Though computer science is a popular field not many focus on a career in cyber security or ethical hacking. I connected with an expert in the field of cyber security to understand the opportunities available today.
Tell us a bit about yourself
I am Amit Tambe. After my graduation in Computer sciences, I did my masters in network security in US. I worked for almost nine years in the security industry (at McAfee and FireEye). I primarily worked on email security products of these companies, where I got to not only learn about how email security works, but also opportunities to interact with customers (mostly big corporations) to understand their needs and thereby help build better products.
Currently, I am working as a Research Assistant at Singapore University of Technology and Design, on Internet of Things (IoT). This involves working with IoT devices (such as smart watches, cameras, etc.) to understand how these devices can be compromised by attackers thereby building intelligence to prevent such attacks.
What is hacking? Is all kind of hacking bad?
Hacking, is gaining unauthorized access to a system for malicious gain. Such gain can be financial (such as stealing credit card numbers), state sponsored (to gain military advantage or attack electricity grids to cripple another nation) or personal (fired employee holds a grudge and causes destruction to a company’s resources).
However, not all “hacking” is bad. There are enthusiasts who hack away to glory to understand in depth working of systems. This way faults (or vulnerabilities) in systems can be unearthed and patched to prevent real attackers from taking advantage of them. They are viewed as ethical hackers. For e.g. Google has a bug bounty program, where attackers are encouraged to find flaws in their systems and get paid on finding those. Such information can help Google to learn more about the flaws and fix them before real attackers get wind of these flaws.
Another way I view cyber security is by categorizing it into two – attack and defense. I feel both are important. Simply attacking a system can help you only if you are a bad guy. However, the good guys need to think of defending their systems as well. Apart from installing anti malware and antivirus programs, an expert in the field needs to know much more. These are the people who help design and develop such products.
For e.g. If there’s a new virus/malware going around, an expert needs to be able to look into the code for such malware and be able to decipher what it does. A malware may simply copy all your passwords, or delete files or more intelligent malware may just sit on your machine doing nothing till a specific date or time. A malware analyst (as these experts are called), need to correctly understand this behaviour and spread the knowledge.
What kind of educational qualification is desirable for this profession?
Usually, such roles require a high level of technical knowledge gained from both degrees/certifications and experience. An undergraduate degree in computer science or allied fields would be a good start. This can help in laying the foundations required to become a good hacker. Hacking is more of an art rather than a science. So simply obtaining a degree in CS may not be sufficient. You need to have that inquisitiveness and an urge to explore on your own. Supplementing your undergrad degree with further qualifications can be helpful (though not essential). In my case, a Master’s degree helped provide an organized training on the topics of cyber security. Other people I know have acquired several certifications (such as CompTIA, CISSP, CEH or GSEC) to become professional ethical hackers. There are multiple other certifications as well, however the ones mentioned before are recognized and high value. They require not only theoretical knowledge, but also practical knowledge (of attacking systems to pass exams).
Theoretical knowledge and certifications can, however, only take you so far. The field of computer security is ever changing – it started with viruses, evolved to malware, network attacks, email attacks, web attacks and now has moved on to smart devices and national critical infrastructure. One needs to be abreast of recent happenings or face the danger of becoming outdated quickly.
What are the career options in ethical hacking?
There a lot of options. Security products are required by everyone who is connected to the Internet. Companies have devised products for email security, network security and web security. You can become a software developer for a security company to help them design such security products. Possessing a degree in computer science and a thirst for gaining security knowledge can be sufficient for such jobs.
If you have advanced certifications and/or degrees, you can look at joining the R&D departments of such companies. For e.g. McAfee, Google, Microsoft, etc. all invest heavily in security.
Other specialized careers include forensics analysts. Forensics is required after an attack is discovered and it needs to be traced back to its origin. Such analysts need to look through files on computer systems and other logs to identify when an attack happened and how it happened. Such evidence can then be presented in the court of law. Forensics analysts can work for both private companies as well as the government.
Then there are the security consultants. Companies such as Cigital can supply such consultants. These are people who help other companies to study the design of their infrastructure against attacks and then suggest improvements. Consultants also help companies to design entire infrastructures.
You can become a penetration tester. The main job of such people is to ethically attack company systems and help uncover problems. Such attacks can cover different things. For e.g. A penetration tester can come disguised as someone else and try to lure the security guard to let him in the server room. Even physical security comes under the scanner of such analysts.