
Hyeokgeose
Deinonychus

Joined: 24 Oct 2017
Age: 26
Gender: Male
Posts: 309
Location: USA

24 Oct 2017, 3:25 am

Hi,

I'm a cybersecurity major, and one thing I kinda did was go into this major blind. I get the basic message of what cybersecurity is; but, how does it apply at the workplace? As in, what do you do as a cybersecurity specialist? I can't seem to find much online in that regard.

Just a heads up, so far in my degree program, the only cybersecurity experience I had was in my Java programming class, in which we did some basic penetration testing and learned about making our programs foolproof.

I'm also interested in how much programming is used. Lately, I've been feeling discouraged, as I've struggled in two of my programming courses (but at the same time, I haven't done a good job studying) -- Java and C. I'm doing great in C++, and I don't know why (I just find it easier to apply the syntax, and it feels cleaner and more organized in my mind). I don't have trouble with the logic, that's the easy part -- I can write pseudocode or an outline of a program all day. I just have trouble remembering the syntax and finding the right syntax, and understanding some of the syntax -- I just feel like it isn't explained straightforward by those two professors (in C++, we're left on our own to learn and we go at a bit of a slower pace, and it's been easy to figure it out and remember the syntax).
So, I'm wondering how much program writing I'd be doing in a career in cybersecurity. If it's C++, I shouldn't have trouble, from what I've learned so far; but, my C professor showed us that C dominates the field by 80%, followed by some C++, Java, then other languages (Python, then Ruby, then "other" as I recall from August).

So, what is it like working cybersecurity? What kind of roles are there? Do any of you folks work civil service or as a contractor or even active duty? Would I be struggling horribly, do you think, or should I be fine as long as I have the logic nailed down (I can easily patch up someone else's program, just not good at writing my own for C and Java).

Thanks in advance.

Regards,
Jared


_________________
"It’s not until they tell you you’re going to die soon that you realize how short life is. Time is the most valuable thing in life because it never comes back. And whether you spend it in the arms of a loved one or alone in a prison-cell, life is what you make of it. Dream big."
-Stefán Karl Stefánsson
10 July, 1975 - 21 August, 2018.


jikijiki53
Raven

Joined: 22 Jul 2014
Age: 26
Gender: Male
Posts: 105
Location: Near Pittsburgh PA

24 Oct 2017, 4:28 pm

For me as a Networking/IT major, Cybersecurity is for people who are looking for vulnerabilities in products for software and hardware and have the creators of that said product be patched if vulnerabilities are found within their product. My college does have a Cybersecurity curriculum and although the people would be learning some networking stuff, it also contains things like criminology and maybe some history and the like.

As far as programming, I don't think there is very much except for patching software on Operating Systems or be hired to work on antivirus/malware software or working to patch for new threats that arise. I'm pretty sure there is more about Cybersecurity but that's how far from other classes that I have known where it would be related. I will be taking Cybersecurity classes next year and hopefully, I will have more answers.



eric76
Veteran

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

24 Oct 2017, 4:40 pm

The Krack attack that was divulged last week that would let an attacker hijack a wireless connection was found by someone who was reading code.



jikijiki53
Raven

Joined: 22 Jul 2014
Age: 26
Gender: Male
Posts: 105
Location: Near Pittsburgh PA

25 Oct 2017, 11:19 am

eric76 wrote:
The Krack attack that was divulged last week that would let an attacker hijack a wireless connection was found by someone who was reading code.

While that is a prime example of someone who was able to bypass WPA2 security, now companies that made all these home routers will have to do a firmware update so that the WPA2 security is patched to all routers with WPA2 security in your home. So basically, at this time no one is safe. Even changing the security password for access won't do any good. Who knows how long this will take for firmware updates to roll out to each specific make and model router to patch for protection. They may even have to make a new security measure like WPA2 but somehow provide even more security protection. Also, for safety don't bother changing the security measures to WEP or WPA, they still don't provide as much protection as WPA2 even though the attack occurred.



eric76
Veteran

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

25 Oct 2017, 5:03 pm

jikijiki53 wrote:
eric76 wrote:
The Krack attack that was divulged last week that would let an attacker hijack a wireless connection was found by someone who was reading code.

