Starting Your Cybersecurity Career

Cybersecurity as part of an overall Information Systems environment has existed for many years, but recent cyber-attacks have forced companies of all sizes to focus on cybersecurity to enhance security, protect sensitive customer and employee data, and to prevent damage to their corporate brand. Maybe you are looking to jump into a cybersecurity career? I have some basic tips to help you make the leap to a rewarding career in cybersecurity.

  1. Skills – A company only wants to hire the best employees, usually for the lowest wage possible. Your salary is usually based on your skills, experience, and the local market. If you haven’t got any relevant experience, and you can’t demonstrate relevant skills, you may never get a cybersecurity job, and you’ll definitely be underpaid if you do get one. The best way to demonstrate skills without experience is an industry-recognized certification. While having a degree in cybersecurity will open some doors, an EC-Council Certified Ethical Hacker (CEH), CompTIA Security+, or many other certifications will help demonstrate you have the knowledge and skills to tackle the complexities of cybersecurity. Look at job postings to see what types of certifications are needed or common for the type of job you want to pursue. You can get a free certification called Certified in Cybersecurity from (ISC)², the same cybersecurity professional organization known for the popular CISSP certification. Just sign up as an (ISC)² Candidate. When you’re ready to sit for the exam, you can find your exam promo code on the Candidates benefits page. Please note that you may only use the exam promo code once. To register for your exam at a Pearson VUE test center, visit https://www.isc2.org/Register-for-Exam
  2. Experience – This can be the most difficult thing for a beginner to accomplish. How can you be expected to gain experience if you can’t get a job without experience? You can try internships, a part-time job, freelancing for a few friends or associates, volunteering at a local non-profit, or complete Capture-the-Flag (CTF) challenges. These are all great ways to gain hands-on experience in cybersecurity, maybe without giving up your normal job. These initial experiences will not only help you determine if this career is right for your personality and lifestyle, but it will also build your skills and experience to enhance your resume.
  3. Awareness – Most of what is happening in cybersecurity isn’t mainstream news. You need to follow some basic industry news sites (securityweek.com, thehackernews.com, bleepingcomputer.com, etc.) to learn about new attack methods, attend cybersecurity conferences to listen to experts and vendors, participate in free webinars to learn new skills, and join online or local communities to meet your future coworkers. These relationships and information are usually free (or low-cost) ways to stay informed about emerging threats, hacking tools, and industry best practices in the field. Being a well-informed cybersecurity professional adds value to your portfolio and can attract interest from an organization during an interview.
  4. Relationships – By networking and building professional relationships, you can create a strong professional network that can possibly offer you mentorships, job referrals, information about recent job postings, or just someone to talk to when you need a pep talk.
  5. Attitude – You’ll probably meet a few people who still think of security professionals as teenagers living in their parents’ basement trying to hack into the Pentagon or the local video game store. You’ll need to demonstrate your professionalism in actions and appearance. Cybersecurity professionals have access to critical and sensitive business information, so you’ll need to demonstrate you can handle that responsibility with the highest standards of conduct, ethical behavior, and professional demeanor. This includes while at a job interview, attending a conference, and while talking to colleagues or friends. Don’t give anyone a reason to second-guess the opportunity to recommend you for a job.
  6. Focus – Learn everything you can and stay focused on the prize. Don’t take half steps toward getting that dream job in cybersecurity. There are entry-level jobs out there, you just need to be persistent and patient to find the hiring manager willing to give you a chance. The more you know, the more you’ll find out how much you don’t know about cybersecurity. Accept your limitations and lean into finding an entry-level position. Stay curious and accept you have a ton to learn, but demonstrate a willingness and ability to learn.

These are the basic building blocks to finding a rewarding career in cybersecurity. Some people find it easy and get an entry-level job a few weeks into their job search, while others can spend months without any luck. It doesn’t mean you are doing something wrong. Stay positive and focused and you’ll eventually find success.

Understanding Hacking

Most people today have heard about hacking and malicious attacks. You might have even seen the effects of this activity on the news, in your personal life, or while at work. What you might not understand is what a hacker really is and how they are different from other types of network users.

