Career Planning 2019-Style

I’ve blogged before about how difficult it is to ‘break into’ a security job. Well, a great opportunity came up at my company & so I went for it.

It was a great opportunity & I learnt a stack. Although I didn’t get the role I went for, the good news is that there is some movement just up ahead for me so I thought it was time I re-looked at my career plan.

The first days back at work after Christmas are always a killer. Thoughts such as why am I here, what do I actually do & who moved my cheese fill the mind.

But, I was actually glad to get back to work. 2019 should be a big year for me. I still don’t have quite enough time to learn the banjo but I will complete the 2nd year of my computing degree & hopefully move into a different role within our IS&T team.

I put my first real career plan together in around 2013 – up to then I’d been drifting in the wind, safe in the knowledge that ‘working hard’ would get you to where you need to be. Also, I was blissfully unaware of any link around creating your own future. I know that sounds like I’m being a smart-ass but I really didn’t think about it.

This is not a career blog & there are loads of sources of information out there but my basic cycle started when an excellent line manager of mine presented me with a career development tool. He must have seen my face – I was like ‘oh lawd…not another review type career type tick box to take up my time’ – as he quickly added – ‘look it’s your career plan, if you don’t want to do anything with this document don’t.’

It was a realization moment for me. Nothing I hadn’t heard before but it made me think. To cut a long story short, it didn’t answer everything in life or provide a guarantee of success but it did make me wake up & take some responsibility.

The career plan I work with is nothing radical. How you do it is less important than doing it. I work better with graphics & pictures so mine has plenty of pictures.

Firstly you need to determine what you want…from work….I know there’s a link in there to what you want from life but I keep mine to work….don’t laugh but I created a career vision for myself. An over-arching statement about what I want to achieve….

Career Vision: To make a positive difference to my company and society through information technology.

I’m not channeling Michael Jackson or anything but you do have to think big. It’s a vision.

I then break this down into my medium-term objectives – this statement goes along the following lines:

Career Objectives: To become a qualified & experienced technology professional by June 2019, with specialisms in web projects, data technologies, cyber-security & technology-driven business change. To complete courses T227/TT284 by the end of May 2019. To develop the profile, experience, knowledge & qualifications to achieve BCS chartered status by the end of 2021.

Now it’s taken me a while to get here. Behind this I have lists of things I enjoy, potential career opportunities, things I’m good at, training courses I’d like to do etc.

Importantly, I’ve found that you can dream big. Great. But your plan will end up as a composite of your vision, ambition, the opportunities available & of course your own skills. Now you can influence all of these but some things are outside your control. In my humble opinion, if you’re crap at numbers then a career in data analytics may not be the right move. If you find ISO & data compliance boring then maybe data security isn’t for you.

Anyhow, I don’t have a magic formula but that’s my approach to 2019. I hope you all had a good break & look forward to more cyber-security adventures in the year ahead!

A Rough Guide to (some) Information Security Standards

For sure, cyber-security is a vast field these days with more terminology than you can shake a stick at. Witty banter aside – I wanted to put together a post summarising some key learnings I’ve picked up so far.

Stuff I think we should all know about….

Before we get started – here are a few books I’ve found invaluable to my own learning journey. It’s a mixed combo as I’ve found you can’t just learn the technical stuff, you need to understand process stuff too. Equally, you can’t be the world’s expert on firewall configuration if you ignore the various principal frameworks that have been created to help us out.

No pressure to buy these or anything – just some books to ask Santa for….

The bullet points below are in no particular order but overall they should provide some decent tent-poles on which to hang your knowledge of information security.

What is Information Security?

Basics right – confidentiality: the principle that information is not made available or disclosed to unauthorised individuals, entities or processes. It also includes integrity – the property of safeguarding the accuracy and completeness of information. And, availability – that it is accessible & usable on demand by an authorised user.

Threats, Vulnerabilities, Risks & Impacts?

Not a new superhero show. A threat is simply something that could happen & cause some unwanted consequence. A vulnerability is a weakness that could be exploited to cause some unwanted consequence. I spend a lot of time thinking about & searching for vulnerabilities. Risk is the chance that a given threat will exploit a vulnerability – it’s a combo of threat & vulnerability.

Impact gets a section on its own – it’s all about impact baby. Where do you focus your time with limited resources – where the impact is most significant – think damage to data, people, legal requirements, business continuity…

ISO27001

ISO27001 specifies the requirement standards for an information security management system – it’s a framework of policies & procedures. Your organisation can be certified against the standard. Its approach is top-down, risk-based & technology neutral. It won’t tell you how to configure your firewall.

It outlines a range of different controls that need to be in place & documented including physical controls (locked doors/secure cabinets), procedural controls (checks on references) & product or technical controls (passwords/encryption).

So, also think codes of conduct, information security policies, developing a security culture, segregation of duties, user control mechanisms & any awareness training. The standard has a little sister called ISO27002 that contains best practice recommendations of information security controls & some further definitions.

ISO22301

Another certified standard but this time one that focuses on business continuity management. It specifies the requirements for a management system to protect against, reduce the chances of and ensure that business can recover from disruptive incidents.

Think ‘what happens if’ scenarios.

Ransomware has kept this standard busy in the last year or so.

PCI-DSS

The Payment Card Industry Data Security Standards are like the geeky brother to the above standards. In my opinion, they’re more widely known, very detailed and well-established in the card payments industry but not particularly outside.

Also PCI-DSS doesn’t have a girlfriend or anything…

It’s a series of principles around the storage, processing & transmission of card details. Think secure network requirements, secure access controls & Cylon-like encryption.

GDPR

If you haven’t heard of this mammoth chunk of data protection legislation then you must have been either living on the moon or at least under the sea.

The General Data Protection Regulation is now in force & is part of the data landscape in the UK alongside the new Data Protection Act 2018.

Complex? You bet but in simplistic terms it’s a series of principles designed to protect personal data & covers usage of data, breach notifications etc. The area I’ve had most experience with is ‘mailing preferences’ & opting in. If you have anything to do with prospect & customer data then the GDPR will have dominated your life this year.

Right – that’s what I’ve learnt so far….

Information Security World 2018

This week I was mostly visiting this conference at the Institution of Engineering and Technology in London.

Going to cyber-security conferences can be problematic for those interested in the field.

  1. How can you get past the end point security booths – I’m not responsible for it so I don’t really know what to say to them…
  2. How many suppliers tell you that they are now using machine-learning & AI to boost their cyber-security software….you can stack up 10 of these before you reach the first loo…
  3. What a mix you get at these conferences, some folks talk the jargon, some wear a smart suit…you just know who really knows their stuff…
  4. Blimey there are 20 new companies every time I go. If you are starting a company in cyber-security you have to call it something like Cy-thing or Seco-Bot. Names, it seems, are important.

Well, Info Sec World was not like that. It’s a first-class event, with a full programme of lectures & talks plus a very limited selection of approved vendors – did I sound like an advert there? I didn’t mean to – it really is a good conference…a great one-day event to stock up on the latest trends. We had a futurist looking at the next 10-20 years, we had the VP from Symantec with some great insights, then I broke into one of the tracks to focus on the challenge of cyber-cost & complexity in the digital world….

I came back with a bag of goodies & pages of notes. The goodies below were of high quality & will give you enough reading for months….

That’s why these events are worth going to. I chatted to a few folks around the conference – here’s what one well-known author on cyber-security told me off the record:

“Insider threats account for over 80% of breaches….”

I know it’s not the revelation of the year but for me it was one hell of a reminder that you don’t just need to learn about firewalls.

In fact, several of the talks highlighted some fundamental truths I’d kinda lost sight of. Here are a few well-known pearls:

  • Patching is important – the boring stuff makes a difference
  • Segmentation is something you need to act on – validating who has access to what
  • Data management – talked about often, done not so much
  • Identity Management – hell yeah, login credentials, compromised administrators & crappy passwords

I hope this doesn’t all sound very flippant – I know it’s basic stuff but it was a great reminder. One of the speakers told us that in his experience over 90% of breaches were avoidable by making effective use of standard controls & processes. That’s the basics – no need for AI here.

Finally, the VP from Symantec talked to us about the Law of Unintended Consequences.

He didn’t use the following example but it’s a good one. Someone in hard facilities management thinks it’s a good idea to hook up the heating system to the Internet.

Smart stuff.

We’ll be able to control the heating via a mobile….you know where this is going.

I think the point he was trying to make was to think through the headlong rush towards Smart-pants & Smart-socks…

All in all, a really valuable conference. I know I haven’t done it justice here but well worth a look next year….

Cyber Security Career Progress Check

As the new university term approaches, I’m having a mini-crisis around my career plans in cyber security.

Firstly, the negatives.

Although my upcoming university courses are around web architecture & so highly relevant, neither of them has cyber security in the title & I look enviously at other more focused courses. I sometimes wish my studies could be more focused. I’ve mentioned this before on the blog but I think the Open University syllabus is looking dated.

I’ve switched my Java course to an IT projects & change course as it’s more relevant to my current job role & I don’t think I could have handled two technical courses in one academic year. I will still be picking up Java but at a future date. A kinda negative.

I don’t know how important this next one is but I don’t yet have ‘cyber security’ or anything related in my job title or remit. And, I’m struggling to see how this transition is going to work. An agent messaged me about another role recently but it was very similar to what I’m currently doing.

In my experience, without a long-term road-map, it’s easy to lose focus, faith & motivation in a direction of travel. Exactly how am I going to get into the ‘arena’ I want to be in…how is this miracle going to occur!

That’s the negative points. Here’s the positive side.

I enjoy where I currently work. And, my work is touching aspects of cyber security in so many areas. My most recent positive contribution was calling out the outdated hashing algorithm SHA-1 in a system I’m working on.

It was set up as a configuration but I knew it was compromised so have highlighted & proposed a change. I am trying to use my growing expertise to help in my current role.

I’m planning to complete my BCS Foundation Certificate in Information Security Management Principles to provide a foundation for my further studies & blogging. I’m paying for this one myself so it’s a big investment but I’m hoping it will be a solid stepping stone. I’ve looked long & hard at the various qualifications out there – it’s a confusing market place but I trust the BCS & believe this is the right one to start with.

Finally, my role is involving more e-commerce work which is bringing me into a sphere where data theft & hacks are far more….what’s the word….prevalent? Well, you know what I mean, stealing data is one thing, stealing payment or credit card details, is the golden goose.

So, that’s where I am. Hopefully, I can add some more technical cyber security blog updates as I go along this year. I’ve read some excellent ones out there & I’ll start including some links as I get to know them.

Maybe the work world is also changing a bit. I kinda suspect that moving forward cyber security in various forms is going to be a component of every business role?

An Idiot’s Guide to Vulnerabilities

Right, just to be clear, I’m not implying that anyone is an idiot – it just seemed like a catchy title. I really mean folks without the honed technical skills to exploit some of the more hidden vulnerabilities in applications & websites…

Also, you have to realize that I’m not formally trained in any security yet. I’m kinda making it up as I go along & based on my experience.

Still – a useful survey for me as I embark on this learning journey. Read on but don’t get mad. (Also, I should emphasise that I am talking about looking for vulnerabilities to help fix stuff – not really exploit it – use your awesome powers for good, never for evil.)

What is a “vulnerability”?

Not reaching for any ITIL or security manual, for me it’s any way to exploit a system in some way, shape or form. Think making it do something it wasn’t designed for. Think tricking it into recording a transaction that was never made. Think exploiting some poor coding or a poorly configured credentials request.

So far, with my limited technical skills, I’ve helped to find some basic vulnerabilities in projects I’ve worked on including classic SQL injection attacks & API vulnerabilities. But vulnerabilities don’t always live in the technical shadows. Here are a few observations I’ve collected so far:

Thinking Differently – one of the things I’ve realized is that good hackers have the ability to look at systems from a different perspective. They look at the whole process (see the next point) – particularly where people get involved or physical entry points crop up. You don’t need to be a coding genius to download some malicious software. You don’t need to be 007 to follow someone through a security barrier & insert your code into the nearest slot. Internal security people tend to look at things one way. Network people are the worst. Not every vulnerability can be stopped by the firewall. It’s pointless locking the windows & doors when the villain is already inside.

Mapping the Process – related to the above, I like to map the process, even if it’s at a basic level. Like the trans-Atlantic convoys during World War Two, any process is only as strong as its weakest link. It’s pointless spending zillions on endpoint security if your IT department has not correctly configured the single sign-on software. I find visually exploring the process a useful tool – I’ve included an example – not the best one granted but I’m just at the start of the process.

[Image: Ingenico credit card process flow]

There are no state secrets above. It’s a basic payment flow – pretty typical really. But when you start breaking it down, you notice real-time & non-real-time processes etc etc. You get the point. I actually did my own version of this, with more detail, but I didn’t want to post that!

Follow the Money, Follow the People – something an experienced hacker told me was to start by following the money – the transactions – makes sense. But also, to follow the people. The people are often the most unpredictable element in any process. They forget stuff. They take short cuts. In my experience, the core financial processes are well-protected with encryption that would give Sheldon Cooper a run for his money (in real terms, they are basically unbreakable….until they get broken). But people, yeah we all love them. My pearl of wisdom here is that a key source of vulnerabilities here is that users tend to do the same thing every time. They like it like that. If they find a short cut or password ‘recipe’, they use it.

Fooling AI – oo-er….I’ve mentioned before that I’ve looked at brilliant companies like Darktrace & what they are doing with network traffic analysis etc. The math behind their machine-learning is smart. But, so far at least, it seems that every AI can at least be misled if not totally fooled. In my limited experience here, it’s in the parameters of the AI search – wherever the AI looks, you need to look just outside of it. As Forrest Gump used to say, that’s about all I have to say about that.
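The “classic SQL injection” mentioned earlier is the one vulnerability in this list that is easy to show in a few lines, so here is an added example (not code from the original post, and not from any system I worked on). It puts a vulnerable lookup next to its fixed version and runs both against the same constructed input; the table, rows and the tampered username are all made up here so it runs offline.

```python
"""Classic SQL injection: a vulnerable lookup beside its parameterised fix.

Added illustration; the 'users' table, its rows and the test inputs are
constructed here so the script runs offline with only the standard library.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: user input is pasted straight into the SQL text (CWE-89).

    A quote character in the input closes the string literal early and
    whatever follows is parsed as SQL, so the WHERE clause can be rewritten.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Fixed: a bound parameter.

    The driver sends the value separately from the query text, so it is only
    ever compared as data and can never change the structure of the query.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups on a normal name and on a constructed tampered name."""
    conn = make_db()
    normal = "alice"
    tampered = "x' OR '1'='1"  # constructed test input, not a real user name
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),
        "safe_normal": lookup_safe(conn, normal),
        "safe_tampered": lookup_safe(conn, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:20s} -> {len(rows)} row(s)")
```

The vulnerable function hands back every row in the table for the tampered input, which is exactly the “tricking it into doing something it wasn’t designed for” idea from the definition above; the parameterised version returns nothing for the same input because the whole string is compared as a username. The fix is a one-line change, which is why reviewers look for string-built SQL first.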

—-

Well, that was it. I warned you at the start. I plan to develop my knowledge in this area with my studies this year but hopefully that provides something of a primer.

I would like to leave you with a few pointers – if you like solving puzzles, if you are sort of person who likes a challenge & loves finding ways to ‘break’ things, then you should learn more about vulnerabilities & threats.

I think of technical training as a kind of multiplier. Get the basics & attitude right, add the technical skills & you become one dangerous monkey.

The Shadow IT Survival Guide

Recently I’ve been thinking through my next modules, changes at work & my career development. I’ve posted before about the challenges of getting into cyber security. It’s not an easy path for a career changer.

But what about living in shadow IT?

That’s kinda where I am at the moment. My role, like many, incorporates large swathes of technology from reviewing XML files to technology planning, from managing system upgrades to assessing user experience. And, although I work closely with an excellent IS&T team, I’m on the outside. I sit within the business.

I am a shadow IT person.

Here’s a definition of Shadow IT. There are loads out there on the web but you get the idea:

Shadow IT refers to information technology projects that are managed outside of, and without the knowledge of, the IT department.

The downside to being in Shadow IT is that you never quite feel you’re in the right place.

Development & training can be a struggle as few really understand why you’re trying to get on a particular course.

You don’t get that warm fuzzy feeling of being part of a professional job family.

You rarely have the right tools or access-level to really do what you want.

For the IT team or ‘regulars’, Shadow IT can be a nightmare. Deploying cloud-based systems no one has ever heard of. Creating vulnerabilities at the click of every button. Working round agreed processes because they’re too slow.

My experience has so far revealed a few different species of Shadow IT. Here are the two I know so far:

  • The Shadow IT Natives – a bit like me really. They do have some technical skills. Should they be in IT, who knows? Most of the time they are business people who have transitioned in. We tend to be a pretty pragmatic bunch but that doesn’t stop us causing trouble. We can be troublesome for IT folks – a little knowledge is very dangerous – isn’t that what they say.
  • The Digital Peeps – ever heard anyone say they work ‘in digital’? These tend to be marketing folks who go ecstatic when anyone mentions AI or block-chain. Or, they know a bit about a CMS & are now ready to implement major machine-learning projects. Heavy on buzzwords – this group sees block-chain as a solution for everything from managing Brexit to solving the world food crisis.

I’m sure there are more. And, I don’t mean to sound critical of them – after all, I’ve already said I’m part of the zoo as well.

So, is there an upside to it?

Well, technology is everywhere nowadays as my Mum likes to say. Maybe it’s time it came out of the closet. I’ve read a lot of the growing demands for ‘hybrid’ managers – comfortable in both technology & business. With the right mix of digital & people skills. I’ve not personally seen this demand yet but folks like Gartner say it’s there.

Having a foot in both camps can be fun and challenging. My previous line manager was a superb example. She spent years in business & finance before moving into large scale deployment projects & was very effective in her roles. She’s pragmatic, realistic & has the rare talent of being able to bring her years of experience to the table without over-ruling new folks with new ideas. She is also adept at knowing when to lean on the regular IT team.

I don’t know how she does it. If I learn the secret I’ll share it. In the meantime, I’m going to continue learning how to survive in Shadow IT & spot a few more of those different species…

Book Review: Get Coding Kids!

Right, which book is number one on Amazon in the programming category?

Some fancy Java guide the size of a small house? A Python book to make PhD computer scientists cry? Some new language you must learn but have never heard of?

No, it’s Get Coding from Walker Books. A kid’s (& everyone’s) guide to HTML, CSS & Javascript. And you know what, it’s brilliant.

Why am I reviewing a kid’s book? Long answer follows. Application security & best practice programming is vital in cyber security. I don’t know a lot about programming – I’m covering that off at university next year. Plus, I like the web & want to focus on it.

Enter this book. It’s a colourful work book, with a tonne of explanations, illustrations & exercises. It’s clear, concise & the story is very funny.

HTML, CSS & javascript are essential skills to have. Basically, you need to know them. If you don’t – this is a great place to start. It answers all the questions you were too shy to ask. There are explanations on everything from HTML tags to how to tell your browser you’re now writing javascript.

I was stunned by the scope of this book & how it effortlessly introduces the core skills any web developer needs.

You got all the tag stuff of course. You got the style sheet madness – in a good level of detail. And, a great introduction to javascript itself.

But, on top of that you have talk of iframes, APIs & wireframing….what more could you ask? Plus, the exercises are fun & part of a funny little story that carries on through the book.

I can’t recommend this enough. If you’re worried about picking up a kid’s book – forget it – we all learn in different ways & sometimes approaching it like a kid is perfect. For them, learning needs to be interesting & fun. This cool book is both. It’s also backed up by a snazzy website.

Check it out if you’re interested!

Get Coding Book