Category: Human Aspects

Human aspects of security including social engineering.

Careers, Concepts, Human Aspects, Security Education

Choosing your Cybersecurity Career Path

Posted on by Ron Woerner

  • Landing and keeping a job in cybersecurity
  • What’s best for your Cybersecurity career: certification or a degree?
  • Strategic (GRC) vs. Tactical (Technical) career paths

I’m often asked by folks entering the cybersecurity career field, “How do I land (or keep) a job in cybersecurity?” and “Should I get a degree in cybersecurity or focus on certifications?” The bottom line is that there is no one answer that fits everyone. As with most things in life, it depends. Where you are at in your career, life’s journey (i.e., age), financial resources and your own ambitions are all things to consider. In this post, I’ll cover options in hopes of helping you understand the benefits of each and how you can grow your career as a cybersecurity professional. This is part 2 of my series on Breaking into Cybersecurity.

From a career or professional perspective, information security (aka cybersecurity or information assurance) is now a stable and growing profession. Information security jobs are expected to increase by 28 percent through 2026, according to the Bureau of Labor Statistics (BLS). With all the opportunity, landing a cybersecurity job can still be tricky trying to meet the laundry list of requirements that are often looking for the optimal candidate who walks on water.

Below are some steps for you to determine certs or degree and help you build your cyber career:

  1. Pick a path. There are two main categories of cybersecurity careers: Strategic and Tactical.
    1. Strategic includes Governance, Risk, and Compliance (GRC), Policy, IT Audit, security frameworks and management.
    2. Tactical includes everything technical: security systems administration, networking, application security, security operations, incident response, vulnerability management, and penetration testing.

Pick the one where you have the most strengths. If you love playing with technology, go tactical. If you’re more prone to management and process, consider strategic. A word of caution: don’t try to do both and be a jack of all cybersecurity trades. Folks in this position (like me) are often seen as a master of none and are disqualified from many jobs. I’ve been told dozens of times that I’m too technical for strategic jobs and not technical enough for tactical. By the way, picking one over the other does not mean you won’t need to know how the other side works. Strategic needs to understand technology and tactical needs to get business risk. The Cyber Seek website (https://www.cyberseek.org/pathway.html) contains a list of careers for each path.

  1. Determine your education path. This is how you will reach the goal of getting the cybersecurity job of your choice. Cybersecurity degrees and certifications each have benefits and costs. Both can be used to open doors on cybersecurity careers.
    1. Degree – Expand or gain knowledge over time. With a degree you learn how to learn. This is crucial in the ever-changing cyber world. You’ll also gain additional professional skills like communications, leadership and management. Another positive for education is that a degree is forever and does not require any upkeep. It will get you in the HR screening process door if an IT degree is a particular job requirement. It indicates that you have the work ethic to complete something. Of course, it comes at a cost; both time and money. An inexpensive education option in the United States are 2-year schools (aka community colleges). The National Security Agency (NSA) designates 2 and 4-year schools as Centers of Academic Excellence in Cyber Defense. See https://www.nsa.gov/resources/students-educators/centers-academic-excellence/.
    2. Certification – Establish your credibility. Certifications show you have knowledge in a specific area or indicates that you have the subject matter expertise. If you’re just starting in cybersecurity, the CompTIA Security+ (http://bit.ly/2Ei6Xtw) is the perfect place to start. It covers the basics, without requiring you have extensive knowledge or experience. Certifications based on a point in time and require continuing certification. The benefit is that you can often take a 1-week boot camp or watch a video series like Cybrary and complete the certification exam shortly after. This can be a low-cost option for many.
  1. Practical Experience / Practice. Getting certifications or a degree does not guarantee a job. You must continually practice what you’ve learned and build on that knowledge. This should come from both practical experience and personal practice.
    1. Experience. For many cybersecurity jobs, this matters more than degrees or certifications. For those who are new to the cybersecurity career field, start in a help/service desk or security operations center (SOC). These are great ways to gain positive professional experience learning how cybersecurity operates within an organization. You can also gain experience by volunteering to fix or security computers for a community group (e.g., senior center, religious organization, etc.). In return, ask for a reference. By the way, you don’t have to start in cybersecurity. All careers can teach about professionalism and how organizational operations. These can provide much-needed perspective outside of technology.
    2. Practice & Do Your Homework. Cybersecurity is a career where you must keep learning and relearning to stay relevant and keep your skills sharp. I often tell my students, “Homework begins after you graduate” and “The real test is in the real world (not in the classroom).” You flunk a test in school, you can still graduate. You flunk a test irl (in real life), you won’t get the job or get to keep your job. This means you need to keep learning. Take advantage of sites like Cybrary that provide free videos on many aspects of security.
      1. For the strategic / GRC track, you need to read a lot about cybersecurity. Study the latest frameworks (NIST, CSC), laws and regulations (PCI, HIPAA, GDPR, State Laws, etc.). Read security news like krebsonsecurity.com.
      2. For the tactical / technical track, practice your skills. You should have a home lab environment with physical equipment, virtual machines or both. You can do much of this for very little cost. Learn Linux by getting a Raspberry Pi or load VMWare or VirtualBox. Learn how to hack and protect yourself.