Terminology

  • Malicious User – Usually an internal attacker who has limited access to company resources and decides to access sensitive data from within the company or even launch attacks on corporate systems from inside the network. This is usually an intentional attack, but it can also be unintentional when their system has been compromised by another user through malware or a virus.
  • Hacker – For many years this was defined as someone who liked to tinker with technology and experiment with ways to make technology useful in their environment. This has more recently meant someone who is remotely attacking systems for personal gain. Hackers usually have increased status with their friends if they can prove they accessed high profile environments or networks, but often attacks are completed without any acceptance of responsibility.
  • Ethical Hacker – This is someone who attempts to hack network systems to test the security of the systems involved, and uses their knowledge to protect the target systems from unauthorized access or misuse. There are people who do this as part of their jobs, and they are generally referred to as “system auditors” or “security specialists”, but that isn’t really ethical hacking.

Ethical Hacking is attempting to find new ways to use technology to improve a process, or finding a different way to use something that it wasn’t intended for, where the result is helpful and doesn’t do any harm. It can also be the practice of attempting to find new security vulnerabilities in a piece of network hardware or in the software used in those devices. Security specialists or system auditors generally test systems against a list of known vulnerabilities, while ethical hackers are usually finding those new vulnerabilities. These different technology groups are doing different jobs, but they generally work together to make corporate network environments safer and more secure.

You should also be aware that there are several laws and guidelines that dictate the difference between unlawful and lawful activity when it comes to network security. You need to be aware that HIPAA, HITECH, GLBA, NERC, etc. all govern activities under U.S. federal law. There are also private guidelines like the PCI DSS requirements written by the credit card companies. If you stray outside of their requirements you could be identified as a hacker and find yourself on the wrong side of the law. You should also be aware of any policies your company might have about network activity before you attempt any probing of your network security settings.

Understanding the Need to Hack

You have to think about Ethical Hacking like a treasure hunt. The first person who finds the treasure determines how it is used. If an ethical hacker finds the vulnerability, it can be reported and quickly fixed by the vendor before it can be used for illegal purposes. If a hacker finds the vulnerability, they will not report the issue and will use the new weakness to attack systems for personal gain.

To discover a new vulnerability, you have to think like a hacker. You have to understand what systems they would normally attack, what techniques they would use to compromise those systems, how to test against known vulnerabilities, etc. Since hackers prey on weak system security, you have to make sure you have the strongest possible security and force the average hacker to move along to another system that has weaker security. A determined and skilled hacker will often find a way into your network, but that doesn’t mean you have to make it easy for them to attack your systems.

A good ethical hacker will periodically attack their own network, simulating an attack by a determined hacker. Testing against more vulnerabilities, adding variety to your attack techniques, focusing on common attack methods, and constantly adjusting and improving your network settings will all help you toward your goal of total network security.

Ethical Hacking Techniques

As an ethical hacker, your goal is to secure your network systems:

  • Prioritize systems so your efforts are focused on the systems that matter the most.
  • Use nondestructive attacks to test systems for vulnerabilities.
  • List all known vulnerabilities and which ones you have tested so you can double-check your results and report to your corporate management the scope of your efforts.
  • Immediately address any vulnerabilities discovered on your network.

Another area of attacks on your network systems is non-technical attacks. This can be as simple as calling a few employees until you find one who will provide you with their network password. It could also involve sorting through discarded trash in the dumpster outside of your corporate office. You might also have success just walking around the office and looking for passwords taped to monitors or laptops. The key to improving non-technical security is education of non-technical users.

One great resource for a list of known vulnerabilities is the NIST Vulnerability Database (NVD).

Remember, if you are going to be an Ethical Hacker, you have to have the highest moral standards and be trustworthy. Any misuse of the systems you are attacking is strictly forbidden and you must respect the privacy of the information discovered.

Assessing Your Technical Skills

We only know what we know, and sometimes we don’t know what we don’t know. If you’re thinking about going after a professional certification (or just trying to assess how much you know in a particular system or security subject area), the new skillset.com site might just be your favorite new website.

The Skillset site is still in beta, having been launched in March, but it already has a huge collection of questions organized into quizzes that can help you prepare for those scary exams or just show you where your strengths and weaknesses are in critical technology domains of expertise. And don’t forget it is free.