Which Security Career is Right for You?

Security is a growing field, and with its growth come many different career options. As you gain experience in different security areas, you may choose to further specialize or move into management in that area. Some security roles include analyst, network security engineer, auditor, computer forensics and penetration testing.

Analyst

Security analysts interpret security information from within the organization and from outside entities and make recommendations to management. They review security logs and data collectors for organizational systems and alert colleagues to potential threats. Some analysts work in a Network Operations Center (NOC), where information from data collectors is consolidated and presented for ongoing review and decision-making. They also review current security standards and recommend methods and controls to maintain a consistent information security risk level within the organization. Analysts are generally detail oriented, organized and thorough.

Network Security Engineer

Network security engineers implement controls as defined by management or required by regulations. They are responsible for configuring a variety of technologies including perimeter defense systems such as firewalls and intrusion detection systems; authentication systems such as directory services, remote authentication, and biometric systems; and encryption services. Network security engineers often have a background in information systems and networking.

Security Auditor

Security auditors are responsible for assessing whether adequate security controls are in place in an organization in order to satisfy regulatory requirements and organizational risk thresholds. They may work as consultants providing auditing services to clients. Auditors may use multiple methods for assessing controls: observations involve reviewing control documentation, corroboration relies upon interviews and statements of those responsible for controls, while inspection relies on direct control review. Auditors may also test controls by conducting simulations. Auditors are generally detail-oriented, pragmatic and methodical.

Computer Forensics

Computer forensics professionals such as forensic investigators or analysts collect digital evidence from devices such as computers, hard drives, phones and flash media. They follow a strict process that ensures original evidence is not modified and that a chain of custody documenting each interaction with the evidence is maintained. Computer forensics professionals analyze the data on devices, including data in deleted areas, memory or unused portions of media to find data relevant to an investigation. They may also be required to testify in court regarding their findings. Major tools used in computer forensics include Guidance Software’s EnCase, Access Data’s Forensic Toolkit (FTK) and Cellebrite.

Penetration Testing

Penetration testers assess the security of a system by attempting to break into it. Penetration testing occurs only after the owning entity of the system provides authorization for testing to be performed. The attacks used and vulnerabilities discovered are documented along with appropriate remediation steps. Major tools used in penetration testing include Metasploit, Nmap, OpenVAS and Kali. Penetration testers are generally very creative, adventurous and curious about how systems work.

Security Management

Security managers coordinate activities in their area of responsibility. They ensure that those in their department have tasks to accomplish and the resources to complete those tasks. Security managers ensure that costs stay within budgets and approve or make recommendations on new equipment purchases or staffing changes. Security managers also provide leadership and coaching to their departments while interfacing with other executives to coordinate activities and communicate the status of ongoing work. Security managers may be responsible for areas such as a Network Operations Center (NOC), Security Operations Center (SOC), penetration testing team, auditing department, incident response, system analysis, or other areas.

Managers are sometimes promoted from within a department or may come from a business or project management background in another field. If you wish to get into management, gain familiarity with an information security discipline and then begin developing your project management and leadership skills.

You are in for an exciting career no matter which role you choose. Consider your own personality and think about which of these areas appeals to you. One element common to all these roles is continual learning. The security field is constantly changing, and you will need to stay abreast of these changes to be effective in your role.

Continue reading

Risk Homeostasis and its impact on risk reduction

Gerald Wilde had a theory called risk homeostasis.  This theory hypothesizes that people have a level of acceptable risk.  When they perceive that there is less risk, they will take more risky actions to bring them to an acceptable level and when they perceive more risk, they will be more cautious.  Information security is very concerned with managing risk and reducing it to an organizationally acceptable level.  However, an organization is made up of many people and they may have a different level of acceptable risk than the organization does.  If the theory of risk homeostasis is applied to information security, individuals will take riskier actions when the organization implements controls to make them safer or when they perceive the environment to be safer.

