cyber security

information security analyst job description


The information security analyst position is a great opportunity for a security professional to expand their skill set.

There are many types of information security analysts.  Some examine the security features of a single system, while others are responsible for analyzing the security posture of an entire organization's infrastructure.

Analysts are usually professionals with enough security experience to provide guidance on security incidents, security features and risks in a given information systems environment.

That being said, the term information security analyst is used in many different ways by many different organizations.  For example, some organizations call their security professionals "analysts" when they actually do engineering work, and others call their security analysts engineers.  So take the description below with a grain of salt.

Essentially, an analyst studies, monitors, measures and evaluates existing systems and produces reports, incident handling and responses based on what they find; or they review designs proposed and developed by others.  Engineers create, design, install and configure existing and/or proposed systems.  Always examine the description of the specific job you plan on doing.

Analysts analyze.  Engineers build stuff.  But of course there can be lots of overlap.

Prerequisites for Typical Information Security Analyst:

If you have a solid understanding of networking, TCP/IP and subnetting, a little server administration, malware identification and plenty of system security experience, then information security analyst is for you.  Organizations dealing with the federal government usually want a BS degree or specific IT certifications.

Basic Job Description of Typical Information Security Analyst:

Information security analyst responsibilities can include ensuring that system information security requirements are met.  Another task might be to support the systems engineering life cycle from specification through the design of hardware or software, procurement, development, integration, test, operations and maintenance.  The analyst also provides analysis, definition and recommendation of information assurance and security requirements for advancing the information security technologies of the computing and network infrastructure.

Responsibilities may include but are not limited to:
• Ensure that Configuration Management (CM) and information security governance, policy, directives and guidance are followed.

Ensure compliance with certain security policies / standards such as:

  • Federal Information Security Management Act (FISMA)
  • NIST Special Publications (SP) 800 Series
  • Security Technical Implementation Guides (STIGs)
  • PCI
  • Sarbanes-Oxley Act
  • Risk Management Framework for DoD IT
  • ISO/IEC 27000
  • Health Insurance Portability and Accountability Act (HIPAA)

• Conduct Information System Security Engineering activities at the subsystem and system level of design

• Complete Vulnerability scans, Information System Security audits, analysis, risk assessments, vulnerability assessments, intrusion detection/prevention and log monitoring of computing resources

• Computer Network Defense:

  • Analyze TCP/IP traffic
  • Continuous monitoring of information system security
  • Incident handling
  • SIEM analysis
  • Data loss prevention (DLP)
  • Coordination with computer emergency response team (CERT)

• Certification & Accreditation / Risk Management Framework analysis
• Support C&A Security Test and Evaluation processes

 


Windows Password Recovery: ONTPRE

Offline NT Password & Registry Editor (ONTP&RE)

Did you lock yourself out of your Windows system?  Forgot your Windows password?  What is the best Windows password recovery?

The best approach is to have a password reset disk ready.  But that is something you must create BEFORE you get locked out.


There are tools you can use to get into your system, but the first thing you should try is logging in as "Administrator" with no password.  "Administrator" is the built-in account on Windows systems.  On Windows 7 it is disabled by default, but if someone has enabled and used the account you may be able to use it as a backdoor into the system.

If there is no usable Administrator account and no password reset disk, you will have to use a Windows password recovery tool.  ONTP&RE is a password recovery tool that gives quick access to Windows systems by editing the SAM hive offline.  Two caveats: it blanks the password rather than recovering it, so anything protected by the old password (EFS-encrypted files, credentials stored with DPAPI) stays inaccessible afterwards, and it only works when the system volume is not encrypted with BitLocker or similar full-disk encryption.

Reset Password : Windows 7

1.  Download ONTP&RE:  First, download the Windows password recovery software from pogostick.net: pogostick.net/~pnh/ntpasswd/cd110511.zip

2.  Unzip ONTP&RE:  The CD image is compressed into one zip file (cd110511.zip).  Unzip it to get the ISO.

3.  Create a CD from the ISO:  Set your CD burning software to "burn image to disc" and burn the ISO to a CD.  Every CD burner program is different, so you will have to work out how to create a CD from an ISO in yours.  Sometimes it is as easy as double-clicking the ISO, but it depends on the software.

4.  Reboot and insert:  Make sure your Windows system can boot from the CD.  Insert the CD into the CD-ROM drive and reboot the computer.

5.  Boot the computer from CD:  As the computer reboots, keep pressing F2 (or whichever key your machine uses) to enter the BIOS setup.  Select "Boot Options"; some BIOS versions call this "Boot", but the idea is the same.  Make sure CDROM is at the top of the boot order so the computer looks at the CD before the hard drive.  Instructions for changing BIOS settings are usually shown on the setup screen itself.

6.  Boot into ONTP&RE:  Once the boot order is set, save and exit.  The system will boot from the ONTP&RE disc and the software will start running; just follow the steps.  Press Enter at the prompt to boot the "Offline NT Password & Registry Editor" CD.


7.  Select an account:  It will ask you to select an account.  If you just press Enter it will select the [Administrator] account.

*note: Anything in [brackets] is the default value, so pressing Enter automatically chooses that [bracketed] value.  It's a Linux thing; you wouldn't understand.

If you choose the "Administrator" account you may need to enable it, since the built-in Administrator account is disabled by default in certain versions of Windows.

8.  Enable the built-in Administrator account:  Type 4 and press Enter to select "Unlock and enable user account".


9.  Clear (blank) the user password:  After selecting 4 (Unlock and enable user account) you are returned to the User Edit Menu.  To clear the Administrator password (if it has one), press Enter or type Administrator to select the account again, then type 1 and press Enter to clear the user password.

10.  Save changes:  Once you have made all the changes you want (enabled the Administrator account and cleared any passwords), type ! and press Enter to leave the user editor.


At the "What to do?" prompt, type q to quit.  You will see:

Step FOUR:  Writing back changes

“About to write file(s) back.  Do it ?’’

Hit   Y  and enter to save changes.

11.  Last step:  Press Ctrl-Alt-Del to reboot and eject the CD promptly so the system boots into Windows from the hard drive instead of the CD again.

You can now log in as "Administrator" with NO password.

Once you are in as Administrator you can change the passwords of any local accounts in Control Panel | User Accounts.  Set a password on the Administrator account (or disable it again) before you are done, otherwise you have left behind exactly the backdoor this walkthrough used.
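As an added example that is not part of the original post, here is a PowerShell audit of the two things the walkthrough above relies on: an enabled built-in Administrator account (or any other enabled local account flagged as not needing a password) and an unencrypted system volume that lets a boot CD rewrite the SAM hive.  It assumes Windows 10 / Server 2016 or later (Get-LocalUser and Get-BitLockerVolume do not exist on Windows 7) and an elevated session; the function name Test-OfflinePasswordResetExposure is my own.

```powershell
# Added example (not from the original post): audit a Windows host for the conditions
# the ONTP&RE walkthrough depends on. Assumes Windows 10 / Server 2016 or later; the
# LocalAccounts and BitLocker modules used here are not present on Windows 7, and
# Get-BitLockerVolume needs an elevated session.
function Test-OfflinePasswordResetExposure {
    [CmdletBinding()]
    param()

    $findings = @()
    $localUsers = Get-LocalUser

    # The built-in Administrator always has RID 500, whatever it has been renamed to.
    $builtinAdmin = $localUsers | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if ($builtinAdmin -and $builtinAdmin.Enabled) {
        $findings += "Built-in Administrator '$($builtinAdmin.Name)' (RID 500) is enabled; password last set: $($builtinAdmin.PasswordLastSet)"
    }

    # Accounts flagged as not requiring a password. This is only the account flag;
    # a password blanked offline with a SAM editor does not necessarily set it, so an
    # enabled account with a suspicious PasswordLastSet still deserves a manual check.
    foreach ($u in $localUsers) {
        if ($u.Enabled -and -not $u.PasswordRequired) {
            $findings += "Local account '$($u.Name)' is enabled and flagged 'password not required'"
        }
    }

    # Offline SAM editing only works if the system volume is readable from a boot CD.
    $systemDrive = $env:SystemDrive
    try {
        $vol = Get-BitLockerVolume -MountPoint $systemDrive -ErrorAction Stop
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "BitLocker protection on $systemDrive is '$($vol.ProtectionStatus)'; the SAM hive can be edited offline"
        }
    } catch {
        $findings += "Could not query BitLocker on $systemDrive ($($_.Exception.Message)); treat the SAM hive as editable offline"
    }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        Exposed      = ($findings.Count -gt 0)
        Findings     = $findings
    }
}

# Usage (elevated PowerShell):
Test-OfflinePasswordResetExposure | Format-List

# Remediation for the account side, once a managed local-admin password (e.g. LAPS)
# or another recovery path is in place:
#   Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Disable-LocalUser
```

The RID-500 match is deliberate: renaming the built-in Administrator is a common hardening step, and matching on the name alone would miss it.  BitLocker is the control that actually stops this walkthrough, since a boot CD can only blank a password it can reach on disk.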

The Value of a (Ethical Hacker) Certification

Ok, I admit it. I have totally slacked off on getting that CEH certification. I’ve had the boot camp, I’ve amassed lots of great books and resources, I’ve even talked to some people who have passed it, but I still haven’t been consistent about studying. For a while I was pretty consistent. I read the Official Study Guide and started working on an Unofficial one.

Why don't I have that cert yet? I suppose I just don't feel I have a reason to have it. It would just be for show because I don't really do pen testing. I'd like to, but in my job I don't usually have the opportunity or reason to do it. I've already got the CISSP, so I don't need the CEH for some kind of prestige. Many hackers piss on certifications; they are not impressed with them and are willing to hurt anyone who flashes the credentials. The CISSP trumps most certifications. The only real benefit for me in getting it is that it would force me to get more familiar with tools like netcat and Snort, which I don't use enough. I am interested in cyber kung fu. Lately I have been more drawn to the scientific and mathematical side of technology, the side where innovations are born, not just mastered. I've been sharpening up my math skills and plan on getting into computer science, electrical engineering or physics.

I haven't decided whether I want to take the CEH, because I want to do something that has more depth. I suppose I could complete the CEH, go through computer science and specialize in security/crypto/info assurance and follow in the footsteps of Bruce Schneier and Steve Gibson. In the beginning, certifications were definitely a step up, but I'm in a place now where they are just ornaments, flashy baubles I could decorate my name with when I need an ego boost. If my wife and kids are giving me lip I can say, "Don't you know I am a CISSP, A+, B, C, D, E, F, G? You MUST respect my awesome test-taking ability!"

I've said it before: I think certifications can be of great value. If you work for the Department of Defense in IT you pretty much MUST have one (per DoD 8570). Certifications can give you that extra edge against competing employees in the private sector. Problems arise when a certification's value is taken out of context, like 8570 making a certain certification mandatory regardless of your experience and/or degrees. That is a bit much. Not everyone who passes the CISSP can configure a firewall properly. But perhaps that's the reason the DoD wants system-specific certifications.

Legal Hacking Cases

The official Certified Ethical Hacking course material identifies three types of hackers:

Black Hats: criminal hackers

Grey Hats: hackers that find exploits because they want to (not for good or bad intentions)

White Hats: hired penetration testers

The media and many parts of the information security profession lump all "hackers" into one big box labeled "criminals".  I used to think this way as well until I went to Defcon.  It was a real eye opener.  I saw hackers who want to do something good for consumers.  I saw several government agencies attempting to hire the best and brightest hackers, and of course I saw hackers that may very well have been working on the dark side.  The point is that "hacking" itself is just a technique to find and exploit weaknesses in a given system.  It is not intrinsically evil.  Hacking is just a method; the intent of the user determines whether or not there is an adverse effect on individuals, organizations or a given society.

Contrary to popular conservative/traditional beliefs the world is not black and white.  There are cases in which hacking is legal.  Just take a look at these legal hacking cases:

Ethical Hacking.  Involves getting formal permission from the “target” prior to hacking.

Hackthissite.  Hack This Site is one of many sites that allow users to freely hack their way in.  This is done for fun, for learning or just for the heck of it.  Typically there are rules and guidelines created so that both the user and the host benefit from the learning experience.

Reverse engineering is legal.  Reverse engineering has been deemed legal in the U.S. in many industries.  The legalities of reverse engineering software are still being shaped by a new breed of cases.

1999-2002: DVD Copy Control Association (DVD-CCA) vs. Bunner, et al.  The DVD-CCA attempted to sue anyone distributing descrambler software that was created by reverse engineering their product.  They even attempted to sue anyone linking to sites giving out the descrambler.  The EFF got involved, and Bunner and the others won the case.  *note: they were not even the ones who reverse engineered the product.

The attempt to legalize intrusions for corporations.  In 2002, Rep. Howard Berman (D-Calif.) tried to pass a law called the Peer to Peer Piracy Prevention Act (2002), which would have added section 514 to 17 U.S.C. Chapter 5, allowing companies to legally hack into computers to find pirated software and intellectual property and use that information in court against the infringer.


Ethical Hacking Official Course Material (Book)

As of July 2007, the official course material book on Ethical Hacking is going for $5 on Amazon.  The cover price is $70 in the US and over $100 in Canada.  This should tell you a lot about what people feel about this book.

The hate for this book is so profound that it makes me laugh.

Here are a few comments:

“I know this has been said but it really needs emphasis. This is perhaps the most poorly written and presented compilation of misinformation I have seen since the 5th grade.”

“If the author of this book isn’t going to take the time to correct the misspellings and grammar issues, that speaks volumes about the quality of the content.”

"The EC-Council has a great CUT and Paste method of publishing a book, they don't even list the Author."

“I agree with all the negative comments. This book is poorly written.”

It touches on all of the modules of the test; it's just that there are so many issues with the way it is put together.  It's almost as if the EC-Council had a week to put something together, so they gathered all their slides, copied and pasted them into this book and then expanded on each slide.

One of the Amazon readers put it well:

Here are a few notable indicators of the quality of the book:

* There is no reference section or bibliography and there are only a couple references made to outside works. Most of which is the legislation they quote and a couple quotes from notable manufacturers.
* They do not cite any of their quotes correctly. The closest they get is, "A quote from the Internet says…" or "(Reference: Cryptography FAQs published on the World Wide Web)" No web site, date or proper credit is ever given. I'm surprised they actually listed the URLs for the tools they discuss.
* The table of contents is very high level, there is no table of figures, or table of tables. There is also no index or list of terms.
* They attempt to redefine established industry terms in their own style, often incorrectly or in contradiction to earlier statements.
* As noted in previous reviews, grammar, spelling and typos are prevalent throughout the book. Most notably is the pres ence of sp aces in the midd le of wo rds.

When course material is this bad, it is very hard to take the certification seriously.

Certified Ethical Hacker Exam Prep (amazon review)

Found a good review of Mike Gregg's book, Certified Ethical Hacker Exam Prep, from Amazon reviewer N. Rossino (NY):


The previous poster did bring up a good point: this book will not teach you how to hack. It WILL help you pass the CEH exam. It lays a very good foundation, and the only reason I give it 4 stars was because it was lacking the detail and depth to be fully comprehensive.

Keep in mind, that this book is meant for people who do have an administration background and who happen to be pretty familiar with Linux and Windows. The book is written for that group of people because without that experience, you probably won’t have the experience necessary to be a CEH.

I happened to read all 3 books for the CEH that are listed on Amazon: the Sybex book, the EC-Council book, and this book. By far, this book was the best of the 3. The Sybex book was a waste of money, as it wasn't as good as this book and had even less depth. The EC-Council book had a bit more detail in some topics, although it lacked cohesion and was poor at presenting the thought behind it. I think this book and the EC-Council book complement each other and give you a pretty good idea of what you actually need to know. I would start with this book and finish up with the EC-Council book and/or courseware. My reasoning is that you should set the foundation first, and this book does that.

Also, as with hacking, google is an excellent resource. These two books won’t be enough to fill all the holes, but the internet is a damned good filler.

In conclusion this book provides for pretty good preparation for the actual test, and is a comfortable read.

ABOUT THE TEST:

150 questions, you have 4 hours. I took only 2 and scored an 86%. 70% is passing. I studied for only two weeks, but have extensive background in the subject area.

The test is very specific, and you are expected to know the material in detail – NOT just concepts. The test is geared towards people with security experience, and the test questions are true to that purpose. It will be very difficult to pass if you:
1) Don’t know linux
2) Don’t understand Microsoft’s OS and operations
3) never actually used any of the hacking tools

Linux is not a MAJOR part of the test, but there are enough questions on linux command line operations to make a difference.

Keep in mind, just reading alone will not let you pass this test. It is very important that you try out the most popular and important tools (firsthand!). You will be asked about specific commands, and be expected to know them. Know nmap, snort, hping2, tracert and tcpdump down cold. Know the ICMP codes and types. The only way you learn this stuff is to actually practice it.

SC Magazine Awards 2007: Training Camp listed

Training Camp has been named a finalist in the SC Magazine Awards 2007 for the Best Professional Training Program category. According to SC Magazine, programs in this category are defined as those geared toward strengthening the expertise of IT security professionals, that provide educational programs, continued learning and certifications. 

Contact me to find out more about our award-nominated IT security Training Camps and why they’re the best of the best. Our IT security camps include:

Official (ISC)2 CISSP
Official (ISC)2 ISSEP
Official (ISC)2 SSCP
Certified Ethical Hacker
Forensics
Licensed Penetration Tester
CompTIA Security+
CISA
CISM

What is a Hacker?

“A hacker is someone who thinks outside the box. It’s someone who discards conventional wisdom, and does something else instead. It’s someone who looks at the edge and wonders what’s beyond. It’s someone who sees a set of rules and wonders what happens if you don’t follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.”
The above is a quote from crypto living legend Bruce Schneier's book, Beyond Fear.  This is exactly how I feel about hacking.  Hacking is a major asset to information system security... in fact it is THE only real asset.  I've had arguments with some of my peers about this.  Information security pro vs. hacker.  If the typical information system security pro doesn't get smart on hacking (security/programming) techniques, security will continue to be a losing battle.  Cyber criminals have no problem learning the latest exploits; they have no boundaries, and this gives them a "superpower" against security professionals.  Some information security professionals, on the other hand, restrict themselves by categorizing hacking as bad.  They see it as unethical and irresponsible.

It is unethical and not responsible to NOT know hacking techniques that might exploit a customers system.

Thanks for the post Bruce.  I hope you will make another appearance at the Defcon

Former Pentester of FBI, hacks the FBI

This case is not the same as the Department of Veterans Affairs loss of records or the Department of Agriculture's security failures.  In this case, a contracting consultant conducted a penetration test without getting formal approval.  He exploited the FBI's vulnerabilities to gain elevated privileges.

Joseph Thomas Colon, 28, is a former employee of BAE Systems.  His pentest allowed him to obtain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.  According to Colon, the FBI field office in Springfield, Ill., to which he was attached, gave him approval.

However, every professional pentester and/or ethical hacker knows that you have to get formal approval from an authority.

Colon's lawyer said in a court filing that his client was hired to work on the FBI's “Trilogy” computer system but became frustrated over “bureaucratic” obstacles, such as obtaining written authorization from the FBI's Washington headquarters for “routine” matters such as adding a printer or moving a new computer onto the system. 

As a result, Mr. Colon will likely serve about 18 months in prison. :(…

Pentesting and ethical hacking tools and techniques must be dealt with responsibly.  The bureaucracies that control whether pentesting is allowed must be respected at all costs.  The first thing taught in pentesting and ethical hacking is to ALWAYS, ALWAYS, ALWAYS get written consent to proceed from the owners of the system; as this case shows, informal approval from a local office is not the same as written authorization from the organization that actually owns the system.

 
