Cybersecurity refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access. Cybersecurity may also be referred to as information technology security. Cybersecurity is important, because organizations are collecting, processing, and storing unprecedented amounts of data—a large portion of which can be sensitive, such as personal information, financial data, and intellectual property. Organizations need to protect this data. However, one of the biggest challenges in cybersecurity is the ever-changing landscape of security risks themselves.
- State of the Art
- Job Search
- C.I.A. for Success
To understand where we are going, first we must understand where we came from. Cybersecurity is a relatively young field. How did the cybersecurity field start? Let us go back in time and look at the beginnings of cybersecurity and the major milestones that shaped it into what is today.
A timeline of the beginnings of cybersecurity and major milestones:
1960 Engineer Paul Baran argues that a decentralized communications system with many redundant links could help the United States recover from a Soviet nuclear attack. The key was that information could flow across many different paths – much like today’s Internet – allowing connections even if much of the overall system suffered damage.
1968 Donald Davies, a top official with Britain’s National Physical Laboratory, describes a system for chopping data into smaller pieces to make transmissions more efficient. He calls the pieces “packets” and the technology for transmitting them “packet-switching.”
1969 The Pentagon’s Advanced Research Projects Agency designs and funds a packet-switched network called the ARPANET.
1971 Bob Thomas created a program that bounced between computers and would display a message on any infecting screen stating, “I’m the creeper: catch me if you can.”
1973 Robert Metcalfe, an engineer who would later founded hardware maker 3Com, warns the ARPANET Working Group that it is far too easy to gain access to the network. One of several intrusions he describes apparently was the work of high school students.
1983 ARPANET requires its network users to communicate via TCP/IP, quickly making it the global standard. Networks all over the world could then communicate easily with each other, creating the Internet.
1984 Congress enacts the Computer Fraud and Abuse Act—establishing legal sanctions against data theft, unauthorized network access and some other computer-related crimes.
1988 Robert Morris created a computer worm, which slowed the early internet down significantly—giving us the first DoS attack in history. This really brought to light the idea of having to deal with and respond to cyber attacks.
1989 Joseph Popp created the first ransomware attack. Joseph Popp created a Malware called the AIDS Trojan, which was distributed through his postal mailing lists using a floppy disk, with the hope of extorting people out of money.
1990 The United Kingdom passes The Computer Misuse Act. It effectively made any unauthorized attempts to access computer systems illegal.
1990s The Melissa and ILOVEYOU viruses infected tens of millions of PCs, causing email systems around the globe to fail—leading to the development of antivirus technology.
1993 The first browser, Mosaic, is released.
1999 Microsoft Windows 98 came out. This spike in computer usage paved the way for software security systems to be common. Windows released many patches and commercial products. Additionally, many security vendors released anti-hacking software for home computer usage.
1999 The Melissa virus was released by David L. Smith—a mass-mailing macro virus that targeted Microsoft Word and Outlook-based systems and created considerable network traffic.
2000 ILOVEYOU worm was released, attacking tens of millions of Windows personal computers, spreading as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt.vbs"
2002 The Department of Homeland Security was formed, took on responsibilities for IT infrastructure, and eventually created a division specifically for cybersecurity.
2003 The hacktivist group Anonymous was started—an international hacktivist group known for a variety of cyber attacks against several governments and organizations.
2003 U.S. Computer Emergency Readiness Team (U.S. CERT) was developed.
2007 Albert Gonzalez masterminded a criminal ring that stole information from at least 45.7 million payment cards used by customers of US retailer TJX. Companies soon realized the huge impact that such breaches can have and the need to protect and arm themselves with more sophisticated security technology.
2007 Apple introduces the iPhone—heralded a new era of snooping, as police, spies and even jealous spouses find ways to monitor people through powerful personal computers doubling as phones.
