Data and information protection is the most technical and tangible of the three pillars. The data we gather comes from multiple sources, such as information technology (IT) systems, operational technology (OT) systems, personal data and operational data. It must be properly managed and protected at every step of its lifecycle.
When we discuss data and information, we must consider the CIA triad. The CIA triad is an information security model made up of three components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.
Availability is a major challenge in collaborative environments, as such environments must be stable and continually maintained. Such systems must also allow users to access required information with little waiting time. Redundant systems may be in place to provide a high level of failover. The concept of availability can also refer to the usability of a system.
Information security refers to the preservation of integrity and secrecy when information is stored or transmitted. Information security breaches occur when information is accessed by unauthorized individuals or parties. Breaches may be the result of the actions of hackers, intelligence agencies, criminals, competitors, employees or others. In addition, individuals who value and wish to preserve their privacy are interested in information security.
Twenty-five years ago, when cybersecurity was still emerging as a specialty, most practitioners were transitioning from IT operational roles. As the Internet expanded and firewalls went up, the network team was given additional security duties. Eventually, these security duties became so burdensome that businesses created dedicated security positions. Now organizations had a catchall role for all their security work, which included security policy writing, application security review, intrusion detection monitoring, vulnerability scanning, and security awareness training.
The people who did these early security jobs ended up knowing a bit about everything in cybersecurity because they had to. From here came the first cybersecurity generalists. Since then, the field has evolved along with so many new avenues of technology, and most of these generalists either specialized or went into management.
Many kinds of job roles are available within cybersecurity. An easy way to look at them is through the three primary cybersecurity functions: engineering defenses, testing security, and responding to cyberattacks. Some of these roles may not exist in every organization. In smaller organizations, all of these roles may land on a single person or be tacked onto other non-security work. But be wary of such situations, for in the land of toast, the butter is spread very thin.
The specific skill sets for cybersecurity engineers, testers, and responders will build upon this foundation. Because these skills are narrower and more specialized, many of them can be acquired in industry training classes and cybersecurity bootcamps.
Building on those technical skills, cybersecurity engineers also need a firm grasp on how the specific technical controls in their area function. For example, engineers working in networking should understand firewall features and limitations as well as the specifics of the implemented solution within their organization. Also, this role, more than any other, is heavily dominated by the security vendors who manufacture a majority of these technical controls. However, this also provides an avenue to training and certification in those technologies.
Testing is one of the most glamorous jobs in security, as testers are the folks who hack things or find the problems. From auditors to red teamers, cybersecurity testers look for the gaps and mistakes before an attacker does. Some organizations only need these roles some of the time, so the work is often outsourced. Furthermore, testers work well in healthy competition with cybersecurity engineers. Job titles include:
When they are outsourced, cybersecurity testers are often part of the consulting services team. This means they are also the most customer- and revenue-focused of traditional security roles. This is a double-edged sword. On the upside, since they are revenue-driven, it is easier to justify their work and receive the necessary resources. The downside is that the healthy competition between engineers and testers can fester into an adversarial relationship. Not only are they outside of the organization, and therefore not part of the team, but their findings can be seen in a revenue-seeking glow and thus distrusted.
Most importantly, testers need a healthy skeptical attitude. The role of a cybersecurity tester is to question everything, even assumptions. One way to help do this is to learn threat modeling techniques such as STRIDE.
Like engineers, testers need to be knowledgeable in their technical area. In order to subvert a control or process, it is often necessary to understand the hidden nuances of that technical area. In many cases, they need to use this technical knowledge in unexpected ways, such as chaining together low-severity vulnerabilities to breach a system.
Testers often require many specialized tools and techniques, from hacking tools like Metasploit to effectively wielding a deadly audit questionnaire. Sometimes these tools are self-developed, which means testers should also have some programming skills (if hacking) or statistical knowledge (if auditing).
Lastly, to communicate their findings in the most impactful way, cybersecurity testers need to double down on their skills in explaining risk in relevant business terms. Nearly all the testing work they do needs to be expressed in written documentation. This writing needs to include detailed citations of evidence, such as screenshots, source code, and compliance regulations.
Similar to testers, responders are commonly outsourced in smaller organizations. Some responders are part of subscription service organizations that offer monitoring and response resources on-call as needed.
When they are internal, they can be found in IT, if focused on recovery and repair, or in legal, if focused on forensics. Sometimes they are found within the general business continuity organization under operational risk.
Responders need to be able to wrangle the right resources for cyber incidents, such as appropriate cyber insurance, intrusion detection tools, and forensic and malware analysis tools. Responders should also develop government, legal, and law enforcement contacts and resources to assist in incidents.
Many responders may also find themselves called on to report on incidents in a wide variety of settings, including boardrooms, industry conferences, and even legal depositions. Therefore, presentation and clear writing skills are helpful in this role as well.
First, we should say that your mileage may vary. Many different standards and practices in cybersecurity can contradict each other. Some may disagree with this list and some may find the categories overlap too much. Other ways of categorizing cybersecurity roles and skills include NIST Special Publication 800-181. Such is the nature of our immature field.
Raymond Pompon was the Director of F5 Labs. With over 20 years of experience in Internet security, he has worked closely with federal law enforcement in cyber-crime investigations. He was directly involved in several major intrusion cases, including the FBI undercover Flyhook operation and the NW Hospital botnet prosecution. He is the author of IT Security Risk Control Management: An Audit Preparation Plan published by Apress books.
1. The office of information technology services is hereby created within the executive department to have and exercise the functions, powers and duties provided by the provisions of this article and any other provision of law.
2. The head of the office shall be the director of the office, who shall serve as the chief technology officer for the state of New York and shall be designated as management confidential in the noncompetitive class in accordance with the civil service law. The director shall be the chief executive officer of and in sole charge of the administration of the office. The director shall be entitled to receive reimbursement for expenses actually and necessarily incurred by him or her in the performance of his or her duties.
3. The director may, from time to time, create, abolish, transfer and consolidate bureaus and other units within the office not expressly established by law as he or she may determine necessary for the efficient operation of the office, subject to the approval of the director of the budget.
4. The director may appoint, in accordance with the civil service law, such deputies, assistants, and other officers and employees, committees and consultants as he or she may deem necessary, prescribe their powers and duties, fix their compensation, and provide for reimbursement of their expenses within the amounts appropriated therefor.
5. The director may request and receive from any department, division, board, bureau, commission or other agency of the state or any political subdivision thereof or any public authority, staff and other assistance, information, and resources as will enable the office to properly carry out its functions, powers and duties.
1. To act as the official state planning and coordinating office for the advancement of technology to improve government efficiency and effectiveness, and perform all necessary and appropriate services required to fulfill these duties;
2. To advise and assist the state agencies in developing policies, plans and programs for improving the statewide coordination, administration, security, confidentiality, program effectiveness, acquisition and deployment of technology;
4. To review and coordinate the purchase of technology by state agencies. Where applicable, such review shall include but not be limited to: assessing consistency with the statewide strategic technology plan and agency technology plan; statewide technology standards; the safeguarding of information privacy; security of confidential records; and proper dissemination of public information;