So you want to be a cyber-security analyst

I want to throw out there, that I am by no means the defining expert in my field. I've got ~10 Years of Experience in what the CISSP considers qualifying fields. I have approximately two years of experience in physical security, four years in cybersecurity, and around ten years in IT. So you can take everything I'm about to say with a grain of salt. I wanted to address a common theme that I'm seeing come out of new individuals in the field.

I've had a lot of people come up to me as of recent telling me that they are pursuing their degree in cybersecurity. I suppose this struck me as odd? I don't mean to be dismissive of someone who's willing to hoof it through 4 years of college. It strikes me as odd that anyone could go through 4 years of college and have the skills required for this field. 

I've worked with a lot of different folks who are chasing their careers in IT. Right now cybersecurity is the big thing; because let's face it, we're good at selling people on the field. Because of this, there has been a flood of new people who might have gone into IT instead of going into Cybersecurity.

My frustration is that cybersecurity is such a broad field because of the required knowledge, that 4 years of college classes can't cover it. You need to understand Linux, Windows, and OSX. You should have a decent understanding of Programming, databases, and application security. You should have some core understanding of networking, firewalls, and terminology. But, these are things that are only explored at a conceptual level in college

Even if you are doing practical labs, there is no way that a lab can ever simulate a living breathing corporate environment. The corporate environments of the world have old configurations and years of "Technical Debt". That's not something you can replicate in a laboratory environment. Half of the time, the things triggering alerts are old configurations that were never updated. 

And that's the thing, is that to recognize these things, part of me feels like you need experience as an administrator first. You need to spend a little time on the help desk, so you know what users actually do. Spend a little time as a network administrator so you know why there's a router on a stick in VLAN 20. Take a year as a system administrator so you can see why the GPO pushes old versions of Adobe. To know why the program behaves the way it does you need a programming background. 

College and certifications can help you with the core concepts, but most of cybersecurity isn't digging at core concepts. Those core concepts are only part of the puzzle. You'll spend more time fighting the business units on what college taught you were "The basics" then digging into malware. Basic cyber "Hygiene" like making sure updates get delivered find themselves secondary. Your IDS won't find an Advanced persistent threat (APT) crawling through your network. Instead, they will find the system administrator that wants to RDP to his home network. 

Beyond all that, you're going to have to spend time working with System and Network Admins. Because of this, you should understand where they are coming from when they say "Please don't firewall this". You'll spend a lot of time devising ways to make exceptions to risk instead of mitigating them. 

There was an excellent speech at derbycon this year that highlights a simple concept. Our job isn't to stop the business from falling off the security cliff, only to warn them it's approaching. If you haven't had a few years building the business from an IT perspective, it will be frustrating. The business doesn't like change and cybersecurity's entire purpose is to introduce change. We come into a business and tell them they are doing everything wrong. 

Password policies, phishing exercises, network segmentation, VPN's and more are the hallmark of what we do. If you're in incident response, sometimes you have to understand why users behave as they do. Bob from accounting isn't using Bing because it's a better search engine. He's using Bing because it's the best search engine for finding porn. Jill from HR isn't using duck duck go because she's concerned with privacy, she's using it because it's a good proxy. 

Your users are far cleverer then you give them credit and they've been fighting company change for a while now. You need a background working with them as their friend, not their enemy. And this is all from the business interaction side. 

The technical side can be even more horrendous. Let me give you a simple example. A coworker brought up that there was a lot of NTP request going out to strange foreign servers. They were in China, Russia, and Eastern Europe. I had to point out, that by default Linux distributions have over forty NTP servers that they reach out to. As NTP traffic gets dropped, the distro would continue down the list. 

Or another example, "Why do the domain controllers reach out to the internet". I had to explain that DC's may be reaching out for updates. They were quick to respond that we had a WSUS / SCCM infrastructure, there was no reason for these servers to be reaching out. I had to retort, that while WSUS handles most things, a windows server will still reach out to check CRL's. There's a separate policy object that controls what servers get checked for CRL's.

These are tiny things, but it saves you a lot of time and panic if you realize how these things behave on their own. You need that mental baseline of how a business operates on a regular basis before you start locking it down. I would say the same thing to systems administrators or programmers, that they need to spend time with users. 

Cybersecurity is too complex to walk into without understanding its fundamental components. Programming, Networking, Databases, Systems Administration. These are all pieces of the greater whole and you're robbing yourself if you don't have some practical know-how with each of them. 

I guess that makes me an elitist prick, but I suppose I'd say the same to someone wanting to go right into networking. You should spend a little time running cables or troubleshooting with users. Sometimes the user hasn't lost internet, the excel spreadsheet isn't doing what they wanted. 

Having said that, let me give some real advice for folks wanting to pursue the field. First, the Security+ and Network+ are worthless certifications, but they introduce terminology. They are great resume padding and simple enough to get. Almost every HR department likes them. The CEH looks great on a resume but doesn't have useful information. Get a four-year degree in computer science and then spend your practical work doing help desk and networking. Use your college years to lock down conceptual, not practical knowledge (also have fun). 

Keep up to date on the field with a podcast, new sites and more. /r/sysadmin, /r/netsec on reddit. Jupiter broadcasting, Reply All, Dark Net diaries, and Linus Tech Tips are all great building blocks for understanding "the industry "., Udemy, and the occasional humble bundle can give you good knowledge for cheap. Keep up on vendor websites (McAfee, Symantec, Palo Alto) and build a cheap lab at home. You don't need much, but you can mimic a sizable network. 

Build a virtual firewall, DNS Server, IDS, Sandbox, and more and watch to learn what's normal and what's not. To me, cybersecurity is the deep end, and if you jump in not knowing how to swim then you're not going to have as much fun. 


Popular Posts