification exams but also gain knowledge to succeed as a security professional. When looking at formal education, seek out 2 or 4 year schools that are designated Centers of Academic Excellence in Cyber Defense by the NSA and DHS.

2. Experience: You gain experience and a fine-tuning of your abilities through work, volunteering and building your own home cyber playground. Almost every job today has an aspect touching technology. Do your homework and learn all you can about it. Ask others if you don’t know. It’s also easy and inexpensive to build your own home lab or playground. Finding an old computer or getting a Raspberry Pi and learning Linux is a great technical experience builder. You can also gain experience by volunteering to help secure a local non-profit, your church, or other community organization.

3. Certifications: IT certifications get your foot in the door and help you move up in your career by showing employers you have the skills they’re looking for. CompTIA Security+ is and has been the optimal starting point for security certifications. It helps you prove basic competency in topics such as threats, vulnerabilities, and attacks, system security, network infrastructure, access control, cryptography, risk management, and organizational security. Don’t stop there. Keep your career moving by building on it with other ones like the CompTIA cybersecurity certifications (CySA+, CASP, or PenTest+). CompTIA CySA+ and CompTIA PenTest+ delve further into the cybersecurity specialty, validating the complementary skills of offensive and defensive cybersecurity teams. If you’ve been in cybersecurity for a while and want to remain in a hands-on enterprise security, incident response and architecture role rather than moving into management, CASP is for you. Once you’ve gained five years of cyber experience with those certifications, you’ll be ready for advanced cybersecurity certs like (ISC)2’s CISSP or ISACA’s CISM or CISA.

Once you’ve decided that cybersecurity is for you, decide on your career track. Cybersecurity is both vast and wide and covers a myriad of jobs. Figure 1 shows the high-level cybersecurity careers. Don’t try to do or be everything for everyone. What cyber job excites you the most? In which one(s) do you have even a little knowledge and skill? Base your decision on your strengths, interests, experiences, and future goals.

Cybersecurity Career Paths

The NIST National Initiative for Cybersecurity Education (NICE) is a great resource for cybersecurity career information. The NICE Cybersecurity Workforce Framework, aka NIST Special Publication 800-181, is a nationally focused resource that categorizes and describes cybersecurity work. CyberSeek provides detailed data about supply and demand in the cybersecurity job market. Use it to see where and what the cyber jobs are through interactive maps and career pathways. NIST NICE provides numerous other resources invaluable to cybersecurity job seekers. The nice thing about these (pun intended) is that it’s all free.

Security Professional Traits

The following traits are common among successful cybersecurity professionals. Having each will differentiate you from others when you’re hunting for a job or looking for a promotion.

  • Curiosity – A wonder on how and why things work. All hackers are curious.
  • Critical Thinking – goes with #1. You need to go beyond the obvious and be able to analyze your environment to best fit business needs.
  • Communications skills – you can find the coolest things, but if you can’t effectively let others know, it’s like a tree falling in the forest. Build your ability to both write and speak. This is where education can help.
  • Technical Skills – You need to know your way around computers, networks, and applications. Understand what’s happening under the covers. You should build this both on-the-job and on your own.
  • Maturity – Stuff happens. You need to be able to keep your head when all h311 is breaking loose.

Each is discussed in more detail in Eric Steven Raymond’s epic paper from 2001, “How to Become a Hacker,” which should be required reading for all cyber professionals.

Join the Community

The last piece of advice is for you to join a local or national cybersecurity organization. ISSA, ISACA, (ISC)2, and OWASP have chapters throughout the world. They provide access to expert instruction on cybersecurity topics. There’s also tremendous power in networking (the human kind). Most jobs are found through someone you know. Plus, at their meetings, you can meet other passionate cybersecurity and IT professionals to help you jumpstart or extend your cybersecurity career.

For more ideas on breaking into cybersecurity careers, I recommend Launch Your Cybersecurity Career in 8 Steps from CompTIA: https://goo.gl/3aV74t.

Cybersecurity jobs are aplenty and it’s a great career. It’s up to each worker to set her/his own path. Use the ideas above and share others.