2010 A group of the nation's top scientists conclude in a report to the Pentagon that “the cyber-universe is complex well beyond anyone’s understanding and exhibits behavior that no one predicted, and sometimes can’t even be explained well.”
2014 Security researchers published a guide to hacking automobiles, revealing deep flaws in the way automobile electronics communicate with each other.
2016 Wikileaks published the documents from the 2016 national committee email leak. This email leak involved Russian intelligence agency hackers and greatly affected how Americans viewed the 2016 election.
2018 Facebook taught us that social media is selling our data. Marriott Hotels taught us that security breaches can lay dormant for years before anyone notices them. Dunkin’ Donuts taught us that no one is safe.
Laws affect how security is done, how we work.
As Security Professionals, our primary objective is to help organizations meet their goals by ensuring people, systems, and processes are secure. A significant portion of an organization's activities are governed by legal regulations and various ethical standards that can also have a significant impact on how we do our jobs. Therefore, it is important that security professionals have an understanding of the legal and ethical forces at work.
HIPAA — Health Insurance Portability and Accountability Act (1996). Created primarily to modernize the flow of healthcare information, stipulate how Personally Identifiable Information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft, and address limitations on healthcare insurance coverage.
FISMA — Federal Information Security Management Act (Title III of the E-Government Act, 2002). The purpose of FISMA is to establish a framework for the management and oversight of Federal information, information systems, and security programs. To assist Federal agencies with complying with the requirements of FISMA, the act directs the National Institute of Standards and Technology (NIST) to develop standards, guidelines, methods, and techniques for securing Federal information systems. Was updated in Public Law 113 to Federal Information Security Modernization Act of 2014.
GLB — Gramm Leach Bliley Act (1999). While primarily created to allow corporate mergers among financial and insurance institutions, the GLB also brought about “The Financial Privacy Rule,” which governs the collection and disclosure of customers' personal financial information by financial institutions. And “The Safeguards Rule” requires all financial institutions to design, implement and maintain safeguards to protect customer information.
PCI DSS — Payment Card Industry Data Security Standard. While not a law, it is often talked about at the same time. It is a standard adopted by credit card brands to increase the protection of cardholder data.
SOX — Sarbanes-Oxley Act (2002). Created in reaction to multiple corporate and accounting scandals, the act requires companies to produce an annual report stating that they have adequate internal controls for financial reporting.
CALEA — Communications Assistance for Law Enforcement Act (1994). The law requires telecommunications carriers to assist law enforcement with wire tapping activities. Telecommunications carriers are entities that transmit electronic communications for hire. This includes the local telephone exchange service, mobile service providers and anyone else the FCC identifies as providing similar services as long as it is in the public interest.
DCMA — Digital Millennium Copyright Act (1998). An amendment to the Copyright Act of 1976, DCMA makes it illegal for anyone to manufacture or distribute a device or product designed to circumvent copyright protection measures such as encryption or Digital Rights Management (DRM).
First Amendment — The First Amendment of the United States Constitution protects free-speech. An individual’s speech and writing is protected regardless of its format such as paper, video, Internet, etc. It is also protected no matter how offensive it is, whether it is good or evil, and whether it is true or false—except in a few cases such as Child Pornography, false advertising, and threats of violence. This often has a bearing on cases that also cite the CAN-SPAM Act.
CAN-SPAM — Controlling the Assault of Non-Solicited Pornography And Marketing Act (2003) applies to email messages that promote or advertise a commercial product or service. The act specifically exempts transactional and relationship messages that are a result of banking or vendor-customer type communications. The Act does not address political or religious messages. Even though the CAN-SPAM Act does not explicitly include or exclude email messages with political content, it does require that unsolicited email messages meet several requirements such as having an unsubscribe mechanism, containing the physical address of the publisher, and not containing false or misleading header information. The act also states that it is unlawful to send unsolicited email using addresses that were obtained without permission or by automatically generating addresses through permutation.