No matter the path, you need to:

  1. Be aware of the other side. If you’re tactical / technical, you still need to understand strategic / business, and vice versa.
  2. Network (the human kind). Join security groups in your community like ISSA, ISACA, ISC2, OWASP, Infragard, etc. This is a great way to meet other passionate cybersecurity professionals. These groups may also provide mentors to help you chose your path and keep your skills sharp through continual learning.

This is just a short tutorial on building your cybersecurity career. Like in the Matrix, you need to pick a path (the red pill or the blue pill / strategic or tactical / education or certification) and move towards your goals.

If you chose not to decide, you still have made a choice. Don’t let the choice be made for you.

Human Aspects, Security Education, Security Management

Breaking into Security – 2015

Posted on by Ron Woerner

One of the common questions I am asked is, “How do I get a job in information security?”  Infosec continues to be a hot career field with many job opportunities.  Therefore, we continue seeing people who are interested, but don’t know the steps it takes to gain employment in information security.  This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question of how I got started in security.  It all started as a computer science major at Michigan State University. I was also in Air Force ROTC.  This combination allowed me to start developing my security mindset.  As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator where I learned how to apply technical controls to protect the systems and its data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s not generally an entry level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity.  Traits to be successful in cybersecurity include:

  • Curiosity – A wonder on how and why things work
  • Critical Thinking – goes with #1. You need to go beyond the obvious
  • Communications skills – you can find the coolest things, but if you can’t effectively let others know, it’s like a tree falling in the forest
  • Technical Skills – You need to know your way around a computer
  • Maturity – Stuff happens. You need to be able to keep your head when all h311 is breaking lose.

The security community has a vast number of articles on breaking into the security career field.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago. Things really haven’t changed over the years.  The career path still requires education, training, experience, and persistence.

As an extra, added bonus, here’s a 3 ½ minute Ted talk from Richard St. John: 8 secrets of success http://www.ted.com/talks/richard_st_john_s_8_secrets_of_success.html (Watch for his explanation of CRAP).  It’s great, general information on how to succeed in any career.

1
Human Aspects, Security Education, Security Management

The best of times and worst of times in security education

Posted on by Ron Woerner

[Note: This article was originally posted on the ‘Educating Next-Gen Cybersecurity Leaders‘ blog on CSOOnline.com.]

“It was the best of times. It was the worst of times.” No, I’m not talking about Dickens’ A Tale of Two Cities. I’m talking about the Internet Age where we have powers beyond our ancestor’s imagination literally at our fingertips. We can work, play, and communicate from almost anywhere and anytime. The flip side is the dangers where people, systems, and data are breached on an all-too-frequent basis. Since you’re reading this, none of it is new to you. What may be new is how Education Technology is rapidly evolving to meet the needs of both students and industry, which epitomizes the best of times and the worst of times.

As a security professional, you may not be aware of all that’s happening in the world of Education Technology (#EdTech) and how it affects the security community. Teachers are using a wide variety of tech tools from smartphones and tablets to Internet applications like Google Docs, Twitter, Edmodo, Udemy, etc. Classrooms are being flipped to be student-focused rather than the traditional ‘sage on the stage’ lecture. The cloud has reached the classroom to where students learn from almost anywhere, anytime from any computing platform. Academic institutions at all levels (K-12, colleges, and universities) are scrambling to keep up with the rapid pace of technology.