This has far reaching ramifications for those in information security because the perceptions of risk by the individual may differ greatly from the actual risk.  Despite awareness of information security breaches in the news and the overwhelming statistics that a data breach is likely, people still have difficulty accepting that a breach could happen to them.  It all comes down to perceptions.  With Wilde’s theory, if a high risk is perceived then users will be more cautious and that is where the security minded organization wants to be.  So the question is, does the risk homeostasis theory hold water and if so, how do organizations manage perceptions in information security?

 

Information Security Compliance: ISO 27000

ISO 27000 is a set of security standards that organizations can implement to provide an industry-recognized minimum level of security.  ISO 27000 came out of the BS (British Standard) 7799, originally published in 1995 in three parts.  The first part of BS 7799, dealing with the best practices of information security, was incorporated in ISO 17799 and made part of the ISO 27000 series in 2000.  Part two, titled “Information Security Management Systems – Specification with Guidance for Use” became ISO 27001 and dealt with the implementation of an information security management system.  The third part was not incorporated into the ISO 27000 series.  Similar to ISO’s 9000 series, which focuses on quality, ISO 27000 is an optional accreditation that can be used to show that an organization meets a specified level of information security maturity.

Overview of the ISO 27000 sections

The six parts to the 27000 series each deal with a different area of an Information Security Management System (ISMS).  This document will briefly outline each section and then concentrate on ISO 27001, the section that details the requirements for ISMS.  An overview of what the series deals with can be found in the table below.

ISO 27000 Series

ISO27001 ISMS Requirements
ISO27002 ISMS controls
ISO27003 ISMS implementation guidelines
ISO27004 ISMS Measurements
ISO27005 Risk Management
ISO27006 Guidelines for ISO 27000 accreditation bodies

As can be seen in the table above, ISO 27001 details the actual requirements for businesses to comply with the ISO 27000 standard.  ISO 27002 builds on ISO 27001 by providing a description of the various controls that can be utilized to meet the requirements of ISO 27001.  ISO 27003 provides details on the implementation of the standard including project approval, scope, analysis, risk assessment, and ISMS design.  ISO 27004 outlines how an organization can monitor and measure security about the ISO 27000 standards with metrics.  ISO 27005 defines the high-level risk management approach recommended by ISO and ISO 27006 outlines the requirements for organizations that will measure ISO 27000 compliance for certification.

Series contents

The ISO 27000 series provides recommendations for “establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System” (http://www.27000.org).  The standard can be broken down into the following sections:

  • Risk assessment – a quantitative or qualitative approach to determining the risks to organizational assets. The degree of risk is based on the impact to the asset and the likelihood of occurrence.
  • Security policy – formal statements that define the organization’s security expectations.
  • Asset management – inventory and classification of information assets.
  • Human resources security – security aspects for employees joining, moving within or for those leaving an organization.
  • Physical and environmental security – physical/tangible systems used to protect systems and data such as alarm systems, guards, office layout, locked doors, keypads, cameras, etc..
  • Communications and operations management – management of technical security controls in systems and networks.
  • Access control – restriction of access rights to networks, systems, applications, functions and data; maintaining the confidentiality of access credentials and the integrity of access control systems.
  • Information systems acquisition, development, and maintenance – building security into applications when they are designed or purchased.
  • Information security incident management – planning and responding appropriately to information security breaches.
  • Business continuity management – protecting, maintaining and recovering business-critical processes and systems when they become unavailable.

Certification process

Within the ISO 27001 document, there are specifications to which a company’s ISMS can be submitted for potential certification.  The certification process begins after an accredited organization finds that the corporation has met the requirements as outlined in ISO 27001.  Once this body determines that the company has complied with the requirements of ISO 27001, the certification is granted.  Certification must be renewed every three years and is subject to audits.

