Monday, October 31, 2011

Information Security for Fun and Profit

Continuing our series of discussions of job tasks, roles and careers, I wanted to talk about security. As many of you know, I consider myself to be a jack of all trades as opposed to someone that has a deep knowledge of fewer topics. As we will soon see, this actually lends itself well to information security. In this article, I will discuss different disciplines commonly found in security and the skills that are most relevant to each. We will touch briefly on the certifications that are most relevant to each role and see how we can build our careers as we gain knowledge and experience.
Certifications

Since this article is part of the Cisco Learning Network, I would expect most readers to be at least somewhat interested in certifications. In technology, certifications are one of the more prevalent earmarks of knowledge, and this is also the case in information security. Cisco offers many certification programs. Some are security-centric, while others are not. Even certifications that are not focused on security usually have security components. For example, the CCNA program addresses device security, access control lists, and switchport security.

The fact that security is integrated into many non-security-centric exams is a theme also found in non-security-centric job roles. In other words, security is part of everyone's job in the enterprise environment, not just the job of information security professionals. For example, one may find oneself working in a network design role. Even though that is not a security position, security is still an important skill that must be integrated into the day-to-day tasks of that position. Even employees in non-technical roles still need to be well integrated into a solid security program.
Regarding security-centric certifications, Cisco offers the following certifications and specializations. Some of these programs are being discontinued, but may still be held by individuals.
  • CCNA Security
  • CCSP
  • CCNP Security
  • CCIE Security
  • ASA Specialist
  • Firewall Security Specialist
  • IOS Security Specialist
  • IPS Specialist
  • Network Admission Control Specialist
  • VPN Security Specialist
  • Security Sales Specialist (Reseller Specialization not relevant to the enterprise infosec role)
As you can see, Cisco not only offers actual security products, but also a wealth of security certifications and specializations. However, Cisco isn't the only vendor in the security arena. From a security perspective, I consider Cisco a network security vendor. There are other network security vendors who have security certification programs; examples are Palo Alto Networks and Juniper. There are also security certification vendors that do not have an affiliation with specific product vendors. For example, ISC2 offers the CISSP certification and SANS has a variety of information security certifications.
General Security
When I think about information security, I think about data and technology. What can we do to efficiently and effectively protect these resources? A three-letter acronym is often used to describe three areas of data protection: Confidentiality, Integrity, and Availability (aka CIA). Obviously this is only one viewpoint or dimension of data protection, but those three properties must be maintained across critical systems and corporate data. There are actually several different types of roles that encompass these concepts and different types of people to fill the roles.

Roles

The first security role that I must mention is everyone else. Everyone else is actually everyone in the organization that does not have the word "security" in his or her title. How "everyone else" is used will largely determine the security posture of an organization. Furthermore, if you are reading this article and have the desire to get into a security position, you are most likely part of "everyone else". Security leaders who are reading this article realize that creating a security ecosystem is much easier if "everyone else" is working with you instead of against you.

So what can and should this group of employees do for security? First and foremost, they can familiarize themselves with and follow the organization's policies. Possibly even more importantly, they can familiarize themselves with the norm. This will vary widely from position to position, but when someone notices a deviation from the norm, it could be a red flag that something is going on. Good security managers realize that they should never make someone feel unwelcome to bring forth such concerns.

Security Centric Roles
Now let’s talk about the positions in the organization that are security centric. These positions fall into a few categories. The first major category that I would mention is what I call operational security. Later we will also discuss audit and compliance, penetration testers, and security management (a subset of which can also be integrated into any of these roles).
Information Security Roles
When dealing with information security and security in general, operational security personnel are those who have day-to-day jobs that directly configure, monitor and otherwise maintain the systems that are responsible for the security of corporate data. I often find that security operations is further broken down into network security, application security and general security operations. In my experience, it is actually difficult to find a single individual who is an expert in all of these areas.

Network Security Roles

Of these three subcategories, Cisco is obviously most prevalent in network security. Network security, or netsec, involves securely configuring and monitoring network devices and protocols, building appropriate security boundaries, and configuring secure connections. This infrastructure is then utilized to provide secure and reliable connectivity for systems and applications. Netsec individuals will likely be responsible for one or more of the following:

  • Firewalls
  • IPS/IDS
  • Router Security
  • Switch Security
  • Network Monitoring System
  • Security Information and Event Management (SIEM)
  • Network Protocol Security
  • Virtual Private Networks (VPNs)
The environment that a network security individual works in (or desires to work in) influences what certifications he or she might have or be seeking. As you can see from the list above, Cisco is well integrated into this area of information security. The depth and breadth an individual is responsible for might also influence the certifications he or she might choose to pursue. For example, someone who is only making day-to-day firewall changes in a Cisco environment might pursue the Cisco Firewall Specialist. Someone who is making regular ASA firewall and VPN changes might pursue the Cisco ASA Specialist certification.

If this individual is promoted (or desires to be promoted) from a firewall administrator to a firewall architect or engineer, he or she might pursue the CCNP Security or CCIE Security certification. Typically a person in this field of work who is an engineer or an architect has a broader and deeper knowledge. This person has very likely performed advanced work in many or all of these key netsec areas. Additionally, this senior person will likely manage and/or mentor those who work in their respective areas so they can gain a deep knowledge of the components they are responsible for and how they affect other areas of netsec and the organization holistically.