While that is a prime example of someone who was able to bypass WPA2 security, now companies that made all these home routers will have to do a firmware update so that the WPA2 security is patched to all routers with WPA2 security in your home. So basically, at this time no one is safe. Even changing the security password for access won't do any good. Who knows how long this will take for firmware updates to roll out to each specific make and model router to patch for protection. They may even have to make a new security measure like WPA2 but somehow provide even more security protection. Also, for safety don't bother changing the security measures to WEP or WPA, they still don't provide as much protection as WPA2 even though the attack occurred.


The real danger from the Krack attack is for the devices connecting to the routers. Home routers do need to be patched, but patching the laptops and cell phones is extremely important.

What can happen is that someone could use a man in the middle (MITM) attack that would trick nearby devices into connecting to it. They would then be able to read any http traffic including usernames and passwords. They could also use other methods of attack at that time to force some of the https traffic to switch to http so that they could read the usernames and passwords.

If you have a cell phone that is susceptible to the attack, you might want to turn off the wifi until you can patch it. If you just use it from home, then I would guess that you are probably okay even if you haven't patched your router unless you are likely to be a direct target of someone wanting to steal your credentials. I suspect that the attack would be more likely to be used to target business people in their businesses as well in places like hotels.

That said, most people don't realize just how insecure routers and firewalls can be. Any router or firewall that does not have the latest firmware applied is not trustworthy at all. Even popular commercial firewalls with good reputations have had serious security issues. For example, a number of firewall/router manufacturers have been known to install back doors in their devices so that they could access them without knowing your password. If they have issued new firmware to close these back doors and you haven't installed the firmware update, then you might as well not even have a firewall.

How often do you check for updates to your firewall?

Remember that nearly all intrusions into firewalls and routers are with attacks that have been around for years but the owner of the firewall/router hasn't bothered to upgrade their firmware. If you were an attacker and had a zero day attack, would you use it on everyone and increase the chance of discovery or would you try to limit its use to high priority targets?



jikijiki53
Raven

Joined: 22 Jul 2014
Age: 26
Gender: Male
Posts: 105
Location: Near Pittsburgh PA

27 Oct 2017, 5:03 pm

eric76 wrote:
jikijiki53 wrote:
eric76 wrote:
The Krack attack that was divulged last week that would let an attacker hijack a wireless connection was found by someone who was reading code.

While that is a prime example of someone who was able to bypass WPA2 security, now companies that made all these home routers will have to do a firmware update so that the WPA2 security is patched to all routers with WPA2 security in your home. So basically, at this time no one is safe. Even changing the security password for access won't do any good. Who knows how long this will take for firmware updates to roll out to each specific make and model router to patch for protection. They may even have to make a new security measure like WPA2 but somehow provide even more security protection. Also, for safety don't bother changing the security measures to WEP or WPA, they still don't provide as much protection as WPA2 even though the attack occurred.


The real danger from the Krack attack is for the devices connecting to the routers. Home routers do need to be patched, but patching the laptops and cell phones is extremely important.

What can happen is that someone could use a man in the middle (MITM) attack that would trick nearby devices into connecting to it. They would then be able to read any http traffic including usernames and passwords. They could also use other methods of attack at that time to force some of the https traffic to switch to http so that they could read the usernames and passwords.

If you have a cell phone that is susceptible to the attack, you might want to turn off the wifi until you can patch it. If you just use it from home, then I would guess that you are probably okay even if you haven't patched your router unless you are likely to be a direct target of someone wanting to steal your credentials. I suspect that the attack would be more likely to be used to target business people in their businesses as well in places like hotels.

That said, most people don't realize just how insecure routers and firewalls can be. Any router or firewall that does not have the latest firmware applied is not trustworthy at all. Even popular commercial firewalls with good reputations have had serious security issues. For example, a number of firewall/router manufacturers have been known to install back doors in their devices so that they could access them without knowing your password. If they have issued new firmware to close these back doors and you haven't installed the firmware update, then you might as well not even have a firewall.

How often do you check for updates to your firewall?

Remember that nearly all intrusions into firewalls and routers are with attacks that have been around for years but the owner of the firewall/router hasn't bothered to upgrade their firmware. If you were an attacker and had a zero day attack, would you use it on everyone and increase the chance of discovery or would you try to limit its use to high priority targets?


I agree with everything you're saying.

I've learned all of this in my networking class.

A lot of the firewall updates come from the OS itself (Which I use Windows 10 and just got it updated last night). I did patch my router a couple months ago however it does need another one as this was released a couple years back. My phone will eventually get a security patch. From what I've learned as far as when updates are pushed out, it starts from the newest device release to the oldest device and by phone carrier when they push them out.