Benefit to business

Compliance with the ISO standards provides companies with a credential which demonstrates that the business is in conformity with the requirements of this well-recognized standard.  It also gives employees and clients more assurance that their data is safe with the enterprise.  In some cases, companies may require ISO certification to do business.  The ISO 27000 standard contains many useful recommendations and businesses are encouraged to familiarize themselves with the recommendations, even if they do not plan on becoming certified.  The acquisition of the standard does cost money to obtain; however, qualified compliance practitioners can assist with the preparation for the compliance effort.

Summary

ISO 27000 is comprised of six parts outlining the requirements for certification, guidelines for achieving the requirements, and guidelines for accrediting organizations. The standard provides many useful recommendations for companies seeking certification as well as those merely interested in improving their security.  Similar to the ISO 9000 quality standard, ISO 27000 is optional, but it may soon be a business requirement.

Paranoid, Skeptical, Cheater Wanted for Security Position: Compensation Commensurate with Experience

As you laugh at my title, anticipating several paragraphs of satire, think about what I’ve just said because I’m serious…to a degree.  These traits, mostly viewed in a negative light, can also be harnessed to deliver better security solutions.  Just remember that little trick of moderation.  Observe.

The Paranoid:

The first of these unlikely traits is paranoia.   Security professionals are called to be somewhat distrustful of people and wary of their actions.   The security professional’s circle of trust is limited because he or she must be watchful for suspicious or malicious activities that could constitute a threat to company employees, data, and systems.  After all, insiders represent one of the largest threats to information security.  Combined with proper security training, this individual will raise the level of security in a company thus saving a company headaches and hardships down the road.   While a multitude of threats needs to be considered, not all may be acted upon.  This is where paranoia must be moderated by logic by using a risk-based approach for recognizing threats and then determining the likelihood of each occurring and their impact on the organization.

To elaborate, the paranoid security professional considers many possibilities that others might not.  For each of these possibilities, no matter how far-fetched they might seem, they must determine if it presents a real threat to the organization by assessing the likelihood and impact.  If the threat does present an unacceptable risk to the organization, action will need to be taken to reduce the probability of the threat, minimize the impact or transfer the risk by implementing a security control or changing a process, etc.  Many things considered by the paranoid might be quickly eliminated because they do not present enough of a threat but the act of identifying such things will enable your organization to be better prepared.

Mark Burnett provides a further illustration in his article Security for the Paranoid.  He says,

“I frequently see people posting PGP signed e-mails to security mailing lists…they just make it a practice to sign every e-mail, no matter how trivial it might be.  Sure, these people are signing e-mails when it’s really not important, but I doubt they get caught not signing when it is important.”

In other words, security professionals who always practice security will not neglect it accidentally when it is necessary.  It is important to be vigilant.  For example, locking your computer every time you step away from it will prevent you from accidentally not locking it one day.  You may think you will only grab a cup of coffee and be right back but what happens if you are pulled into a meeting before you get back to your desk?  In other words, it is better to create the habit of security when it is not necessary to be secure when it is needed.  At JURINNOV we call it our Security Pattern.  Such “paranoid” security professionals, who consider all options, execute caution and practice security always can be a great asset to your team.

The Skeptic:

The second of our rather marginalized set of personality traits is skepticism.   The skeptic does not take the claims of software, hardware, vendors or even users at face value.  The skeptic understands that software claims are often idealized and that equipment may not perform to specifications, so they consider ways to ensure availability when such problems do occur.  Similarly, when a user gives a reason for a security violation, the skeptical security professional tests the theory to determine if that is indeed the cause or if something else is wrong.

The skeptic questions assumptions and seeks confirmation of claims.  A recent article from the US Air Force Academy, titled Promoting Skepticism in the Security Classroom, not only recognized the importance of skepticism in security but advocated a project geared to promote skepticism.  The project taught students about how digital signatures could be used to validate the identity of others but then tricked them into downloading malware that sent digitally signed messages from their machines to the professor without their knowledge.  The experience caused them to be more skeptical and to consider that only digitally signing emails is not enough to ensure the authenticity of the message.

Skeptical security professionals avoid many pitfalls in implementing security solutions because they do not assume security where it is not present.  They confirm that security solutions work as expected, they perform procedures to handle failure cases, and they understand the implications of changes made to systems.

