Tuesday, December 03, 2013

How to Get Started in Information Security

I've seen a lot of people lately asking how to get started in the Information Security industry. I think there are a lot of misconceptions about what you need, like expertise with tools, certifications, experience in a role, etc. Those help, but I don't think that's the number one thing that gets you into the industry. I think the biggest things are curiosity and dedication. Those two things will ensure that the rest follows. And if you don't have those drives for an Infosec career then you haven't found what you want to be doing for the rest of your life, so keep looking.

But there's more to it that you'll pick up along the way. Rather than tell you what I think you should do, I'll tell you how I got into the industry and then try to distill the lessons and skillsets that I think have been most important for me. The story will hopefully show you why I think those skillsets are important, so you can understand for yourself what's the best path for you.

I started out working break-fix PC support. Someone would call the help desk and if they couldn't work it out over the phone I'd go out and fix it. I got good at malware cases - spyware, popups, network worms, etc. - because I was curious about how to get rid of the malware, not just reimage the system. That doesn't always cure the issue, as I learned, but it was typically quicker to fix and less work on my part because I didn't have to copy the data, reinstall software, etc. On larger-scale malware incidents I was on the front lines to help. And whatever I learned I wrote up for others so they didn't have to learn the same thing.

I also made sure to take care of the whole problem before leaving. Again, mainly because I was trying to be more efficient (some might say lazy). If I didn't I'd have to come back out to solve the original problem. And that often meant walking through some basic awareness information so that the system didn't become reinfected. I wasn't great at that, but the people appreciated it. It was this bedside manner that meant I was assigned to the higher profile cases with the folks who were more important in the organization.

When a security role opened up I applied for it. I researched for the interview and conversations, looked over what I'd been working on most and how I'd solved those problems. Then all of the questions were about appsec rather than anything I'd been doing. Oops. I guess I still did OK because I got an offer. It was lower than I knew it should be so I asked for industry average. I didn't get it, but I did get about 5% more than the original offer.

I started reading all the blogs and magazine articles I could, in between doing security things. I figured I'd start writing too. I started my own blog to pass on lessons learned in plain English (go back to the early days of Beau's Cybersecurity Blog and see how raw that stuff was). And I commented on other people's blogs and stories. People started to notice and comment back, email me, etc., and that encouraged me and kept up my momentum.

When I told my boss I was hitting the ceiling she said she understood and was glad - it meant I was growing and thriving. There wasn't room for me to move up so I let her know I was going to start looking at other organizations. She said that was a good idea - it's always easier to turn down an offer than to get one in the first place.

So I took stock - what was my passion, how could I best monetize my skills and why was I doing this? My passion was helping people fix problems. My most in-demand skills were communication and problem solving, as well as my familiarity (not expertise) with security tools. My why (this is always the most important one) was so I could travel the world and work from anywhere, which meant I needed to improve my network connections, and my ability to make them, more than anything.

So I began a low-intensity search - I still had a job so I could afford to wait for the right opportunity. I trawled job boards, Craigslist and the sites of companies I wanted to work for, asked friends, etc. Within a month I found one that looked perfect. I reached out, looked around and found who the hiring company was and applied directly too. Just like the last time I did lots of research and preparation and built a dossier on all the people I'd be talking with, as well as their execs in case I met one of them. All of that came in handy and they hired me. (They also found my blog and liked what I was writing about, so that helped too.)

Repeat that process a few more times and here I am.

Below are a couple of lists. The first is traits I found inside myself when I found the right outlet - the area I felt I belonged and was passionate about. The second is the skillsets I worked to improve along the way. Both lists are in the order I feel was most important. You'll see that there aren't any specific tools listed - that's because I don't think a large investment of time in those really helps. But familiarity and some experience playing with the top tools in what you want to do certainly does. If you're just going for an entry-level job then that's all they'll be expecting.

Traits I found inside myself
  • Curiosity
  • Desire to get better
  • Self-exploration
  • Humility
  • Ambition

Skillsets I worked hard at improving
  • Communication (quantity and quality)
  • My value and the place I fit best
  • Root-cause analysis
  • Patience
  • Perspective
  • Some technical tools
Update: Some links below from others who have written on the same topic.

Thursday, April 11, 2013

Some Thoughts on Malicious Software Prevention and Protection

Today I got a message from a business associate of mine apologizing for a delay in the work, because he'd been hit by malicious software (malware). As it turned out, I replied, computer security is what passes for a day job for me. So I came up with some instructions for him to help improve his security. These should be fairly easy for a non-technical person to use, though a moderately technical person may need to set things up.

Leave feedback in the comments if you agree, disagree or have any additions. Here's the list, in order of what I'm calling Return on PITA (ROP) - or, most benefit for the least pain wins.

Preventing malware infection

  1. Make your account a "Limited User" instead of "Administrator". This prevents the malware from running on your system without you first entering your password.
  2. If you are running Windows, make sure you are on 7 or higher. Windows 7 provides lots more security controls that balance protection with usability. One key feature is AppLocker, which prevents unknown software from running without entering your password. The downloadable tool EMET enhances protections, and Windows Defender is excellent, free anti-virus software.
  3. Keep all your software updated. Windows does a nice job of updating itself, but other software isn't always as good. I don't generally like to recommend specific software, but in this case it's hard to find if I don't: Secunia PSI is free for personal use and keeps you updated about...well updates.
  4. Be skeptical before opening email attachments or links. This takes some practice, but it's as easy as stopping and asking whether something makes sense or not. Many of the email scams today look real, unless you apply some skepticism. Why would a) this person/company be b) sending me this information c) through email and d) how can I see if it's legit?
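As an added example (not from the original post), here is a read-only PowerShell audit of items 1 and 2 above: it reports whether the current session carries administrator rights and whether AppLocker is actually enforcing a policy. It assumes Windows 7 or later on an edition that ships the AppLocker cmdlets.

```powershell
# Added example, not part of the original post: read-only audit of items 1 and 2.
# Assumes Windows 7 or later with the AppLocker PowerShell module available.
Import-Module AppLocker -ErrorAction Stop

function Test-RunningAsAdministrator {
    # Item 1: a daily-use account should make this return $false. An elevated token
    # means anything that runs under it (malware included) already has admin rights.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AppLockerEnforcementSummary {
    # Item 2: summarise the effective AppLocker policy per rule collection.
    # EnforcementMode is "NotConfigured", "AuditOnly" or "Enabled"; only "Enabled"
    # actually blocks unknown executables. An empty policy yields no rows.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection      = $collection.Type
            EnforcementMode = $collection.EnforcementMode
            RuleCount       = $collection.ChildNodes.Count
        }
    }
}

function Test-AppIdServiceRunning {
    # AppLocker rules are only evaluated while the Application Identity service runs.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

# Report the findings.
if (Test-RunningAsAdministrator) {
    Write-Warning 'This session has administrator rights; use a Limited User account for day-to-day work.'
} else {
    Write-Output 'OK: running as a limited user.'
}

$summary = Get-AppLockerEnforcementSummary
if (-not ($summary | Where-Object { $_.EnforcementMode -eq 'Enabled' })) {
    Write-Warning 'No AppLocker rule collection is in Enabled mode; unknown software is not being blocked.'
}
$summary | Format-Table -AutoSize

if (-not (Test-AppIdServiceRunning)) {
    Write-Warning 'Application Identity service (AppIDSvc) is not running, so AppLocker rules are not enforced.'
}
```

Run it from a normal (non-elevated) PowerShell prompt so the first check reflects the account you actually use every day.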

Reducing fallout from malware

  1. Work with your financial institution to increase account security. Many people erroneously assume that banks reimburse for financial loss from malware, but that's only for personal accounts. Banks differ in what they offer and can help you figure out what works best for you. 
  2. Use online backup storage. You can store your documents on the Internet securely, so if something happens to your computer you can still get your documents back. Several companies offer a small amount of storage for personal use for free. Also store software licenses so you can rebuild.
  3. Use password safe technology. This is software that will track your passwords and store them protected on your computer and the Internet, as well as generate strong passwords. This means you can have a strong, unique password for each website which reduces the likelihood of having multiple accounts compromised at once.

Cleaning up after malware infection

  1. Notify financial institutions immediately. They will put more scrutiny on your transactions and can work with you to add security measures to your account.
  2. Even the best cleaning may leave malware behind. It's best to wipe everything and start over. Download applications from their legitimate website. Stored copies and third-party sites could have malware embedded in the legitimate software.
  3. Change passwords from a known-clean system. Start first with the websites that could cause the most damage, such as financial institutions or where you could have fraudulent charges against accounts (for example, iTunes and Skype).

Busting some common misconceptions about malware

Anti-virus and a firewall are NOT very effective.
Your firewall is designed to prevent random computers on the Internet from starting to talk to yours. But most malware is spread through the web and email, which means your computer is the one that starts talking to the computer hosting the malware. That means your firewall is largely useless.

Anti-virus software works by trying to know all of the malware out there and blocking it. The problem is that malware is generated faster than anti-virus can keep up, using techniques that ensure anti-virus companies don't see the exact malware you've downloaded. Anti-virus fails more often than it succeeds at blocking malware in real-world testing.

Malicious software is NOT just spread through sketchy sites.
Most malware today is actually spread through legitimate websites. Malicious attackers break into legitimate sites and store their malware there, infecting visitors. It's also common for ads to contain malware, so even large and well-protected websites present some risk.

One web browser is NOT inherently more secure than another.
This was true at one time, but it's not anymore. Some malware still spreads by attacking the web browser, but much more will attack supporting applications like Adobe Reader or Sun Java - two technologies that are independent of your web browser.

Wednesday, March 13, 2013

A Light Look at Cyberwar Capabilities

There has been lots of news for several months about military-grade offensive security capabilities. Within the past couple of weeks this focus has ratcheted up. The tipping point, in my mind, was when Mandiant[1] released a report on Chinese hackers that they were tracking. The report claimed a lot of things, among them that the individuals mentioned in the report were carrying out offensive attacks for the Chinese military against the US military, military contractors and other companies. That's pretty scary stuff! But keep in mind that this report was heavily hyped and coincided with one of the biggest security conferences, so maybe pure altruism wasn't at the heart of the report; maybe it was also in large part driven by PR value.

So now there are lots of people at high levels in the government talking more openly about cybersecurity threats. Generals are testifying in front of congress, the president is meeting with CEOs (I guess they're security experts?), everybody in the government seems to be saying the US is under attack and needs to defend itself. The rhetoric is building to a fever pitch and I'm a bit concerned about what this means for the future. But for now let's look at what the current situation is like.

What a lot of the talk comes down to is one thing: we're being spied on. Well hey that's no surprise is it? Isn't that what the whole Cold War was about? "But" we hear "spying is a lot easier with computers because..." and then they go off and spout a lot of nonsense that comes down to "...we got caught off guard and didn't protect ourselves early enough." OK well that's too bad and we need to fix that problem so let's go do that.

But then if it's so easy for other people to spy on us, isn't it easy for us to spy on them too? Aren't we already doing that? That's a side of the conversation that not a lot of mainstream media talks about, but that a lot of people in the security industry are laughing about. Just within the last couple of years there have been reports of Iranian nuclear facilities being targeted by sophisticated malicious software, and most of the evidence points to the US or US contractors as having created it. Ironically, about a year before it was officially-unofficially reported that the Iranian cyberattacks were authorized by the President, he declared that cyberattacks against the US would be considered acts of war. Whoops.

So let's look at what we know about the US cyberwar capabilities. The first thing I'll do is look at where these US capabilities come from. There are several different angles, so I'll take a shot at enumerating them for discussion, but I'm sure I haven't gotten them all called out, so leave comments if you know of others.
  • US Civilian Government Cybersecurity groups like those run in the NSA.
  • US Military Cyberwarriors.
  • US Government contractors.
  • US allies like Israel, which supposedly has a pretty potent force.
Alright, so let's see if we can take a guess about what resources we have to bring to bear.

  • US Civilian Government Cybersecurity - I mentioned the NSA. The CIA probably also has some people. Maybe FBI. Maybe some others. I haven't run across much information here, but if you know of where some of that could come from I'd love to look at it. The White House wants a lot more of these people and I'm sure Congress is going to fund that. Now it's an interesting thought experiment to ask whether CIA analysts and traditional spies are actually cyberspies. They probably use computers as well as other techniques to carry out their jobs, but does that put them in the cyber arena? 
  • US Military Cyberwarriors - A great article over at Foreign Policy magazine came up with 53,000-58,000 cyber troops. Those are the ones that you can count, and I've got to suspect that there are more. It's also important to note that these are just troops with an offensive mission, not a defensive one. Now to put that into perspective, this is about 4% of the 1.5M active duty troops and is more than all of the CIA (20K according to Wikipedia) and FBI (36K according to their site) agents combined! Hardly a small number. And that's just the obvious ones. No word on what they're spending, but probably a good deal of money here.
  • US Government Cyber security contractors - This is probably one of the largest parts of the cyberwarrior force. There are a lot of reasons that the government would use private companies for this, including the fact that these companies can do things that are illegal if done by the government. Also there's a lot less red tape and oversight, so you can hide a lot of money and effort this way and get them out fast. Most people suspect this is who largely developed the malicious software that targeted Iran over the better part of the last decade. We also know that companies like HB Gary have been supplying cyberweapons to the government for a while, and companies like VUPEN sell attacks as well. I think it's safe to assume that, if it's true, this is a pretty mature part of the capability.
  • US allies - Allies can provide a lot of things to the US, probably mostly access and information. I don't have a lot of knowledge about this so I won't go into it too much, but if you know something, share.
That's a lot of force that the US has to bring to the cyber fight without spinning up a bunch of hype and rhetoric. So why are politicians and others talking so much about this stuff? Why not just go out and do what you want? I can't really say. I think it either comes down to distraction from other problems they would rather not address (healthcare, finances, economy, drones) or they need popular support for some new thing that they want to do and they know you wouldn't support it unless you were scared of hackers.

"What does this mean for your weekend?" or "So what?" Well for starters I think it's important to understand that there's more than one side to every story. The reality is that the US has been engaging in cyberwarfare already. Definitely against Iran and most likely against

A lot more people a lot smarter than me have written good stuff about this too, here are some:
Cyberwar: You Lack Imagination by Erratasec
APT1: The Good, The Bad and The Ugly by Krypt3ia
Comments on Comment Crew by Kyle Maxwell
Mandiant APT1 Report has Critical Flaws by Jeffrey Carr
Chinese Hackers and Security Theater - a three-part series by Cyber Nonsense
Cyberwar: The Pentagon Cyberstrategy - a multi-part series by the excellent Marcus Ranum from a few years ago

[1] Mandiant seems to have gotten the lion's share of the attention (and rightly so, the report and the video they released are compelling to look at) but they're far from the only ones selling Fear, Uncertainty and Doubt (FUD). I'm not singling them out for that, just for the fact that their report and all the hype that followed in its wake seemed to make for a tipping point.

Tuesday, February 26, 2013

Lessons from Journalism in Threat Intelligence

Seth Godin has a great blog post that is relevant to information security professionals. He discusses the problem that the closer to the event, the more expensive and less reliable the information is. This problem directly correlates to issues we face in trying to get reliable information about threats, vulnerabilities or other news. That's because as time goes on the story gets shaped and influenced by multiple accounts, investigations and analysis.

Try this experiment. Find all of the Twitter messages about China and Hacking from the last 6 months and read them, as well as the linked articles. I'll wait. Ha - just kidding, that'd take you years to take in (if you did exactly what I said I apologize - don't follow every instruction you read on the internet)! Now go take a look at a few articles on China and Hacking in a reputable business periodical like The Economist, Time, etc. In 45 minutes you're up to date on everything from 6 months of Twitter feeds. 45 minutes versus 1+ years. That's a huge difference in terms of cost.

And reliability also suffers. In going through the Twitter exercise (again, really sorry about that lost year) you probably found that lots of the info was bogus, misleading, bad conclusions, duplicated, etc. Acting on that bad information costs money too (unless you spend lots of money to try and eliminate the bad information, but that again costs money).

Most companies have figured out that it's expensive to stay up to date on information. That's why there's a big business in Threat Intelligence services. Companies outsource that function. But it's still important to keep in mind that you'll never have a perfect picture of the news just after it's happened. Think of it like a Polaroid picture. No matter how much you blow on it or shake it, it still develops at the same speed.