380 likes | 566 Views
Career in Information Security. Nata Raju Gurrapu http://mycnis.weebly.com. Agenda. What is Information and Security. Industry Standards Job Profiles Certifications Tips. Why Information Security?. Increasing regulatory compliance
E N D
Career in Information Security Nata Raju Gurrapu http://mycnis.weebly.com
Agenda • What is Information and Security. • Industry Standards • Job Profiles • Certifications • Tips
Why Information Security? • Increasing regulatory compliance • Requires organizations to adopt security standards and frameworks for long-term approach to mitigating risk • Evolving and emerging threats and attacks • Continual learning of new skills and techniques • Convergence of physical and information security • Accountability between information security professionals and management falls on several key executives to manage growing risk exposures
What Is Information? • Information is collection of useful DATA. • Information could be • Your personal details • Your corporate details. • Future plan’s
What is Information Security? • Access Controls • Telecommunications and Network Security • Information Security and Risk Management • Application Security • Cryptography • Security Architecture and Design • Operations Security • Business Continuity and Disaster Recovery Planning • Legal, Regulations, Compliance and Investigations • Physical (Environmental) Security
Explore : – Industry Standard • Knowledge – nothing beats core concept understanding • Certification – helps in proving your exposure as fresher.
Explore : Types of Info-Sec jobs • Ethical Hacker • Vulnerability Assessment • Penetration Tester • Forensic Investigator • Security Governance • Auditor • Security Administrator • Secure Developer
Explore : Type of certification • Security Analyst – CEH, ECSA, OSCP • Development – SCJP, MCSE • Server Security – RHCSS • Auditor – ISO 27000 lead auditor
Clarify : Information Security • keep the bad guys out • let the trusted guys in • give trusted guys access to what they are authorized to access
Clarify : Secure Developer • A Developer who is aware about security issues. • Developers now are classified In 3 major category • Thick Client Developer • Thin Client Developer. • Kernel or driver developer. • If you can exploit it you need to patch it.
Clarify : Security Administrator • Server Administrator with background into Security. • Skills Required • Server Hardening. • Firewall configuration.
Clarify : Vulnerability Assessment • It is the process of finding possible exploitable situation in a given target. • Target could be Desktop/ Laptop, Network, Web Application, literally any device with a processor and motive to achieve • Skill Set • Understanding of target architecture. • Eye for details and thinking of an exploiter. • (Optional) Programming for nessusplugin.
Clarify : Penetration Testing • Next Step to vulnerability assessment. • Here the target is actually evaluated against a live attack. • Skills Required: • Programming : C / C++ , Python, Perl , Ruby • Understanding of an exploitation framework. • Metasploit • Core impact
Clarify : Forensic Expert • The post – mortem specialist for IT • Responsible for after incident evaluation of a target. • Skills • All that’s needed for VA/PT. • Understanding of forensic concepts not limited to data recovery, log evaluation etc.
Clarify : Auditor • Reviews the systems and networks and related security policies with regards to Industrial standards. • Skills Required • Understanding of compliance policies • HIPPA, ISO 27001, PCI DSS, SOX and many more. • Understanding of ethical hacking concepts and application.
Commit : How to gain Knowledge Spend first few years mastering fundamentals • Get involved in as many systems, apps, platforms, languages, etc. as you can • Key technologies and areas • Relevant security experience • Compliance/regulatory/risk management • Encryption • Firewalls • Policy • IDS/IPS • Programming and scripting
Commit : Technical Skills Required • LEARN the Operating System • LEARN the Coding Language • LEARN Assembler & Shell Coding • Learn Metasploit • Learn Nessus • Learn Writing exploit for Metasploit • Learn writing scanning plug-in for Nessus.
Commit : Soft Skills Required • Learn Presentation skills. • Learn business language.Management likes to hear that.
Commit : how to gain certificate • Attend Training • Learn, understand and apply the concepts in a controlled environment. • Take exam when you have confidence.
Commit : how to practice • Set up a lab at home. • Physical Lab (best) • Virtual Lab (second Best) • Keep yourself updated subscribe to Vulnerability DB. • Practice regularly on a secured home lab.
Commit : First job • Lower rungs of the tech ladder • Unpaid Overtime is Expected • When offered company training – take it • Expect to make Mistakes • Learn from them
Things to Remember • Learn to Question Everything. • Keep yourself up-to-date. • Be expert in one field however, security specialist are more on advantage if they develop generalist skills. • Security is extension of business needs and should support it. • Form group of like minded people.
HACKER GOT HACKED • Keep your system and network secure first. • Avoid publicizing about being “HACKER” till you have practiced enough and feel confident. • Self proclaimers are not seen with good eyes in security communities. • Your work should speak and not your mouth.
Why Certification is good • Nothing beats the first hand Job Exposure. However, When you hit roadblock, certifications helps
More on Certification • Passing a Certification exam says that: • You have the minimum knowledge to be considered for certification (at the time of the test) • OR • You are very good at taking tests.
Industry Certifications • EC-Council • CEH, ECSA, CHFI ,ECSP and More • ISC2 • CISSP • Offensive Security • OSCP • ISACA • CISA and CISM