The Cheater:

There is a reason why the cheater was saved until last.  This characteristic is the most overtly negative of the three and its value will take some explaining.  In the Star Trek series, a test called the Kobayashi Maru was administered to Starfleet cadets to measure their decision-making ability.  They were given a no-win scenario, and the test analyzed their ability to recognize this.  Captain Kirk beats the test by cheating and altering the rules of the game.  Not only did Kirk recognize the no-win scenario but he thought out-of-the-box to come up with a solution.  An article on the IEEE security and privacy journal references this test and explores the value of exploring cheating methods.  Researchers gave students a test they could not pass but encouraged them to cheat.  If they were caught cheating or if they did not cheat, they would fail the test.  Those who did cheat were then asked to describe how they passed the test.  The students came up with a variety of interesting ways of circumventing security.

Likewise, security professionals need to consider how users and attackers might bypass security measures so that security controls can be improved.  For example, a security guard is required to look at a photo ID for each person entering the building and compare it to a list of authorized persons.  Most people show a driver’s license.  One day an attacker shows a student ID and is granted access since their name is on the list.  Since the policy did not say that a government issued photo ID was required, this person was allowed access without it, but student IDs are much easier to fake.  If security professionals consider scenarios like this, then they can create better policies or enact controls to prevent such occurrences.

Attackers will seek out ways around security controls.  They do not have to act according to company policy nor should they be expected to.  They are after your data, and they will seek the easiest way to their goal.  Protecting organizational data requires thought into how systems or procedures might be compromised.

This pessimistic list may seem farfetched, even comical, but these attributes help secure companies from external and internal infringement.  The cheat thinks like those who attempt to destroy or steal company secrets.  Paranoia in conjunction with skepticism keeps security professionals vigilant and thwarts people looking to mount an attack against a relaxed system.  Lastly, individuals with these characteristics ask the questions necessary to keep systems secure.  Just look for these traits in moderation.

 

Cisco Access Controls and Security

Many organizations use Cisco devices to interconnect, protect, filter, and manage networks so it is important to understand ways to improve the security of these devices as part of your information security program. Within this article three basic access controls you can implement on any Cisco device will be discussed. These access controls are intended for those who are new to Cisco, so if you are a Cisco veteran, please peruse some of our more advanced articles on Cisco and information security.

The three basic access controls you can implement are as follows:

  • Set passwords for all methods of access
  • Encrypt the enable mode password
  • Encrypt passwords stored in the configuration

Set passwords for all methods of access

Cisco devices can be managed in a number of ways. The device can be managed by using the console, auxiliary line, virtual terminal, or asynchronous serial lines. A brief description of each of these lines is necessary. Each of these lines can and should be configured with a password so that none of them will provide unauthenticated access to the network device. You can configure passwords for the devices using the following commands issued from the global configuration mode. This can be accessed by entering enable mode (typing “enable” or “en”) and then typing “configure terminal” or “config t”. Note that the prompt will change from router> to router# when you issue this command.

router>enable
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

The console port is a physical RJ45 connector that is located on the device. It is configured for sending serial data. Using a Cisco console cable, you can connect the serial port on a computer to this console port on the Cisco device to perform administrative tasks. You can set a password on this line by issuing the following commands. In this example, I set the password to console password. The first line puts you in line configuration mode so you can configure settings for the console line. The next line sets the password. This is followed by the “login” command which tells the device to prompt for the password. The last line puts you back into global configuration mode.

router(config)#line con 0
router(config-line)#password consolepassword
router(config-line)#login
router(config-line)#exit

The auxiliary line or “aux” is also a physical port on the device and it is a backup to the console port. It can be used in much the same way and therefore must be secured in the same way. Note the example below where I set the password to auxpassword.

router(config)#line aux 0
router(config-line)#password auxpassword
router(config-line)#login
router(config-line)#exit