Concepts, Online Safety Tips, Security Management

Loose Lips Might Sink Ships

Are you watching what you are telling your neighbors?  Do you guard information in your care to make sure only those people with a need to know can see it? Hopefully, you’re not accidentally letting any secrets slip.  It could be disastrous if confidential information got out to your competitors.  It could hurt your sales, your stock price and your reputation.

It happens in a variety of ways: accidental disclosure, carelessness in storage and protection, and corporate espionage.  Many times, it happens because people are not always conscious about how they handle sensitive information.  Employees are often the greatest threat in the compromise of sensitive information.

Following the simple steps below will help assure your ship is not sunk by loose lips:

1. Know your information. Is the information you handle sensitive or confidential? What would be the damage if it got out to the public or one of your competitors?

2. Label sensitive, proprietary or confidential information.  You may know that the information is sensitive, but do your co-workers?  This is solved by labeling the document or data source as confidential.

3. Stop and think before doing anything with the information. You should be conscious of how you use the information and where you store it. Don’t share it with someone who doesn’t need to know.

4. Protect sensitive, proprietary or confidential information.  This is a separate article by itself. In general here are some things you can do:

  • Place it in a secure location (not the public folder or even your laptop hard drive).
  • Better yet, don’t store a copy outside of a protected area. Your PC’s hard drives are neither secure nor protected. If you don’t need a copy of a document, then don’t keep it on your computer.
  • Don’t send it to an outside email address unless absolutely necessary.
  • Encrypt it (using a tool like Microsoft BitLocker).
  • Remove any extra copies of sensitive documents.  Maintain originals in a secure location and get rid of all other copies.

5. Ask for help.  Work with your security department.  If you are the security department, ask for help from others.

6. Be on the lookout.  Inform security if you find sensitive information that you shouldn’t be able to see.  It’s not to get someone else in trouble, but to protect your company.  Security should collaborate with the originator to ensure its proper protection.

These may seem like simple ideas, but they are still overlooked. A little time in security now can save many headaches later.

Concepts, Security Assessments, Security Education, Security Management

What to do about Malware?

Viruses on our computers are about as prevalent as the common cold.  It’s not a matter of if you’ll get infected (or a cold), but when.  Cold remedies are a multi-billion dollar industry.  Anti-Virus (A/V) and malicious software (aka malware) defense and clean-up is quickly catching up.  There are a few good sources on A/V products that may help you decide the one that’s best for you (note: these are all for PC):

The thing with colds is that they usually go away on their own given 3-10 days (taking zinc early on helps, btw). That’s often not true with computer viruses. Anti-virus solutions aren’t 100% effective against all types of malware.

What can you do if your PC gets infected and your A/V product isn’t taking care of it? Below is an email from a student whose grandparents’ computer got infected, along with my response. It’s not intended to single out this student or his grandparents, but to use it as a case on how to respond when the inevitable infection hits.

From the student:

We shouldn’t get tunnel vision when protecting our homes and with all the emerging methods to breach security (e.g. bash bug), we have to stay diligent. Indeed the low hanging fruit is the one to get plucked. I talked with my fiancé’s grandparents this week and they have unfortunately fallen victim to a classic social engineering scam. Someone called the grandmother claiming to be a technician from her anti-virus software company. He then asked for various sensitive information from her (i.e. passwords, credit card numbers, etc.) and she naively gave up the information trusting this gentleman, when he told her that something was wrong with her computer.

Now every time she connects to the internet, this d%&$ has remote control over her PC. He contacts her saying that he will not give up control of the PC unless she pays him more money. I’m planning on doing some serious overhaul on their laptop the next time I visit.

My response:

This is a classic case of ransomware. Re-imaging the PC and starting with a clean slate is the only sure-fire way to get rid of the problem(s). Most companies now don’t even spend time trying to remove malware. They’ll just save any important files first and then re-image. This person should be able to boot to safe mode to grab any local files on the PC before they re-image it.

If the person has time and wants to experiment, she/he can use the SysInternals Suite tools to try to manually remove it. Have her/him watch the video, “Malware Hunting with Mark Russinovich and the Sysinternals Tools.” It’s a great way to learn how to effectively use the SysInternals Process Monitor, Process Explorer, and Autoruns, focusing on the features useful for malware analysis and removal. He makes it look easy.