Above all else, for ultimate security, just remain vigilant when going on the internet. I have heard stories of people clicking on ads and downloading something that will most likely contain malware.



Ichinin
Veteran

Joined: 3 Apr 2009
Gender: Male
Posts: 3,653
Location: A cold place with lots of blondes.

27 Oct 2017, 6:53 pm

Quote:
So, what is it like working cybersecurity?


Crapload of politics. At least in the government world. Overall in the business, useless infosec people writing documents not caring about if the job gets done or not, too much focus on compliance and redteaming (pentesting) and too little on keeping an ongoing process to securing systems and doing forensics/auditing and actually stopping attacks. Basically the whole business is filled with a lot of bullshitters peddling their crap to consumers and customers.


So, "what do people do"?

I'm gonna give you my honest answer:

* Some people work with crypto, they usually require maths skills, but tinkerers and hackers can work there as well. Implementing crypto protocols, installing hardware, writing lots of papers are some of the tasks I've seen them do.

* Some people stare at logs. It's a tedious task, because most of the tools (SIEMs) are pieces of s**t that have barely developed since the early 2000s. Some tools do some things well, and integrate machine learning algorithms, but there are better standalone tools that can do this job better, so basically you have to have interoperability and ways to export data if you want to do something useful. Most vendors do not care because they think they are the centre of the universe and everyone should adapt to them.

* The next step for log analysts is: Forensics, it takes curiosity and a deep understanding of how systems work which you get from working as a network tech. Forensics can be divided up into disk, memory, mobile units and network. Now even drone forensics is starting and IoT will be a total mess. A lack of logs and artefacts is a big problem, and the software industry isn't helping.

* The step beyond forensics is the latest craze: Cyber Threat Intelligence. I'd say 90% of the people working in this field haven't got a bloody clue as to what they are doing. Most haven't got any training in intelligence and people with zero skills go around and talk about APTs 24/7. There will be rapid developments in this field over the next years so it will be an interesting thing to do, if you can get a job, because most positions are taken by clueless IT people.

* Some do infosec, basically these people are compliance monkeys with typewriters writing stuff that has no effect on nation state actors, criminals and malware. I'm sick and tired of this papercrap, so ..moving on.

* Some work as security techs, having mostly IT skills they work close to IT playing around with VMWare and installing certificates on servers, has to take useless certs, and s**t from IT since security is mostly seen as an expense by management, not a way to decrease future expense and prevent Intellectual Property from heading out the window.

* Some do application security, they are basically programmers that are read up on vulnerabilities in various flavour-of-the-moment languages mostly for webapps. Can be fun, but you're basically a glorified programmer that tells other programmers how not to write code...and again, and again... and again, and again... and again...

* Some do pentesting. Basically throwing rocks at other people, and they get away with it. Security is s**t, and most systems (yes that includes Linux) are constantly vulnerable. There is great money to be made here playing around with powershell and metasploit, taking no responsibility while companies struggle learning how to spell defence.

* Some teach, it can be fun, but requires experience. At least if you want to do some quality stuff like SANS courses, if not you can do crap courses and live off one time customers. Security awareness training for end users can be a bit frustrating, knowing you will see them again in 1 year, having forgotten what you taught them.

Still want to work in the business? :lol:


_________________
"It is far better to grasp the Universe as it really is than to persist in delusion, however satisfying and reassuring" (Carl Sagan)


Last edited by Ichinin on 27 Oct 2017, 7:16 pm, edited 4 times in total.

Ichinin
Veteran

Joined: 3 Apr 2009
Gender: Male
Posts: 3,653
Location: A cold place with lots of blondes.

27 Oct 2017, 7:04 pm

jikijiki53 wrote:
Above all else, for ultimate security, just remain vigilant when going on the internet. I have heard stories of people clicking on ads and downloading something that will most likely contain malware.


Phishing/Wateringhole/Driveby attacks like that have been going on since the late 90s. Some ads don't even require you to click on them to compromise your computer. Used to take advanced exploits, but now people do it with fricking JavaScript.




Hyeokgeose
Deinonychus

Joined: 24 Oct 2017
Age: 26
Gender: Male
Posts: 309
Location: USA

29 Oct 2017, 2:25 am

Ichinin wrote:
Quote:
So, what is it like working cybersecurity?


Crapload of politics. At least in the government world. Overall in the business, useless infosec people writing documents not caring about if the job gets done or not, too much focus on compliance and redteaming (pentesting) and too little on keeping an ongoing process to securing systems and doing forensics/auditing and actually stopping attacks. Basically the whole business is filled with a lot of bullshitters peddling their crap to consumers and customers.


