Let me be the first to say that I appreciate the path I took to get into the Information Security field. Today, the more common name for the field is Cybersecurity, which I will shorthand as cyber for the rest of this post. I know there are purists that totally hate the short form, but they are not typing this, I am. A recent effort by my nephew to consider a career change to move from a sales rep into cyber got me thinking about my path into the field.
First, I was on the leading edge of the generation that could get their hands on a computer before they were 18. I am talking Commodore-64 and others in the age of consumer dial-up computer-to-computer networking. Within a couple of years, I had moved up to an 8088 chip PC clone with a 10MB hard drive. The degree I was working on at the time was Digital Computer Technology, which turned out to be more aligned with electrical engineering and PCB design and repair than a generalist in computer technology. Between the challenge of calculus and programming, both of which I passed without issue, I ended up changing my major to my second choice of Police Science/Criminal Justice. Once I finished my degree, I was hired by the agency I had interned with over the previous two summers, which was the local crime scene bureau that also ran the fingerprint identification section and performed breath tests for alcohol. It was during this portion of my career that I was able to make my first move toward cyber, taking on the role of automation specialist as the bureau moved from 100% manual booking and record keeping processes to a complete IT-based record keeping system on an AS/400 with Banyan Vines on a token ring topology. It was bleeding edge in that the AS/400 application called on PC applications to capture mugshots and store them in a Vines share and could build photo line-ups within the AS/400 application. Now you know I am really old. I held this position for six years before deciding to dip my toe in the private sector as an AS/400 support person for a large corporation that would operate AS/400 infrastructure on behalf of clients. Infrastructure as a service before it was known as IaaS. I hated this job. Where I had been able to make my own decisions concerning actions to take to address a particular problem, this job was so driven by separation of duties that deleting a simple qsysopr message practically required the tier above to approve.
The other kicker was having my trainer basically sleep all shift, leaving me to figure things out. I threw in the towel after he left me on my own to reallocate memory for the backup to run faster and a few too many zeros crashed the client’s system that ran a production line. I was asked to stay on after the incident, but decided the bills were tolerable enough at that point that I could increase my hours to full-time in night college to finish my BA degree. The county heard of my situation and immediately began laying the groundwork for me to come back as a contractor. I came back for six months before being picked up by the police department to do everything from network, PC, terminal and mobile display support. This was a great job that offered me a lot of experience with Unix, RS-232 comms and creating Ethernet connections by converting 25-pin D-shell connectors into RJ-45. I also got to work with cellular modems in the early days of that technology to support the first generation of mobile display terminals in police cars. One of the fun parts of this job was supporting the 9-1-1 Computer Aided Dispatch (CAD) system and getting a call from a dispatcher at 3am in a really scary voice telling me “Tim, the demon came out again, and he’s killing all his children….” That basically meant going in to restart the CAD process, as it was running on 10-year-old Unisys hardware that often just lost its mind for no particular reason.
While I have to admit working in the PD was a great learning experience and offered lots of challenges, including building their first public web site, I had an opportunity to work as a system engineer supporting the Printrak Automated Fingerprint Identification Systems (AFIS) in North Carolina for the State Bureau of Investigation (SBI). This system ran on Digital Equipment Company (DEC) OSF (Unix). What I thought was some magical system turned out to be a bunch of rsyncs and shell script loops to watch for files to process. To call it a quagmire to untangle when something went wrong is an understatement. Lots of manual file moves to get existing stuff processed, and holding off new work at the end points until you were sure you could get everything restarted and knew it wasn’t going to fail again. I did become the fingerprint card scanner expert while working for the SBI as a contractor. It needed to be replaced about three years before I got there, but was left to hang on another three waiting on a major upgrade.
From this job, I had an opportunity to return to government in my previous automation specialist position, but this time working in the Information Services (IS) department. That had been one of the factors that led me to look at other opportunities, as my supervisor in the ID bureau had no concept of career development and management of an IT position. It was in this new role in IS that I would take on a cyber role. This came on two fronts. One was a three-inch notebook full of findings from a KPMG risk assessment on the county’s network and systems, and the other was performing firewall log searches for law enforcement and other needs like HR. For some reason the KPMG audit had been placed on the shelf for over six months before I was assigned the task of reviewing the findings and delegating the remediation tasks to the appropriate team and tracking them to completion or risk acceptance with additional controls.
While I was out of government at the county level for over a year, it meant my ability to have medical insurance provided after retirement would require me to work more than the normal requirement of 30 years. In this position, I had been tasked with attending a State IT meeting concerning global firewall rules for the one primary State firewall that was attempting to provide a single ingress and egress point for all of the State agencies and local government entities using the State as their ISP. At one of these meetings, a member of the infrastructure security team that ran firewalls and IDS approached me about a job opening. The job was enticing as it would solve my medical insurance retirement benefit: I could move my previous 13 years of service in the local government system to the State retirement system and vest after five years.