The virtual terminal or “VTY” lines are virtual lines that allow connecting to the device using telnet or Secure Shell (SSH). Cisco devices can have up to 16 VTY lines. You can determine how many VTY lines you have by issuing “line vty 0 ?” from global configuration mode. This example has 16 lines and it sets the password to vtypassword.

router(config)#line vty 0 15
router(config-line)#password vtypassword
router(config-line)#login
router(config-line)#exit

The last method of managing a device is with asynchronous serial lines. These are enabled by installing an asynchronous serial card into the router. These lines can be used to connect terminals or models to the device. The commands for configuring a password on the asynchronous line are similar to the above commands but the lines are usually assigned a logical group and then this group is configured. For example purposes, we will assign the interface to group 1.

router(config)#interface group=async 1
router(config)#group-range 1 8
router(config)#line 1 8
router(config-line)#password asyncpassword
router(config-line)#login
router(config-line)#exit

Encrypt the enable mode password

Enable mode is a privileged made on the firewall that allows you to modify major settings on the device. An important information security step is to ensure that a password is required to enter this mode. This password is called an enable password. Furthermore, the password should be encrypted. Unencrypted passwords can be revealed in plain text to unauthorized users if someone executes a show running-configuration from the device. Note: the show running-configuration command does not need to be executed from enable mode. Set an encrypted enable password with the following command from enable mode:

Router#enable secret insertpasswordhere

Encrypt passwords stored in the configuration

Just like the enable password, other passwords are stored by default as unencrypted and could be viewed by issuing the show running-configuration command. Also, you may be storing Cisco configurations somewhere on your network, and if you do, others might be able to access this and view your passwords if they are not encrypted. It is important to make it a practice to encrypt all passwords on the device. One command can encrypt the rest of the passwords and is as follows:

router(config)#run service password-encryption

However, this command encrypts the passwords using a rather weak algorithm, type 7 that can be reversed to reveal the password. This link provides a Perl script that will decrypt type 7 passwords.

Because of this, an alternative to type 7, called type 5 encryption is available. To encrypt the passwords using type 5, issue the above service password-encryption command and then for each of the methods of access mentioned earlier in the article add “5 encrypted-secret” to the end of the line as follows:

router(config)#password consolepassword 5 encrypted-secret

This article presented you with three basic things you can do to better secure access to your Cisco devices. They are (1) Set passwords for all methods of access, (2) Encrypt the enable mode password, and (3) Encrypt passwords stored in the configuration. Remember that this is only a basic step but an important one. Look for further articles on Cisco information security to better protect your networking equipment.

 

Understanding Data Loss Prevention (DLP)

Data Loss Prevention (DLP) is one of those terms that is often mentioned but less often defined. The term can be as ambiguous as its scope which can be both large and small. So what is DLP and why does it matter?

Data Loss Prevention (DLP) is an effort to reduce the risk of sensitive data being exposed to unauthorized persons. Data is extremely valuable to organizations. Just think of trade secrets, financial information, research data, health information, personal information, source code or credit card numbers and you begin to understand both the value this data holds for the organization and the threat its unauthorized disclosure would have on a company. Data loss prevention focuses on this threat by enacting controls to limit access and distribution of data. DLP still establishes controls to restrict outsiders, but it has a major focus on controlling the usage of data within the organization.

Information security efforts have historically been focused on preventing attacks from outside the organization. Controls such as firewalls, network segmentation, and extensive physical controls try to keep the bad guys out, but this is only part of an information security framework. Numerous studies (see further reading below) have identified the weakest information security link as human error or insider threats.

Content Filtering

One method DLP uses content filtering. Content filtering blocks communication leaving the organization by filtering instant messages, emails, file transfers web pages and many other data transfer methods. DLP programs need to be able to work with many different data types and transmission methods. For example, a user may email a sensitive word document or they may store it on an unencrypted flash drive or download it to a mobile phone. Each of these scenarios and thousands more needs to be handled by DLP.

