Career Opportunities in Incident ResponseWhat it Takes to Make it in One of Security's Emerging Fields
In January, Heartland Payment Systems, the sixth-largest payments processor in the U.S. announced it had been breached in 2008. Hackers had gained access to its computer networks and had been able to see credit card and debit card numbers as they were processed for several months in 2008, exposing an undetermined number of merchant and retail consumers to potential fraud.
At numerous companies and agencies of late, disgruntled employees have violated internal policies or misused system access for their own monetary gain or for revenge on employers. Insider threat is a growing criminal activity - especially in the event of organizations merging, being acquired and employees being laid off.
Security related incidents such as these have become not only more numerous and diverse, but also more damaging and disruptive. Incident handling and response has, therefore, become increasingly popular for people to consider as a career today.
"As we can take steps to reduce risk in cybersecurity but cannot eliminate risk, we need to come terms with that fact that eventually there will be an incident and an incident response team will be needed," says Shane Sims, Director in the forensic services practice at PricewaterhouseCoopers, where he provides investigative, forensic technology, security incident response and cybersecurity services to commercial and government clients.
The Many Hats of Incident Response
Expert security professionals with proficient skills in preventive activities and appropriate response actions can lower the number and potential of incidents at any organization.
The incident handling and response team consists of a variety of skill sets needing different people expertise:
- Network Security Specialist: Organizations constantly need a network and system specialist who is extremely familiar working and configuring routers, firewalls and intrusion detection systems.
- Penetration Testers: known as a white hat or ethical hackers, these individuals are crucial to the team for assessing a system's potential vulnerabilities that may result from poor or improper system configuration, known and/or software flaws, or operational weaknesses in process or technical countermeasures.
- Incident Handlers: are people with thorough knowledge of attack methodology and incident response, performing analysis and response tasks for various sample incidents, applying critical thinking skills in responding to incidents. "They are the individuals who need to predict that problems are going to happen and what action will be needed to mitigate these issues," says Peter Allor, Steering Committee Member of the Forum for Incident Response and Security Teams (FIRST). He also is the program manager for cyber incident & vulnerability handling for IBM.
- Forensics Analyst: - This role specifically focuses on the rigorous, scientific and thorough forensic analysis of computing systems for evidence and impact of system compromise and digital support of legal, HR, and ethics investigations. The role includes the forensic analysis of digital evidence, and an understanding of evidence handling, chain of custody, and operating systems/file systems. This is an emerging vital role in incident handling which has started getting attention and recognition in recent years maintains, Mike Poor, founder and senior security analyst for the DC firm Inguardians LLC.
- Research Analyst: focus on learning new techniques, mitigation and protection strategies, staying abreast of technology to help in the incident response activities.
- Team Leader: typically is in charge of leading the team through crises and is involved with people across business units communicating what is going on, what it means and cost to business.
An incident response team generally follows the sequence of steps in all types of attacks:
1) Preparation & Training: This includes methods to prevent attack, as well as how to respond to a successful one. In order to minimize the potential damage from an attack, some level of preparation is needed. These practices include backup copies of all key data on a regular basis, monitoring and updating software on a regular basis, updating anti-virus software and creating and implementing a documented incident response policy.
Training is another step that is crucial for the execution of the incident response plan. "The training, in my opinion, should be provided in two forms at a minimum -- what I call a walk-through drill and a tabletop exercise," says Sims.
A walk-through drill is where one would get all of the participants that would be involved in an incident response into a room, create a breach scenario and then walk through and actually tell them what they are supposed to do and what the expectations of them are.
A tabletop exercise is where one gathers all of the incident response players around a table and walk through a breach scenario, asking the different folks who are required to do certain actions to chime in and play the role that they would in the incident response.
2) Identification: While preparation is vital for minimizing the effects of an attack, the first post-attack step in Incident handling is the identification of an incident. Identification of an incident includes knowledge of the fact that an attack is occurring, its effects on local and remote networks and systems and from where it originates.
3) Containment: Once an attack has been identified, steps must be taken to minimize the effects of the attack. Containment allows the incident responder to protect other systems and networks from the attack and limit damage. The response phase details the methods used to stop the attack. Once the attack has been contained, the final phases are recovery and analysis.
4) Recovery and Analysis: The recovery phase allows users to assess what damage has been incurred, what information has been lost etc. Once the user can be assured that the attack has been contained, it is helpful to conduct an analysis of the attack. Why did it happen? Was it handled promptly and properly? Could it have been handled better? The analysis phase allows the users and responders to determine the reason the attack succeeded and the best course of action to protect against future attacks.
An incident handling and response team should be trained to handle "these normal emergencies" that happen day-to-day on the job as well as escalate to a learning and protective mode and secure business and systems at any organization, says Allor. "We need help now, not tomorrow," he states "That is why incident response as a profession is very high among people's wish list."
To be successful the following skill sets are recommended by practitioners.
- An in-depth technical background: Professionals transitioning into this field need to have a thorough knowledge of networks and systems, including operating systems, desktop, servers and network communications. Certain specialty like understanding web and data applications and how they work helps big time, says Poor. Usually a bachelor's or associate degree in IT, computer science or information assurance is preferred.
- Ability to communicate: is crucial, as professionals need to be able to communicate to their clients or business units: What the issue/problem is? What has been the impact? What does that translate to business cost? What are the possible options? When can these options be exercised?" I primarily look for people who can effectively communicate in plain English and understand the importance of being conversant in such issues," says Allor.
- Supporting the business: i.e. getting the business units to be involved in discussing incident handling and response issues is fundamental to see how to best secure the systems and business. "We as practitioners need to provide value, which can be done by understanding how business perceives the underline risks and how jointly we can solve issues," maintains Allor.
- Ability to remain composed: "Ability to remain calm under fire is typically what I look for while hiring candidates," says Poor. "As practitioners we are under the gun the majority of our work life and need to be able to work effectively under this constant pressure."
- Work experience: All experts say that certifications such as the CISSP or the GIAC- Incident handler certificate from SANS are secondary preference compared to the level of work experience they look for in hiring an incident handler. All require prior work experience handling incidents and crises situations. "What we really look in candidates is the technical ability to perform," adds Poor, including participation in security associations, conferences and forums.
- Ability to Network: "When I have an issue, I reach out to my peers in companies like CISCO, Juniper, HP to ensure a good fix can be applied quickly to the problem," says Allor. One needs to establish a network outside their organization to get help when required.
A good entry point into incident handling and response is for professionals already involved with security and network monitoring systems having the desire to escalate and do more. The salary range for incident response professionals is typically between $70,000-$140,000 annually.
Where are the Jobs?
Incident response jobs are readily available with government agencies, including Defense Department, Department of Homeland Security, National Security Agency (NSA) and the U.S. Treasury. Government contracting companies such as General Dynamics, Booz Allen Hamilton, North Grumman and Lockheed Martin increasingly hire individuals with this expertise.
Within banking and financial services, consulting and advisory firms such as KPMG, Deloitte, PricewaterhouseCoopers and others have a constant demand for incident handlers and responders. Usually large community banks, credit unions and national and international banks hire these professionals to act as first responders and investigators to incidents and attacks.
Incident response can include a disruptive and erratic work schedule as well as high work pressure. Job seekers need to be prepared, very committed and passionate to take this up as a career, Poor mentions.
"We are like medical practitioners in our field," he says, "where we are on call 24/7 and are paged to handle a crises situation."