So, "what do people do"?

I'm gonna give you my honest answer:

* Some people work with crypto, they usually require maths skills, but tinkerers and hackers can work there as well. Implementing crypto protocols, installing hardware, writing lots of papers are some of the tasks I've seen them do.

* Some people stare at logs. It's a tedious task, because most of the tools (SIEMs) are pieces of s**t that have barely developed since the early 2000s. Some tools do some things well, and integrate machine learning algorithms, but there are better standalone tools that can do this job better, so basically you have to have interoperability and ways to export data if you want to do something useful. Most vendors do not care because they think they are the centre of the universe and everyone should adapt to them.

* The next step for log analysts is: Forensics, it takes curiosity and a deep understanding of how systems work which you get from working as a network tech. Forensics can be divided up into disk, memory, mobile units and network. Now even drone forensics is starting and IoT will be a total mess. A lack of logs and artefacts is a big problem, and the software industry isn't helping.

* The step beyond forensics is the latest craze: Cyber Threat Intelligence. I'd say 90% of the people working in this field haven't got a bloody clue as to what they are doing. Most haven't got any training in intelligence and people with zero skills go around and talk about APTs 24/7. There will be rapid developments in this field over the next years so it will be an interesting thing to do, if you can get a job, because most positions are taken by clueless IT people.

* Some do infosec, basically these people are compliance monkeys with typewriters writing stuff that has no effect on nation state actors, criminals and malware. I'm sick and tired of this papercrap, so ..moving on.

* Some work as security techs, having mostly IT skills they work close to IT playing around with VMWare and installing certificates on servers, has to take useless certs, and s**t from IT since security is mostly seen as an expense by management, not a way to decrease future expense and prevent Intellectual Property from heading out the window.

* Some do application security, they are basically programmers that are read up on vulnerabilities in various flavour-of-the-moment languages mostly for webapps. Can be fun, but you're basically a glorified programmer that tells other programmers how not to write code...and again, and again... and again, and again... and again...

* Some do pentesting. Basically throwing rocks at other people, and they get away with it. Security is s**t, and most systems (yes that includes Linux) are constantly vulnerable. There is great money to be made here playing around with powershell and metasploit, taking no responsibility while companies struggle learning how to spell defence.

* Some teach, it can be fun, but requires experience. At least if you want to do some quality stuff like SANS courses, if not you can do crap courses and live off one time customers. Security awareness training for end users can be a bit frustrating, knowing you will see them again in 1 year, having forgotten what you taught them.

Still want to work in the business? :lol:


Well, that is very interesting and exactly the answer I was looking for. Why are these folks getting paid so much? I'm looking at doing a program with a local military base in which they will pay for my master's degree, and they pay starting at GS-12, with all the good civil service benefits (this is in Florida, of course). There's also MITRE, which I was informed by them at the time, pays at GS-13, up to GS-14 depending on experience (of course, they're contractors).
Using https://www.federalpay.org/gs/calculator, I see that for GS-12 step 1, I would be making $72,000. That sounds like a lot just to be doing those kinds of tasks.




Ichinin
Veteran

Joined: 3 Apr 2009
Gender: Male
Posts: 3,653
Location: A cold place with lots of blondes.

29 Oct 2017, 3:56 am

Hyeokgeose wrote:
Well, that is very interesting and exactly the answer I was looking for. Why are these folks getting paid so much? I'm looking at doing a program with a local military base in which they will pay for my master's degree, and they pay starting at GS-12, with all the good civil service benefits (this is in Florida, of course). There's also MITRE, which I was informed by them at the time, pays at GS-13, up to GS-14 depending on experience (of course, they're contractors).
Using https://www.federalpay.org/gs/calculator, I see that for GS-12 step 1, I would be making $72,000. That sounds like a lot just to be doing those kinds of tasks.


Global extreme shortage of skilled workers. If you want to keep skilled people around, you better pay well.

The salaries aren't that great where I live, as a government employee (specialist) I made about the equivalent of 52000/year before taxes, but then the employer has to pay social/pension taxes so if we compare with that it is on par with US salaries. There is usually training (SANS etc) and other perks that come with the job too, I talked to one guy that had taken lots of online training.

Never seen the world as much before the last job, flying can be a problem if you have sensory issues with that, an mp3 player and earplugs helps.