Of course, there’s always Malwarebytes, Junkware Removal Tool, and Malicious Software Removal Tool. These may also remove the offending files.

(I’m assuming this is a Windows PC.)

What tools / techniques do you like to use for malware defense and removal?  Please comment and share your ideas.

Careers, Concepts, Security Education, Security Management

Why Aim for the Ground? Teaching our kids the right computer skills

We’re in a national crisis. Many kids know how to point and click, but they don’t know how the underlying technology works or worse yet, basics on how to keep themselves and their information safe online. This leads to bad choices. To make it worse, most teachers lack resources to teach technology to teenagers. In a talk at DerbyCon 2014, Professor Phil Fitzpatrick explains why our kids need to learn fundamental computer skills in a fun and ethical way; through education and competitions like CyberPatriot. It’s a discussion of why high school students should learn more than just simple computer applications and what security professionals can do to help.

Below are the problems as we see them:

–  The general public understands that most jobs out of high school are based in knowing and having IT skills. Yet, most parents hand off their kids starting in 6th grade assuming all areas of education are covered, especially technology.
–  High schools are trying to answer the call for more IT workers by adding technology classes to their curriculum. However, they don’t have a lot of room for a variety of courses because of school year length, teaching expertise and availability, and the nature of the school environment.
–  Kids only need to take one technology course to graduate, and they look for the easy “A” rather than what will help them with their careers.
–  Schools are challenged with keeping the curriculum and technology up to date to meet current needs.
–  High schools are more concerned with getting students ready for college or working by teaching necessary life skills.

There are solutions available:

–  Establish technology academies in schools that teach a variety of cyber skills, not just what’s on the computer science AP test.
–  Provide courses in application development, systems and network administration, database management, and cybersecurity.
–  Encourage teachers to build their knowledge base on different computer skills needed by industry.
–  Use grants to ensure technology is up to date.
–  Promote competitions and clinics like US CyberPatriot (http://www.uscyberpatriot.org/).
–  If you’re an IT or Cybersecurity Professional, become a mentor. These kids need someone with experience to help guide them in the journey. They’re not looking for an expert, just someone who cares. AND it’s very rewarding for the mentor.

Lastly, educate yourself. Here are some links to get you started:

–  Cybersecurity’s hiring crisis: A troubling trajectory – http://www.zdnet.com/cybersecuritys-hiring-crisis-a-troubling-trajectory-7000032923/
–  Developing the Next Generation of Cyber Leaders – http://www.serco-na.com/docs/materials/2012-cisse-nextgencyber.pdf
–  DoE: Science, Technology, Engineering, and Math: Education for Global Leadership – http://www.ed.gov/stem
–  Cyber-Security, IAS and the Cyber Warrior – http://www.cisse.info/archives/category/29-papers?download=297:p11-2012
–  High School 12-Week Cybersecurity eLearning Pilot – http://www.cisse.info/archives/category/29-papers?download=295:p09-2012
–  Secure Coding Education: Are We Making Progress? – http://nob.cs.ucdavis.edu/~bishop/papers/2012-cisse/seccode.pdf
–  Where are the STEM Students? – http://www.stemconnector.org/sites/default/files/store/STEM-Students-STEM-Jobs-Executive-Summary.pdf
–  ACM: Toward Curricular Guidelines for Cybersecurity – http://www.acm.org/education/TowardCurricularGuidelinesCybersec.pdf

Also see the previous post, “Hacker High – Why we *need* to teach hacking in school.”

Please help be part of the solution by promoting cyber education in your community.

Concepts, Online Safety Tips

Stop the Insanity – Use Multifactor Authentication

Albert Einstein defined insanity as, “doing the same thing over and over again and expecting different results.” Isn’t that exactly where we are today with passwords? We keep using the same method for protecting ourselves online, but it’s not working. How many times this year have you had to change your password because of a breach?
Well let’s see… There was the Heartbleed bug forcing users to change passwords on numerous sites… Michaels… AutoNation… Spotify… and now eBay… All in the last 4-5 months.