Study after study shows we’re lacking combatants on the cyber battlefield to take up both offensive and defensive roles. Steve Morgan’s Cybersecurity Business Report validates this need in the posts Cybersecurity job market to suffer severe workforce shortage and Worldwide cybersecurity market continues its upward trend. He offers some solutions such as, “parents sending their kids to cybersecurity school,” and “getting a Master’s Degree in Cybersecurity.” However, there are underlying issues preventing these from being complete solutions.

One is the disconnection between what’s required by the security industry and what’s currently provided in academia. The body of knowledge for cybersecurity professionals requires such a wide berth that covering all of those areas at any depth is nearly impossible in the traditional classroom. Educators are forced to focus on some areas, while dropping others. They usually pick what’s easiest to teach in the classroom or their interest area or specialty, rather than what’s most needed in the ‘real-world.’

Then there’s the issue of developing essential professional skills such as hands-on technical know-how, real-world problem solving, and fundamental collaboration / communications abilities. Standardized, multiple choice (guess) tests only go so far. Creating and then grading assignments to meet these needs is much easier said than done. Educators at all levels need to be connected with industry professionals to understand and meet the burgeoning needs of not only what’s being taught, but also how.

There are many great activities promoting the next generation of security leaders. Conferences are getting kids involved in safe arenas to learn cybersecurity and practice their skills. Examples include the RSA Conference’s Cyber Safety Village, R00tz held in conjunction with BlackHat/DefCon, and the Hak4kidz conferences.

Cyber competitions promoting both offensive and defensive skills are also available to students from elementary school up through graduate studies. Examples of this area include US CyberPatriot, the ISC2/MITRE Cyber Challenge 2015, and National Collegiate Cyber Defense Competition (CCDC).  Dr. Dan Manson from California State Polytechnic University, Pomona, is consolidating information on the Cybersecurity Competition Federation website.

If you have a cybersecurity competition or kids’ event you’d like promoted in this blog, please let me know.  More information on all of these resources will be coming in future posts.

We have many opportunities to work together to solve this problem of developing more and better students with cyber savvy skills. We need you to join us in educating, training, and preparing the next generation of security leaders.

Human Aspects, Online Safety Tips, Security Education, Security Management, Threat Modeling

My Tweets from the 2014 RSA Conference

Posted on by Ron Woerner

The RSA 2014 Conference took place in San Francisco February 24-28.  It’s the top gathering of information security and risk professionals in the world with over 25,000 attendees.  I had the privilege to attend (and lead a CISO panel).  While I was there, I used twitter (@ronw123) to record my thoughts of the sessions and events.  Below is a snapshot with commentary:

Security Awareness and education was a common theme throughout the conference.  The industry is finally realizing it’s about the humans and people will always be the weakest security link

@ddkirsch: Heard at #RSAC — Even my Mom knows that #HTTPS isn’t a plural of HTTP. #ITsecurity” < too bad
so many moms, dads, & kids don’t

Chris Hadnagy (@humanhacker & Social-Engineer.org) talked about, “Social Engineering: When the Phone is More Dangerous than Malware.”  

Wow! Even @humanhacker got caught w/ phishing. It can happen to you. There are no stupid users, just uneducated
ones. @SocEngineerInc

@humanhacker @SocEngineerInc showing stats from . Scary. But there’s hope. 🙂

Jack Jones (@JonesFAIRiq) had a great presentation titled, “Ending Risk Management Groundhog Day.”  He didn’t even realize that there was a running panel from 2008-2010 that I was on with the name “Security Groundhog Day” (2008, 2009, 2010).  Jack is the father of FAIR and provides great ideas for proactively using risk management practices to manage security.

Get off the “Hamster Wheel of Pain.” Stop repeating past errors. @JonesFAIRiq @alexhutton [Note: I’ve learned
that this comes from “The Phoenix Project”]

@JonesFAIRiq “Policies need to be clear, concise, and useful… & written to a 9th grade level.”

