Getting an Information Security Job For Dummies. Gregory Peter H.. Читать онлайн. Newlib. NEWLIB.NET

Автор: Gregory Peter H.
Издательство: John Wiley & Sons Limited
Серия:
Жанр произведения: Зарубежная образовательная литература
Год издания: 0
isbn: 9781119002628
Скачать книгу
sysadmin may also manage user accounts, machine by machine or in a central directory such as Microsoft Active Directory or LDAP (lightweight directory access protocol). A sysadmin can learn and apply many security-related principles regarding user account management, such as the following:

       ✓ High-quality passwords: Systems should require long, complex passwords with reasonably short expirations (I suggest 90 days for users and 30 for administrators).

       ✓ No shared user accounts: SAs are usually close to their users, and as such should watch for various forms of abuse, including shared user accounts. That’s bad juju, as I like to say.

       ✓ Accounts with least privilege: Users should have no higher privilege level than is required to accomplish their duties. If you give an ordinary user the local administrator privilege, you will be begging for security-related problems.

       Database administrator

      A database administrator, or DBA, is responsible for the care and feeding of databases that reside on servers as well as external storage systems.

      A database management system is a sizeable piece of software in its own right, often with myriad configuration settings and its own user accounts and related settings. Like the system administrator, the database administrator must follow sound principles with regards to system hardening as well as user account management. Further, the DBA also controls access permissions to databases and their components.

       Software developer

      A software developer (also referred to as programmer, software development engineer, or programmer-analyst) develops systems software, application software, tools and utilities, and system interfaces. Some have a creative, free spirit and down-with-rules attitude that gives the whole lot a reputation for not wanting to work with security people.

      Software development involves several significant security-related activities and aspects, including the following:

       ✓ Secure coding: Developers without training in secure coding are likely to introduce vulnerabilities such as buffer overflow and cross-site request forgery in their programs. Depending on the languages and tools they are using, developers will need to have a varying level of training and awareness, so that their programs will be free of security defects.

       ✓ Security testing: Developers often test the programs they write and maintain. Depending on the languages and tools they use, developers will need to perform security testing in addition to any functionality testing to ensure that their software is free of security-related defects.

       ✓ Code reviews: Developers should be checking each other’s work, looking for security flaws that could permit their software to be compromised by an attacker.

      

My security career started as a developer

      I was working as an engineer writing code for operations in a nuclear power plant. One day (in the early ’80s), I asked the boss how we secured this stuff and who was responsible for making sure our network and supporting computing systems were secure. Two days later, I got a call from corporate headquarters and talked to our CIO. I explained my concern, and that was the beginning of my security career. I became responsible for securing our corporate network and, from there, went on to become one of the first security engineers for the company.

      Bruce Lobree, Seattle

       Project manager

      Have you seen those sleek racing rowboats, with the person in front shouting, “Stroke! Stroke! Stroke!” to keep the rowers in sync? Similarly, project managers keep a project going in the same direction and at the right pace to ensure that it is completed correctly and on time.

      Project managers, or PMs, keep projects running smoothly and ensure that all required resources are available as needed. In many cases, PMs can use their general knowledge of IT security to ensure that security-related activities are included in a project's schedule and carried out by people with the right skills. Some of the things that PMs need to know include the following:

       Laws and regulations applicable to the organization

       Security policies that are relevant to whatever project PMs are working with at the time

       Client or customer security-related expectations

       Security tools used in the organization to verify software security

       Business analyst

      Depending on the organization, a business analyst may be a jack-of-all-trades or focused on one set of activities. In this book, a business analyst is the former. Examples of business analyst activities include

       Running reports

       Analyzing the content of reports to assist other workers in their jobs

       Conducting research tasks and projects on internal business matters

       Organizing information into usable or readable form

      A business analyst can also be thought of as a technical assistant.

      Like other IT workers, a business analyst must be familiar with the concepts of safe computer usage and prudent handling of sensitive data, so that they don’t unwittingly bring harm to the information by compromising sensitive data and systems.

      

Most people in security start out in another IT job, and move laterally into a security position.

       IT manager or IT director

      An IT manager (in smaller organizations, the IT manager) or IT director directs the work of others in the IT organization. To get security savvy and do the right thing security-wise for the organization, an IT manager needs to understand many aspects of information security, including the following:

       ✓ Security policy: The security policy includes both the policy for general workers as well as IT-specific policies related to the design, implementation, and management of information systems.

       ✓ Security aspects of applicable business processes: These aspects include but are not limited to change management, configuration management, incident management, asset management, and employee onboarding and offboarding.

       ✓ Leadership by example: An IT manager is watched by almost everyone on the team, so he or she should lead by example to ensure that IT staffers also toe the line on security policy, procedures, and expected behavior.

      

My security career started on a committee

      I got a job as an IT director for one of the departments in a large municipality. Shortly after arriving, I began work on their first information security committee. Our task was to create a new InfoSec policy. Eventually, we decided that we needed to hire a CISO for the city.

      The person we hired was and is someone many of you would recognize, but I'll leave out his name to protect the innocent (and guilty!). We quickly became good friends and respected colleagues, and when the position of deputy CISO was created, I applied and was hired.

      David R. Matthews, Seattle

       Human resources employee

       Human resources (HR) workers play a big part in information security. They are the linchpin in the procedures followed when hiring and terminating employees. HR has many other important security-related aspects, including the following:

       ✓ Background checks: A background check is relatively straightforward in the United States but trickier in countries