CFAA — Computer Fraud and Abuse Act (1984). Having been amended many times over the years, the original bill was enacted to prohibit accessing a computer without authorization, or in excess of authorization, ensuring that computer-related crimes did not go unpunished—like that depicted in the movie WarGames.
State of the Art
Automation and Orchestration
Security automation is making machines do task-oriented ‘human work’. Security orchestration is making different products (both security and non-security) integrate with each other. We are already familiar with automation in many aspects of our lives—from our banking app to curated news feeds to computer backups. Our organizations and computing environments are producing more data and more alerts than ever before. Automation and Orchestration are the techniques that we are using to better analyze and respond to those alerts.
AI is the buzz word we are hearing in every new security product and service. Mostly, what these products are actually implementing is Machine Learning, which is a subset of AI. There was a time when AI was a joke. Well it is not funny anymore. We are teaching machines how to think, how to defend themselves, and even practice deception. What could go wrong? Should we be scared of AI? Stephen Hawking, Elon Musk, and Bill Gates have all expressed concerns over AI. The takeaway here is this: Recognize that just as we are using AI to better defend our organizations, our adversaries are using AI to better attack our organizations.
Generalist or Specialist?
When it comes to selecting a discipline in cybersecurity, you may ask yourself--Should I be a security Generalist or a security Specialist? There are security generalists. But those types of roles are usually held by individuals with diverse experiences—coming from working in different industries or various types of organizations. In the past, a security generalist would have done well in finding jobs. However, the security field has become so broad and complex, that more recently, organizations are searching for specialists. So, many individuals will work in a specialty. You can choose a specialty for multiple reasons. It could be because it is an area of interest, or it is an area of academic study, or it is a hobby, or it is a job opening, or it is aligned with prior work experience.
- Network Security
- Application Security
- Endpoint Security
- Data Security
- Identity Management
- Database and Infrastructure
- Cloud Security
- Mobile Security
- Disaster Recovery and Business Continuity
- End-user Awareness
- Governance, Risk Management, and Compliance (GRC)
- Incident Response
- Threat Hunting
- Vulnerability Management
- Penetration Testing
Acquiring new skills and knowledge. Assimilation with the field.
Cybersecurity is one of the most sought-after professions today. But right now, there is a shortage of skilled cybersecurity professionals. Educated and experienced security professionals are in high demand. And since cybersecurity salaries are high, there are many people wanting to start careers in cybersecurity. Therefore, cybersecurity education and training is a big business. But how do you know which programs are good? There are a few things to look for when deciding on a cybersecurity education or training program:
National Centers of Academic Excellence - The National Security Agency (NSA) sponsors the National Centers of Academic Excellence (CAE) program. The goal of the program is to promote higher education and research by granting the CAE designation to regionally accredited two-year, four-year, and graduate level institutions that have met stringent criteria.
Regionally Accredited - Most degree-granting institutions and programs receive accreditation from CHEA (Council for Higher Education Accreditation) Regional Accrediting Organizations—demonstrating that their credits and degrees meet minimum standards.
Industry Recognition – While some programs may not be accredited, they are instituted by organizations that are well respected in the security industry.
Public Reviews – Websites like StudentsReview.com and CollegeTimes.co contain valuable, uncensored information about colleges. Unfortunately, many college review websites are filled with fake reviews or are operated by companies with secondary interests, including active associations with specific institutions, kickback or commission arrangements, and other incentives to suppress negative reviews to make schools look good. So, it is always wise to be skeptical of college reviews.
Cybersecurity training programs typically include courses that cover fundamental building blocks in both general information technology and security. Courses may include the basics of application, system, and network architecture; followed by in-depth knowledge about enhancing security; identifying threats and vulnerabilities; defending data and systems; and implementing security tactics, techniques, and technology.