@JonesFAIRiq “We’re really good at fixing symptoms, but not root causes.” #1problem is asking the right questions about risk.

Info Risk Mgmt Groundhog Day. Dude… Really… Again. It’s déjà Vu all over again.

Presentations on risks and threats are now commonplace at the RSA Conference. Here are thoughts on talks by Adam Shostack (@adamshostack), Pete Lindstrom (@SpireSec), and Andy Ellis (@csoandy).

@adamshostack talking New Foundations of Threat Modeling. Asking & answering 4 questions about threat modeling and the right ways to find good threats. [Note: He has a new book out on Threat Modeling.]

@SpireSec just mentioned the Hand Rule (see en.wikipedia.org/wiki/Calculus_).
So few security / risk professionals know anything about it.

@SpireSec – Being a contrarian in security makes you normal. Meaning we seek the truth even if it may hurt.

@csoandy: The true problem of a Prisoner’s Dilemma Scenario is that it disregards the Game Manager.” < tying Game Theory to security

NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014.  Of course, this generated a few comments:

The NIST Cybersecurity Framework, Here we are *again* writes @georgevhulme, Engage
#infosec

News from #RSAC – DHS working with MS-ISAC on offering managed security services to state/local gov’t who adopt Cybersecurity framework.

The National Cyber Security Alliance (NCSA) held a twitter session where they asked pointed questions on encouraging kids to StaySafeOnline.

@StaySafeOnline & others are great! The material is there. It’s getting it out to people who need it the most. #securitychat #ChatSTC

Should there be a license to drive on the Information Superhighway? IOW: Required Education? #securitychat #ChatSTC

We need to challenge more Cybersecurity professionals to get out and educate. Make it required for certifications? #SecurityChat #ChatSTC

@STOPTHNKCONNECT #securitychat #ChatSTC A7: Reach the kids at their level. Don’t talk down to them. Challenge them to teach their parents.

Of course, one of the hot topics was NSA Surveillance: 

“Understanding NSA Surveillance: The Washington View #RSAC” < what’s legal may not be wise – said by both Hayden & Clarke

We need a real debate at #RSAC on the NSA, not pontificating and opinions. High School Debate did it last Nov. see bit.ly/MZJVrQ.

Last, but hardly least is my frustration in the opening keynote of attendees spending their time on their devices and not meeting others.

Listen #RSAC peeps! Stop playing with your phones and start meeting someone new. The greatest minds in Cybersecurity are
here.

These are my quick, but not complete thoughts. No doubt they will lead to many blogs in the future.

Human Aspects, Online Safety Tips, Security Education, Security Management

Security for the Real World – Password Policies

Posted on by Ron Woerner

Passwords suck.  They always have; they always will.  But we’re stuck with them.  They are the cheapest and easiest means of user authentication.

With passwords, come the ubiquitous password policies.  This post addresses two of them seen at most organizations*:
1. Thou shalt not share they password.
2. Thou shalt not write down thy password.

* “Thou shalt” isn’t usually used in policies.  I’m using it for effect.

There are many problems with these rules.  First, they are almost impossible to enforce, unless it’s a really small organization or you have a large police force.  Second, they are often violated by the top echelon in the company.  How many CEO’s share their account with their admin?  Are you going to tell the CEO that he’s violating the company policy?  That’s a CLM (Career Limiting Move) if you ask me.

Rules like the ones above are to protect the organization, not the employee.  They cannot be enforced, except when something bad happens.  Then, the enforcer can point to the policy and report the violation.  I call it a “speed limit” policy, which are good to follow, but aren’t continually nor consistently enforced.

Here’s the key to making those policies work: make the user responsible for his/her account.  The policy statement would then be, “All users are responsible for protecting their login credentials from unauthorized access like they would protect any other corporate asset.”  This puts the onus on the user.  If someone gains unauthorized access to the user’s account because he/she didn’t follow the rules, then the user is accountable.  They are guilty until they can prove themselves innocent.  If someone (like the CEO) wants to share their account, they can as long as they realize that’s it’s them who will be held responsible for any actions taken by the other party.

