One of 4 professionals world wide to obtain the SANS GSE

My Career in Information Security
Andrew Martin - Information Security Specialist, CIBC
Agenda
- My background
- Pre-CIBC experience and qualifications
- How I got my current job
- Qualifications obtained at CIBC
- Current responsibilities
- Tools
- Attacks
- Opportunities and how to be successful
Background
- Graduated from CTY program in December 2003, before Seneca moved to York
- Specialized in security
- Left the country in January 2004, missed my convocation and traveled the South Pacific for 7 months
Pre-CIBC experience and qualifications
- Worked for a friend's small company
  - Home / SOHO clients
  - First exposure to security involved removing viruses like Blaster and MyDoom, securing wireless networks and deploying home firewalls
- Got a job with Microsoft's outsourced support company in Sydney, Australia when the Sasser worm hit in April 2004
- Contract junior network admin for WSI in 2005
  - Helped build a small data center
  - Secured their workstations and wireless access points
Pre-CIBC experience and qualifications
- Certifications
  - A+, Server+, Network+
  - MCP in Windows 2003 administration
How I got my current job
- While working at WSI I noticed a job posting at CIBC for a desktop support analyst
- Applied for and got the job
- Supported CIBC's trading floor staff including traders, back office staff and some senior executives
- Spent 8 months in desktop support
How I got my current job
- Noticed a job opening in the security group as an analyst
  - 24/7 support
  - 12 hour rotating shifts
  - 7AM-7PM / 7PM-7AM (terrible!)
  - Monitor the Intrusion Detection System (IDS) and other security devices
- Passion for security, enthusiasm and willingness to learn got me the job
- Fantastic position to "get your foot in the door"
How I got my current job
- Excelled at my responsibilities as a shift analyst, moved to a 9-5 day job after 8 months (more responsibility, same pay)
- My boss wanted to have someone working every day who could find and investigate attacks
- A new position was created for me
- Promoted to specialist a few months later
- Have been in my current role for a little over a year
Qualifications obtained at CIBC
- MCSA - 2003, specialized in security
- CCNA
- CISSP
- SANS:
  - GCFA Gold (Forensic Analyst) - Mobile Device Forensics
  - GCIH Gold (Incident Handler) - Exploit Kits Revealed - MPack
  - GREM (Reverse Engineering Malware)
  - And my most recent.....
Qualifications obtained at CIBC
- One of 4 professionals worldwide to obtain the SANS GSE (Security Expert) Malware certification
- GCFA, GCIH and GREM were prerequisites, and I needed to write two papers to achieve gold status as well. The prereqs took over a year to complete
- The testing included:
  - A telephone interview
  - 150 multiple choice questions
  - 2 days (14 hours) of hands-on lab assignments at the SANS Las Vegas 2008 conference
  - A written report
- CIBC covered my expenses and flew me to Vegas to take it!
Current responsibilities
- Mentor and lead a team of 9 analysts
- Lead for maintaining CIBC's Intrusion Detection System
- Influence the direction of CIBC's information security by applying real world attack experience
- Research and investigate security threats to CIBC's infrastructure
- Reverse engineer malware (viruses) to determine its capabilities
- Find, investigate and (sometimes) take down botnets
- Recover sensitive stolen information
- Assist corporate security and online fraud investigation groups
Tools
- From a high level
  - Anti virus
  - Intrusion Detection System
  - Proxy + Web Filtering
  - Log correlation engine
Tools
- For reverse engineering and malware analysis
  - Linux
  - VMware
  - Wireshark
  - Perl, strings, file, netcat, hex editor
  - EnCase (Helix or SANS SIFT)
  - Debugger - OllyDbg
  - Disassembler - IDA Pro
  - Mandiant Red Curtain
  - PEiD
  - Various unpackers
  - Memory dumper (LordPE)
  - Sysinternals tools - Process Explorer, Process Monitor
  - Etc, etc
Tools
- Bar none, the MOST important tools for conducting investigations are your "detective hat" and patience
- You must always answer these questions
  - When was the system attacked?
  - Who attacked the system? (IP address)
  - How was it compromised?
  - What was the purpose or payload of the attack?
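Those four questions are exactly what a log correlation engine is there to answer. As an added example that is not from the talk and not CIBC's tooling, the Python below correlates a few constructed Snort-style IDS alerts with constructed proxy log lines for one workstation and fills in when, who, how and what. The log formats, the signature names and the addresses (RFC 5737 documentation ranges) are all assumptions made for the example.

```python
"""Correlate constructed IDS alerts with constructed proxy logs to answer
when / who / how / what for one internal host. Added example; the log
formats, hosts and signatures are assumptions, not real data."""
import json
import re
from datetime import datetime, timedelta

# Constructed Snort-style alert lines (a year is added to the timestamp for simplicity).
IDS_ALERTS = [
    "2008-10-14 09:41:07 [**] [1:2000001:1] WEB-CLIENT ActiveX exploit attempt [**] 203.0.113.55:80 -> 10.20.30.40:51234",
    "2008-10-14 09:41:09 [**] [1:2000002:1] TROJAN Win32 payload download [**] 203.0.113.55:80 -> 10.20.30.40:51235",
    "2008-10-14 09:52:30 [**] [1:2000003:1] POLICY outbound IRC connection [**] 10.20.30.40:51300 -> 198.51.100.9:6667",
]
# Constructed proxy lines: time, client, method, URL, status, content type.
PROXY_LOGS = [
    "2008-10-14 09:40:58 10.20.30.40 GET http://www.example.com/news.html 200 text/html",
    "2008-10-14 09:41:06 10.20.30.40 GET http://203.0.113.55/ads/load.php 200 text/html",
    "2008-10-14 09:41:09 10.20.30.40 GET http://203.0.113.55/ads/upd.exe 200 application/octet-stream",
    "2008-10-14 09:41:33 10.20.30.40 GET http://www.example.com/style.css 200 text/css",
]

IDS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
PROXY_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<client>[\d.]+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$"
)


def parse(lines, pattern):
    """Parse lines with the given regex, skip malformed ones, sort by time."""
    records = []
    for line in lines:
        m = pattern.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def investigate(victim, ids_lines, proxy_lines, window=timedelta(minutes=2)):
    """Return when/who/how/what for `victim`, or None if it was never attacked."""
    alerts = parse(ids_lines, IDS_LINE)
    proxy = parse(proxy_lines, PROXY_LINE)
    inbound = [a for a in alerts if a["dst"] == victim]
    if not inbound:
        return None
    first = inbound[0]          # WHEN: earliest alert aimed at the host
    attacker = first["src"]     # WHO: its source address
    # HOW: the signature, plus whatever the host fetched from that address
    # just before the alert fired (the page that delivered the exploit).
    delivery = [p["url"] for p in proxy
                if p["client"] == victim and attacker in p["url"]
                and p["ts"] <= first["ts"] and first["ts"] - p["ts"] <= window]
    # WHAT: executables pulled through the proxy after the exploit, and any
    # later alert where the victim is now the *source* (C2, scanning, spam).
    payloads = [p["url"] for p in proxy
                if p["client"] == victim and p["ts"] >= first["ts"]
                and p["ctype"] == "application/octet-stream"]
    post = [f'{a["ts"]:%H:%M:%S} {a["msg"]} -> {a["dst"]}:{a["dport"]}'
            for a in alerts if a["src"] == victim and a["ts"] > first["ts"]]
    return {
        "when": first["ts"].isoformat(sep=" "),
        "who": attacker,
        "how": {"signature": first["msg"], "delivery_urls": delivery},
        "what": {"payloads": payloads, "post_compromise": post},
    }


if __name__ == "__main__":
    print(json.dumps(investigate("10.20.30.40", IDS_ALERTS, PROXY_LOGS), indent=2))
```

The IDS alone gives "when" and "who"; the proxy log is what turns a signature name into "how" (the page that delivered the exploit) and "what" (the executable pulled down afterwards), and the later outbound alert shows the box acting as a bot. Real deployments have to reconcile clock skew and time zones between the two sources before joining them on time; the constructed data here uses one clock.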
Attacks
- Trends
  - Client side attacks - Workstations are compromised via malicious websites, typically via ActiveX controls
  - Server side attacks - Websites are compromised in the tens of thousands by SQL injection, remote file inclusion and stolen or weak passwords
Opportunities and how to be successful
- To excel in security (technically) you should be at least competent in virtually every area of IT
  - Windows administration
  - ***Unix/Linux administration***
  - Networking / firewall
  - Development (scripting, programming)
  - Databases / SQL
  - Hardware
Opportunities and how to be successful
- From Tech Republic's 2008 salary report (US)
  - Top 30 job functions
  - Security Specialist ranks 8th with an avg salary of 85K
  - No, I don't make that much, sadly
  - #1 - Executive Management (CEO, SVP, VP) $104,767
  - #2 - System Architect $100,734
  - #7 - Database Manager $87,261
  - #8 - Computer Security Specialist $85,699
  - #22 - Network Analyst $64,217
  - #30 - Help Desk Support $48,783
Opportunities and how to be successful
- Information Security is a hot field, but hard to break into
- Hackers won't stop hacking, they will only hack more. There is lots of money being made by bad guys
- Two paths to take
  - 1 - Work for a "Client", ex: CIBC
  - 2 - Work for a "Vendor", ex: Symantec
- Look for jobs with a company that is governed by regulations. These regulations will stipulate that they must have dedicated security staff and resources
  - Banks, insurance companies, health care providers, government
- Take a job to "get your foot in the door"
Opportunities and how to be successful
- "Soft" skills are incredibly valuable
  - Enthusiasm
  - Willingness to learn
  - Public speaking
  - Ability to admit mistakes
  - Ability to work in a team
- Without strong soft skills your career will be severely limited
- The most successful people are good at many things
Questions?