Skills For A Career In Security http://vprasanna.com

Upload: prasanna-v

Post on 11-Aug-2014


Category: Career



DESCRIPTION

I used to get questions on what it takes to have a career in Information Security. Here are my thoughts on building a career in Security, touching on points like skills, job titles, whether certifications are needed, etc.

TRANSCRIPT

Page 1: Skills For Career In Security

Skills For A Career In Security

http://vprasanna.com

Page 2: Skills For Career In Security

“There is a difference between knowing the path and walking the path”


Page 3: Skills For Career In Security

Agenda

Today’s Security trends

Why a Career in Information Security

Skills required

Profiles

Certifications. Are they required?

Q & A


Page 4: Skills For Career In Security

Today’s Security trends

The information explosion caused by the Internet has also shortened geographical boundaries, and has brought about immense data for exploration and exploitation.


Page 5: Skills For Career In Security

'Man is a Social Animal' - Aristotle


Page 6: Skills For Career In Security

Today’s Security trends (cont.)

Terms like cyber crime economy, corporate cyber espionage and cyber warfare have now come into vogue. It's a constant game of catch-up.

Governments & corporations are setting up Cyber Labs with specialized training for their workforce to tackle these…

Page 7: Skills For Career In Security


Today’s Security trends (cont..)

www.packetverify.com

Unlike the old times, when hacking was for fun and to show off one’s ability, today the primary motivation is money.

Page 8: Skills For Career In Security

Today’s Security Trends (cont)

…Of course, some still do it for fun and more…

Page 9: Skills For Career In Security

Today’s Security Trends (cont)

Breaches still continue to happen due to user errors as well…

Page 10: Skills For Career In Security

What does this bring to picture?

Need for good folks…

Page 11: Skills For Career In Security

So, who could be these good folks?


Page 12: Skills For Career In Security

Interesting?

Let's explore…


Page 13: Skills For Career In Security

Why a career in Security?

• Requires specialized skills

• Opportunity for continuous learning

• Challenging job prospects

• Niche area

• Currently there is a big shortage of skilled Information Security professionals in line with data exploration and exploitation.

Page 14: Skills For Career In Security

Why a career in Security? (cont.)

Courtesy: www.ecommercetimes.com

Page 15: Skills For Career In Security


Education Level of Professionals in Security

Statistics: Global Workforce Study www.isc2.org

Source: www.isc2.org

Page 16: Skills For Career In Security

Security Engineering

Field of work: Product design and development

Hardware programming

Application Testing

Hardware Testing

Review code for vulnerabilities

Fix vulnerabilities through patching (some more coding)

Research and Development

Malware Analysis, Reverse Engineering

Application Security review

Page 17: Skills For Career In Security

Security Engineering

Typical skills required:

Programming

Unix, C, C++, Shell, Perl, Python, Java, .NET, etc.

Scripting

Databases

Cryptography

TCP/IP Stack, OSI Model

Software Development Life Cycle (SDLC)

Common Sense


Page 18: Skills For Career In Security

Certifications & Resources:

• Certified Secure Software Lifecycle Professional (CSSLP) from ISC2

• SANS Secure Coding Certifications

– Java - Secure Coding - Developing Defensible Apps

– .NET - Secure Coding - Developing Defensible Apps

– C/C++ - Secure Coding - Developing Defensible Apps

– PCI - Secure Coding for PCI Compliance (DEV 536)

• Microsoft Security Development Lifecycle

• CMMI practices

• Many more…

Page 19: Skills For Career In Security

Popular Job Titles include:

• Security Engineer

• Security Researcher

• Application Security Researcher

• Product Engineer

• Security Tester


Page 20: Skills For Career In Security

Security Administration

Field of Work:

System Security, OS hardening, patching

Network Security, Firewall, IDS/IPS, SIEM, PKI

Vulnerability Assessment & Penetration Testing

Incident Response

Troubleshooting and fixing security issues

Awareness and Training

Identity and Access Management

IT Audits


Page 21: Skills For Career In Security

Security Administration

Typical Skills required:

Solid understanding of Operating Systems

OSI Model, TCP/IP Stack, DNS, Routing, Switching, HTTP, SSL, LAN, WAN, DNS, DHCP, Routing, Wi-Fi, and VoIP.