With so many passwords to remember, people need to write them down.  Telling people not to just isn’t realistic.  Some use a password vault application.  Others use a piece of paper.  Both are fine as long as it’s rigorously protected.  It’s fine for people to write down their passwords as long as they store it in a very safe location.  My mom has a piece of paper with all of her passwords on it in a desk drawer in her apartment.  I’m fine with it, since I may need it one day as her power of attorney.  Her apartment is in a secure facility, so the risk is minimal.  There’s a lot bigger risk of her becoming incapacitated and me not having access to her accounts.

That’s what it comes down to: understanding RISK and establishing Accountability.  What are the risks associated with the actions?  Who’s responsible?  Answer those and you make a cognitive decision that’s both realistic and enforceable.

Human Aspects, Online Safety Tips, Security Education

Happy Safer Internet Day

Posted on by Ron Woerner

Tuesday, February 7, 2012 is Safer Internet Day (SID).  It’s an international event organized to promote safer and more responsible use of online technology and mobile phones, especially amongst the younger generation. We have so many netizens who are unaware of the dangers in the new Internet age.  The only solution is constant and consistent education.

Some of the statistics provided  on the website are telling:

  • 26 per cent of children report having a public social networking profile.
  • Children of all ages are lacking digital skills –confidence is often not matched by skill!
  • 12 per cent of European 9-16 year olds say they have been bothered or upset by something on the internet…
  • …however, 56 per cent of parents whose child has received nasty or hurtful messages online are not aware of this.
  • One in eight parents don’t seem to mediate their children’s online activities…
  • …while 56 per cent of parents take positive steps such as suggesting to their children how to behave towards others online.
  • 44 per cent of children think that parental mediation limits what they do online, 11 per cent say it limits their activities a lot.

One aspect that I find fascinating is that this is a global problem.  Kids worldwide are encountering the same problems that we see here in the United States.  Wesites like SaferInternetDay.org and StaySafeOnline.org provide a large amount of useful information to help folks be secure online.  It’s all free and readily available for anyone who wants it.

It’s great to see a worldwide effort like this. I just wonder how we can better spread the word and educate not only our kids, but everyone.

Human Aspects, Online Safety Tips, Security Education

Congratulations – You are a WINNER!

Posted on by Ron Woerner

Everyone wants to be a winner. You may have seen the pop-up or big letters on a webpage announcing that you have won an iPad2, $1000, or some other grand prize.  All you need to do is “Click here to win your prize!”  It seems simple and harmless, but you should know where it is taking you, what you’re giving up, and what could be loaded on your computer. 

Users are taken to these sites when they mistype well known domain names such as wikipedia.com, amazon.com, and youtube.com.  (I’ll let you conduct your own research, but you can see a list here: http://www.bfk.de/bfk_dnslogger.html?query=69.6.27.100#result. They all resolve to the same IP address. I don’t want anyone accidently clicking on a link to a bad site.  Proceed at your own risk!)   

I’ve included a screenshot as an example:

Example of winning page

To “claim” your prize, you need to enter much of your personal information on a site whose origin is questionable.

Some of these websites even have their own form of privacy policies stating exactly what they’d do with your personal information.  Basically, once you give it to them, they can do with it as they please.

They can sell it, give it away, or use it without ever informing you or asking further permission.  They can even perform further background checks on you.  Since you agree to the policy when you click submit, there may be nothing you can do to stop them; especially if the site owners are in another country.

To avoid this type of fraud, it’s important to remember, “Stop. Think. Click.” from staysafeonline.org. The Protect Yourself website (http://www.staysafeonline.org/in-the-home/protect-yourself) contains a number of great tips to help all webizens. From that website, comes this: 

“Use your judgment about what you post about yourself on Internet sites. When any site requests information about you, ask these questions:

  • Who is asking?
  • What information are they asking for?
  • Why do they need it?

Think about the amount and detail of information being requested.”

Another good website on Identity Theft protection is from the U.S. Federal Trade Commission (FTC): http://www.ftc.gov/bcp/menus/consumer/data/idt.shtm.  What other websites do you recommend? 

Are there other tips you recommend to keep yourself and others safe and secure online?  Feel free to leave comments below. 

Be aware when you surf and remember to “Trust, but verify.”