Being a contractor pays lots more, but the job security isn't there.




Ichinin
Veteran

Joined: 3 Apr 2009
Gender: Male
Posts: 3,653
Location: A cold place with lots of blondes.

29 Oct 2017, 4:15 am

Forgot, as to what programming language.

C is dead. Gone. Skip it unless you want to write code for dishwashers or do low level stuff and produce insecure code which C is known for.

C++ is for writing tools, but you can just as well write it in VB.net which has the same compiler nowadays - or even Java if performance isn't an issue. Most tools that are written just do a few things then quit. Some things can be done with stuff like Ruby on Rails and JavaScript. I recommend picking a language and learning it well so you know programming, then you can jump to other languages as needed. SQL is another thing I recommend, or even Cypher (Neo4J).

For now, I'd recommend learning Python, both redteam and blueteam use it, it is deployed natively in Linux and it can easily be installed in Windows. Python is the go-to language for security atm.




eric76
Veteran

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

29 Oct 2017, 9:29 pm

Ichinin wrote:
Forgot, as to what programming language.

C is dead. Gone. Skip it unless you want to write code for dishwashers or do low level stuff and produce insecure code which C is known for.


There is nothing insecure about C. Sure, there is plenty of code written in C that is not secure, but that's because there is so much code written in C.

The security of the software does not depend on whether or not it is written in C.



Hyeokgeose
Deinonychus

Joined: 24 Oct 2017
Age: 26
Gender: Male
Posts: 309
Location: USA

30 Oct 2017, 12:39 am

That's good for me to know, I'm not doing well in C; but, I think that's because I have a bad professor, as much as I don't like to say that. I realized this when I met my C++ professor, and he was just amazing. His lesson plans, although the class is primarily online, are great and go at an amazing pace. That said, I'm failing my C programming class and doing very well in C++. Recently, I found out that I wasn't the only one having problems with this C class, but I need to pass since it's the pre-requisite for all computer-related majors at my university.

Hopefully the pay will remain good for cybersecurity in the U.S., but in the long-run I'd rather run a business and keep my cybersecurity career short (maybe around 15 years, depending on how things go).




Ichinin
Veteran

Joined: 3 Apr 2009
Gender: Male
Posts: 3,653
Location: A cold place with lots of blondes.

30 Oct 2017, 3:34 am

eric76 wrote:
Ichinin wrote:
Forgot, as to what programming language.

C is dead. Gone. Skip it unless you want to write code for dishwashers or do low level stuff and produce insecure code which C is known for.


There is nothing insecure about C. Sure, there is plenty of code written in C that is not secure, but that's because there is so much code written in C.

The security of the software does not depend on whether or not it is written in C.


Unless you know how to write secure code in C and why you shouldn't not use it, please do not make claims about it.




Ichinin
Veteran

Joined: 3 Apr 2009
Gender: Male
Posts: 3,653
Location: A cold place with lots of blondes.

30 Oct 2017, 3:36 am

Hyeokgeose wrote:
That's good for me to know, I'm not doing well in C; but, I think that's because I have a bad professor, as much as I don't like to say that. I realized this when I met my C++ professor, and he was just amazing. His lesson plans, although the class is primarily online, are great and go at an amazing pace. That said, I'm failing my C programming class and doing very well in C++. Recently, I found out that I wasn't the only one having problems with this C class, but I need to pass since it's the pre-requisite for all computer-related majors at my university.

Hopefully the pay will remain good for cybersecurity in the U.S., but in the long-run I'd rather run a business and keep my cybersecurity career short (maybe around 15 years, depending on how things go).


You really should talk to the other professor and management about that bad professor, his knowledge is ancient and he needs to go do something else. Noone - no one - takes C to get to be a programmer in a security related field.




eric76
Veteran

Joined: 31 Aug 2012
Gender: Male
Posts: 10,660
Location: In the heart of the dust bowl

30 Oct 2017, 2:42 pm

Ichinin wrote:
eric76 wrote:
Ichinin wrote:
Forgot, as to what programming language.

C is dead. Gone. Skip it unless you want to write code for dishwashers or do low level stuff and produce insecure code which C is known for.


There is nothing insecure about C. Sure, there is plenty of code written in C that is not secure, but that's because there is so much code written in C.

The security of the software does not depend on whether or not it is written in C.


Unless you know how to write secure code in C and why you shouldn't not use it, please do not make claims about it.


Rather pretentious, aren't you?

And very, very wrong.