- (ISC)2 Center for Cyber Safety and Education Scholarships
- CyberCorps: Scholarship For Service (SFS)
- Department of Defense Information Assurance Scholarship
- University of Maryland-College Park Cybersecurity Scholarship
- University of Illinois at Urbana-Champaign Cybersecurity Scholarship
- Rochester Institute of Technology Cybersecurity Scholarship
- Texas A&M University-College Station Cybersecurity Scholarship
- Virginia Tech Cybersecurity Scholarship
- George Washington University Cybersecurity Scholarship
- NSA CAE-CD Cybersecurity Universities Scholarships
2-year, 4-year, Bachelors, Masters, PhD, ScD, on-campus, online
Popular Sites for Free Online Education:
- Khan Academy
- iTunesU Free Courses
- MIT OpenCourseWare
- Stanford Online
- Open Culture Online Courses
Certifications are a great way to acquire specialized skills, because they provide a structured approach to learning. There may be an area of security that you are interested in, but you don’t know where to start. All certifications have defined domains or common bodies of knowledge that tell you what you need to know. Maybe you are really interested in cloud platforms, but you don’t know all the things that go into securing Microsoft Azure or Amazon Web Services (AWS). The best thing to do is to look at that vendor’s certifications, they will tell you. There are books and online courses that will teach you what you need to know. Just as important, certifications provide skill recognition. Certifications can be divided in two categories—Vendor Specific and Vendor Neutral.
Vendor specific – Microsoft, Cisco, Palo Alto Networks, AWS, VMware
Vendor neutral – (ISC)2 (CISSP), SANS (GSEC), ISACA (CISM), EC-Council (CEH), CompTIA (Security+), CSA (CCSK)
Finding jobs that leverage the skills and knowledge that you have invested in, while providing the compensation you need to live.
Your resume is a marketing vehicle. Bring out your power in your resume, by putting a human voice in it and using stories to highlight your awesomeness. You are writing about yourself, so it is perfectly appropriate to use the word “I” a few times. Include a summary at the top of your resume that frames your experience and your career plans. Include contextual information in your work history to help readers understand what the role was about—such as how big the organization was, what industry they were in, and what you were hired to do. Then, add some bullet-stories to tell the reader about your achievements—the projects you led, the technologies you implemented, and the dragons you had slain.
Popular Sites to review your resume:
- Zety Resume Builder
- Resume Genius
- Resume Baking
A job interview is not an interrogation — it’s a conversation. The interview should be a pleasant, friendly conversation to talk about the job opening, not to quiz the job-seeker. Prior to the interview, research the company and the hiring manager. Identify the pain-points that they may be trying to solve with the position you are interviewing for. Put together your own questions and be prepared to tell your story. At the interview be curious, stay attentive, and acknowledge and appreciate the person you are talking with. Have a perspective and a personal mission. Look for the mutual fit. Show the interviewer that you can fit into their corporate culture by adapting to the formality of the conversation. If the interviewer takes a casual approach, then you should conduct yourself casually--while remaining professional. If the interviewer is very rigid or formal during the conversation, then you should also conduct yourself more formally. Do try to answer the interviewer's questions without side-stepping or rambling. If you do not understand what is being asked, then simply ask for more detail. It is better to admit when you don't know the answer, rather than to make-up an answer.
Popular sites for interview preparation:
- Career Sites
- Human Workplace (https://humanworkplace.com/)
- Work It Daily (https://www.workitdaily.com/)
- Job-Hunt (https://www.job-hunt.org/)
- JobBait (http://www.jobbait.com/)
- Careercloud (https://www.careercloud.com/)
- Personalbrandingblog (https://www.personalbrandingblog.com/)
Working with a recruiter can be a great way to advance your job search. Most recruiters in staffing agencies are paid on commission, earning a fee based on your first year’s salary when you get hired. This often works in your favor. The best recruiters will stand out because they know the history of each company they work with and the hiring manger’s story. Many recruiters want to coach a candidate to be more appealing to hiring managers. So, if they recommend a resume change, then take advantage of their suggestions.
