I have heard a lot of buzz around security and CISSP in IT organizations, but I am not sure what this entails. What are the day to day roles of a Security Analyst/Engineer and what steps do you need to take to become one?
Most of the security people I know are consultants, who work with multiple organizations to make sure they are in compliance with various industry security specifications (PCI DSS, HIPAA, etc.). In larger organizations, they work with the engineering and operations teams to make sure that new deployments and installations are built securely from the beginning, as well as identifying problem areas and setting up plans and procedures to get the problems fixed, as well as to prevent them from happening again.
It's challenging work.
As for finding a job, SANS training is probably a good place to start, as it'll give you some fairly well-recognized certifications, as well as access to all of the pay-for content on the SANS websites (and it's good for networking as well). The big downside is cost; doing the week-long SANS course will run you a total of around $7k, if you include airfare and lodging (not to mention the $5k tuition).
- Make sure all the applications follow the compliance policy of the company
- External facing sites are hack proof
- Ethical hack tests
- Security restrictions of the access
- Assessments of the application for audit purposes (normally twice a year, based on the policy)
- Determining the procedure for information security rules (email communications, data archiving, timeout convention, access restrictions)
- Security awareness.
As niche as "security" seems, it actually encompasses three main types of roles, and a couple of areas of coverage. These are actually quite different...
Common roles:
- Enterprise IT security department
These guys usually deal mostly with policy enforcement, auditing, user awareness, monitoring, maaaaybe some enterprise-wide initiatives (e.g. SIEM, IdM, etc), and an occasional Incident Response. Also probably give a security PoV on purchasing 3rd party products (whether COTS or FOSS), and in any outsourcing RFP.
- Security team in development group (either in enterprise or in dev shops)
Mostly deal with programmer education and training, some security testing (or handling external testing, see below) - this includes both pentesting and reviewing code, maybe defining security features. Some orgs will have the security team also managing risks, participating in threat modeling, etc.
- External consultant / auditor / security tester
This usually covers, in some form, all of the above, most often with an emphasis on penetration testing, code reviews, and auditing for regulatory compliance (e.g. PCI). In addition, serving as the security expert, go-to guys for the other types of organizations, such as supplying all the relevant advice.... therefore usually expected (though not necessarily the case ;-) ) to be more up to date than anyone else.
Likewise, in all the above there are different areas of expertise, and an expert in one won't necessarily have anything intelligent to say in any other area:
- Network security, e.g. routers, firewall, network segmentation and architecture, etc.
- O/S security, which is of course further subdivided according to O/S flavor (i.e. Windows security expert and Linux security experts might not know much about each other's stuff).
- Application security - i.e. how to program securely (which may be necessary to subdivide according to language, technology, etc.), but also application-layer attacks, e.g. Web attacks, etc.
- Risk management experts - more focused on the business side, less on the technical
- Compliance officers - some places have these dedicated, and they're experts on all the relevant regulations and such (note that this is borderline lawyer-like work!)
- Identity architects - for larger, security conscious orgs, that have complex IdM implementations and the like...
- Auditing and forensics experts, deal mainly with SIEM/SIM/SOC, and also with investigations after the fact.
There are probably some other niche-niches that I'm skipping over, but you're starting to get the picture.... As you can see, what a security guy or gal does on a day to day basis is as wide and varied as the companies in which they work. Most often, this DOES require shifting several hats, and working mostly on short tasks... BUT what stays the same (usually) is the requirement to focus on the risks (and threats), whether it's mostly a technical job such as defining firewall rules, or communicating with the business and lawyer types about the organization's current security posture.
As to how to get into the field? Ideally, you have some experience (preferably expertise) in some other field, that you can then specialize to security.
You used to be network engineer? Great, start with focusing on network security, and go from there.
You're currently a systems administrator? Wonderful, you've probably worked a bit on security already, start learning more in that field.
You've been programming since you were a kid, and want to move to security? Fantastic, you should already have been learning about input validation, cryptography, threat mitigation, secure DB access, etc... Learn some more, figure out what you're missing, and then give me a call ;-).
And so on... On the other hand, if you have no background and want to START in security, that's tougher - because as I've explained, most often the security guy is expected to be the expert on whatever it is. You can try to join a pentesting team, and grow from there... The important part is to focus on risk management (and, for the technical, threat modeling).
I also strongly suggest you read lots of security books and blogs (I love Bruce Schneier's stuff), and also try out OWASP for the application side of things.