The first step is to determine what data needs to be protected. Above we mentioned trade secrets, financial information, research data, health information, personal information, source code or credit card numbers. These are just some examples of the data an organization holds. Organizations need to determine what to protect and to what extent it should be protected by determining the criticality of each type of information to the business and the loss the organization would incur if the data were to be disclosed to unauthorized entities.

Once the organization understands what it needs to protect, data loss threats to this data can be identified along with effective controls to mitigate such threats. One way to more effectively identify threats is to consider the different states data can be in. These states are as follows:

Data at rest – data that is stored such as data in databases, file shares, backup tapes, laptops, or external storage devices. Data at rest is an important state because it is here that data spends most of its time.

Data in motion – data that is being transmitted from one location to another. As data changes state from being at rest to being in motion, it may become unencrypted or travel over an insecure network. This is why it is important to look at this phase.

Data being accessed – data that is being used by a user such as an open Word document, a report being viewed in a conference room, or statistics displayed on a cell phone widget. Data being accessed has already passed many information security controls, so it is available to the authenticated user. It may be available to others as well. Threats such as shoulder surfing, unlocked and logged in desktops, and printouts on a desk are all potential ways data can be exposed.

Case study

Let’s consider a case study for one type of data so that data loss prevention becomes clearer. A small business determines that financial data needs to be protected. The financial data is stored in a database that is attached to a managerial portal on the company intranet. Accountants use a custom application to input financial data into the database. Each week, managers generate reports and store them on a shared drive. The database and the shared drive are backed up nightly to tapes that are stored in a vault at the company headquarters.

This case study already identified the financial data as something that needs to be protected from disclosure. The company further specifies that financial data should be available only to managers, accounting staff, executives, the IRS, and outside auditors.

First, we will look at the data at rest. The data is stored in the database, file server, and on backup tapes. Data loss prevention can protect the database by limiting the accounts that can directly access the database and by assigning the minimum level of access to each account. The information security data loss prevention system would next establish strict access controls to the file server share and the file server itself. We need to consider the administrative access to the server because anyone who can log onto the server with administrative credentials will have access to the shares as well. Administrators will need to be restricted to one of the groups identified as having access above. Tapes could be encrypted and stored in a separate area for less sensitive data.

Next, we look at data in motion. The data is in motion when it is accessed through the intranet. Granular access controls could be established for intranet access, and the communication channel could be encrypted.

Lastly, data being accessed would include viewing reports through the intranet or updating accounting data by accountants. Client-side caching of data would need to be restricted as part of the data loss prevention system. The accountants also interface with the data through the custom program. This program would need to be evaluated for any information security holes including developer access to financial data. Now, what would prevent managers from storing the financial reports on their local machine? With the information given, we do not know if this happens, but it would need to be addressed possibly through a policy stating that the reports cannot be stored locally or by encrypting local hard drives.

This simple example addresses only a small part of data loss prevention. A true information security analysis would include much more than this, such as whether computers accessing the data contain malware or what to do if financial data is emailed or sent via instant messaging. Additionally, it is not enough to just say that data should be encrypted. A detailed design needs to be specified for the encryption if the data loss prevention controls are to be effective.

Bruce Schneier points out the importance of a well-architected data loss prevention design in his June 2010 article “data at rest vs. data in motion” where he discusses encrypting credit card information for use in a website.

If the database were encrypted, the website would need the key. But if the key were on the same network as the data, what would be the point of encrypting it? Access to the website equals access to the database in either case. Security is achieved by good access control on the website and database, not by encrypting the data. Bruce Schneier

Those implementing data loss prevention need to have a good understanding of how to architect information security controls and to implement controls in layers so that if one control is compromised another control still prevents data loss. Remember, information security is only as effective as its weakest link.

Data loss prevention is a worthy goal and an excellent information security initiative but it requires high level decision making from the beginning and a comprehensive analysis of threats and controls. An understanding of the work flow surrounding organizational data and a detailed design for each control in order for it to be effective is also imperative.