Monetize your skills and knowledge.
Some fields have a formalized progression in their career paths. For example, electricians begin their careers as Apprentices, during which they develop their skills and learn about building codes. Then as Journeyman, their experience allows them to apply for licenses and work more independently. Finally, they are recognized as Master Electricians, earning them the privilege to teach and mentor others. The security field is not as formalized, there are many paths into a security career. But generally, security jobs can be classified into a few high-level roles.
Analyst — The security analyst role is the typical entry point into a security career. Analysts are usually responsible for the operation of security controls. For example, they will do things like install and operate software, test new technology, gather and analyze requirements, perform penetration testing, monitor systems for security issues, and document incidents.
Engineer — The security engineer is typically responsible for building security controls. They will do things like analyze security systems and seek improvements; research weaknesses and find cost-effective solutions to cybersecurity problems; and assist fellow employees with cybersecurity, software, hardware or IT needs.
Architect —The security architect designs, builds and oversees the implementation of network and computer security for an organization. As a senior-level employee, they are responsible for creating complex security structures; handling defense and response; building security infrastructures; providing technical guidance; assessing costs & risks; and establishing security policies and procedures.
Manager —Security Managers are responsible for monitoring the security operations for any organization or company. They implement security policies, regulations, rules, and norms and make sure that the environment in their organization is safe for employers and visitors. Managers are required to hire new members for the staff and delegate tasks and duties to them.
Director — The security director is the man or woman in charge of overseeing IT security measures throughout an organization. This senior-level position has strategic oversight of every aspect of security—from staffing and budgets to protocols and incident response. Within smaller companies, the Security Director may be the equivalent of a CISO.
CISO — The Chief Information Security Officer is the executive-level manager who directs strategy, operations and the budget for the protection of the enterprise information assets and manages that program. The scope of responsibility will encompass communications, applications and infrastructure, including the policies and procedures which apply.
There is a broad range of teaching roles in cybersecurity—from certification trainers, to instructors at technical schools, to college professors. It is not uncommon for security professionals to have a teaching role alongside their primary career.
Security is pervasive in all industries. But in some industries, security is at the forefront, or plays a more critical role.
Commercial — security is driven by civil responsibility
Finance — security is driven by consumer privacy
Industrial/Manufacturing — automotive, aerospace, critical infrastructure, etc., security is driven by safety
Government — security is driven by executive order
Healthcare — security is driven by regulations
Defense — security is driven by national security
Tools of the trade.
Prevention is the traditional approach to security—plug all the holes so the bad guys cannot get in. This is things like firewalls, security updates, bug fixes, strong passwords, end user training, application white listing, network segmentation, gates/guards/guns, and anything else we can do to reduce the attack surface. So, we spend money and time on people, processes, and technology to patch all the servers, lockdown all the firewalls, update all the applications, train all the users. We have tens of thousands of vulnerabilities that we are trying to fix, but an attacker only needs to exploit one of them to attack your organization.
If we accept that a bad guy will eventually be able to penetrate our environment, then we want to know when he/she does. We want to know when they log into a computer, change a system setting, install a piece of malware, or exfiltrate data. Detection technologies include anti-virus/anti-malware software, intrusion detection systems, configuration auditing, anomaly detection, environmental sensors, system monitoring, and video surveillance.
Many times an attacker will infiltrate an environment and then lay low for a long period of time—trying not to be detected while conducting reconnaissance. Deception is a psychology game. If an attacker is poking his/her nose around, then we want to confuse them or maybe feed them wrong information, until we can detect and stop their activities. Deception technologies include things like honeypots, honeynets, blackholes, decoy servers, and data obfuscation.
Commercial products are well suited for critical functions that require support, robust features, and defined roadmaps. These solutions are supported by large, diverse, and dedicated development teams and make sense for critical services like firewalls. Commercial products typically integrate better with other solutions.
