Security Researcher: A Road Less Frequently Traveled

Security researchers have been instrumental in finding vulnerabilities in products containing software/firmware code over the last few decades. However, despite the fact that the profession has been around for quite some time now, many people still don’t know that it is a potential career path.

An actual real-life conversation regarding security researchers:

Rando 1: “You’ve got to be kidding me? That sounds so easy a monkey could do it. Is that even a real job?”

Me: “Why, yes actually, I can assure you it is, in fact, a real job.”

Rando 2: “Wait, you mean to tell me that employers actually pay people to sit around and research security? How much do they make and where do I sign up?”

Me: “Why, yes actually, they do. It is rather important work as a matter of fact. The pay is for chimps though, they pay me in bushels of bananas.”

Riotous laughter ensues… Then, the more serious-natured logical questions often begin to follow. So, tell me what kind of work exactly does a security researcher do? How much do they make? What companies hire security researchers? What qualifications are necessary to become one?

To properly address these questions, we first need to define what security and research mean before we can define what a security researcher is, because it is obvious there are many misconceptions outside of the information security realm.

What is security?

Merriam-Webster defines security as “the quality or state of being secure: such as freedom from danger; or something that secures: PROTECTION; measures taken to guard against espionage or sabotage, crime, attack, or escape.”

Here, however, we are focusing on information security, or cybersecurity as it has also come to be known.

What is research?

Merriam-Webster defines research as “careful or diligent search; studious inquiry or examination, especially investigation or experimentation aimed at the discovery and interpretation of facts, revision of accepted theories or laws in the light of new facts, or practical application of such new or revised theories or laws; the collecting of information about a particular subject.”

What is a security researcher?

A security researcher, then, is someone who conducts research into security vulnerabilities that exist in software applications and hardware, attempts to discover and reverse engineer malware, and finds flaws in websites and commonly used Internet protocols. Security researchers need to be proficient in various programming and scripting languages, not only to understand decompiled code but also to create their own applications and scripts to perform analysis on different types of technologies.

Better like to read & write

Security researchers need to be proficient in languages like Python, C, C++, Java, HTML, and Bash, as well as PowerShell scripting and x86 Assembly, and in many other security-related tools such as the Kali or BlackArch Linux distros, Nmap, and the Shodan search engine. They also generally need an advanced understanding of information security, security engineering, networking, and Internet protocols, to name just a few focus areas. Your areas of interest may vary, and that will shape which tools and programming languages you decide to become more proficient in. It is really up to you and what direction you want to take your research in.

Some of the various tools I like to use in my security research work

Reading, More Reading, & Future Readings Still Yet to be Published

Being a security researcher, you will quickly come to realize that you have to read a hell of a lot of books, articles, blogs, academic journals, and periodicals to stay abreast of current technology and cyber threat trends. There is the daily publishing of security-related articles, podcasts, forums, tweets, blogs, and the occasional new book to read or to refer back to. It really is never-ending and can consume your life if you let it. You must achieve a balance between your personal life and your professional career. Otherwise, just like a lopsided tire on a car, you will only last so long before you burst. To prevent that, you need to become a master of time management unless you are one of the fortunate security researchers who get to do it for a living. If it is your hobby, however, as it is for me, then you need to manage expectations and try to maintain some semblance of balance in your personal life so that social relationships and your health don’t “burst” like that lopsided tire.

Presenting Your Research

It is important as a security researcher that you possess strong writing skills because you need to be able to translate the technical ‘mumbo-jumbo’ jargon of computer and network security terminology into layman's terms. In other words, don’t slack on the creative writing classes. This is a big one: I’ve read a lot of security research that is way too technical for the average person to understand. Sometimes that is intentional, intended for a certain familiar audience. Other times it is just an unfortunate oversight by whoever wrote it.

Some of the traditional focus areas of security research

As you go about your security research you will discover your own areas of interest that may fuel your personal motivations to delve deeper into study to figure out their exact machinations and processes. For me, one of my passions is digital steganography. I find the subject absolutely fascinating because it is practically undetectable to the naked eye and virtually unstoppable in nearly every context for hiding information.

Security Researchers develop their own focus areas

Tinkerer & Hacker

I often tell people that I am an ethical hacker, one of the good guys. Some are skeptical when they hear someone describe themselves as a “hacker,” but I prefer the classical meaning of the word from the 1960s MIT era, where it had more to do with tinkering with electronics and making tech do stuff it was never designed to do. I don’t like the negative connotations of the term “hacker,” much of which has been bestowed by Hollywood movies. Not all hackers are bad, bottom line. Everything else is noise in my humble opinion. Many people outside of the information security profession, however, do not understand there are subtle differences between the various types of hackers. But the naked truth of it is that there is often a bit of bleed-over between the good, the bad, and the in-between when it comes to hacking.

Some various examples of Hardware Hacking; general tomfoolery, my disdain of all things Apple; & a HAK5 Rubber Ducky

The (in)security Researcher

For anyone who has studied computer science, programming, or information security, you probably have a unique appreciation for how insecure computers, Internet of Things (IoT) and Industrial IoT (IIoT) devices, networks and Internet protocols can be. With so many different attack surfaces and an unlimited supply of targets that often don’t patch their systems or applications on a frequent basis, it is no wonder that the thankless job of cybersecurity professionals is often eclipsed by the unending supply of news stories about the latest data breaches and hacks. But why be a security researcher? What motivates you deep down inside? For me, I am passionate about this stuff and I believe the best of us are. We may each have our own personal reasons but in the end, it is all about discovering security vulnerabilities and our desire to make the Internet a safer place.

