Developing Cyber Security Personnel
～What is the key to success?～
Advanced Persistent Threat (APT) attacks that target specific companies or organizations are increasing in number around the world. In the era of IoT when all things will be connected to the Internet, damage from cyber attacks will not be limited to single companies; it will affect all of society. For many years NEC has been maintaining and improving its multilayered and dynamic cyber security measures in order to protect the important information assets and systems of its customers. In this roundtable discussion, the key people working on the front lines talk about their efforts to reinforce our systems, and how to develop advanced cyber security personnel.
Reaching the pinnacle of security work: Professional attitude and approach as told by CSIRT members
NEC has cyber security personnel from diverse backgrounds and with diverse skills. It goes without saying that none of them had the talent to be professionals from the start. They had to gain experience and work hard to develop their skills and achieve their goals. We interviewed two security engineers and asked them how they improved their technological abilities and gained the resourcefulness to become cyber security professionals.
Entering the security world after many different experiences
Michibi Uehama and Jun Kodama are respectively veteran and new members of NEC's CSIRT, the company's front line cyber security team. However, contrary to expectations, neither of them started out in the security field.
Uehama majored in software engineering at university. Because he was more interested in system construction than software development, he joined NEC Networks & System Integration Corporation (NESIC) after graduating. He became interested in the security field after coming into contact with remote access and authentication technology when he was an SE in charge of system integration for network infrastructure and teleconferencing system clients. After working as an SE for over ten years, he wanted to become a specialist in something, so he transferred to a job that involved consulting with customers on ISMS certification (ISO/IEC 27001).
"Because I was inexperienced, I was frustrated because I was not able to communicate the risks and true nature of security measures to top management and the front line workers," explains Uehama. "It was at that time that the company told me that I should study how NEC's CSIRT responds to security incidents to improve my security skills. So that is when I transferred to the CSIRT."
Kodama has always been recognized as a personal computer expert. As an undergraduate and a graduate student he majored in information systems and networking, and received specialized education in UNIX operating systems before entering NEC.
"In addition to my classes, I also worked part time in the university computer room, so I was really immersed in computers," says Kodama, looking back. "I made an e-learning video distribution system, and an application to distribute content on the web, as well as some other things."
In his first two years at NEC he was assigned to sales. However, he just could not get used to sales work and asked to be transferred to development, so he was transferred to the data center of a Group company. After working on assessments of storage systems and developing virtual environments, he returned to one of NEC's infrastructure divisions, and was also assigned to work with the CSIRT.
Both of these men entered the world of security after gaining a wide range of experience elsewhere, but neither of them had much of a problem making the transition. Both of them agreed that "It was very easy to blend in because everyone told us that we should ask if we had any questions. There were many training courses and study groups, and we felt reassured because some of Japan's top professionals were our colleagues. The CSIRT is often about teamwork, so there are plenty of opportunities to learn different skills from others, and the environment is conducive to gaining the knowledge we need about security engineering in a structured way."
Asking yourself day after day what skills you don't have
However, because their workplace was the pinnacle of security work, they both spent many days wondering what knowledge and skills they lacked.
"One big stumbling block for me was that I did not have enough program development experience," admitted Uehama. "Sometimes, work at the CSIRT involves examining tens of thousands of lines of logs to discover abnormal character strings that would lead to the discovery and analysis of malware. Therefore, it is necessary to understand what a normal program looks like.
"Today, I am able to read some code, but because we need to learn so many programming languages I am always asking myself what knowledge and skills I am lacking," he continued. "So, I keep trying to fill the gaps by learning the things that have the highest priority."
Kodama is battling attackers on a daily basis, but strongly feels that he is lacking in many skills. However, he says that that fact stimulates him.
"Even in my immediate surroundings there are experts who I cannot compare myself with. At their level, they will find hints in data that looks like meaningless character strings, and then they will use numerous analysis methods to quickly find characters that mean something. I also have the chance a number of times every year to take part in CTF (Capture the Flag) contests in which security specialists from around the world compete, but the problems presented are much more difficult than actual malware analysis. The reason is that CTF involves research on attack methods that are expected to be developed in the future, so it is like being confronted with malware from several years in the future. That is why among my NEC CSIRT teammates I am not yet at the level where I can score points. However, I want to reach that level some day," he laughs.
Battling opponents that you cannot see
NEC's CSIRT members also work on responding to attacks on customers, so they must be ready to handle actual attacks at any time. Immediately after he was assigned to the CSIRT, Kodama was given the task of analyzing ransomware, which was just starting to proliferate at that time.
"I was fortunate to be able to work on a relatively easy-to-solve attack, so that gave me a feel for what I needed to do," he says. "After that, attackers upped their game every few months, but gradually I learned what the attackers were thinking and could understand how they would change their attacks. I was truly battling an opponent that I could not see."
Sometimes the work involves a customer's actual business.
"We once received a request to analyze the possible illegal doctoring of a web site. Upon analyzing the problem, I thought the situation was very serious," recalls Kodama. "After confirming my assessment and consulting with team members, we made the decision to shut down the customer's service. It was a large-scale service, so it was very nerve-racking."
The result was that the team was able to minimize the damage, for which the customer was very thankful. It was a moment when Kodama felt a sense of achievement because he was able to demonstrate the technological ability that he had been working on.
Uehama feels a sense of worth because he is able to prevent many attacks on customers by using his experience with the malware attacks detected by NEC and the corresponding incident response. In this type of work, past experience is often valuable.
"When explaining risks and measures, I naturally use words that are easy for customers to understand, and customers sometimes thank me for that," he says. "This might be from my experience as an SE and in consulting. Security work requires a broad range of knowledge, so that past knowledge and experience is often invaluable. What I really like, however, are those moments when I can really feel that I have gotten better than I was a year ago or several months ago."
Wanting to become a specialist who will keep the company safe and secure
Both of these employees are improving themselves at the forefront of security, but how do they see their careers developing?
Kodama is aiming to become an engineer at the highest level; that is, he is aiming to become a top gun. "That is what I have been aiming for since I entered this field. To that end, there are still many technical aspects that I must absorb. However, the important things are protecting information, business, and society. So, I believe that it is my mission to protect all social systems from cyber attacks by encouraging CSIRT members to help each other become better by always sharing information."
Kodama talks this way because he believes that cyber security is already a part of the social infrastructure. "Unless measures to protect against malevolent attacks become standard, then neither business nor social life can continue," he concludes.
Uehama says that he aims to become an expert "bridging security personnel" who will connect top management and security workers.
"To achieve this I have to always be aware of the latest security technologies and trends, and make continuous efforts to improve my knowledge and skills," he explains. "In describing the latest risks and the front line conditions to top management, including the top management of customers, I need to use my own words and judgment and not just parrot someone else. I also need to communicate accurate information. It goes without saying that I will have to improve my management skills and communication abilities as well."
The forefront of security is not a place that attracts a lot of attention. However, both of these men understand that they are doing something that helps the entire world, and they have the pride and goals that come with being professionals as they and their CSIRT colleagues continue to battle an enemy that they cannot see.