Monday, August 5, 2013

Help! I want to do Cyber but I don't have a technical degree

Do you need a technical degree in order to work in cyber security? Not really.

As a Navy Reserve Information Warfare Officer (IWO), I recently attended the two-month-long Information Warfare Basic Course (IWBC) at Corry Station, Pensacola, Florida. The course aims to provide basic instruction to active duty and reserve IWOs in all things IW. Cyber was one of the topics of instruction. Some of the officers in the course transfer from different Navy communities into IW. These folks tend to have a mix of technical and non-technical undergraduate degrees. Unless you have been living in a cave for the last several years, cyber is a really hot topic right now, both in the Department of Defense (DoD) and in the private sector. Naturally, some of the officers in class were concerned that their liberal arts degrees would keep them from participating in cyber operations. This is not necessarily the case, and I'd like to share my thoughts on how one can bolster their resume to be more attractive in this area. I believe my thoughts can be applied to both the military and civilian worlds.

Below is a laundry list of things you can do to get up-to-speed fast in cyber space. For the military folks, becoming a cyber "expert" is not necessarily the route you want to go, unless you plan to get out of the military to pursue a civilian career in cyber. The thoughts which follow will help you get the basic footing needed to operate in the space. If you plan to become an expert, great. But you first need to start with some basics.

  • Initiative: If you are a motivated learner, then you won't have anything to worry about. Much of what you will need will be gained from reading books and working with folks to understand areas that you are unfamiliar with. Do not underestimate the power of seeking out a mentor who is cyber savvy.
  • Advanced Degree / Certifications: You can definitely get a master's degree in computer science, information assurance, or cyber security. But if you would rather get an MBA degree or not go to graduate school, you can go after professional certifications. It should be noted that in certain circles, certifications are seen as bogus. This should not factor into your decision to go after one though. Do your homework and understand how well regarded a certification program is before you begin. Below are three of the more common certification organizations.
    • The SANS organization offers a wide range of training and certification options in the cyber and network security space.
    • The Certified Information Systems Security Professional (CISSP) is a popular certification that provides you with a very wide exposure to all aspects of information systems security, including things you might not think of like physical security.
    • Certified Ethical Hacker (CEH) is designed to teach how hackers think and execute their tradecraft so you, as an information security professional, can actually thwart their attempts.
  • Technology: There are some basic concepts you should get a handle on for cyber. Below are a few of the common technologies you can begin researching and learning.
    • Understand basic networking concepts like Internet Protocol (IP) Addressing and subnetting, routing, address resolution, domain names, and HTTP/HTTPS
    • Understand tunneling techniques using technology like Secure Shell (SSH)
    • Understand Network Security Architecture to include firewalls, intrusion detection/prevention systems (IDS/IPS), host-based intrusion detection systems (HIDS), anti-virus systems, and others
    • Understand what malware is, how it's distributed, how it's detected and remediated
    • Incident Response
    • Vulnerability management
    • Ethical Hacking
    • Penetration Testing
    • Big Data Security
    • Cyber Kill Chain
    • Cloud security
  • Online Resources: There are "many" free or low cost online resources you can use to get educated and learn more. Below are just a few of them.
    • Internet: Searching for keywords and topics will provide a wealth of information on just about anything, including those technologies mentioned above.
    • Safari Books Online: Safari Books Online was started by tech book publisher O'Reilly, but now includes books from many other publishers. You do have to pay for it, but US Navy members can get free access to Safari from Navy Knowledge Online (NKO).
    • Coursera, MIT Open Courseware, and Udacity: You can now take college courses, online, for free. MIT and other organizations have put full course material (syllabi, homework assignments, notes, etc.) online. You can work your way through a full course on discrete math, chemistry, and many others. Other organizations, like Coursera and Udacity, have worked out agreements with universities to put full classes online. You can actually sign up for and take a class while the instructor/professor is teaching the class on campus. You won't get college credit (although this is changing), but in some cases if you pass the exams you will get a certificate of completion. The point here is that as cyber grows in importance, these online education services will stand up cyber and other network security related content.
If you want to do cyber, or find yourself dropped into a cyber-type role, don't panic. Take a breath, take a step back and use some of the resources above to help you get started on your way.


1 comment:

  1. Great topic, Kevin!

    Understanding the cyber speak, technical side of the house is important (understanding and explaining) and I believe that any successful IW Officer could be successful in a "cyber" sort of job. I haven't come across any IWO that went to school and did their undergrad in Signals Intelligence. Sure physics or math, but even they are an exception. Point being, folks have to learn RF just as they learn nibbles, bits, and bytes. It is an aptitude for learning.

    Also, I want to (as I hope others do as well), add to your list of online resources.
    - Navy COOL: Not just for your Sailors, but for YOU too! A sampling of certifications to choose from are... Certified Ethical Hacker (CEH), Certified Information Security Manager (CISM), Check Point Certified Security Administrator (CCSA), Cisco Certified Network Professional (CCNP), CompTIA A+, Computer Hacking Forensic Investigator (CHFI), Network Security Administrator (NSA), and more...