Motivations for Security Research

When we ignore the threats online, especially on the Dark Web, it allows evil to prevail in a certain sense. While I am not law enforcement or government intelligence-affiliated, I do believe that there are only so many people with the right combination of knowledge, experience, and skills to do this type of work. Security researchers are few and far between, truly a rare breed. The work is important work that contributes to making the Internet a safer place overall for everyone. Of course, arguments can be made to the contrary such as the work we do doesn’t matter or that the cyber threat actors will just switch tactics and set up camp somewhere else. This is often true, but what happens if we all just stop trying? Something tells me that won’t end well… I don’t know, call it a hunch.

Ok, ok, I know. You don’t think things are really as grim as I am making them out to be, right? I get it, I thought you might think that. I implore you then to read this article on The OSINT-ification of ISIS on the Dark Web, which may help to put things into context.

If the work I perform as a hobbyist security researcher can help save someone’s life or protect their data privacy better, then I view that as a major success. It is not without peril, though: there are those who would like to do you harm because they see you as a threat or you cost them financially. Better to know that going into this field than have to learn it the hard way later on.

Try to make a dent in the global bad guy phenomena

My Day Job is My Night Job Too

In my real-life day job, I serve as an Information Security Officer at a not-for-profit institution. After the workday and on weekends is when I get to perform my security research. I’d say that close to 90% of the security research I do in my spare time directly translates to my real-life day job. They often overlap, but it is important to make that distinction between my professional career and the security research I perform of my own volition, which is not affiliated with my employer. For hobbyist security researchers, their work is performed “on the side,” as a hobby after the normal 9-to-5 work day is over. There are many security researchers who fall into this category, where perhaps they have a regular job working in cybersecurity or some other field, but also devote a substantial amount of time to their passion of security research at nights and on weekends.

Not all security researchers work for Big Tech companies

Some “L337” <elite> security researchers are fortunate enough to find jobs working for employers that actually pay them to perform security research. These dream jobs are few and far between; if I had to estimate, only 10–20% of security researchers fit into this category. Some of the more well-known security researchers are cherry-picked by companies like Google, Apple, Facebook, Amazon, and Microsoft after discovering gaping vulnerabilities in Internet protocols or zero-day vulnerabilities that they published. I guess you could say that you’ve “arrived” if you’re working as a security researcher for one of the five Big Tech giants and you’ve probably got the salary to prove it. Congrats! Well-deserved, I am sure. Any one of those five companies can more than afford to pay extremely well, with great benefits, and their most highly skilled researchers can often work remotely (from home) at least part of the time. If you work for one of these companies, you’ve achieved the pinnacle of success and there is nowhere to go but laterally to another competitor or down should you suffer a moral objection or falling out with your employer.

**WARNING: Thick Skin Required — Not for the Faint of Heart**

Too often security researchers are ignored, threatened, and despised, which can leave a person feeling kind of jaded and callous with a slightly cynical perspective on humanity. Or, as I like to call it, “Cynicism-as-a-Service.” You need to have thick skin to be a security researcher. Find and report a bug in some vendor software code? Companies ignore you and don’t want to pay you, but may also try to come after you legally should you openly disclose a vulnerability in their product’s code after being ignored. Instead of being thankful that a security researcher took the time and effort to find a flaw, they would rather you didn’t try at all and just shut up about it. Rather than view it as a courtesy, companies are more concerned about their reputation and that they have to pay money to patch the flaws. That is if a security researcher is acknowledged at all; sometimes they are just flat-out ignored altogether and opt for the “full disclosure” option instead of “responsible disclosure.”

Security researchers have increasingly teamed up with certain journalists to put pressure on companies to do the right thing ethically and acknowledge the vulnerability, pay the bug bounty, and publish a security patch to customers in a timely fashion to limit potential exploitation. The threat of publishing the vulnerability openly, or full disclosure as opposed to “responsible disclosure,” reflects a sad reality: only after a company has had its arm twisted behind its back will it do the right thing. More strict legislation is necessary in this area. Sometimes even the threat of full disclosure isn’t enough though, as security researchers are ignored. Once a vulnerability is disclosed publicly, then a company is likely to feel pressure from consumers and regulators to patch the flaw.

Why You Might Consider A Career in Information Security

The cybersecurity field is always in need of new talent. In case you hadn’t heard, there is a large workforce shortage already that is thought to be widening exponentially in the coming years. Whether you buy into that hype or not, it matters not. What is important to know is that if you decide to enter the InfoSec field, you can make a good living for yourself. It pays well and lends itself toward security research as a hobby if that’s your thing like it is mine.

For all of those college students out there in the SoCal region majoring in Computer Science, Information Technology, or another technical field, I also offer you a wee bit of information about some of the local conferences (or Cons as we call them) that you may enjoy attending. Who knows, I might just bump into you at any one of these.

// life wisdom
if (unhappy() === true) {
    unhappy().stop();
    becomeAwesomeinstead();
}

I hope you enjoyed this post about the less frequently chosen path of a security researcher. There is so much more I could write on this topic, but instead I think sometimes it is best to just keep it simple.

***Trust No One. Verify Everything. Leave No Trace.***