To put it in the limelight: information security can be a hectic field to study if you believe it to be the only profession you will dedicate your time to. Certainly, anything taken seriously takes time, and the same applies to information security as a profession. This post walks through how one should go about it so as to cut down the time spent on decision-making, since switching decisions later on can cost a lot of time in an information security career.
What’s Information Security?
Information Security is a domain of subject expertise in which an individual studies security, often sub-divided into application, network or host security within computer science. It is not programming as such; it is partly the development of technology to break existing technology, in order to define new sets of policies that can then defend the technology that was broken. In terms of technologies, it could be:
- Software Technology
- Hardware Technology
Software Security is the part where an individual has to assess security and express, both qualitatively and quantitatively, its risks and the economic impact of those risks. Hardware Security is the routine maintenance of a secure implementation to harden the infrastructure that has been built. Hardware Security may depend on Software Security during its implementation, e.g. in biometric devices. Any technology that needs ‘security’ for its procedural working, without its assets being compromised, needs information security. In short, information security is a domain with many sub-categories of security expertise that one can pursue according to one’s interests.
Information Security is the core foundation of any digital ‘security’ study, independent of its nature, i.e. whether hardware security or software security. The most closely related categories of this super-domain are:
- Application Security
- Network Security
- System Security
Application Security can be web application security, mobile application security or thick client software security, whereas network security can focus on secure network infrastructure set-up, network perimeter security (internal and external), network appliance security (routers/switches, etc.), or internal server hardening. System security is specific to host systems and to securing their operating systems so that they function safely in the industry and its environment. There is no definite limit to Information Security: Data Security is where data warehouses have to be protected, covering their encryption, storage security and so on. Information Security also does not have to be a fixed set of classified areas, because the field keeps growing as new technologies are added (e.g. API Security has been added since Web 2.0 and did not exist in the Web 1.0 era).
How does one climb one ladder up in InfoSec?
There’s no easy shortcut. One must put in their own effort to gain the fundamental concepts and then professionally opt for certifications, even if these do not help much in practical industry work. For instance, Certified Ethical Hacker is a very renowned certification to start out with, but it seldom provides any value to the organization in terms of technical security testing. Further along the way, I have enumerated some of the best certifications to pick from in order to sustain oneself in the security industry, and these are:
- OSCP via Offensive Security (entry level information security)
- OSEE via Offensive Security (windows/*nix exploit dev aligned)
- OSWP via Offensive Security (inclined to wireless security)
- OSCE (inclined to pure exploitation; can be pursued on the way to OSEE)
- SANS GIAC GXPN via SANS (targeted at exploit research, closer to OSEE)
- SANS GIAC GPEN via SANS (targeted at entry-level pentesting)
- SANS GIAC GSEC via SANS (lateral entry into Information Security, no specifics)
- SANS GIAC GWAPT via SANS (specific to web applications)
- SANS GIAC GAWN via SANS (specific to wireless security)
- CREST (considered the best in Europe, and the applicable industry standard in Europe)
- CREST CRT Pen via CREST (for Offensive Security Certified candidates in Europe)
The certification in itself won’t do the job. Being a constant learner and keeping oneself updated on new technologies and ways to break them is for sure the best way to keep track of progress. There are already tons of certifications provided at lower cost but without any technical know-how, and most of them are based purely on theory. Leaving aside network security and application security, there is hardware security, and curious people will often find breaking hardware devices very fascinating. Newer technologies such as the Raspberry Pi make IoT (Internet of Things) easier, and hackable.
In this regard, climbing one step at a time must be in terms of conceptual gain, with the right mind-set towards the path taken. For example, if Application Security is taken up by a fresher in the industry, he/she should first be familiar with the underlying technologies and fundamentals and then move into its security. A lot of OWASP documentation carries information about application security, and it is freely available on the web. There are recommended books which come in handy in general for ‘penetration testing’, and some of them are:
- Penetration Tester’s Open Source Toolkit, Vol. 2
- Dissecting the Hack: The F0rb1dd3n Network, Revised Edition
- Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques
- Gray Hat Hacking, Second Edition: The Ethical Hacker’s Handbook
- Professional Pen Testing for Web Applications (Programmer to Programmer)
To start with, these books are convenient as they are easily readable and give a first-hand impression of how penetration testing works overall. It is also recommended to take a crash course in coding in one of the web technologies and, in parallel, go through a scripting language to automate certain tasks, which will be an added benefit during professional penetration tests.
How does the InfoSec industry work?
It is very important to know how an industry works before any serious commitment is made to it, and the same holds for the information security industry. To sustain and regularly grow in the industry, a professional security enthusiast must put in the effort to learn the specifics of how their industry works. Doing a blindfolded penetration test might not be the best approach to solving the right problems in an industry; there are processes and regulations that have to be followed, and certain standards have to be kept constant.
As I said earlier, information security is growing, and so are its applications and overall categories. It is crucial here to understand how the software economy works and hence how to develop a plan to assess the risks related to the information that the business provides. Securing the assets of the business is the task that has to be carried out by security consultants, penetration testers, security auditors and security analysts.
The most basic way to assess risks in information security is to have ‘threat modeling’ in place. Threat modeling helps the industry understand its specific assets, how these assets could be affected, and by whom. The ‘whom’ factor is the ‘threat agents’. To keep it short and to the point: a threat agent is something that gives rise to a threat. To treat the threat the right way there is risk treatment, and in information security the risk treatment procedure may be called ‘mitigations’. A dedicated group of security auditors and the security team plan the mitigation techniques with which the team will respond in case a risk/threat arises. Carefully handling risks/threats can be a huge task in itself, and hence frameworks are used to keep track of all the security risks and to actively monitor for live vulnerabilities; the task of identifying these vulnerabilities is done by penetration testers through black-box, white-box, grey-box or glass-box testing. To keep risks to a minimum, the SDLC should be built securely from scratch. Integrating security into the SDLC is not yet the norm, but it is the need of the hour and a must now.
Shritam Bhowmick is a web application penetration tester professionally equipped with traditional application security testing as well as professional security management, leading a team of experts and adding active value to Defencely Cloud Security Pvt. Ltd. He currently holds technical expertise in web application threat reporting and coordination for Defencely Cloud Security Pvt. Ltd.’s clients.
Among his accomplishments, he has experience in identifying critical web application vulnerabilities and adds value to Defencely with his research work and by developing the R&D team. The R&D sector for application security is growing at Defencely and is taken care of by him. Professionally, he has had experience with several other companies working on critical application penetration test engagements, leading the Red Team, and also has experience training curious students in his leisure time.
Beyond his professional expertise in Application Security, Shritam Bhowmick uses his knowledge for constructive Red Teaming penetration test engagements for key top-notch Indian clients and has a proven record of excellence in the field of IT Security. A Google search of his name would suffice. Shritam Bhowmick has delivered numerous research papers, mostly application security centric, and loves to go deep into the details. This approach has led him to innovate rather than re-invent the wheel for others to harness old security concepts. In his spare time, of which there is barely any, he blogs, brainstorms on web security concepts and prefers to stay away from normal living. Apart from his professional life, he finds bliss in reading books, playing chess, philanthropy, and basketball for the sweat. He wildly loves watching horror movies for the thrill.