Security Auditing: Learning the NIST CSF | A NON Technical Way to Have a Career in Cyber Security

Views: 2,786

Mike Miller - Break in Cyber

A day ago

Security Auditing. A way in for every aspiring Cyber Security Professional. Let's talk.
There is no blueprint for getting into this field. There is no right or wrong way. It's what works for you.
The buzz is definitely people who want to be a penetration tester, someone who ethically hacks to help companies discover vulnerabilities before the bad guys do. However, it is competitive. Anyone can achieve it, but it is not the only path into Cyber Security.
Let's talk Security Auditing.
Let me start by making it clear, you do NOT have to be super technical to get into security auditing. There are many auditing frameworks out there, but today I'm going to talk about the NIST Cyber Security Framework.
What is it?
The NIST Cyber Security Framework integrates industry standards and best practices to help organizations manage their cybersecurity risks. Companies like Microsoft, Boeing, Intel, Chase, and many others have adopted this framework.
Of course I don't have room in this post to talk about each control in the NIST Framework, but I'm going to break it down into 5 high-level categories. If you can learn what these 5 categories are about and understand them, you will have a great start in the world of auditing.
IDENTIFY
This is the process of making sure companies identify what their digital assets are. As one example under this category, most companies I have audited do not have an up-to-date systems inventory list. If they don't have a complete list of their digital assets (systems and software), how can they protect them? They simply can't.
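The inventory gap described under IDENTIFY, as an added example that is not part of the original post: a small Python check that reconciles a declared asset register with the hosts actually observed on the network and reports the findings an auditor would raise. The CSV layout, the 180-day re-verification policy and all sample values are constructed for illustration.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample standing in for an asset register (CMDB) export.
INVENTORY_CSV = """hostname,ip,owner,last_verified
fileserver01,10.0.1.10,IT Ops,2024-05-01
hr-app01,10.0.1.20,HR Systems,2023-09-15
legacy-db,10.0.1.30,,2022-01-10
"""

# Constructed sample standing in for hosts actually seen (DHCP leases, a discovery scan).
OBSERVED_IPS = {"10.0.1.10", "10.0.1.20", "10.0.1.44", "10.0.1.45"}

STALE_AFTER = timedelta(days=180)  # assumed policy: entries re-verified at least twice a year


def parse_inventory(csv_text):
    """Parse the register into dicts, turning last_verified into a real date."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["last_verified"] = datetime.strptime(row["last_verified"], "%Y-%m-%d").date()
        rows.append(row)
    return rows


def reconcile(inventory, observed_ips, as_of):
    """Return the IDENTIFY-function gaps an auditor would report.

    unknown: live on the network but absent from the register (cannot be protected)
    unseen:  in the register but not observed (decommissioned? offline? bad record?)
    stale:   not re-verified within STALE_AFTER of as_of
    unowned: no accountable owner recorded
    """
    known_ips = {row["ip"] for row in inventory}
    return {
        "unknown": sorted(observed_ips - known_ips),
        "unseen": sorted(r["hostname"] for r in inventory if r["ip"] not in observed_ips),
        "stale": sorted(r["hostname"] for r in inventory
                        if as_of - r["last_verified"] > STALE_AFTER),
        "unowned": sorted(r["hostname"] for r in inventory if not r["owner"].strip()),
    }


def run_check(as_of=date(2024, 6, 1)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(parse_inventory(INVENTORY_CSV), OBSERVED_IPS, as_of)


if __name__ == "__main__":
    for finding, items in run_check().items():
        print(f"{finding:8s} {', '.join(items) or '-'}")
```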
PROTECT
This is the process of safeguarding systems by wrapping controls around them. Some examples: Security patching, hardening standards that define safe processes for implementing systems, access control, and awareness training.
DETECT
What Intrusion Detection and Prevention systems are in place to detect anomalies and breaches on the network? Are system logs being retained that tell us who logged in to what?
RESPOND
Is there an Incident Response Plan in place? What playbook is in place to respond once a breach is detected? Is this plan practiced? Are there "scenarios" being conducted to test the strength of the plan?
RECOVER
How will the company recover if systems are knocked down or taken offline? Are there offsite backups or replication? Does the organization have a business continuity plan?
These controls go very deep. Many organizations don't understand them and you as a security auditor can study these and have the ability to help walk a business through them. It certainly doesn't take a certification to learn and help an organization. It is a great start into the auditing field. There are many types of Frameworks, such as PCI, which covers the protection of credit cards. We'll save that for another day.
Inbox me for questions.
#cybersecurity #informationsecurity #infosec

Comments: 7
@maryjane5849 4 months ago
Thank you so much Mike for breaking this down. So simple and easy to understand.
@VasylHerman 11 months ago
Mike, you literally saved my life )) Thanks!
@mikemillercyber 11 months ago
lol, happy to see you here!
@Mkhasimks a year ago
Simple and understandable!!
@mikemillercyber a year ago
Thank you!
@iamenough22 a year ago
Hey Mike. How do I get started in security auditing?
@mikemillercyber a year ago
I'd start with googling about different security frameworks. Maybe start with the NIST CSF.