IDS mailing list archives

RE: what is required for an engineer to become an SECURITY engineer


From: <skander.ben.mansour () accenture com>
Date: Thu, 6 Jan 2005 14:52:40 +0100

Hello Ravi,

Aside from the technical knowledge that is essential to a career in
infosec engineering, security engineers also should have the appropriate
mindset.

How many of you have ever heard "Nobody would ever do that" when pointing out
an exploitable flaw in a system or process?
Security people's mindset differs from the network/systems administrator's
point of view in that we are trying to prevent unauthorized access, whereas
systems administrators' first goal is to grant access and get the
service running.

While complete paranoia is not the answer, a healthy amount of creative
thinking is required when designing, evaluating and testing information
systems.

The ISECOM (Institute for Security and Open Methodologies) has
interesting training material covering these aspects of the information
security career:
Jack of All Trades: http://www.isecom.org/projects/jack.shtml

"Jack began as a mentality-determining method for hiring penetration
testers. Its reach became central to teach people security by applying
what they already know to security. As applied security knowledge is
essentially based on critical thinking, observation, and analysis, the
Jack exercises exist to exploit the mentor-method of teaching these
skills."

I hope this helps.

Best Regards,

Skander Ben Mansour, CISA CISSP
---
http://www.benmansour.net


-----Original Message-----
From: Jason Baeder [mailto:jason_baeder () yahoo com] 
Sent: lundi 3 janvier 2005 18:50
To: focus-ids () securityfocus com; 'Ravi Kumar'
Subject: Re: what is required for an engineer to become an SECURITY
engineer

Hi,
  I was asked to prepare a syllabus for security management, incident
handling, forensics analysis, intrusion detection etc. The intention is
to train an engineer to become a SECURITY engineer.

   We know there are several certifications which are designed for this
purpose. I want you, with your security experience, to tell us what
a BASIC course for security really requires.

  If industry wants to recruit an engineer for its security needs, what
type of experience do they look for?

Note: Please don't relate my question with any certifications and be
generic.

Thanks for any help,
-Ravi


Ravi,

The list from skill2die4 was exceedingly relevant for a "BASIC course"
in security. (How many of you went down that list thinking to
yourselves, "Yup, know that; yup, know that..."?)  All of those "hard"
skills can be taught.  As with any professional field, there are many
different roles.  Those hard skills may be sufficient for a junior IDS
analyst in a SOC, for instance, or a junior firewall engineer.  A
course such as you suggest could re-train a network or systems engineer
to become more security-focused and assume one of these roles.

IMHO, I believe there are some "soft" skills that can not be taught in
the classroom, and some that only come with time and experience.  Jose
Maria Lopez touched upon this; I feel some expansion upon this topic is
needed.  

1) Understand the network and the systems attached to it.  Just as you
need to know the basics of network protocols and OS functions (hard
skills), you need to know the normal parameters of operation of the
network that you are protecting.  You need to know where the WAN
connections are, and why they are there.  You need to know what servers
reside where and what purpose they serve.  You need to know what
"normal" traffic is to be expected on the network.  

2) Understand the business.  Beyond the nuts and bolts of #1, if you
don't understand the business where you work (or the client you serve),
you can't understand how the network and systems are used, and thus you
can't adequately understand the security needs of the organization. 
Moreover, you won't be able to perform that fine balancing act among the
business needs, the operational needs, and the security needs of the
organization.

3) Be customer- and service-oriented.  Surely a profession that relies
on so much knowledge of bits and bytes at the most detailed level can't
rely on something as touchy-feely as customer skills?, you ask.  Ask me
again when you have an angry program manager on the phone who perceives
YOU as the obstacle to his successfully testing a new application that
requires unfettered Internet connectivity.  Point #2 looms large here,
and diplomacy, tact and creativity are absolute necessities.  With the
right attitude, even sales and marketing will be your friends. ;-)

Not all security jobs will put you face-to-face with everyone from the
CIO (or CEO) to the router engineers to the application coders to the
sysadmins to the sales guy from Kansas City.  But I have had jobs where
that has been the case, and find these skills are just as necessary as
my knowledge of PKI or TCP flags.  

Jason Baeder
CISSP, GCIA