Application Security Roles
The next key area of information security is application security. Honestly, if application security could always be solid, netsec professionals would only need to secure the underlying infrastructure and protocols. Since application security is often overlooked, netsec professionals make an effort to compensate for its shortcomings. So why is application security such an issue? My opinion is that most developers are naturally focused on providing functionality. Even though they may have concerns about security, it is usually not their primary concern. As a result, a lot of software bugs and vulnerabilities exist. From a netsec perspective, firewall administrators typically permit or deny traffic based on IP addresses, protocols and ports. As a result, it is difficult for a firewall to detect anomalous, potentially malicious traffic directed at a service that is provided by vulnerable software. This is especially true when the applications perform some type of encryption that further hides conversation details from network security professionals.
So what can an application security professional do? The answer to that really depends on the type of environment that he or she is working in. In some cases, an organization develops its own software, or software for other organizations to use. In those cases, the application security professional might oversee a secure development process. In other organizations, only commercial software may be used. In those cases, an application security professional would need to follow various bug-tracking sites and understand the ramifications of vulnerabilities that have been found in the software used by the organization. In my personal experience, it is difficult to find a single person who is strong in both application security and network security. SANS offers certifications and training that are fairly relevant to application security.

General Operation Security Roles
In the operational security category, there is one more group or type of individual. This position might be simply called operation security (even though it is a subset of the operational security category that I initially mentioned), or something similar. This crucial position or discipline is interested in how an organization's processes interact with one another, and with the network and applications, securely. Even if an organization has a relatively secure network with relatively secure applications, the methods in which the systems and technology are used can leave the organization very vulnerable. Additionally, a single process may not have any apparent risks. However, when that process is combined with other processes in an organization, the combined risk may be far greater than the sum of the individual risks.
A person in this general security position should understand the interaction between systems and processes, making the organization fully aware of operational risks. In a smaller organization, this may be part of the role of the CSO or CISO. This category of individual would benefit from knowledge gained in appsec and netsec as well as an understanding of the business processes that make up their organization. Since these processes vary so widely from organization to organization, certifications may be less relevant. A certification program that provides a broad scope, such as ISC2's CISSP, may be beneficial though.
Audit and Compliance Roles
I grouped the last three categories of security professionals into one major group that I called operational security. Audit and compliance is typically a separate group but must work closely with the other areas of security. One reason for the separation is to avoid conflicts of interest. This area must be intimately familiar with the ins and outs of all applicable regulatory guidelines. They must work with the respective individuals to establish how each of the guidelines is being met. If there are shortcomings or inadequacies, audit and compliance professionals may further educate the nonconforming area about the regulatory requirements. Although InfoSec is a major component of audit and compliance, it is not the only area of concern.
Penetration Testers
Earlier I mentioned that it is difficult to find someone who has solid expertise in application security, network security and general operational practices. Penetration Testers, or pen testers, must have expertise in all of these areas. These professionals are individuals who break into systems for fun and profit. The purpose is not to humiliate those responsible for inadequate controls, but to educate the organization regarding weaknesses in their systems.
Penetration testing should be done to some degree by the individual network and application security professionals, in order to test the adequacy of the controls they configured. However, penetration testing that is to be reported to a CEO, board of directors, or other responsible or certifying party should be performed by an independent third party that has no conflicting interest. It certainly makes little sense for the person who designed and configured a firewall to be the person who is reporting to the board of directors how secure the implementation is. If security is important, an independent assessment should be done. Furthermore, a pen test should go beyond just a firewall and test the processes and the security posture holistically.
Responsibility
Thus far we have talked about different roles that are actively involved in security. We have also discussed roles that confirm that the organization is compliant with any regulatory mandates. Additionally, we have touched on the role of a pen tester, who can also look for vulnerabilities that may have otherwise been missed. Now we need to talk about responsibility. Responsibility can be assigned at almost any point in the organization. In actuality, everyone is responsible for their own actions. However, the person I am now talking about is likely an officer in the corporation. When something happens, this is the person that will have to answer the tough questions and explain how this could have happened (given the investment that the company has already made [or thinks it has] in security).
In a larger organization, this person may be the CIO (Chief Information Officer), CISO (Chief Information Security Officer) or CSO (Chief Security Officer). The CIO is typically the person that is responsible holistically for the information systems and data. The CSO and CISO are more focused on security. CSO is more generically related to security, whereas CISO is focused on information security. Organizations can have any or all of these roles. The CIO often reports directly to the CEO or, in some cases, directly to the board of directors. A CISO or CSO may report to the CIO, another member of executive management or directly to the board.

Physical Security
The final thing that should be mentioned about security is that we must not forget about physical security. Those individuals in the organization who are responsible for physical security are very relevant to information security as well. We can install the best firewalls and anti-virus and use the strongest possible encryption, but if someone can walk through the front door and carry out a storage enclosure, our information security was all for naught. Hopefully we had full drive encryption, but we are still taking an outage (and availability is the third component of CIA).

Conclusion
Security is a constantly evolving area. In information security specifically, new vulnerabilities are found daily, and new threats are coming from some of the least suspected sources. As with other areas of technology, my advice is to gravitate toward the areas that interest you personally. If you enjoy deep and broad research and application of technology, information security might be a good career choice.
