Gregory Peter H.

Getting an Information Security Job For Dummies


You need to confirm your identity and increase your storage to continue using your email account.

      In these and virtually all other ruses, you think that you've been directed to the organization’s website for the purpose stated, but you are actually sent to an imposter site. There, you might fill in your login credentials, which the fraudsters then use to gain access to the real site and carry out their scheme, such as stealing your money or taking over your email account. Or the imposter site has a form that requests a credit card number, a bank account number, or other sensitive information that the fraudster can use to separate you from your money.


Today’s online fraud schemes are nothing more than modern-day confidence tricks designed to convince you to trust an unknown party and then provide them with sensitive information.
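As an added illustration (not from the book), here is a defender-side check for the mismatch the paragraph describes: a link whose visible text names the organization's domain while its href quietly points to an imposter host. The sample email body, the host names and the function names are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    # Naive: last two labels. Good enough for .com/.net; a public-suffix
    # list is needed to handle ccTLD forms such as example.co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_mismatched_links(html):
    """Return (visible text, real host) for links whose text names a
    domain different from the domain the href actually goes to."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(real_host):
            flagged.append((text, real_host))
    return flagged

# Constructed sample lure, modelled on the "confirm your identity" ruse above
SAMPLE_EMAIL = """<p>Your storage is full. Please confirm your identity at
<a href="http://mail-example.com-verify.example.net/login">https://mail.example.com/verify</a>
or see <a href="https://mail.example.com/help">https://mail.example.com/help</a>.</p>"""

if __name__ == "__main__":
    for text, host in find_mismatched_links(SAMPLE_EMAIL):
        print(f"link shown as {text!r} actually goes to {host}")
```

The check catches only links whose displayed text claims a domain; a lure that says "Click here" gives it nothing to compare, so it complements rather than replaces a reputation or lookalike-domain check.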

      Knowing Your Adversaries

      Many technologists think that an information security program is all about technology: That technology is the root of the problem and technology will solve those problems. If this describes you, I appeal to you to open your mind to other ways of thinking about information security. Even if the aspect of information security that fascinates you the most is technology (and we need a lot more people like you), understanding the people behind technology-related issues can be helpful.

      Information security involves a lot of technology but is at its root a people issue. Information security professionals are responsible for protecting assets against people: careless insiders, malicious outsiders, and many in between. Our vocabulary includes many terms for the different sorts of actors and for the behaviors, unwelcome to all of us, that set them apart. I describe them in this section.

       Hobbyists and enthusiasts

      Because the term hacker has been maligned in recent years, I prefer to use the term computer hobbyist to describe computer enthusiasts who love to explore computers to understand more about how they work. Hackers, hobbyists, and enthusiasts – let’s agree that they’re all about the same.

      Hobbyists are curious, peaceful folk who love technology, love to figure out how things work, and love to improve their electronic gadgets. Hobbyists and inventors are similar. Both enjoy making things better for themselves and others by taking things apart (logically or literally) to see how they work, and then modifying them to make them better. The world is full of people who like to tinker with their cars, motorcycles, radios, and computers. Think of early computer overclockers or musicians whose amps go up to 11.

      Hobbyists with good judgment and discipline are our friends.

       The fall of hackerdom

      Before most people in the world were even born, the term hacker was generally a positive one. A hacker was a hobbyist who was curious about how electronic-ish things worked and would implement customizations to improve or enhance their performance. In the early days of computers, a computer hacker was one who sought to understand how computers worked and to employ changes to improve them.

      Then as now, some hackers would explore computer systems – still seeking how they worked and ways of making modifications – but for malicious purposes.

      The term hacker as a benevolent hobbyist has fallen into disuse and the dominant meaning of the term is a malicious person. And good hackers are generally known as computer hobbyists so they can distance themselves from the others.

       Script kiddies

      A deservedly maligned bunch, script kiddies are teenage troublemakers with too much time on their hands who use tools created by others to attack computers and networks. Typical script kiddies have little or no understanding of the inner workings of the tools they use.

      Early in my career, script kiddies were typically the most significant problem for us – there were a lot of them and the tools they used could cause quite a bit of damage. But in retrospect, they were like gnats that swarmed around our faces, irritating and bothersome but usually not very harmful.

      Like a lot of technologists, some script kiddies start as novices but build their knowledge and skills. They improve the tools they use and, eventually, write hacking tools of their own.

       Hacktivists

       Hacktivist is a blend of the words hacker and activist (think Greenpeace or PETA). Hacktivists are generally known for disrupting computers and networks belonging to organizations and governments with whom they disagree politically or ideologically.

      It’s a big crowded world, and the Internet is a never-ending fount of information about every sort of organization. For every organization, you'll likely find people who oppose what the organization does or stands for.

      Some noteworthy examples of hacktivist activities follow:

       ✓ PGP (Pretty Good Privacy): A popular email encryption program, PGP was thought to be released in response to a U.S. Senate bill that demanded government access to the plain text contents of voice, data, and other communications.

       ✓ Website mirroring: When an organization or a government blocks access to a particular website, a hacktivist will mirror (copy) the contents of the blocked site to another site, so that its contents can remain available.

       ✓ WikiLeaks: This website publishes leaked industry and government documents.

       Corporate spies

      Companies spying on each other to obtain commercial secrets is nothing new. However, the migration of paper records to computers and the Internet has provided new opportunities and methods for companies to spy on each other. The Internet provides the means for spies to discover target systems and to steal their data for further analysis and exploitation.

       The future is bright for information security jobs

      There is a critical worldwide shortage of workers with information security skills. For the most part, these jobs pay well, with pretty good working conditions and a good standard of living.

      In January 2014, the Ponemon Institute conducted a survey of information security managers and developed several key findings, including:

       70 percent of respondents said that they don’t have enough IT security staff.

       58 percent of senior security staff positions and 36 percent of staff security positions went unfilled in 2013.

      In 2014, Burning Glass Technologies’ market overview of information security jobs reported that job listings in cybersecurity had grown by 74 percent from 2007 to 2013, more than twice the growth rate for IT jobs overall.

      Unlike the dot com bubble in the late 1990s, the growth rate in information security jobs is not a flash in the pan but a response to painful advances by cybercriminal organizations as well as increasing regulation on information security and privacy. Short of a miraculous discovery in data protection that cybercriminal organizations are unable to overcome (yeah, right!), the demand for information security jobs should remain strong for many years.

       Malicious insiders

      Take good care of your employees and they’ll take good care of you. However, companies that don’t treat employees so nicely sometimes pay a heavy price. Employees who are bored, angry, unhappy, or who think that they will soon be fired or laid off often use revenge to settle the score.

      Now and then, we hear a tale in which an employee who believed that his or her job was about to end decided to exact revenge on the employer. The popular cult movie Office Space explores this theme in detail.

       Careless insiders

      A careless insider is a legitimate user in an organization but, well, careless. Perhaps the person lacks judgment, or is working too fast, or needs training, or is not paying attention.

      Careless insiders can be especially damaging to an organization because they possess what intruders lack: issued