Cybersecurity experts protect the money, data and reputation of companies, their employees and users. That is certainly something to be proud of. Nevertheless, not much is known about those who protect our security on the Internet, because they are not developers, who get most of the attention. Someone wrote an application or game that brought its creator popularity and money; someone else developed a cryptocurrency platform that we use. But the work of information security specialists stays hidden from our eyes.

But it is no less important than the work of programmers, because their products also become popular thanks to the coordinated work of cybersecurity experts. This article explains what the profession is and what you can count on when you start your journey as an information security specialist.

Who can call himself an information security specialist?

As in many other technical specialties, an information security specialist is someone with a significant technical background. Such a person should have solid practical experience with different technologies (which ones, we will discuss below), but theoretical training should also be at a high level. In addition, and this is not found in most other specialties, he should understand compliance well, i.e. know the legal norms and requirements of the information protection field and of information security in general.

A good cybersecurity expert is a practitioner who knows roughly how an attacker thinks and what tools a cybercriminal can use. Of all the techniques and attack vectors, only 80% are known to specialists, which makes it possible to deal with them successfully using existing defenses. The remaining 20% are 0-day vulnerabilities, newly invented hacking methods, etc. A professional should always be ready to react in time.

The most important specialties in information security

There are many possible answers to this question, since specialties can be divided into different types and varieties. In addition, one could argue for a long time about which areas of information security are the most important. We therefore make a subjective selection of three important areas of work:

Pentester. We live in a world of applications; they are everywhere: in a smartphone, a laptop, a hospital, and even in the refrigerator. Unfortunately, not all software developers have advanced skills in information security. But even if they do, a vulnerability may arise when, for example, the frontend of the application interacts with the backend. There can also be errors in the written code. An expert who can tell you how to protect an application or service from hacking is a very valuable specialist.

The penetration tester is essentially a white-hat hacker. His task is to study the security of websites, mobile applications, software platforms, etc. Unlike attackers, who are punished for their activities, pentesters receive bonuses for detecting vulnerabilities. There are freelancers among pentesters; these are often bug bounty hunters, who collect rewards offered by a company for detecting vulnerabilities in its service or application.

Specialist in secure application development. Such an expert no longer just looks for potential vulnerabilities using ready-made tools or tools of his own design. He is able to understand the code of projects written in different programming languages, identify typical code errors and point them out to developers. In his work, the specialist uses various tools and static and dynamic code analysis, and is able to act as an expert for the development team. He can point out to developers the potentially vulnerable pieces of code that need to be rewritten.

Information Security Specialist. Here we are talking about professionals who can be experts in 2-3 areas of information security and also have a good understanding of 4-5 related areas. Such professionals can dive deep into a subject and act as consultants or architects of complex high-load projects.

Well, how long does it take to become a good specialist?

There are two possibilities here. If, for example, a journalist who previously wrote about travel moves into information security, he needs to spend about a year and a half to reach the junior level. And that is only if he purposefully studies specific topics for 5-7 hours a week.

But if, for example, a system administrator decides to become an information security expert, he will need much less time. He already knows what works and how, so all that is needed is to apply new knowledge and practice on a solid foundation (how solid depends on experience and time on the job). With 5-7 hours of training per week, a technical specialist will need about six months to reach the junior level in information security, or even a higher level.

In any case, it is recommended to study international practices, for example ISO/IEC 27000, a series of international standards that includes information security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). In addition, best practices in information security can be found in the standards of various institutions. For example, MITRE ATT&CK, from the non-profit organization MITRE, gives detailed information about how cybercriminals work: how they start reconnaissance, then break into one of the security elements, penetrate the system and establish persistence in it. The MITRE ATT&CK framework describes in detail how attackers can carry out their task, and describes countermeasures or indicates effective ways to minimize damage if a breach does occur.

As always, there is a “but”. If training is done only as a formality, for example just to pass assessments, nothing good will come of it. And knowledge without practice will not make a person a specialist.

Of course, during self-study, students cannot test all the tools, but the main ones are important anyway. Such a foundation is quite enough for a junior.

Which tools does an information security specialist use?

It all depends on the area in which the specialist works, as well as on the place of work: a commercial organization or a state one. For example, in Russia, information security specialists often have to work with tools certified by the FSTEC FSB, simply because government organizations are required to use only certified software and hardware. These can be domestic antiviruses, firewalls, and all kinds of hardware.

It’s easier for employees of commercial organizations: here you can work with tools from Cisco, Palo Alto, and other international or domestic companies.

A newcomer to information security should start by studying open source tools independently before moving on to paid ones. A wide range of the software needed in daily work is included in Kali Linux and Parrot OS. You need to learn Wireshark, SQLMap, Nmap, John the Ripper and many other things.

The most necessary competences for a specialist:

  • searching for vulnerabilities on the client side of web applications, exploitation of client-side vulnerabilities, protection methods;
  • skills in searching for server-side vulnerabilities, understanding the specifics of Bug Bounty;
  • skills in hacking wireless networks and device networks, and ways to ensure security in them;
  • skills in reverse engineering applications, and in finding and exploiting binary vulnerabilities. The basics of cryptographic protocols.

Duties:

  • Testing of information environments and software products of the company;
  • Testing of information systems for fault tolerance;
  • Instrumental analysis of information systems;
  • Identification of current threats according to the OWASP Top 10 classification, development of compensatory measures;
  • Penetration testing;
  • Security analysis of software source codes.

Requirements:

  • Experience in identifying system vulnerabilities;
  • Experience with Burp Suite, Hydra;
  • Experience with SQLMap, OpenVAS, Metasploit Framework, Fortify, AppScan;
  • Experience with Acunetix, w3af, XSpider, MaxPatrol, Nmap;
  • Knowledge of the principles of construction and operation of web applications;
  • Knowledge of the typical threats and vulnerabilities of web applications listed in OWASP Top 10;
  • Skills of manual and automated testing of web application security;
  • Penetration testing experience;
  • Experience in auditing IT and information security systems.

As you can see, the list is quite extensive, and it can be much larger. But you should not be scared: as a rule, a potential employer tries to cover the maximum “volume” of the market and does not want to lose all potential candidates at the stage when they first read the vacancy. So if you believe in yourself, it’s time to try!