This began my first full-time cyber role, where I was tasked with implementation of five Check Point firewalls on Sun servers with StoneBeat load balancing at the primary criminal justice agencies in State government. After this project was finished, I handled the configuration and daily operation of a small IDS implementation. Within a year, I was being asked to apply for a position on the incident response team, where the manager would actually be my fellow trombone music classmate from sixth grade. The one condition that came with the promotion was I needed to obtain my Certified Information Systems Security Professional (CISSP) credential within the next year. In 2002, I passed the CISSP exam (#34388) while attending the HTCIA conference in Atlantic City. I could tell you lots of things that were super fun to work on while working incident response for the State, but some of them would be top-of-the-fold stories and violate my NDA. Towards the end of my government career in incident response, I was approached by a Homeland Security official who was embedded in our State Fusion center (NC ISAAC), created after 9/11, to serve as a Cyber SME for them. From this experience, I was eventually approached about working on the local FBI cyber task force. While most task force members are sworn law enforcement officers, there was an effort in the bureau to focus on cyber intrusions and move the investigation of child exploitation crimes from the high tech crimes section to the violent crimes team. This meant bringing on non-sworn members to the CTF was an option. Between the roles I had with ISAAC and the FBI CTF, I was able to provide cyber translation services when a local law enforcement agency would be facing their first cyber intrusion investigation for a victim in their jurisdiction.
This role was to try and explain the technical details of something like a DDoS and guide the development and issuance of subpoenas to social media companies and ISPs to track the attack back to the individuals claiming responsibility for the attack on social media. While on the CTF, I served in a consultant capacity on a couple of cases and set up a virtual environment to demonstrate to the US Attorneys handling a criminal case what the logs that were missing from evidence in their case would have shown, from an information content standpoint, had they been available. I would also enter interesting findings seen on the State network into various tracking systems as part of the overall intelligence gathering effort.
After a change of leadership in State government, I assessed my retirement situation. I had 31+ years if I counted my sick leave and determined it was a great opportunity to retire and continue to work in the field outside of government. Initially, I worked on a contract running Nessus scans against the EPA E-Rule organization. With the help of another consultant, we were able to automate the manual Excel cut and paste efforts of publishing the Nessus findings into Jira tickets for tracking and remediation. Once the automation was in place, my workload diminished to the point of being under-challenged, and I saw an opening on the MetLife incident response team. At this point, I have been in this position for almost five years, and my role has changed from pure incident responder to the lead cyber investigator assisting legal, SIU (Corporate Security), and HR when there is a need to capture log data or other digital evidence related to their case. My other duties involve the wacky, weird, and sensitive investigations, as well as serving as law enforcement liaison when needed.
For those that may be trying to get into the cyber field, I recently attended a National Initiative on Cybersecurity Education (NICE) session on the “Top Ten Ways to Discover a Cybersecurity Career that is Right for You” that was very enlightening. If you are young and fortunate enough to be able to attend a college degree program in Cybersecurity, that’s great; but for many people working in other fields and wanting to move into cyber, returning to college may not be an option. One takeaway for me was that the shortage of cyber talent is leading to new approaches to develop talent. In some cases it might be placing less importance on degrees and considering the profession like a skilled trade where apprenticeships are the norm, which could provide a larger talent pool in a shorter period of time. Additionally, my usual recommendation of developing a lab of systems to test with was not a preferred method unless the candidate is going to follow up their lab efforts with sharing their learning experiences through a blog or other forums where potential employers could review those efforts. On certifications, the basic Security+ was a recommendation to get a baseline of knowledge. The ISC2 SSCP was another option, but can be expensive. Personally, when interviewing candidates for entry level positions in IR, I want to see a lifelong learner who loves a puzzle and approaches solving them with the realization that any problem is multi-faceted, and when the simplest effort fails, there are at least two more options to try before asking for help. If I had a baseline for entry level cyber, it would consist of:
- Understanding of basic Networking and Routing along with network defense mechanisms
- Basic operating system principles and understanding auto-runs (persistence) and memory resident malware
- Understand Authentication and Authorization – separation of duties and principle of least privilege.
- Ability to quickly assess contents of various logs even if it is the first time seeing a particular type of log (Like sight reading music, but logs)
- Know the most used attack vectors, from social engineering and open/exposed vulnerabilities to supply chain attacks.
- At a high level, know the various categories of attackers and their motives.
- Willing to let their curiosity trump their fear of being embarrassed.
When I was first getting into cyber, I did leverage several books. In addition to CISSP prep guides from Shon Harris, Krutz and S. Rao Vallabhaneni, I found a network security book by Eric Maiwald which was a great introduction to firewalls, IDS and other network defenses available at the time. Of course, most of those books are dated at this point, but I mention them as books, for me at least, are a great alternative to paying for boot camps or super expensive courses by a particular four letter institute. Some recent books I have bought deal with Python and forensics. Check out “Applied Incident Response” by Steve Anson, published in 2020, for a good reference on how to approach review of systems and networks as part of incident response.
If there is one theme that seems to come up with every job change I made in my career, it was “opportunity” and being asked to apply or take on a support role for other organizations while being paid by the State. There are far too many people for me to thank personally, and many of them prefer not to be mentioned in a public blog, but I have to say that were it not for these individuals who recognized my drive and dedication as well as talents, which I often discount, I would not have been able to claim the title of Information Security Professional for the past 22 years. For those who provided opportunities and support, I say thank you.