Open Source solutions offer low- or no-cost alternatives to pricey commercial products for networks and environments that still need securing. These solutions typically make sense for tasks such as network exploration, scanning, traffic capture, and file integrity monitoring. But there can be some drawbacks. Open source tools don’t come with a warranty and can lack roadmaps for future development.
Everyone and everything needs security.
Some have even said that security is a “social” science. Your interest and experience is valuable outside of your career. We can only win in security through community. So, recognize that you belong to many communities and those communities can only grow stronger with your participation. Communities are a primary method of networking with other professionals. They can be a source of inspiration, support, and innovation.
(ISC)² Chapters provide members with the opportunity to build a local network of peers to share knowledge, exchange resources, collaborate on projects, and create new ways to earn CPE credits.
The Information Systems Security Association (ISSA) is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members.
As an independent, nonprofit, global association, ISACA engages in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.
Local social groups that gather to meet new people, learn new things, find support, get out of their comfort zones, and pursue their passions.
Having a career mentor is the best way for you to get your career moving and reach your goals as fast as possible. But you do not get a career mentor by walking up to someone and asking them “Will you mentor me?” A mentor is something that grows out of a friendship. All you need is a vision of where you want to be in your career, the drive to get there, and the confidence to ask for help. It could be a former boss, professor, family member, or friend who may be able to help you. Start by contacting this person, buying them a cup of coffee, and saying “I would like your help please.” The relationship you will have with your mentor will be ongoing—it’s a relationship that can last a very long time. Remain respectful, be punctual and well prepared when you meet with your mentor. If you nurture the relationship, then your mentor can guide you throughout the life of your career.
There is no shortage of security conferences. They come in all shapes and sizes. They can be a great source of inspiration and motivation. Often, we get consumed with our daily work or studies. We start to form blinders that prevent us from seeing outside our jobs and our organizations. Attending a conference gives you the opportunity to see and learn about what other people are doing. It gives you a broader perspective on the security industry—new trends, research, products, and methods.
C.I.A. for Success
There are three pillars in information security—Confidentiality, Integrity, and Availability—C.I.A. Here are three pillars to help you be successful as a cybersecurity professional.
Am I good enough? Clever enough? Hacker enough? Imposter Syndrome is systemic to Information Technology—good, successful people feeling like they do not belong. We are knowledge workers—it is hard to measure what we know. And sometimes there is a misconception that others know more than we do. Maybe the results do not always match the effort that we put in. Or we allow perfectionism to get in the way, minimizing our successes and maximizing our failures. If you ever start to feel like you do not belong,…
- Don't Compare Yourself To Others
- Reframe Your Thoughts
- Acknowledge Your Successes
- Find A Mentor
- Focus More On Others
- Be A Lifelong Learner
- Face Your Fear
- Stay curious
- Keep Going!
Integrity (Intellectual Honesty)
Security is not about being perfect, it is about doing what is right. In cybersecurity we are often faced with making difficult decisions—decisions that could impact a single person, a department, an entire organization, or even millions of consumers. Do your research, make sure you fully understand the problem and its impacts. Consult with others. Look for the facts, seek the truth. Speak honestly. Stand by your decisions and be prepared to explain your reasons for making them.
Inaccuracy and Inconsistently undermine security. In Cybersecurity it is often our job to ask the difficult questions, digging deeper to find what is true and accurate. The information that we gather and the recommendations we make are going to influence decisions that can have significant impacts to the organization. Unfortunately, security is hard—working with people is messy. Trust must exist for us to be successful in our careers and our organizations. We must be able to trust our co-workers and they must be able to trust us. Accountability breeds trust. Being accountable means being transparent, having open communication, standing by your decisions and actions, taking ownership, and following through and getting done what you said you would get done. Ultimately, when team members consistently demonstrate ownership and accountability, trust is formed. You trust someone will do the right thing and trust that they will do what they said they would do. Trust is the backbone of security.