This is a royal pain for anyone, but especially the uninformed user. Many use the same password across sites. When there’s a breach, they receive a notification to change their password. But it’s not only for that one site/service. It’s for all of the others where they used that same password. Now, this poor user needs to remember which sites had that same password. Then they need to go to that site, find where they change their password and enter a new one. It’s a lot of work. Oh, and “Who wants my account anyway?”… Let’s be honest, most people won’t go through the trouble…

The bottom line is that PASSWORDS SUCK! There’s just no other way to say it. They’ve sucked for years, but yet they’re still the major form for authenticating ourselves online. They’re cheap and easy for both the user and the service provider.
Yet time and time again, we see they’re not safe. Passwords alone don’t provide the level of protection needed on the world wild web.

There is hope! Many online sites are now providing multi-factor authentication. This allows users to easily secure their accounts using the standby password (something you know) tied to a second factor: something you have (a physical token, chip, fob, or phone), something you are (your voice or fingerprint) or somewhere you are (your home location). Adding this second factor provides you with added security and will save you the hassle of having to change your password when the site’s security is invariably breached.

StopThinkConnect (http://stopthinkconnect.org/) has made it very easy for users to learn more. Their new site (http://stopthinkconnect.org/campaigns/details/?id=460) and campaign “Two Steps Ahead: Protecting Your Digital Life” provides a single place to learn how to enable two-factor authentication. But Wait! There’s more!* This one site has links to many other popular sites (e.g., Google, Outlook, Facebook, Tumblr, Twitter, etc.) where you can easily set up two-factor authentication. It’s easy and convenient right from this one site.

UPDATE: There’s one other site you need to be aware of: http://twofactorauth.org/.  It’s a crowdsourced site started by a researcher from Iowa State University.  It’s a comprehensive list of what websites and services use 2-Factor Authentication (2FA) and which ones don’t.

Please, help stop the insanity. Take the time to set up two-factor authentication. Share this with others. Let’s move together to a more secure tomorrow.

*Sorry if I sound like an infomercial. It really is a great site.

Concepts, Security Education, Security Management

My Security Bookshelf

I was recently asked, “What books, articles, websites, blogs, or videos do you recommend for those just beginning in Cybersecurity?”
It’s a great question with many answers. Too bad you can’t just come to my office and look on my bookshelf…

There are many reading and viewing options for cybersecurity.  The challenge isn’t the lack of material, but the overabundance (which is a good topic for another blog post).
The following resources are great for all levels of cybersecurity professionals.

Blogs & websites:

– Bruce Schneier on Security: https://www.schneier.com/
– Dark Reading: http://www.darkreading.com/
– CSO Online: http://www.csoonline.com/
– Threatpost: http://threatpost.com/

Videos:

– RSA Conference 2014 On-Demand Sessions: http://www.rsaconference.com/events/us14/downloads-and-media/video-index
– TED Talks Playlist, Who are the hackers? – http://www.ted.com/playlists/10/who_are_the_hackers.html
– TED Talk, Bruce Schneier: The security mirage: http://www.ted.com/talks/bruce_schneier.html
– Cambridge Ideas, Professor Risk (Dr. David Spiegelhalter): http://www.youtube.com/watch?v=a1PtQ67urG4

Books:

– “The Cuckoo’s Egg,” Clifford Stoll
– “Secrets & Lies,” Bruce Schneier
– “The Art of Deception,” Kevin Mitnick
– “Spies Among Us,” Ira Winkler

Book Reviews & Commentary:

– At the 2014 RSA Conference, Rick Howard of Palo Alto Networks gave a talk titled, “The Cybersecurity Canon: Must-Reads.” You can also find the list of his favorite cyber/security books on his Terebrate blog at http://terebrate.blogspot.com/2014/02/books-you-should-have-read-by-now.html.

– Ben Rothke, a well-known security guru / speaker / writer, provides numerous book reviews for RSA including The Best New Books from RSA Conference 2014.  You can see all of his RSA blog posts at www.rsaconference.com/blogs?keywords=rothke.

The time you spend on these resources will be well spent in developing yourself as a cybersecurity professional.  If you have one you think is missing, please provide a reply or email me.

Concepts, Security Assessments, Threat Modeling

Threat Modeling – What’s the worst that can happen?