Firewalls, Intrusion Detection Systems (IDS), IPS, Routers, Switches

Antivirus, Content filters

Databases


Page 22: Skills For Career In Security

Security Administration (cont.)

Scripting (highly desirable & makes life easier): Unix, Perl, Python, Windows Shell Scripting

Data mining

Protocol dissection

Exposure to and knowledge of various security best practices and standards like ISO 27001, PCI-DSS, Common Criteria, etc.

Good Documentation and Communication skills

Appetite for Learning


Page 23: Skills For Career In Security

Certifications & Resources:

• Certified Information Systems Security Professional (CISSP) from ISC2

• SANS Global Information Assurance Certifications (GIAC)

• Security +

• Certified Ethical Hacker (CEH)

• ISO 27001 Implementer / Internal Auditor / Lead Auditor

• Computer Hacking Forensic Investigator

• Vendor Certifications from Check Point, Symantec, Juniper, Cisco, etc.

Page 24: Skills For Career In Security

Popular Job Titles include:

• IT Security Manager

• Network Security Administrator

• Security Analyst

• Security Administrator

Generally involves hands-on work, and is partly managerial as well.


Page 25: Skills For Career In Security

Security Management

Field of work:

More of Auditing, Compliance, Governance & Risk Management

Compliance with standards like ISO 27001, PCI-DSS, HIPAA

Information Systems Audits

Security Awareness Trainings and evaluation

Business Continuity and Disaster Recovery.

Covers IT as well as Non-IT aspects of Security in an Organization


Page 26: Skills For Career In Security

Security Management

Typical Skills:

Good understanding of Auditing standards, Networks, System level Security hardening mechanisms

Risk Assessment and mitigation strategies

Standards & Compliances: ISO 27001, Common Criteria, COBIT, GLBA, SOX, Payment Card Industry Data Security Standards (PCI-DSS)

IT Legal concepts: Indian IT Act 2000, Data Privacy Laws & Regulations

Good Documentation and Communication skills


Page 27: Skills For Career In Security

Certifications & Resources:

• Certified Information Systems Security Professional (CISSP) from ISC2

• Certified Information Systems Auditor (CISA) from ISACA

• Certified Information Systems Manager (CISM) from ISACA

• ISO 27001 Implementer / Internal Auditor / Lead Auditor

• Cyber Law


Page 28: Skills For Career In Security

Popular Job Titles include:

• Information Security Manager

• IT Risk Manager

• Chief Information Security Officer

• Chief Privacy Officer

• Chief Risk Officer

These positions involve more managerial responsibilities, with limited hands-on work as well.


Page 29: Skills For Career In Security

Should I get Certified?

• Certification complements skills and experience

• Give yourself sufficient time and experience to catch up with the requirements

• Go for certifications that are accredited by recognized organizations

• Don’t get certified for the heck of it; rather, the whole process from studying to certifying should be an enriching experience

NOTE: Nothing substitutes for the right skills & experience

Page 30: Skills For Career In Security

Does Certifying pay me more?


Survey from ISC2 says, Yes.

Statistics: Global Workforce Study www.isc2.org

Page 31: Skills For Career In Security

Write-ups and Blogs on Security

• NIST

• SANS Security Resources

• EFF

• Openwall

• Naked Security

• Bruce Schneier on Security

• Krebs on Security

• Open Web Application Security Project

• Open Source Security Testing Methodology Manual (OSSTMM)

• Google Summer Of Code

• Insecure.org Mailing lists

• CERTs

Page 32: Skills For Career In Security

Hackers & Entertainment

• Wargames

• The Matrix

• Italian Job

• Swordfish

• Pirates of Silicon Valley

• Takedown

• & many more…

Page 33: Skills For Career In Security

Background about this presentation

Please note that this is not a definitive guide about starting or building a career in security. I used to get questions on this subject and thought of skills that helped me in my InfoSec Career. I have put these here and believe it could help you in your InfoSec career journey.

May The Force Be With You


Page 34: Skills For Career In Security

What do I do?

I am an Information Security professional :)

Page 35: Skills For Career In Security

Thank You

@terminalfix

vprasanna.com

Prasanna Venkatesh