Information Security — What, Why, How…

Pramod Rana (@IAmVarchashva)
7 min read · Jun 7, 2020

As the world takes strides into the digital realm, information security breaches are, without a doubt, happening at an alarming rate, and the skill sets needed to counter them are difficult to locate and acquire throughout the industry. Information security is (or should be) a priority for most (ideally every) organisation, and hence information security is a more lucrative career option today than ever. In most of my interactions with people who have just started, or are about to start, in the field of information security, I have been asked questions along the lines of the following:

  • What are the different domains within information security?
  • Where should we start?
  • What skillsets are required for those domains?

In this article, I am jotting down my experience and understanding regarding information security, which I have learnt in my professional journey so far. By no means is it an exhaustive explanation, but I hope it will help you get started.

I strongly believe that before understanding information security we need to understand the information ecosystem, because in order to secure something we have to understand it first. In today’s digital world we can fairly assume that we can’t extend our arms without interacting directly or indirectly with the information ecosystem (maybe a bit exaggerated, but you get the point), and it is certainly going to keep growing exponentially with time.

In this diagram I have depicted the high-level picture of the ecosystem connecting different components of it.

Information Ecosystem

As depicted above, we have a digital world around us (USER) in every aspect of life, be it social networking, our day-to-day utility services, our financial requirements or IoT devices performing different functions in our lives. Most, if not all, of these services are delivered to us as software via different mediums. Further, all software goes through a development process, which varies from organisation to organisation or product to product, and which in turn utilises some form of infrastructure to host it. There are multiple aspects of security, like regulatory bodies or the SOC, which govern and/or function throughout the process.

So what about security? In one way or another we are all aware of security in our day-to-day life. For simplicity, let’s consider information as an asset like our home. In real life we identify the potential dangers to us, protect our home and family from them, detect if anything feels unsafe or insecure, respond to alarming situations, if any, and recover if anything bad happens (god forbid). To achieve that we implement and follow security practices like having a main gate, setting up security cameras, having a security guard, asking people who they are when they enter the home, checking whether they are going into unintended areas and so on…

Before diving into information security I want to touch upon three key pillars of information security:

  • Confidentiality is the property that information is not made available or disclosed to unauthorised individuals, entities, or processes. In simple words, only intended people enter your home.
  • Integrity means maintaining and assuring the accuracy and completeness of data over its entire lifecycle. In simple words, you are confident that you are entering your home only.
  • Availability means information must be available when it is needed. In simple words, you can enter your home whenever you desire.

So if I had to define information security in my own way, I would do it like this. Information security is an approach to…

- Secure information
- Secure information while making it available
- Secure information while making it available for intended users
- Reduce the risk pertaining to information while making it available for intended users

Below are the roles & responsibilities / domains / profiles in information security (more often than not responsibilities overlap in real-life):

SOC (Security Operations Center) Analyst (junior-mid role) — A SOC analyst performs multiple functions around monitoring the organisation’s network for malicious activity and works in the defensive (blue) team of the organisation. A SOC analyst should have a solid understanding of the technologies below:

  • SIEM (Security Information and Event Management)
  • Application & Network Firewall
  • IDS/IPS (Intrusion Detection/Prevention System)
  • DLP (Data Loss Prevention)
  • Proxy
  • Security Analytics

Penetration Tester / Ethical Hacker (junior-mid role) — A penetration tester is expected to ethically hack the organisation’s assets and provide recommendations which would stop a real attacker from doing the same. A penetration tester performs the activities below as part of his/her day-to-day job:

  • Web and Mobile Application Security Assessment
  • Network Vulnerability Assessment and Penetration Testing
  • Configuration Reviews

Red Team Engineer (junior-mid role) — A red team engineer is expected to perform activities identical to those of a real-world attacker, targeting any or all components of the information ecosystem:

  • People
  • Process
  • Technology

I would like to point out here that most of the roles and responsibilities of a red team engineer and a penetration tester overlap. However, there are some subtle differences in objective and approach between the two. A penetration test ensures that the security of all components of the in-scope assets has been assessed in an agreed timeframe, whereas a red team assessment is about doing all you can to achieve an agreed goal.