A threat is defined as “a person or thing likely to cause damage or danger.”  Threats are all around us, but we shouldn’t treat all threats as equal.  Too often we fail to identify threats because they aren’t readily apparent or we consider them to be too small.

Threats and vulnerabilities are both part of the overall risk equation.  While organizations are getting better at identifying and fixing weaknesses, many still don’t understand the potential threat landscape.  We’ve all heard, “Oh no one would ever want to attack us. We’re so small and our systems have no value.”  I can hear Target saying that about their HVAC systems. Malicious hackers can use anything connected to a production network in order to gain access.  It shouldn’t be assumed that a small target means it can’t be hit.

All organizations should conduct assessments to understand the multitude of threats they face both in and out of their cybersystems. Threat modeling is still a new arena in security, but it’s gaining in prevalence.  In CSOOnline (http://www.csoonline.com/), George V. Hulme has an article, “Can threat modeling keep security a step ahead of the risks?” where he makes a case for more effective threat modeling. He references how a CISO uses threat modeling to understand the organization’s risks, prioritize security spending, and focus security efforts.

Adam Shostack is also calling for increased threat awareness. In his book coming out on Feb 17, “Threat Modeling: Designing for Security,” he explores various threat modeling approaches, explains how to test system designs against threats, and describes effective ways to address threats that have been validated at many top companies.

What does this mean for you?  As security professionals, we conduct threat modeling throughout our career.  That’s why we take the time to study threat modeling and apply it.

Careers, Concepts, Security Education, Security Management

Breaking into Security

One of the common questions I am asked is, “How do I get a job in information security?”  Infosec continues to be a hot career field with many job opportunities.  Therefore, we continue seeing people who are interested, but don’t know the steps it takes to gain employment in information security.  This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question of how I got started in security.  It all started as a computer science major at Michigan State University. I was also in Air Force ROTC.  This combination allowed me to start developing my security mindset.  As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator where I learned how to apply technical controls to protect the systems and its data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s not generally an entry level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity. The security community has a vast number of articles on breaking into the security career field.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago. Things really haven’t changed over the years.  The career path still requires education, training, experience, and persistence.

As an extra, added bonus, here’s a 3 ½ minute Ted talk from Richard St. John: 8 secrets of success http://www.ted.com/talks/richard_st_john_s_8_secrets_of_success.html (Watch for his explanation of CRAP).  It’s great, general information on how to succeed in any career.

Concepts, Security Management

Is it time for Security Ratings of Software and Systems?

One of the fundamental papers in the Information Security industry is “The Protection of Information in Computer Systems” written by Jerome Saltzer and Michael Schroeder in the mid-1970s. This paper defines eight design principles to ensure the safety, security, and functionality of computer systems and applications. It’s timeless, as those principles still apply today. If you haven’t seen it yet, Adam Shostack of Emergent Chaos does a great job in his blog of explaining the Saltzer and Schroeder Design Principles and equating them to something almost everyone can understand: Security in Star Wars.

One of the ideas that comes out of it is the concept of “work factor” and the fire/safety ratings on safes. Safes are classified by Underwriters Laboratory for their ability to protect their contents from both fire and burglars. The rating expresses the degree to which a safe will protect its contents. There are both construction and performance requirements. The former defines the minimum specifications for the container. The latter defines how long the safe must withstand a burglary attempt. You can read more about it here: http://www.maximumsecurity.com/safes/pc/Burglary-Fire-Rating-Guide-d92.htm.

This idea isn’t new. A DARPA research report from 2001 presents it from a scientific standpoint: “Adversary Work Factor as a Metric for Information Assurance.” In this paper, Schudel and Wood present the hypothesis, “that adversary work factor is a quantifiable metric that yields valuable insights into the relative strengths and weaknesses of modern complex information systems.” The authors go on to develop an approach for observing and reporting adversary work factors for information systems.

It’s time we used the same approach in Cybersecurity. The UL rating system is a standard that’s long been in use in the physical world. Why not begin to follow it in the cyber world?  The IT industry should consider creating construction and performance standards for all computer systems and applications. An unbiased, standardized security work factor rating would allow consumers to understand the safety of an application or system to determine if it fits into their risk appetite.

Why reinvent the wheel?