What skills are needed to become a Security Analyst or Network Security Analyst

GreenHornet Member Posts: 25
I'm creating a white board targeting 3 specific job roles that I've been researching for the last 2 months. Most of the job boards are not specific enough in describing the necessary skills desired. I've condensed the job titles from the Dice, Indeed, and SimplyHired job websites and come up with the following list, but I need more specifics from the forum.

Linux-- Administer, LDAP, Apache, Backtrack, Virtualization configurations (need more details on what I should focus on)

Firewall--Cisco ASA and Juniper SRX. The most I got from this was VPN config and SSL, but I know there's more.

IDS/IPS---Doesn't state if open source or vendor specific is needed. I'm thinking Snort and Suricata, things I can download on my own.

Python Scripting---I've found some sites and have also purchased a book, "Violent Python", to at least get a feel for what I need to know.

Wireshark---I'm getting more familiar with this and packet analysis

Database---Oracle or SQL. I have CBT Nuggets videos on Oracle and I'm taking a college course on databases currently.


I would just like to hear from members that either have held, currently hold, or interview candidates for these job roles. I understand that experience and time in the trenches plays a role. I've been in IT for 6 years now. I've worked desktop support, CDN Engineer, Managed Hosting Engineer, and now Network Support Engineer. I've purchased 2 Juniper SRXs and I've set up my GNS3 to support Cisco ASAs. My budget is not extensive so I can't go into further debt in pursuing this. Also I can't afford SANS training and my current company won't pay for this.

Thanks in advance.

Comments

  • YFZblu Member Posts: 1,462
    Don't forget the foundation of security analysis - TCP/IP.

    Regarding Python, I would stick to the basics. I have Violent Python and I think it's a really good read and shows some cool ways of doing things; however, I would point beginners in the direction of the official Python documentation, Codecademy, and TutorialsPoint for actual understanding of how to become productive with Python. From there it's trivial to gain an understanding of other scripting languages like JavaScript, which I believe is an underrated skill to have, considering the exploit kit threats on the market today.

    Regarding Linux, once again - I would stick to the basics. I personally just started with the Linux+ book and went from there.

    Firewall - In a pure analysis role, specific firewall technologies would be useful but not required. More useful would be knowledge of the capabilities of certain products. Personally the SOC I work in uses a script to make firewall changes at a large scale and it doesn't require knowledge of the vendor-specific CLI's. Generally speaking, that's why we have engineers.

    Wireshark - It's definitely good to have a working knowledge of Wireshark, but don't forget tcpdump and WinDump.

    I agree with becoming familiar with open-source IDS tools like Snort and Suricata. Being capable of reading rules and understanding the framework for creating IDS content would be a huge leg up for you.
  • veritas_libertas Member Posts: 5,746
    I'm currently employed as a Security Analyst.

    Linux - Understand your way around the command-line. You don't necessarily have to be a genius/expert.

    Firewall - Understand how they work. (Every company uses a different type. I'm not sure that you need to be an expert on one brand. I've worked at companies with ASA, Palo Alto and Barracuda.)

    Scripting - Yes. Again, whatever kind works best for you.

    Database - Not sure. I haven't had to work with any. It would certainly help!

    Wireshark - Yes. You should know how to use it.

    Servers - You should know your way around Windows server/Windows Client if it's used in your environment. You should also understand how Group Policy works.

    Just my 2 cents.
  • GreenHornet Member Posts: 25
    Thanks for the advice everyone. I'm just ready for a change in my career. It took a while to decide what type of work I'd be willing to do. Once I narrowed down the technologies that I'd like to work with it became more clear.

    Networking-- JNCIA, CCNA
    Security-- CCNA Security, Security+, JNCIS-SEC (working on), CEH (thinking about it)

    Would the CEH add value to my resume? I'm not just talking about cramming for it, but having a basic knowledge and understanding of how some of these hacks work.
  • docrice Member Posts: 1,706
    It's okay to have common commercial-name products around, but ultimately knowing how to configure something by itself isn't good enough. You have to dive deeper into traffic, understand what normal traffic looks like, how the protocols work, how the assumptions on switching and routing can be subverted by assumed reliances on protocol behavior, etc. In other words, I'm echoing the need to understand TCP/IP.

    But it's not just TCP/IP, but also how operating systems work, user behavior, threats and attack vectors, social trickery, and so on. Know the mindset of the attackers and victims. All these things come into play and have to be considered when doing analysis and forming a cohesive picture of an event.

    As an example, let's say your IDS sounds the horn and it's telling you there's a buffer-overflow attack detected on an SMB transmission from a client to file server. Do you validate the event (of course you do)? Is the signature relevant? What the hell is a buffer-overflow and what's the potential risk? Was it part of an established TCP connection? What exact payload was being transmitted by the client? Is it normal for this type of activity to occur? At this time of the day? Has this happened before? Are there similar events with other hosts? Is the server Windows or a *nix running an SMB daemon? Is the target server or client vulnerable and not patched for this issue? What does the latest vuln scan reveal? Was it an authenticated scan? Was the IDS sensor tuned to properly reassemble the TCP stream based on the target OS? Are there other compensating controls which may affect the outcome of this event? Is it live or is it Memorex?

    Being a security analyst can be both specialized and generalized at the same time. You'll be better at some areas than others. I suck at all of it, personally, but it's both frustrating and fun. What it boils down to is having solid fundamentals, because with that you can see through the appliances and tools which are supposed to work magic for you but always have undocumented limits which vendors will never admit to. You can always adapt the basics to any vendor since they all work off the same principles.

    The important thing is to be able to frame things into proper context and ensure that weird log event which is represented by a firewall drop action is validated as a false positive or an actual event of interest which you have to follow-up on. It takes an understanding of the environment by investing time into learning what normal behavior is for a particular network.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
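
    Added example, not from docrice or any other poster: one of the triage questions above is whether the sensor reassembles the TCP stream the way the target OS does. The script below shows why that matters. Two overlapping segments carry different bytes for the same sequence range; a stack that keeps the first copy and one that keeps the last copy end up with different streams, so the same content signature fires on one view and not the other. The segments and the signature are constructed, and the two policies are a simplification of the finer-grained per-OS behaviour that Snort and Suricata model with a per-host reassembly policy.

```python
"""Why the IDS must reassemble TCP the way the *target* host does.

Added example, not from any poster in this thread.  Two overlapping TCP
segments carry different bytes for the same sequence range.  A stack that
keeps the first copy and one that keeps the last copy see different streams,
so a content signature can fire on one view and not on the other.  The two
policies here are simplified (assumption); real operating systems use
finer-grained rules, which is why Snort/Suricata take a per-host policy.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first byte, relative to ISN = 0
    data: bytes


# Constructed segments in arrival order; they are not from a real capture.
ATTACK_SEGMENTS = [
    Segment(seq=0, data=b"GET /etc/passwd"),      # offsets 0..14
    Segment(seq=5, data=b"index.html"),           # overlaps offsets 5..14
    Segment(seq=15, data=b" HTTP/1.0\r\n"),
]

SIGNATURE = b"/etc/passwd"


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Return the contiguous stream from offset 0, resolving overlaps by policy.

    'first': bytes already received win; later overlapping data is dropped.
    'last' : later segments overwrite what was already buffered.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in buf:
                buf[off] = byte
    out = bytearray()
    off = 0
    while off in buf:          # stop at the first hole in the stream
        out.append(buf[off])
        off += 1
    return bytes(out)


def alert_fires(segments: List[Segment], policy: str, signature: bytes = SIGNATURE) -> bool:
    return signature in reassemble(segments, policy)


def triage(segments: List[Segment], sensor_policy: str, target_policy: str) -> str:
    """Compare what the sensor matched against what the target actually received."""
    sensor_saw = alert_fires(segments, sensor_policy)
    target_got = alert_fires(segments, target_policy)
    if sensor_saw and target_got:
        return "true positive"
    if sensor_saw:
        return "false positive: sensor stream differs from what the target received"
    if target_got:
        return "evasion: target received the payload but the sensor never alerted"
    return "no match on either view"


if __name__ == "__main__":
    for pol in ("first", "last"):
        print(pol, reassemble(ATTACK_SEGMENTS, pol))
    print(triage(ATTACK_SEGMENTS, sensor_policy="first", target_policy="last"))
    print(triage(ATTACK_SEGMENTS, sensor_policy="last", target_policy="first"))
```

    Run as-is it prints the two reassembled streams and both mismatch cases: a sensor on the "first" policy watching a "last" host raises a false positive, and the reverse pairing is a missed attack. The practical check in a SOC is the same either way: pull the packets and confirm what the target host would actually have seen before deciding the alert is real.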
  • GreenHornet Member Posts: 25
    Thanks for the advice docrice. I'm more focused on learning fundamentals of the following:

    TCP/IP
    Linux (basic)
    VPN
    Firewall
    IDS/IPS
    Python scripting (basic)
    Wireshark

    I've already worked with some of them, but I just needed to get some feed back from members that have either worked, currently working, or interviewed individuals from these specific jobs.

    I believe this would further increase my chances of landing a job as a Network Security Analyst. I've shaken off the "Get Certification Now" fever, and have settled down. I'm going to focus on the "Preferred" option found within the job description of the majority of jobs I'm looking at.
  • nestech Member Posts: 74
    The ATL is hot right now with lots of security positions. It comes down to what you want to make as a security analyst.

    These are some of the questions I ask candidates during our interview process; I got them online.

    Information Security Interview Questions

    1) Is there any difference between Information Security and IT Security?

    2) What is the difference between Encoding, Encryption and Hashing?

    3) What is the difference between proxy, firewall, IDS and IPS?

    4) How does asymmetric encryption work?

    5) How does SSL work?

    6) What is port scanning? What are the countermeasures to prevent it?

    7) What is Man in Middle attack? Can it be prevented?

    8) What is the difference between false positive and false negative?

    9) Explain the term ‘Defense in depth’.

    10) What do you mean by stateful inspection by a firewall?

    11) What is DMZ? Which systems should be placed in DMZ? What are common security precautions for DMZ systems?

    12) What is DLP? How does it work?

    13) In what scenario, AD authentication should be used?

    14) Is SSH completely secured? If not, can it be hardened more?

    15) What is Virtualization? What are the security risks in it?

    16) What do you mean by ‘BYOD’ ? Explain security concerns related with it.

    17) What are the different layers of OSI model? Can you list 1 vulnerability corresponding to each of the OSI layer?

    18) What are honeypots?

    19) Tell about any of the major security incident that happened recently.

    20) How do you keep yourself updated with latest trends in Information Security?

    21) Which OS do you feel is more secure? Linux or Windows?

    22) Explain in brief, Multi Factor authentication.

    23) Explain in short how Kerberos works.

    24) How to harden a Windows Machine?

    25) How to harden a Linux Machine?

    26) How can you prevent DOS/DDOS attack?

    27) What is a 0-Day Vulnerability? Can it be prevented?

    28) What is the biggest difference between Windows OS and Linux OS?

    29) Can an IDS be used to prevent intrusions? (Ans is yes, e.g. Snort, one of the open source IDSs: if configured in inline mode in conjunction with iptables, it can act as an IPS)

    30) Explain any type of Wi-Fi Attack and how to prevent it.

    31) What is SIEM? Why it is useful?

    32) What is rainbow attack? Is there a way to prevent it?

    33) Explain the difference between hub, switch and router.

    34) What do you mean by reverse shell in Linux?

    35) Explain file ACL’s (permissions) in Linux. What is the use of sticky bit?

    36) What is NAT and PAT? Explain difference between them and how do they work.

    37) Comment on security concerns in Cloud Computing.

    38) What is the use of 'salt' in reference to passwords? Are there any limitations of using it?

    39) What is single sign-on? What are security risks with it?

    Hope this helps
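
    Added example, not from nestech's list or any poster: questions 2, 32 and 38 above are usually answered in words, but the distinction is clearer in code. The script below puts encoding (Base64), encryption (a toy one-time-pad XOR used only to show the keyed, reversible property; real systems use an AEAD such as AES-GCM), an unsalted SHA-256 hash and a salted PBKDF2 hash side by side, then builds a precomputed (rainbow-style) lookup and shows both what a salt stops and what it does not. The wordlist and passwords are constructed for the example.

```python
"""Encoding vs encryption vs hashing, and what a salt does and does not fix.

Added example for interview questions 2, 32 and 38; the wordlist and the
passwords are constructed.  The XOR cipher is a toy that shows the property
of encryption (keyed, reversible); real systems use an AEAD such as AES-GCM.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed attacker wordlist; "Summer2014" is the weak password both users chose.
WORDLIST = ["password", "letmein", "Summer2014", "P@ssw0rd", "qwerty123"]
PBKDF2_ITERATIONS = 100_000


def encode(data: bytes) -> str:
    """Encoding: a reversible representation change with no key and no secrecy."""
    return base64.b64encode(data).decode("ascii")


def decode(text: str) -> bytes:
    return base64.b64decode(text)


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Toy one-time pad: reversible only by someone holding `key`.

    The same call decrypts.  The key must be random, never reused, and at
    least as long as the data; that is what makes this a toy, not a cipher
    you would deploy.
    """
    if len(key) < len(data):
        raise ValueError("toy OTP needs a key at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def unsalted_hash(password: str) -> str:
    """Hashing: one-way but deterministic, so equal inputs give equal digests
    and an attacker can precompute digest -> password for a whole wordlist."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash stored as algo$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def build_rainbow_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precomputed lookup; one table breaks every unsalted user at once."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(table: Dict[str, str], digest: str) -> Optional[str]:
    return table.get(digest)


def crack_salted(wordlist: Iterable[str], stored: str) -> Optional[str]:
    """A salt forces the attacker to redo the hashing per stored record.

    It does not protect a weak password: a short wordlist still finds it,
    which is the "limitation" half of question 38.
    """
    for candidate in wordlist:
        if verify_salted(candidate, stored):
            return candidate
    return None


def demo() -> Dict[str, object]:
    alice_u = unsalted_hash("Summer2014")
    bob_u = unsalted_hash("Summer2014")
    alice_s = salted_hash("Summer2014")
    bob_s = salted_hash("Summer2014")
    table = build_rainbow_table(WORDLIST)
    return {
        "unsalted_digests_equal": alice_u == bob_u,            # True: reuse is visible
        "salted_records_equal": alice_s == bob_s,              # False: salts differ
        "rainbow_hits_alice": crack_unsalted(table, alice_u),  # instant lookup
        "salted_still_weak": crack_salted(WORDLIST, alice_s),  # salt != strong password
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The interview answer falls out of the output: encoding is reversible by anyone, encryption is reversible only with the key, a hash is not reversible at all, and a salt removes precomputation and cross-user reuse but does nothing for a password that is already in the attacker's wordlist.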
  • jamarchitect Member Posts: 51
    nestech wrote: »
    The ATL is hot right now with lots of security positions. It comes down to what you want to make as a security analyst.

    These are some of the questions I ask candidates during our interview process; I got them online.

    Awesome! How about some answers? :)
  • bobloblaw Member Posts: 228
    Those are great questions. If I walked into an interview and got waylaid with all those in a row, I'd stop you and tell you I've taken enough tests. :)
  • veritas_libertas Member Posts: 5,746
    LOL, that's actually nearly identical to the questions I was asked when I interviewed.
  • nestech Member Posts: 74
    bobloblaw wrote: »
    Those are great questions. If I walked into an interview and got waylaid with all those in a row, I'd stop you and tell you I've taken enough tests. :)

    If I am the only one interviewing, based on their resume I ask about 6 to 10 questions. If it is a group interview I will ask 6 questions.

    @GreenHornet if you need more assistance you can email me @ bushrowp4@yahoo.com
  • nestech Member Posts: 74
    jamarchitect wrote: »
    Awesome! How about some answers? :)


    What is the fun in that? You do have to do some work, you know...
  • jamarchitect Member Posts: 51
    bobloblaw wrote: »
    Those are great questions. If I walked into an interview and got waylaid with all those in a row, I'd stop you and tell you I've taken enough tests. :)

    That's a good answer, but you'd have to be very diplomatic and polite about it... and then answer some questions, or quickly come up with a meta-answer to address the interviewer's concerns. I guess the point of asking those questions is to determine if the candidate simply memorized the answers for the exam and then forgot them, or if they actually absorbed and retained the information. It's also probably a test to see how you respond under pressure.

    I guess I'd like some answers to the questions to see how people have succeeded and how they've failed during an interview. I still have trouble writing a cover letter, for goodness' sake!
  • bobloblaw Member Posts: 228
    The answers to almost every one of those questions are pretty direct. It's why I complimented the list. There's nothing worse than seeing or hearing about some ridiculous list of questions that a company asked a potential hire. I saw one on here a while back that was the most absurd list of questions I've ever seen asked of an entry level position.

    Go hunt on google for each one. Knowing how to find answers on a search engine is also a necessary skill. ;)
  • nestech Member Posts: 74
    bobloblaw wrote: »
    The answers to almost every one of those questions are pretty direct. It's why I complimented the list. There's nothing worse than seeing or hearing about some ridiculous list of questions that a company asked a potential hire. I saw one on here a while back that was the most absurd list of questions I've ever seen asked of an entry level position.

    Go hunt on google for each one. Knowing how to find answers on a search engine is also a necessary skill. ;)

    You are right about that...