Application Security Engineer (junior-mid role) — An application security engineer works with development teams throughout the SDLC (software development lifecycle). His/her job is to advise on, implement, automate and maintain security in each phase of the SDLC. Some of the tasks are listed below:

  • SAST (Static Application Security Testing)
  • DAST (Dynamic Application Security Testing)
  • SCA (Software Composition Analysis)
  • Security training to development (or other) teams

Security Incident Responder/Handler (junior-mid role) — As the name suggests, a security incident responder/handler is responsible for performing the tasks needed to contain, eradicate and recover from a security incident. They also perform root-cause analysis to avoid, or prepare for, future security incidents. Typically they are part of the SOC team.

Threat Intelligence Engineer (junior-mid role) — A threat intelligence engineer gathers, processes and analyses information from multiple sources to identify and understand the threats to the organisation. Typically they are also part of the SOC team.

Cloud Security Engineer (junior-mid role) — Because of the popularity of cloud in the industry, cloud security is one of the hot topics nowadays. This is a separate job profile because of the nuances of the technology, and it requires you to design (with a security architect), implement and monitor the security pertaining to the cloud.

Security Compliance Analyst (junior-mid role) — A security compliance analyst ensures that adequate policies are in place in order to comply with the compliance and regulatory requirements of a certain standard or body, like PCI, HIPAA, ISO 27001, FedRAMP etc.

Malware Analyst (junior-mid role) — This is a niche domain which deals with the analysis of malware (malicious software) in order to understand its characteristics, so that malware activity can be identified and stopped in future events. This domain requires a solid understanding of system internals, low-level programming languages and networking protocols.

IoT Security Engineer (junior-mid role) — Similar to cloud, because of the nuances in the underlying technologies and their popularity in current times, IoT security engineering is a separate domain and deals with the security aspects of IoT devices.

Digital Forensics Investigator (junior-mid role) — A digital forensics investigator is expected to identify, retrieve and analyse data, network traces and other evidence from digital sources. Additionally, they also perform studies to identify and/or track the source of an unauthorised intrusion in the event of a security incident.

Security Architect (senior role) — This is one of the key roles in any organisation. The security architect works as a central person assisting and advising different teams within the organisation on designing and deploying security, for example by reviewing the designs of applications and infrastructure: what new attack surface they bring to the organisation, what security checks they need to go through, how we can design them securely in the first place; and by evaluating the security tooling to be used within the organisation. This role must possess knowledge of, but not limited to, penetration testing, SOC, application security and compliance.

Chief Information Security Officer (senior executive role) — A CISO is an executive-level role and usually the highest in the information security hierarchy. He/she directs strategy and plans the execution and budget, continuously, in order to protect the information assets of the organisation and its clients.

To conclude this article, I would like to mention a note about approach for everyone who is in this field or about to be: before securing something, we first need to understand what we are securing and how it is being developed, and acquire the relevant skill sets for the same. For example:

  • If you are an application security engineer, you must have an understanding of programming, the SDLC and its purpose, and the end users of the application.
  • If you are a network penetration tester, you must understand how networking works, the specifications of different protocols and their purpose, and the administration of different devices.
  • If you are a malware analyst, you must know about system internals like memory structure, system APIs and a low-level programming language.
  • If you are a SOC analyst, you must be good at analytics and rules configuration, and so on…

But most importantly, as technology changes continuously, the methods of (in)securing it also change, so you need to adapt, be able to connect the dots and think outside the box to succeed in this field.

I hope this article gives you a basic understanding of the ever-changing information security field. Please comment if you would like to know about any topic in detail or if I missed something.

Pramod Rana (@IAmVarchashva)

AppSec | Automation | Athlete. Creator of Omniscient, vPrioritizer & sec-depend-aider. Speaker @ GrayHat | BHUSA | nullcon | BHEU | Defcon. OWASP Pune Lead