Getting an Information Security Job For Dummies - Gregory Peter H. - Page 11

Part I
So You Want to Be an InfoSec Professional
Chapter 2
Understanding InfoSec Roles: One Day in the Life
Getting Security Experience Where You Are Now


Workers early in their careers have the following complaint:

I want to get this new job, but it requires experience. How can I get experience if I don’t have this job?

Sounds like a chicken-or-egg problem, right? Not necessarily. Most security professionals didn't have a non-security-related job one day and a security job the next. Instead, they gained and built upon security skills in their current IT job.

In this section, you explore the following IT roles and discover how to build your information security knowledge and skills while in those roles:

Service desk analyst

Network administrator

Systems administrator

Database administrator

Software developer

Project manager

Business analyst

IT manager

Human resources employee

All IT positions contain security-related skills and responsibilities. Everyone in IT should be aware of the security-related aspects of their jobs. IT workers are entrusted with a high level of privilege: they have access to sensitive data and the systems that control it.

Service desk analyst

A service desk analyst assists users who have problems with their computers, user accounts, or business applications. In some companies this position is the equivalent of a help desk technician or a PC fix-it dude (or dudette).

In many ways, service desk analysts have one of the most important non-security positions because they are in contact with users in all levels of the organization. For many employees, service desk analysts are the only IT people they will ever contact.

A service desk person must be able to recognize several types of security issues, such as the following:

Forgotten passwords

Requests to install software

Phishing messages

Unsafe practices, such as sharing passwords or visiting malicious web sites

Network administrator

The network administrator title can mean different things in different organizations. This role often includes the administration of the following:

User accounts

File server access

Remote access

Network administrators are on the front lines of access control, and effective access control practices reduce the likelihood of a number of security-related problems, such as active user accounts for terminated personnel, excessive privileges, group accounts, and user accounts with non-expiring or non-complex passwords.

My security career started in network support

Back in 1990, I was doing network support for a large dairy. They were having problems with their network and had been experiencing some unexpected financial reporting problems, so they had started to suspect fraud. The CFO approached me one Friday afternoon as I was working on the network and said something like, “So this system is secure, isn’t it, and can’t be the cause of our problems?”

Caught off-guard, I answered, “Yes, sure, it must be.”

Driving home, I became increasingly concerned that I had answered without any evidence to back my words. This really worried me, so I went into the lab on the weekend and built an equivalent system that I proceeded to hack. I identified four or five issues and then devised controls to prevent or detect these.

On Monday, I went back into the dairy and applied the fixes – and explained to the CFO why. At the time, security was not recognized as a separate skill or even a job; it was just something good network admins did.

Without realizing it, I had become a white hat hacker and I moved full time into security about two years later!

Richard N., London

Systems administrator

A systems administrator (also called a systems engineer) configures and maintains server operating systems and, in some organizations, desktop operating systems.

A systems administrator – often shortened to sysadmin or SA – is usually responsible for all security-related configurations in operating systems, including the all-important system hardening, which is the practice of configuring a system to make it more resistant to attack.

A sysadmin may also manage user accounts, machine by machine or in a central directory such as Microsoft Active Directory or LDAP (lightweight directory access protocol). A sysadmin can learn and apply many security-related principles regarding user account management, such as the following:

✓ High-quality passwords: Systems should require long, complex passwords with reasonably short expirations (I suggest 90 days for users and 30 for administrators).

✓ No shared user accounts: SAs are usually close to their users, and as such should watch for various forms of abuse, including shared user accounts. That’s bad juju, as I like to say.

✓ Accounts with least privilege: Users should have no higher privilege level than is required to accomplish their duties. If you give an ordinary user the local administrator privilege, you will be begging for security-related problems.
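The checklist above, together with the stale and non-expiring accounts mentioned in the network administrator section, can be turned into a routine audit. The following is an added example, not code from the book: the record fields (`enabled`, `employed`, `needs_admin`, `owners` and so on) and the sample accounts are constructed assumptions standing in for an export from a directory such as Active Directory or LDAP.

```python
from datetime import date

# Policy from the checklist: password expiry of 90 days for users, 30 for admins.
MAX_PASSWORD_AGE_DAYS = {"user": 90, "admin": 30}

def acct(user, **overrides):
    """Build one constructed directory record; all field names are assumptions."""
    record = {"user": user, "enabled": True, "employed": True, "admin": False,
              "needs_admin": False, "pw_expires": True,
              "pw_changed": date(2024, 5, 20), "owners": 1}
    record.update(overrides)
    return record

# Constructed sample export, not data from any real directory.
ACCOUNTS = [
    acct("asmith", pw_changed=date(2024, 4, 15)),
    acct("bjones", admin=True, needs_admin=True, pw_changed=date(2024, 4, 15)),
    acct("frontdesk", owners=3),                      # one login, three people
    acct("ctemp", employed=False, pw_expires=False),  # contractor who has left
    acct("dlee", admin=True),                         # admin rights, no need
    acct("eold", employed=False, enabled=False),      # left, correctly locked
]

def audit(accounts, today):
    """Return (user, issue) pairs for every account that breaks the policy."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # a locked account cannot be used, nothing to report
        if not a["employed"]:
            findings.append((a["user"], "ACTIVE_AFTER_DEPARTURE"))
        role = "admin" if a["admin"] else "user"
        age = (today - a["pw_changed"]).days
        if not a["pw_expires"]:
            findings.append((a["user"], "NON_EXPIRING_PASSWORD"))
        elif age > MAX_PASSWORD_AGE_DAYS[role]:
            findings.append((a["user"], "PASSWORD_TOO_OLD"))
        if a["owners"] > 1:
            findings.append((a["user"], "SHARED_ACCOUNT"))
        if a["admin"] and not a["needs_admin"]:
            findings.append((a["user"], "EXCESS_PRIVILEGE"))
    return findings

if __name__ == "__main__":
    for user, issue in audit(ACCOUNTS, today=date(2024, 6, 1)):
        print(f"{user}: {issue}")
```

The same 47-day-old password passes for the ordinary user `asmith` and fails for the administrator `bjones`, because the two roles have different expiration limits.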

Database administrator

A database administrator, or DBA, is responsible for the care and feeding of databases that reside on servers as well as external storage systems.

A database management system is a sizeable piece of software in its own right, often with myriad configuration settings and its own user accounts and related settings. Like the system administrator, the database administrator must follow sound principles with regards to system hardening as well as user account management. Further, the DBA also controls access permissions to databases and their components.

Software developer

A software developer (also referred to as programmer, software development engineer, or programmer-analyst) develops systems software, application software, tools and utilities, and system interfaces. Some have a creative, free spirit and down-with-rules attitude that gives the whole lot a reputation for not wanting to work with security people.

Software development involves several significant security-related activities and aspects, including the following:

✓ Secure coding: Developers without training in secure coding are likely to introduce vulnerabilities such as buffer overflow and cross-site request forgery in their programs. Depending on the languages and tools they are using, developers will need to have a varying level of training and awareness, so that their programs will be free of security defects.

✓ Security testing: Developers often test the programs they write and maintain. Depending on the languages and tools they use, developers will need to perform security testing in addition to any functionality testing to ensure that their software is free of security-related defects.

✓ Code reviews: Developers should be checking each other’s work, looking for security flaws that could permit their software to be compromised by an attacker.

My security career started as a developer

I was working as an engineer writing code for operations in a nuclear power plant. One day (in the early ’80s), I asked the boss how we secured this stuff and who was responsible for making sure our network and supporting computing systems were secure. Two days later, I got a call from corporate headquarters and talked to our CIO. I explained my concern, and that was the beginning of my security career. I became responsible for securing our corporate network and, from there, went on to become one of the first security engineers for the company.

Bruce Lobree, Seattle

Project manager

Have you seen those sleek racing rowboats, with the person in front shouting, “Stroke! Stroke! Stroke!” to keep the rowers in sync? Similarly, project managers keep a project going in the same direction and at the right pace to ensure that it is completed correctly and on time.

Project managers, or PMs, keep projects running smoothly and ensure that all required resources are available as needed. In many cases, PMs can use their general knowledge of IT security to ensure that security-related activities are included in a project's schedule and carried out by people with the right skills. Some of the things that PMs need to know include the following:

Laws and regulations applicable to the organization

Security policies that are relevant to whatever project PMs are working with at the time

Client or customer security-related expectations

Security tools used in the organization to verify software security

Business analyst

Depending on the organization, a business analyst may be a jack-of-all-trades or focused on one set of activities. In this book, a business analyst is the former. Examples of business analyst activities include

Running reports

Analyzing the content of reports to assist other workers in their jobs

Conducting research tasks and projects on internal business matters

Organizing information into usable or readable form

A business analyst can also be thought of as a technical assistant.

Like other IT workers, a business analyst must be familiar with the concepts of safe computer usage and prudent handling of sensitive data, so that they don’t unwittingly bring harm to the information by compromising sensitive data and systems.

Most people in security start out in another IT job, and move laterally into a security position.

IT manager or IT director

An IT manager (in smaller organizations, the IT manager) or IT director directs the work of others in the IT organization. To get security savvy and do the right thing security-wise for the organization, an IT manager needs to understand many aspects of information security, including the following:

✓ Security policy: The security policy includes both the policy for general workers as well as IT-specific policies related to the design, implementation, and management of information systems.

✓ Security aspects of applicable business processes: These aspects include but are not limited to change management, configuration management, incident management, asset management, and employee onboarding and offboarding.

✓ Leadership by example: An IT manager is watched by almost everyone on the team, so he or she should lead by example to ensure that IT staffers also toe the line on security policy, procedures, and expected behavior.

My security career started on a committee

I got a job as an IT director for one of the departments in a large municipality. Shortly after arriving, I began work on their first information security committee. Our task was to create a new InfoSec policy. Eventually, we decided that we needed to hire a CISO for the city.

The person we hired was and is someone many of you would recognize, but I'll leave out his name to protect the innocent (and guilty!). We quickly became good friends and respected colleagues, and when the position of deputy CISO was created, I applied and was hired.

David R. Matthews, Seattle

Human resources employee

Human resources (HR) workers play a big part in information security. They are the linchpin in the procedures followed when hiring and terminating employees. HR has many other important security-related aspects, including the following:

✓ Background checks: A background check is relatively straightforward in the United States but trickier in countries that restrict or ban them. Still, it’s important to fully understand the criminal history and ethics of an employment candidate.

✓ Discipline: HR often coordinates formal disciplinary action for all kinds of misbehavior, including violations of security policy. HR must understand the serious nature of different information security violations so that appropriate disciplinary actions are taken in the event of a breach or misconduct.

✓ Job descriptions: HR usually creates and manages the job descriptions in an organization. Security is an essential ingredient in virtually all IT positions, and in many others as well.

In many organizations HR manages only full-time employees, not contractors, consultants, or temporary workers. As a result, access management processes suffer greatly. When contractors, consultants, or temps leave an organization, the personnel responsible for locking their user accounts often don’t know, creating a big security risk and a significant compliance issue. Organizations can get into a lot of trouble if they have active accounts for contractors and temps who are no longer active.

All IT positions require security skills

Making the transition from a non-security job to a security job is not as difficult as you might think. Many companies require relevant, security-related skills for almost every position in IT.

Security is the responsibility of not just the security manager but also every IT worker in the organization. Every position in IT requires security skills and knowledge related to each particular position.
